C#: ZipSlip - Address review comments.

lcartey · lcartey · commit 1a90f7df2c18 · 2018-10-03T11:38:48.000+01:00
- Add backticks
 - Add extra test.
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
@@ -112,7 +112,7 @@ module ZipSlip {
   }
 
   /**
-   * A call to Substring.
+   * A call to `Substring`.
    *
    * This is considered a sanitizer because `Substring` may be used to extract a single component
    * of a path to avoid ZipSlip.
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs
@@ -59,7 +59,7 @@ private static int UnzipToStream(Stream zipStream, string installDir)
                     foreach (ZipArchiveEntry entry in archive.Entries)
                     {
                         // figure out where we are putting the file
-                        string destFilePath = Path.Combine(InstallDir, entry.FullName);
+                        String destFilePath = Path.Combine(InstallDir, entry.FullName);
 
                         Directory.CreateDirectory(Path.GetDirectoryName(destFilePath));
 
@@ -94,6 +94,15 @@ private static int UnzipToStream(Stream zipStream, string installDir)
                                 Console.WriteLine(@"Writing ""{0}""", destFilePath);
                                 archiveFileStream.CopyTo(fs);
                             }
+
+                            // GOOD: Use substring to pick out single component
+                            string fileName = destFilePath.Substring(destFilePath.LastIndexOf("\\"));
+                            var fileInfo2 = new FileInfo(fileName);
+                            using (FileStream fs = fileInfo2.Open(FileMode.Create))
+                            {
+                                Console.WriteLine(@"Writing ""{0}""", destFilePath);
+                                archiveFileStream.CopyTo(fs);
+                            }
                         }
                     }
                 }

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ module ZipSlip {`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`/**`
`115`		`- * A call to Substring.`
	`115`	+ * A call to `Substring`.
`116`	`116`	`*`
`117`	`117`	* This is considered a sanitizer because `Substring` may be used to extract a single component
`118`	`118`	`* of a path to avoid ZipSlip.`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ private static int UnzipToStream(Stream zipStream, string installDir)`
`59`	`59`	`foreach (ZipArchiveEntry entry in archive.Entries)`
`60`	`60`	`{`
`61`	`61`	`// figure out where we are putting the file`
`62`		`- string destFilePath = Path.Combine(InstallDir, entry.FullName);`
	`62`	`+ String destFilePath = Path.Combine(InstallDir, entry.FullName);`
`63`	`63`
`64`	`64`	`Directory.CreateDirectory(Path.GetDirectoryName(destFilePath));`
`65`	`65`
`@@ -94,6 +94,15 @@ private static int UnzipToStream(Stream zipStream, string installDir)`
`94`	`94`	`Console.WriteLine(@"Writing ""{0}""", destFilePath);`
`95`	`95`	`archiveFileStream.CopyTo(fs);`
`96`	`96`	`}`
	`97`	`+`
	`98`	`+ // GOOD: Use substring to pick out single component`
	`99`	`+ string fileName = destFilePath.Substring(destFilePath.LastIndexOf("\\"));`
	`100`	`+ var fileInfo2 = new FileInfo(fileName);`
	`101`	`+ using (FileStream fs = fileInfo2.Open(FileMode.Create))`
	`102`	`+ {`
	`103`	`+ Console.WriteLine(@"Writing ""{0}""", destFilePath);`
	`104`	`+ archiveFileStream.CopyTo(fs);`
	`105`	`+ }`
`97`	`106`	`}`
`98`	`107`	`}`
`99`	`108`	`}`