Java: add library tests, remove query tests

Jami Cogswell · Jami Cogswell · commit 20705cac4e84 · 2025-01-31T14:26:19.000-05:00
diff --git a/java/ql/test/library-tests/pathsanitizer/Test.java b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -3,6 +3,9 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import android.net.Uri;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.net.Socket;
 
 public class Test {
 
@@ -61,6 +64,7 @@ public void exactPathMatchGuard() throws Exception {
     }
 
     private void allowListGuardValidation(String path) throws Exception {
+        //if (path.indexOf("..") != -1 || !path.startsWith("/safe"))
         if (path.contains("..") || !path.startsWith("/safe"))
             throw new Exception();
     }
@@ -463,4 +467,152 @@ public void blockListGuard() throws Exception {
             }
         }
     }
+
+    private void fileConstructorValidation(String path) throws Exception {
+        // Use `indexOf` instead of `contains` for this test since a `contains`
+        // call in this scenario will already be sanitized due to the inclusion
+        // of `ValidatedVariableAccess` nodes in `defaultTaintSanitizer`.
+        if (path.indexOf("..") != -1)
+            throw new Exception();
+    }
+
+    public void fileConstructor() throws Exception {
+        // PathTraversalGuard
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+            if (!source.contains("..")) {
+                File f2 = new File(f1, source);
+                sink(f2); // Safe
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1, source);
+                sink(f3); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        {
+            String source = (String) source();
+
+            // `f1` tainted by an `ActiveThreatModelSource`
+            Socket sock = new Socket();
+            BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+            String filename = filenameReader.readLine();
+            File f1Tainted = new File(filename); // tainted
+
+            if (!source.contains("..")) {
+                // `f2` is unsafe if `f1` is tainted
+                File f2 = new File(f1Tainted, source);
+                sink(f2); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1Tainted, source);
+                sink(f3); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        {
+            String source = (String) source();
+            File f1Null = null;
+            if (!source.contains("..")) {
+                // `f2` is unsafe if `f1` is null
+                File f2 = new File(f1Null, source);
+                sink(f2); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1Null, source);
+                sink(f3); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+            if (source.indexOf("..") == -1) {
+                File f2 = new File(f1, source);
+                sink(f2); // Safe
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1, source);
+                sink(f3); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+            if (source.indexOf("..") != -1) {
+                File f2 = new File(f1, source);
+                sink(f2); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1, source);
+                sink(f3); // Safe
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+            if (source.lastIndexOf("..") == -1) {
+                File f2 = new File(f1, source);
+                sink(f2); // Safe
+                sink(source); // $ hasTaintFlow
+            } else {
+                File f3 = new File(f1, source);
+                sink(f3); // $ hasTaintFlow
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        // validation method
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+            fileConstructorValidation(source);
+            File f2 = new File(f1, source);
+            sink(f2); // Safe
+            sink(source); // $ hasTaintFlow
+        }
+        {
+            String source = (String) source();
+            File f1 = new File("safe/file.txt");
+
+            if (source.contains("..")) {
+                throw new Exception();
+            } else {
+                File f2 = new File(f1, source);
+                sink(f2); // Safe
+                sink(source); // $ hasTaintFlow
+            }
+        }
+        // PathNormalizeSanitizer
+        {
+            File source = (File) source();
+            String normalized = source.getCanonicalPath();
+            File f1 = new File("safe/file.txt");
+            File f2 = new File(f1, normalized);
+            sink(f2); // Safe
+            sink(source); // $ hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
+        }
+        {
+            File source = (File) source();
+            String normalized = source.getCanonicalFile().toString();
+            File f1 = new File("safe/file.txt");
+            File f2 = new File(f1, normalized);
+            sink(f2); // Safe
+            sink(source); // $ hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
+        }
+        {
+            String source = (String) source();
+            String normalized = Paths.get(source).normalize().toString();
+            File f1 = new File("safe/file.txt");
+            File f2 = new File(f1, normalized);
+            sink(f2); // Safe
+            sink(source); // $ hasTaintFlow
+            sink(normalized); // $ hasTaintFlow
+        }
+    }
 }
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
@@ -86,38 +86,4 @@ public void sendUserFileGood4(Socket sock, String user) throws IOException {
             fileLine = fileReader.readLine();
         }
     }
-
-    public void sendUserFileGood5(Socket sock, String user) throws IOException {
-        BufferedReader filenameReader =
-                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
-        String filename = filenameReader.readLine();
-        File f1 = new File("safe/file.txt");
-        // GOOD: ensure that the path does not contain ".." and is used as the
-        // second argument to a `File` constructor
-        if (!filename.contains("..")) {
-            File f2 = new File(f1, filename);
-            f2.exists();
-
-            // Only sanitize `f2`; `filename` is still tainted
-            BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow
-        }
-    }
-
-    public void sendUserFileGood6(Socket sock, String user) throws IOException {
-        BufferedReader filenameReader =
-                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
-        String filename = filenameReader.readLine();
-        File f1 = new File("safe/file.txt");
-
-        // GOOD: ensure that the path is normalized and is then used as the
-        // second argument to a `File` constructor
-        Path normalizedFilename = Paths.get(filename).normalize().toAbsolutePath();
-        String normalizedFilenameStr = normalizedFilename.toString();
-        File f2 = new File(f1, normalizedFilenameStr);
-        f2.exists();
-
-        // Only sanitize `f2`; `filename` and `normalizedFilenameStr` are still tainted
-        BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow
-        BufferedReader fileReader2 = new BufferedReader(new FileReader(normalizedFilenameStr)); // $ hasTaintFlow
-    }
 }
