Merge pull request #103 from lukecartey/csharp/zipslip-update

C#: ZipSlip - Refine sanitizers

Author: hvitved

csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll

@@ -4,6 +4,8 @@
 import csharp
 
 module ZipSlip {
+  import semmle.code.csharp.controlflow.Guards
+
   /**
    * A data flow source for unsafe zip extraction.
    */
@@ -96,31 +98,55 @@ module ZipSlip {
   }
 
   /**
-   * An argument to `GetFileName`.
+   * A call to `GetFileName`.
    *
    * This is considered a sanitizer because it extracts just the file name, not the full path.
    */
   class GetFileNameSanitizer extends Sanitizer {
     GetFileNameSanitizer() {
       exists(MethodCall mc |
         mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName") |
-        this.asExpr() = mc.getAnArgument()
+        this.asExpr() = mc
       )
     }
   }
 
   /**
-   * A qualifier in a call to `StartsWith` or `Substring` string method.
+   * A call to `Substring`.
    *
-   * A call to a String method such as `StartsWith` or `Substring` can indicate a check for a
-   * relative path, or a check against the destination folder for whitelisted/target path, etc.
+   * This is considered a sanitizer because `Substring` may be used to extract a single component
+   * of a path to avoid ZipSlip.
    */
-  class StringCheckSanitizer extends Sanitizer {
-    StringCheckSanitizer() {
+  class SubstringSanitizer extends Sanitizer {
+    SubstringSanitizer() {
       exists(MethodCall mc |
-        mc.getTarget().hasQualifiedName("System.String", "StartsWith") or
         mc.getTarget().hasQualifiedName("System.String", "Substring") |
-        this.asExpr() = mc.getQualifier()
+        this.asExpr() = mc
+      )
+    }
+  }
+
+  /**
+   * An expression which is guarded by a call to `String.StartsWith`.
+   *
+   * A call to the method `String.StartsWith` can indicate the the tainted path value is being
+   * validated to ensure that it occurs within a permitted output path.
+   */
+  class StringCheckSanitizer extends Sanitizer {
+    StringCheckSanitizer() {
+      exists(GuardedExpr ge, MethodCall mc, Expr startsWithQualifier |
+        ge = this.asExpr() and
+        ge.isGuardedBy(mc, startsWithQualifier, true) |
+        mc.getTarget().hasQualifiedName("System.String", "StartsWith") and
+        mc.getQualifier() = startsWithQualifier and
+        /*
+         * A StartsWith check against Path.Combine is not sufficient, because the ".." elements have
+         * not yet been resolved.
+         */
+        not exists(MethodCall combineCall |
+          combineCall.getTarget().hasQualifiedName("System.IO.Path", "Combine") and
+          DataFlow::localFlow(DataFlow::exprNode(combineCall), DataFlow::exprNode(startsWithQualifier))
+        )
       )
     }
   }

csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs

@@ -31,7 +31,15 @@ public static void UnzipFileByFile(ZipArchive archive,
                     string destFilePath = Path.Combine(destDirectory, fullPath);
                     entry.ExtractToFile(destFilePath, true);
 
-                    // GOOD: some check on destination.
+                    // BAD: destFilePath isn't fully resolved, so may still contain ..
+                    if (destFilePath.StartsWith(destDirectory))
+                        entry.ExtractToFile(destFilePath, true);
+
+                    // BAD
+                    destFilePath = Path.GetFullPath(Path.Combine(destDirectory, fullPath));
+                    entry.ExtractToFile(destFilePath, true);
+
+                    // GOOD: a check for StartsWith against a fully resolved path
                     if (destFilePath.StartsWith(destDirectory))
                         entry.ExtractToFile(destFilePath, true);
                 }
@@ -51,7 +59,7 @@ private static int UnzipToStream(Stream zipStream, string installDir)
                     foreach (ZipArchiveEntry entry in archive.Entries)
                     {
                         // figure out where we are putting the file
-                        string destFilePath = Path.Combine(InstallDir, entry.FullName);
+                        String destFilePath = Path.Combine(InstallDir, entry.FullName);
 
                         Directory.CreateDirectory(Path.GetDirectoryName(destFilePath));
 
@@ -86,6 +94,15 @@ private static int UnzipToStream(Stream zipStream, string installDir)
                                 Console.WriteLine(@"Writing ""{0}""", destFilePath);
                                 archiveFileStream.CopyTo(fs);
                             }
+
+                            // GOOD: Use substring to pick out single component
+                            string fileName = destFilePath.Substring(destFilePath.LastIndexOf("\\"));
+                            var fileInfo2 = new FileInfo(fileName);
+                            using (FileStream fs = fileInfo2.Open(FileMode.Create))
+                            {
+                                Console.WriteLine(@"Writing ""{0}""", destFilePath);
+                                archiveFileStream.CopyTo(fs);
+                            }
                         }
                     }
                 }
@@ -115,7 +132,7 @@ static void Main(string[] args)
                     // GOOD: the path is checked in this extension method
                     archive.ExtractToDirectory(targetPath);
 
-		    UnzipToStream(file, targetPath);
+                    UnzipToStream(file, targetPath);
                 }
             }
         }

csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected

@@ -1,7 +1,9 @@
 | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:19:31:19:44 | access to property FullName | item path |
 | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path |
-| ZipSlip.cs:61:74:61:85 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:54:72:54:85 | access to property FullName | item path |
-| ZipSlip.cs:68:71:68:82 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:54:72:54:85 | access to property FullName | item path |
-| ZipSlip.cs:75:57:75:68 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:54:72:54:85 | access to property FullName | item path |
-| ZipSlip.cs:83:58:83:69 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:54:72:54:85 | access to property FullName | item path |
+| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path |
+| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path |
+| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path |
+| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path |
+| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path |
+| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path |
 | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.cs:9:59:9:72 | access to property FullName | item path |