Refactor PartialPathTraversal

2023-03-21 18:01:57 -04:00 · 2023-03-21 18:01:57 -04:00 · 469ac80d40
--- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
@ -7,11 +7,13 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources

 /**
+ * DEPRECATED: Use `PartialPathTraversalFromRemoteFlow` instead.
+ *
 * A taint-tracking configuration for unsafe user input
 * that is used to validate against path traversal, but is insufficient
 * and remains vulnerable to Partial Path Traversal.
 */
-class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
+deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
  PartialPathTraversalFromRemoteConfig() { this = "PartialPathTraversalFromRemoteConfig" }

  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
@ -20,3 +22,20 @@ class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration
    any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr()
  }
 }
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to validate against path traversal, but is insufficient
+ * and remains vulnerable to Partial Path Traversal.
+ */
+private module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node node) {
+    any(PartialPathTraversalMethodAccess ma).getQualifier() = node.asExpr()
+  }
+}
+
+/** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
+module PartialPathTraversalFromRemoteFlow =
+  TaintTracking::Global<PartialPathTraversalFromRemoteConfig>;
--- a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+++ b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
@ -11,10 +11,12 @@
 */

 import semmle.code.java.security.PartialPathTraversalQuery
-import DataFlow::PathGraph
+import PartialPathTraversalFromRemoteFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
+from
+  PartialPathTraversalFromRemoteFlow::PathNode source,
+  PartialPathTraversalFromRemoteFlow::PathNode sink
+where PartialPathTraversalFromRemoteFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@.",
  source, "user-supplied data"
--- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql
+++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql
@ -1,21 +1,24 @@
 import java
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest
 import semmle.code.java.security.PartialPathTraversalQuery

-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class TestRemoteSource extends RemoteFlowSource {
  TestRemoteSource() { this.asParameter().hasName(["dir", "path"]) }

  override string getSourceType() { result = "TestSource" }
 }

-class Test extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+class Test extends InlineExpectationsTest {
+  Test() { this = "PartialPathTraversalFromRemoteTest" }

-  override TaintTracking::Configuration getTaintFlowConfig() {
-    result instanceof PartialPathTraversalFromRemoteConfig
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node sink | PartialPathTraversalFromRemoteFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
  }
 }