Merge pull request #18214 from jcogs33/jcogs33/java/file-getname-path-sanitizer

Java: add File.getName as a path injection sanitizer

Author: jcogs33

java/ql/lib/change-notes/2024-12-06-file-getname.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `java.io.File.getName()` as a path injection sanitizer.

java/ql/lib/semmle/code/java/security/PathSanitizer.qll

@@ -337,3 +337,18 @@ private Method getSourceMethod(Method m) {
   not exists(Method src | m = src.getKotlinParameterDefaultsProxy()) and
   result = m
 }
+
+/**
+ * A sanitizer that protects against path injection vulnerabilities
+ * by extracting the final component of the user provided path.
+ *
+ * TODO: convert this class to models-as-data if sanitizer support is added
+ */
+private class FileGetNameSanitizer extends PathInjectionSanitizer {
+  FileGetNameSanitizer() {
+    exists(MethodCall mc |
+      mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
+      this.asExpr() = mc
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java

@@ -71,4 +71,19 @@ public void sendUserFileGood3(Socket sock, String user) throws Exception {
             fileLine = fileReader.readLine();
         }
     }
+
+    public void sendUserFileGood4(Socket sock, String user) throws IOException {
+        BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+        File file = new File(filename);
+        String baseName = file.getName();
+        // GOOD: only use the final component of the user provided path
+        BufferedReader fileReader = new BufferedReader(new FileReader(baseName));
+        String fileLine = fileReader.readLine();
+        while (fileLine != null) {
+            sock.getOutputStream().write(fileLine.getBytes());
+            fileLine = fileReader.readLine();
+        }
+    }
 }