Track taint through java.io.File constructor and #toURI; URI#toURL

Author: daniel-beck

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -234,6 +234,11 @@ private predicate constructorStep(Expr tracked, ConstructorCall sink) {
       or
       //a URI constructed from a tainted string is tainted.
       s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
+      or
+      //a File constructed from a tainted string is tainted.
+      s = "java.io.File" and argi = 0
+      or
+      s = "java.io.File" and argi = 1
     )
     or
     exists(RefType t | t.getQualifiedName() = "java.lang.Number" |
@@ -372,6 +377,12 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
   m.hasName("get")
   or
+  m.getDeclaringType().hasQualifiedName("java.io", "File") and
+  m.hasName("toURI")
+  or
+  m.getDeclaringType().hasQualifiedName("java.net", "URI") and
+  m.hasName("toURL")
+  or
   m = any(GuiceProvider gp).getAnOverridingGetMethod()
   or
   m = any(ProtobufMessageLite p).getAGetterMethod()

java/ql/test/library-tests/dataflow/taint/B.java

@@ -129,6 +129,9 @@ public static void maintest() {
     String[][][] taintedArray3 = new String[][][] { { { s } } };
     sink(taintedArray3);
 
+    // Tainted file path and URI
+    sink(new java.io.File(s).toURI().toURL());
+
     return;
   }
 

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -33,6 +33,7 @@
 | B.java:15:21:15:27 | taint(...) | B.java:126:10:126:21 | taintedArray |
 | B.java:15:21:15:27 | taint(...) | B.java:128:10:128:22 | taintedArray2 |
 | B.java:15:21:15:27 | taint(...) | B.java:130:10:130:22 | taintedArray3 |
+| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:44 | toURL(...) |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |