Java: Add a flow step for Path::toFile in ZipSlip

rneatherway · rneatherway · commit 409733838bc6 · 2019-02-11T10:33:44.000Z
diff --git a/change-notes/1.20/analysis-java.md b/change-notes/1.20/analysis-java.md
@@ -14,6 +14,7 @@
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Arbitrary file write during archive extraction ("Zip Slip") (`java/zipslip`) | Fewer false positive results | Results involving a sanitization step that converts a destination `Path` to a `File` are no longer reported. |
 | Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) | Fewer false positive results and more true positive results | Results that use safe publication through a `final` field are no longer reported. Results that initialize immutable types like `String` incorrectly are now reported. |
 | Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) | Fewer results | Results involving conversions to `float` or `double` are no longer reported, as they were almost exclusively false positives. |
 
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -79,6 +79,8 @@ predicate filePathStep(ExprNode n1, ExprNode n2) {
     m.getDeclaringType() instanceof TypeFile and m.hasName("toPath")
     or
     m.getDeclaringType() instanceof TypePath and m.hasName("toAbsolutePath")
+    or
+    m.getDeclaringType() instanceof TypePath and m.hasName("toFile")
   )
 }
 
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
@@ -51,4 +51,13 @@ public void m5(ZipEntry entry, File dir) {
       throw new Exception();
     FileOutputStream os = new FileOutputStream(file); // OK
   }
+
+  public void m6(ZipEntry entry, Path dir) {
+    String canonicalDest = dir.toFile().getCanonicalPath();
+    Path target = dir.resolve(entry.getName());
+    String canonicalTarget = target.toFile().getCanonicalPath();
+    if (!canonicalTarget.startsWith(canonicalDest + File.separator))
+      throw new Exception();
+    OutputStream os = Files.newOutputStream(target); // OK
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,8 @@ predicate filePathStep(ExprNode n1, ExprNode n2) {`
`79`	`79`	`m.getDeclaringType() instanceof TypeFile and m.hasName("toPath")`
`80`	`80`	`or`
`81`	`81`	`m.getDeclaringType() instanceof TypePath and m.hasName("toAbsolutePath")`
	`82`	`+ or`
	`83`	`+ m.getDeclaringType() instanceof TypePath and m.hasName("toFile")`
`82`	`84`	`)`
`83`	`85`	`}`
`84`	`86`
Original file line number	Diff line number	Diff line change
`@@ -51,4 +51,13 @@ public void m5(ZipEntry entry, File dir) {`
`51`	`51`	`throw new Exception();`
`52`	`52`	`FileOutputStream os = new FileOutputStream(file); // OK`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ public void m6(ZipEntry entry, Path dir) {`
	`56`	`+ String canonicalDest = dir.toFile().getCanonicalPath();`
	`57`	`+ Path target = dir.resolve(entry.getName());`
	`58`	`+ String canonicalTarget = target.toFile().getCanonicalPath();`
	`59`	`+ if (!canonicalTarget.startsWith(canonicalDest + File.separator))`
	`60`	`+ throw new Exception();`
	`61`	`+ OutputStream os = Files.newOutputStream(target); // OK`
	`62`	`+ }`
`54`	`63`	`}`