
Java: File constructor path sanitizer #18504

Merged

Conversation

jcogs33 (Contributor) commented Jan 16, 2025

Description

Adds a path injection sanitizer for the child argument of a java.io.File constructor when that argument is normalized or checked for the absence of "..".

Consideration

Note that sanitizing the second argument of the File constructor also sanitizes other uses of that variable after the constructor call (see the MISSING cases in the tests). Let me know if there is some way to adjust the QL to avoid also sanitizing these other uses. I can sanitize the File constructor call instead of the second argument, but then the first argument needs to be checked for taint.

Pull Request checklist

All query authors

Internal query authors only

  • Changes are validated at scale (internal access required).

@github-actions github-actions bot added the Java label Jan 16, 2025
@jcogs33 jcogs33 force-pushed the jcogs33/java/file-constructor-path-sanitizer branch from 4dc7562 to 7837ad6 Compare January 31, 2025 19:26
@jcogs33 jcogs33 force-pushed the jcogs33/java/file-constructor-path-sanitizer branch from 8ef7637 to 60cc16c Compare February 4, 2025 22:52
@jcogs33 jcogs33 marked this pull request as ready for review February 5, 2025 01:49
@Copilot Copilot bot review requested due to automatic review settings February 5, 2025 01:49
@jcogs33 jcogs33 requested a review from a team as a code owner February 5, 2025 01:49
@jcogs33 jcogs33 requested a review from owen-mc February 5, 2025 01:49


Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

java/ql/test/library-tests/pathsanitizer/Test.java:482

  • Several consecutive blocks (lines 480–610) repeat similar path validation logic. Consider extracting this shared logic into a utility method or parameterized test to simplify and reduce duplication.

    File f1 = new File("safe/file.txt");


owen-mc (Contributor) left a comment

I think it would be better to sanitize the constructor call instead, with checks on the first argument.
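The following is an added example for this thread, not code from the CodeQL repository or from this PR. It puts the description's three cases side by side in plain Java: the shape the new sanitizer is described as recognising (a child argument checked for the absence of ".." before it reaches `File(parent, child)`), the MISSING case from the description (the same checked variable used somewhere other than that constructor), and the reviewer's point that sanitising the constructor call would require a check on the parent argument as well. `BASE` is a hypothetical trusted directory, the inputs are constructed, and the path strings assume a Unix file system, where the two-argument `File` constructor joins even an absolute child underneath the parent.

```java
import java.io.File;
import java.nio.file.Path;
import java.util.function.Supplier;

// Added example for this thread, not code from the CodeQL repository or the PR.
// BASE is a hypothetical trusted upload directory; the path strings below assume
// a Unix file system, where File(parent, child) joins an absolute child under parent.
public class FileChildSanitizerDemo {

    static final File BASE = new File("/var/app/uploads");

    // The shape the PR description says the sanitizer recognises: the child is
    // checked for the absence of ".." and then passed as the second argument of
    // java.io.File. With ".." excluded the child cannot climb above BASE, and an
    // absolute child is re-rooted under BASE by this constructor.
    static File openUnderBase(String child) {
        if (child.contains("..")) {
            throw new IllegalArgumentException("rejected: " + child);
        }
        return new File(BASE, child);
    }

    // The MISSING case from the description: the same check on the same variable,
    // followed by a use that is not File(parent, child). Nothing re-roots the
    // path here, so an absolute child with no ".." still opens any file.
    static File openStandalone(String child) {
        if (child.contains("..")) {
            throw new IllegalArgumentException("rejected: " + child);
        }
        return new File(child);
    }

    // The reviewer's alternative (sanitise the constructor call) only holds if the
    // parent is checked too: a clean child cannot compensate for an
    // attacker-chosen parent.
    static File openWithParent(String parent, String child) {
        if (child.contains("..")) {
            throw new IllegalArgumentException("rejected: " + child);
        }
        return new File(parent, child);
    }

    // A guard that is safe for every later use of the result: resolve against the
    // trusted base, normalise, and require the result to stay under the base.
    // resolve() returns an absolute child unchanged, so those are rejected too.
    static Path resolveInsideBase(String child) {
        Path base = BASE.toPath().toAbsolutePath().normalize();
        Path resolved = base.resolve(child).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("escapes base: " + child);
        }
        return resolved;
    }

    static String describe(Supplier<Object> action) {
        try {
            return String.valueOf(action.get());
        } catch (IllegalArgumentException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign name, a traversal attempt, and an absolute
        // path that contains no "..".
        String[] inputs = { "report.txt", "../../../etc/passwd", "/etc/passwd" };
        for (String child : inputs) {
            System.out.println("child = " + child);
            System.out.println("  File(BASE, child)    -> " + describe(() -> openUnderBase(child)));
            System.out.println("  File(child)          -> " + describe(() -> openStandalone(child)));
            System.out.println("  File(\"/etc\", child)  -> " + describe(() -> openWithParent("/etc", child)));
            System.out.println("  resolveInsideBase    -> " + describe(() -> resolveInsideBase(child)));
        }
    }
}
```

Run with `java FileChildSanitizerDemo.java`. The absolute input is the instructive one on a Unix JVM: `openUnderBase` yields `/var/app/uploads/etc/passwd`, because `File(parent, child)` concatenates an absolute child under the parent, while `openStandalone` yields `/etc/passwd` and `openWithParent("/etc", child)` lands wherever the parent says. That asymmetry is why the ".." check is a sufficient sanitizer only for the constructor's child argument and not for the variable in general, which is the scoping problem the description raises. Note that `contains("..")` also rejects harmless names such as `a..b`; `resolveInsideBase` is the stricter form that does not depend on where the value is used afterwards.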


⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,10,4622,259,99,,9,,,26
+    Java Standard Library,``java.*``,10,4621,259,99,,9,,,26
-    Totals,,312,26329,2635,404,16,128,33,1,409
+    Totals,,312,26328,2635,404,16,128,33,1,409
  • Changes to framework-coverage-java.csv:
- java.io,66,1,226,,,,,,,,,22,,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,,,,1,,203,23
+ java.io,66,1,225,,,,,,,,,22,,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,,,,1,,202,23
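Review bot: both generated reports lose exactly one java.io entry (the java.* row goes 4622 to 4621 and Totals 26329 to 26328 in the rst; the java.io row goes 226 to 225 and 203 to 202 in the csv), which a change described only as adding a sanitizer would not produce by itself; the PR description should name the java.io model that was removed or reclassified and state why the new sanitizer makes it redundant, so the nightly coverage diff is explained rather than discovered.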

@jcogs33 jcogs33 requested a review from owen-mc February 14, 2025 22:29
jcogs33 (Contributor, Author) commented Feb 15, 2025

The new DCA run looks good.

owen-mc (Contributor) previously approved these changes Feb 17, 2025 and left a comment

Looks great. Only trivial comments. It's great that we found a way of expressing exactly what we want with good performance.

owen-mc (Contributor) left a comment

I love the thorough tests.

@jcogs33 jcogs33 merged commit d94dc5a into github:main Feb 18, 2025
15 checks passed
@jcogs33 jcogs33 deleted the jcogs33/java/file-constructor-path-sanitizer branch February 18, 2025 13:00
@jcogs33 jcogs33 restored the jcogs33/java/file-constructor-path-sanitizer branch February 24, 2025 15:05
@jcogs33 jcogs33 deleted the jcogs33/java/file-constructor-path-sanitizer branch March 4, 2025 11:45
2 participants