-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathTaintedPathLocal.ql
More file actions
32 lines (27 loc) · 1.04 KB
/
TaintedPathLocal.ql
File metadata and controls
32 lines (27 loc) · 1.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
* @name Local-user-controlled data in path expression
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
* @kind problem
* @problem.severity recommendation
* @precision medium
* @id java/path-injection-local
* @tags security
* external/cwe/cwe-022
* external/cwe/cwe-023
* external/cwe/cwe-036
* external/cwe/cwe-073
*/
import java
import semmle.code.java.dataflow.FlowSources
import PathsCommon
class TaintedPathLocalConfig extends TaintTracking::Configuration {
TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(PathCreation p).getInput() }
}
from LocalUserInput u, PathCreation p, Expr e, TaintedPathLocalConfig conf
where
e = p.getInput() and
conf.hasFlow(u, DataFlow::exprNode(e)) and
not guarded(e)
select p, "$@ flows to here and is used in a path.", u, "User-provided value"