src/experimental/semmle/code/java/security
test/experimental/query-tests/security/CWE-522-DecompressionBombs Expand file tree Collapse file tree 2 files changed +18
-1
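--- a/src/experimental/semmle/code/java/security/FILE_NAME_NOT_SHOWN
+++ b/src/experimental/semmle/code/java/security/FILE_NAME_NOT_SHOWN
@@ -58,6 +58,23 @@ module XerialSnappy {
 }
 }
 
+/**
+* Gets `n1` and `n2` which `SnappyInputStream n2 = new SnappyInputStream(n1)` or
+* `n1.read(n2)`,
+* second one is added because of sanitizer, we want to compare return value of each `read` or similar method
+* that whether there is a flow to a comparison between total read of decompressed stream and a constant value
+*/
+private class InputStreamAdditionalTaintStep extends DecompressionBomb:: AdditionalStep {
+override predicate step ( DataFlow:: Node n1 , DataFlow:: Node n2 ) {
+exists ( Call call |
+// Constructors
+call .getCallee ( ) .getDeclaringType ( ) = any ( TypeInputStream t ) and
+call .getArgument ( 0 ) = n1 .asExpr ( ) and
+call = n2 .asExpr ( )
+)
+}
+}
+
 class Sink extends DecompressionBomb:: Sink {
 Sink ( ) {
 this .asExpr ( ) = any ( ReadInputStreamCall r ) .getQualifier ( )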
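Review bot: The `// Constructors` comment in `step` is not enforced by the body: nothing requires `call` to be a `ClassInstanceExpr`, so the step fires for any call whose callee is declared on the type matched by `TypeInputStream` and whose first argument flows to the call result — if that is the standard `java.io.InputStream`, it covers `read(byte[])`, `read(byte[], int, int)` and similar methods, while a `SnappyInputStream` constructor (declared on `SnappyInputStream`) would only match if the definition of `TypeInputStream`, which is not visible here, also covers subtypes; please confirm which case the new test expectation on the `while` line actually exercises, since an unintentionally broad step mostly adds false-positive flow. Either make the comment true with `call instanceof ClassInstanceExpr and` as the first conjunct, or drop it and state the buffer-to-result step explicitly with the class the `Sink` below already relies on: `exists(ReadInputStreamCall call | call.getArgument(0) = n1.asExpr() and call = n2.asExpr())`. The doc comment is also hard to read; a shorter form such as `Taint step from the argument of an InputStream constructor or read call to the call itself, so the total number of bytes read can later be compared against a bound (used as a sanitizer).` would state both intended cases plainly. The enclosing `module XerialSnappy` continues outside the hunk.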
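--- a/test/experimental/query-tests/security/CWE-522-DecompressionBombs/FILE_NAME_NOT_SHOWN
+++ b/test/experimental/query-tests/security/CWE-522-DecompressionBombs/FILE_NAME_NOT_SHOWN
@@ -12,7 +12,7 @@ public static void SnappyZipInputStream(InputStream inputStream) throws IOExcept
 byte [] readBuffer = new byte [4096 ];
 try (SnappyInputStream zipInputStream = new SnappyInputStream (inputStream )) { // $ hasTaintFlow="inputStream"
 try (OutputStream outputStream = Files .newOutputStream (Paths .get ("extractedFile" ))) {
-while ((readLen = zipInputStream .read (readBuffer )) != -1 ) {
+while ((readLen = zipInputStream .read (readBuffer )) != -1 ) { // $ hasTaintFlow="zipInputStream"
 outputStream .write (readBuffer , 0 , readLen );
 }
 }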