
Commit 4b68dd2

committed
add new additional taint steps, fix some comments
1 parent 9946e07 commit 4b68dd2


2 files changed

+25
-7
lines changed


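--- a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
@@ -27,11 +27,11 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
 or
 source instanceof FileUploadRemoteFlowSource
 ) and
-state = ["ZipFile", "Zip4j", "inflator", "Zip", "ApacheCommons", "XerialSnappy"]
+state = ["ZipFile", "Zip4j", "inflator", "UtilZip", "ApacheCommons", "XerialSnappy"]
 }
 
 predicate isSink(DataFlow::Node sink, FlowState state) {
-any(DecompressionBomb::Sink ads).sink(sink, state)
+any(DecompressionBomb::Sink s).sink(sink, state)
 }
 
 predicate isAdditionalFlowStep(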
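Review bot: The flow-state list on the new line 30, `state = ["ZipFile", "Zip4j", "inflator", "UtilZip", "ApacheCommons", "XerialSnappy"]`, is maintained by hand in two places — here and in the CommonsIO `Sink` at line 485 of DecompressionBomb.qll in this same commit — and this rename had to touch both, which is exactly the drift that makes a state silently stop matching at one site. Consider declaring the set once in the library, e.g. `string anyDecompressionState() { result = ["ZipFile", "Zip4j", "inflator", "UtilZip", "ApacheCommons", "XerialSnappy"] }`, and writing `state = anyDecompressionState()` at both sites so a future state is added in one place. The renamed binding `s` in `isSink` is fine but is the only other change here. `isAdditionalFlowStep` begins on the hunk's last line and continues outside it.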

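--- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
@@ -38,7 +38,7 @@ module XerialSnappy {
 }
 
 /**
-* Gets `n1` and `n2` which `SnappyInputStream n2 = new SnappyInputStream(n2)` or
+* Gets `n1` and `n2` which `SnappyInputStream n2 = new SnappyInputStream(n1)` or
 * `n1.read(n2)`,
 * second one is added because of sanitizer, we want to compare return value of each `read` or similar method
 * that whether there is a flow to a comparison between total read of decompressed stream and a constant value
@@ -482,7 +482,7 @@ module CommonsIO {
 class Sink extends DecompressionBomb::Sink {
 override predicate sink(DataFlow::Node sink, DataFlow::FlowState state) {
 sink.asExpr() = any(IOUtils r).getArgument(0) and
-state = ["ZipFile", "Zip4j", "inflator", "Zip", "ApacheCommons", "XerialSnappy"]
+state = ["ZipFile", "Zip4j", "inflator", "UtilZip", "ApacheCommons", "XerialSnappy"]
 }
 }
 }
@@ -522,7 +522,7 @@ module Zip {
 
 class ReadInputStreamSink extends DecompressionBomb::Sink {
 override predicate sink(DataFlow::Node sink, DataFlow::FlowState state) {
-sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and state = "Zip"
+sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and state = "UtilZip"
 }
 }
 
@@ -549,8 +549,8 @@ module Zip {
 call.getQualifier() = n1.asExpr() and
 call = n2.asExpr()
 ) and
-stateFrom = "Zip" and
-stateTo = "Zip"
+stateFrom = "UtilZip" and
+stateTo = "UtilZip"
 }
 }
 
@@ -708,6 +708,24 @@ module InputStream {
 ) and
 stateFrom = "ZipFile" and
 stateTo = "ZipFile"
+or
+exists(Call call |
+// Method calls
+call.(ConstructorCall).getConstructedType().hasQualifiedName("java.util.zip", "ZipFile") and
+n1.asExpr() = call.getAnArgument() and
+n2.asExpr() = call
+) and
+stateFrom = "ZipFile" and
+stateTo = "ZipFile"
 }
 }
 }
+
+predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+exists(Call call |
+// Method calls
+call.(ConstructorCall).getConstructedType().hasQualifiedName("java.util.zip", "ZipFile") and
+n1.asExpr() = call.getAnArgument() and
+n2.asExpr() = call
+)
+}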
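Review bot: The `exists(Call call | ...)` body added at new lines 712-717 of the last hunk is a verbatim copy of the body of the new `predicate step` at lines 725-730, so the `java.util.zip.ZipFile` constructor step is encoded twice and the two copies will drift on the next edit; the new branch could simply read `step(n1, n2) and stateFrom = "ZipFile" and stateTo = "ZipFile"`. The `// Method calls` comment on lines 713 and 726 sits above a `ConstructorCall` test and mislabels it; `// Constructor calls: new java.util.zip.ZipFile(...)` says what is actually matched. `predicate step` has no QLDoc, and a one-line comment stating that it relates a `ZipFile` constructor argument (`n1`) to the constructed `ZipFile` value (`n2`) would make its purpose clear to the next reader. Judging by the three closing braces at 720-722 it also appears to be declared after the enclosing class/module closes rather than inside `InputStream`, so a name as generic as `step` at that scope is worth confirming. The predicate the first part of this hunk extends starts before the hunk.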
