github
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql‎
Lines changed: 1 addition & 18 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql‎
Lines changed: 1 addition & 18 deletions
diff --git a/‎java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll‎
Lines changed: 23 additions & 0 deletions b/‎java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll‎
Lines changed: 18 additions & 0 deletions b/‎java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Bombs.java‎
Lines changed: 56 additions & 0 deletions b/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/Bombs.java‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java‎
Lines changed: 108 additions & 83 deletions b/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/CommonsCompressHandler.java‎
Lines changed: 108 additions & 83 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/DecompressionBombs.qlref‎
Lines changed: 0 additions & 1 deletion b/‎java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/DecompressionBombs.qlref‎
Lines changed: 0 additions & 1 deletion
@@ -12,24 +12,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import experimental.semmle.code.java.security.FileAndFormRemoteSource
-import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
-import semmle.code.java.dataflow.TaintTracking
-
-module DecompressionBombsConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(AdditionalStep ads).step(nodeFrom, nodeTo)
-  }
-}
-
-module DecompressionBombsFlow = TaintTracking::Global<DecompressionBombsConfig>;
-
-import DecompressionBombsFlow::PathGraph
+import experimental.semmle.code.java.security.DecompressionBombQuery
 
 from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
 where DecompressionBombsFlow::flowPath(source, sink)
 
@@ -222,6 +222,29 @@ module ApacheCommons {
       }
     }
 
+    /**
+     * Gets `n1` and `n2` which `CompressorInputStream n2 = new CompressorStreamFactory().createCompressorInputStream(n1)`
+     * or `ArchiveInputStream n2 = new ArchiveStreamFactory().createArchiveInputStream(n1)` or
+     * `n1.read(n2)`,
+     * second one is added because of sanitizer, we want to compare return value of each `read` or similar method
+     * that whether there is a flow to a comparison between total read of decompressed stream and a constant value
+     */
+    private class CompressorsAndArchiversAdditionalTaintStep extends DecompressionBomb::AdditionalStep
+    {
+      override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+        exists(Call call |
+          // Constructors
+          (
+            call.getCallee().getDeclaringType() = any(TypeCompressors t)
+            or
+            call.getCallee().getDeclaringType() = any(TypeArchivers t)
+          ) and
+          call.getArgument(0) = n1.asExpr() and
+          call = n2.asExpr()
+        )
+      }
+    }
+
     /**
      * The methods that read bytes and belong to `CompressorInputStream` or `ArchiveInputStream` Types
      */
 
@@ -0,0 +1,18 @@
+import semmle.code.java.dataflow.FlowSources
+import experimental.semmle.code.java.security.FileAndFormRemoteSource
+import semmle.code.java.dataflow.TaintTracking
+import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
+
+module DecompressionBombsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(AdditionalStep ads).step(nodeFrom, nodeTo)
+  }
+}
+
+module DecompressionBombsFlow = TaintTracking::Global<DecompressionBombsConfig>;
+
+import DecompressionBombsFlow::PathGraph
@@ -0,0 +1,56 @@
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.compressors.CompressorException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.BufferedReader;
+import java.net.Socket;
+import java.util.zip.DataFormatException;
+
+public class Bombs {
+    public void sendUserFileGood2(Socket sock) throws IOException {
+        InputStream remoteFile = sock.getInputStream();
+        // Zip
+        ZipHandler.ZipInputStreamSafe2(remoteFile);
+        ZipHandler.ZipInputStreamSafe(remoteFile);
+        ZipHandler.ZipInputStreamUnsafe(remoteFile);
+        ZipHandler.GZipInputStreamUnsafe(remoteFile);
+        ZipHandler.InflaterInputStreamUnsafe(remoteFile);
+
+        BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+        try {
+            ZipHandler.InflaterUnsafe(filename.getBytes());
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            ZipHandler.ZipFile1(filename);
+        } catch (DataFormatException e) {
+            throw new RuntimeException(e);
+        }
+
+        // Zip4j
+        Zip4jHandler.zip4jZipInputStream(remoteFile);
+        Zip4jHandler.zip4jZipInputStreamSafe(remoteFile);
+        // SnappyZip
+        SnappyHandler.SnappyZipInputStream(remoteFile);
+        // apache Commons
+        CommonsCompressHandler.commonsCompressArchiveInputStream2(remoteFile);
+        CommonsCompressHandler.commonsCompressorInputStream(remoteFile);
+        try {
+            CommonsCompressHandler.commonsCompressArchiveInputStream(remoteFile);
+            CommonsCompressHandler.commonsCompressArchiveStreamFactory(remoteFile);
+        } catch (ArchiveException e) {
+            throw new RuntimeException(e);
+        }
+        try {
+            CommonsCompressHandler.commonsCompressCompressorStreamFactory(remoteFile);
+        } catch (CompressorException e) {
+            throw new RuntimeException(e);
+        }
+
+    }
+}
@@ -1,103 +1,128 @@
-import java.io.*;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.IOException;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.BufferedInputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import org.apache.commons.compress.archivers.*;
+
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveException;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.ArchiveStreamFactory;
 import org.apache.commons.compress.compressors.CompressorException;
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.CompressorStreamFactory;
-import org.apache.commons.compress.compressors.gzip.*;
+import org.apache.commons.compress.compressors.lz4.*;
+import org.apache.commons.compress.archivers.ar.ArArchiveInputStream;
+import org.apache.commons.compress.archivers.arj.ArjArchiveInputStream;
+import org.apache.commons.compress.archivers.cpio.CpioArchiveInputStream;
+import org.apache.commons.compress.archivers.jar.JarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream;
+import org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream;
+import org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream;
+import org.apache.commons.compress.compressors.xz.XZCompressorInputStream;
+import org.apache.commons.compress.compressors.zstandard.ZstdCompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.compress.compressors.brotli.BrotliCompressorInputStream;
+import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
+import org.apache.commons.compress.compressors.deflate.DeflateCompressorInputStream;
+import org.apache.commons.compress.compressors.deflate64.Deflate64CompressorInputStream;
+import org.apache.commons.compress.compressors.z.ZCompressorInputStream;
 
 public class CommonsCompressHandler {
-  public static void commonsCompressorInputStream(InputStream inputStream) throws IOException {
-    BufferedInputStream in = new BufferedInputStream(inputStream);
-    OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
-    GzipCompressorInputStream gzIn =
-        new org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream(in);
-    // for testing
-    new org.apache.commons.compress.compressors.brotli.BrotliCompressorInputStream(in);
-    new org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream(in);
-    new org.apache.commons.compress.compressors.deflate.DeflateCompressorInputStream(in);
-    new org.apache.commons.compress.compressors.deflate64.Deflate64CompressorInputStream(in);
-    new org.apache.commons.compress.compressors.lz4.BlockLZ4CompressorInputStream(in);
-    new org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream(in);
-    new org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream(in);
-    new org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream(in);
-    new org.apache.commons.compress.compressors.xz.XZCompressorInputStream(in);
-    new org.apache.commons.compress.compressors.z.ZCompressorInputStream(in);
-    new org.apache.commons.compress.compressors.zstandard.ZstdCompressorInputStream(in);
 
-    int buffersize = 4096;
-    final byte[] buffer = new byte[buffersize];
-    int n = 0;
-    while (-1 != (n = gzIn.read(buffer))) {
-      out.write(buffer, 0, n);
+    static void commonsCompressArchiveInputStream(InputStream inputStream) throws ArchiveException {
+        new ArArchiveInputStream(inputStream); // $bomb
+        new ArjArchiveInputStream(inputStream); // $bomb
+        new CpioArchiveInputStream(inputStream); // $bomb
+        new JarArchiveInputStream(inputStream); // $bomb
+        new ZipArchiveInputStream(inputStream); // $bomb
     }
-    out.close();
-    gzIn.close();
-  }
 
-  static void commonsCompressArchiveInputStream(InputStream inputStream) throws ArchiveException {
-    new org.apache.commons.compress.archivers.ar.ArArchiveInputStream(inputStream);
-    new org.apache.commons.compress.archivers.arj.ArjArchiveInputStream(inputStream);
-    new org.apache.commons.compress.archivers.cpio.CpioArchiveInputStream(inputStream);
-    new org.apache.commons.compress.archivers.jar.JarArchiveInputStream(inputStream);
-    new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream);
-  }
+    public static void commonsCompressorInputStream(InputStream inputStream) throws IOException {
+        BufferedInputStream in = new BufferedInputStream(inputStream);
+        OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
+        GzipCompressorInputStream gzIn = new GzipCompressorInputStream(in); // $bomb
+        // for testing
+        new BrotliCompressorInputStream(in); // $bomb
+        new BZip2CompressorInputStream(in); // $bomb
+        new DeflateCompressorInputStream(in); // $bomb
+        new Deflate64CompressorInputStream(in); // $bomb
+        new BlockLZ4CompressorInputStream(in); // $bomb
+        new LZMACompressorInputStream(in); // $bomb
+        new Pack200CompressorInputStream(in); // $bomb
+        new SnappyCompressorInputStream(in); // $bomb
+        new XZCompressorInputStream(in); // $bomb
+        new ZCompressorInputStream(in); // $bomb
+        new ZstdCompressorInputStream(in); // $bomb
 
-  static void commonsCompressArchiveInputStream2(InputStream inputStream) {
-    byte[] readBuffer = new byte[4096];
-    try (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream zipInputStream =
-        new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream)) {
-      ArchiveEntry entry = null;
-      while ((entry = zipInputStream.getNextEntry()) != null) {
-        if (!zipInputStream.canReadEntryData(entry)) {
-          continue;
+        int buffersize = 4096;
+        final byte[] buffer = new byte[buffersize];
+        int n = 0;
+        while (-1 != (n = gzIn.read(buffer))) {
+            out.write(buffer, 0, n);
         }
-        File f = new File("tmpfile");
-        try (OutputStream outputStream = new FileOutputStream(f)) {
-          int readLen;
-          while ((readLen = zipInputStream.read(readBuffer)) != -1) { // BAD
-            outputStream.write(readBuffer, 0, readLen);
-          }
+        out.close();
+        gzIn.close();
+    }
+
+    static void commonsCompressArchiveInputStream2(InputStream inputStream) {
+        byte[] readBuffer = new byte[4096];
+        try (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream zipInputStream =
+                     new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream)) { // $bomb
+            ArchiveEntry entry = null;
+            while ((entry = zipInputStream.getNextEntry()) != null) {
+                if (!zipInputStream.canReadEntryData(entry)) {
+                    continue;
+                }
+                File f = new File("tmpfile");
+                try (OutputStream outputStream = new FileOutputStream(f)) {
+                    int readLen;
+                    while ((readLen = zipInputStream.read(readBuffer)) != -1) {
+                        outputStream.write(readBuffer, 0, readLen);
+                    }
+                }
+            }
+        } catch (IOException e) {
+            throw new RuntimeException(e);
         }
-      }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
     }
-  }
 
-  static void commonsCompressArchiveStreamFactory(InputStream inputStream)
-      throws IOException, ArchiveException {
-    BufferedInputStream bin = new BufferedInputStream(inputStream);
-    ArchiveInputStream zipInputStream = new ArchiveStreamFactory().createArchiveInputStream(bin);
-    ArchiveEntry entry = null;
-    byte[] readBuffer = new byte[4096];
-    while ((entry = zipInputStream.getNextEntry()) != null) {
-      if (!zipInputStream.canReadEntryData(entry)) {
-        continue;
-      }
-      File f = new File("tmpfile");
-      try (OutputStream outputStream = new FileOutputStream(f)) {
-        int readLen;
-        while ((readLen = zipInputStream.read(readBuffer)) != -1) { // BAD
-          outputStream.write(readBuffer, 0, readLen);
+    static void commonsCompressArchiveStreamFactory(InputStream inputStream)
+            throws IOException, ArchiveException {
+        BufferedInputStream bin = new BufferedInputStream(inputStream);
+        ArchiveInputStream zipInputStream = new ArchiveStreamFactory().createArchiveInputStream(bin);
+        ArchiveEntry entry = null;
+        byte[] readBuffer = new byte[4096];
+        while ((entry = zipInputStream.getNextEntry()) != null) {
+            if (!zipInputStream.canReadEntryData(entry)) {
+                continue;
+            }
+            File f = new File("tmpfile");
+            try (OutputStream outputStream = new FileOutputStream(f)) {
+                int readLen;
+                while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // $bomb
+                    outputStream.write(readBuffer, 0, readLen);
+                }
+            }
         }
-      }
     }
-  }
 
-  static void commonsCompressCompressorStreamFactory(InputStream inputStream)
-      throws IOException, CompressorException {
-    BufferedInputStream bin = new BufferedInputStream(inputStream);
-    CompressorInputStream in = new CompressorStreamFactory().createCompressorInputStream(bin);
-    OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
-    int buffersize = 4096;
-    final byte[] buffer = new byte[buffersize];
-    int n = 0;
-    while (-1 != (n = in.read(buffer))) { // BAD
-      out.write(buffer, 0, n);
+    static void commonsCompressCompressorStreamFactory(InputStream inputStream)
+            throws IOException, CompressorException {
+        BufferedInputStream bin = new BufferedInputStream(inputStream);
+        CompressorInputStream in = new CompressorStreamFactory().createCompressorInputStream(bin);
+        OutputStream out = Files.newOutputStream(Path.of("tmpfile"));
+        int buffersize = 4096;
+        final byte[] buffer = new byte[buffersize];
+        int n = 0;
+        while (-1 != (n = in.read(buffer))) { // $bomb
+            out.write(buffer, 0, n);
+        }
+        out.close();
+        in.close();
     }
-    out.close();
-    in.close();
-  }
 }