From d82acf58664a23137390d07210bfb39b10604f97 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 21 May 2024 11:31:49 +0200
Subject: [PATCH 1/2] Java: Add simple type sanitization to java/zipslip.

---
 java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
index 75e2f7000c55..08a58bfa6e9b 100644
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.PathCreation
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A method that returns the name of an archive entry.
@@ -39,7 +40,10 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof SimpleTypeSanitizer or
+    node instanceof PathInjectionSanitizer
+  }
 }
 
 /** Tracks flow from archive entries to file creation. */

From 7828cb8f5ad1a9497207d3ea03a7d239912cc877 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Wed, 22 May 2024 10:27:33 +0200
Subject: [PATCH 2/2] Java: Add change note.

---
 .../src/change-notes/2024-05-22-zipslip-number-sanitizer.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md

diff --git a/java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md b/java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md
new file mode 100644
index 000000000000..e3f1bf3e42d6
--- /dev/null
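Review bot: The rewritten `isBarrier` in the second hunk of ZipSlipQuery.qll carries no QLDoc, so a reader has to open `Sanitizers.qll` to learn why a node of a simple type ends taint — as I read that class, `SimpleTypeSanitizer` matches nodes whose type is primitive, boxed or numeric, none of which can carry an archive entry name into a file path. I would add directly above the predicate `/** Holds if node cannot carry an archive entry name into a file path: it has a simple (primitive, boxed or numeric) type, or it is accepted by a path-injection sanitizer. */`. The comment could also record the trade-off that any taint step converting a name to a number and back is now cut, though I have not checked whether the taint model contains such a step. The enclosing `module ZipSlipConfig` opens before the hunk and only its tail is visible here.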
+++ b/java/ql/src/change-notes/2024-05-22-zipslip-number-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.