Kotlin: Adapt PathSanitizer#11550
Conversation
intrigus-lgtm
left a comment
intrigus-lgtm
left a comment
There was a problem hiding this comment.
If this is intended to fix, #11460 (comment)
shouldn't there be a test for https://kotlinlang.org/api/latest/jvm/stdlib/kotlin.io/java.io.-file/starts-with.html?
From the CodeQL code it seems that this is modeled, but could also be that I just missed the tests for it :D
|
|
||
| private void blockListGuardValidation(String path) throws Exception { | ||
| if (path.contains("..") || !path.startsWith("/data")) | ||
| if (path.contains("..") || path.startsWith("/data")) |
There was a problem hiding this comment.
Yes, a blocklist guard should check for forbidden paths + path normalization/check for ... So it was wrong before this change — of course, the Java test should've failed before, I still need to figure out why it didn't.
Whoops, nvm. OK, now I see what you mean. I'll add tests for that too, thanks! |
Apologies, I should have been more explicit in describing the problem :) |
atorralba
force-pushed
the
atorralba/kotlin/adapt-path-sanitizer
branch
from
089d494 to
47d61e0
Compare
tamasvajk
left a comment
tamasvajk
left a comment
There was a problem hiding this comment.
Looks good to me. I added some nitpicking comments for consideration.
|
Thanks for the thorough review @tamasvajk! I added your suggestions in 2f622ad, it looks much better now. I also went a step further and added another predicate BTW, I think |
tamasvajk
left a comment
tamasvajk
left a comment
There was a problem hiding this comment.
Looks good to me.
I'll need to adjust the indexing a bit after #11588 is merged. There are some special cases of $default extension methods.
3 participants
Adapts
PathSanitizer.qllso that it works properly on Kotlin codebases too. Mainly handles$defaultmethods (which have a different name) and extension methods (which have a different declaring type and receiver position).Note the considerable amount of
MISSING/SPURIOUSalerts in the Kotlin test: all are due to an extraction error whereString.equalsandPath.toStringare extracted asObject.equalsandObject.toStringrespectively, causing the local taint flow calculations (which are needed for many sanitizers/guards) to fail.