Skip to content

Commit 2d00958

Browse files
committed
Address review comment
1 parent 6057b4b commit 2d00958

1 file changed

Lines changed: 12 additions & 10 deletions

File tree

java/ql/lib/semmle/code/java/security/PathSanitizer.qll

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -108,17 +108,19 @@ private class FileGetNameCall extends MethodCall {
108108
*/
109109
private predicate dotDotCheckGuard(Guard g, Expr e, boolean branch) {
110110
pathTraversalGuard(g, e, branch) and
111-
(
112-
exists(Guard previousGuard |
113-
previousGuard.(AllowedPrefixGuard).controls(g.getBasicBlock(), true)
114-
or
115-
previousGuard.(BlockListGuard).controls(g.getBasicBlock(), false)
116-
)
111+
exists(Guard previousGuard |
112+
previousGuard.(AllowedPrefixGuard).controls(g.getBasicBlock(), true)
117113
or
118-
// `File.getName` strips any directory prefix, returning only the final path
119-
// component. The only remaining path traversal risk is when that component is
120-
// itself `..`, so a check for `..` components completes the sanitization.
121-
exists(FileGetNameCall getName | localTaintFlowToPathGuard(getName, g))
114+
previousGuard.(BlockListGuard).controls(g.getBasicBlock(), false)
115+
)
116+
or
117+
// `File.getName` strips any directory prefix, returning only the final path
118+
// component. The only remaining path traversal risk is when that component is
119+
// itself `..`, so a check for `..` components on the result of `getName`
120+
// completes the sanitization.
121+
exists(FileGetNameCall getName |
122+
pathTraversalGuard(g, getName, branch) and
123+
TaintTracking::localExprTaint(getName, e)
122124
)
123125
}
124126

0 commit comments

Comments
 (0)