2.17.5 Upgrade #16744
Manual Merge: C# ZipSlip Conflict
Compatible with the latest released version of the CodeQL CLI
This pr is auto merged as it contains a mandatory file and is opened for more than 10 days.
…ection Fixing FP case for Insecure SQL connection
Merge upstream/v2.17.4
Compatible with CodeQL CLI 2.17.4
Import v2.17.4 commit history
QHelp previews: csharp/ql/src/Security Features/CWE-022/ZipSlip.qhelp

Arbitrary file access during archive extraction ("Zip Slip")

Extracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. Zip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element ( For example, if a zip file contains a file entry

Recommendation

Ensure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations. The recommended way of writing an output file from a zip archive entry is to conduct the following in sequence:

Example

In this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like

```csharp
using System.IO;
using System.IO.Compression;

class Bad
{
    public static void WriteToDirectory(ZipArchiveEntry entry,
                                        string destDirectory)
    {
        // The entry name is trusted as-is, so ".." segments can escape destDirectory.
        string destFileName = Path.Combine(destDirectory, entry.FullName);
        entry.ExtractToFile(destFileName);
    }
}
```

To fix this vulnerability, we need to make three changes. Firstly, we need to resolve any directory traversal or other special characters in the path by using

```csharp
using System.IO;
using System.IO.Compression;

class Good
{
    public static void WriteToDirectory(ZipArchiveEntry entry,
                                        string destDirectory)
    {
        // Normalise the combined path so ".." segments are resolved before the check.
        string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
        // Trailing separator so a sibling directory with a longer name is not accepted as a prefix.
        string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
        if (!destFileName.StartsWith(fullDestDirPath)) {
            throw new System.InvalidOperationException("Entry is outside the target dir: " +
                                                       destFileName);
        }
        entry.ExtractToFile(destFileName);
    }
}
```

References
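The Combine, GetFullPath and prefix-check sequence from the qhelp, applied to a whole archive and exercised against a constructed in-memory zip that carries one traversal entry. This is an added example, not code from ZipSlip.qhelp or the CodeQL repository; it assumes .NET 6 or later and writes into a temp directory.

```csharp
// Added example (not part of ZipSlip.qhelp or CodeQL). Assumes .NET 6+, which ships
// System.IO.Compression and the ZipFileExtensions.ExtractToFile extension method.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;

static class ZipSlipDemo
{
    // Extracts every entry that resolves inside destDirectory and returns the names
    // it refused: the qhelp's Combine -> GetFullPath -> prefix check, per entry.
    public static List<string> ExtractSafely(ZipArchive archive, string destDirectory)
    {
        var rejected = new List<string>();
        // Trailing separator stops "c:\out" from accepting "c:\output\x" as a prefix match.
        string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
            // Ordinal comparison: a culture-aware StartsWith is not a byte-wise prefix test.
            if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))
            {
                rejected.Add(entry.FullName);
                continue;
            }
            // Directory entries have an empty Name; just create the directory.
            if (entry.Name.Length == 0) { Directory.CreateDirectory(destFileName); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(destFileName)!);
            entry.ExtractToFile(destFileName, overwrite: true);
        }
        return rejected;
    }

    static void Main()
    {
        // Constructed sample archive: one benign entry and one "../" traversal entry.
        var buffer = new MemoryStream();
        using (var zip = new ZipArchive(buffer, ZipArchiveMode.Create, leaveOpen: true))
        {
            using (var w = new StreamWriter(zip.CreateEntry("docs/readme.txt").Open())) w.Write("fine");
            using (var w = new StreamWriter(zip.CreateEntry("../outside.txt").Open())) w.Write("not fine");
        }
        buffer.Position = 0;
        string dest = Path.Combine(Path.GetTempPath(), "zipslip-demo", "out");
        Directory.CreateDirectory(dest);
        using var archive = new ZipArchive(buffer, ZipArchiveMode.Read);
        foreach (string name in ExtractSafely(archive, dest))
            Console.WriteLine("rejected: " + name);
    }
}
```

Only docs/readme.txt lands under the output directory; the traversal entry is reported as rejected instead of being written next to it.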
|
TaintTrackingConfiguration() { this = "ZipSlipTaintTracking" } | ||
class RootSanitizerMethodCall extends SanitizerMethodCall { | ||
RootSanitizerMethodCall() { | ||
exists(MethodSystemStringStartsWith sm | this.getTarget() = sm) and |
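Review bot: the `exists(MethodSystemStringStartsWith sm | this.getTarget() = sm)` in `RootSanitizerMethodCall()` binds `sm` only to test its type, which is what the code-scanning warning on `sm` points at; `this.getTarget() instanceof MethodSystemStringStartsWith` expresses the same condition without the extra variable.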
Code scanning / CodeQL warning: Expression can be replaced with a cast (on `sm`)
module GetFullPathToQualifierTT = | ||
TaintTracking::Global<GetFullPathToQualifierTaintTrackingConfiguration>; | ||
|
||
private module GetFullPathToQualifierTaintTrackingConfiguration implements DataFlow::ConfigSig { |
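Review bot: `GetFullPathToQualifierTaintTrackingConfiguration` implements `DataFlow::ConfigSig`, and the style rule behind the "Data flow configuration module naming" warning expects such module names to end in `Config`; renaming it to `GetFullPathToQualifierConfig` and updating the `TaintTracking::Global<...>` instantiation above it would clear the warning.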
Code scanning / CodeQL warning: Data flow configuration module naming
*/ | ||
abstract class Sanitizer extends DataFlow::ExprNode { } | ||
private module PathCombinerToGetFullPathTaintTrackingConfiguration implements DataFlow::ConfigSig { |
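Review bot: same naming point as the other configuration modules in this change: `PathCombinerToGetFullPathTaintTrackingConfiguration` implements `DataFlow::ConfigSig` and should end in `Config`, e.g. `PathCombinerToGetFullPathConfig`, with its `TaintTracking::Global<...>` instantiation updated to match.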
Code scanning / CodeQL warning: Data flow configuration module naming
* ... | ||
* } | ||
*/ | ||
private module SanitizedGuardTaintTrackingConfiguration implements DataFlow::ConfigSig { |
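Review bot: `SanitizedGuardTaintTrackingConfiguration` is the third `DataFlow::ConfigSig` module in this change named against the `Config` suffix convention; `SanitizedGuardConfig` would satisfy the naming check, provided the module that instantiates it is renamed in the same commit.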
Code scanning / CodeQL warning: Data flow configuration module naming
exists(Expr q, AbstractValue v | | ||
this.getQualifier() = q and | ||
v.(AbstractValues::BooleanValue).getValue() = true and | ||
exists(MethodCallGetFullPath mcGetFullPath | safeCombineGetFullPathSequence(mcGetFullPath, q)) |
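Review bot: `mcGetFullPath` on the last line is bound once and only passed through, so the inner `exists` can be written `safeCombineGetFullPathSequence(any(MethodCallGetFullPath mc), q)` (or `safeCombineGetFullPathSequence(_, q)` if that parameter is already declared with that type); that is what the "Omittable 'exists' variable" warning asks for.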
Code scanning / CodeQL warning: Omittable 'exists' variable in this argument
not exists(node.getASuccessor()) | ||
} | ||
|
||
/** A FlowStack encapsulates flows between a source and a sink, and all the pathways inbetween (possibly multiple) */ |
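Review bot: "inbetween" in the FlowStack QLDoc should be "in between"; that is the misspelling the code-scanning check reports on this line.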
Code scanning / CodeQL warning: Misspelling
/** | ||
* Get the first frame in the DataFlowStack, irregardless of whether or not it has a parent. | ||
*/ |
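Review bot: "irregardless" in this QLDoc comment should be "regardless"; the sentence then reads "Get the first frame in the DataFlowStack, regardless of whether or not it has a parent."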
Code scanning / CodeQL warning: Misspelling
/** | ||
* A user-supplied predicate which given a Stack Frame, returns some Node associated with it. | ||
*/ |
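Review bot: the QLDoc style check wants the doc comment of a predicate with a result to start with "Gets"; "Gets a node associated with the given stack frame. Supplied by the user." keeps the meaning of the current sentence and satisfies the rule.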
Code scanning / CodeQL warning: Predicate QLDoc style
@@ -115,6 +115,10 @@ | |||
(result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and | |||
//rsaz functions deemed to be too low level, and can be ignored | |||
not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and | |||
// SHA false positives | |||
(result.matches("SHA") implies not f.getName().toUpperCase().matches("%SHAKE%")) and |
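Review bot: `result.matches("SHA")` on the added line contains no `%` or `_` wildcard, so it is just an equality test spelled as a pattern match, which is what the code-scanning note flags; `result = "SHA"` is the direct form. The `"%SHAKE%"` pattern on the right-hand side is a genuine wildcard match and can stay.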
Code scanning / CodeQL note: Use of regexp to match a set of constant string
// SHA false positives | ||
(result.matches("SHA") implies not f.getName().toUpperCase().matches("%SHAKE%")) and | ||
// CAST false positives | ||
(result.matches("CAST") implies not f.getName().toUpperCase().matches(["%UPCAST%", "%DOWNCAST%"])) and |
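Review bot: `result.matches("CAST")` has the same shape as the `"SHA"` case above, a constant pattern with no wildcard, so `result = "CAST"` clears the note; the `["%UPCAST%", "%DOWNCAST%"]` patterns on the other side of the `implies` do use wildcards and are fine as written.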
Code scanning / CodeQL note: Use of regexp to match a set of constant string