Java: Fix File.getName() path sanitizer#22175
Open
owen-mc wants to merge 1 commit into
Open
Conversation
File.getName() path sanitizer
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes an unsound Java path-injection model by removing java.io.File.getName() as a full java/path-injection sanitizer, and adjusting the sanitizer logic/tests to treat it as safe only when paired with an explicit .. check—preventing false negatives like those reported in issue #22144.
Changes:
- Remove the
barrierModelentry that previously treatedFile.getName()’s return value as a completepath-injectionsanitizer. - Update the path-sanitizer guard logic to recognize sanitization when a
..-check occurs after data derived fromFile.getName(). - Update the CWE-022 test to add a BAD case (no
..check) and keep a GOOD case (with a..check), plus add a change note documenting new alerts.
Show a summary per file
| File | Description |
|---|---|
| java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java | Adjusts regression test to reflect that getName() alone is not a complete path-injection sanitizer; adds BAD + guarded GOOD variants. |
| java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected | Updates expected query results to include the newly-detected path-injection flow for the BAD case. |
| java/ql/lib/semmle/code/java/security/PathSanitizer.qll | Updates sanitizer-guard recognition so getName() can contribute to sanitization only when followed by a .. check. |
| java/ql/lib/ext/java.io.model.yml | Removes the barrierModel row marking File.getName() as a path-injection barrier. |
| java/ql/lib/change-notes/2026-07-11-file-getname-path-sanitizer.md | Documents the modeling change and that it may produce new alerts. |
Review details
- Files reviewed: 5/5 changed files
- Comments generated: 0
- Review effort level: Low
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reported in #22144. I have now downgraded it to a partial sanitizer. The return value has to be checked to confirm that it doesn't have any ".." components to become fully sanitized.