Commit 9f310c2

Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal
Java: fix bug in partial path traversal
2 parents 2764580 + c6f641e commit 9f310c2

5 files changed, +86 -68 lines changed
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
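
Review bot: The change note on added line 4 says what is now recognized but not how results change for users. Consider stating whether `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` will report fewer or more alerts once separator appends written with `+=` are recognized, so that readers of the changelog can interpret a difference in their alert counts.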

java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll

Lines changed: 5 additions & 2 deletions
@@ -40,8 +40,11 @@ private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, Chara
4040
CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
4141
}
4242

43-
private class FileSeparatorAppend extends AddExpr {
44-
FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
43+
private class FileSeparatorAppend extends BinaryExpr {
44+
FileSeparatorAppend() {
45+
this.(AddExpr).getRightOperand() instanceof FileSeparatorExpr or
46+
this.(AssignAddExpr).getRightOperand() instanceof FileSeparatorExpr
47+
}
4548
}
4649

4750
private predicate isSafe(Expr expr) {
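
Review bot: The new characteristic predicate of `FileSeparatorAppend` repeats `getRightOperand() instanceof FileSeparatorExpr` in both disjuncts through the inline casts `this.(AddExpr)` and `this.(AssignAddExpr)`. Since the class now extends `BinaryExpr`, the type restriction and the operand check could each be written once, for example `(this instanceof AddExpr or this instanceof AssignAddExpr) and this.getRightOperand() instanceof FileSeparatorExpr`. A one-line QLDoc comment on the class saying it covers both `x + sep` and `x += sep` would also help, because the name and the visible lines carry no documentation of the widened scope.
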
Lines changed: 4 additions & 1 deletion
@@ -1 +1,4 @@
1-
Security/CWE/CWE-023/PartialPathTraversal.ql
1+
query: Security/CWE/CWE-023/PartialPathTraversal.ql
2+
postprocess:
3+
- utils/test/PrettyPrintModels.ql
4+
- utils/test/InlineExpectationsTestQuery.ql
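
Review bot: With `utils/test/InlineExpectationsTestQuery.ql` added under `postprocess:`, this test now depends on inline expectation comments in the test sources, which are not shown in this view. Please confirm that those sources include a case that appends the file separator with `+=`, so the behavior described in the change note is pinned by the test and not only by the library change.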
