Fix bug so += File.separator is recognized

owen-mc · owen-mc · commit 6a4fa3afe664 · 2026-04-18T20:02:32.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversal.qll
@@ -40,8 +40,11 @@ private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, Chara
   CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
 }
 
-private class FileSeparatorAppend extends AddExpr {
-  FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
+private class FileSeparatorAppend extends BinaryExpr {
+  FileSeparatorAppend() {
+    this.(AddExpr).getRightOperand() instanceof FileSeparatorExpr or
+    this.(AssignAddExpr).getRightOperand() instanceof FileSeparatorExpr
+  }
 }
 
 private predicate isSafe(Expr expr) {
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected
@@ -14,4 +14,3 @@
 | PartialPathTraversalTest.java:176:14:176:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
 | PartialPathTraversalTest.java:194:18:194:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
 | PartialPathTraversalTest.java:212:14:212:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
-| PartialPathTraversalTest.java:234:14:234:54 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -231,7 +231,7 @@ void foo24(File parent) throws IOException {
     void foo25(File parent) throws IOException {
         String path = parent.getCanonicalPath();
         path += File.separator;
-        if (!dir().getCanonicalPath().startsWith(path)) { // $ SPURIOUS: Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
+        if (!dir().getCanonicalPath().startsWith(path)) {
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -40,8 +40,11 @@ private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, Chara`
`40`	`40`	`CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }`
`41`	`41`	`}`
`42`	`42`
`43`		`-private class FileSeparatorAppend extends AddExpr {`
`44`		`- FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }`
	`43`	`+private class FileSeparatorAppend extends BinaryExpr {`
	`44`	`+ FileSeparatorAppend() {`
	`45`	`+ this.(AddExpr).getRightOperand() instanceof FileSeparatorExpr or`
	`46`	`+ this.(AssignAddExpr).getRightOperand() instanceof FileSeparatorExpr`
	`47`	`+ }`
`45`	`48`	`}`
`46`	`49`
`47`	`50`	`private predicate isSafe(Expr expr) {`
Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ void foo24(File parent) throws IOException {`
`231`	`231`	`void foo25(File parent) throws IOException {`
`232`	`232`	`String path = parent.getCanonicalPath();`
`233`	`233`	`path += File.separator;`
`234`		`- if (!dir().getCanonicalPath().startsWith(path)) { // $ SPURIOUS: Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]`
	`234`	`+ if (!dir().getCanonicalPath().startsWith(path)) {`
`235`	`235`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`236`	`236`	`}`
`237`	`237`	`}`