[RESOLVED] LocalTaint flow from getParameter to File constructor

[CaledoniaProject]

Take the following controller for example

protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
   String dirname = req.getParameter("dirname");
   new File(application.getRealPath("/") + "/" + dirname);
}

I'm trying to learn codeql by creating a local taint flow from getParameter to the File constructor:

import java
import semmle.code.java.frameworks.spring.SpringController
import semmle.code.java.dataflow.TaintTracking
from Method method, Callable callable, Call call
where

method.hasName("getParameter")
and method.getDeclaringType().getAnAncestor().hasQualifiedName("javax.servlet", "ServletRequest")

and call.getCallee() = callable
and callable.hasName("File") 
and callable.getDeclaringType().hasQualifiedName("java.io", "File")
and TaintTracking::localTaint(DataFlow::ParameterNode(method.getAParameter()), DataFlow::exprNode(call.getArgument(0))) 
select callable

The query above is invalid, can you help me fix it?

[smowton]

DataFlow::ParameterNode should be DataFlow::parameterNode (lowercase 'p').

In general by convention, predicate names and fields are lower-camel-case and class and module names are upper-camel-case.

[CaledoniaProject]

Thanks, I've fixed the predicate name, but it still produces no results. Then I tried to debug it by commenting out the local taint line, and all calls to new File are found. So the problem is from the local taint.

import java
import semmle.code.java.frameworks.spring.SpringController
import semmle.code.java.dataflow.TaintTracking
from Method method, Callable callable, Call call
where

method.hasName("getParameter")
and method.getDeclaringType().getAnAncestor().hasQualifiedName("javax.servlet", "ServletRequest")

and call.getCallee() = callable
and callable.hasName("File") 
and callable.getDeclaringType().hasQualifiedName("java.io", "File")
// and TaintTracking::localTaint(DataFlow::parameterNode(method.getAParameter()), DataFlow::exprNode(call.getArgument(0))) 
select callable, call

[hvitved]

I think the problem is that you should not be asking for flow from a parameter of method, but rather from the result of calling method. I.e., instead of

TaintTracking::localTaint(DataFlow::parameterNode(method.getAParameter()), DataFlow::exprNode(call.getArgument(0))) 

try

TaintTracking::localTaint(DataFlow::exprNode(any(MethodAccess ma | ma.getCallee() = method)), DataFlow::exprNode(call.getArgument(0)))