Java: handle null parent arg

Jami Cogswell · Jami Cogswell · commit 343e3d236d81 · 2025-01-31T14:26:32.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -6,6 +6,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.frameworks.kotlin.IO
 private import semmle.code.java.frameworks.kotlin.Text
+private import semmle.code.java.dataflow.Nullness
 
 /** A sanitizer that protects against path injection vulnerabilities. */
 abstract class PathInjectionSanitizer extends DataFlow::Node { }
@@ -352,6 +353,16 @@ private class FileGetNameSanitizer extends PathInjectionSanitizer {
   }
 }
 
+/** Holds if `expr` may be null. */
+private predicate maybeNull(Expr expr) {
+  exists(DataFlow::Node src, DataFlow::Node sink |
+    src.asExpr() = nullExpr() and
+    sink.asExpr() = expr
+  |
+    DataFlow::localFlow(src, sink)
+  )
+}
+
 /** Holds if `g` is a guard that checks for `..` components. */
 private predicate pathTraversalGuard(Guard g, Expr e, boolean branch) {
   branch = g.(PathTraversalGuard).getBranch() and
@@ -367,6 +378,10 @@ private class FileConstructorSanitizer extends PathInjectionSanitizer {
   FileConstructorSanitizer() {
     exists(ConstructorCall constrCall, Argument arg |
       constrCall.getConstructedType() instanceof TypeFile and
+      // Exclude cases where the parent argument is null since the
+      // `java.io.File` documentation states that such cases are
+      // treated as if invoking the single-argument `File` constructor.
+      not maybeNull(constrCall.getArgument(0)) and
       arg = constrCall.getArgument(1) and
       (
         arg = DataFlow::BarrierGuard<pathTraversalGuard/3>::getABarrierNode().asExpr() or
