The Wayback Machine - http://web.archive.org/web/20251230231133/https://github.com/github/codeql/pull/7712
github / codeql (Public)
Merged: atorralba merged 11 commits into github:main from luchua-bc:java/file-path-injection on Feb 16, 2022
Conversation (63) · Commits (11) · Checks (0) · Files changed

Conversation
luchua-bc (Contributor), PR description:
External Control of File Name or Path, also called File Path Injection, is a common attack, and injection attacks are listed as one of the top attacks in the OWASP Top Ten 2021.
Loading files based on unvalidated user input may cause file information disclosure, and uploading files with unvalidated file types to an arbitrary directory may lead to Remote Command Execution (RCE).
JFinal is a widely used Web + ORM framework, which has 1.4K forks and 3.2k stars on GitHub. Multiple CWEs have been submitted for File Path Injection attacks associated with this framework.
One sample CWE and its details can be found at Issue #115: ZrLog 2.2.2 Remote command execution vulnerability. Another one can be found at Issue #27: File reading.
This query detects unsafe file loading/downloading operations in code repositories that consume this framework. Please consider merging this PR. Thanks.
Commit: File path injection with the JFinal framework (27043a0)
luchua-bc requested a review from a team as a code owner, January 23, 2022 18:20
github-actions bot added the documentation and Java labels, Jan 23, 2022
luchua-bc mentioned this pull request, Jan 23, 2022: [Java]: CWE-073 - File path injection with the JFinal framework (github/securitylab#527, Closed, 2 tasks)
luchua-bc (Contributor, Author) commented:
Following up on the comment @smowton made with PR# 7286 that java.nio.file.Path normalization check and other path traversal checks are worth having in general, I've created a separate PathSanitizer library with the generic name Path Traversal (not unsafe URL forward) so that the library can be promoted as a shared lib that can be used by other queries as well.
atorralba reviewed, Feb 7, 2022
atorralba (Contributor) left a comment (edited):
Hey @luchua-bc, thanks for your contribution.
I added some inline comments but, in general, I think this query mostly overlaps with java/path-injection and they should probably be merged at some point (probably during promotion). So IMO the valuable contributions here are the JFinal sources and the PathSanitizer.qll library. The latter I didn't review in detail again since it was mostly taken from #7286.
Inline review threads on:
- java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql (2, outdated)
- java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.qhelp (5, outdated)
- java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll (3)
luchua-bc (Contributor, Author) commented:
Thanks @atorralba for reviewing this PR. I'll work on suggested changes.
The library PathSanitizer.qll does overlap with PR# 7286 and is actually taken from that PR then renamed. The rationale is that all queries requiring a path traversal check can use the shared library. Shall I move it to the directory experimental.semmle.code.java.security?
And I noticed one thing when testing this query. That is, we included indexOf and lastIndexOf since they are methods commonly used in partial string match, however, they are different from the boolean check contains, startsWith, matches, and regionMatches as they are typically compared with the value -1, e.g. path.indexOf("..") == -1 instead of !path.contains(".."). I tried to enhance the library by adding the integer comparison check but it doesn't seem to fit in the BarrierGuard that you and Chris helped to design. Would you please shed some light on this issue?
Once this PR is merged, I will create a separate PR to replace UnsafeUrlForward.qll in the unsafe URL forward/dispatcher query with the new one.
Thanks,
@luchua-bc
Commit: Correct the data model and update qldoc (ff4826d)
atorralba (Contributor) commented:
> The library PathSanitizer.qll does overlap with PR# 7286 and is actually taken from that PR then renamed. The rationale is that all queries requiring a path traversal check can use the shared library. Shall I move it to the directory experimental.semmle.code.java.security?
> And I noticed one thing when testing this query. That is, we included indexOf and lastIndexOf since they are methods commonly used in partial string match, however, they are different from the boolean check contains, startsWith, matches, and regionMatches as they are typically compared with the value -1, e.g. path.indexOf("..") == -1 instead of !path.contains(".."). I tried to enhance the library by adding the integer comparison check but it doesn't seem to fit in the BarrierGuard that you and Chris helped to design. Would you please shed some light on this issue?
I think it makes sense for that to be in the main library, but it probably should be in a different PR. That way, this PR would only contain the experimental query and would be easier to approve/merge. If you decide to do so, we can discuss the approach to supporting indexOf and lastIndexOf in the other PR.
luchua-bc (Contributor, Author) commented:
> > The library PathSanitizer.qll does overlap with PR# 7286 and is actually taken from that PR then renamed. The rationale is that all queries requiring a path traversal check can use the shared library. Shall I move it to the directory experimental.semmle.code.java.security?
> > And I noticed one thing when testing this query. That is, we included indexOf and lastIndexOf since they are methods commonly used in partial string match, however, they are different from the boolean check contains, startsWith, matches, and regionMatches as they are typically compared with the value -1, e.g. path.indexOf("..") == -1 instead of !path.contains(".."). I tried to enhance the library by adding the integer comparison check but it doesn't seem to fit in the BarrierGuard that you and Chris helped to design. Would you please shed some light on this issue?
> I think it makes sense for that to be in the main library, but it probably should be in a different PR. That way, this PR would only contain the experimental query and would be easier to approve/merge. If you decide to do so, we can discuss the approach to supporting indexOf and lastIndexOf in the other PR.
I like the idea. Let's complete this PR as an experimental query then I'll submit a new PR to the main directory that supports indexOf and lastIndexOf.
luchua-bc added 2 commits, February 9, 2022 03:24:
- Use data model for request/session attribute operations (4609227)
- Fixed an issue related to normalized path (ce03aeb)
luchua-bc (Contributor, Author) commented:
@atorralba - I've fixed an issue related to normalized paths in the latest commit to successfully detect the following test case:
```java
// GOOD: Upload file to user specified path with path normalization and validation
public void uploadFile2() throws IOException {
    String savePath = getPara("dir");
    File file = getFile("fileParam").getFile();
    String finalFilePath = BASE_PATH + savePath;
    Path path = Paths.get(finalFilePath).normalize();
```
As the method call is after the Paths.get(...) call, a regular sanitizer doesn't help therefore I made the new change.
atorralba reviewed, Feb 10, 2022
atorralba (Contributor) left a comment (edited):
I'm not sure I like the approach of sanitizing any sink that flows to a normalize call. It could do so conditionally, or the normalized value could never be checked.
This is actually a shortcoming of the current java/path-injection query too, and it needs to be fixed — but I don't think this is the proper way to do it. I can't suggest a better alternative at the moment, though.
Anyway, I added a small suggestion if you decide to keep this.
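An added example, written for this page and not taken from the PR, from CodeQL or from JFinal, to make concrete the point running through the PR description, luchua-bc's uploadFile2 test case and the review comment above: a normalize() call by itself decides nothing about where a path ends up, and an indexOf("..") == -1 style check of the kind the PathSanitizer library recognises is only a substring test on the raw string. The upload root, the request parameters and the class name are constructed for the example, no JFinal classes are used (plain java.nio.file only), and POSIX path semantics are assumed.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not code from the PR or from JFinal): normalising a
 * user-controlled path versus actually confining it to an upload root.
 * The root and the inputs in main() are constructed for the example.
 */
public class ConfinedPathExample {

    // Hypothetical upload root, standing in for the BASE_PATH of the PR's test case.
    static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * BAD: concatenate, then normalize() without looking at the result.
     * For dir "../../etc" and file "passwd" this yields /var/etc/passwd, outside
     * the root, and nothing ever compares it against the root. This is the shape
     * the review objects to: a normalize() call alone is not a sanitizer.
     */
    static Path resolveNormalizedOnly(String userDir, String fileName) {
        String joined = UPLOAD_ROOT + "/" + userDir + "/" + fileName;
        return Paths.get(joined).normalize();
    }

    /**
     * WEAK: the substring check in its indexOf(..) == -1 form. It rejects a
     * literal "..", but an absolute path contains none, and "%2e%2e" only
     * becomes ".." if some later layer decodes it, after this check has run.
     */
    static boolean containsNoDotDot(String userDir) {
        return userDir.indexOf("..") == -1; // same predicate as !userDir.contains("..")
    }

    /**
     * GOOD: resolve against the root, normalize, then check that the *result*
     * is still under the root. Path.resolve() with an absolute argument discards
     * the root entirely, so the startsWith check is what enforces confinement.
     */
    static Path resolveConfined(String userDir, String fileName) {
        Path candidate;
        try {
            candidate = UPLOAD_ROOT.resolve(userDir).resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed path component", e);
        }
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed request parameters: {dir parameter, uploaded file name}.
        String[][] requests = {
            {"alice", "report.pdf"},          // benign
            {"../../etc", "passwd"},          // classic traversal: both checks reject
            {"/etc", "shadow"},               // absolute path: passes the ".." check, fails confinement
            {"%2e%2e/%2e%2e", "x.txt"},       // encoded "..": a literal component at this layer, so both accept;
                                              // decode before checking if a later layer would decode it
        };
        for (String[] r : requests) {
            System.out.printf("dir=%-16s file=%-10s%n", r[0], r[1]);
            System.out.println("  normalized only : " + resolveNormalizedOnly(r[0], r[1]));
            System.out.println("  indexOf check   : " + (containsNoDotDot(r[0]) ? "accept" : "reject"));
            try {
                System.out.println("  confined        : " + resolveConfined(r[0], r[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("  confined        : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check worth recognising as a barrier is the startsWith comparison on the normalized result, not the normalize() call or the substring test that precedes it; the "/etc" row is the case that separates the three.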
Inline review thread on java/ql/src/experimental/Security/CWE/CWE-073/PathSanitizer.qll (outdated)
luchua-bc added 5 commits, February 11, 2022 01:05:
- Simplify the query (12c53ba)
- Update normalized path node (e3d0e9f)
- Match attribute name to reduce FP (78630f2)
- Model value passing between a setter and a getter call as a value step (35a9242)
- Remove specified value step from additional taint step (2b5982f)
atorralba reviewed, Feb 15, 2022
Inline review thread on java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll (outdated)
Commit: Remove the same callable constraint (fd533f2)
smowton reviewed, Feb 15, 2022
Inline review threads on:
- java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.qhelp (2, outdated)
- java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll (4, outdated)
smowton (Contributor) commented:
Commit: Move shared code to the lib folder and update qldoc (40bf093)
luchua-bc (Contributor, Author) commented (edited):
Thanks @smowton for reviewing this PR. As per your advice, I've moved PathSanitizer.qll to the shared lib directory. And I will submit a small PR to clean up the other query once this one is approved and merged.
smowton approved these changes, Feb 16, 2022
atorralba merged commit 111aabb into github:main, Feb 16, 2022
luchua-bc deleted the java/file-path-injection branch, February 16, 2022 16:08
luchua-bc mentioned this pull request, Feb 16, 2022: CWE-552: Switch to the shared PathSanitizer library (#8055, Merged)
Reviewers: smowton (approved)
Assignees: none
Labels: documentation, Java
Milestone: none