@@ -10,6 +10,7 @@ private import semmle.code.java.dataflow.SSA
1010private import semmle.code.java.frameworks.kotlin.IO
1111private import semmle.code.java.frameworks.kotlin.Text
1212private import semmle.code.java.dataflow.Nullness
13+ private import semmle.code.java.security.Sanitizers
1314
1415/** A sanitizer that protects against path injection vulnerabilities. */
1516abstract class PathInjectionSanitizer extends DataFlow:: Node { }
@@ -470,12 +471,7 @@ private class DirectoryCharactersGuard extends PathGuard {
470471 Expr checkedExpr ;
471472 boolean branch ;
472473
473- DirectoryCharactersGuard ( ) {
474- // Annotations are handled directly as barriers in `DirectoryCharactersSanitizer`,
475- // since they don't dominate the sanitized expression and so can't act as barrier guards.
476- not this instanceof Annotation and
477- isMatchesCall ( this , checkedExpr , branch )
478- }
474+ DirectoryCharactersGuard ( ) { isMatchesCall ( this , checkedExpr , branch ) }
479475
480476 override Expr getCheckedExpr ( ) { result = checkedExpr }
481477
@@ -501,12 +497,5 @@ private class DirectoryCharactersSanitizer extends PathInjectionSanitizer {
501497 this .asExpr ( ) instanceof ReplaceDirectoryCharactersSanitizer
502498 or
503499 this = DataFlow:: BarrierGuard< directoryCharactersGuard / 3 > :: getABarrierNode ( )
504- or
505- // Annotations don't fit into the model of barrier guards because the
506- // annotation doesn't dominate the sanitized expression, so we instead
507- // treat them as barriers directly.
508- exists ( RegexMatch rm | rm instanceof Annotation and isMatchesCall ( rm , _, true ) |
509- this .asExpr ( ) = rm .getString ( )
510- )
511500 }
512501}
0 commit comments