From 45d12fe3311fa77adce2e0f3d64994ef42f57558 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 25 Feb 2025 16:09:50 -0500
Subject: [PATCH] Java: move tests to lib

---
 .../library-tests/pathsanitizer/Test.java | 28 +++++++++++
 .../CWE-022/semmle/tests/TaintedPath.java | 47 -------------------
 2 files changed, 28 insertions(+), 47 deletions(-)

diff --git a/java/ql/test/library-tests/pathsanitizer/Test.java b/java/ql/test/library-tests/pathsanitizer/Test.java
index d3285352fa38..947c2ddd37f5 100644
--- a/java/ql/test/library-tests/pathsanitizer/Test.java
+++ b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -604,4 +604,32 @@ public void fileConstructorSanitizer() throws Exception {
 sink(normalized); // $ hasTaintFlow
 }
 }
+
+ private void directoryCharsValidation(String path) throws Exception {
+ // TODO
+ }
+
+ public void directoryCharsSanitizer() throws Exception {
+ {
+ String source = (String) source();
+ // Ensures that directory characters (/, \ and ..) cannot possibly be in the payload
+ if (source.matches("[0-9a-fA-F]{20,}")) {
+ sink(source); // Safe
+ } else {
+ sink(source); // $ hasTaintFlow
+ }
+ }
+ {
+ String source = (String) source();
+ // Removes all ".." sequences and path separators from the payload
+ source = source.replaceAll("\\.\\.|[/\\\\]", "");
+ sink(source); // Safe
+ }
+ {
+ String source = (String) source();
+ // Removes all ".." sequences and path separators from the payload
+ source = source.replaceAll("\\.", "").replaceAll("/", "");
+ sink(source); // Safe
+ }
+ }
 }
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
index 0f18eeac3674..14bd451b7f1b 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
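Review bot: The comment above the third block's `source = source.replaceAll("\\.", "").replaceAll("/", "");` overstates what that call does — it strips every `.` and every forward slash but leaves backslashes untouched, so it is not the same sanitizer shape as the `"\\.\\.|[/\\\\]"` pattern in the second block, yet both carry the identical comment. Suggest `// Removes all "." characters and forward slashes from the payload (backslashes are left in place)` so the two cases read as the distinct sanitizer shapes they are meant to exercise. The `directoryCharsValidation(String path)` stub added just above `directoryCharsSanitizer` is left as `// TODO` with no caller; either fill it in or drop it so the test file does not carry an empty placeholder with an unused parameter. The enclosing class starts outside the hunk.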
@@ -87,51 +87,4 @@ public void sendUserFileGood4(Socket sock, String user) throws IOException {
 fileLine = fileReader.readLine();
 }
 }
-
- // TODO : New tests
-
- public void sendUserFileGood5(Socket sock, String user) throws IOException {
- BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
- // GOOD: remove all ".." sequences and path separators from the filename
- String filename = filenameReader.readLine().replaceAll("\\.", "").replaceAll("/", "");
- BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // GOOD
- String fileLine = fileReader.readLine();
- while(fileLine != null) {
- sock.getOutputStream().write(fileLine.getBytes());
- fileLine = fileReader.readLine();
- }
- }
-
- public void sendUserFileGood6(Socket sock, String user) throws IOException {
- BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
- String filename = filenameReader.readLine();
- // GOOD: remove all ".." sequences and path separators from the filename
- filename = filename.replaceAll("\\.\\.|[/\\\\]", "");
- BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // GOOD
- String fileLine = fileReader.readLine();
- while(fileLine != null) {
- sock.getOutputStream().write(fileLine.getBytes());
- fileLine = fileReader.readLine();
- }
- }
-
- public void sendUserFileGood7(Socket sock, String user) throws Exception {
- BufferedReader filenameReader =
- new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
- String filename = filenameReader.readLine();
-
- // GOOD: ensure that that /, \ and .. cannot possibly be in the payload
- if (filename.matches("[0-9a-fA-F]{20,}")) {
- final Path pathObject = FileSystems.getDefault().getPath(filename); // summary now, see https://github.com/github/codeql/commit/19cb7adb6db17a3131b7db93482abc6a0d93ceff#diff-4b91db1bd2a19ab607f83fbe858f0ceffd942d1fb246739c731112367c865f88L8
-
- BufferedReader fileReader = new BufferedReader(new FileReader(pathObject.toString())); // GOOD
- String fileLine = fileReader.readLine();
- while (fileLine != null) {
- sock.getOutputStream().write(fileLine.getBytes());
- fileLine = fileReader.readLine();
- }
- }
-
- }
-
 }