Merge pull request #7626 from erik-krogh/CWE-377

JS: add query for detecting insecure temporary files
2026-04-30 11:15:13 +02:00 · 2022-05-16 15:25:17 +02:00
parent a9f6d203cd 4c317f5753
commit 23981cb323
10 changed files with 292 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
+++ b/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Temporary files created in the operating system's temporary directory are by default accessible 
+to other users. In some cases, this can lead to information exposure, or in the worst 
+case, to remote code execution.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use a well-tested library like <a href="https://www.npmjs.com/package/tmp">tmp</a> 
+for creating temporary files. These libraries ensure both that the file is inaccessible
+to other users and that the file does not already exist.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example creates a temporary file in the operating system's temporary directory.
+</p>
+<sample src="examples/insecure-temporary-file.js" />
+
+<p>
+The file created above is accessible to other users, and there is no guarantee that
+the file does not already exist. 
+</p>
+<p>
+The below example uses the <a href="https://www.npmjs.com/package/tmp">tmp</a> library
+to securely create a temporary file.
+</p>
+<sample src="examples/secure-temporary-file.js" />
+
+</example>
+
+<references>
+<li>Mitre.org: <a href="https://cwe.mitre.org/data/definitions/377.html">CWE-377</a>.</li>
+<li>NPM: <a href="https://www.npmjs.com/package/tmp">tmp</a>.</li>
+</references>
+
+</qhelp>
--- a/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
+++ b/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Insecure temporary file
+ * @description Creating a temporary file that is accessible by other users TODO:
+ * @kind path-problem
+ * @id js/insecure-temporary-file
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision medium
+ * @tags external/cwe/cwe-377
+ *       external/cwe/cwe-378
+ *       security
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.InsecureTemporaryFileQuery
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Insecure creation of file in $@.", source.getNode(),
+  "the os temp dir"
--- a/javascript/ql/src/Security/CWE-377/examples/insecure-temporary-file.js
+++ b/javascript/ql/src/Security/CWE-377/examples/insecure-temporary-file.js
@@ -0,0 +1,6 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
+fs.writeFileSync(file, "content");
--- a/javascript/ql/src/Security/CWE-377/examples/secure-temporary-file.js
+++ b/javascript/ql/src/Security/CWE-377/examples/secure-temporary-file.js
@@ -0,0 +1,5 @@
+const fs = require('fs');
+const tmp = require('tmp');
+
+const file = tmp.fileSync().name;
+fs.writeFileSync(file, "content");
--- a/javascript/ql/src/change-notes/2022-01-18-insecure-temporary-file.md
+++ b/javascript/ql/src/change-notes/2022-01-18-insecure-temporary-file.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* A new query `js/insecure-temporary-file` has been added. The query detects the creation of temporary files that may be accessible by others users. The query is not run by default.