add query for detecting insecure temprary files

2026-03-06 07:36:47 +01:00 · 2022-01-18 11:23:22 +01:00
parent 6a53b7b233
commit 2433eafef2
10 changed files with 286 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
+++ b/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Temporary files created in the operating system tmp directory are by default accessible 
+to other users. This can in some cases lead to information exposure, or in the worst 
+case to remote code execution.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use a well tested library like <a href="https://www.npmjs.com/package/tmp">tmp</a> 
+for creating temprary files. These libraries ensure both that the file is inaccesible
+to other users and that the file does not already exist.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example creates a temporary file in the operating system tmp directory.
+</p>
+<sample src="examples/insecure-temporary-file.js" />
+
+<p>
+The file created above is accessible to other users, and there is no guarantee that
+the file does not already exist. 
+</p>
+<p>
+The below example uses the <a href="https://www.npmjs.com/package/tmp">tmp</a> library
+to securely create a temporary file.
+</p>
+<sample src="examples/secure-temporary-file.js" />
+
+</example>
+
+<references>
+<li>Mitre.org: <a href="https://cwe.mitre.org/data/definitions/377.html">CWE-377</a>.</li>
+<li>NPM: <a href="https://www.npmjs.com/package/tmp">tmp</a>.</li>
+</references>
+
+</qhelp>
--- a/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
+++ b/javascript/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Insecure temporary file
+ * @description Creating a temporary file that is accessible by other users TODO:
+ * @kind path-problem
+ * @id js/insecure-temporary-file
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision medium
+ * @tags external/cwe/cwe-377
+ *       external/cwe/cwe-378
+ *       security
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.InsecureTemporaryFileQuery
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Insecure creation of file in $@.", source.getNode(),
+  "the os temp dir"
--- a/javascript/ql/src/Security/CWE-377/examples/insecure-temporary-file.js
+++ b/javascript/ql/src/Security/CWE-377/examples/insecure-temporary-file.js
@@ -0,0 +1,6 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
+fs.writeFileSync(file, "content");
--- a/javascript/ql/src/Security/CWE-377/examples/secure-temporary-file.js
+++ b/javascript/ql/src/Security/CWE-377/examples/secure-temporary-file.js
@@ -0,0 +1,5 @@
+const fs = require('fs');
+const tmp = require('tmp');
+
+const file = tmp.fileSync().name;
+fs.writeFileSync(file, "content");