add query for detecting insecure temprary files

2026-04-28 10:15:14 +02:00 · 2022-01-18 11:23:22 +01:00
parent 6a53b7b233
commit 2433eafef2
10 changed files with 286 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected
@@ -0,0 +1,53 @@
+nodes
+| insecure-temporary-file.js:7:9:11:5 | tmpLocation |
+| insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n    ) |
+| insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
+| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() |
+| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() |
+| insecure-temporary-file.js:13:22:13:32 | tmpLocation |
+| insecure-temporary-file.js:13:22:13:32 | tmpLocation |
+| insecure-temporary-file.js:15:9:15:34 | tmpPath |
+| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" |
+| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" |
+| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:17:32:17:38 | tmpPath |
+| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:23:32:23:38 | tmpPath |
+| insecure-temporary-file.js:25:11:25:92 | tmpPath2 |
+| insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
+| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() |
+| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() |
+| insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
+| insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
+| insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
+| insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
+edges
+| insecure-temporary-file.js:7:9:11:5 | tmpLocation | insecure-temporary-file.js:13:22:13:32 | tmpLocation |
+| insecure-temporary-file.js:7:9:11:5 | tmpLocation | insecure-temporary-file.js:13:22:13:32 | tmpLocation |
+| insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n    ) | insecure-temporary-file.js:7:9:11:5 | tmpLocation |
+| insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() | insecure-temporary-file.js:7:23:11:5 | path.jo ... )\\n    ) |
+| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
+| insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:8:9:8:45 | os.tmpd ... mpDir() |
+| insecure-temporary-file.js:15:9:15:34 | tmpPath | insecure-temporary-file.js:17:32:17:38 | tmpPath |
+| insecure-temporary-file.js:15:9:15:34 | tmpPath | insecure-temporary-file.js:23:32:23:38 | tmpPath |
+| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:15:9:15:34 | tmpPath |
+| insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:15:9:15:34 | tmpPath |
+| insecure-temporary-file.js:17:32:17:38 | tmpPath | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:17:32:17:38 | tmpPath | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:23:32:23:38 | tmpPath | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:23:32:23:38 | tmpPath | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") |
+| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
+| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:26:22:26:29 | tmpPath2 |
+| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
+| insecure-temporary-file.js:25:11:25:92 | tmpPath2 | insecure-temporary-file.js:28:17:28:24 | tmpPath2 |
+| insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) | insecure-temporary-file.js:25:11:25:92 | tmpPath2 |
+| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
+| insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:25:22:25:92 | path.jo ... )}.md`) |
+#select
+| insecure-temporary-file.js:13:22:13:32 | tmpLocation | insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | insecure-temporary-file.js:13:22:13:32 | tmpLocation | Insecure creation of file in $@. | insecure-temporary-file.js:8:21:8:31 | os.tmpdir() | the os temp dir |
+| insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:17:22:17:49 | path.jo ... /foo/") | Insecure creation of file in $@. | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | the os temp dir |
+| insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | insecure-temporary-file.js:23:22:23:49 | path.jo ... /foo/") | Insecure creation of file in $@. | insecure-temporary-file.js:15:19:15:34 | "/tmp/something" | the os temp dir |
+| insecure-temporary-file.js:26:22:26:29 | tmpPath2 | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:26:22:26:29 | tmpPath2 | Insecure creation of file in $@. | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | the os temp dir |
+| insecure-temporary-file.js:28:17:28:24 | tmpPath2 | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | insecure-temporary-file.js:28:17:28:24 | tmpPath2 | Insecure creation of file in $@. | insecure-temporary-file.js:25:32:25:42 | os.tmpdir() | the os temp dir |
--- a/javascript/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.qlref
@@ -0,0 +1 @@
+Security/CWE-377/InsecureTemporaryFile.ql
--- a/javascript/ql/test/query-tests/Security/CWE-377/insecure-temporary-file.js
+++ b/javascript/ql/test/query-tests/Security/CWE-377/insecure-temporary-file.js
@@ -0,0 +1,30 @@
+const os = require('os');
+const uuid = require('node-uuid');
+const fs = require('fs');
+const path = require('path');
+
+(function main() {
+    var tmpLocation = path.join(
+        os.tmpdir ? os.tmpdir() : os.tmpDir(),
+        'something',
+        uuid.v4().slice(0, 8)
+    );
+
+    fs.writeFileSync(tmpLocation, content); // NOT OK
+
+    var tmpPath = "/tmp/something";
+    fs.writeFileSync(path.join("./foo/", tmpPath), content); // OK
+    fs.writeFileSync(path.join(tmpPath, "./foo/"), content); // NOT OK
+
+    fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o600}); // OK
+
+    fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: mode}); // OK - assumed unknown mode is secure
+
+    fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o666}); // NOT OK - explicitly insecure
+
+    const tmpPath2 = path.join(os.tmpdir(), `tmp_${Math.floor(Math.random() * 1000000)}.md`);
+    fs.writeFileSync(tmpPath2, content); // NOT OK
+
+    fs.openSync(tmpPath2, 'w'); // NOT OK
+    fs.openSync(tmpPath2, 'w', 0o600); // OK
+})