Java: CWE-200: Temp directory local information disclosure vulnerability

java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure1.ql

@@ -0,0 +1,72 @@
+/**
+ * @name Temporary Directory Local information disclosure
+ * @description Detect local information disclosure via the java temporary directory
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id java/local-information-disclosure
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import TempDirUtils
+
+/**
+ * All `java.io.File::createTempFile` methods.
+ */
+class MethodFileCreateTempFile extends Method {
+  MethodFileCreateTempFile() {
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName("createTempFile")
+  }
+}
+
+class TempDirSystemGetPropertyToAnyConfig extends TaintTracking::Configuration {
+  TempDirSystemGetPropertyToAnyConfig() { this = "TempDirSystemGetPropertyToAnyConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof MethodAccessSystemGetPropertyTempDir
+  }
+
+  override predicate isSink(DataFlow::Node source) { any() }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalFileTaintStep(node1, node2)
+  }
+}
+
+abstract class MethodAccessInsecureFileCreation extends MethodAccess { }
+
+/**
+ * Insecure calls to `java.io.File::createTempFile`.
+ */
+class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCreation {
+  MethodAccessInsecureFileCreateTempFile() {
+    this.getMethod() instanceof MethodFileCreateTempFile and
+    (
+      this.getNumArgument() = 2 or
+      getArgument(2) instanceof NullLiteral or
+      // There exists a flow from the 'java.io.tmpdir' system property to this argument
+      exists(TempDirSystemGetPropertyToAnyConfig config |
+        config.hasFlowTo(DataFlow::exprNode(getArgument(2)))
+      )
+    )
+  }
+}
+
+class MethodGuavaFilesCreateTempFile extends Method {
+  MethodGuavaFilesCreateTempFile() {
+    getDeclaringType().hasQualifiedName("com.google.common.io", "Files") and
+    hasName("createTempDir")
+  }
+}
+
+class MethodAccessInsecureGuavaFilesCreateTempFile extends MethodAccessInsecureFileCreation {
+  MethodAccessInsecureGuavaFilesCreateTempFile() {
+    getMethod() instanceof MethodGuavaFilesCreateTempFile
+  }
+}
+
+from MethodAccessInsecureFileCreation methodAccess
+select methodAccess,
+  "Local information disclosure vulnerability due to use of file or directory readable by other local users."

java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Temporary Directory Local information disclosure
+ * @description Detect local information disclosure via the java temporary directory
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id java/local-information-disclosure
+ * @tags security
+ *       external/cwe/cwe-200
+ */
+
+import TempDirUtils
+import DataFlow::PathGraph
+
+private class MethodFileSystemCreation extends Method {
+  MethodFileSystemCreation() {
+    getDeclaringType() instanceof TypeFile and
+    (
+      hasName("mkdir") or
+      hasName("createNewFile")
+    )
+  }
+}
+
+private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Configuration {
+  TempDirSystemGetPropertyToCreateConfig() { this = "TempDirSystemGetPropertyToCreateConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof MethodAccessSystemGetPropertyTempDir
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isAdditionalFileTaintStep(node1, node2)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists (MethodAccess ma |
+      ma.getMethod() instanceof MethodFileSystemCreation and
+      ma.getQualifier() = sink.asExpr()
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, TempDirSystemGetPropertyToCreateConfig conf
+where conf.hasFlowPath(source, sink)
+select source.getNode(), source, sink,
+  "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users.", source.getNode(),
+  "system temp directory"

java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll

@@ -0,0 +1,46 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+class MethodAccessSystemGetPropertyTempDir extends MethodAccessSystemGetProperty {
+  MethodAccessSystemGetPropertyTempDir() { this.hasCompileTimeConstantGetPropertyName("java.io.tmpdir") }
+}
+
+/**
+ * Find dataflow from the temp directory system property to the `File` constructor.
+ * Examples:
+ *  - `new File(System.getProperty("java.io.tmpdir"))`
+ *  - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
+ */
+private predicate isTaintedFileCreation(Expr expSource, Expr exprDest) {
+  exists(ConstructorCall construtorCall |
+    construtorCall.getConstructedType() instanceof TypeFile and
+    construtorCall.getArgument(0) = expSource and
+    construtorCall = exprDest
+  )
+}
+
+/**
+ * Any `File` methods that 
+ */
+private class TaintFollowingFileMethod extends Method {
+  TaintFollowingFileMethod() {
+    getDeclaringType() instanceof TypeFile and
+    (
+      hasName("getAbsoluteFile") or
+      hasName("getCanonicalFile")
+    )
+  }
+}
+
+private predicate isTaintFollowingFileTransformation(Expr expSource, Expr exprDest) {
+  exists(MethodAccess fileMethodAccess |
+    fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
+    fileMethodAccess.getQualifier() = expSource and
+    fileMethodAccess = exprDest
+  )
+}
+
+predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  isTaintedFileCreation(node1.asExpr(), node2.asExpr()) or
+  isTaintFollowingFileTransformation(node1.asExpr(), node2.asExpr())
+}