Apply suggestions from code review

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2026-04-30 19:26:02 +02:00 · 2021-03-22 15:07:08 -04:00
parent c19f52cd04
commit 7e55c92eb4
3 changed files with 12 additions and 11 deletions
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -10,11 +10,12 @@
 *       external/cwe/cwe-732
 */

+import java
 import TempDirUtils

 abstract class MethodAccessInsecureFileCreation extends MethodAccess {
  /**
-   * Docstring describing the file system type (ie. file, directory, ect...) returned.
+   * Docstring describing the file system type (ie. file, directory, etc...) returned.
   */
  abstract string getFileSystemType();
 }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -1,6 +1,6 @@
 /**
 * @name Temporary Directory Local information disclosure
- * @description Detect local information disclosure via the java temporary directory
+ * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
 * @kind path-problem
 * @problem.severity warning
 * @precision very-high
@@ -10,16 +10,14 @@
 *       external/cwe/cwe-732
 */

+import java
 import TempDirUtils
 import DataFlow::PathGraph

 private class MethodFileSystemFileCreation extends Method {
  MethodFileSystemFileCreation() {
    getDeclaringType() instanceof TypeFile and
-    (
-      hasName(["mkdir", "mkdirs"]) or
-      hasName("createNewFile")
-    )
+    hasName(["mkdir", "mkdirs", "createNewFile"])
  }
 }

@@ -52,11 +50,13 @@ private class FilesFileCreationSink extends FileCreationSink {
 */
 private class FilesVulnerableCreationMethodAccess extends MethodAccess {
  FilesVulnerableCreationMethodAccess() {
-    getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
-    (
-      getMethod().hasName(["write", "newBufferedWriter", "newOutputStream"])
+    exists(Method m |
+      m = this.getMethod() and
+      m.getDeclaringType().hasQualifiedName("java.nio.file", "Files")
+    |
+      m.hasName(["write", "newBufferedWriter", "newOutputStream"])
      or
-      getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and
+      m.hasName(["createFile", "createDirectory", "createDirectories"]) and
      getNumArgument() = 1
    )
  }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -30,7 +30,7 @@ private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPr
 }

 /**
- * All `java.io.File::createTempFile` methods.
+ * A `java.io.File::createTempFile` method.
 */
 class MethodFileCreateTempFile extends Method {
  MethodFileCreateTempFile() {