Improve system property lookup

2025-12-21 03:06:31 +01:00 · 2022-03-02 11:16:10 -05:00
parent dad9a02fbd
commit 82d3cd8924
5 changed files with 138 additions and 32 deletions
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
@@ -132,7 +132,7 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
  TempDirSystemGetPropertyToCreateConfig() { this = "TempDirSystemGetPropertyToCreateConfig" }

  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof MethodAccessSystemGetPropertyTempDirTainted
+    source.asExpr() instanceof ExprSystemGetPropertyTempDirTainted
  }

  /**
@@ -178,9 +178,9 @@ private class TempDirSystemGetPropertyDirectlyToMkdirConfig extends TaintTrackin

  override predicate isSource(DataFlow::Node node) {
    exists(
-      MethodAccessSystemGetPropertyTempDirTainted propertyGetMethodAccess, DataFlow::Node callSite
+      ExprSystemGetPropertyTempDirTainted propertyGetExpr, DataFlow::Node callSite
    |
-      DataFlow::localFlow(DataFlow::exprNode(propertyGetMethodAccess), callSite)
+      DataFlow::localFlow(DataFlow::exprNode(propertyGetExpr), callSite)
    |
      isFileConstructorArgument(callSite.asExpr(), node.asExpr(), 1)
    )
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -3,34 +3,14 @@
 */

 import java
+private import semmle.code.java.environment.SystemProperty
 import semmle.code.java.dataflow.FlowSources

 /**
- * A method that returns a `String` or `File` that has been tainted by `System.getProperty("java.io.tmpdir")`.
+ * A method or field access that returns a `String` or `File` that has been tainted by `System.getProperty("java.io.tmpdir")`.
 */
-abstract class MethodAccessSystemGetPropertyTempDirTainted extends MethodAccess { }
-
-/**
- * Method access `System.getProperty("java.io.tmpdir")`.
- */
-private class MethodAccessSystemGetPropertyTempDir extends MethodAccessSystemGetPropertyTempDirTainted,
-  MethodAccessSystemGetProperty {
-  MethodAccessSystemGetPropertyTempDir() {
-    this.hasCompileTimeConstantGetPropertyName("java.io.tmpdir")
-  }
-}
-
-/**
- * A method call to the `org.apache.commons.io.FileUtils` methods `getTempDirectory` or `getTempDirectoryPath`.
- */
-private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPropertyTempDirTainted {
-  MethodAccessApacheFileUtilsTempDir() {
-    exists(Method m |
-      m.getDeclaringType().hasQualifiedName("org.apache.commons.io", "FileUtils") and
-      m.hasName(["getTempDirectory", "getTempDirectoryPath"]) and
-      this.getMethod() = m
-    )
-  }
+class ExprSystemGetPropertyTempDirTainted extends Expr {
+  ExprSystemGetPropertyTempDirTainted() { this = getSystemProperty("java.io.tmpdir") }
 }

 /**