Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
2026-04-30 19:26:02 +02:00 · 2021-04-16 15:16:42 -04:00
parent e795823d97
commit a8d25b63ac
3 changed files with 18 additions and 19 deletions
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -1,10 +1,10 @@
 /**
- * @name Temporary directory local information disclosure
- * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
+ * @name Temporary directory local information disclosure (file creation via inherently insecure method)
+ * @description Creating a temporary file in the system shared temporary directory, using a method that always creates it world-readable, may disclose its contents to other users.
 * @kind problem
 * @problem.severity warning
 * @precision very-high
- * @id java/local-temp-file-or-directory-information-disclosure-method
+ * @id java/local-temp-file-or-directory-information-disclosure-insecure-method
 * @tags security
 *       external/cwe/cwe-200
 *       external/cwe/cwe-732
@@ -15,21 +15,22 @@ import TempDirUtils

 abstract class MethodAccessInsecureFileCreation extends MethodAccess {
  /**
-   * Docstring describing the file system type (ie. file, directory, etc...) returned.
+   * Gets the type of entity created (e.g. `file`, `directory`, ...).
   */
-  abstract string getFileSystemType();
+  abstract string getFileSystemEntityType();
 }

 /**
- * Insecure calls to `java.io.File::createTempFile`.
+ * An insecure call to `java.io.File::createTempFile`.
 */
 class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCreation {
  MethodAccessInsecureFileCreateTempFile() {
    this.getMethod() instanceof MethodFileCreateTempFile and
    (
+      // `File.createTempFile(string, string)` always uses the default temporary directory
      this.getNumArgument() = 2
      or
-      // Vulnerablilty exists when the last argument is `null`
+      // The default temporary directory is used when the last argument of `File.createTempFile(string, string, File)` is `null`
      getArgument(2) instanceof NullLiteral
    )
  }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -1,10 +1,10 @@
 /**
- * @name Temporary Directory Local information disclosure
- * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
+ * @name Temporary directory local information disclosure (file creation without explicit mode)
+ * @description Creating a temporary file in the system shared temporary directory without specifying explicit access rights (mode) may disclose its contents to other users.
 * @kind path-problem
 * @problem.severity warning
 * @precision very-high
- * @id java/local-temp-file-or-directory-information-disclosure-path
+ * @id java/local-temp-file-or-directory-information-disclosure-missing-mode
 * @tags security
 *       external/cwe/cwe-200
 *       external/cwe/cwe-732
@@ -36,7 +36,7 @@ private class FileFileCreationSink extends FileCreationSink {
 }

 /**
- * Sink for if tained File/Path having some `Files` method called on it that creates a file or directory.
+ * Sink for calling a file-creating or directory-creating `Files` method on a tainted `File` or `Path`.
 */
 private class FilesFileCreationSink extends FileCreationSink {
  FilesFileCreationSink() {
@@ -63,7 +63,7 @@ private class FilesVulnerableCreationMethodAccess extends MethodAccess {
 }

 /**
- * A call to `java.io.File::createTempFile` where the the system temp dir sinks to the last argument.
+ * The temp directory argument to a call to `java.io.File::createTempFile`, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
 */
 private class FileCreateTempFileSink extends FileCreationSink {
  FileCreateTempFileSink() {
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -63,23 +63,21 @@ private predicate isTaintedFileCreation(Expr expSource, Expr exprDest) {
 private class TaintFollowingFileMethod extends Method {
  TaintFollowingFileMethod() {
    getDeclaringType() instanceof TypeFile and
-    (
-      hasName("getAbsoluteFile") or
-      hasName("getCanonicalFile")
-    )
+    hasName(["getAbsoluteFile", "getCanonicalFile"])
  }
 }

-private predicate isTaintFollowingFileTransformation(Expr expSource, Expr exprDest) {
+private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr exprDest) {
  exists(MethodAccess fileMethodAccess |
-    fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
+    fileMethodAccess.getMethod() instanceof TaintPropagatingFileMethod and
    fileMethodAccess.getQualifier() = expSource and
    fileMethodAccess = exprDest
  )
 }

 /**
- * Holds if the system temporary directory is still part of the root of the file path.
+ * Holds if taint should propagate from `node1` to `node2` across some file creation or transformation operation.
+ * For example, `taintedFile.getCanonicalFile()` is itself tainted.
 */
 predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
  isTaintedFileCreation(node1.asExpr(), node2.asExpr()) or