hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add java.nio.file.Files API checks

Browse Source
This commit is contained in:
Jonathan Leitschuh
2021-01-01 19:32:32 -05:00
parent ecad7534ae
commit bc12e994b0
4 changed files with 103 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql
View File

@@ -22,14 +22,7 @@ private class MethodFileSystemFileCreation extends Method {
}
}
private class MethodFilesSystemFileCreation extends Method {
MethodFilesSystemFileCreation() {
getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
hasName("write")
}
}
private abstract class FileCreationSink extends DataFlow::Node {}
abstract private class FileCreationSink extends DataFlow::Node { }
private class FileFileCreationSink extends FileCreationSink {
FileFileCreationSink() {
@@ -42,9 +35,17 @@ private class FileFileCreationSink extends FileCreationSink {
private class FilesFileCreationSink extends FileCreationSink {
FilesFileCreationSink() {
exists(MethodAccess ma |
ma.getMethod() instanceof MethodFilesSystemFileCreation and
ma.getArgument(0) = this.asExpr()
exists(FilesVulnerableCreationMethodAccess ma | ma.getArgument(0) = this.asExpr())
}
}
private class FilesVulnerableCreationMethodAccess extends MethodAccess {
FilesVulnerableCreationMethodAccess() {
getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
(
getMethod().hasName(["write", "newBufferedWriter", "newOutputStream"])
or
getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and getNumArgument() = 1
)
}
}
@@ -60,9 +61,7 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
isAdditionalFileTaintStep(node1, node2)
}
override predicate isSink(DataFlow::Node sink) {
sink instanceof FileCreationSink
}
override predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, TempDirSystemGetPropertyToCreateConfig conf

7
java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure1.expected Normal file
View File

@@ -0,0 +1,7 @@
| Test.java:15:21:15:57 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:19:21:19:63 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:24:21:24:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:29:21:29:71 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:34:21:34:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:39:21:39:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
| Test.java:49:24:49:65 | createTempDir(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |

43
java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure2.expected Normal file
View File

@@ -0,0 +1,43 @@
edges
| Files.java:10:33:10:68 | getProperty(...) : String | Files.java:15:17:15:23 | tempDir |
| Test.java:53:38:53:73 | getProperty(...) : String | Test.java:54:9:54:20 | tempDirChild |
| Test.java:58:38:58:73 | getProperty(...) : String | Test.java:59:9:59:20 | tempDirChild |
| Test.java:63:38:63:73 | getProperty(...) : String | Test.java:64:21:64:41 | toPath(...) |
| Test.java:68:38:68:73 | getProperty(...) : String | Test.java:71:21:71:41 | toPath(...) |
| Test.java:75:38:75:73 | getProperty(...) : String | Test.java:76:33:76:53 | toPath(...) |
| Test.java:80:38:80:73 | getProperty(...) : String | Test.java:81:31:81:51 | toPath(...) |
| Test.java:85:38:85:73 | getProperty(...) : String | Test.java:86:26:86:46 | toPath(...) |
| Test.java:98:38:98:73 | getProperty(...) : String | Test.java:99:31:99:51 | toPath(...) |
| Test.java:103:38:103:73 | getProperty(...) : String | Test.java:104:33:104:53 | toPath(...) |
nodes
| Files.java:10:33:10:68 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Files.java:15:17:15:23 | tempDir | semmle.label | tempDir |
| Test.java:53:38:53:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:54:9:54:20 | tempDirChild | semmle.label | tempDirChild |
| Test.java:58:38:58:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:59:9:59:20 | tempDirChild | semmle.label | tempDirChild |
| Test.java:63:38:63:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:64:21:64:41 | toPath(...) | semmle.label | toPath(...) |
| Test.java:68:38:68:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:71:21:71:41 | toPath(...) | semmle.label | toPath(...) |
| Test.java:75:38:75:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:76:33:76:53 | toPath(...) | semmle.label | toPath(...) |
| Test.java:80:38:80:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:81:31:81:51 | toPath(...) | semmle.label | toPath(...) |
| Test.java:85:38:85:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:86:26:86:46 | toPath(...) | semmle.label | toPath(...) |
| Test.java:98:38:98:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:99:31:99:51 | toPath(...) | semmle.label | toPath(...) |
| Test.java:103:38:103:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:104:33:104:53 | toPath(...) | semmle.label | toPath(...) |
#select
| Files.java:10:33:10:68 | getProperty(...) | Files.java:10:33:10:68 | getProperty(...) : String | Files.java:15:17:15:23 | tempDir | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Files.java:10:33:10:68 | getProperty(...) | system temp directory |
| Test.java:53:38:53:73 | getProperty(...) | Test.java:53:38:53:73 | getProperty(...) : String | Test.java:54:9:54:20 | tempDirChild | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:53:38:53:73 | getProperty(...) | system temp directory |
| Test.java:58:38:58:73 | getProperty(...) | Test.java:58:38:58:73 | getProperty(...) : String | Test.java:59:9:59:20 | tempDirChild | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:58:38:58:73 | getProperty(...) | system temp directory |
| Test.java:63:38:63:73 | getProperty(...) | Test.java:63:38:63:73 | getProperty(...) : String | Test.java:64:21:64:41 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:63:38:63:73 | getProperty(...) | system temp directory |
| Test.java:68:38:68:73 | getProperty(...) | Test.java:68:38:68:73 | getProperty(...) : String | Test.java:71:21:71:41 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:68:38:68:73 | getProperty(...) | system temp directory |
| Test.java:75:38:75:73 | getProperty(...) | Test.java:75:38:75:73 | getProperty(...) : String | Test.java:76:33:76:53 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:75:38:75:73 | getProperty(...) | system temp directory |
| Test.java:80:38:80:73 | getProperty(...) | Test.java:80:38:80:73 | getProperty(...) : String | Test.java:81:31:81:51 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:80:38:80:73 | getProperty(...) | system temp directory |
| Test.java:85:38:85:73 | getProperty(...) | Test.java:85:38:85:73 | getProperty(...) : String | Test.java:86:26:86:46 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:85:38:85:73 | getProperty(...) | system temp directory |
| Test.java:98:38:98:73 | getProperty(...) | Test.java:98:38:98:73 | getProperty(...) : String | Test.java:99:31:99:51 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:98:38:98:73 | getProperty(...) | system temp directory |
| Test.java:103:38:103:73 | getProperty(...) | Test.java:103:38:103:73 | getProperty(...) : String | Test.java:104:33:104:53 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:103:38:103:73 | getProperty(...) | system temp directory |

43
java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
View File

@@ -1,9 +1,13 @@
import java.util.Arrays;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.charset.StandardCharsets;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
public class Test {
@@ -52,18 +56,51 @@ public class Test {
void vulnerableFileCreateTempFileMkdirsTainted() {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
tempDirChild.mkdir();
tempDirChild.mkdirs();
}
void vulnerableFileCreateTempFilesWrite1() {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
}
void vulnerableFileCreateTempFilesWrite2() {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
String secret = "secret";
byte[] byteArrray = secret.getBytes();
Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE);
}
void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt");
Files.newBufferedWriter(tempDirChild.toPath());
}
void vulnerableFileCreateTempFilesNewOutputStream() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt");
Files.newOutputStream(tempDirChild.toPath()).close();
}
void vulnerableFileCreateTempFilesCreateFile() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
Files.createFile(tempDirChild.toPath());
}
void safeFileCreateTempFilesCreateFile() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
Files.createFile(
tempDirChild.toPath(),
PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))
);
}
void vulnerableFileCreateDirectory() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory");
Files.createDirectory(tempDirChild.toPath());
}
void vulnerableFileCreateDirectories() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child");
Files.createDirectories(tempDirChild.toPath());
}
}