hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 11:46:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixup documentation/code from PR feedback

Browse Source
This commit is contained in:
Jonathan Leitschuh
2021-04-20 13:12:05 -04:00
parent f7a4aac525
commit d5c9af31b2
2 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
View File

@@ -36,8 +36,8 @@ private class FileFileCreationSink extends FileCreationSink {
}
/**
* The argument to
a call to one of `Files` file-creating or directory-creating methods, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
* The argument to
* a call to one of `Files` file-creating or directory-creating methods, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
*/
private class FilesFileCreationSink extends FileCreationSink {
FilesFileCreationSink() {
@@ -81,6 +81,12 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
source.asExpr() instanceof MethodAccessSystemGetPropertyTempDirTainted
}
/**
* Find dataflow from the temp directory system property to the `File` constructor.
* Examples:
* - `new File(System.getProperty("java.io.tmpdir"))`
* - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
*/
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalFileTaintStep(node1, node2)
}

11
java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
View File

@@ -44,10 +44,7 @@ class MethodFileCreateTempFile extends Method {
}
/**
* Find dataflow from the temp directory system property to the `File` constructor.
* Examples:
* - `new File(System.getProperty("java.io.tmpdir"))`
* - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
* Holds if `expDest` is some constructor call `new java.io.File(x)` and `expSource` is `x`.
*/
private predicate isFileConstructorArgument(Expr expSource, Expr exprDest) {
exists(ConstructorCall construtorCall |
@@ -69,7 +66,7 @@ private class TaintFollowingFileMethod extends Method {
private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr exprDest) {
exists(MethodAccess fileMethodAccess |
fileMethodAccess.getMethod() instanceof TaintPropagatingFileMethod and
fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
fileMethodAccess.getQualifier() = expSource and
fileMethodAccess = exprDest
)
@@ -80,6 +77,6 @@ private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr expr
* For example, `taintedFile.getCanonicalFile()` is itself tainted.
*/
predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
isTaintedFileCreation(node1.asExpr(), node2.asExpr()) or
isTaintFollowingFileTransformation(node1.asExpr(), node2.asExpr())
isFileConstructorArgument(node1.asExpr(), node2.asExpr()) or
isTaintPropagatingFileTransformation(node1.asExpr(), node2.asExpr())
}