mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
Merge pull request #201 from github/perm-file-report-source
Report rb/weak-file-permission alerts at source rather than sink and improve alert message
This commit is contained in:
Alex Ford
@@ -57,28 +57,28 @@ class PermissivePermissionsExpr extends Expr {
|
||||
}
|
||||
}
|
||||
|
||||
/** A call to a method of File or FileUtils that may modify file permissions */
|
||||
class PermissionSettingMethodCall extends MethodCall {
|
||||
/** A permissions argument of a call to a File/FileUtils method that may modify file permissions */
|
||||
class PermissionArgument extends Expr {
|
||||
private MethodCall call;
|
||||
private string methodName;
|
||||
private Expr permArg;
|
||||
|
||||
PermissionSettingMethodCall() {
|
||||
this.getReceiver() instanceof FileModuleAccess and
|
||||
this.getMethodName() = methodName and
|
||||
PermissionArgument() {
|
||||
call.getReceiver() instanceof FileModuleAccess and
|
||||
call.getMethodName() = methodName and
|
||||
(
|
||||
methodName in ["chmod", "chmod_R", "lchmod"] and permArg = this.getArgument(0)
|
||||
methodName in ["chmod", "chmod_R", "lchmod"] and this = call.getArgument(0)
|
||||
or
|
||||
methodName = "mkfifo" and permArg = this.getArgument(1)
|
||||
methodName = "mkfifo" and this = call.getArgument(1)
|
||||
or
|
||||
methodName in ["new", "open"] and permArg = this.getArgument(2)
|
||||
methodName in ["new", "open"] and this = call.getArgument(2)
|
||||
or
|
||||
methodName in ["install", "makedirs", "mkdir", "mkdir_p", "mkpath"] and
|
||||
permArg = this.getKeywordArgument("mode")
|
||||
this = call.getKeywordArgument("mode")
|
||||
// TODO: defaults for optional args? This may depend on the umask
|
||||
)
|
||||
}
|
||||
|
||||
Expr getPermissionArgument() { result = permArg }
|
||||
MethodCall getCall() { result = call }
|
||||
}
|
||||
|
||||
class PermissivePermissionsConfig extends DataFlow::Configuration {
|
||||
@@ -89,11 +89,13 @@ class PermissivePermissionsConfig extends DataFlow::Configuration {
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(PermissionSettingMethodCall c | sink.asExpr().getExpr() = c.getPermissionArgument())
|
||||
exists(PermissionArgument arg | sink.asExpr().getExpr() = arg)
|
||||
}
|
||||
}
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Overly permissive mask sets file to $@.", source.getNode(),
|
||||
source.getNode().toString()
|
||||
from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf,
|
||||
PermissionArgument arg
|
||||
where conf.hasFlowPath(source, sink) and arg = sink.getNode().asExpr().getExpr()
|
||||
select source.getNode(), source, sink, "Overly permissive mask in $@ sets file to $@.",
|
||||
arg.getCall(), arg.getCall().toString(), source.getNode(), source.getNode().toString()
|
||||
|
||||
@@ -17,14 +17,14 @@ nodes
|
||||
| FilePermissions.rb:53:19:53:24 | "a+rw" | semmle.label | "a+rw" |
|
||||
| FilePermissions.rb:57:16:57:19 | 0755 | semmle.label | 0755 |
|
||||
#select
|
||||
| FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | Overly permissive mask sets file to $@. | FilePermissions.rb:4:19:4:22 | 0222 | 0222 |
|
||||
| FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | Overly permissive mask sets file to $@. | FilePermissions.rb:5:19:5:22 | 0622 | 0622 |
|
||||
| FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:6:19:6:22 | 0755 | 0755 |
|
||||
| FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | Overly permissive mask sets file to $@. | FilePermissions.rb:7:19:7:22 | 0777 | 0777 |
|
||||
| FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:24:13:24:16 | 0755 | 0755 |
|
||||
| FilePermissions.rb:44:19:44:22 | perm | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:44:19:44:22 | perm | Overly permissive mask sets file to $@. | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
|
||||
| FilePermissions.rb:46:19:46:23 | perm2 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:46:19:46:23 | perm2 | Overly permissive mask sets file to $@. | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
|
||||
| FilePermissions.rb:50:19:50:23 | perm2 | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:50:19:50:23 | perm2 | Overly permissive mask sets file to $@. | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | "u=wrx,g=rwx,o=x" |
|
||||
| FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | Overly permissive mask sets file to $@. | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | "u=rwx,o+r" |
|
||||
| FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | Overly permissive mask sets file to $@. | FilePermissions.rb:53:19:53:24 | "a+rw" | "a+rw" |
|
||||
| FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:57:16:57:19 | 0755 | 0755 |
|
||||
| FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:4:3:4:32 | call to chmod | call to chmod | FilePermissions.rb:4:19:4:22 | 0222 | 0222 |
|
||||
| FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:5:3:5:32 | call to chmod | call to chmod | FilePermissions.rb:5:19:5:22 | 0622 | 0622 |
|
||||
| FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:6:3:6:32 | call to chmod | call to chmod | FilePermissions.rb:6:19:6:22 | 0755 | 0755 |
|
||||
| FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:7:3:7:32 | call to chmod | call to chmod | FilePermissions.rb:7:19:7:22 | 0777 | 0777 |
|
||||
| FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:24:3:24:26 | call to chmod | call to chmod | FilePermissions.rb:24:13:24:16 | 0755 | 0755 |
|
||||
| FilePermissions.rb:43:10:43:13 | 0777 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:44:19:44:22 | perm | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:44:3:44:32 | call to chmod | call to chmod | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
|
||||
| FilePermissions.rb:43:10:43:13 | 0777 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:46:19:46:23 | perm2 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:46:3:46:33 | call to chmod | call to chmod | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
|
||||
| FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:50:19:50:23 | perm2 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:50:3:50:33 | call to chmod | call to chmod | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | "u=wrx,g=rwx,o=x" |
|
||||
| FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:51:3:51:39 | call to chmod | call to chmod | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | "u=rwx,o+r" |
|
||||
| FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:53:3:53:34 | call to chmod | call to chmod | FilePermissions.rb:53:19:53:24 | "a+rw" | "a+rw" |
|
||||
| FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:57:3:57:29 | call to chmod_R | call to chmod_R | FilePermissions.rb:57:16:57:19 | 0755 | 0755 |
|
||||
|
||||
Reference in New Issue
Block a user