Remove path flow tracking in 'TempDirLocalInformationDisclosureFromMethodCall'

2025-12-22 03:36:30 +01:00 · 2021-02-16 16:39:53 -05:00
parent e4c017e888
commit f910fd4719
5 changed files with 57 additions and 40 deletions
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -12,32 +12,13 @@

 import TempDirUtils

-/**
- * All `java.io.File::createTempFile` methods.
- */
-class MethodFileCreateTempFile extends Method {
-  MethodFileCreateTempFile() {
-    this.getDeclaringType() instanceof TypeFile and
-    this.hasName("createTempFile")
-  }
+abstract class MethodAccessInsecureFileCreation extends MethodAccess {
+  /**
+   * Docstring describing the file system type (ie. file, directory, ect...) returned.
+   */
+  abstract string getFileSystemType();
 }

-class TempDirSystemGetPropertyToAnyConfig extends TaintTracking::Configuration {
-  TempDirSystemGetPropertyToAnyConfig() { this = "TempDirSystemGetPropertyToAnyConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof MethodAccessSystemGetPropertyTempDirTainted
-  }
-
-  override predicate isSink(DataFlow::Node source) { any() }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    isAdditionalFileTaintStep(node1, node2)
-  }
-}
-
-abstract class MethodAccessInsecureFileCreation extends MethodAccess { }
-
 /**
 * Insecure calls to `java.io.File::createTempFile`.
 */
@@ -45,15 +26,14 @@ class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCre
  MethodAccessInsecureFileCreateTempFile() {
    this.getMethod() instanceof MethodFileCreateTempFile and
    (
-      this.getNumArgument() = 2 or
+      this.getNumArgument() = 2
+      or
      // Vulnerablilty exists when the last argument is `null`
-      getArgument(2) instanceof NullLiteral or
-      // There exists a flow from the 'java.io.tmpdir' system property to this argument
-      exists(TempDirSystemGetPropertyToAnyConfig config |
-        config.hasFlowTo(DataFlow::exprNode(getArgument(2)))
-      )
+      getArgument(2) instanceof NullLiteral
    )
  }
+
+  override string getFileSystemType() { result = "file" }
 }

 class MethodGuavaFilesCreateTempFile extends Method {
@@ -67,8 +47,11 @@ class MethodAccessInsecureGuavaFilesCreateTempFile extends MethodAccessInsecureF
  MethodAccessInsecureGuavaFilesCreateTempFile() {
    getMethod() instanceof MethodGuavaFilesCreateTempFile
  }
+
+  override string getFileSystemType() { result = "directory" }
 }

 from MethodAccessInsecureFileCreation methodAccess
 select methodAccess,
-  "Local information disclosure vulnerability due to use of file or directory readable by other local users."
+  "Local information disclosure vulnerability due to use of " + methodAccess.getFileSystemType() +
+    " readable by other local users."
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -56,7 +56,19 @@ private class FilesVulnerableCreationMethodAccess extends MethodAccess {
    (
      getMethod().hasName(["write", "newBufferedWriter", "newOutputStream"])
      or
-      getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and getNumArgument() = 1
+      getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and
+      getNumArgument() = 1
+    )
+  }
+}
+
+/**
+ * A call to `java.io.File::createTempFile` where the the system temp dir sinks to the last argument.
+ */
+private class FileCreateTempFileSink extends FileCreationSink {
+  FileCreateTempFileSink() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MethodFileCreateTempFile and ma.getArgument(2) = this.asExpr()
    )
  }
 }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -29,6 +29,16 @@ private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPr
  }
 }

+/**
+ * All `java.io.File::createTempFile` methods.
+ */
+class MethodFileCreateTempFile extends Method {
+  MethodFileCreateTempFile() {
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName("createTempFile")
+  }
+}
+
 /**
 * Find dataflow from the temp directory system property to the `File` constructor.
 * Examples:
@@ -44,7 +54,7 @@ private predicate isTaintedFileCreation(Expr expSource, Expr exprDest) {
 }

 /**
- * Any `File` methods that
+ * Any `File` methods where the temporary directory is still part of the root path.
 */
 private class TaintFollowingFileMethod extends Method {
  TaintFollowingFileMethod() {