Add file creation sanitizer

JLLeitschuh · JLLeitschuh · commit 0268dd9f0ab5 · 2022-02-04T17:10:27.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -34,7 +34,7 @@ class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCre
       this.getNumArgument() = 2
       or
       // The default temporary directory is used when the last argument of `File.createTempFile(string, string, File)` is `null`
-      getArgument(2) instanceof NullLiteral
+      DataFlow::localExprFlow(any(NullLiteral n), getArgument(2))
     )
   }
 
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -16,8 +16,8 @@ import DataFlow::PathGraph
 
 private class MethodFileSystemFileCreation extends Method {
   MethodFileSystemFileCreation() {
-    getDeclaringType() instanceof TypeFile and
-    hasName(["mkdir", "mkdirs", "createNewFile"])
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName(["mkdir", "mkdirs", "createNewFile"])
   }
 }
 
@@ -58,7 +58,26 @@ private class FilesVulnerableCreationMethodAccess extends MethodAccess {
       m.hasName(["write", "newBufferedWriter", "newOutputStream"])
       or
       m.hasName(["createFile", "createDirectory", "createDirectories"]) and
-      getNumArgument() = 1
+      this.getNumArgument() = 1
+      or
+      m.hasName("newByteChannel") and
+      this.getNumArgument() = 2
+    )
+  }
+}
+
+/**
+ * A call to a `File` method that create files/directories with a specific set of permissions explicitly set.
+ * We can safely assume that any calls to these methods with explicit `PosixFilePermissions.asFileAttribute` contains a certain level of intentionality behind it.
+ */
+private class FilesSanitiznignCreationMethodAccess extends MethodAccess {
+  FilesSanitiznignCreationMethodAccess() {
+    exists(Method m |
+      m = this.getMethod() and
+      m.getDeclaringType().hasQualifiedName("java.nio.file", "Files")
+    |
+      m.hasName(["createFile", "createDirectory", "createDirectories"]) and
+      this.getNumArgument() = 2
     )
   }
 }
@@ -92,10 +111,16 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    exists(FilesSanitiznignCreationMethodAccess sanitisingMethodAccess |
+      sanitizer.asExpr() = sanitisingMethodAccess.getArgument(0)
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, TempDirSystemGetPropertyToCreateConfig conf
 where conf.hasFlowPath(source, sink)
-select source.getNode(), source, sink,
+select sink.getNode(), source, sink,
   "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users.",
   source.getNode(), "system temp directory"
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosureFromMethodCall.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosureFromMethodCall.expected
@@ -1,3 +1,3 @@
-| Test.java:15:21:15:57 | createTempFile(...) | Local information disclosure vulnerability due to use of file readable by other local users. |
-| Test.java:19:21:19:63 | createTempFile(...) | Local information disclosure vulnerability due to use of file readable by other local users. |
-| Test.java:49:24:49:65 | createTempDir(...) | Local information disclosure vulnerability due to use of directory readable by other local users. |
+| Test.java:18:25:18:61 | createTempFile(...) | Local information disclosure vulnerability due to use of file readable by other local users. |
+| Test.java:26:25:26:67 | createTempFile(...) | Local information disclosure vulnerability due to use of file readable by other local users. |
+| Test.java:95:24:95:65 | createTempDir(...) | Local information disclosure vulnerability due to use of directory readable by other local users. |
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosureFromSystemProperty.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosureFromSystemProperty.expected

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCre`
`34`	`34`	`this.getNumArgument() = 2`
`35`	`35`	`or`
`36`	`36`	// The default temporary directory is used when the last argument of `File.createTempFile(string, string, File)` is `null`
`37`		`- getArgument(2) instanceof NullLiteral`
	`37`	`+ DataFlow::localExprFlow(any(NullLiteral n), getArgument(2))`
`38`	`38`	`)`
`39`	`39`	`}`
`40`	`40`