Apply suggestions from code review

JLLeitschuh · aschackmull · JLLeitschuh · commit 7e55c92eb409 · 2022-02-04T17:10:25.000-05:00
Co-authored-by: Anders Schack-Mulligen &lt;aschackmull@users.noreply.github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -10,11 +10,12 @@
  *       external/cwe/cwe-732
  */
 
+import java
 import TempDirUtils
 
 abstract class MethodAccessInsecureFileCreation extends MethodAccess {
   /**
-   * Docstring describing the file system type (ie. file, directory, ect...) returned.
+   * Docstring describing the file system type (ie. file, directory, etc...) returned.
    */
   abstract string getFileSystemType();
 }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -1,6 +1,6 @@
 /**
  * @name Temporary Directory Local information disclosure
- * @description Detect local information disclosure via the java temporary directory
+ * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
  * @kind path-problem
  * @problem.severity warning
  * @precision very-high
@@ -10,16 +10,14 @@
  *       external/cwe/cwe-732
  */
 
+import java
 import TempDirUtils
 import DataFlow::PathGraph
 
 private class MethodFileSystemFileCreation extends Method {
   MethodFileSystemFileCreation() {
     getDeclaringType() instanceof TypeFile and
-    (
-      hasName(["mkdir", "mkdirs"]) or
-      hasName("createNewFile")
-    )
+    hasName(["mkdir", "mkdirs", "createNewFile"])
   }
 }
 
@@ -52,11 +50,13 @@ private class FilesFileCreationSink extends FileCreationSink {
  */
 private class FilesVulnerableCreationMethodAccess extends MethodAccess {
   FilesVulnerableCreationMethodAccess() {
-    getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
-    (
-      getMethod().hasName(["write", "newBufferedWriter", "newOutputStream"])
+    exists(Method m |
+      m = this.getMethod() and
+      m.getDeclaringType().hasQualifiedName("java.nio.file", "Files")
+    |
+      m.hasName(["write", "newBufferedWriter", "newOutputStream"])
       or
-      getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and
+      m.hasName(["createFile", "createDirectory", "createDirectories"]) and
       getNumArgument() = 1
     )
   }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -30,7 +30,7 @@ private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPr
 }
 
 /**
- * All `java.io.File::createTempFile` methods.
+ * A `java.io.File::createTempFile` method.
  */
 class MethodFileCreateTempFile extends Method {
   MethodFileCreateTempFile() {

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ private class MethodAccessApacheFileUtilsTempDir extends MethodAccessSystemGetPr`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`/**`
`33`		- * All `java.io.File::createTempFile` methods.
	`33`	+ * A `java.io.File::createTempFile` method.
`34`	`34`	`*/`
`35`	`35`	`class MethodFileCreateTempFile extends Method {`
`36`	`36`	`MethodFileCreateTempFile() {`