Consider calls to setReadable(false, false) then setReadable(true, true) to be safe

JLLeitschuh · JLLeitschuh · commit 7f466401762f · 2022-02-08T17:57:10.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
@@ -197,14 +197,17 @@ class InsecureMethodPseudoConfiguration extends DataFlow::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, string message
 where
-  any(TempDirSystemGetPropertyToCreateConfig conf).hasFlowPath(source, sink) and
-  message =
-    "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users."
-  or
-  any(InsecureMethodPseudoConfiguration conf).hasFlowPath(source, sink) and
-  // Note this message has no "$@" placeholder, so the "system temp directory" template parameter below is not used.
-  message =
-    "Local information disclosure vulnerability due to use of " +
-      source.getNode().asExpr().(MethodAccessInsecureFileCreation).getFileSystemEntityType() +
-      " readable by other local users."
+  (
+    any(TempDirSystemGetPropertyToCreateConfig conf).hasFlowPath(source, sink) and
+    message =
+      "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users."
+    or
+    any(InsecureMethodPseudoConfiguration conf).hasFlowPath(source, sink) and
+    // Note this message has no "$@" placeholder, so the "system temp directory" template parameter below is not used.
+    message =
+      "Local information disclosure vulnerability due to use of " +
+        source.getNode().asExpr().(MethodAccessInsecureFileCreation).getFileSystemEntityType() +
+        " readable by other local users."
+  ) and
+  not isPermissionsProtectedTempDirUse(sink.getNode())
 select source.getNode(), source, sink, message, source.getNode(), "system temp directory"
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -59,8 +59,8 @@ private predicate isFileConstructorArgument(Expr expSource, Expr exprDest) {
  */
 private class TaintFollowingFileMethod extends Method {
   TaintFollowingFileMethod() {
-    getDeclaringType() instanceof TypeFile and
-    hasName(["getAbsoluteFile", "getCanonicalFile"])
+    this.getDeclaringType() instanceof TypeFile and
+    this.hasName(["getAbsoluteFile", "getCanonicalFile"])
   }
 }
 
@@ -80,3 +80,50 @@ predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2)
   isFileConstructorArgument(node1.asExpr(), node2.asExpr()) or
   isTaintPropagatingFileTransformation(node1.asExpr(), node2.asExpr())
 }
+
+/**
+ * A method call to `java.io.File::setReadable`.
+ */
+private class FileSetRedableMethodAccess extends MethodAccess {
+  FileSetRedableMethodAccess() {
+    exists(Method m | this.getMethod() = m |
+      m.getDeclaringType() instanceof TypeFile and
+      m.hasName("setReadable")
+    )
+  }
+
+  predicate isCallWithArguments(boolean arg1, boolean arg2) {
+    this.isCallWithArgument(0, arg1) and this.isCallToSecondArgumentWithValue(arg2)
+  }
+
+  private predicate isCallToSecondArgumentWithValue(boolean value) {
+    this.getMethod().getNumberOfParameters() = 1 and value = true
+    or
+    isCallWithArgument(1, value)
+  }
+
+  private predicate isCallWithArgument(int index, boolean arg) {
+    DataFlow::localExprFlow(any(CompileTimeConstantExpr e | e.getBooleanValue() = arg),
+      this.getArgument(index))
+  }
+}
+
+/**
+ * Hold's if temporary directory's use is protected if there is an explicit call to
+ * `setReadable(false, false)`, then `setRedabale(true, true)`.
+ */
+predicate isPermissionsProtectedTempDirUse(DataFlow::Node sink) {
+  exists(FileSetRedableMethodAccess setReadable1, FileSetRedableMethodAccess setReadable2 |
+    setReadable1.isCallWithArguments(false, false) and
+    setReadable2.isCallWithArguments(true, true)
+  |
+    exists(DataFlow::Node setReadableNode1, DataFlow::Node setReadableNode2 |
+      setReadableNode1.asExpr() = setReadable1.getQualifier() and
+      setReadableNode2.asExpr() = setReadable2.getQualifier()
+    |
+      DataFlow::localFlow(sink, setReadableNode1) and // Flow from sink to setReadable(false, false)
+      DataFlow::localFlow(sink, setReadableNode2) and // Flow from sink to setReadable(true, true)
+      DataFlow::localFlow(setReadableNode1, setReadableNode2) // Flow from setReadable(false, false) to setReadable(true, true)
+    )
+  )
+}
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
@@ -263,4 +263,10 @@ void vulnerableFileCreateDirectories() throws IOException {
         // TO MAKE SAFE REWRITE TO:
         Files.createDirectories(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
     }
+
+    void safeFileCreationWithPermissions() throws IOException {
+        File tempFile = File.createTempFile("temp", "file.txt");
+        tempFile.setReadable(false, false);
+        tempFile.setReadable(true, true);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -263,4 +263,10 @@ void vulnerableFileCreateDirectories() throws IOException {`
`263`	`263`	`// TO MAKE SAFE REWRITE TO:`
`264`	`264`	`Files.createDirectories(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));`
`265`	`265`	`}`
	`266`	`+`
	`267`	`+ void safeFileCreationWithPermissions() throws IOException {`
	`268`	`+ File tempFile = File.createTempFile("temp", "file.txt");`
	`269`	`+ tempFile.setReadable(false, false);`
	`270`	`+ tempFile.setReadable(true, true);`
	`271`	`+ }`
`266`	`272`	`}`