Add information disclosure test fix suggestions

JLLeitschuh · JLLeitschuh · commit 9299c7996db0 · 2022-02-04T17:10:27.000-05:00
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
@@ -3,6 +3,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.StandardOpenOption;
 import java.nio.file.attribute.PosixFilePermission;
@@ -12,96 +14,253 @@
 public class Test {
 
     void vulnerableFileCreateTempFile() throws IOException {
-        File temp = File.createTempFile("random", "file");
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file");
+
+        // TO MAKE SAFE REWRITE TO:
+        File tempSafe = Files.createTempFile("random", "file").toFile();
     }
 
     void vulnerableFileCreateTempFileNull() throws IOException {
-        File temp = File.createTempFile("random", "file", null);
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file", null);
+
+        // TO MAKE SAFE REWRITE TO:
+        File tempSafe = Files.createTempFile("random", "file").toFile();
     }
 
     void vulnerableFileCreateTempFileTainted() throws IOException {
+        // GIVEN:
         File tempDir = new File(System.getProperty("java.io.tmpdir"));
-        File temp = File.createTempFile("random", "file", tempDir);
+
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file", tempDir);
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        File tempSafe2 = Files.createTempFile("random", "file").toFile();
     }
 
     void vulnerableFileCreateTempFileChildTainted() throws IOException {
+        // GIVEN:
         File tempDirChild = new File(new File(System.getProperty("java.io.tmpdir")), "/child");
-        File temp = File.createTempFile("random", "file", tempDirChild);
+
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file", tempDirChild);
+
+        // TO MAKE SAFE REWRITE TO:
+        File tempSafe = Files.createTempFile(tempDirChild.toPath(), "random", "file").toFile();
     }
 
     void vulnerableFileCreateTempFileCanonical() throws IOException {
+        // GIVEN:
         File tempDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile();
-        File temp = File.createTempFile("random", "file", tempDir);
+
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file", tempDir);
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        File tempSafe2 = Files.createTempFile("random", "file").toFile();
     }
 
     void vulnerableFileCreateTempFileAbsolute() throws IOException {
+        // GIVEN:
         File tempDir = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile();
-        File temp = File.createTempFile("random", "file", tempDir);
+
+        // VULNERABLE VERSION:
+        File tempVuln = File.createTempFile("random", "file", tempDir);
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();
+        // TO MAKE SAFE REWRITE TO (v2):
+        File tempSafe2 = Files.createTempFile("random", "file").toFile();
     }
 
     void safeFileCreateTempFileTainted() throws IOException {
-        /* Creating a temporary directoy in the current user directory is not a vulnerability. */
+        /*
+         * Creating a temporary directoy in the current user directory is not a
+         * vulnerability.
+         */
         File currentDirectory = new File(System.getProperty("user.dir"));
         File temp = File.createTempFile("random", "file", currentDirectory);
     }
 
     void vulnerableGuavaFilesCreateTempDir() {
+        // VULNERABLE VERSION:
         File tempDir = com.google.common.io.Files.createTempDir();
+
+        // TO MAKE SAFE REWRITE TO:
+        File tempSafe;
+        try {
+            Files.createTempDirectory("random").toFile();
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to create temporary directory", e);
+        }
     }
 
     void vulnerableFileCreateTempFileMkdirTainted() {
+        // GIVEN:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+
+        // VULNERABLE VERSION:
         tempDirChild.mkdir();
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        File tempSafe1;
+        try {
+            tempSafe1 = Files.createTempDirectory(tempDirChild.toPath(), "random").toFile();
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to create temporary directory", e);
+        }
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        File tempSafe2;
+        try {
+            tempSafe2 = Files.createTempDirectory("random").toFile();
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to create temporary directory", e);
+        }
     }
 
     void vulnerableFileCreateTempFileMkdirsTainted() {
+        // GIVEN:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        
+        // VULNERABLE VERSION:
         tempDirChild.mkdirs();
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        File tempSafe1;
+        try {
+            tempSafe1 = Files.createTempDirectory(tempDirChild.toPath(), "random").toFile();
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to create temporary directory", e);
+        }
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        File tempSafe2;
+        try {
+            tempSafe2 = Files.createTempDirectory("random").toFile();
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to create temporary directory", e);
+        }
     }
 
     void vulnerableFileCreateTempFilesWrite1() throws IOException {
+        // VULNERABLE VERSION:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
         Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
+
+        // TO MAKE SAFE REWRITE TO (v1):
+        // Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt`
+        try {
+            Path tempSafe = Paths.get(System.getProperty("java.io.tmpdir"), "child.txt");
+            Files.createFile(tempSafe, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
+            Files.write(tempSafe, Arrays.asList("secret"));
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to write temporary file", e);
+        }
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        // Use this version if you don't care that the file has an exact path. This will write to a file of the name `[java.io.tmpdir]/random[random string]child.txt`
+        try {
+            Path tempSafe = Files.createTempFile("random", "child.txt");
+            Files.write(tempSafe, Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
+        } catch (IOException e) {
+            throw new RuntimeException("Failed to write temporary file", e);
+        }
     }
-    
+
     void vulnerableFileCreateTempFilesWrite2() throws IOException {
-        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
+        // GIVEN:
         String secret = "secret";
         byte[] byteArrray = secret.getBytes();
+        
+        // VULNERABLE VERSION:
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
         Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE);
+        
+        // TO MAKE SAFE REWRITE TO (v1):
+        // Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt`
+        Path tempSafe1 = Paths.get(System.getProperty("java.io.tmpdir"), "child.txt");
+        Files.createFile(tempSafe1, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
+        Files.write(tempSafe1, byteArrray);
+
+        // TO MAKE SAFE REWRITE TO (v2):
+        // Use this version if you don't care that the file has an exact path. This will write to a file of the name `[java.io.tmpdir]/random[random string]child.txt`
+        Path tempSafe2 = Files.createTempFile("random", "child.txt");
+        Files.write(tempSafe2, byteArrray);
     }
 
     void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException {
-        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt");
-        Files.newBufferedWriter(tempDirChild.toPath());
+        // GIVEN:
+        Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt").toPath();
+        
+        // VULNERABLE VERSION:
+        Files.newBufferedWriter(tempDirChild);
+
+        // TO MAKE SAFE REWRITE TO:
+        Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
+        Files.newBufferedWriter(tempDirChild);
     }
 
     void vulnerableFileCreateTempFilesNewOutputStream() throws IOException {
-        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt");
-        Files.newOutputStream(tempDirChild.toPath()).close();
+        // GIVEN:
+        Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt").toPath();
+        
+        // VULNERABLE VERSION:
+        Files.newOutputStream(tempDirChild).close();
+
+        // TO MAKE SAFE REWRITE TO:
+        Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
+        Files.newOutputStream(tempDirChild).close();
     }
 
     void vulnerableFileCreateTempFilesCreateFile() throws IOException {
+        // GIVEN:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        
+        // VULNERABLE VERSION:
         Files.createFile(tempDirChild.toPath());
+
+        // TO MAKE SAFE REWRITE TO:
+        Files.createFile(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
     }
 
     void safeFileCreateTempFilesCreateFile() throws IOException {
-        // Clear permissions intentions by setting the 'OWNER_READ' and 'OWNER_WRITE' permissions.
+        // Clear permissions intentions by setting the 'OWNER_READ' and 'OWNER_WRITE'
+        // permissions.
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
         Files.createFile(
-            tempDirChild.toPath(),
-            PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))
-        );
+                tempDirChild.toPath(),
+                PosixFilePermissions
+                        .asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
     }
 
     void vulnerableFileCreateDirectory() throws IOException {
+        // GIVEN:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory");
+
+        // VULNERABLE VERSION:
         Files.createDirectory(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x'
+        
+        // TO MAKE SAFE REWRITE TO:
+        Files.createDirectory(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
     }
 
     void vulnerableFileCreateDirectories() throws IOException {
+        // GIVEN:
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child");
+        
+        // VULNERABLE VERSION:
         Files.createDirectories(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x'
+
+        // TO MAKE SAFE REWRITE TO:
+        Files.createDirectories(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
     }
 }
