Apply suggestions from code review

JLLeitschuh · smowton · JLLeitschuh · commit a8d25b63ac8b · 2022-02-04T17:10:26.000-05:00
Co-authored-by: Chris Smowton &lt;smowton@github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromMethodCall.ql
@@ -1,10 +1,10 @@
 /**
- * @name Temporary directory local information disclosure
- * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
+ * @name Temporary directory local information disclosure (file creation via inherently insecure method)
+ * @description Creating a temporary file in the system shared temporary directory, using a method that always creates it world-readable, may disclose its contents to other users.
  * @kind problem
  * @problem.severity warning
  * @precision very-high
- * @id java/local-temp-file-or-directory-information-disclosure-method
+ * @id java/local-temp-file-or-directory-information-disclosure-insecure-method
  * @tags security
  *       external/cwe/cwe-200
  *       external/cwe/cwe-732
@@ -15,21 +15,22 @@ import TempDirUtils
 
 abstract class MethodAccessInsecureFileCreation extends MethodAccess {
   /**
-   * Docstring describing the file system type (ie. file, directory, etc...) returned.
+   * Gets the type of entity created (e.g. `file`, `directory`, ...).
    */
-  abstract string getFileSystemType();
+  abstract string getFileSystemEntityType();
 }
 
 /**
- * Insecure calls to `java.io.File::createTempFile`.
+ * An insecure call to `java.io.File::createTempFile`.
  */
 class MethodAccessInsecureFileCreateTempFile extends MethodAccessInsecureFileCreation {
   MethodAccessInsecureFileCreateTempFile() {
     this.getMethod() instanceof MethodFileCreateTempFile and
     (
+      // `File.createTempFile(string, string)` always uses the default temporary directory
       this.getNumArgument() = 2
       or
-      // Vulnerablilty exists when the last argument is `null`
+      // The default temporary directory is used when the last argument of `File.createTempFile(string, string, File)` is `null`
       getArgument(2) instanceof NullLiteral
     )
   }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -1,10 +1,10 @@
 /**
- * @name Temporary Directory Local information disclosure
- * @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
+ * @name Temporary directory local information disclosure (file creation without explicit mode)
+ * @description Creating a temporary file in the system shared temporary directory without specifying explicit access rights (mode) may disclose its contents to other users.
  * @kind path-problem
  * @problem.severity warning
  * @precision very-high
- * @id java/local-temp-file-or-directory-information-disclosure-path
+ * @id java/local-temp-file-or-directory-information-disclosure-missing-mode
  * @tags security
  *       external/cwe/cwe-200
  *       external/cwe/cwe-732
@@ -36,7 +36,7 @@ private class FileFileCreationSink extends FileCreationSink {
 }
 
 /**
- * Sink for if tained File/Path having some `Files` method called on it that creates a file or directory.
+ * Sink for calling a file-creating or directory-creating `Files` method on a tainted `File` or `Path`.
  */
 private class FilesFileCreationSink extends FileCreationSink {
   FilesFileCreationSink() {
@@ -63,7 +63,7 @@ private class FilesVulnerableCreationMethodAccess extends MethodAccess {
 }
 
 /**
- * A call to `java.io.File::createTempFile` where the the system temp dir sinks to the last argument.
+ * The temp directory argument to a call to `java.io.File::createTempFile`, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
  */
 private class FileCreateTempFileSink extends FileCreationSink {
   FileCreateTempFileSink() {
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -63,23 +63,21 @@ private predicate isTaintedFileCreation(Expr expSource, Expr exprDest) {
 private class TaintFollowingFileMethod extends Method {
   TaintFollowingFileMethod() {
     getDeclaringType() instanceof TypeFile and
-    (
-      hasName("getAbsoluteFile") or
-      hasName("getCanonicalFile")
-    )
+    hasName(["getAbsoluteFile", "getCanonicalFile"])
   }
 }
 
-private predicate isTaintFollowingFileTransformation(Expr expSource, Expr exprDest) {
+private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr exprDest) {
   exists(MethodAccess fileMethodAccess |
-    fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
+    fileMethodAccess.getMethod() instanceof TaintPropagatingFileMethod and
     fileMethodAccess.getQualifier() = expSource and
     fileMethodAccess = exprDest
   )
 }
 
 /**
- * Holds if the system temporary directory is still part of the root of the file path.
+ * Holds if taint should propagate from `node1` to `node2` across some file creation or transformation operation.
+ * For example, `taintedFile.getCanonicalFile()` is itself tainted.
  */
 predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
   isTaintedFileCreation(node1.asExpr(), node2.asExpr()) or
