

Commit b2d36ba

committed
report rb/weak-file-permission alerts at source rather than sink and improve alert message
1 parent 63475dc commit b2d36ba

2 files changed

Lines changed: 29 additions & 27 deletions


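--- a/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -57,28 +57,28 @@ class PermissivePermissionsExpr extends Expr {
 }
 }
 
-/** A call to a method of File or FileUtils that may modify file permissions */
-class PermissionSettingMethodCall extends MethodCall {
+/** A permissions argument of a call to a File/FileUtils method that may modify file permissions */
+class PermissionArgument extends Expr {
+private MethodCall call;
 private string methodName;
-private Expr permArg;
 
-PermissionSettingMethodCall() {
-this.getReceiver() instanceof FileModuleAccess and
-this.getMethodName() = methodName and
+PermissionArgument() {
+call.getReceiver() instanceof FileModuleAccess and
+call.getMethodName() = methodName and
 (
-methodName in ["chmod", "chmod_R", "lchmod"] and permArg = this.getArgument(0)
+methodName in ["chmod", "chmod_R", "lchmod"] and this = call.getArgument(0)
 or
-methodName = "mkfifo" and permArg = this.getArgument(1)
+methodName = "mkfifo" and this = call.getArgument(1)
 or
-methodName in ["new", "open"] and permArg = this.getArgument(2)
+methodName in ["new", "open"] and this = call.getArgument(2)
 or
 methodName in ["install", "makedirs", "mkdir", "mkdir_p", "mkpath"] and
-permArg = this.getKeywordArgument("mode")
+this = call.getKeywordArgument("mode")
 // TODO: defaults for optional args? This may depend on the umask
 )
 }
 
-Expr getPermissionArgument() { result = permArg }
+MethodCall getCall() { result = call }
 }
 
 class PermissivePermissionsConfig extends DataFlow::Configuration {
@@ -89,11 +89,13 @@ class PermissivePermissionsConfig extends DataFlow::Configuration {
 }
 
 override predicate isSink(DataFlow::Node sink) {
-exists(PermissionSettingMethodCall c | sink.asExpr().getExpr() = c.getPermissionArgument())
+exists(PermissionArgument arg | sink.asExpr().getExpr() = arg)
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Overly permissive mask sets file to $@.", source.getNode(),
-source.getNode().toString()
+from
+DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf,
+PermissionArgument arg
+where conf.hasFlowPath(source, sink) and arg = sink.getNode().asExpr().getExpr()
+select source.getNode(), source, sink, "Overly permissive mask in $@ sets file to $@.",
+arg.getCall(), arg.getCall(), source.getNode(), source.getNode().toString()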
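Review bot: The two `$@` placeholders in the new `select` are filled inconsistently: the first pair passes `arg.getCall()` twice and relies on implicit conversion for the string column, while the second pair spells out `source.getNode().toString()`. Writing `arg.getCall(), arg.getCall().toString()` makes the intent explicit and matches the existing pair. The new `getCall()` member also has no QLDoc; `/** Gets the call whose permissions argument this expression is. */` would follow the style of the class comment above it. Since the `where` clause re-derives `arg` from the sink rather than sharing the logic with `isSink`, a one-line comment noting that the two must stay in agreement would help the next maintainer.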

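--- a/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected
+++ b/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected
@@ -17,14 +17,14 @@ nodes
 | FilePermissions.rb:53:19:53:24 | "a+rw" | semmle.label | "a+rw" |
 | FilePermissions.rb:57:16:57:19 | 0755 | semmle.label | 0755 |
 #select
-| FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | Overly permissive mask sets file to $@. | FilePermissions.rb:4:19:4:22 | 0222 | 0222 |
-| FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | Overly permissive mask sets file to $@. | FilePermissions.rb:5:19:5:22 | 0622 | 0622 |
-| FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:6:19:6:22 | 0755 | 0755 |
-| FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | Overly permissive mask sets file to $@. | FilePermissions.rb:7:19:7:22 | 0777 | 0777 |
-| FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:24:13:24:16 | 0755 | 0755 |
-| FilePermissions.rb:44:19:44:22 | perm | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:44:19:44:22 | perm | Overly permissive mask sets file to $@. | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
-| FilePermissions.rb:46:19:46:23 | perm2 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:46:19:46:23 | perm2 | Overly permissive mask sets file to $@. | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
-| FilePermissions.rb:50:19:50:23 | perm2 | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:50:19:50:23 | perm2 | Overly permissive mask sets file to $@. | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | "u=wrx,g=rwx,o=x" |
-| FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | Overly permissive mask sets file to $@. | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | "u=rwx,o+r" |
-| FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | Overly permissive mask sets file to $@. | FilePermissions.rb:53:19:53:24 | "a+rw" | "a+rw" |
-| FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:57:16:57:19 | 0755 | 0755 |
+| FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:4:3:4:32 | call to chmod | FilePermissions.rb:4:3:4:32 | call to chmod | FilePermissions.rb:4:19:4:22 | 0222 | 0222 |
+| FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:5:3:5:32 | call to chmod | FilePermissions.rb:5:3:5:32 | call to chmod | FilePermissions.rb:5:19:5:22 | 0622 | 0622 |
+| FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:6:3:6:32 | call to chmod | FilePermissions.rb:6:3:6:32 | call to chmod | FilePermissions.rb:6:19:6:22 | 0755 | 0755 |
+| FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | FilePermissions.rb:7:19:7:22 | 0777 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:7:3:7:32 | call to chmod | FilePermissions.rb:7:3:7:32 | call to chmod | FilePermissions.rb:7:19:7:22 | 0777 | 0777 |
+| FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | FilePermissions.rb:24:13:24:16 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:24:3:24:26 | call to chmod | FilePermissions.rb:24:3:24:26 | call to chmod | FilePermissions.rb:24:13:24:16 | 0755 | 0755 |
+| FilePermissions.rb:43:10:43:13 | 0777 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:44:19:44:22 | perm | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:44:3:44:32 | call to chmod | FilePermissions.rb:44:3:44:32 | call to chmod | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
+| FilePermissions.rb:43:10:43:13 | 0777 | FilePermissions.rb:43:10:43:13 | 0777 : | FilePermissions.rb:46:19:46:23 | perm2 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:46:3:46:33 | call to chmod | FilePermissions.rb:46:3:46:33 | call to chmod | FilePermissions.rb:43:10:43:13 | 0777 | 0777 |
+| FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:50:19:50:23 | perm2 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:50:3:50:33 | call to chmod | FilePermissions.rb:50:3:50:33 | call to chmod | FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" | "u=wrx,g=rwx,o=x" |
+| FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:51:3:51:39 | call to chmod | FilePermissions.rb:51:3:51:39 | call to chmod | FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | "u=rwx,o+r" |
+| FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | FilePermissions.rb:53:19:53:24 | "a+rw" | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:53:3:53:34 | call to chmod | FilePermissions.rb:53:3:53:34 | call to chmod | FilePermissions.rb:53:19:53:24 | "a+rw" | "a+rw" |
+| FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | FilePermissions.rb:57:16:57:19 | 0755 | Overly permissive mask in $@ sets file to $@. | FilePermissions.rb:57:3:57:29 | call to chmod_R | FilePermissions.rb:57:3:57:29 | call to chmod_R | FilePermissions.rb:57:16:57:19 | 0755 | 0755 |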
