Fixup documentation/code from PR feedback

JLLeitschuh · JLLeitschuh · commit d5c9af31b224 · 2022-02-04T17:10:26.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosureFromSystemProperty.ql
@@ -36,8 +36,8 @@ private class FileFileCreationSink extends FileCreationSink {
 }
 
 /**
- * The argument to 
- a call to one of `Files` file-creating or directory-creating methods, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
+ * The argument to
+ * a call to one of `Files` file-creating or directory-creating methods, treated as a sink by `TempDirSystemGetPropertyToCreateConfig`.
  */
 private class FilesFileCreationSink extends FileCreationSink {
   FilesFileCreationSink() {
@@ -81,6 +81,12 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
     source.asExpr() instanceof MethodAccessSystemGetPropertyTempDirTainted
   }
 
+  /**
+   * Find dataflow from the temp directory system property to the `File` constructor.
+   * Examples:
+   *  - `new File(System.getProperty("java.io.tmpdir"))`
+   *  - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
+   */
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalFileTaintStep(node1, node2)
   }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -44,10 +44,7 @@ class MethodFileCreateTempFile extends Method {
 }
 
 /**
- * Find dataflow from the temp directory system property to the `File` constructor.
- * Examples:
- *  - `new File(System.getProperty("java.io.tmpdir"))`
- *  - `new File(new File(System.getProperty("java.io.tmpdir")), "/child")`
+ * Holds if `expDest` is some constructor call `new java.io.File(x)` and `expSource` is `x`.
  */
 private predicate isFileConstructorArgument(Expr expSource, Expr exprDest) {
   exists(ConstructorCall construtorCall |
@@ -69,7 +66,7 @@ private class TaintFollowingFileMethod extends Method {
 
 private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr exprDest) {
   exists(MethodAccess fileMethodAccess |
-    fileMethodAccess.getMethod() instanceof TaintPropagatingFileMethod and
+    fileMethodAccess.getMethod() instanceof TaintFollowingFileMethod and
     fileMethodAccess.getQualifier() = expSource and
     fileMethodAccess = exprDest
   )
@@ -80,6 +77,6 @@ private predicate isTaintPropagatingFileTransformation(Expr expSource, Expr expr
  * For example, `taintedFile.getCanonicalFile()` is itself tainted.
  */
 predicate isAdditionalFileTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-  isTaintedFileCreation(node1.asExpr(), node2.asExpr()) or
-  isTaintFollowingFileTransformation(node1.asExpr(), node2.asExpr())
+  isFileConstructorArgument(node1.asExpr(), node2.asExpr()) or
+  isTaintPropagatingFileTransformation(node1.asExpr(), node2.asExpr())
 }
