Add TempDir taint tracking for Files.write

JLLeitschuh · JLLeitschuh · commit e0b0f911ef56 · 2020-10-13T20:42:09.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql
@@ -12,8 +12,8 @@
 import TempDirUtils
 import DataFlow::PathGraph
 
-private class MethodFileSystemCreation extends Method {
-  MethodFileSystemCreation() {
+private class MethodFileSystemFileCreation extends Method {
+  MethodFileSystemFileCreation() {
     getDeclaringType() instanceof TypeFile and
     (
       hasName("mkdir") or
@@ -22,6 +22,33 @@ private class MethodFileSystemCreation extends Method {
   }
 }
 
+private class MethodFilesSystemFileCreation extends Method {
+  MethodFilesSystemFileCreation() {
+    getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
+    hasName("write")
+  }
+}
+
+private abstract class FileCreationSink extends DataFlow::Node {}
+
+private class FileFileCreationSink extends FileCreationSink {
+  FileFileCreationSink() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MethodFileSystemFileCreation and
+      ma.getQualifier() = this.asExpr()
+    )
+  }
+}
+
+private class FilesFileCreationSink extends FileCreationSink {
+  FilesFileCreationSink() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MethodFilesSystemFileCreation and
+      ma.getArgument(0) = this.asExpr()
+    )
+  }
+}
+
 private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Configuration {
   TempDirSystemGetPropertyToCreateConfig() { this = "TempDirSystemGetPropertyToCreateConfig" }
 
@@ -34,15 +61,12 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists (MethodAccess ma |
-      ma.getMethod() instanceof MethodFileSystemCreation and
-      ma.getQualifier() = sink.asExpr()
-    )
+    sink instanceof FileCreationSink
   }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, TempDirSystemGetPropertyToCreateConfig conf
 where conf.hasFlowPath(source, sink)
 select source.getNode(), source, sink,
-  "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users.", source.getNode(),
-  "system temp directory"
+  "Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users.",
+  source.getNode(), "system temp directory"
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
@@ -1,6 +1,9 @@
 
+import java.util.Arrays;
 import java.io.File;
-import com.google.common.io.Files;
+import java.nio.file.Files;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.StandardOpenOption;
 
 public class Test {
 
@@ -39,12 +42,23 @@ void safeFileCreateTempFileTainted() {
     }
 
     void vulnerableGuavaFilesCreateTempDir() {
-        File tempDir = Files.createTempDir();
+        File tempDir = com.google.common.io.Files.createTempDir();
     }
 
     void vulnerableFileCreateTempFileMkdirTainted() {
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
         tempDirChild.mkdir();
     }
+
+    void vulnerableFileCreateTempFilesWrite1() {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
+    }
     
+    void vulnerableFileCreateTempFilesWrite2() {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        String secret = "secret";
+        byte[] byteArrray = secret.getBytes();
+        Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE);
+    }
 }
