Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Java: CWE-200: Temp directory local information disclosure vulnerability #4388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
smowton merged 39 commits into from
Feb 14, 2022
Merged

Java: CWE-200: Temp directory local information disclosure vulnerability #4388

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
3a15678
Java: CWE-200: Temp directory local information disclosure vulnerability
JLLeitschuh Oct 2, 2020
cf0ed81
Add TempDir taint tracking for Files.write
JLLeitschuh Oct 14, 2020
ecad753
Add mkdirs check
JLLeitschuh Dec 8, 2020
bc12e99
Add `java.nio.file.Files` API checks
JLLeitschuh Jan 2, 2021
13fed0e
Temp Dir Info Disclosure: Final pass and add documentation
JLLeitschuh Jan 23, 2021
e4c017e
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
f910fd4
Remove path flow tracking in 'TempDirLocalInformationDisclosureFromMe…
JLLeitschuh Feb 16, 2021
7929fae
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
41b5011
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
f6067d2
Fix file names and formatting from PR feedback
JLLeitschuh Feb 24, 2021
c19f52c
Add release notes for "Temporary Directory Local information disclosure"
JLLeitschuh Feb 25, 2021
7e55c92
Apply suggestions from code review
JLLeitschuh Mar 22, 2021
6683198
Add QLdoc to TempDirUtils
JLLeitschuh Mar 22, 2021
df716cb
Revert changes to MethodAccessSystemGetProperty
JLLeitschuh Mar 22, 2021
cb30385
Update java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
JLLeitschuh Apr 8, 2021
7e514e9
Add QLdoc and fix Compiler Errors in Tests
JLLeitschuh Apr 8, 2021
e795823
Autoformat TempDirUtils.qll
smowton Apr 16, 2021
a8d25b6
Apply suggestions from code review
JLLeitschuh Apr 16, 2021
a4b5573
Apply suggestions from code review
JLLeitschuh Apr 19, 2021
f7a4aac
Apply suggestions from code review
JLLeitschuh Apr 20, 2021
d5c9af3
Fixup documentation/code from PR feedback
JLLeitschuh Apr 20, 2021
79db76d
Fix test failures TempDirLocalInformationDisclosureFromSystemProperty
JLLeitschuh Apr 21, 2021
0a621c2
Fix the formatting in TempDirLocalInformationDisclosureFromMethodCall
JLLeitschuh Apr 26, 2021
9299c79
Add information disclosure test fix suggestions
JLLeitschuh Jan 28, 2022
0268dd9
Add file creation sanitizer
JLLeitschuh Feb 1, 2022
1f47ea5
Update to new change note format
JLLeitschuh Feb 4, 2022
de38638
Combine CWE-200 queries
smowton Feb 7, 2022
c4112e6
Post refactor fixiup
JLLeitschuh Feb 7, 2022
7965459
Apply suggestions from code review
smowton Feb 8, 2022
a6596ea
Fix test requirements, formatting
smowton Feb 8, 2022
7f46640
Consider calls to setReadable(false, false) then setReadable(true, tr…
JLLeitschuh Feb 8, 2022
787e3da
Update java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclo…
JLLeitschuh Feb 9, 2022
49a7367
Fix FP from mkdirs call on exact temp directory
JLLeitschuh Feb 9, 2022
bafcce1
Apply suggestions from code review
JLLeitschuh Feb 10, 2022
eee521e
Fix test failure for TempDirLocalInformationDisclosure
JLLeitschuh Feb 10, 2022
7dee22a
Fix implicit 'this' usage
JLLeitschuh Feb 14, 2022
bb580dd
Apply suggestions from code review
JLLeitschuh Feb 14, 2022
76964d5
Apply suggestions from code review
JLLeitschuh Feb 14, 2022
2048aed
Review feedback and improve temp dir vulnerable/safe code sugestion
JLLeitschuh Feb 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Apply suggestions from code review
  • Loading branch information
@smowton
smowton authored Feb 8, 2022
commit 79654592d92a5d9532b60affb3f41e1df0485383
17 changes: 10 additions & 7 deletions java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,8 @@ private class FilesVulnerableCreationMethodAccess extends MethodAccess {
* We can safely assume that any calls to these methods with explicit `PosixFilePermissions.asFileAttribute`
* contains a certain level of intentionality behind it.
*/
private class FilesSanitiznignCreationMethodAccess extends MethodAccess {
FilesSanitiznignCreationMethodAccess() {
private class FilesSanitizingCreationMethodAccess extends MethodAccess {
FilesSanitizingCreationMethodAccess() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType().hasQualifiedName("java.nio.file", "Files")
Expand Down Expand Up @@ -116,15 +116,18 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
override predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }

override predicate isSanitizer(DataFlow::Node sanitizer) {
exists(FilesSanitiznignCreationMethodAccess sanitisingMethodAccess |
exists(FilesSanitizingCreationMethodAccess sanitisingMethodAccess |
sanitizer.asExpr() = sanitisingMethodAccess.getArgument(0)
)
}
}

// Below this, configuration for tracking single-method calls that are vulnerable.
//
// Begin configuration for tracking single-method calls that are vulnerable.
//

/**
* A MethodAccess against a method that creates a temporary file or directory in a shared temporary directory.
* A `MethodAccess` against a method that creates a temporary file or directory in a shared temporary directory.
*/
abstract class MethodAccessInsecureFileCreation extends MethodAccess {
/**
Expand Down Expand Up @@ -174,15 +177,15 @@ class MethodAccessInsecureGuavaFilesCreateTempFile extends MethodAccessInsecureF

/**
* This is a hack: we include use of inherently insecure methods, which don't have any associated
* flow path, in with results describing a path from reading java.io.tmpdir or similar to use
* flow path, in with results describing a path from reading `java.io.tmpdir` or similar to use
* in a file creation op.
*
* We achieve this by making inherently-insecure method invocations both a source and a sink in
* this configuration, resulting in a zero-length path which is type-compatible with the actual
* path-flow results.
*/
class InsecureMethodPseudoConfiguration extends DataFlow::Configuration {
InsecureMethodPseudoConfiguration() { this = "InsecureMethodPseudoConfiguration " }
InsecureMethodPseudoConfiguration() { this = "InsecureMethodPseudoConfiguration" }

override predicate isSource(DataFlow::Node node) {
node.asExpr() instanceof MethodAccessInsecureFileCreation
Expand Down
4 changes: 2 additions & 2 deletions .../change-notes/2022-02-04-local-temp-file-or-directory-information-disclosure.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
category: newQuery
---
* Two new querys both titled "Temporary directory Local information disclosure" (`java/local-temp-file-or-directory-information-disclosure-path`, `java/local-temp-file-or-directory-information-disclosure-method`) have been added.
These queries find uses of APIs that leak potentially sensitive information to other local users via the system temporary directory.
* A new query titled "Temporary directory Local information disclosure" (`java/local-temp-file-or-directory-information-disclosure`) has been added.
Copy link
Copy Markdown
Contributor

@felicitymay felicitymay Feb 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we change the name of the query, we'd also need to update it here.

This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory.
This query was originally [submitted as query by @JLLeitschuh](https://github.com/github/codeql/pull/4388).