Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Java: CWE-200: Temp directory local information disclosure vulnerability #4388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
smowton merged 39 commits into from
Feb 14, 2022
Merged

Java: CWE-200: Temp directory local information disclosure vulnerability #4388

Changes from 1 commit
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
3a15678
Java: CWE-200: Temp directory local information disclosure vulnerability
JLLeitschuh Oct 2, 2020
cf0ed81
Add TempDir taint tracking for Files.write
JLLeitschuh Oct 14, 2020
ecad753
Add mkdirs check
JLLeitschuh Dec 8, 2020
bc12e99
Add `java.nio.file.Files` API checks
JLLeitschuh Jan 2, 2021
13fed0e
Temp Dir Info Disclosure: Final pass and add documentation
JLLeitschuh Jan 23, 2021
e4c017e
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
f910fd4
Remove path flow tracking in 'TempDirLocalInformationDisclosureFromMe…
JLLeitschuh Feb 16, 2021
7929fae
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
41b5011
Apply suggestions from code review
JLLeitschuh Feb 16, 2021
f6067d2
Fix file names and formatting from PR feedback
JLLeitschuh Feb 24, 2021
c19f52c
Add release notes for "Temporary Directory Local information disclosure"
JLLeitschuh Feb 25, 2021
7e55c92
Apply suggestions from code review
JLLeitschuh Mar 22, 2021
6683198
Add QLdoc to TempDirUtils
JLLeitschuh Mar 22, 2021
df716cb
Revert changes to MethodAccessSystemGetProperty
JLLeitschuh Mar 22, 2021
cb30385
Update java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
JLLeitschuh Apr 8, 2021
7e514e9
Add QLdoc and fix Compiler Errors in Tests
JLLeitschuh Apr 8, 2021
e795823
Autoformat TempDirUtils.qll
smowton Apr 16, 2021
a8d25b6
Apply suggestions from code review
JLLeitschuh Apr 16, 2021
a4b5573
Apply suggestions from code review
JLLeitschuh Apr 19, 2021
f7a4aac
Apply suggestions from code review
JLLeitschuh Apr 20, 2021
d5c9af3
Fixup documentation/code from PR feedback
JLLeitschuh Apr 20, 2021
79db76d
Fix test failures TempDirLocalInformationDisclosureFromSystemProperty
JLLeitschuh Apr 21, 2021
0a621c2
Fix the formatting in TempDirLocalInformationDisclosureFromMethodCall
JLLeitschuh Apr 26, 2021
9299c79
Add information disclosure test fix suggestions
JLLeitschuh Jan 28, 2022
0268dd9
Add file creation sanitizer
JLLeitschuh Feb 1, 2022
1f47ea5
Update to new change note format
JLLeitschuh Feb 4, 2022
de38638
Combine CWE-200 queries
smowton Feb 7, 2022
c4112e6
Post refactor fixiup
JLLeitschuh Feb 7, 2022
7965459
Apply suggestions from code review
smowton Feb 8, 2022
a6596ea
Fix test requirements, formatting
smowton Feb 8, 2022
7f46640
Consider calls to setReadable(false, false) then setReadable(true, tr…
JLLeitschuh Feb 8, 2022
787e3da
Update java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclo…
JLLeitschuh Feb 9, 2022
49a7367
Fix FP from mkdirs call on exact temp directory
JLLeitschuh Feb 9, 2022
bafcce1
Apply suggestions from code review
JLLeitschuh Feb 10, 2022
eee521e
Fix test failure for TempDirLocalInformationDisclosure
JLLeitschuh Feb 10, 2022
7dee22a
Fix implicit 'this' usage
JLLeitschuh Feb 14, 2022
bb580dd
Apply suggestions from code review
JLLeitschuh Feb 14, 2022
76964d5
Apply suggestions from code review
JLLeitschuh Feb 14, 2022
2048aed
Review feedback and improve temp dir vulnerable/safe code sugestion
JLLeitschuh Feb 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add information disclosure test fix suggestions
  • Loading branch information
@JLLeitschuh
JLLeitschuh committed Feb 4, 2022
commit 9299c7996db0d64b81d3448f6e55172db8af05b6
193 changes: 176 additions & 17 deletions java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.charset.StandardCharsets;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
Expand All @@ -12,96 +14,253 @@
public class Test {

void vulnerableFileCreateTempFile() throws IOException {
File temp = File.createTempFile("random", "file");
// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file");

// TO MAKE SAFE REWRITE TO:
File tempSafe = Files.createTempFile("random", "file").toFile();
}

void vulnerableFileCreateTempFileNull() throws IOException {
File temp = File.createTempFile("random", "file", null);
// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file", null);

// TO MAKE SAFE REWRITE TO:
File tempSafe = Files.createTempFile("random", "file").toFile();
}

void vulnerableFileCreateTempFileTainted() throws IOException {
// GIVEN:
File tempDir = new File(System.getProperty("java.io.tmpdir"));
File temp = File.createTempFile("random", "file", tempDir);

// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file", tempDir);

// TO MAKE SAFE REWRITE TO (v1):
File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();

// TO MAKE SAFE REWRITE TO (v2):
File tempSafe2 = Files.createTempFile("random", "file").toFile();
}

void vulnerableFileCreateTempFileChildTainted() throws IOException {
// GIVEN:
File tempDirChild = new File(new File(System.getProperty("java.io.tmpdir")), "/child");
File temp = File.createTempFile("random", "file", tempDirChild);

// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file", tempDirChild);

// TO MAKE SAFE REWRITE TO:
File tempSafe = Files.createTempFile(tempDirChild.toPath(), "random", "file").toFile();
}

void vulnerableFileCreateTempFileCanonical() throws IOException {
// GIVEN:
File tempDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile();
File temp = File.createTempFile("random", "file", tempDir);

// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file", tempDir);

// TO MAKE SAFE REWRITE TO (v1):
File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();

// TO MAKE SAFE REWRITE TO (v2):
File tempSafe2 = Files.createTempFile("random", "file").toFile();
}

void vulnerableFileCreateTempFileAbsolute() throws IOException {
// GIVEN:
File tempDir = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile();
File temp = File.createTempFile("random", "file", tempDir);

// VULNERABLE VERSION:
File tempVuln = File.createTempFile("random", "file", tempDir);

// TO MAKE SAFE REWRITE TO (v1):
File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile();
// TO MAKE SAFE REWRITE TO (v2):
File tempSafe2 = Files.createTempFile("random", "file").toFile();
}

void safeFileCreateTempFileTainted() throws IOException {
/* Creating a temporary directoy in the current user directory is not a vulnerability. */
/*
* Creating a temporary directoy in the current user directory is not a
* vulnerability.
*/
File currentDirectory = new File(System.getProperty("user.dir"));
File temp = File.createTempFile("random", "file", currentDirectory);
}

void vulnerableGuavaFilesCreateTempDir() {
// VULNERABLE VERSION:
File tempDir = com.google.common.io.Files.createTempDir();

// TO MAKE SAFE REWRITE TO:
File tempSafe;
try {
Files.createTempDirectory("random").toFile();
} catch (IOException e) {
throw new RuntimeException("Failed to create temporary directory", e);
}
}

void vulnerableFileCreateTempFileMkdirTainted() {
// GIVEN:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");

// VULNERABLE VERSION:
tempDirChild.mkdir();

// TO MAKE SAFE REWRITE TO (v1):
File tempSafe1;
try {
tempSafe1 = Files.createTempDirectory(tempDirChild.toPath(), "random").toFile();
} catch (IOException e) {
throw new RuntimeException("Failed to create temporary directory", e);
}

// TO MAKE SAFE REWRITE TO (v2):
File tempSafe2;
try {
tempSafe2 = Files.createTempDirectory("random").toFile();
} catch (IOException e) {
throw new RuntimeException("Failed to create temporary directory", e);
}
}

void vulnerableFileCreateTempFileMkdirsTainted() {
// GIVEN:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");

// VULNERABLE VERSION:
tempDirChild.mkdirs();

// TO MAKE SAFE REWRITE TO (v1):
File tempSafe1;
try {
tempSafe1 = Files.createTempDirectory(tempDirChild.toPath(), "random").toFile();
} catch (IOException e) {
throw new RuntimeException("Failed to create temporary directory", e);
}

// TO MAKE SAFE REWRITE TO (v2):
File tempSafe2;
try {
tempSafe2 = Files.createTempDirectory("random").toFile();
} catch (IOException e) {
throw new RuntimeException("Failed to create temporary directory", e);
}
}

void vulnerableFileCreateTempFilesWrite1() throws IOException {
// VULNERABLE VERSION:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);

// TO MAKE SAFE REWRITE TO (v1):
// Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt`
try {
Path tempSafe = Paths.get(System.getProperty("java.io.tmpdir"), "child.txt");
Files.createFile(tempSafe, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
Files.write(tempSafe, Arrays.asList("secret"));
} catch (IOException e) {
throw new RuntimeException("Failed to write temporary file", e);
}

// TO MAKE SAFE REWRITE TO (v2):
// Use this version if you don't care that the file has an exact path. This will write to a file of the name `[java.io.tmpdir]/random[random string]child.txt`
try {
Path tempSafe = Files.createTempFile("random", "child.txt");
Files.write(tempSafe, Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
} catch (IOException e) {
throw new RuntimeException("Failed to write temporary file", e);
}
}

void vulnerableFileCreateTempFilesWrite2() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
// GIVEN:
String secret = "secret";
byte[] byteArrray = secret.getBytes();

// VULNERABLE VERSION:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE);

// TO MAKE SAFE REWRITE TO (v1):
// Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt`
Path tempSafe1 = Paths.get(System.getProperty("java.io.tmpdir"), "child.txt");
Files.createFile(tempSafe1, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
Files.write(tempSafe1, byteArrray);

// TO MAKE SAFE REWRITE TO (v2):
// Use this version if you don't care that the file has an exact path. This will write to a file of the name `[java.io.tmpdir]/random[random string]child.txt`
Path tempSafe2 = Files.createTempFile("random", "child.txt");
Files.write(tempSafe2, byteArrray);
}

void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt");
Files.newBufferedWriter(tempDirChild.toPath());
// GIVEN:
Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt").toPath();

// VULNERABLE VERSION:
Files.newBufferedWriter(tempDirChild);

// TO MAKE SAFE REWRITE TO:
Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
Files.newBufferedWriter(tempDirChild);
}

void vulnerableFileCreateTempFilesNewOutputStream() throws IOException {
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt");
Files.newOutputStream(tempDirChild.toPath()).close();
// GIVEN:
Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt").toPath();

// VULNERABLE VERSION:
Files.newOutputStream(tempDirChild).close();

// TO MAKE SAFE REWRITE TO:
Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
Files.newOutputStream(tempDirChild).close();
}

void vulnerableFileCreateTempFilesCreateFile() throws IOException {
// GIVEN:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");

// VULNERABLE VERSION:
Files.createFile(tempDirChild.toPath());

// TO MAKE SAFE REWRITE TO:
Files.createFile(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
}

void safeFileCreateTempFilesCreateFile() throws IOException {
// Clear permissions intentions by setting the 'OWNER_READ' and 'OWNER_WRITE' permissions.
// Clear permissions intentions by setting the 'OWNER_READ' and 'OWNER_WRITE'
// permissions.
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
Files.createFile(
tempDirChild.toPath(),
PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))
);
tempDirChild.toPath(),
PosixFilePermissions
.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
}

void vulnerableFileCreateDirectory() throws IOException {
// GIVEN:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory");

// VULNERABLE VERSION:
Files.createDirectory(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x'

// TO MAKE SAFE REWRITE TO:
Files.createDirectory(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
}

void vulnerableFileCreateDirectories() throws IOException {
// GIVEN:
File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child");

// VULNERABLE VERSION:
Files.createDirectories(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x'

// TO MAKE SAFE REWRITE TO:
Files.createDirectories(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
}
}