Add java.nio.file.Files API checks

Author: JLLeitschuh

java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql

@@ -22,14 +22,7 @@ private class MethodFileSystemFileCreation extends Method {
   }
 }
 
-private class MethodFilesSystemFileCreation extends Method {
-  MethodFilesSystemFileCreation() {
-    getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
-    hasName("write")
-  }
-}
-
-private abstract class FileCreationSink extends DataFlow::Node {}
+abstract private class FileCreationSink extends DataFlow::Node { }
 
 private class FileFileCreationSink extends FileCreationSink {
   FileFileCreationSink() {
@@ -42,9 +35,17 @@ private class FileFileCreationSink extends FileCreationSink {
 
 private class FilesFileCreationSink extends FileCreationSink {
   FilesFileCreationSink() {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof MethodFilesSystemFileCreation and
-      ma.getArgument(0) = this.asExpr()
+    exists(FilesVulnerableCreationMethodAccess ma | ma.getArgument(0) = this.asExpr())
+  }
+}
+
+private class FilesVulnerableCreationMethodAccess extends MethodAccess {
+  FilesVulnerableCreationMethodAccess() {
+    getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
+    (
+      getMethod().hasName(["write", "newBufferedWriter", "newOutputStream"])
+      or
+      getMethod().hasName(["createFile", "createDirectory", "createDirectories"]) and getNumArgument() = 1
     )
   }
 }
@@ -60,9 +61,7 @@ private class TempDirSystemGetPropertyToCreateConfig extends TaintTracking::Conf
     isAdditionalFileTaintStep(node1, node2)
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof FileCreationSink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, TempDirSystemGetPropertyToCreateConfig conf

java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure1.expected

@@ -0,0 +1,7 @@
+| Test.java:15:21:15:57 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:19:21:19:63 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:24:21:24:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:29:21:29:71 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:34:21:34:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:39:21:39:66 | createTempFile(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |
+| Test.java:49:24:49:65 | createTempDir(...) | Local information disclosure vulnerability due to use of file or directory readable by other local users. |

java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure2.expected

@@ -0,0 +1,43 @@
+edges
+| Files.java:10:33:10:68 | getProperty(...) : String | Files.java:15:17:15:23 | tempDir |
+| Test.java:53:38:53:73 | getProperty(...) : String | Test.java:54:9:54:20 | tempDirChild |
+| Test.java:58:38:58:73 | getProperty(...) : String | Test.java:59:9:59:20 | tempDirChild |
+| Test.java:63:38:63:73 | getProperty(...) : String | Test.java:64:21:64:41 | toPath(...) |
+| Test.java:68:38:68:73 | getProperty(...) : String | Test.java:71:21:71:41 | toPath(...) |
+| Test.java:75:38:75:73 | getProperty(...) : String | Test.java:76:33:76:53 | toPath(...) |
+| Test.java:80:38:80:73 | getProperty(...) : String | Test.java:81:31:81:51 | toPath(...) |
+| Test.java:85:38:85:73 | getProperty(...) : String | Test.java:86:26:86:46 | toPath(...) |
+| Test.java:98:38:98:73 | getProperty(...) : String | Test.java:99:31:99:51 | toPath(...) |
+| Test.java:103:38:103:73 | getProperty(...) : String | Test.java:104:33:104:53 | toPath(...) |
+nodes
+| Files.java:10:33:10:68 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Files.java:15:17:15:23 | tempDir | semmle.label | tempDir |
+| Test.java:53:38:53:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:54:9:54:20 | tempDirChild | semmle.label | tempDirChild |
+| Test.java:58:38:58:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:59:9:59:20 | tempDirChild | semmle.label | tempDirChild |
+| Test.java:63:38:63:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:64:21:64:41 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:68:38:68:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:71:21:71:41 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:75:38:75:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:76:33:76:53 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:80:38:80:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:81:31:81:51 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:85:38:85:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:86:26:86:46 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:98:38:98:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:99:31:99:51 | toPath(...) | semmle.label | toPath(...) |
+| Test.java:103:38:103:73 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:104:33:104:53 | toPath(...) | semmle.label | toPath(...) |
+#select
+| Files.java:10:33:10:68 | getProperty(...) | Files.java:10:33:10:68 | getProperty(...) : String | Files.java:15:17:15:23 | tempDir | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Files.java:10:33:10:68 | getProperty(...) | system temp directory |
+| Test.java:53:38:53:73 | getProperty(...) | Test.java:53:38:53:73 | getProperty(...) : String | Test.java:54:9:54:20 | tempDirChild | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:53:38:53:73 | getProperty(...) | system temp directory |
+| Test.java:58:38:58:73 | getProperty(...) | Test.java:58:38:58:73 | getProperty(...) : String | Test.java:59:9:59:20 | tempDirChild | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:58:38:58:73 | getProperty(...) | system temp directory |
+| Test.java:63:38:63:73 | getProperty(...) | Test.java:63:38:63:73 | getProperty(...) : String | Test.java:64:21:64:41 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:63:38:63:73 | getProperty(...) | system temp directory |
+| Test.java:68:38:68:73 | getProperty(...) | Test.java:68:38:68:73 | getProperty(...) : String | Test.java:71:21:71:41 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:68:38:68:73 | getProperty(...) | system temp directory |
+| Test.java:75:38:75:73 | getProperty(...) | Test.java:75:38:75:73 | getProperty(...) : String | Test.java:76:33:76:53 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:75:38:75:73 | getProperty(...) | system temp directory |
+| Test.java:80:38:80:73 | getProperty(...) | Test.java:80:38:80:73 | getProperty(...) : String | Test.java:81:31:81:51 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:80:38:80:73 | getProperty(...) | system temp directory |
+| Test.java:85:38:85:73 | getProperty(...) | Test.java:85:38:85:73 | getProperty(...) : String | Test.java:86:26:86:46 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:85:38:85:73 | getProperty(...) | system temp directory |
+| Test.java:98:38:98:73 | getProperty(...) | Test.java:98:38:98:73 | getProperty(...) : String | Test.java:99:31:99:51 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:98:38:98:73 | getProperty(...) | system temp directory |
+| Test.java:103:38:103:73 | getProperty(...) | Test.java:103:38:103:73 | getProperty(...) : String | Test.java:104:33:104:53 | toPath(...) | Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users. | Test.java:103:38:103:73 | getProperty(...) | system temp directory |

java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java

@@ -1,9 +1,13 @@
 
 import java.util.Arrays;
 import java.io.File;
+import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.StandardOpenOption;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.util.EnumSet;
 
 public class Test {
 
@@ -52,18 +56,51 @@ void vulnerableFileCreateTempFileMkdirTainted() {
 
     void vulnerableFileCreateTempFileMkdirsTainted() {
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
-        tempDirChild.mkdir();
+        tempDirChild.mkdirs();
     }
 
     void vulnerableFileCreateTempFilesWrite1() {
-        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
         Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);
     }
 
     void vulnerableFileCreateTempFilesWrite2() {
-        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt");
         String secret = "secret";
         byte[] byteArrray = secret.getBytes();
         Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE);
     }
+
+    void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt");
+        Files.newBufferedWriter(tempDirChild.toPath());
+    }
+
+    void vulnerableFileCreateTempFilesNewOutputStream() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt");
+        Files.newOutputStream(tempDirChild.toPath()).close();
+    }
+
+    void vulnerableFileCreateTempFilesCreateFile() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        Files.createFile(tempDirChild.toPath());
+    }
+
+    void safeFileCreateTempFilesCreateFile() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        Files.createFile(
+            tempDirChild.toPath(),
+            PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))
+        );
+    }
+
+    void vulnerableFileCreateDirectory() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory");
+        Files.createDirectory(tempDirChild.toPath());
+    }
+
+    void vulnerableFileCreateDirectories() throws IOException {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child");
+        Files.createDirectories(tempDirChild.toPath());
+    }
 }