Expand isDeleteFileExpr to include delete method wrappers

JLLeitschuh · JLLeitschuh · commit 201b5191d368 · 2022-04-28T13:16:03.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-378/TempDirHijackingVulnerability.ql b/java/ql/src/Security/CWE/CWE-378/TempDirHijackingVulnerability.ql
@@ -101,12 +101,14 @@ private predicate isNonThrowingDirectoryCreationExpression(
 ) {
   creationCall.getMethod() instanceof MethodFileCreatesDirs and
   creationCall.getQualifier() = fileInstanceExpr and
-  // Check for 'throwing creations' and ensure that this call is not used in a throwing case.
-  if creationCall.(Guard).directlyControls(_, _)
-  then
-    // The creation call is used in a guard
+  (
+    // Check for 'throwing creations' and ensure that this call is not used in a throwing case.
+    // If the creation call is used in a guard:
+    creationCall.(Guard).directlyControls(_, _)
+    implies
+    // Then it must not be a 'safe' creation guard. Thus `creationCall` is not a 'throwing creation'.
     not creationCall = safeDirectoryCreationGuard(_) // Ensure that the guard is insufficient.
-  else any() // The creation call is not used in a guard. Thus is not a 'throwing creation'.
+  )
   or
   // Recursively look for methods that encapsulate the above.
   // Thus, the use of 'helper directory creation methods' are still considered
@@ -142,7 +144,23 @@ private class MethodFileExists extends Method {
 }
 
 predicate isDeleteFileExpr(Expr expr) {
-  expr = any(MethodFileDelete m).getAReference().getQualifier()
+  exists(Expr deleteMethodQualifier |
+    deleteMethodQualifier = any(MethodFileDelete m).getAReference().getQualifier()
+  |
+    // The expression is the qualifier of the `delete` method call.
+    expr = deleteMethodQualifier
+    or
+    // Any wrapper method that calls the `delete` method on a file instance argument.
+    expr =
+      any(Method m, int argIndex, Expr arg |
+        arg.(VarAccess).getVariable() = m.getParameter(argIndex) and
+        // We intentionally don't call this method recursively as it will increase the false positive rate.
+        // A delete call at a depth of one call is enough to cover most cases.
+        DataFlow::localExprFlow(arg, deleteMethodQualifier)
+      |
+        m.getAReference().getArgument(argIndex)
+      )
+  )
 }
 
 abstract private class DirHijackingTaintSource extends DataFlow::Node {
@@ -402,7 +420,7 @@ class TempDirHijackingFullPathInlcudingUnsafeUse extends TaintTracking2::Configu
     or
     // `File::mkdir(s)` is not an end-state when looking for an unsafe use
     isNonThrowingDirectoryCreationExpression(node1.asExpr(), _) and
-    node1.asExpr() = node2.asExpr() and
+    node1 = node2 and
     state1 instanceof FromDeleteFileFlowState and
     state2 instanceof FromMkdirsFileFlowState
   }
diff --git a/java/ql/test/query-tests/security/CWE-378/semmle/tests/TempDirHijackingVulnerability.expected b/java/ql/test/query-tests/security/CWE-378/semmle/tests/TempDirHijackingVulnerability.expected
@@ -34,15 +34,12 @@ edges
 | Test.java:146:22:146:57 | getProperty(...) : String | Test.java:146:13:146:58 | new File(...) : File |
 | Test.java:148:9:148:12 | temp : File | Test.java:148:9:148:12 | temp : File |
 | Test.java:148:9:148:12 | temp : File | Test.java:149:9:149:12 | temp |
-| Test.java:157:24:157:63 | createTempFile(...) : File | Test.java:158:21:158:24 | temp : File |
-| Test.java:158:21:158:24 | temp : File | Test.java:158:21:158:24 | temp : File |
-| Test.java:158:21:158:24 | temp : File | Test.java:158:38:158:41 | temp |
-| Test.java:170:17:170:26 | this <.field> [post update] [safe12temp] : File | Test.java:171:21:171:30 | this <.field> [safe12temp] : File |
-| Test.java:170:30:170:69 | createTempFile(...) : File | Test.java:170:17:170:26 | this <.field> [post update] [safe12temp] : File |
-| Test.java:170:30:170:69 | createTempFile(...) : File | Test.java:171:21:171:30 | safe12temp : File |
-| Test.java:171:21:171:30 | safe12temp : File | Test.java:171:21:171:30 | safe12temp : File |
-| Test.java:171:21:171:30 | safe12temp : File | Test.java:171:44:171:53 | safe12temp |
-| Test.java:171:21:171:30 | this <.field> [safe12temp] : File | Test.java:171:21:171:30 | safe12temp : File |
+| Test.java:156:20:156:59 | createTempFile(...) : File | Test.java:157:17:157:20 | temp : File |
+| Test.java:157:17:157:20 | temp : File | Test.java:157:17:157:20 | temp : File |
+| Test.java:157:17:157:20 | temp : File | Test.java:157:34:157:37 | temp |
+| Test.java:169:24:169:63 | createTempFile(...) : File | Test.java:170:21:170:24 | safe : File |
+| Test.java:170:21:170:24 | safe : File | Test.java:170:21:170:24 | safe : File |
+| Test.java:170:21:170:24 | safe : File | Test.java:170:38:170:41 | safe |
 | Test.java:211:21:211:66 | new File(...) : File | Test.java:213:65:213:68 | temp : File |
 | Test.java:211:30:211:65 | getProperty(...) : String | Test.java:211:21:211:66 | new File(...) : File |
 | Test.java:213:24:213:69 | createTempFile(...) : File | Test.java:214:14:214:20 | workDir : File |
@@ -137,16 +134,14 @@ nodes
 | Test.java:148:9:148:12 | temp : File | semmle.label | temp : File |
 | Test.java:148:9:148:12 | temp : File | semmle.label | temp : File |
 | Test.java:149:9:149:12 | temp | semmle.label | temp |
-| Test.java:157:24:157:63 | createTempFile(...) : File | semmle.label | createTempFile(...) : File |
-| Test.java:158:21:158:24 | temp : File | semmle.label | temp : File |
-| Test.java:158:21:158:24 | temp : File | semmle.label | temp : File |
-| Test.java:158:38:158:41 | temp | semmle.label | temp |
-| Test.java:170:17:170:26 | this <.field> [post update] [safe12temp] : File | semmle.label | this <.field> [post update] [safe12temp] : File |
-| Test.java:170:30:170:69 | createTempFile(...) : File | semmle.label | createTempFile(...) : File |
-| Test.java:171:21:171:30 | safe12temp : File | semmle.label | safe12temp : File |
-| Test.java:171:21:171:30 | safe12temp : File | semmle.label | safe12temp : File |
-| Test.java:171:21:171:30 | this <.field> [safe12temp] : File | semmle.label | this <.field> [safe12temp] : File |
-| Test.java:171:44:171:53 | safe12temp | semmle.label | safe12temp |
+| Test.java:156:20:156:59 | createTempFile(...) : File | semmle.label | createTempFile(...) : File |
+| Test.java:157:17:157:20 | temp : File | semmle.label | temp : File |
+| Test.java:157:17:157:20 | temp : File | semmle.label | temp : File |
+| Test.java:157:34:157:37 | temp | semmle.label | temp |
+| Test.java:169:24:169:63 | createTempFile(...) : File | semmle.label | createTempFile(...) : File |
+| Test.java:170:21:170:24 | safe : File | semmle.label | safe : File |
+| Test.java:170:21:170:24 | safe : File | semmle.label | safe : File |
+| Test.java:170:38:170:41 | safe | semmle.label | safe |
 | Test.java:211:21:211:66 | new File(...) : File | semmle.label | new File(...) : File |
 | Test.java:211:30:211:65 | getProperty(...) : String | semmle.label | getProperty(...) : String |
 | Test.java:213:24:213:69 | createTempFile(...) : File | semmle.label | createTempFile(...) : File |
@@ -208,8 +203,7 @@ subpaths
 | Test.java:24:9:24:12 | temp | Test.java:22:21:22:60 | createTempFile(...) : File | Test.java:24:9:24:12 | temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:23:9:23:12 | temp | delete here | Test.java:25:16:25:19 | temp | here |
 | Test.java:131:9:131:12 | temp | Test.java:129:71:129:106 | getProperty(...) : String | Test.java:131:9:131:12 | temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:130:9:130:12 | temp | delete here | Test.java:132:16:132:19 | temp | here |
 | Test.java:149:9:149:12 | temp | Test.java:146:22:146:57 | getProperty(...) : String | Test.java:149:9:149:12 | temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:148:9:148:12 | temp | delete here | Test.java:150:16:150:19 | temp | here |
-| Test.java:158:38:158:41 | temp | Test.java:157:24:157:63 | createTempFile(...) : File | Test.java:158:38:158:41 | temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:158:21:158:24 | temp | delete here | Test.java:163:16:163:19 | temp | here |
-| Test.java:171:44:171:53 | safe12temp | Test.java:170:30:170:69 | createTempFile(...) : File | Test.java:171:44:171:53 | safe12temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:171:21:171:30 | safe12temp | delete here | Test.java:176:16:176:25 | safe12temp | here |
+| Test.java:170:38:170:41 | safe | Test.java:169:24:169:63 | createTempFile(...) : File | Test.java:170:38:170:41 | safe | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:170:21:170:24 | safe | delete here | Test.java:176:16:176:25 | safe12temp | here |
 | Test.java:222:14:222:16 | dir | Test.java:211:30:211:65 | getProperty(...) : String | Test.java:222:14:222:16 | dir | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:214:14:214:20 | workDir | delete here | Test.java:218:16:218:22 | workDir | here |
 | Test.java:222:14:222:16 | dir | Test.java:211:30:211:65 | getProperty(...) : String | Test.java:222:14:222:16 | dir | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:214:14:214:20 | workDir | delete here | Test.java:222:31:222:33 | dir | here |
 | Test.java:230:9:230:12 | temp | Test.java:228:21:228:66 | createTempFile(...) : File | Test.java:230:9:230:12 | temp | Local temporary directory hijacking race condition between $@ and this directory creation call. As such, the directory usage $@ may have been hijacked by another local user. | Test.java:229:9:229:12 | temp | delete here | Test.java:231:16:231:19 | temp | here |
diff --git a/java/ql/test/query-tests/security/CWE-378/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-378/semmle/tests/Test.java
@@ -152,12 +152,10 @@ static File vulnerable3() throws IOException {
 
     static File safe11() throws IOException {
         File temp = null;
-        if (temp == null) {
-            while (true) {
-                temp = File.createTempFile("test", "directory");
-                if (temp.delete() && temp.mkdir()) {
-                    break;
-                }
+        while (true) {
+            temp = File.createTempFile("test", "directory");
+            if (temp.delete() && temp.mkdir()) {
+                break;
             }
         }
         return temp;
@@ -166,12 +164,14 @@ static File safe11() throws IOException {
     File safe12temp;
     File safe12() throws IOException {
         if (safe12temp == null) {
+            File safe = null;
             while (true) {
-                safe12temp = File.createTempFile("test", "directory");
-                if (safe12temp.delete() && safe12temp.mkdir()) {
+                safe = File.createTempFile("test", "directory");
+                if (safe.delete() && safe.mkdir()) {
                     break;
                 }
             }
+            safe12temp = safe;
         }
         return safe12temp;
     }
@@ -307,4 +307,17 @@ static void mkdirsWrapper3(File file) throws IOException {
             throw new IOException("Mkdirs failed to create " + file.toString());
         }
     }
+
+    File vulnerable10() throws IOException {
+        File temp = new File(System.getProperty("java.io.tmpdir"));
+        temp.mkdirs();
+        File workDir = File.createTempFile("test", "directory", temp);
+        deleteWrapper(workDir);
+        workDir.mkdirs();
+        return workDir;
+    }
+
+    static void deleteWrapper(File file) {
+        file.delete();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -152,12 +152,10 @@ static File vulnerable3() throws IOException {`
`152`	`152`
`153`	`153`	`static File safe11() throws IOException {`
`154`	`154`	`File temp = null;`
`155`		`- if (temp == null) {`
`156`		`- while (true) {`
`157`		`- temp = File.createTempFile("test", "directory");`
`158`		`- if (temp.delete() && temp.mkdir()) {`
`159`		`- break;`
`160`		`- }`
	`155`	`+ while (true) {`
	`156`	`+ temp = File.createTempFile("test", "directory");`
	`157`	`+ if (temp.delete() && temp.mkdir()) {`
	`158`	`+ break;`
`161`	`159`	`}`
`162`	`160`	`}`
`163`	`161`	`return temp;`
`@@ -166,12 +164,14 @@ static File safe11() throws IOException {`
`166`	`164`	`File safe12temp;`
`167`	`165`	`File safe12() throws IOException {`
`168`	`166`	`if (safe12temp == null) {`
	`167`	`+ File safe = null;`
`169`	`168`	`while (true) {`
`170`		`- safe12temp = File.createTempFile("test", "directory");`
`171`		`- if (safe12temp.delete() && safe12temp.mkdir()) {`
	`169`	`+ safe = File.createTempFile("test", "directory");`
	`170`	`+ if (safe.delete() && safe.mkdir()) {`
`172`	`171`	`break;`
`173`	`172`	`}`
`174`	`173`	`}`
	`174`	`+ safe12temp = safe;`
`175`	`175`	`}`
`176`	`176`	`return safe12temp;`
`177`	`177`	`}`
`@@ -307,4 +307,17 @@ static void mkdirsWrapper3(File file) throws IOException {`
`307`	`307`	`throw new IOException("Mkdirs failed to create " + file.toString());`
`308`	`308`	`}`
`309`	`309`	`}`
	`310`	`+`
	`311`	`+ File vulnerable10() throws IOException {`
	`312`	`+ File temp = new File(System.getProperty("java.io.tmpdir"));`
	`313`	`+ temp.mkdirs();`
	`314`	`+ File workDir = File.createTempFile("test", "directory", temp);`
	`315`	`+ deleteWrapper(workDir);`
	`316`	`+ workDir.mkdirs();`
	`317`	`+ return workDir;`
	`318`	`+ }`
	`319`	`+`
	`320`	`+ static void deleteWrapper(File file) {`
	`321`	`+ file.delete();`
	`322`	`+ }`
`310`	`323`	`}`