-
Notifications
You must be signed in to change notification settings - Fork 2k
Java: CWE-378: Temp Directory Hijacking Race Condition Vulnerability #4473
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 1 commit
ba727af
aea0170
545eb2c
253c96f
d9d5b67
1fc7629
b42ff13
20bd05b
442ef83
fbecfdd
8a7d64d
884db9e
6f4ed4b
03983f1
37b1e1d
ac8e1cc
84003c1
4b6d1a4
325d0e1
71f5fc5
140c66e
21bef99
407dd05
0f5a1e7
e7f016e
3a50253
cd3662c
a2a7c73
b412c7f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,6 +13,16 @@ class MethodFileCreateTempFile extends Method { | |
| } | ||
| } | ||
|
|
||
| /** | ||
| * All methods on the class `java.io.File` that create directories. | ||
| */ | ||
| class MethodFileCreatesDirs extends Method { | ||
| MethodFileCreatesDirs() { | ||
| getDeclaringType() instanceof TypeFile and | ||
Check noticeCode scanning Using implicit `this`
Use of implicit `this`.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please fix |
||
| hasName(["mkdir", "mkdirs"]) | ||
Check noticeCode scanning Using implicit `this`
Use of implicit `this`.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please fix |
||
| } | ||
| } | ||
|
|
||
| private class TemporaryFileFlow extends SummaryModelCsv { | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Any file that defines model rows like this needs a private import at https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll#L79
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I intentionally don't want this to be defined at a global scope, yet. I don't know what the impact of this would be on any of the path normalization (path traversal) based queries and I don't really want to deal with that rn
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If it's only imported in some queries and not in others then it will lead to a whole bunch of cache invalidation and reevaluation of major parts of the libraries, which isn't acceptable. So if these steps only needs to be active for certain queries on an opt-in basis, then they can't use the csv format and must be defined fully in QL as pairs of data-flow nodes and directly mentioned by the configurations that wants to opt-in.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've broken this into an independent PR to allow this change to be tested independently. Thus, if it introduces FP into other queries, that can be analyzed independently: #8884 |
||
| override predicate row(string row) { | ||
| // qualifier to return | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,20 +13,11 @@ import semmle.code.java.dataflow.FlowSources | |
| import semmle.code.java.security.TempFileLib | ||
| import DataFlow::PathGraph | ||
|
|
||
| private class MethodFileMkdir extends Method { | ||
| MethodFileMkdir() { | ||
| getDeclaringType() instanceof TypeFile and | ||
| hasName("mkdir") | ||
| or | ||
| hasName("mkdirs") | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * An expression that will create a directory without throwing an exception if a file/directory already exists. | ||
| */ | ||
| private predicate isNonThrowingDirectoryCreationExpression(Expr expr, MethodAccess creationCall) { | ||
| creationCall.getMethod() instanceof MethodFileMkdir and creationCall.getQualifier() = expr | ||
| creationCall.getMethod() instanceof MethodFileCreatesDirs and creationCall.getQualifier() = expr | ||
| } | ||
|
JLLeitschuh marked this conversation as resolved.
|
||
|
|
||
| private class MethodFileDelete extends Method { | ||
|
|
@@ -47,9 +38,13 @@ private class TempDirHijackingToDeleteConfig extends TaintTracking::Configuratio | |
| source.asExpr() = | ||
| any(MethodAccess ma | | ||
| ma.getMethod() instanceof MethodFileCreateTempFile and ma.getNumArgument() = 2 | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Might be good to explain why check for
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done! |
||
| ) or | ||
| // TODO: Replace with getSystemProperty("java.io.tmpdir") | ||
| source.asExpr() = any(MethodAccessSystemGetProperty maSgp | maSgp.hasCompileTimeConstantGetPropertyName("java.io.tmpdir")) | ||
| ) | ||
| or | ||
| // TODO: Replace with getSystemProperty("java.io.tmpdir") | ||
| source.asExpr() = | ||
| any(MethodAccessSystemGetProperty maSgp | | ||
| maSgp.hasCompileTimeConstantGetPropertyName("java.io.tmpdir") | ||
| ) | ||
| } | ||
|
|
||
| override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.