Add mkdirs check

JLLeitschuh · JLLeitschuh · commit 1b216f869f01 · 2020-12-08T15:40:22.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure2.ql
@@ -16,7 +16,7 @@ private class MethodFileSystemFileCreation extends Method {
   MethodFileSystemFileCreation() {
     getDeclaringType() instanceof TypeFile and
     (
-      hasName("mkdir") or
+      hasName(["mkdir", "mkdirs"]) or
       hasName("createNewFile")
     )
   }
diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/Test.java
@@ -50,6 +50,11 @@ void vulnerableFileCreateTempFileMkdirTainted() {
         tempDirChild.mkdir();
     }
 
+    void vulnerableFileCreateTempFileMkdirsTainted() {
+        File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
+        tempDirChild.mkdir();
+    }
+
     void vulnerableFileCreateTempFilesWrite1() {
         File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child");
         Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE);

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ private class MethodFileSystemFileCreation extends Method {`
`16`	`16`	`MethodFileSystemFileCreation() {`
`17`	`17`	`getDeclaringType() instanceof TypeFile and`
`18`	`18`	`(`
`19`		`- hasName("mkdir") or`
	`19`	`+ hasName(["mkdir", "mkdirs"]) or`
`20`	`20`	`hasName("createNewFile")`
`21`	`21`	`)`
`22`	`22`	`}`