Review feedback and improve temp dir vulnerable/safe code sugestion

JLLeitschuh · JLLeitschuh · commit 2048aed0a9dd · 2022-02-14T11:29:16.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUsageSafe.java b/java/ql/src/Security/CWE/CWE-200/TempDirUsageSafe.java
@@ -1,3 +1,5 @@
+import java.io.File;
+import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.attribute.PosixFilePermission;
 import java.nio.file.attribute.PosixFilePermissions;
@@ -9,11 +11,90 @@ void exampleSafe() throws IOException {
 
         Path temp2 = Files.createTempDirectory("random-directory"); // GOOD: File has permissions `drwx------`
 
-        File tempDirChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        // Creating a temporary file with a non-randomly generated name
+        File tempChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        // Warning: This will fail on windows as it doesn't support PosixFilePermissions.
+        // See `exampleSafeWithWindowsSupportFile` if your code needs to support windows and unix-like systems.
         Files.createFile(
-            tempDirChildFile.toPath(),
-            tempDirChild.toPath(),
+            tempChildFile.toPath(),
             PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))
         ); // GOOD: Good has permissions `-rw-------`
     }
+
+    /*
+     * An example of a safe use of createFile or createDirectory if your code must support windows and unix-like systems.
+     */
+    void exampleSafeWithWindowsSupportFile() {
+        // Creating a temporary file with a non-randomly generated name
+        File tempChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
+        createTempFile(tempChildFile.toPath()); // GOOD: Good has permissions `-rw-------`
+    }
+
+    static void createTempFile(Path tempDir) {
+        try {
+            if (tempDirChild.getFileSystem().supportedFileAttributeViews().contains("posix")) {
+                // Explicit permissions setting is only required on unix-like systems because
+                // the temporary directory is shared between all users.
+                // This is not necessary on Windows, each user has their own temp directory
+                final EnumSet<PosixFilePermission> posixFilePermissions =
+                        EnumSet.of(
+                            PosixFilePermission.OWNER_READ,
+                            PosixFilePermission.OWNER_WRITE
+                        );
+                if (!Files.exists(tempDirChild)) {
+                    Files.createFile(
+                        tempDirChild,
+                        PosixFilePermissions.asFileAttribute(posixFilePermissions)
+                    ); // GOOD: Directory has permissions `-rw-------`
+                } else {
+                    Files.setPosixFilePermissions(
+                            tempDirChild,
+                            posixFilePermissions
+                    ); // GOOD: Good has permissions `-rw-------`, or will throw an exception if this fails
+                }
+            } else if (!Files.exists(tempDirChild)) {
+                // On Windows, we still need to create the directory, when it doesn't already exist.
+                Files.createDirectory(tempDirChild); // GOOD: Windows doesn't share the temp directory between users
+            }
+        } catch (IOException exception) {
+            throw new UncheckedIOException("Failed to create temp file", exception);
+        }
+    }
+
+    void exampleSafeWithWindowsSupportDirectory() {
+        File tempDirChildDir = new File(System.getProperty("java.io.tmpdir"), "/child-dir");
+        createTempDirectories(tempDirChildDir.toPath()); // GOOD: Directory has permissions `drwx------`
+    }
+
+    static void createTempDirectories(Path tempDirChild) {
+        try {
+            if (tempDirChild.getFileSystem().supportedFileAttributeViews().contains("posix")) {
+                // Explicit permissions setting is only required on unix-like systems because
+                // the temporary directory is shared between all users.
+                // This is not necessary on Windows, each user has their own temp directory
+                final EnumSet<PosixFilePermission> posixFilePermissions =
+                        EnumSet.of(
+                            PosixFilePermission.OWNER_READ,
+                            PosixFilePermission.OWNER_WRITE,
+                            PosixFilePermission.OWNER_EXECUTE
+                        );
+                if (!Files.exists(tempDirChild)) {
+                    Files.createDirectories(
+                        tempDirChild,
+                        PosixFilePermissions.asFileAttribute(posixFilePermissions)
+                    ); // GOOD: Directory has permissions `drwx------`
+                } else {
+                    Files.setPosixFilePermissions(
+                            tempDirChild,
+                            posixFilePermissions
+                    ); // GOOD: Good has permissions `drwx------`, or will throw an exception if this fails
+                }
+            } else if (!Files.exists(tempDirChild)) {
+                // On Windows, we still need to create the directory, when it doesn't already exist.
+                Files.createDirectories(tempDirChild); // GOOD: Windows doesn't share the temp directory between users
+            }
+        } catch (IOException exception) {
+            throw new UncheckedIOException("Failed to create temp dir", exception);
+        }
+    }
 }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirUsageVulnerable.java b/java/ql/src/Security/CWE/CWE-200/TempDirUsageVulnerable.java
@@ -15,5 +15,9 @@ void exampleVulnerable() {
 
         File tempDirChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
         Files.createFile(tempDirChildFile.toPath()); // BAD: File has permissions `-rw-r--r--`
+
+        File tempDirChildDir = new File(System.getProperty("java.io.tmpdir"), "/child-dir");
+        tempDirChildDir.mkdir(); // BAD: Directory has permissions `drwxr-xr-x`
+        Files.createDirectory(tempDirChildDir.toPath()); // BAD: Directory has permissions `drwxr-xr-x`
     }
 }
diff --git a/java/ql/src/change-notes/2022-02-04-local-temp-file-or-directory-information-disclosure.md b/java/ql/src/change-notes/2022-02-04-local-temp-file-or-directory-information-disclosure.md
@@ -1,6 +1,6 @@
 ---
 category: newQuery
 ---
-* A new query titled "Temporary directory Local information disclosure" (`java/local-temp-file-or-directory-information-disclosure`) has been added.
+* A new query titled "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) has been added.
   This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory.
   This query was originally [submitted as query by @JLLeitschuh](https://github.com/github/codeql/pull/4388).

Original file line number	Diff line number	Diff line change
`@@ -15,5 +15,9 @@ void exampleVulnerable() {`
`15`	`15`
`16`	`16`	`File tempDirChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");`
`17`	`17`	Files.createFile(tempDirChildFile.toPath()); // BAD: File has permissions `-rw-r--r--`
	`18`	`+`
	`19`	`+ File tempDirChildDir = new File(System.getProperty("java.io.tmpdir"), "/child-dir");`
	`20`	+ tempDirChildDir.mkdir(); // BAD: Directory has permissions `drwxr-xr-x`
	`21`	+ Files.createDirectory(tempDirChildDir.toPath()); // BAD: Directory has permissions `drwxr-xr-x`
`18`	`22`	`}`
`19`	`23`	`}`