Improve warning in TempDirHijackingVulnerability

JLLeitschuh · Jan 19, 2022 · 4a0b10a · 4a0b10a
1 parent afc9d2c
commit 4a0b10a
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/java/ql/src/Security/CWE/CWE-378/TempDirHijackingVulnerability.ql b/java/ql/src/Security/CWE/CWE-378/TempDirHijackingVulnerability.ql
@@ -31,6 +31,13 @@ private class MethodFileMkdir extends Method {
   }
 }
 
+/**
+ * An expression that will create a directory without throwing an exception if a file/directory already exists.
+ */
+private predicate isNonThrowingDirectoryCreationExpression(Expr expr, MethodAccess creationCall) {
+  creationCall.getMethod() instanceof MethodFileMkdir and creationCall.getQualifier() = expr
+}
+
 private class MethodFileDelete extends Method {
   MethodFileDelete() {
     getDeclaringType() instanceof TypeFile and
@@ -64,10 +71,7 @@ private class TempDirHijackingFromDeleteConfig extends DataFlow2::Configuration
   override predicate isSource(DataFlow::Node source) { isDeleteFileExpr(source.asExpr()) }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof MethodFileMkdir and
-      ma.getQualifier() = sink.asExpr()
-    )
+    isNonThrowingDirectoryCreationExpression(sink.asExpr(), _)
   }
 }
 
@@ -95,12 +99,13 @@ private predicate safeUse(Expr e) {
 
 from
   DataFlow::PathNode source, DataFlow::PathNode deleteCheckpoint, DataFlow2::Node deleteCheckpoint2,
-  DataFlow2::Node sink, TempDirHijackingToDeleteConfig toDeleteConfig, Expr unsafeUse,
+  DataFlow2::Node sink, MethodAccess creationCall, TempDirHijackingToDeleteConfig toDeleteConfig,
   TempDirHijackingFromDeleteConfig fromDeleteConfig
 where
   toDeleteConfig.hasFlowPath(source, deleteCheckpoint) and
   fromDeleteConfig.hasFlow(deleteCheckpoint2, sink) and
   deleteCheckpoint.getNode().asExpr() = deleteCheckpoint2.asExpr() and
-  isUnsafeUseUnconstrainedByIfCheck(sink, unsafeUse)
+  isUnsafeUseUnconstrainedByIfCheck(sink, _) and
+  isNonThrowingDirectoryCreationExpression(sink.asExpr(), creationCall)
 select deleteCheckpoint.getNode(), source, deleteCheckpoint,
-  "Local temporary directory hijacking race condition $@", sink, "here"
+  "Local temporary directory hijacking race condition $@", creationCall, "here"