Skip to content

Commit d153907

Browse files
JLLeitschuhJLLeitschuh
committed
Fix inverted predicate logic and add additional test cases
1 parent 6df13b4 commit d153907

File tree

2 files changed

+35
-7
lines changed

2 files changed

+35
-7
lines changed

java/ql/src/Security/CWE/CWE-378/TempDirHijackingVulnerability.ql

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -79,12 +79,12 @@ predicate isSinkConstrainedByIfCheck(DataFlow2::Node sink) {
7979
}
8080

8181
from
82-
DataFlow::Node source, DataFlow::Node deleteCheckpoint, DataFlow2::PathNode deleteCheckpoint2,
83-
DataFlow2::PathNode sink, TempDirHijackingToDeleteConfig toDeleteConfig,
82+
DataFlow::PathNode source, DataFlow::PathNode deleteCheckpoint, DataFlow2::Node deleteCheckpoint2,
83+
DataFlow2::Node sink, TempDirHijackingToDeleteConfig toDeleteConfig,
8484
TempDirHijackingFromDeleteConfig fromDeleteConfig
8585
where
86-
toDeleteConfig.hasFlow(source, deleteCheckpoint) and
87-
fromDeleteConfig.hasFlowPath(deleteCheckpoint2, sink) and
88-
deleteCheckpoint.asExpr() = deleteCheckpoint2.getNode().asExpr() and
89-
isSinkConstrainedByIfCheck(sink.getNode())
90-
select deleteCheckpoint2, deleteCheckpoint2, sink, "TODO %", sink
86+
toDeleteConfig.hasFlowPath(source, deleteCheckpoint) and
87+
fromDeleteConfig.hasFlow(deleteCheckpoint2, sink) and
88+
deleteCheckpoint.getNode().asExpr() = deleteCheckpoint2.asExpr() and
89+
not isSinkConstrainedByIfCheck(sink)
90+
select deleteCheckpoint.getNode(), source, deleteCheckpoint, "Local temporary directory hijacking race condition $@", sink, "here"

java/ql/test/query-tests/security/CWE-378/semmle/tests/Test.java

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,5 +35,33 @@ static File safe2() {
3535
throw new RuntimeException("Failed to create directory");
3636
}
3737
}
38+
39+
static File safe3() {
40+
File temp = File.createTempFile("test", "directory");
41+
temp.delete();
42+
if (!(temp.mkdirs()))) {
43+
throw new RuntimeException("Failed to create directory");
44+
}
45+
return temp;
46+
}
47+
48+
static File safe4() {
49+
boolean success = true;
50+
File temp = File.createTempFile("test", "directory");
51+
success &= temp.delete();
52+
success &= f.mkdir();
53+
if (!success) {
54+
throw new RuntimeException("Failed to create directory");
55+
}
56+
}
57+
58+
static File safe5() {
59+
File temp = File.createTempFile("test", "directory");
60+
if (temp.delete() && temp.mkdir()) {
61+
return temp;
62+
} else {
63+
throw new RuntimeException("Failed to create directory");
64+
}
65+
}
3866

3967
}

0 commit comments

Comments
 (0)