Java: CWE-200: Temp directory local information disclosure vulnerability

[JLLeitschuh]

This vulnerability detects the use of the local temporary directory in ways that potentially expose sensitive information to other users.

Some examples

public class TempDirUsageVulnerable {
    void exampleVulnerable() {
        File temp1 = File.createTempFile("random", ".txt"); // BAD: File has permissions `-rw-r--r--`

        File temp2 = File.createTempFile("random", "file", null); // BAD: File has permissions `-rw-r--r--`

        File systemTempDir = new File(System.getProperty("java.io.tmpdir"));
        File temp3 = File.createTempFile("random", "file", systemTempDir); // BAD: File has permissions `-rw-r--r--`

        File tempDir = com.google.common.io.Files.createTempDir(); // BAD: CVE-2020-8908: Directory has permissions `drwxr-xr-x`

        new File(System.getProperty("java.io.tmpdir"), "/child").mkdir(); // BAD: Directory has permissions `-rw-r--r--`

        File tempDirChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
        Files.createFile(tempDirChildFile.toPath()); // BAD: File has permissions `-rw-r--r--`
    }
}

[aibaars]

This id is rather generic. Could you make it a bit more specific to this query?

[JLLeitschuh]

Fixed, I think

[aibaars]

For reference I think Apache Ant had a similar vulnerability CVE-2020-1945. I think this was addressed by

• apache/ant@9c1f4d9
• apache/ant@a8645a1

You might want to check your query on databases built from those commits and their parents.

[JLLeitschuh]

Here's one that I found that was just disclosed.
GHSA-269g-pwp5-87pp

[melloware]

@JLLeitschuh So if Junit 4.13.1 can patch this fix why can't Guava?

[JLLeitschuh]

@melloware 🤷‍♂️ bring it up with the Guava & Google team. There's only so much I can do.

[melloware]

Can we submit a PR against that ticket for review making the same fix Junit did?

[JLLeitschuh]

You can always submit a PR, I don't know if the Google team will accept it thought. I'd advise that you ask them if they'd consider accepting a PR on the existing issue:

google/guava#4011

It's probably not that useful to have this discussion here, on this unrelated issue.

[aibaars]

You could write:

Suggested change

	exists(MethodAccess ma |
	ma.getMethod() instanceof MethodFileSystemFileCreation and
	ma.getQualifier() = this.asExpr()
	)
	exists(MethodFileSystemFileCreation ma |
	ma.getQualifier() = this.asExpr()
	)

[JLLeitschuh]

This is not quite right. MethodFileSystemFileCreation is a Method not a MethodAccess

[JLLeitschuh]

Yea, I don't think I can change this to be simpler at all.

[JLLeitschuh]

There are some outstanding disclosures and CVES from this query. Hence why development is kinda frozen. I'm still leveraging it to report vulns.

[JLLeitschuh]

Test run of this query:

• Method Call: https://lgtm.com/query/3077692672321886364/
• Path: https://lgtm.com/query/5276757681085693414/

[JLLeitschuh]

This PR is now in a "I think I'm happy with it, please review" state. 😃

[aibaars]

This PR is now in a "I think I'm happy with it, please review" state.

In that case you might want to hit the Ready for review button to change from Draft to Review state ;-)

[JLLeitschuh]

Good point 😂

[smowton]

Assigned @aibaars since he has been reviewing this and moved to In Progress state

[JLLeitschuh]

False positives this is finding (the first path). However, other paths are valid.

• https://lgtm.com/query/8810980313419129810/
  There is a vulnerability here, but it's being incorrectly identified around the reason.

To simplify, the vulnerability being identified here is because of the following:

new File(System.getProperty("java.io.tmpdir")).mkdirs(); // Not really a vulnerability technically

This doesn't seem like a vulnerability.

However, the following is information disclosure of the file's name:

File tempDir = new File(System.getProperty("java.io.tmpdir"));
tempDir.mkdirs();
File tempFile = new File (tempDir, [USER_INPUT]); // vulnerability
tempFile.createFile(); // vulnerability

[smowton]

Looks like you're still tweaking this; let me know when you're done?

[JLLeitschuh]

Looks like you're still tweaking this; let me know when you're done?

I'm wondering if you have any insights into how to fix the problem I described here:

#4388 (comment)

[JLLeitschuh]

I think I have a fix here that I'm happy with:
49a7367

[JLLeitschuh]

@smowton I'm happy with this PR as-is

[smowton]

There's a real test failure to fix

[JLLeitschuh]

@smowton indeed! Fixed that. Thanks!

[felicitymay]

Thanks for writing help for your query. A few minor comments, but generally looking good 🙂

[felicitymay]

I'm wondering if this might be clearer. The query name should be in sentence case.

Suggested change

	* @name Temporary Directory Local information disclosure
	* @name Local information disclosure in a temporary directory

[felicitymay]

If we change the name of the query, we'd also need to update it here.

[JLLeitschuh]

Amazing! Very happy this is finally merged. Only took me ~1.3 years to get it finished 😆

Follow-up that adds OS specific guards: #8032