Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java: CWE-200: Temp directory local information disclosure vulnerability #4388

Conversation

JLLeitschuh
Copy link
Contributor

@JLLeitschuh JLLeitschuh commented Oct 2, 2020

This vulnerability detects the use of the local temporary directory in ways that potentially expose sensitive information to other users.

Some examples

public class TempDirUsageVulnerable {
    void exampleVulnerable() {
        File temp1 = File.createTempFile("random", ".txt"); // BAD: File has permissions `-rw-r--r--`

        File temp2 = File.createTempFile("random", "file", null); // BAD: File has permissions `-rw-r--r--`

        File systemTempDir = new File(System.getProperty("java.io.tmpdir"));
        File temp3 = File.createTempFile("random", "file", systemTempDir); // BAD: File has permissions `-rw-r--r--`

        File tempDir = com.google.common.io.Files.createTempDir(); // BAD: CVE-2020-8908: Directory has permissions `drwxr-xr-x`

        new File(System.getProperty("java.io.tmpdir"), "/child").mkdir(); // BAD: Directory has permissions `-rw-r--r--`

        File tempDirChildFile = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt");
        Files.createFile(tempDirChildFile.toPath()); // BAD: File has permissions `-rw-r--r--`
    }
}

* @kind problem
* @problem.severity warning
* @precision very-high
* @id java/local-information-disclosure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This id is rather generic. Could you make it a bit more specific to this query?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, I think

@aibaars
Copy link
Contributor

aibaars commented Oct 8, 2020

For reference I think Apache Ant had a similar vulnerability CVE-2020-1945. I think this was addressed by

You might want to check your query on databases built from those commits and their parents.

@JLLeitschuh
Copy link
Contributor Author

JLLeitschuh commented Oct 12, 2020

Here's one that I found that was just disclosed.
GHSA-269g-pwp5-87pp

@melloware
Copy link

@JLLeitschuh So if Junit 4.13.1 can patch this fix why can't Guava?

@JLLeitschuh
Copy link
Contributor Author

@melloware 🤷‍♂️ bring it up with the Guava & Google team. There's only so much I can do.

@melloware
Copy link

melloware commented Oct 12, 2020

Can we submit a PR against that ticket for review making the same fix Junit did?

@JLLeitschuh
Copy link
Contributor Author

You can always submit a PR, I don't know if the Google team will accept it thought. I'd advise that you ask them if they'd consider accepting a PR on the existing issue:

google/guava#4011

It's probably not that useful to have this discussion here, on this unrelated issue.

Comment on lines 36 to 32
exists(MethodAccess ma |
ma.getMethod() instanceof MethodFileSystemFileCreation and
ma.getQualifier() = this.asExpr()
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could write:

Suggested change
exists(MethodAccess ma |
ma.getMethod() instanceof MethodFileSystemFileCreation and
ma.getQualifier() = this.asExpr()
)
exists(MethodFileSystemFileCreation ma |
ma.getQualifier() = this.asExpr()
)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not quite right. MethodFileSystemFileCreation is a Method not a MethodAccess

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I don't think I can change this to be simpler at all.

@JLLeitschuh
Copy link
Contributor Author

There are some outstanding disclosures and CVES from this query. Hence why development is kinda frozen. I'm still leveraging it to report vulns.

@JLLeitschuh JLLeitschuh force-pushed the feat/JLL/java/CWE-200_temp_directory_local_information_disclosure branch from 1b216f8 to b1aeb99 Compare December 8, 2020 20:42
@smowton smowton self-assigned this Jan 4, 2021
@JLLeitschuh JLLeitschuh force-pushed the feat/JLL/java/CWE-200_temp_directory_local_information_disclosure branch from e53cfd8 to 6deb3d8 Compare January 23, 2021 17:49
@JLLeitschuh
Copy link
Contributor Author

JLLeitschuh commented Jan 23, 2021

Test run of this query:

@JLLeitschuh
Copy link
Contributor Author

This PR is now in a "I think I'm happy with it, please review" state. 😃

@aibaars
Copy link
Contributor

aibaars commented Jan 25, 2021

This PR is now in a "I think I'm happy with it, please review" state.

In that case you might want to hit the Ready for review button to change from Draft to Review state ;-)

@JLLeitschuh
Copy link
Contributor Author

Good point 😂

@JLLeitschuh JLLeitschuh marked this pull request as ready for review January 25, 2021 14:56
@JLLeitschuh JLLeitschuh requested review from felicitymay and a team as code owners January 25, 2021 14:56
@smowton smowton assigned aibaars and unassigned smowton Jan 27, 2021
@smowton
Copy link
Contributor

smowton commented Jan 27, 2021

Assigned @aibaars since he has been reviewing this and moved to In Progress state

smowton
smowton previously approved these changes Feb 8, 2022
aschackmull
aschackmull previously approved these changes Feb 8, 2022
@smowton smowton dismissed stale reviews from aschackmull and themself via a6596ea February 8, 2022 12:02
@JLLeitschuh
Copy link
Contributor Author

JLLeitschuh commented Feb 8, 2022

False positives this is finding (the first path). However, other paths are valid.

To simplify, the vulnerability being identified here is because of the following:

new File(System.getProperty("java.io.tmpdir")).mkdirs(); // Not really a vulnerability technically

This doesn't seem like a vulnerability.

However, the following is information disclosure of the file's name:

File tempDir = new File(System.getProperty("java.io.tmpdir"));
tempDir.mkdirs();
File tempFile = new File (tempDir, [USER_INPUT]); // vulnerability
tempFile.createFile(); // vulnerability

@smowton
Copy link
Contributor

smowton commented Feb 9, 2022

Looks like you're still tweaking this; let me know when you're done?

@JLLeitschuh
Copy link
Contributor Author

Looks like you're still tweaking this; let me know when you're done?

I'm wondering if you have any insights into how to fix the problem I described here:

#4388 (comment)

@JLLeitschuh
Copy link
Contributor Author

I think I have a fix here that I'm happy with:
49a7367

@JLLeitschuh JLLeitschuh requested a review from smowton February 9, 2022 17:34
@JLLeitschuh
Copy link
Contributor Author

@smowton I'm happy with this PR as-is

@smowton
Copy link
Contributor

smowton commented Feb 10, 2022

There's a real test failure to fix

@felicitymay felicitymay added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Feb 10, 2022
@JLLeitschuh
Copy link
Contributor Author

@smowton indeed! Fixed that. Thanks!

Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for writing help for your query. A few minor comments, but generally looking good 🙂

@@ -0,0 +1,258 @@
/**
* @name Temporary Directory Local information disclosure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if this might be clearer. The query name should be in sentence case.

Suggested change
* @name Temporary Directory Local information disclosure
* @name Local information disclosure in a temporary directory

---
category: newQuery
---
* A new query titled "Temporary directory Local information disclosure" (`java/local-temp-file-or-directory-information-disclosure`) has been added.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we change the name of the query, we'd also need to update it here.

@smowton smowton merged commit 0bf6c83 into github:main Feb 14, 2022
@JLLeitschuh
Copy link
Contributor Author

Amazing! Very happy this is finally merged. Only took me ~1.3 years to get it finished 😆

Follow-up that adds OS specific guards: #8032

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Java ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants