Merge pull request github#12081 from jcogs33/jcogs33/update-some-Files-sinks

Java: update `createTempDirectory` and `copy` "create-file" sinks

Author: jcogs33

java/ql/lib/change-notes/2023-02-13-update-create-file-sinks.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Removed the first argument of `java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
+* Added the first argument of `java.nio.file.Files#copy` as a "read-file" sink for the `java/path-injection` query.

java/ql/lib/ext/java.nio.file.model.yml

@@ -3,13 +3,14 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.nio.file", "Files", False, "copy", "", "", "Argument[0]", "read-file", "manual"]
       - ["java.nio.file", "Files", False, "copy", "", "", "Argument[1]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createDirectories", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createDirectory", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createFile", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createLink", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createSymbolicLink", "", "", "Argument[0]", "create-file", "manual"]
-      - ["java.nio.file", "Files", False, "createTempDirectory", "", "", "Argument[0]", "create-file", "manual"]
+      - ["java.nio.file", "Files", False, "createTempDirectory", "(Path,String,FileAttribute[])", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createTempFile", "(Path,String,String,FileAttribute[])", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "create-file", "manual"]

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -261,9 +261,9 @@ module ModelValidation {
         [
           "open-url", "jndi-injection", "ldap", "sql", "jdbc-url", "logging", "mvel", "xpath",
           "groovy", "xss", "ognl-injection", "intent-start", "pending-intent-sent",
-          "url-open-stream", "url-redirect", "create-file", "write-file", "set-hostname-verifier",
-          "header-splitting", "information-leak", "xslt", "jexl", "bean-validation", "ssti",
-          "fragment-injection"
+          "url-open-stream", "url-redirect", "create-file", "read-file", "write-file",
+          "set-hostname-verifier", "header-splitting", "information-leak", "xslt", "jexl",
+          "bean-validation", "ssti", "fragment-injection"
         ] and
       not kind.matches("regex-use%") and
       not kind.matches("qltest%") and

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -29,7 +29,7 @@ class TaintedPathConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PathCreation p).getAnInput()
     or
-    sinkNode(sink, "create-file")
+    sinkNode(sink, ["create-file", "read-file"])
   }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {

java/ql/test/utils/modelgenerator/dataflow/CaptureSinkModels.expected

@@ -1,4 +1,5 @@
 | p;PrivateFlowViaPublicInterface$SPI;true;openStream;();;Argument[-1];create-file;generated |
+| p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[0];read-file;generated |
 | p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[1];create-file;generated |
 | p;Sinks;true;readUrl;(URL,Charset);;Argument[0];open-url;generated |
 | p;Sources;true;readUrl;(URL);;Argument[0];open-url;generated |