vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne <team@moderne.io>
2022-11-19 03:01:07 +00:00 · 2022-11-19 03:01:07 +00:00 · b282b5cbfe
parent 25bcb7961e
commit b282b5cbfe
5 changed files with 11 additions and 6 deletions
--- a/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
+++ b/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
@ -27,6 +27,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;

 import javax.ws.rs.core.HttpHeaders;

@ -96,7 +97,7 @@ public class MiscApiMockTest extends BaseDockerMockTest {
   public void testBuildContainerUsingPayload() throws Exception {
      MockWebServer server = mockWebServer(new MockResponse().setResponseCode(200));
      MiscApi api = api(DockerApi.class, server.url("/").toString()).getMiscApi();
-      File file = File.createTempFile("docker", "tmp");
+      File file = Files.createTempFile("docker", "tmp").toFile();
      FileInputStream data = new FileInputStream(file);
      Payload payload = Payloads.newInputStreamPayload(data);
      payload.getContentMetadata().setContentLength(file.length());
--- a/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
+++ b/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
@ -31,6 +31,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URLDecoder;
+import java.nio.file.Files;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;

@ -268,7 +269,7 @@ public abstract class BaseHttpCommandExecutorServiceIntegrationTest extends Base
      Payload payload = null;

      try {
-         f = File.createTempFile("jclouds", "tmp");
+         f = Files.createTempFile("jclouds", "tmp").toFile();
         long length = (new Random().nextInt(32) + 1) * 1024L * 1024L;
         TestUtils.randomByteSource().slice(0, length).copyTo(Files.asByteSink(f));

--- a/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
+++ b/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
@ -43,6 +43,7 @@ import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.net.URI;
 import java.net.URLEncoder;
+import java.nio.file.Files;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collection;
@ -1036,7 +1037,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
   public void testMultipartWithParamFilePart() throws Exception {
      Invokable<?, ?> method = method(TestMultipartForm.class, "withParamFilePart", String.class,
            File.class);
-      File file = File.createTempFile("foo", "bar");
+      File file = Files.createTempFile("foo", "bar").toFile();
      try {
         Files.append("foobledata", file, UTF_8);

@ -1082,7 +1083,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
   public void testMultipartWithParamFileBinaryPart() throws Exception {
      Invokable<?, ?> method = method(TestMultipartForm.class, "withParamFileBinaryPart",
            String.class, File.class);
-      File file = File.createTempFile("foo", "bar");
+      File file = Files.createTempFile("foo", "bar").toFile();
      try {
         Files.write(new byte[] { 17, 26, 39, 40, 50 }, file);

--- a/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
+++ b/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
@ -28,6 +28,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.concurrent.Callable;
 import java.util.concurrent.Executors;
@ -161,7 +162,7 @@ public class JschSshClientLiveTest {

   @Test
   public void testPutAndGet() throws IOException {
-      temp = File.createTempFile("foo", "bar");
+      temp = Files.createTempFile("foo", "bar").toFile();
      try {
         SshClient client = setupClient();
         client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));
--- a/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
+++ b/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
@ -26,6 +26,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;

 import org.jclouds.compute.domain.ExecChannel;
 import org.jclouds.compute.domain.ExecResponse;
@ -148,7 +149,7 @@ public class SshjSshClientLiveTest {
   }

   public void testPutAndGet() throws IOException {
-      temp = File.createTempFile("foo", "bar");
+      temp = Files.createTempFile("foo", "bar").toFile();
      try {
         SshClient client = setupClient();
         client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));