From b282b5cbfef760be026660522e78d1bba81988ac Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Sat, 19 Nov 2022 03:01:07 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../java/org/jclouds/docker/features/MiscApiMockTest.java | 3 ++-
 .../http/BaseHttpCommandExecutorServiceIntegrationTest.java | 3 ++-
 .../jclouds/rest/internal/RestAnnotationProcessorTest.java | 5 +++--
 .../java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java | 3 ++-
 .../test/java/org/jclouds/sshj/SshjSshClientLiveTest.java | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java b/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
index a3d21a194d..0678966fc1 100644
--- a/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
+++ b/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
@@ -27,6 +27,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import javax.ws.rs.core.HttpHeaders;
@@ -96,7 +97,7 @@ public class MiscApiMockTest extends BaseDockerMockTest {
 public void testBuildContainerUsingPayload() throws Exception {
 MockWebServer server = mockWebServer(new MockResponse().setResponseCode(200));
 MiscApi api = api(DockerApi.class, server.url("/").toString()).getMiscApi();
- File file = File.createTempFile("docker", "tmp");
+ File file = Files.createTempFile("docker", "tmp").toFile();
 FileInputStream data = new FileInputStream(file);
 Payload payload = Payloads.newInputStreamPayload(data);
 payload.getContentMetadata().setContentLength(file.length());
diff --git a/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java b/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
index 7a19459912..e9ce28ab7d 100644
--- a/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
+++ b/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
@@ -31,6 +31,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URLDecoder;
+import java.nio.file.Files;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -268,7 +269,7 @@ public abstract class BaseHttpCommandExecutorServiceIntegrationTest extends Base
 Payload payload = null;
 try {
- f = File.createTempFile("jclouds", "tmp");
+ f = Files.createTempFile("jclouds", "tmp").toFile();
 long length = (new Random().nextInt(32) + 1) * 1024L * 1024L;
 TestUtils.randomByteSource().slice(0, length).copyTo(Files.asByteSink(f));
diff --git a/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java b/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
index c81c65298f..666b7e1854 100644
--- a/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
+++ b/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
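Review bot: The temp file created on the `+` line is never removed, and the `FileInputStream` opened on it two lines later is never closed, anywhere in the hunk; if the remainder of `testBuildContainerUsingPayload` (which continues past the hunk) does not delete it, one leftover file per run accumulates in `java.io.tmpdir` even though it is now owner-only on POSIX. The smallest fix is `File file = Files.createTempFile("docker", "tmp").toFile(); file.deleteOnExit();`, or a try/finally with `file.delete()` and `data.close()` as the `try {` visible in this commit's other hunks suggests those tests already do. Note that `Files.createTempFile` narrows permissions only on POSIX file systems; on Windows the file takes the default ACL of the temp directory, so the commit message's permission claim should be read as POSIX-only.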
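Review bot: The added `import java.nio.file.Files;` very likely collides with the `Files` already used two lines below the change, where `Files.asByteSink(f)` is Guava's `com.google.common.io.Files`; if that class is imported by a single-type import (not visible in this hunk), javac rejects the compilation unit for two single-type imports of the same simple name, so this file may not build as patched. The same pattern appears in both hunks of RestAnnotationProcessorTest, whose `Files.append(...)` and `Files.write(byte[], File)` are also Guava. In those two files drop the new import and qualify the call instead: `f = java.nio.file.Files.createTempFile("jclouds", "tmp").toFile();` here and `File file = java.nio.file.Files.createTempFile("foo", "bar").toFile();` in RestAnnotationProcessorTest. The enclosing method starts and ends outside the hunk.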
@@ -43,6 +43,7 @@ import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.net.URI;
 import java.net.URLEncoder;
+import java.nio.file.Files;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1036,7 +1037,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
 public void testMultipartWithParamFilePart() throws Exception {
 Invokable method = method(TestMultipartForm.class, "withParamFilePart", String.class, File.class);
- File file = File.createTempFile("foo", "bar");
+ File file = Files.createTempFile("foo", "bar").toFile();
 try {
 Files.append("foobledata", file, UTF_8);
@@ -1082,7 +1083,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
 public void testMultipartWithParamFileBinaryPart() throws Exception {
 Invokable method = method(TestMultipartForm.class, "withParamFileBinaryPart", String.class, File.class);
- File file = File.createTempFile("foo", "bar");
+ File file = Files.createTempFile("foo", "bar").toFile();
 try {
 Files.write(new byte[] { 17, 26, 39, 40, 50 }, file);
diff --git a/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java b/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
index ede5b472ad..64007c299e 100644
--- a/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
+++ b/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
@@ -28,6 +28,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.concurrent.Callable;
 import java.util.concurrent.Executors;
@@ -161,7 +162,7 @@ public class JschSshClientLiveTest {
 @Test public void testPutAndGet() throws IOException {
- temp = File.createTempFile("foo", "bar");
+ temp = Files.createTempFile("foo", "bar").toFile();
 try {
 SshClient client = setupClient();
 client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));
diff --git a/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java b/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
index ba8e217d3d..fe664ce283 100644
--- a/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
+++ b/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
@@ -26,6 +26,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;
 import org.jclouds.compute.domain.ExecChannel;
 import org.jclouds.compute.domain.ExecResponse;
@@ -148,7 +149,7 @@ public class SshjSshClientLiveTest {
 }
 public void testPutAndGet() throws IOException {
- temp = File.createTempFile("foo", "bar");
+ temp = Files.createTempFile("foo", "bar").toFile();
 try {
 SshClient client = setupClient();
 client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));