vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>

apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java

@@ -27,6 +27,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import javax.ws.rs.core.HttpHeaders;
 
@@ -96,7 +97,7 @@ public class MiscApiMockTest extends BaseDockerMockTest {
    public void testBuildContainerUsingPayload() throws Exception {
       MockWebServer server = mockWebServer(new MockResponse().setResponseCode(200));
       MiscApi api = api(DockerApi.class, server.url("/").toString()).getMiscApi();
-      File file = File.createTempFile("docker", "tmp");
+      File file = Files.createTempFile("docker", "tmp").toFile();
       FileInputStream data = new FileInputStream(file);
       Payload payload = Payloads.newInputStreamPayload(data);
       payload.getContentMetadata().setContentLength(file.length());

core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java

@@ -31,6 +31,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URLDecoder;
+import java.nio.file.Files;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
 
@@ -268,7 +269,7 @@ public abstract class BaseHttpCommandExecutorServiceIntegrationTest extends Base
       Payload payload = null;
 
       try {
-         f = File.createTempFile("jclouds", "tmp");
+         f = Files.createTempFile("jclouds", "tmp").toFile();
          long length = (new Random().nextInt(32) + 1) * 1024L * 1024L;
          TestUtils.randomByteSource().slice(0, length).copyTo(Files.asByteSink(f));
 

core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java

@@ -43,6 +43,7 @@ import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.net.URI;
 import java.net.URLEncoder;
+import java.nio.file.Files;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1036,7 +1037,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
    public void testMultipartWithParamFilePart() throws Exception {
       Invokable<?, ?> method = method(TestMultipartForm.class, "withParamFilePart", String.class,
             File.class);
-      File file = File.createTempFile("foo", "bar");
+      File file = Files.createTempFile("foo", "bar").toFile();
       try {
          Files.append("foobledata", file, UTF_8);
 
@@ -1082,7 +1083,7 @@ public class RestAnnotationProcessorTest extends BaseRestApiTest {
    public void testMultipartWithParamFileBinaryPart() throws Exception {
       Invokable<?, ?> method = method(TestMultipartForm.class, "withParamFileBinaryPart",
             String.class, File.class);
-      File file = File.createTempFile("foo", "bar");
+      File file = Files.createTempFile("foo", "bar").toFile();
       try {
          Files.write(new byte[] { 17, 26, 39, 40, 50 }, file);
 

drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java

@@ -28,6 +28,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.concurrent.Callable;
 import java.util.concurrent.Executors;
@@ -161,7 +162,7 @@ public class JschSshClientLiveTest {
 
    @Test
    public void testPutAndGet() throws IOException {
-      temp = File.createTempFile("foo", "bar");
+      temp = Files.createTempFile("foo", "bar").toFile();
       try {
          SshClient client = setupClient();
          client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));

drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java

@@ -26,6 +26,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.InetAddress;
+import java.nio.file.Files;
 
 import org.jclouds.compute.domain.ExecChannel;
 import org.jclouds.compute.domain.ExecResponse;
@@ -148,7 +149,7 @@ public class SshjSshClientLiveTest {
    }
 
    public void testPutAndGet() throws IOException {
-      temp = File.createTempFile("foo", "bar");
+      temp = Files.createTempFile("foo", "bar").toFile();
       try {
          SshClient client = setupClient();
          client.put(temp.getAbsolutePath(), Payloads.newStringPayload("rabbit"));