From 920c19da45a9c5c231d41ec889fb91ca94dc440b Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:42:52 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../org/apache/openjpa/enhance/InstrumentationFactory.java | 3 ++-
 .../java/org/apache/openjpa/lib/conf/TestAnchorParsing.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
index 6e94635b9..8a828fc47 100644
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
@@ -28,6 +28,7 @@ import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.CodeSource;
 import java.security.PrivilegedAction;
@@ -148,7 +149,7 @@ public class InstrumentationFactory {
 */
 private static String createAgentJar() throws IOException {
 File file =
-File.createTempFile(InstrumentationFactory.class.getName(), ".jar");
+Files.createTempFile(InstrumentationFactory.class.getName(), ".jar").toFile();
 file.deleteOnExit();
 
 ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
diff --git a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
index 4b6be364b..7f2ca7992 100644
--- a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
+++ b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.MissingResourceException;
 
@@ -142,7 +143,7 @@ public class TestAnchorParsing extends TestCase {
 
 private File resourceToTemporaryFile(String s) throws IOException {
 InputStream in = getClass().getClassLoader().getResourceAsStream(s);
-File f = File.createTempFile("TestAnchorParsing", ".xml");
+File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
 OutputStream out = new FileOutputStream(f);
 byte[] bytes = new byte[1024];
 while (true) {
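Review bot: `Files.createTempFile` on the changed line in `createAgentJar` restricts the agent jar to owner-only permissions only when the default file system exposes the POSIX attribute view; on Windows or another non-POSIX file system it passes no permission attributes and the result matches the old `File.createTempFile` call, so the hardening is platform-dependent rather than universal. The `Path` is also discarded immediately through `.toFile()`; keeping it would let the following lines use `Files.newOutputStream(path)` in place of `new FileOutputStream(file)`, though that is optional. Since this is a security property callers may rely on, I would record it in the method's Javadoc, whose closing `*/` is the hunk's first context line: `@implNote The jar is created with owner-only (rw-------) permissions where the file system supports POSIX permissions; elsewhere it inherits the temp directory's defaults.` The method body continues past the end of the hunk.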
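Review bot: The new line in `resourceToTemporaryFile` converts the `Path` straight back to a `File`, which keeps the rest of the method (the manual 1024-byte copy loop that starts at `while (true) {`; the method continues past the hunk) on the legacy stream API even though `java.nio.file.Files` is now imported. Keeping the `Path` and replacing the loop with `Files.copy(in, path, StandardCopyOption.REPLACE_EXISTING)` inside a try-with-resources on `in` would be shorter and would close the streams reliably; `REPLACE_EXISTING` is required because `Files.createTempFile` has already created the empty file, and `java.nio.file.StandardCopyOption` would need importing. Unlike `createAgentJar` in the kernel hunk, no `deleteOnExit()` is visible here, so the temp file may be left behind unless the caller removes it — worth confirming. The unchanged `getResourceAsStream(s)` on the line above returns null for a missing resource, which the visible lines do not check.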