mirror of https://github.com/apache/openjpa.git
vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne <team@moderne.io>
This commit is contained in:
parent
57f300b1da
commit
920c19da45
|
@ -28,6 +28,7 @@ import java.lang.management.ManagementFactory;
|
||||||
import java.lang.management.RuntimeMXBean;
|
import java.lang.management.RuntimeMXBean;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
import java.net.URLClassLoader;
|
import java.net.URLClassLoader;
|
||||||
|
import java.nio.file.Files;
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
||||||
import java.security.CodeSource;
|
import java.security.CodeSource;
|
||||||
import java.security.PrivilegedAction;
|
import java.security.PrivilegedAction;
|
||||||
|
@ -148,7 +149,7 @@ public class InstrumentationFactory {
|
||||||
*/
|
*/
|
||||||
private static String createAgentJar() throws IOException {
|
private static String createAgentJar() throws IOException {
|
||||||
File file =
|
File file =
|
||||||
File.createTempFile(InstrumentationFactory.class.getName(), ".jar");
|
Files.createTempFile(InstrumentationFactory.class.getName(), ".jar").toFile();
|
||||||
file.deleteOnExit();
|
file.deleteOnExit();
|
||||||
|
|
||||||
ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
|
ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
|
||||||
|
|
|
@ -23,6 +23,7 @@ import java.io.FileOutputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.io.OutputStream;
|
import java.io.OutputStream;
|
||||||
|
import java.nio.file.Files;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.MissingResourceException;
|
import java.util.MissingResourceException;
|
||||||
|
|
||||||
|
@ -142,7 +143,7 @@ public class TestAnchorParsing extends TestCase {
|
||||||
|
|
||||||
private File resourceToTemporaryFile(String s) throws IOException {
|
private File resourceToTemporaryFile(String s) throws IOException {
|
||||||
InputStream in = getClass().getClassLoader().getResourceAsStream(s);
|
InputStream in = getClass().getClassLoader().getResourceAsStream(s);
|
||||||
File f = File.createTempFile("TestAnchorParsing", ".xml");
|
File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
|
||||||
OutputStream out = new FileOutputStream(f);
|
OutputStream out = new FileOutputStream(f);
|
||||||
byte[] bytes = new byte[1024];
|
byte[] bytes = new byte[1024];
|
||||||
while (true) {
|
while (true) {
|
||||||
|
|
Loading…
Reference in New Issue