vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>
Jonathan Leitschuh 2022-11-18 22:42:52 +00:00
parent 57f300b1da
commit 920c19da45
2 changed files with 4 additions and 2 deletions


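--- a/InstrumentationFactory.java
+++ b/InstrumentationFactory.java
@@ -28,6 +28,7 @@ import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.CodeSource;
 import java.security.PrivilegedAction;
@@ -148,7 +149,7 @@ public class InstrumentationFactory {
 */
 private static String createAgentJar() throws IOException {
 File file =
-File.createTempFile(InstrumentationFactory.class.getName(), ".jar");
+Files.createTempFile(InstrumentationFactory.class.getName(), ".jar").toFile();
 file.deleteOnExit();
 ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));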
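Review bot: The `Files.createTempFile` call on the changed line restricts the agent jar to its owner only where the file system supports POSIX permissions; elsewhere the file keeps the default permissions of `java.io.tmpdir` exactly as before, and the same applies to the `resourceToTemporaryFile` change in the second file. That limitation is worth recording next to the call so the next reader does not treat the jar as private on every platform: `// owner-only permissions are applied only on POSIX file systems; elsewhere the tmpdir defaults apply`. Since the method now has a `Path` in hand, the `FileOutputStream` on the last line could be opened as `Files.newOutputStream(path)` instead of converting straight back to `File`, which keeps one API and truncates in place rather than re-creating the file. `createAgentJar` continues past the hunk, so how the stream is closed is not visible here.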


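--- a/TestAnchorParsing.java
+++ b/TestAnchorParsing.java
@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.MissingResourceException;
@@ -142,7 +143,7 @@ public class TestAnchorParsing extends TestCase {
 private File resourceToTemporaryFile(String s) throws IOException {
 InputStream in = getClass().getClassLoader().getResourceAsStream(s);
-File f = File.createTempFile("TestAnchorParsing", ".xml");
+File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
 OutputStream out = new FileOutputStream(f);
 byte[] bytes = new byte[1024];
 while (true) {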
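Review bot: The new line discards the `Path` immediately with `.toFile()` and the next line reopens the same file through `FileOutputStream`; opening it as `Files.newOutputStream(path)` would keep the file-creation and file-writing on one API and, because it truncates the existing file rather than replacing it, preserves the restricted permissions the commit just introduced. For the same reason the hand-rolled copy loop should not be shortened to `Files.copy(in, path, StandardCopyOption.REPLACE_EXISTING)`: that option deletes and re-creates the target, which brings back default permissions. Unlike its counterpart in `InstrumentationFactory`, nothing in this hunk schedules the temporary file for removal; if the rest of the helper does not delete it, `f.deleteOnExit();` after the creation would avoid leaving test fixtures in the shared temp directory. `resourceToTemporaryFile` continues past the hunk, so the copy loop and stream handling are not fully visible here.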