From f5ccd4d5cc0de1f8a6be0347f53075b0d337f0e7 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:42:41 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../assembly/filter/AbstractLineAggregatingHandler.java | 3 ++-
 .../assembly/filter/ComponentsXmlArchiverFileFilter.java | 2 +-
 .../assembly/filter/SimpleAggregatingDescriptorHandler.java | 3 ++-
 .../org/apache/maven/plugins/assembly/io/URLLocation.java | 3 ++-
 .../maven/plugins/assembly/io/DefaultAssemblyReaderTest.java | 2 +-
 .../maven/plugins/assembly/utils/LineEndingsUtilsTest.java | 5 +++--
 6 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java b/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
index 57b6b5c74..572880ca6 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
@@ -33,6 +33,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -81,7 +82,7 @@ void addToArchive( final Archiver archiver )
 File f;
 try
 {
- f = File.createTempFile( "assembly-" + fname, ".tmp" );
+ f = Files.createTempFile( "assembly-" + fname, ".tmp" ).toFile();
 f.deleteOnExit();
 try ( PrintWriter writer =
diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java b/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
index 83936fcea..d64f3ca5b 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
@@ -102,7 +102,7 @@ private void addToArchive( final Archiver archiver )
 {
 if ( components != null )
 {
- final File f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+ final File f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
 f.deleteOnExit();
diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java b/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
index 4a4d2e794..a0f42049e 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
@@ -38,6 +38,7 @@
 import java.io.StringWriter;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -97,7 +98,7 @@ private File writePropertiesFile()
 File f;
 try
 {
- f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+ f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
 f.deleteOnExit();
 try ( Writer writer = getWriter( f ) )
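Review bot: The prefix `"assembly-" + fname` on the added line is checked differently by Files.createTempFile than by File.createTempFile: a prefix containing a name separator is now rejected with IllegalArgumentException rather than IOException, so the catch that presumably follows this try (outside the hunk) would no longer cover it if fname can carry a path component; building the prefix from `new File( fname ).getName()`, or validating fname before the call, keeps the old failure mode. The same replacement in writePropertiesFile of SimpleAggregatingDescriptorHandler and addToArchive of ComponentsXmlArchiverFileFilter still leaves cleanup to `f.deleteOnExit()`, which only runs on orderly JVM shutdown; once the file's content has been handed to the archiver, deleting it in a finally block would shorten the time the temporary copy exists. addToArchive starts and ends outside the hunk.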
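Review bot: The ComponentsXmlArchiverFileFilter hunk references `Files` but no import hunk accompanies it, and the diffstat reports only one insertion and one deletion for that file, so unless `java.nio.file.Files` is already imported above line 102 this will not compile. The same applies to DefaultAssemblyReaderTest (also 2 +-), while the other four files each received an explicit `import java.nio.file.Files;` line in this patch. Worth confirming with a build before merging.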
diff --git a/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java b/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
index 9c3ebca52..b7a229727 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.file.Files;
 import org.apache.commons.io.IOUtils;
@@ -65,7 +66,7 @@ protected void initFile()
 {
 if ( unsafeGetFile() == null )
 {
- File tempFile = File.createTempFile( tempFilePrefix, tempFileSuffix );
+ File tempFile = Files.createTempFile( tempFilePrefix, tempFileSuffix ).toFile();
 if ( tempFileDeleteOnExit )
 {
diff --git a/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java b/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
index ccc1a7712..ff1a05819 100644
--- a/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
+++ b/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
@@ -96,7 +96,7 @@ public void setUp()
 public void testIncludeSiteInAssembly_ShouldFailIfSiteDirectoryNonExistent()
 throws Exception
 {
- final File siteDir = File.createTempFile( "assembly-reader.", ".test" );
+ final File siteDir = Files.createTempFile( "assembly-reader.", ".test" ).toFile();
 siteDir.delete();
 when( configSource.getSiteDirectory() ).thenReturn( siteDir );
diff --git a/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java b/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
index 83b919a56..fa9ab3157 100644
--- a/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
+++ b/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
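Review bot: `Files.createTempFile( tempFilePrefix, tempFileSuffix )` in initFile relaxes the argument checks the old call performed: a prefix shorter than three characters is no longer rejected with IllegalArgumentException, a null prefix (which previously failed) is now treated as empty, and a prefix or suffix containing a name separator now throws IllegalArgumentException instead of IOException. tempFilePrefix and tempFileSuffix appear to be fields set from outside this hunk, so if callers relied on the old validation an explicit `Objects.requireNonNull( tempFilePrefix, "tempFilePrefix" )` where they are assigned would keep the failure mode predictable. A one-line comment on the new line, `// Files.createTempFile creates the file with owner-only permissions on POSIX`, would record why the NIO call is used here. initFile continues past the hunk.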
@@ -29,6 +29,7 @@
 import java.io.IOException;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.nio.file.Files;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
@@ -262,9 +263,9 @@ public void testConvertLineEndings_CRLFToLFWithEOFStripEOF()
 private void testConversion( String test, String check, LineEndings lineEndingChars, Boolean eof )
 throws IOException
 {
- File source = File.createTempFile( "line-conversion-test-in.", "" );
+ File source = Files.createTempFile( "line-conversion-test-in.", "" ).toFile();
 source.deleteOnExit();
- File dest = File.createTempFile( "line-conversion-test-out.", "" );
+ File dest = Files.createTempFile( "line-conversion-test-out.", "" ).toFile();
 dest.deleteOnExit();
 FileWriter sourceWriter = null;
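Review bot: The two new Files.createTempFile calls in testConversion still depend on `deleteOnExit()` for cleanup, which leaves files in the shared temp directory whenever the test JVM is killed and accumulates them over a long run. Since the class already uses JUnit 4 (`org.junit.Assert` imports), a `@Rule public TemporaryFolder tmp = new TemporaryFolder();` on the test class with `File source = tmp.newFile();` and `File dest = tmp.newFile();` would give deterministic per-test cleanup and let the two deleteOnExit lines go. testConversion's body continues beyond the hunk.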