From be876d5ad66594e8de8bd49eae33ec798c0abdc9 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 4 Oct 2022 00:18:14 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure
This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.
Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne
---
 .../orika/impl/generator/FilePathUtility.java | 13 ++++---------
 .../test/perf/MultiLayeredClassloaderTestCase.java | 14 +++-----------
 2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/eclipse-tools/src/main/java/ma/glasnost/orika/impl/generator/FilePathUtility.java b/eclipse-tools/src/main/java/ma/glasnost/orika/impl/generator/FilePathUtility.java
index 85681377..c67f1540 100644
--- a/eclipse-tools/src/main/java/ma/glasnost/orika/impl/generator/FilePathUtility.java
+++ b/eclipse-tools/src/main/java/ma/glasnost/orika/impl/generator/FilePathUtility.java
@@ -23,12 +23,13 @@
 import java.io.FileOutputStream;
 import java.io.FileReader;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.LinkedList;
-import java.util.Set;
-
+import java.util.Set;
+
 /** * * @author matt.deboer@gmail.com 
@@ -56,13 +57,7 @@ static String getJavaPackage(File sourceFile, File classPathRoot) {
 }
 static File createTempDirectory() throws IOException {
- final File temp = File.createTempFile("temp", Long.toString(System.nanoTime()));
- if(!(temp.delete())) {
- throw new IOException("Could not delete temp file: " + temp.getAbsolutePath());
- }
- if(!(temp.mkdir())) {
- throw new IOException("Could not create temp directory: " + temp.getAbsolutePath());
- }
+ final File temp = Files.createTempDirectory("temp" + Long.toString(System.nanoTime())).toFile();
 return temp;
 }
diff --git a/tests/src/main/java/ma/glasnost/orika/test/perf/MultiLayeredClassloaderTestCase.java b/tests/src/main/java/ma/glasnost/orika/test/perf/MultiLayeredClassloaderTestCase.java
index a378c9ae..cb3a1808 100644
--- a/tests/src/main/java/ma/glasnost/orika/test/perf/MultiLayeredClassloaderTestCase.java
+++ b/tests/src/main/java/ma/glasnost/orika/test/perf/MultiLayeredClassloaderTestCase.java
@@ -20,7 +20,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
-import java.net.URLClassLoader;
+import java.net.URLClassLoader;
+import java.nio.file.Files;
 import ma.glasnost.orika.impl.generator.EclipseJdtCompiler;
 import ma.glasnost.orika.test.MavenProjectUtil;
@@ -40,16 +41,7 @@ public class MultiLayeredClassloaderTestCase {
 * @throws IOException
 */
 public static File createTempDirectory() throws IOException {
- final File temp = File.createTempFile("temp",
- Long.toString(System.nanoTime()));
- if (!(temp.delete())) {
- throw new IOException("Could not delete temp file: "
- + temp.getAbsolutePath());
- }
- if (!(temp.mkdir())) {
- throw new IOException("Could not create temp directory: "
- + temp.getAbsolutePath());
- }
+ final File temp = Files.createTempDirectory("temp" + Long.toString(System.nanoTime())).toFile();
 return temp;
 }
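Review bot: The `"temp" + Long.toString(System.nanoTime())` prefix handed to `Files.createTempDirectory` on the new line of FilePathUtility.createTempDirectory is redundant, because that API already appends a random component to the generated name, and the `temp` local is only ever returned; `return Files.createTempDirectory("temp").toFile();` is the equivalent one-liner. The same applies to the MultiLayeredClassloaderTestCase.createTempDirectory hunk further down. FilePathUtility.createTempDirectory has no Javadoc in the visible context; it would be worth adding one stating that the directory is created atomically with owner-only permissions where the file system supports POSIX permissions, that no such restriction is applied on file systems that do not, and that the caller is expected to delete it, since nothing in the hunk does. The `-import java.util.Set;`/`+import java.util.Set;` and `URLClassLoader` import pairs in both files' import hunks look like whitespace or line-ending normalisation rather than content changes, which adds noise to a security fix and is better kept out of it.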