From 7a73abcd1584037f039ccf29a1d1fa4c0c8da9f8 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Sat, 19 Nov 2022 02:11:02 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../edu/isi/nlp/serialization/jackson/TestSerialization.java | 3 ++-
 gnuplot-util/src/main/java/edu/isi/nlp/gnuplot/PlotBundle.java | 3 ++-
 .../src/main/java/edu/isi/nlp/graphviz/DotRenderer.java | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 gnuplot-util/src/main/java/edu/isi/nlp/graphviz/DotRenderer.java

diff --git a/common-core-open/src/test/java/edu/isi/nlp/serialization/jackson/TestSerialization.java b/common-core-open/src/test/java/edu/isi/nlp/serialization/jackson/TestSerialization.java
index e45df0b..fce52af 100644
--- a/common-core-open/src/test/java/edu/isi/nlp/serialization/jackson/TestSerialization.java
+++ b/common-core-open/src/test/java/edu/isi/nlp/serialization/jackson/TestSerialization.java
@@ -12,6 +12,7 @@ import edu.isi.nlp.evaluation.FMeasureCounts;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Map;
 import org.junit.Test;
@@ -25,7 +26,7 @@ public class TestSerialization {
 public void testFMeasureCounts() throws IOException {
 final Map foo = ImmutableMap.of("Hello", FMeasureCounts.fromTPFPFN(1, 2, 3));
- final File tmp = File.createTempFile("foo", "bar");
+ final File tmp = Files.createTempFile("foo", "bar").toFile();
 tmp.deleteOnExit();
 assertEquals(foo, JacksonTestUtils.roundTripThroughSerializer(foo, serializer));
diff --git a/gnuplot-util/src/main/java/edu/isi/nlp/gnuplot/PlotBundle.java b/gnuplot-util/src/main/java/edu/isi/nlp/gnuplot/PlotBundle.java
index 7542bd2..e79a1ac 100644
--- a/gnuplot-util/src/main/java/edu/isi/nlp/gnuplot/PlotBundle.java
+++ b/gnuplot-util/src/main/java/edu/isi/nlp/gnuplot/PlotBundle.java
@@ -9,6 +9,7 @@ import com.google.common.io.Files;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Map;
 /**
@@ -35,7 +36,7 @@ private PlotBundle(
 public String commandsWritingDataTo(File dataDirectory) throws IOException {
 final Map refsToFiles = Maps.newHashMap();
 for (final DatafileReference datafileReference : datafileReferences) {
- final File randomFile = File.createTempFile("plotBundle", ".dat", dataDirectory);
+ final File randomFile = Files.createTempFile(dataDirectory.toPath(), "plotBundle", ".dat").toFile();
 randomFile.deleteOnExit();
 refsToFiles.put(datafileReference, randomFile);
 Files.asCharSink(randomFile, Charsets.UTF_8).write(datafileReference.data);
diff --git a/gnuplot-util/src/main/java/edu/isi/nlp/graphviz/DotRenderer.java b/gnuplot-util/src/main/java/edu/isi/nlp/graphviz/DotRenderer.java
old mode 100755
new mode 100644
index 2f5b11d..cf3e16e
--- a/gnuplot-util/src/main/java/edu/isi/nlp/graphviz/DotRenderer.java
+++ b/gnuplot-util/src/main/java/edu/isi/nlp/graphviz/DotRenderer.java
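Review bot: The added `import java.nio.file.Files;` in PlotBundle.java collides with the existing `import com.google.common.io.Files;` visible right above it, and two single-type imports of the same simple name are a compile error, so PlotBundle.java no longer builds; DotRenderer.java very likely has the same collision, since its hunk still calls Guava's `Files.asCharSink(...)` two lines below the new NIO call. Because the Guava `Files` is what both methods use for writing, the smaller fix is to drop the new import and qualify the single NIO call: `final File randomFile = java.nio.file.Files.createTempFile(dataDirectory.toPath(), "plotBundle", ".dat").toFile();` (and likewise `java.nio.file.Files.createTempFile("dotRenderer", ".dot")` in DotRenderer). The restrictive default mode that `Files.createTempFile` applies, and that the commit message relies on, only holds on file systems with POSIX permissions, so a `dataDirectory` on a non-POSIX volume gains nothing from this change; if the `.dat` contents must stay private, the directory itself should also be created with restricted permissions. commandsWritingDataTo continues outside the hunk.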
@@ -19,6 +19,7 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import java.nio.file.Files;
 import javax.inject.Inject;
 import javax.inject.Qualifier;
 import org.slf4j.Logger;
@@ -41,7 +42,7 @@ public static DotRenderer createForDotExecutable(File dotBinary) {
 }
 public void renderToFile(Graph graph, File outputFile) throws IOException, InterruptedException {
- final File dotCommands = File.createTempFile("dotRenderer", ".dot");
+ final File dotCommands = Files.createTempFile("dotRenderer", ".dot").toFile();
 // dotCommands.deleteOnExit();;
 Files.asCharSink(dotCommands, Charsets.UTF_8).write(graph.toDot());
 renderToFile(dotCommands, outputFile);
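Review bot: The new `Files.createTempFile("dotRenderer", ".dot")` still leaves the temporary file behind, because the only cleanup is the commented-out `// dotCommands.deleteOnExit();;` on the next line; the file holds the complete DOT source of the graph, so the disclosure this commit targets is narrowed by the file mode but the files keep accumulating in the temp directory for the lifetime of the host. Assuming the overloaded `renderToFile(dotCommands, outputFile)` waits for the dot process (it declares InterruptedException, which suggests so), the file can be removed in a `finally` block as below, which also retires the dead commented-out line; the NIO calls are written fully qualified because the Guava `Files` used by `asCharSink` is presumably imported in this file too. The mode change 100755 → 100644 recorded in the file header is unrelated to the fix and would be clearer as its own commit. renderToFile's body continues outside the hunk.

```java
public void renderToFile(Graph graph, File outputFile) throws IOException, InterruptedException {
  final File dotCommands = java.nio.file.Files.createTempFile("dotRenderer", ".dot").toFile();
  try {
    Files.asCharSink(dotCommands, Charsets.UTF_8).write(graph.toDot());
    renderToFile(dotCommands, outputFile);
  } finally {
    // The DOT source is only needed while dot runs; do not leave it in the temp dir.
    java.nio.file.Files.deleteIfExists(dotCommands.toPath());
  }
```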