Skip to content

Commit

Permalink
vuln-fix: Temporary File Information Disclosure
Browse files Browse the repository at this point in the history 
This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>
  • Loading branch information
@JLLeitschuh @TeamModerne
JLLeitschuh and TeamModerne committed Nov 18, 2022
1 parent 0dfd50c commit 8594733
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 6 deletions.
3 changes: 2 additions & 1 deletion src/main/java/org/apache/maven/plugins/shade/mojo/ShadeMojo.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Writer;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
Expand Down Expand Up @@ -1150,7 +1151,7 @@ private void rewriteDependencyReducedPomIfWeHaveReduction( List<Dependency> depe
if ( generateUniqueDependencyReducedPom )
{
dependencyReducedPomLocation =
File.createTempFile( "dependency-reduced-pom-", ".xml", project.getBasedir() );
Files.createTempFile( project.getBasedir().toPath(), "dependency-reduced-pom-", ".xml" ).toFile();
project.getProperties().setProperty( "maven.shade.dependency-reduced-pom",
dependencyReducedPomLocation.getAbsolutePath() );
}
Expand Down
3 changes: 2 additions & 1 deletion src/test/java/org/apache/maven/plugins/shade/resource/GroovyResourceTransformerTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.Collections;
import java.util.Properties;
import java.util.jar.JarFile;
Expand Down Expand Up @@ -75,7 +76,7 @@ private static InputStream module( String name, String version, String extension
private static Properties transform( GroovyResourceTransformer transformer )
throws Exception
{
File tempJar = File.createTempFile( "shade.", ".jar" );
File tempJar = Files.createTempFile( "shade.", ".jar" ).toFile();
tempJar.deleteOnExit();

try ( FileOutputStream fos = new FileOutputStream( tempJar );
Expand Down
9 changes: 5 additions & 4 deletions src/test/java/org/apache/maven/plugins/shade/resource/ServiceResourceTransformerTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
Expand Down Expand Up @@ -65,7 +66,7 @@ public void relocatedClasses() throws Exception {
xformer.processResource( contentResource, contentStream, relocators, 0 );
contentStream.close();

File tempJar = File.createTempFile("shade.", ".jar");
File tempJar = Files.createTempFile( "shade.", ".jar" ).toFile();
tempJar.deleteOnExit();
FileOutputStream fos = new FileOutputStream( tempJar );
try ( JarOutputStream jos = new JarOutputStream( fos ) ) {
Expand Down Expand Up @@ -109,7 +110,7 @@ public void mergeRelocatedFiles() throws Exception {
xformer.processResource(contentResourceShaded, contentStream, relocators, 0);
}

File tempJar = File.createTempFile("shade.", ".jar");
File tempJar = Files.createTempFile( "shade.", ".jar" ).toFile();
tempJar.deleteOnExit();
FileOutputStream fos = new FileOutputStream( tempJar );
try ( JarOutputStream jos = new JarOutputStream( fos ) ) {
Expand Down Expand Up @@ -145,7 +146,7 @@ public void concatanationAppliedMultipleTimes() throws Exception {
xformer.processResource( contentResource, contentStream, relocators, 0 );
contentStream.close();

File tempJar = File.createTempFile("shade.", ".jar");
File tempJar = Files.createTempFile( "shade.", ".jar" ).toFile();
tempJar.deleteOnExit();
FileOutputStream fos = new FileOutputStream( tempJar );
try ( JarOutputStream jos = new JarOutputStream( fos ) ) {
Expand Down Expand Up @@ -188,7 +189,7 @@ public void concatenation() throws Exception {
xformer.processResource( contentResource, contentStream, relocators, 0 );
contentStream.close();

File tempJar = File.createTempFile("shade.", ".jar");
File tempJar = Files.createTempFile( "shade.", ".jar" ).toFile();
tempJar.deleteOnExit();
FileOutputStream fos = new FileOutputStream( tempJar );
try ( JarOutputStream jos = new JarOutputStream( fos ) ) {
Expand Down

0 comments on commit 8594733

Please sign in to comment.