vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure. Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions Severity: High CVSSS: 7.3 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#10 Co-authored-by: Moderne <[email protected]>
BulkSecurityGeneratorProjectV2 · Oct 4, 2022 · ab9340f · ab9340f
1 parent 7155f8a
commit ab9340f
Showing 1 changed file with 2 additions and 11 deletions.
diff --git a/src/test/java/com/vaadin/wscdn/client/test/TestClient.java b/src/test/java/com/vaadin/wscdn/client/test/TestClient.java
@@ -11,6 +11,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.List;
 import java.util.logging.Level;
@@ -147,17 +148,7 @@ public String getArtifactId() {
     private static File createTempDirectory(String prefix) throws IOException {
         final File temp;
 
-        temp = File.createTempFile(prefix, Long.toString(System.nanoTime()));
-
-        if (!(temp.delete())) {
-            throw new IOException(
-                    "Could not delete temp file: " + temp.getAbsolutePath());
-        }
-
-        if (!(temp.mkdir())) {
-            throw new IOException("Could not create temp directory: "
-                    + temp.getAbsolutePath());
-        }
+        temp = Files.createTempDirectory(prefix + Long.toString(System.nanoTime())).toFile();
 
         return (temp);
     }