vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

build-engine/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java

@@ -29,6 +29,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.util.HashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -595,7 +596,7 @@ protected void attachSegmentMetadata(CubeSegment segment, Configuration conf, bo
 
     protected void dumpKylinPropsAndMetadata(String prj, Set<String> dumpList, KylinConfig kylinConfig,
             Configuration conf) throws IOException {
-        File tmp = File.createTempFile("kylin_job_meta", "");
+        File tmp = Files.createTempFile("kylin_job_meta", "").toFile();
         FileUtils.forceDelete(tmp); // we need a directory, so delete the file first
 
         File metaDir = new File(tmp, "meta");

build-engine/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java

@@ -26,6 +26,7 @@
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.text.DecimalFormat;
 import java.text.DecimalFormatSymbols;
 import java.util.ArrayList;
@@ -156,7 +157,7 @@ private Map<Long, Double> handlePreciseCuboidsSize(Map<Long, Long> cuboidSizeMap
     }
 
     private File writeTmpSeqFile(InputStream inputStream) throws IOException {
-        File tempFile = File.createTempFile("kylin_stats_tmp", ".seq");
+        File tempFile = Files.createTempFile("kylin_stats_tmp", ".seq").toFile();
         FileOutputStream out = null;
         try {
             out = new FileOutputStream(tempFile);

core-common/src/main/java/org/apache/kylin/common/persistence/AutoDeleteDirectory.java

@@ -21,6 +21,7 @@
 import java.io.Closeable;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 public class AutoDeleteDirectory implements Closeable {
 
@@ -31,7 +32,7 @@ public AutoDeleteDirectory(File file) {
     }
     public AutoDeleteDirectory(String prefix, String suffix) {
         try {
-            tempFile = File.createTempFile(prefix, suffix);
+            tempFile = Files.createTempFile(prefix, suffix).toFile();
             org.apache.commons.io.FileUtils.forceDelete(tempFile); // we need a directory, so delete the file first
             tempFile.mkdirs();
         } catch (IOException e) {

core-common/src/main/java/org/apache/kylin/common/persistence/FileResourceStore.java

@@ -24,6 +24,7 @@
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Collection;
 
 import org.apache.commons.io.FileUtils;
@@ -130,7 +131,7 @@ protected void putResourceImpl(String resPath, ContentWriter content, long ts) t
         if (--failPutResourceCountDown == 0)
             throw new IOException("for test");
 
-        File tmp = File.createTempFile("kylin-fileresource-", ".tmp");
+        File tmp = Files.createTempFile("kylin-fileresource-", ".tmp").toFile();
         try {
 
             try (FileOutputStream out = new FileOutputStream(tmp); DataOutputStream dout = new DataOutputStream(out)) {

core-common/src/main/java/org/apache/kylin/common/persistence/ResourceStore.java

@@ -24,6 +24,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedHashMap;
@@ -787,7 +788,7 @@ protected abstract void visitFolderImpl(String folderPath, boolean recursive, Vi
             boolean loadContent, Visitor visitor) throws IOException;
 
     public static String dumpResources(KylinConfig kylinConfig, Collection<String> dumpList) throws IOException {
-        File tmp = File.createTempFile("kylin_job_meta", "");
+        File tmp = Files.createTempFile("kylin_job_meta", "").toFile();
         FileUtils.forceDelete(tmp); // we need a directory, so delete the file first
 
         File metaDir = new File(tmp, "meta");

core-common/src/test/java/org/apache/kylin/common/util/SSHClientTest.java

@@ -23,6 +23,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.kylin.common.KylinConfig;
@@ -81,7 +82,7 @@ public void testScp() throws Exception {
             return;
 
         SSHClient ssh = new SSHClient(this.hostname, this.port, this.username, this.password);
-        File tmpFile = File.createTempFile("test_scp", "", new File("/tmp"));
+        File tmpFile = Files.createTempFile(new File("/tmp").toPath(), "test_scp", "").toFile();
         tmpFile.deleteOnExit();
         FileUtils.write(tmpFile, "test_scp", Charset.defaultCharset());
         ssh.scpFileToRemote(tmpFile.getAbsolutePath(), "/tmp");

core-cube/src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java

@@ -30,6 +30,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.ByteBuffer;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Comparator;
 import java.util.Iterator;
@@ -666,7 +667,7 @@ class Dump implements Iterable<Pair<byte[], byte[]>> {
             DataInputStream dis;
 
             public Dump(SortedMap<byte[], MeasureAggregator[]> buffMap, long estMemSize) throws IOException {
-                this.dumpedFile = File.createTempFile("KYLIN_SPILL_", ".tmp");
+                this.dumpedFile = Files.createTempFile("KYLIN_SPILL_", ".tmp").toFile();
                 this.buffMap = buffMap;
                 this.estMemSize = estMemSize;
             }

core-metadata/src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java

@@ -27,6 +27,7 @@
 import java.io.OutputStreamWriter;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
@@ -76,7 +77,7 @@ protected String prepareTestDate() throws IOException {
         ZipfDistribution zipf = new ZipfDistribution(KEY_SPACE, 0.5);
         int keyIndex;
 
-        File tempFile = File.createTempFile("ZipfDistribution", ".txt");
+        File tempFile = Files.createTempFile("ZipfDistribution", ".txt").toFile();
 
         if (tempFile.exists())
             FileUtils.forceDelete(tempFile);

core-metadata/src/test/java/org/apache/kylin/source/H2Database.java

@@ -29,6 +29,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -93,7 +94,7 @@ private void loadH2Table(String tableName) throws SQLException {
         File tempFile = null;
 
         try {
-            tempFile = File.createTempFile("tmp_h2", ".csv");
+            tempFile = Files.createTempFile("tmp_h2", ".csv").toFile();
             FileOutputStream tempFileStream = new FileOutputStream(tempFile);
             String path = path(tableDesc);
             InputStream csvStream = metaMgr.getStore().getResource(path).content();

kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java

@@ -52,6 +52,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Map;
 
@@ -94,7 +95,7 @@ protected ExecuteResult doWork(ExecutableContext context) throws ExecuteExceptio
                 File tempFile = null;
                 FileOutputStream tempFileStream = null;
                 try {
-                    tempFile = File.createTempFile(segmentId, ".seq");
+                    tempFile = Files.createTempFile(segmentId, ".seq").toFile();
                     tempFileStream = new FileOutputStream(tempFile);
                     org.apache.commons.io.IOUtils.copy(is, tempFileStream);
                 } finally {

kylin-spark-project/kylin-spark-engine/src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java

@@ -31,6 +31,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
 import java.util.List;
 
 @Ignore("convenient trial tool for dev")
@@ -39,7 +40,7 @@ public class NSparkBasicTest extends LocalWithSparkSessionTest {
     @Test
     public void testToRdd() throws IOException {
         final String dataJson = "0,1,2,1000\n0,1,2,1\n3,4,5,2";
-        File dataFile = File.createTempFile("tmp", ".csv");
+        File dataFile = Files.createTempFile("tmp", ".csv").toFile();
         dataFile.deleteOnExit();
         FileUtils.writeStringToFile(dataFile, dataJson, Charset.defaultCharset());
 

query/src/main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java

@@ -20,6 +20,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Locale;
@@ -119,7 +120,7 @@ public static File createTempOLAPJson(String project, KylinConfig config) {
             String jsonContent = out.toString();
             File file = cachedJsons.get(jsonContent);
             if (file == null) {
-                file = File.createTempFile("olap_model_", ".json");
+                file = Files.createTempFile("olap_model_", ".json").toFile();
                 file.deleteOnExit();
                 FileUtils.writeStringToFile(file, jsonContent);
 

tool/src/main/java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java

@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
@@ -122,7 +123,7 @@ protected void execute(OptionsHelper optionsHelper) throws Exception {
 
         // compress to zip package
         if (shouldCompress) {
-            File tempZipFile = File.createTempFile(packageType + "_", ".zip");
+            File tempZipFile = Files.createTempFile(packageType + "_", ".zip").toFile();
             File tempZipDir = new File(exportDest + packageName + "/");
             FileUtils.forceMkdir(tempZipDir);
             for (File file : exportDir.listFiles()) {

tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java

@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.io.PrintStream;
 import java.nio.charset.Charset;
+import java.nio.file.Files;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.kylin.common.util.LocalFileMetadataTestCase;
@@ -36,7 +37,7 @@ public class KylinConfigCLITest extends LocalFileMetadataTestCase {
     @Test
     public void testGetProperty() throws IOException {
         PrintStream o = System.out;
-        File f = File.createTempFile("cfg", ".tmp");
+        File f = Files.createTempFile("cfg", ".tmp").toFile();
         PrintStream tmpOut = new PrintStream(new FileOutputStream(f), false, "UTF-8");
         System.setOut(tmpOut);
         KylinConfigCLI.main(new String[] { "kylin.storage.url" });
@@ -51,7 +52,7 @@ public void testGetProperty() throws IOException {
     @Test
     public void testGetPrefix() throws IOException {
         PrintStream o = System.out;
-        File f = File.createTempFile("cfg", ".tmp");
+        File f = Files.createTempFile("cfg", ".tmp").toFile();
         PrintStream tmpOut = new PrintStream(new FileOutputStream(f), false, "UTF-8");
         System.setOut(tmpOut);
         KylinConfigCLI.main(new String[] { "kylin.cube.engine." });