fix(java) Bad permissions for unix-like system temporary files.

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <[email protected]> Co-authored-by: Moderne <[email protected]>
jenkinsci · Nov 21, 2022 · 82a0f8b · 82a0f8b
1 parent c305a79
commit 82a0f8b
Showing 1 changed file with 9 additions and 8 deletions.
diff --git a/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java b/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java
@@ -11,6 +11,7 @@
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -106,7 +107,7 @@ private static void assertRelativeDistance(String from, String to, int expectedR
 
     @Test
     public void testReadUnsupportedConfigFile() throws Exception {
-        final File temp = File.createTempFile("temp", ".txt");
+        final File temp = Files.createTempFile("temp", ".txt").toFile();
         temp.deleteOnExit();
 
         try {
@@ -121,7 +122,7 @@ public void testReadUnsupportedConfigFile() throws Exception {
 
     @Test
     public void testReadConfigFileInPropertiesFormat() throws Exception {
-        final File temp = File.createTempFile("temp", ".properties");
+        final File temp = Files.createTempFile("temp", ".properties").toFile();
         temp.deleteOnExit();
 
         // test multiline props
@@ -138,7 +139,7 @@ public void testReadConfigFileInPropertiesFormat() throws Exception {
 
     @Test
     public void testReadConfigFileInINIFormat() throws Exception {
-        final File temp = File.createTempFile("temp", ".ini");
+        final File temp = Files.createTempFile("temp", ".ini").toFile();
         temp.deleteOnExit();
 
         // value should be returned 'as-is' without removal of '\'
@@ -169,7 +170,7 @@ public void testReadConfigFileInINIFormat() throws Exception {
 
     @Test
     public void testWriteUnsupportedConfigFile() throws Exception {
-        final File temp = File.createTempFile("temp", ".txt");
+        final File temp = Files.createTempFile("temp", ".txt").toFile();
         temp.deleteOnExit();
 
         try {
@@ -184,10 +185,10 @@ public void testWriteUnsupportedConfigFile() throws Exception {
 
     @Test
     public void testWriteConfigFileInPropertiesFormat() throws Exception {
-        final File expected = File.createTempFile("temp", ".properties");
+        final File expected = Files.createTempFile("temp", ".properties").toFile();
         expected.deleteOnExit();
 
-        final File actual = File.createTempFile("temp", ".properties");
+        final File actual = Files.createTempFile("temp", ".properties").toFile();
         actual.deleteOnExit();
 
         final String newLine = (SystemUtils.IS_OS_WINDOWS) ? "\r\n" : "\n";
@@ -225,10 +226,10 @@ public void testWriteConfigFileInPropertiesFormat() throws Exception {
 
     @Test
     public void testWriteConfigFileInINIFormat() throws Exception {
-        final File expected = File.createTempFile("temp", ".ini");
+        final File expected = Files.createTempFile("temp", ".ini").toFile();
         expected.deleteOnExit();
 
-        final File actual = File.createTempFile("temp", ".ini");
+        final File actual = Files.createTempFile("temp", ".ini").toFile();
         actual.deleteOnExit();
 
         // Setup test data