From 82a0f8bbacc0372b51081616b9b12e3e73e509fc Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Mon, 21 Nov 2022 13:10:50 -0500
Subject: [PATCH] fix(java) Bad permissions for unix-like system temporary files.

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
Co-authored-by: Moderne
---
 .../android_emulator/util/UtilsTest.java | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java b/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java
index bfaed80f..adada031 100644
--- a/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java
+++ b/src/test/java/hudson/plugins/android_emulator/util/UtilsTest.java
@@ -11,6 +11,7 @@
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -106,7 +107,7 @@ private static void assertRelativeDistance(String from, String to, int expectedR
 @Test
 public void testReadUnsupportedConfigFile() throws Exception {
- final File temp = File.createTempFile("temp", ".txt");
+ final File temp = Files.createTempFile("temp", ".txt").toFile();
 temp.deleteOnExit();
 try {
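Review bot: None of the eight new `Files.createTempFile(...).toFile()` call sites (this hunk and the ones at @@ -121, @@ -138, @@ -169, @@ -184 and @@ -225) says why the longer form replaced `File.createTempFile`, so a later tidy-up or an IDE "simplify" action could silently reintroduce the original call; one comment at the first site would pin the intent, e.g. `// Files.createTempFile, not File.createTempFile: restricts the new file to its owner on POSIX file systems (CWE-377)`. As far as I know that owner-only mode is applied only where the file system supports POSIX permissions; on Windows, which this test already branches on via `SystemUtils.IS_OS_WINDOWS` in the @@ -184 hunk, the file just inherits the temp directory's ACL, so the fix holds for unix-like systems only, as the subject line says. Since every site pairs the create call with `deleteOnExit()`, a small private helper in the test class taking the suffix would remove the repetition, but that is optional. `testReadUnsupportedConfigFile` continues past the end of this hunk.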
@@ -121,7 +122,7 @@ public void testReadUnsupportedConfigFile() throws Exception {
 @Test
 public void testReadConfigFileInPropertiesFormat() throws Exception {
- final File temp = File.createTempFile("temp", ".properties");
+ final File temp = Files.createTempFile("temp", ".properties").toFile();
 temp.deleteOnExit();
 // test multiline props
@@ -138,7 +139,7 @@ public void testReadConfigFileInPropertiesFormat() throws Exception {
 @Test
 public void testReadConfigFileInINIFormat() throws Exception {
- final File temp = File.createTempFile("temp", ".ini");
+ final File temp = Files.createTempFile("temp", ".ini").toFile();
 temp.deleteOnExit();
 // value should be returned 'as-is' without removal of '\'
@@ -169,7 +170,7 @@ public void testReadConfigFileInINIFormat() throws Exception {
 @Test
 public void testWriteUnsupportedConfigFile() throws Exception {
- final File temp = File.createTempFile("temp", ".txt");
+ final File temp = Files.createTempFile("temp", ".txt").toFile();
 temp.deleteOnExit();
 try {
@@ -184,10 +185,10 @@ public void testWriteUnsupportedConfigFile() throws Exception {
 @Test
 public void testWriteConfigFileInPropertiesFormat() throws Exception {
- final File expected = File.createTempFile("temp", ".properties");
+ final File expected = Files.createTempFile("temp", ".properties").toFile();
 expected.deleteOnExit();
- final File actual = File.createTempFile("temp", ".properties");
+ final File actual = Files.createTempFile("temp", ".properties").toFile();
 actual.deleteOnExit();
 final String newLine = (SystemUtils.IS_OS_WINDOWS) ? "\r\n" : "\n";
@@ -225,10 +226,10 @@ public void testWriteConfigFileInPropertiesFormat() throws Exception {
 @Test
 public void testWriteConfigFileInINIFormat() throws Exception {
- final File expected = File.createTempFile("temp", ".ini");
+ final File expected = Files.createTempFile("temp", ".ini").toFile();
 expected.deleteOnExit();
- final File actual = File.createTempFile("temp", ".ini");
+ final File actual = Files.createTempFile("temp", ".ini").toFile();
 actual.deleteOnExit();
 // Setup test data