vuln-fix: Temporary File Information Disclosure (#396)

Addressing issue #397 This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <[email protected]> Co-authored-by: Moderne <[email protected]>
paypal · Nov 20, 2022 · 33a3a3f · 33a3a3f
1 parent a55915b
commit 33a3a3f
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 10 deletions.
diff --git a/butterfly-cli/src/test/java/com/paypal/butterfly/cli/MiscIT.java b/butterfly-cli/src/test/java/com/paypal/butterfly/cli/MiscIT.java
@@ -7,6 +7,7 @@
 import java.io.IOException;
 import java.io.PrintStream;
 import java.net.URISyntaxException;
+import java.nio.file.Files;
 import java.util.Collections;
 
 import static org.testng.Assert.*;
@@ -44,7 +45,7 @@ public void helpTest() throws IOException, URISyntaxException {
 
         // Capturing the console output
         PrintStream systemOut = System.out;
-        File helpOut = File.createTempFile("butterfly-cli-help-output", null);
+        File helpOut = Files.createTempFile("butterfly-cli-help-output", null).toFile();
         PrintStream helpStream = new PrintStream(helpOut);
         System.setOut(helpStream);
 
@@ -67,7 +68,7 @@ public void extensionsListTest() throws IOException, URISyntaxException {
 
         // Capturing the console output
         PrintStream systemOut = System.out;
-        File listOut = File.createTempFile("butterfly-cli-list-output", null);
+        File listOut = Files.createTempFile("butterfly-cli-list-output", null).toFile();
         PrintStream listStream = new PrintStream(listOut);
         System.setOut(listStream);
 

diff --git a/butterfly-cli/src/test/java/com/paypal/butterfly/cli/TransformIT.java b/butterfly-cli/src/test/java/com/paypal/butterfly/cli/TransformIT.java
@@ -40,7 +40,7 @@ public void transformTest() throws IOException, URISyntaxException {
 
         // Capturing the console output
         PrintStream systemOut = System.out;
-        File transformOut = File.createTempFile("butterfly-cli-transform-output-", null);
+        File transformOut = Files.createTempFile("butterfly-cli-transform-output-", null).toFile();
         PrintStream transformStream = new PrintStream(transformOut);
         System.setOut(transformStream);
 
@@ -130,4 +130,4 @@ private void jsonResultTest(ButterflyCliRun run) throws IOException, URISyntaxEx
         assertTrue(FileUtils.contentEquals(baselineResult, resultFile), "Generated JSON result differs from test baseline\nTest baseline: " + baselineResult + "\nGenerated result: " + resultFile + "\n");
     }
 
-}
+}
diff --git a/...nsions-api/src/main/java/com/paypal/butterfly/extensions/api/TransformationOperation.java b/...nsions-api/src/main/java/com/paypal/butterfly/extensions/api/TransformationOperation.java
@@ -6,6 +6,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 /**
  * Special type of {@link TransformationUtility} that applies a modification to the project.
@@ -79,7 +80,7 @@ protected final File getOrCreateReadFile(File transformedAppFolder, Transformati
             if (originalFile.isDirectory()) {
                 throw new IOException("Specified file is a directory: " + originalFile.getAbsolutePath());
             }
-            readFile = File.createTempFile(READ_FILE_PREFIX, null);
+            readFile = Files.createTempFile(READ_FILE_PREFIX, null).toFile();
             FileUtils.copyFile(originalFile, readFile);
             readFile.setReadOnly();
         }

diff --git a/butterfly-utilities/src/main/java/com/paypal/butterfly/utilities/file/LoadFile.java b/butterfly-utilities/src/main/java/com/paypal/butterfly/utilities/file/LoadFile.java
@@ -10,6 +10,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 
 /**
  * Loads a resource from the classpath, writes it to a temporary file,
@@ -88,7 +89,7 @@ protected TUExecutionResult execution(File transformedAppFolder, TransformationC
                 result = TUExecutionResult.error(this, e);
             } else {
                 String fileNameSuffix = "_" + resource.replace('/', '_').replace('\\', '_');
-                File fileFromInputStream = File.createTempFile("butterfly_", fileNameSuffix);
+                File fileFromInputStream = Files.createTempFile("butterfly_", fileNameSuffix).toFile();
                 FileUtils.copyInputStreamToFile(inputStream, fileFromInputStream);
                 result = TUExecutionResult.value(this, fileFromInputStream);
             }

diff --git a/...-utilities/src/test/java/com/paypal/butterfly/utilities/operations/file/MoveFileTest.java b/...-utilities/src/test/java/com/paypal/butterfly/utilities/operations/file/MoveFileTest.java
@@ -9,6 +9,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 import static org.testng.Assert.*;
 
@@ -29,7 +30,7 @@ public void test() throws IOException {
         assertTrue(toDir.exists());
 
         // Saving original file as a temp file to have its content compared later
-        File tempOriginalFile = File.createTempFile("butterfly-test-file", null);
+        File tempOriginalFile = Files.createTempFile("butterfly-test-file", null).toFile();
         FileUtils.copyFile(originalFile, tempOriginalFile);
 
         Mockito.when(transformationContext.get("ATT")).thenReturn(new File(transformedAppFolder, "/src/main/resources"));
@@ -72,7 +73,7 @@ public void nonExistentDirTest() throws IOException {
         assertFalse(toDir.exists());
 
         // Saving original file as a temp file to have its content compared later
-        File tempOriginalFile = File.createTempFile("butterfly-test-file", null);
+        File tempOriginalFile = Files.createTempFile("butterfly-test-file", null).toFile();
         FileUtils.copyFile(originalFile, tempOriginalFile);
 
         MoveFile moveFile = new MoveFile().relative("foo.xml").setToRelative("bar");
@@ -100,7 +101,7 @@ public void existentToFileTest() throws IOException {
         assertTrue(new File(toDir, "dogs.yaml").exists());
 
         // Saving original file as a temp file to have its content compared later
-        File tempOriginalFile = File.createTempFile("butterfly-test-file", null);
+        File tempOriginalFile = Files.createTempFile("butterfly-test-file", null).toFile();
         FileUtils.copyFile(originalFile, tempOriginalFile);
 
         MoveFile moveFile = new MoveFile().relative("src/main/resources/dogs.yaml").setToRelative("src/main/resources/more_yaml");

diff --git a/...tilities/src/test/java/com/paypal/butterfly/utilities/operations/file/RenameFileTest.java b/...tilities/src/test/java/com/paypal/butterfly/utilities/operations/file/RenameFileTest.java
@@ -8,6 +8,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 import static org.testng.Assert.*;
 
@@ -26,7 +27,7 @@ public void test() throws IOException {
         assertTrue(originalFile.isFile());
 
         // Saving original file as a temp file to have its content compared later
-        File tempOriginalFile = File.createTempFile("butterfly-test-file", null);
+        File tempOriginalFile = Files.createTempFile("butterfly-test-file", null).toFile();
         FileUtils.copyFile(originalFile, tempOriginalFile);
 
         RenameFile renameFile = new RenameFile("bar.xml").relative("foo.xml");