vuln-fix: Temporary File Information Disclosure
This fixes a temporary file information disclosure vulnerability caused by the use
of `File.createTempFile()`, which creates the file in the shared temporary directory
with permissions governed by the process umask (typically world-readable, 0644).
The vulnerability is fixed by using `Files.createTempFile()`, which on POSIX file
systems creates the file with owner-only permissions (0600).
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <team@moderne.io>
diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java b/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
index 57b6b5c..572880c 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java
@@ -33,6 +33,7 @@
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -81,7 +82,7 @@
File f;
try
{
- f = File.createTempFile( "assembly-" + fname, ".tmp" );
+ f = Files.createTempFile( "assembly-" + fname, ".tmp" ).toFile();
f.deleteOnExit();
try ( PrintWriter writer =
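Review bot: `Files.createTempFile` rejects a prefix that would yield a path rather than a bare file name with an unchecked `IllegalArgumentException("Invalid prefix or suffix")`, whereas `File.createTempFile` failed the same input with a checked `IOException`; the prefix on the added line is `"assembly-" + fname`, so if `fname` can ever contain a `/` (or `\` on Windows) the failure no longer takes the `IOException` path of the enclosing `try`. The catch clause and the derivation of `fname` are outside the hunk, so this may already be guaranteed upstream — worth confirming, and otherwise sanitising first: `f = Files.createTempFile( "assembly-" + new File( fname ).getName(), ".tmp" ).toFile();`. Note also that the owner-only mode set at creation survives only if the `PrintWriter` opened on the next line writes into the existing file (a `FileOutputStream`/`FileWriter` does) rather than replacing it.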
diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java b/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
index 83936fc..d64f3ca 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java
@@ -102,7 +102,7 @@
{
if ( components != null )
{
- final File f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+ final File f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
f.deleteOnExit();
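Review bot: The added line uses `Files`, but unlike the other source files in this patch no import hunk for `java.nio.file.Files` is shown for ComponentsXmlArchiverFileFilter.java; if the class does not already import it (its import block is outside the hunk) the file will not compile. The suffix `"tmp"` also lacks a leading dot, so the file is named `maven-assembly-plugin<n>tmp`; `".tmp"` would match the convention used in AbstractLineAggregatingHandler. The enclosing method continues outside the hunk.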
diff --git a/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java b/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
index 4a4d2e7..a0f4204 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java
@@ -38,6 +38,7 @@
import java.io.StringWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
@@ -97,7 +98,7 @@
File f;
try
{
- f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+ f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
f.deleteOnExit();
try ( Writer writer = getWriter( f ) )
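Review bot: The owner-only (0600) mode that `Files.createTempFile` sets on the added line is kept only if `getWriter( f )` opens the existing file for writing; if it instead copies or moves a freshly created file over `f`, the replacement gets umask permissions again and the fix is silently undone. `getWriter` is outside the hunk, so confirm how it opens the file. Since the `Path` is already in hand, `Files.newBufferedWriter( path, StandardCharsets.UTF_8 )` would both keep the mode and pin the charset (the file already imports `StandardCharsets`). `deleteOnExit()` still defers removal to JVM shutdown, so in a long-lived build daemon the descriptor copy lingers in the temp directory until then.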
diff --git a/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java b/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
index 9c3ebca..b7a2297 100644
--- a/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
+++ b/src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java
@@ -22,6 +22,7 @@
import java.io.File;
import java.io.IOException;
import java.net.URL;
+import java.nio.file.Files;
import org.apache.commons.io.IOUtils;
@@ -65,7 +66,7 @@
{
if ( unsafeGetFile() == null )
{
- File tempFile = File.createTempFile( tempFilePrefix, tempFileSuffix );
+ File tempFile = Files.createTempFile( tempFilePrefix, tempFileSuffix ).toFile();
if ( tempFileDeleteOnExit )
{
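Review bot: The content fetched from the URL is written into `tempFile` after this point (outside the hunk); the 0600 mode set by `Files.createTempFile` on the added line survives only if that write opens the existing file (e.g. a `FileOutputStream`, as `FileUtils.copyURLToFile` does) rather than replacing it via `Files.copy(..., REPLACE_EXISTING)` or a rename, which would recreate the entry with umask permissions. The argument checks also differ: `File.createTempFile` threw `IllegalArgumentException` for a prefix shorter than three characters and `NullPointerException` for a null prefix, while `Files.createTempFile` accepts both, so any caller relying on those rejections of `tempFilePrefix` now silently gets a file. When `tempFileDeleteOnExit` is false the downloaded file persists in the shared temp directory; it is now owner-readable only, but still worth deleting explicitly once consumed.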
diff --git a/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java b/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
index ccc1a77..ff1a058 100644
--- a/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
+++ b/src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java
@@ -96,7 +96,7 @@
public void testIncludeSiteInAssembly_ShouldFailIfSiteDirectoryNonExistent()
throws Exception
{
- final File siteDir = File.createTempFile( "assembly-reader.", ".test" );
+ final File siteDir = Files.createTempFile( "assembly-reader.", ".test" ).toFile();
siteDir.delete();
when( configSource.getSiteDirectory() ).thenReturn( siteDir );
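Review bot: `siteDir.delete()` on the line after the creation discards its boolean result, so if the delete fails the test's "non-existent site directory" premise silently becomes false while the test proceeds; prefer `assertTrue( siteDir.delete() );`, or avoid creating a real file just to obtain a fresh path. As with ComponentsXmlArchiverFileFilter, no import hunk for `java.nio.file.Files` is shown for this test class, so confirm it is already imported (the import block is outside the hunk).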
diff --git a/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java b/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
index 83b919a..fa9ab31 100644
--- a/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
+++ b/src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java
@@ -29,6 +29,7 @@
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
+import java.nio.file.Files;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
@@ -262,9 +263,9 @@
private void testConversion( String test, String check, LineEndings lineEndingChars, Boolean eof )
throws IOException
{
- File source = File.createTempFile( "line-conversion-test-in.", "" );
+ File source = Files.createTempFile( "line-conversion-test-in.", "" ).toFile();
source.deleteOnExit();
- File dest = File.createTempFile( "line-conversion-test-out.", "" );
+ File dest = Files.createTempFile( "line-conversion-test-out.", "" ).toFile();
dest.deleteOnExit();
FileWriter sourceWriter = null;
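Review bot: The `Path` returned by `Files.createTempFile` on the added lines is immediately discarded via `.toFile()` only for the result to be fed to a `FileWriter` (the `sourceWriter` declared on the last line), which on JDKs before 18 uses the platform default charset and can make the line-ending assertions environment-dependent. Keeping the `Path` and writing with `Files.newBufferedWriter( source, StandardCharsets.UTF_8 )` in a try-with-resources would pin the encoding and remove the manually null-initialised writer (adding the `StandardCharsets` import if the test class lacks it). The remainder of `testConversion` is outside the hunk, so the code that consumes `source` and `dest` may need a matching `Path`/`File` adjustment.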