vuln-fix: Temporary File Information Disclosure
This fixes a temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <team@moderne.io>
diff --git a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
index 6e94635..8a828fc 100644
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
@@ -28,6 +28,7 @@
 import java.lang.management.RuntimeMXBean;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.CodeSource;
 import java.security.PrivilegedAction;
@@ -148,7 +149,7 @@
      */
     private static String createAgentJar() throws IOException {
         File file =
-            File.createTempFile(InstrumentationFactory.class.getName(), ".jar");
+            Files.createTempFile(InstrumentationFactory.class.getName(), ".jar").toFile();
         file.deleteOnExit();
 
         ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
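Review bot: The owner-only permissions that motivate the switch on the `Files.createTempFile(...).toFile()` line are applied only when the default filesystem supports POSIX attributes; on Windows the JDK sets no ACL and the file simply inherits the temp directory's default, so the hardening is platform-dependent and nothing in the call site records why `File.createTempFile` must not come back. A short comment would prevent a well-meaning revert: `// Files.createTempFile creates the jar owner-only (0600) on POSIX; File.createTempFile would leave it readable by other users while the agent classes are written.` The same applies to the `resourceToTemporaryFile` hunk in TestAnchorParsing.java. Separately, the `ZipOutputStream` on the last line wraps a bare `new FileOutputStream(file)` outside any try-with-resources visible here; createAgentJar continues past the hunk, so the close may live there, but if not a failure mid-write leaves the handle open on a file that `deleteOnExit` cannot remove on Windows.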
diff --git a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
index 4b6be36..7f2ca79 100644
--- a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
+++ b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.MissingResourceException;
 
@@ -142,7 +143,7 @@
 
     private File resourceToTemporaryFile(String s) throws IOException {
         InputStream in = getClass().getClassLoader().getResourceAsStream(s);
-        File f = File.createTempFile("TestAnchorParsing", ".xml");
+        File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
         OutputStream out = new FileOutputStream(f);
         byte[] bytes = new byte[1024];
         while (true) {
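Review bot: The temp file is now created with safer permissions, but nothing visible in the hunk arranges its removal: unlike the InstrumentationFactory hunk, no `deleteOnExit()` follows the `Files.createTempFile("TestAnchorParsing", ".xml").toFile()` line, and `out` is opened with a plain `new FileOutputStream(f)` rather than try-with-resources, so an exception in the copy loop leaves both an open handle and a stray file in the temp directory. Unless the rest of the method (which continues past the hunk) deletes it, each test run accumulates files; adding `f.deleteOnExit();` directly after the creation line is the minimal fix. Note also that `in` is null when the resource is missing, which the loop below would surface as a NullPointerException rather than a clear message; that is pre-existing, but a `Objects.requireNonNull(in, s)` on the new side would make the test failure readable.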