From bbfd0d39961a298584cc957765c2d4ee33c38158 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Sat, 19 Nov 2022 02:11:00 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../karaf/cave/deployer/service/DeployerServiceImpl.java | 5 +++--
 .../karaf/cave/repository/service/RepositoryServiceImpl.java | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/DeployerServiceImpl.java b/deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/DeployerServiceImpl.java
index 7dbd846..142db0c 100644
--- a/deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/DeployerServiceImpl.java
+++ b/deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/DeployerServiceImpl.java
@@ -61,6 +61,7 @@
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.*;
 import java.net.URI;
+import java.nio.file.Files;
 import java.util.*;
 import java.util.jar.JarInputStream;
 import java.util.regex.Matcher;
@@ -367,7 +368,7 @@ public void upload(String groupId,
 }
 }
- File artifactFile = File.createTempFile(artifactId, coordonates.get("extension"));
+ File artifactFile = Files.createTempFile(artifactId, coordonates.get("extension")).toFile();
 FileOutputStream os = new FileOutputStream(artifactFile);
 copyStream(new URI(artifactUrl).toURL().openStream(), os);
@@ -470,7 +471,7 @@ public void assembleFeature(String groupId,
 }
 }
 featuresModel.getFeature().add(wrapFeature);
- File featuresFile = File.createTempFile(artifactId, "xml");
+ File featuresFile = Files.createTempFile(artifactId, "xml").toFile();
 FileOutputStream os = new FileOutputStream(featuresFile);
 JaxbUtil.marshal(featuresModel, os);
 uploadArtifact(groupId, artifactId, version, "xml", "features", featuresFile, repositoryUrl);
diff --git a/repository/service/src/main/java/org/apache/karaf/cave/repository/service/RepositoryServiceImpl.java b/repository/service/src/main/java/org/apache/karaf/cave/repository/service/RepositoryServiceImpl.java
index 6a62761..1526cdb 100644
--- a/repository/service/src/main/java/org/apache/karaf/cave/repository/service/RepositoryServiceImpl.java
+++ b/repository/service/src/main/java/org/apache/karaf/cave/repository/service/RepositoryServiceImpl.java
@@ -429,7 +429,7 @@ public void addArtifact(String artifactUrl, String groupId, String artifactId, S
 throw new IllegalStateException("Repository " + name + " location is not defined");
 }
- File artifactFile = File.createTempFile(artifactId, type);
+ File artifactFile = Files.createTempFile(artifactId, type).toFile();
 try (FileOutputStream os = new FileOutputStream(artifactFile)) {
 copyStream(new URI(artifactUrl).toURL().openStream(), os);
 os.flush();
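Review bot: The `FileOutputStream os` opened on the line after the changed `Files.createTempFile(...)` call in `upload` is never closed within the hunk, and the stream returned by `new URI(artifactUrl).toURL().openStream()` is handed straight to `copyStream` with no handle that could close it; if `copyStream` or code below the hunk closes both, fine, but an exception inside `copyStream` would leak both descriptors and leave the temp file in java.io.tmpdir. `RepositoryServiceImpl.addArtifact` in this same patch already uses try-with-resources for the output stream, and the same shape fits here: `try (InputStream in = new URI(artifactUrl).toURL().openStream(); FileOutputStream os = new FileOutputStream(artifactFile)) { copyStream(in, os); }`. Worth noting next to the new call that `Files.createTempFile` only restricts permissions to the owner on file systems that support the POSIX permission view, so the CWE-377 fix does not apply on non-POSIX mounts. `upload`'s body continues outside the hunk.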
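Review bot: In `assembleFeature`, `featuresFile` is passed to `uploadArtifact` on the last line of the hunk while the `FileOutputStream os` that `JaxbUtil.marshal` wrote through is still open and has not been flushed or closed anywhere in the hunk; whether `JaxbUtil.marshal` flushes before returning is not visible here, and on any exception the stream and the now owner-only temp file leak. Scoping the write before the upload, `try (FileOutputStream os = new FileOutputStream(featuresFile)) { JaxbUtil.marshal(featuresModel, os); }`, matches the pattern `RepositoryServiceImpl.addArtifact` uses in this patch and guarantees the bytes are on disk when `uploadArtifact` reads the file. A `featuresFile.delete()` in a `finally` after the upload would keep the temp file from accumulating in java.io.tmpdir, unless one already exists below the hunk. `assembleFeature` starts outside the hunk.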