From f40722206931ceb126787fdd3ddf85bdbe8e4d54 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Sat, 19 Nov 2022 21:25:17 +0000 Subject: [PATCH] vuln-fix: Temporary File Information Disclosure This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne
---
 .../src/test/java/org/switchyard/common/io/FilesTests.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/common/core/src/test/java/org/switchyard/common/io/FilesTests.java b/common/core/src/test/java/org/switchyard/common/io/FilesTests.java
index 07c9cfa8a..b542321f1 100644
--- a/common/core/src/test/java/org/switchyard/common/io/FilesTests.java
+++ b/common/core/src/test/java/org/switchyard/common/io/FilesTests.java
@@ -15,6 +15,7 @@
 import java.io.File;
 import java.io.FileWriter;
+import java.nio.file.Files;
 import junit.framework.Assert;
@@ -31,12 +32,12 @@ public class FilesTests {
 @Test
 public void testCopy() throws Exception {
 final String expected = "test";
- File testFile1 = File.createTempFile("test-1", ".txt");
+ File testFile1 = Files.createTempFile("test-1", ".txt").toFile();
 FileWriter testFileWriter1 = new FileWriter(testFile1);
 testFileWriter1.write(expected);
 testFileWriter1.flush();
 testFileWriter1.close();
- File testFile2 = File.createTempFile("test-2", ".txt");
+ File testFile2 = Files.createTempFile("test-2", ".txt").toFile();
 Files.copy(testFile1, testFile2);
 final String actual = new StringPuller().pull(testFile2);
 testFile1.delete();
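Review bot: The added `import java.nio.file.Files;` in the first hunk changes what the unchanged `Files.copy(testFile1, testFile2)` call in `testCopy()` resolves to. That call passes two `java.io.File` arguments and compiled before this import existed, so `Files` there is presumably the project's own `org.switchyard.common.io.Files` from the test's package. A single-type import shadows a same-package class, and `java.nio.file.Files` has no `copy(File, File)` overload, so the test would likely stop compiling, or at least stop exercising the class it is named after. Dropping the import and qualifying the two new calls, e.g. `File testFile1 = java.nio.file.Files.createTempFile("test-1", ".txt").toFile();`, keeps the restrictive-permissions fix without the name clash. `testCopy()` continues past the end of the hunk, so any later `Files.` references there should be checked for the same clash.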