vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <team@moderne.io>
stefano81 · Dec 16, 2022 · d2178e7 · d2178e7
1 parent 248a1b3
commit d2178e7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java b/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java
@@ -43,7 +43,7 @@ public class DCPABEToolTest {
 
     @BeforeClass
     public static void beforeAll() throws Exception {
-        gpFile = File.createTempFile("dcpabe", "gp");
+        gpFile = Files.createTempFile("dcpabe", "gp").toFile();
         cmd = new CommandLine(new DCPABETool());
         cmd.execute("gsetup", "-f", gpFile.getPath());
         resFile = new File(DCPABEToolTest.class.getResource("/testResource.txt").toURI());
@@ -130,7 +130,7 @@ public void testASetupWorks() {
 
     @Test
     public void testGSetupWorks() throws IOException {
-        File gpFile = File.createTempFile("testGlobalSetup", "gp");
+        File gpFile = Files.createTempFile("testGlobalSetup", "gp").toFile();
         gpFile.deleteOnExit();
 
         int exitCode = cmd.execute("gsetup", gpFile.getPath());