From d2178e730ac3d3033a1b46a8962f65bcfbd8fca0 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Sat, 19 Nov 2022 02:57:36 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java b/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java
index 60fabb4..fe93091 100644
--- a/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java
+++ b/src/test/java/sg/edu/ntu/sce/sands/crypto/DCPABEToolTest.java
@@ -43,7 +43,7 @@ public class DCPABEToolTest {
 @BeforeClass
 public static void beforeAll() throws Exception {
- gpFile = File.createTempFile("dcpabe", "gp");
+ gpFile = Files.createTempFile("dcpabe", "gp").toFile();
 cmd = new CommandLine(new DCPABETool());
 cmd.execute("gsetup", "-f", gpFile.getPath());
 resFile = new File(DCPABEToolTest.class.getResource("/testResource.txt").toURI());
@@ -130,7 +130,7 @@ public void testASetupWorks() {
 @Test
 public void testGSetupWorks() throws IOException {
- File gpFile = File.createTempFile("testGlobalSetup", "gp");
+ File gpFile = Files.createTempFile("testGlobalSetup", "gp").toFile();
 gpFile.deleteOnExit();
 int exitCode = cmd.execute("gsetup", gpFile.getPath());
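Review bot: The static `gpFile` created on the new line in `beforeAll()` is never marked for deletion, so the global-parameters file that `gsetup` writes into it stays behind in the shared temp directory after the run unless an `@AfterClass` teardown outside this hunk removes it; add `gpFile.deleteOnExit();` directly after `gpFile = Files.createTempFile("dcpabe", "gp").toFile();`, matching what `testGSetupWorks` already does in the second hunk. The new call also needs `java.nio.file.Files` in scope, and the diffstat shows only these two changed lines, so if the class did not already import it the test no longer compiles. The owner-only permissions that `Files.createTempFile` sets apply on POSIX file systems; elsewhere the file inherits the temp directory's default permissions, which is worth a one-line comment on the new line. `beforeAll()` continues past the end of the hunk.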