vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

cli/src/test/java/org/apache/oodt/cas/cli/option/validator/TestFileExistCmdLineOptionValidator.java

@@ -23,8 +23,8 @@
 //JDK imports
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
-//JUnit imports
 import junit.framework.TestCase;
 
 //OODT imports
@@ -54,7 +54,7 @@ public void testValidate() throws IOException {
  .validate(instance).getGrade());
 
  // Test pass case.
- File tempFile = File.createTempFile("bogus", "bogus");
+ File tempFile = Files.createTempFile("bogus", "bogus").toFile();
  tempFile.deleteOnExit();
  instance = createOptionInstance(createSimpleOption("test", false),
  tempFile.getAbsolutePath());

commons/src/test/java/org/apache/oodt/commons/ConfigurationTest.java

@@ -16,6 +16,7 @@
 package org.apache.oodt.commons;
 
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 import junit.framework.*;
 
@@ -33,7 +34,7 @@ public ConfigurationTest(String name) {
 
  protected void setUp() throws Exception {
  // Create a temporary test configuration file.
- tmpFile = File.createTempFile("conf", ".xml");
+ tmpFile = Files.createTempFile("conf", ".xml").toFile();
  BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(tmpFile));
  byte[] doc = TEST_DOC.getBytes();
  out.write(doc, 0, doc.length);

commons/src/test/java/org/apache/oodt/commons/object/jndi/ObjectContextTest.java

@@ -17,6 +17,7 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
@@ -46,7 +47,7 @@ public ObjectContextTest(String caseName) {
  public void setUp() throws Exception {
  super.setUp();
 
- aliasFile = File.createTempFile("test", ".properties");
+ aliasFile = Files.createTempFile("test", ".properties").toFile();
  aliasFile.deleteOnExit();
  Properties aliases = new Properties();
  aliases.setProperty("urn:alias:x", "urn:a:x");

crawler/src/test/java/org/apache/oodt/cas/crawl/typedetection/TestMimeExtractorConfigReader.java

@@ -18,6 +18,7 @@
 
 //JDK imports
 import java.io.File;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.UUID;
 
@@ -47,7 +48,7 @@ public class TestMimeExtractorConfigReader extends TestCase {
 
  @Override
  public void setUp() throws Exception {
- File tmpFile = File.createTempFile("bogus", "bogus");
+ File tmpFile = Files.createTempFile("bogus", "bogus").toFile();
  tmpDir = new File(tmpFile.getParentFile(), UUID.randomUUID().toString());
  tmpFile.delete();
  if (!tmpDir.mkdirs()) {

filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestDataSourceCatalog.java

@@ -35,6 +35,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
@@ -99,7 +100,7 @@ public void setUpProperties() {
  File tempFile;
 
  try {
- tempFile = File.createTempFile("foo", "bar");
+ tempFile = Files.createTempFile("foo", "bar").toFile();
  tempFile.deleteOnExit();
  tempDir = tempFile.getParentFile();
  } catch (Exception e) {

filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java

@@ -37,6 +37,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Properties;
 import java.util.Vector;
@@ -93,7 +94,7 @@ public void setUpProperties() {
  File tempFile;
 
  try {
- tempFile = File.createTempFile("foo", "bar");
+ tempFile = Files.createTempFile("foo", "bar").toFile();
  tempFile.deleteOnExit();
  tempDir = tempFile.getParentFile();
  } catch (Exception e) {

filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java

@@ -21,6 +21,7 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.Properties;
 //JUnit imports
 import junit.framework.TestCase;
@@ -323,7 +324,7 @@ public void testIngestProduct() {
 
  public void testDumpMetadata() throws IOException {
  String productId = "TestProductId";
- File bogusFile = File.createTempFile("bogus", "bogus");
+ File bogusFile = Files.createTempFile("bogus", "bogus").toFile();
  File tmpFile = new File(bogusFile.getParentFile(), "CliDumpMetadata");
  tmpFile.mkdirs();
  bogusFile.delete();

filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestDumpMetadataCliAction.java

@@ -24,8 +24,8 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Files;
 
-//Apache imports
 import org.apache.commons.io.FileUtils;
 
 //OODT imports
@@ -53,7 +53,7 @@ public class TestDumpMetadataCliAction extends TestCase {
 
  @Override
  public void setUp() throws Exception {
- File bogusFile = File.createTempFile("bogus", "bogus");
+ File bogusFile = Files.createTempFile("bogus", "bogus").toFile();
  tmpFile = new File(bogusFile.getParentFile(), "MetadataDump");
  tmpFile.mkdirs();
  bogusFile.delete();

filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestIngestProductCliAction.java

@@ -23,6 +23,7 @@
 import java.io.PrintStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.Collections;
 import java.util.Comparator;
 
@@ -237,7 +238,7 @@ public int compare(Reference ref1, Reference ref2) {
  }
 
  private File createTmpDir() throws IOException {
- File bogusDir = File.createTempFile("bogus", "bogus");
+ File bogusDir = Files.createTempFile("bogus", "bogus").toFile();
  File tmpDir = bogusDir.getParentFile();
  bogusDir.delete();
  tmpDir = new File(tmpDir, "Metadata");

filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestInPlaceDataTransferer.java

@@ -24,8 +24,8 @@
 
 //JDK imports
 import java.io.File;
+import java.nio.file.Files;
 
-//Junit imports
 import junit.framework.TestCase;
 
 /**
@@ -48,7 +48,7 @@ public TestInPlaceDataTransferer() {
  transfer = (InPlaceDataTransferer) new InPlaceDataTransferFactory()
  .createDataTransfer();
  try {
- File tempFileSrc = File.createTempFile("foo", ".txt");
+ File tempFileSrc = Files.createTempFile("foo", ".txt").toFile();
  tempFileSrc.deleteOnExit();
  productOrigLoc = tempFileSrc.getAbsolutePath();
  productExpectedLoc = tempFileSrc.getParent();

filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestLocalDataTransferer.java

@@ -28,6 +28,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.UUID;
 
 //Junit imports
@@ -55,7 +56,7 @@ public void setUp() throws Exception {
  .createDataTransfer();
  URL url = this.getClass().getResource("/test.txt");
  origFile = new File(url.getFile());
- File testFile = File.createTempFile("test", ".txt");
+ File testFile = Files.createTempFile("test", ".txt").toFile();
  testDir = new File(testFile.getParentFile(), UUID.randomUUID().toString());
  repoDir = new File(testDir, "repo");
  if (!repoDir.mkdirs()) {

filemgr/src/test/java/org/apache/oodt/cas/filemgr/structs/type/TestTypeHandler.java

@@ -44,6 +44,7 @@
 import java.io.FileInputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -99,7 +100,7 @@ public void setUpProperties() {
  File tempFile;
 
  try {
- tempFile = File.createTempFile("foo", "bar");
+ tempFile = Files.createTempFile("foo", "bar").toFile();
  tempFile.deleteOnExit();
  tempDir = tempFile.getParentFile();
  } catch (Exception e) {

metadata/src/test/java/org/apache/oodt/cas/metadata/filenaming/TestPathUtilsNamingConvention.java

@@ -19,6 +19,7 @@
 //JDK imports
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.UUID;
 
 //Apache imports
@@ -39,7 +40,7 @@
 public class TestPathUtilsNamingConvention extends TestCase {
 
  public void testRename() throws IOException, NamingConventionException {
- File tmpFile = File.createTempFile("bogus", "bogus");
+ File tmpFile = Files.createTempFile("bogus", "bogus").toFile();
  File tmpDir = new File(tmpFile.getParentFile(),
  UUID.randomUUID().toString());
  if (!tmpDir.mkdirs()) {

pge/src/test/java/org/apache/oodt/cas/pge/TestPGETaskInstance.java

@@ -55,6 +55,7 @@
 import java.io.FileInputStream;
 import java.io.StringReader;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -77,6 +78,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeTrue;
+
 //JDK imports
 //JUnit imports
 //Apache imports
@@ -647,7 +649,7 @@ private PGETaskInstance createTestInstance(String workflowInstId)
  }
 
  private File createTmpDir() throws Exception {
- File tmpFile = File.createTempFile("bogus", "bogus");
+ File tmpFile = Files.createTempFile("bogus", "bogus").toFile();
  File tmpDir = new File(tmpFile.getParentFile(), UUID.randomUUID().toString());
  tmpFile.delete();
  tmpDir.mkdirs();

pge/src/test/java/org/apache/oodt/cas/pge/writers/VelocityConfigFileWriterTest.java

@@ -23,6 +23,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -40,7 +41,7 @@ public void testCreateConfigFile() throws IOException {
  metadata.addMetadata("name", "Chris");
  metadata.addMetadata("name", "Paul");
  metadata.addMetadata("conference", "ApacheCon");
- File config = File.createTempFile("config", ".out");
+ File config = Files.createTempFile("config", ".out").toFile();
  try {
  vcfw.generateFile(config.toString(), metadata, LOG, url.getFile());
  } catch (Exception e) {

webapp/wmservices/src/main/java/org/apache/oodt/cas/wmservices/repository/PackagedWorkflowManager.java

@@ -19,6 +19,7 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -83,7 +84,7 @@ public String serializeWorkflow(Workflow workflow) throws RepositoryException {
  try {
  this.loadTasksToRepo(workflow);
  String workflowId = this.repo.addWorkflow(workflow);
- File f = File.createTempFile("tempworkflow-", "-packaged");
+ File f = Files.createTempFile("tempworkflow-", "-packaged").toFile();
  this.saveWorkflow(workflowId, f.getAbsolutePath());
  String workflowXML = FileUtils.readFileToString(f);
  f.delete();
@@ -107,7 +108,7 @@ public String serializeWorkflow(Workflow workflow) throws RepositoryException {
  public Workflow parsePackagedWorkflow(String workflowID, String workflowXML)
  throws RepositoryException {
  try {
- File tmpfile = File.createTempFile("tempworkflow-", "-packaged");
+ File tmpfile = Files.createTempFile("tempworkflow-", "-packaged").toFile();
  FileUtils.writeStringToFile(tmpfile, workflowXML);
  PackagedWorkflowRepository tmprepo = new PackagedWorkflowRepository(
  Collections.singletonList(tmpfile));

workflow/src/test/java/org/apache/oodt/cas/workflow/instrepo/TestLuceneWorkflowInstanceRepository.java

@@ -31,6 +31,7 @@
 //JDK imports
 import java.io.File;
 import java.io.FileInputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Vector;
 
@@ -114,7 +115,7 @@ public TestLuceneWorkflowInstanceRepository() {
  File tempFile;
 
  try {
- tempFile = File.createTempFile("foo", "bar");
+ tempFile = Files.createTempFile("foo", "bar").toFile();
  tempFile.deleteOnExit();
  tempDir = tempFile.getParentFile();
  } catch (Exception e) {

workflow/src/test/java/org/apache/oodt/cas/workflow/repository/TestWorkflowDataSourceRepository.java

@@ -37,6 +37,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.nio.file.Files;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -82,7 +83,7 @@ public TestWorkflowDataSourceRepository() throws SQLException, FileNotFoundExcep
  File tempFile;
 
  try {
- tempFile = File.createTempFile("foo", "bar");
+ tempFile = Files.createTempFile("foo", "bar").toFile();
  tempFile.deleteOnExit();
  tempDir = tempFile.getParentFile();
  } catch (Exception e) {