From 9f6b639c8c06dd24ac5cf83ac0084604c050d585 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 18 Nov 2022 22:41:30 +0000 Subject: [PATCH] vuln-fix: Temporary File Information Disclosure This fixes a temporary-file information disclosure vulnerability caused by the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method, which creates the file with owner-only POSIX permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh 
Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne --- .../validator/TestFileExistCmdLineOptionValidator.java | 4 ++-- .../test/java/org/apache/oodt/commons/ConfigurationTest.java | 3 ++- .../apache/oodt/commons/object/jndi/ObjectContextTest.java | 3 ++- .../crawl/typedetection/TestMimeExtractorConfigReader.java | 3 ++- .../oodt/cas/filemgr/catalog/TestDataSourceCatalog.java | 3 ++- .../apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java | 3 ++- .../org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java | 3 ++- .../cas/filemgr/cli/action/TestDumpMetadataCliAction.java | 4 ++-- .../cas/filemgr/cli/action/TestIngestProductCliAction.java | 3 ++- .../cas/filemgr/datatransfer/TestInPlaceDataTransferer.java | 4 ++-- .../cas/filemgr/datatransfer/TestLocalDataTransferer.java | 3 ++- .../oodt/cas/filemgr/structs/type/TestTypeHandler.java | 3 ++- .../metadata/filenaming/TestPathUtilsNamingConvention.java | 3 ++- .../java/org/apache/oodt/cas/pge/TestPGETaskInstance.java | 4 +++- .../oodt/cas/pge/writers/VelocityConfigFileWriterTest.java | 3 ++- .../cas/wmservices/repository/PackagedWorkflowManager.java | 5 +++-- .../instrepo/TestLuceneWorkflowInstanceRepository.java | 3 ++- .../repository/TestWorkflowDataSourceRepository.java | 3 ++- 18 files changed, 38 insertions(+), 22 deletions(-) diff --git a/cli/src/test/java/org/apache/oodt/cas/cli/option/validator/TestFileExistCmdLineOptionValidator.java b/cli/src/test/java/org/apache/oodt/cas/cli/option/validator/TestFileExistCmdLineOptionValidator.java index 7a85f440a..39f00b940 100644 --- a/cli/src/test/java/org/apache/oodt/cas/cli/option/validator/TestFileExistCmdLineOptionValidator.java +++ b/cli/src/test/java/org/apache/oodt/cas/cli/option/validator/TestFileExistCmdLineOptionValidator.java 
@@ -23,8 +23,8 @@ //JDK imports import java.io.File; import java.io.IOException; +import java.nio.file.Files; -//JUnit imports import junit.framework.TestCase; //OODT imports @@ -54,7 +54,7 @@ public void testValidate() throws IOException { .validate(instance).getGrade()); // Test pass case. - File tempFile = File.createTempFile("bogus", "bogus"); + File tempFile = Files.createTempFile("bogus", "bogus").toFile(); tempFile.deleteOnExit(); instance = createOptionInstance(createSimpleOption("test", false), tempFile.getAbsolutePath()); diff --git a/commons/src/test/java/org/apache/oodt/commons/ConfigurationTest.java b/commons/src/test/java/org/apache/oodt/commons/ConfigurationTest.java index f292faf30..9324f162d 100644 --- a/commons/src/test/java/org/apache/oodt/commons/ConfigurationTest.java +++ b/commons/src/test/java/org/apache/oodt/commons/ConfigurationTest.java @@ -16,6 +16,7 @@ package org.apache.oodt.commons; import java.io.*; +import java.nio.file.Files; import java.util.*; import junit.framework.*; @@ -33,7 +34,7 @@ public ConfigurationTest(String name) { protected void setUp() throws Exception { // Create a temporary test configuration file. - tmpFile = File.createTempFile("conf", ".xml"); + tmpFile = Files.createTempFile("conf", ".xml").toFile(); BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(tmpFile)); byte[] doc = TEST_DOC.getBytes(); out.write(doc, 0, doc.length); diff --git a/commons/src/test/java/org/apache/oodt/commons/object/jndi/ObjectContextTest.java b/commons/src/test/java/org/apache/oodt/commons/object/jndi/ObjectContextTest.java index 327afa7e7..aaaaabd7d 100644 --- a/commons/src/test/java/org/apache/oodt/commons/object/jndi/ObjectContextTest.java +++ b/commons/src/test/java/org/apache/oodt/commons/object/jndi/ObjectContextTest.java @@ -17,6 +17,7 @@ import java.io.File; import java.io.FileOutputStream; +import java.nio.file.Files; import java.util.ArrayList; import java.util.List; import java.util.Properties; 
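Review bot: The `//JUnit imports` grouping comment and the blank line before `import junit.framework.TestCase;` are deleted by the first hunk, which has nothing to do with the temp-file fix; the rewrite recipe appears to have swallowed them while inserting the `java.nio.file.Files` import. A security patch that is limited to the vulnerable call is easier to audit and to backport, so restore `//JUnit imports` above the JUnit import and keep the blank line. The same incidental comment removal recurs in other files of this patch and is worth cleaning up before merge.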
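Review bot: `tmpFile` is created on the new `Files.createTempFile("conf", ".xml")` line but nothing in the hunk removes it, and the `FileOutputStream` opened on the next line is not in try-with-resources, so if `out.write` throws (the rest of `setUp` is outside the hunk) the handle stays open and the config file survives the test. Unless `tearDown` already deletes it, add `tmpFile.deleteOnExit();` directly after the creation line and put the stream in a try-with-resources block. `TEST_DOC.getBytes()` also encodes with the platform default charset, which can differ from what the XML reader later assumes; `TEST_DOC.getBytes(StandardCharsets.UTF_8)` pins it (`java.nio.charset.StandardCharsets` is not yet imported in this file).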
@@ -46,7 +47,7 @@ public ObjectContextTest(String caseName) { public void setUp() throws Exception { super.setUp(); - aliasFile = File.createTempFile("test", ".properties"); + aliasFile = Files.createTempFile("test", ".properties").toFile(); aliasFile.deleteOnExit(); Properties aliases = new Properties(); aliases.setProperty("urn:alias:x", "urn:a:x"); diff --git a/crawler/src/test/java/org/apache/oodt/cas/crawl/typedetection/TestMimeExtractorConfigReader.java b/crawler/src/test/java/org/apache/oodt/cas/crawl/typedetection/TestMimeExtractorConfigReader.java index bfc445d9d..9073dc8b5 100644 --- a/crawler/src/test/java/org/apache/oodt/cas/crawl/typedetection/TestMimeExtractorConfigReader.java +++ b/crawler/src/test/java/org/apache/oodt/cas/crawl/typedetection/TestMimeExtractorConfigReader.java @@ -18,6 +18,7 @@ //JDK imports import java.io.File; +import java.nio.file.Files; import java.util.List; import java.util.UUID; @@ -47,7 +48,7 @@ public class TestMimeExtractorConfigReader extends TestCase { @Override public void setUp() throws Exception { - File tmpFile = File.createTempFile("bogus", "bogus"); + File tmpFile = Files.createTempFile("bogus", "bogus").toFile(); tmpDir = new File(tmpFile.getParentFile(), UUID.randomUUID().toString()); tmpFile.delete(); if (!tmpDir.mkdirs()) { diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestDataSourceCatalog.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestDataSourceCatalog.java index 766acd06f..7a1d59965 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestDataSourceCatalog.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestDataSourceCatalog.java @@ -35,6 +35,7 @@ import java.io.File; import java.io.FileInputStream; import java.net.URL; +import java.nio.file.Files; import java.util.ArrayList; import java.util.List; import java.util.Properties; 
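Review bot: The hardening stops at the throwaway file: `tmpDir` is still created by `tmpDir.mkdirs()` under the shared temp root with whatever the process umask allows, and the `Files.createTempFile("bogus", "bogus")` result is deleted on the very next line, so the only thing the new call achieves here is discovering `java.io.tmpdir`. The directory is what the test actually populates, so it should be the thing created securely: replace the three lines `File tmpFile = …`, `tmpDir = new File(…)`, `tmpFile.delete();` with `tmpDir = Files.createTempDirectory("bogus").toFile();`, which creates a uniquely named directory with owner-only permissions on POSIX. The `if (!tmpDir.mkdirs())` guard (its body runs past the hunk) must then be dropped, since `mkdirs()` returns false for a directory that already exists.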
@@ -99,7 +100,7 @@ public void setUpProperties() { File tempFile; try { - tempFile = File.createTempFile("foo", "bar"); + tempFile = Files.createTempFile("foo", "bar").toFile(); tempFile.deleteOnExit(); tempDir = tempFile.getParentFile(); } catch (Exception e) { diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java index cecf8036b..25f458d1d 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/catalog/TestLuceneCatalog.java @@ -37,6 +37,7 @@ import java.io.File; import java.io.FileInputStream; import java.net.URL; +import java.nio.file.Files; import java.util.List; import java.util.Properties; import java.util.Vector; @@ -93,7 +94,7 @@ public void setUpProperties() { File tempFile; try { - tempFile = File.createTempFile("foo", "bar"); + tempFile = Files.createTempFile("foo", "bar").toFile(); tempFile.deleteOnExit(); tempDir = tempFile.getParentFile(); } catch (Exception e) { diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java index ebf8792ec..ecc61e3dc 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/TestFileManagerCli.java @@ -21,6 +21,7 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; +import java.nio.file.Files; import java.util.Properties; //JUnit imports import junit.framework.TestCase; 
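Review bot: The temp file created by the new `Files.createTempFile("foo", "bar")` line exists only so that `tempDir = tempFile.getParentFile()` can find the system temp root; nothing in the hunk writes to it, so its permissions are irrelevant, and `tempDir` itself remains the world-shared `java.io.tmpdir`. If `setUpProperties` (continuing past the hunk) points the catalog at `tempDir`, the catalog data still lands in a shared directory at a predictable path; `tempDir = Files.createTempDirectory("filemgr").toFile();` would give the test a private 0700 directory and make the file creation, `deleteOnExit()` and `getParentFile()` lines unnecessary. The surrounding `catch (Exception e)` block ends outside the hunk.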
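Review bot: In `TestLuceneCatalog.setUpProperties` the securely created file is again only a probe for `tempFile.getParentFile()`, so the change does not protect whatever the test later writes under `tempDir`, which is still the shared `java.io.tmpdir`. Replacing the three lines with `tempDir = Files.createTempDirectory("lucene").toFile();` creates a private, uniquely named directory instead; the remainder of the method and its `catch (Exception e)` body are outside the hunk.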
@@ -323,7 +324,7 @@ public void testIngestProduct() { public void testDumpMetadata() throws IOException { String productId = "TestProductId"; - File bogusFile = File.createTempFile("bogus", "bogus"); + File bogusFile = Files.createTempFile("bogus", "bogus").toFile(); File tmpFile = new File(bogusFile.getParentFile(), "CliDumpMetadata"); tmpFile.mkdirs(); bogusFile.delete(); diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestDumpMetadataCliAction.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestDumpMetadataCliAction.java index fd735e497..dd5215dd5 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestDumpMetadataCliAction.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestDumpMetadataCliAction.java @@ -24,8 +24,8 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; +import java.nio.file.Files; -//Apache imports import org.apache.commons.io.FileUtils; //OODT imports @@ -53,7 +53,7 @@ public class TestDumpMetadataCliAction extends TestCase { @Override public void setUp() throws Exception { - File bogusFile = File.createTempFile("bogus", "bogus"); + File bogusFile = Files.createTempFile("bogus", "bogus").toFile(); tmpFile = new File(bogusFile.getParentFile(), "MetadataDump"); tmpFile.mkdirs(); bogusFile.delete(); diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestIngestProductCliAction.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestIngestProductCliAction.java index fd99d7e82..ebf815b37 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestIngestProductCliAction.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/cli/action/TestIngestProductCliAction.java @@ -23,6 +23,7 @@ import java.io.PrintStream; import java.net.MalformedURLException; import java.net.URL; +import java.nio.file.Files; import java.util.Collections; import java.util.Comparator; 
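Review bot: The fixed-name directory `new File(bogusFile.getParentFile(), "CliDumpMetadata")` is the real temp-file weakness in this method and the patch leaves it in place: it sits at a predictable path in the shared temp root, `tmpFile.mkdirs()` creates it with umask permissions, and its return value is ignored, so a directory or symlink pre-placed there by another local user is silently reused. The securely created `bogusFile` is deleted on the following line and only serves to locate `java.io.tmpdir`. Replacing the three lines with `File tmpFile = Files.createTempDirectory("CliDumpMetadata").toFile();` gives a unique, owner-only directory; the rest of `testDumpMetadata` runs past the hunk, so verify that its cleanup still matches the new name.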
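Review bot: `TestDumpMetadataCliAction.setUp` has the same shape: `tmpFile = new File(bogusFile.getParentFile(), "MetadataDump")` is a predictable path under the shared temp root, `tmpFile.mkdirs()` creates it with umask permissions and ignores the result, and the securely created `bogusFile` is deleted immediately after. `tmpFile = Files.createTempDirectory("MetadataDump").toFile();` in place of the three lines creates the directory the test actually writes into uniquely and owner-only; `setUp` continues past the hunk.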
@@ -237,7 +238,7 @@ public int compare(Reference ref1, Reference ref2) { } private File createTmpDir() throws IOException { - File bogusDir = File.createTempFile("bogus", "bogus"); + File bogusDir = Files.createTempFile("bogus", "bogus").toFile(); File tmpDir = bogusDir.getParentFile(); bogusDir.delete(); tmpDir = new File(tmpDir, "Metadata"); diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestInPlaceDataTransferer.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestInPlaceDataTransferer.java index 34eb6d9e5..f46f85dcc 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestInPlaceDataTransferer.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestInPlaceDataTransferer.java @@ -24,8 +24,8 @@ //JDK imports import java.io.File; +import java.nio.file.Files; -//Junit imports import junit.framework.TestCase; /** @@ -48,7 +48,7 @@ public TestInPlaceDataTransferer() { transfer = (InPlaceDataTransferer) new InPlaceDataTransferFactory() .createDataTransfer(); try { - File tempFileSrc = File.createTempFile("foo", ".txt"); + File tempFileSrc = Files.createTempFile("foo", ".txt").toFile(); tempFileSrc.deleteOnExit(); productOrigLoc = tempFileSrc.getAbsolutePath(); productExpectedLoc = tempFileSrc.getParent(); diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestLocalDataTransferer.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestLocalDataTransferer.java index cde641d9d..b10beca86 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestLocalDataTransferer.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/datatransfer/TestLocalDataTransferer.java @@ -28,6 +28,7 @@ import java.io.File; import java.io.IOException; import java.net.URL; +import java.nio.file.Files; import java.util.UUID; //Junit imports 
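Review bot: `createTmpDir` still resolves to the fixed path `<tmpdir>/Metadata` via `tmpDir = new File(tmpDir, "Metadata")` (the directory creation presumably follows outside the hunk), so the predictable, umask-permissioned directory the test writes into is unchanged; the `Files.createTempFile` call only locates the temp root before `bogusDir.delete()` removes it, and naming that file `bogusDir` hides what it is. `File tmpDir = Files.createTempDirectory("Metadata").toFile();` replaces the first three lines and yields a unique 0700 directory; the method's remaining lines are outside the hunk.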
@@ -55,7 +56,7 @@ public void setUp() throws Exception { .createDataTransfer(); URL url = this.getClass().getResource("/test.txt"); origFile = new File(url.getFile()); - File testFile = File.createTempFile("test", ".txt"); + File testFile = Files.createTempFile("test", ".txt").toFile(); testDir = new File(testFile.getParentFile(), UUID.randomUUID().toString()); repoDir = new File(testDir, "repo"); if (!repoDir.mkdirs()) { diff --git a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/structs/type/TestTypeHandler.java b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/structs/type/TestTypeHandler.java index a189f93db..4dc1496bf 100644 --- a/filemgr/src/test/java/org/apache/oodt/cas/filemgr/structs/type/TestTypeHandler.java +++ b/filemgr/src/test/java/org/apache/oodt/cas/filemgr/structs/type/TestTypeHandler.java @@ -44,6 +44,7 @@ import java.io.FileInputStream; import java.net.MalformedURLException; import java.net.URL; +import java.nio.file.Files; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; @@ -99,7 +100,7 @@ public void setUpProperties() { File tempFile; try { - tempFile = File.createTempFile("foo", "bar"); + tempFile = Files.createTempFile("foo", "bar").toFile(); tempFile.deleteOnExit(); tempDir = tempFile.getParentFile(); } catch (Exception e) { diff --git a/metadata/src/test/java/org/apache/oodt/cas/metadata/filenaming/TestPathUtilsNamingConvention.java b/metadata/src/test/java/org/apache/oodt/cas/metadata/filenaming/TestPathUtilsNamingConvention.java index ed47b36ca..fed7cfe0f 100644 --- a/metadata/src/test/java/org/apache/oodt/cas/metadata/filenaming/TestPathUtilsNamingConvention.java +++ b/metadata/src/test/java/org/apache/oodt/cas/metadata/filenaming/TestPathUtilsNamingConvention.java @@ -19,6 +19,7 @@ //JDK imports import java.io.File; import java.io.IOException; +import java.nio.file.Files; import java.util.UUID; //Apache imports 
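Review bot: `testFile` from the new `Files.createTempFile("test", ".txt")` line is never deleted within the hunk — unlike the sibling tests there is no `delete()` or `deleteOnExit()` — so each run leaves an empty `test*.txt` in the temp directory, and the file is only used to derive the parent of `testDir`. `testDir` itself is a `UUID`-named directory created by `repoDir.mkdirs()` under the shared temp root with umask permissions, and that is where the transferred data goes. `File testDir = Files.createTempDirectory("test").toFile();` replaces the two lines and removes both problems; the `mkdirs()` failure branch and the rest of `setUp` continue past the hunk.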
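Review bot: In `TestTypeHandler.setUpProperties` the file created by the new call is deleted on exit and used only for `tempFile.getParentFile()`, so `tempDir` is still the shared `java.io.tmpdir` and nothing the test writes there gains protection from this change. `tempDir = Files.createTempDirectory("typehandler").toFile();` in place of the three lines gives a private directory; the `catch (Exception e)` body is outside the hunk.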
@@ -39,7 +40,7 @@ public class TestPathUtilsNamingConvention extends TestCase { public void testRename() throws IOException, NamingConventionException { - File tmpFile = File.createTempFile("bogus", "bogus"); + File tmpFile = Files.createTempFile("bogus", "bogus").toFile(); File tmpDir = new File(tmpFile.getParentFile(), UUID.randomUUID().toString()); if (!tmpDir.mkdirs()) { diff --git a/pge/src/test/java/org/apache/oodt/cas/pge/TestPGETaskInstance.java b/pge/src/test/java/org/apache/oodt/cas/pge/TestPGETaskInstance.java index 23788493b..6b0be0402 100644 --- a/pge/src/test/java/org/apache/oodt/cas/pge/TestPGETaskInstance.java +++ b/pge/src/test/java/org/apache/oodt/cas/pge/TestPGETaskInstance.java @@ -55,6 +55,7 @@ import java.io.FileInputStream; import java.io.StringReader; import java.net.URL; +import java.nio.file.Files; import java.util.Collections; import java.util.List; import java.util.Map; @@ -77,6 +78,7 @@ import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; import static org.junit.Assume.assumeTrue; + //JDK imports //JUnit imports //Apache imports @@ -647,7 +649,7 @@ private PGETaskInstance createTestInstance(String workflowInstId) } private File createTmpDir() throws Exception { - File tmpFile = File.createTempFile("bogus", "bogus"); + File tmpFile = Files.createTempFile("bogus", "bogus").toFile(); File tmpDir = new File(tmpFile.getParentFile(), UUID.randomUUID().toString()); tmpFile.delete(); tmpDir.mkdirs(); diff --git a/pge/src/test/java/org/apache/oodt/cas/pge/writers/VelocityConfigFileWriterTest.java b/pge/src/test/java/org/apache/oodt/cas/pge/writers/VelocityConfigFileWriterTest.java index 61b6ac48f..760fae608 100644 --- a/pge/src/test/java/org/apache/oodt/cas/pge/writers/VelocityConfigFileWriterTest.java +++ b/pge/src/test/java/org/apache/oodt/cas/pge/writers/VelocityConfigFileWriterTest.java 
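Review bot: Within the hunk `tmpFile` is created and then used only for `getParentFile()`; no `delete()` appears before the `mkdirs()` guard, so unless `testRename` removes it later (the method continues past the hunk) an empty `bogus*bogus` file is left in the temp directory on every run. The directory the test renames into is made by `tmpDir.mkdirs()` with umask permissions under the shared temp root. `File tmpDir = Files.createTempDirectory("bogus").toFile();` in place of the two lines creates it privately and avoids the stray file; the `if (!tmpDir.mkdirs())` guard then has to go.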
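Review bot: The blank line inserted before the `//JDK imports` / `//JUnit imports` / `//Apache imports` comment trio is unrelated to the temp-file fix and only adds churn to a security patch. Drop that hunk from the commit so the diff contains just the `Files` import and the changed call.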
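Review bot: `tmpDir.mkdirs()` on the last line of the `createTmpDir` hunk ignores its return value and creates the directory with umask permissions, so the directory handed to the PGE task is not protected by this change; the securely created `tmpFile` is deleted one line earlier and only located the temp root. `File tmpDir = Files.createTempDirectory("bogus").toFile();` replaces all four lines, throws instead of failing silently if the directory cannot be made, and creates it owner-only. `createTmpDir` continues past the hunk.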
@@ -23,6 +23,7 @@ import java.io.File; import java.io.IOException; import java.net.URL; +import java.nio.file.Files; import java.util.logging.Level; import java.util.logging.Logger; @@ -40,7 +41,7 @@ public void testCreateConfigFile() throws IOException { metadata.addMetadata("name", "Chris"); metadata.addMetadata("name", "Paul"); metadata.addMetadata("conference", "ApacheCon"); - File config = File.createTempFile("config", ".out"); + File config = Files.createTempFile("config", ".out").toFile(); try { vcfw.generateFile(config.toString(), metadata, LOG, url.getFile()); } catch (Exception e) { diff --git a/webapp/wmservices/src/main/java/org/apache/oodt/cas/wmservices/repository/PackagedWorkflowManager.java b/webapp/wmservices/src/main/java/org/apache/oodt/cas/wmservices/repository/PackagedWorkflowManager.java index 688eebc0e..eb2048d47 100644 --- a/webapp/wmservices/src/main/java/org/apache/oodt/cas/wmservices/repository/PackagedWorkflowManager.java +++ b/webapp/wmservices/src/main/java/org/apache/oodt/cas/wmservices/repository/PackagedWorkflowManager.java @@ -19,6 +19,7 @@ import java.io.File; import java.io.FileOutputStream; +import java.nio.file.Files; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -83,7 +84,7 @@ public String serializeWorkflow(Workflow workflow) throws RepositoryException { try { this.loadTasksToRepo(workflow); String workflowId = this.repo.addWorkflow(workflow); - File f = File.createTempFile("tempworkflow-", "-packaged"); + File f = Files.createTempFile("tempworkflow-", "-packaged").toFile(); this.saveWorkflow(workflowId, f.getAbsolutePath()); String workflowXML = FileUtils.readFileToString(f); f.delete(); 
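Review bot: `config` is created on the new line and handed to `vcfw.generateFile(config.toString(), …)`, but nothing in the hunk marks it for deletion, so unless the test deletes it after the `catch` (the method continues past the hunk) the rendered `config*.out`, which carries the metadata values, is left in the temp directory. Add `config.deleteOnExit();` right after the creation line as a floor, or delete it in a `finally` around the `generateFile` call. The `catch (Exception e)` that starts on the last hunk line ends outside the hunk.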
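Review bot: `f.delete()` two lines below the new `Files.createTempFile("tempworkflow-", "-packaged")` call is reached only on the happy path; if `saveWorkflow` or `FileUtils.readFileToString(f)` throws, the file holding the serialized workflow stays in the temp directory, and this is production code in the web service rather than a test. Moving the delete into a `finally` keeps the tightened permissions meaningful for the file's whole lifetime. `readFileToString(f)` with no charset also decodes with the platform default; passing `StandardCharsets.UTF_8` (not imported in this file) would make the round trip with `saveWorkflow` deterministic, assuming that method writes UTF-8. The enclosing `try` and the method's return are outside the hunk.
```java
String workflowId = this.repo.addWorkflow(workflow);
File f = Files.createTempFile("tempworkflow-", "-packaged").toFile();
String workflowXML;
try {
    this.saveWorkflow(workflowId, f.getAbsolutePath());
    workflowXML = FileUtils.readFileToString(f);
} finally {
    f.delete();
}
// … unchanged: remainder of serializeWorkflow (outside the hunk) …
```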
@@ -107,7 +108,7 @@ public String serializeWorkflow(Workflow workflow) throws RepositoryException { public Workflow parsePackagedWorkflow(String workflowID, String workflowXML) throws RepositoryException { try { - File tmpfile = File.createTempFile("tempworkflow-", "-packaged"); + File tmpfile = Files.createTempFile("tempworkflow-", "-packaged").toFile(); FileUtils.writeStringToFile(tmpfile, workflowXML); PackagedWorkflowRepository tmprepo = new PackagedWorkflowRepository( Collections.singletonList(tmpfile)); diff --git a/workflow/src/test/java/org/apache/oodt/cas/workflow/instrepo/TestLuceneWorkflowInstanceRepository.java b/workflow/src/test/java/org/apache/oodt/cas/workflow/instrepo/TestLuceneWorkflowInstanceRepository.java index 7c8bec444..b5d411b7c 100644 --- a/workflow/src/test/java/org/apache/oodt/cas/workflow/instrepo/TestLuceneWorkflowInstanceRepository.java +++ b/workflow/src/test/java/org/apache/oodt/cas/workflow/instrepo/TestLuceneWorkflowInstanceRepository.java @@ -31,6 +31,7 @@ //JDK imports import java.io.File; import java.io.FileInputStream; +import java.nio.file.Files; import java.util.List; import java.util.Vector; @@ -114,7 +115,7 @@ public TestLuceneWorkflowInstanceRepository() { File tempFile; try { - tempFile = File.createTempFile("foo", "bar"); + tempFile = Files.createTempFile("foo", "bar").toFile(); tempFile.deleteOnExit(); tempDir = tempFile.getParentFile(); } catch (Exception e) { diff --git a/workflow/src/test/java/org/apache/oodt/cas/workflow/repository/TestWorkflowDataSourceRepository.java b/workflow/src/test/java/org/apache/oodt/cas/workflow/repository/TestWorkflowDataSourceRepository.java index ba2bb7e8a..1cf37eee5 100644 --- a/workflow/src/test/java/org/apache/oodt/cas/workflow/repository/TestWorkflowDataSourceRepository.java +++ b/workflow/src/test/java/org/apache/oodt/cas/workflow/repository/TestWorkflowDataSourceRepository.java 
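Review bot: `tmpfile` receives the caller-supplied `workflowXML` via `FileUtils.writeStringToFile` on the line after the new call, but no deletion is visible in the hunk; the file is passed into `new PackagedWorkflowRepository(Collections.singletonList(tmpfile))`, which may read it lazily, so it is unclear from here when, if ever, it is removed (the method continues past the hunk). If the repository finishes reading in its constructor, delete the file in a `finally` once it is built; otherwise at least `tmpfile.deleteOnExit();` after creation bounds its lifetime to the JVM's. `writeStringToFile(tmpfile, workflowXML)` without a charset also uses the platform default, so the parse can disagree with the bytes a client sent; pass `StandardCharsets.UTF_8` if the repository reads UTF-8.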
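Review bot: In `TestLuceneWorkflowInstanceRepository` the file from the new `Files.createTempFile("foo", "bar")` call is only a probe for `tempFile.getParentFile()`, so `tempDir` remains the shared `java.io.tmpdir` and any index the test writes there gains nothing from the change. `tempDir = Files.createTempDirectory("wfinst").toFile();` in place of the three lines gives a private directory; the `catch (Exception e)` body is outside the hunk.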
@@ -37,6 +37,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; +import java.nio.file.Files; import java.sql.SQLException; import java.util.ArrayList; import java.util.Collections; @@ -82,7 +83,7 @@ public TestWorkflowDataSourceRepository() throws SQLException, FileNotFoundExcep File tempFile; try { - tempFile = File.createTempFile("foo", "bar"); + tempFile = Files.createTempFile("foo", "bar").toFile(); tempFile.deleteOnExit(); tempDir = tempFile.getParentFile(); } catch (Exception e) {
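Review bot: `TestWorkflowDataSourceRepository` uses the securely created file only to compute `tempDir = tempFile.getParentFile()`, so `tempDir` is still the shared `java.io.tmpdir` and whatever the constructor writes there (the rest of it is outside the hunk) is unaffected by the fix. `tempDir = Files.createTempDirectory("wfrepo").toFile();` replaces the three lines and gives the test its own owner-only directory; the `catch (Exception e)` body runs past the hunk.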