From 7e9fc300106b92958aad2e3b298d5b1c258d0e92 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 19 Jul 2024 20:50:59 -0400
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure (#389)
Simplify the creation of temp dir in FileMatchersTest
This was originally identified as a security vulnerability (see details below), but inspection of the code showed that the vulnerability was not actually present in the code, as the original code does check the return code of `directory.delete()` and `directory.mkdirs()`. The PR was accepted because the change actually is an improvement to the code anyway.
Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
Reported-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne
---
 .../src/test/java/org/hamcrest/io/FileMatchersTest.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hamcrest/src/test/java/org/hamcrest/io/FileMatchersTest.java b/hamcrest/src/test/java/org/hamcrest/io/FileMatchersTest.java
index 80a90e48..8a434d20 100644
--- a/hamcrest/src/test/java/org/hamcrest/io/FileMatchersTest.java
+++ b/hamcrest/src/test/java/org/hamcrest/io/FileMatchersTest.java
@@ -5,6 +5,7 @@
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import static org.hamcrest.core.IsEqual.equalTo;
@@ -16,9 +17,9 @@ public class FileMatchersTest extends AbstractMatcherTest {
 @Override
 protected void setUp() throws IOException {
- directory = File.createTempFile("myDir", "");
- assertTrue("deleting " + directory, directory.delete());
- assertTrue("mkdir " + directory, directory.mkdirs());
+ directory = Files.createTempDirectory("myDir").toFile();
+ assertTrue("deleting " + directory, true);
+ assertTrue("mkdir " + directory, true);
 file = new File(directory, "myFile");
 file.createNewFile();
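Review bot: The two assertions on the new side, `assertTrue("deleting " + directory, true);` and `assertTrue("mkdir " + directory, true);`, are tautologies left behind by the mechanical rewrite — they can never fail and no longer check anything about `directory`, so they should be deleted rather than kept. `Files.createTempDirectory` already throws `IOException` (propagated by `setUp`) when the directory cannot be created, which is the condition the removed `delete()`/`mkdirs()` checks guarded; if a sanity check is still wanted, `assertTrue("isDirectory " + directory, directory.isDirectory());` states it honestly. Leaving the dead assertions in place also reads as if a delete-then-recreate step still happens, which would mislead anyone auditing this test for the CWE-379 pattern the commit message discusses. The rest of `setUp` (its closing brace) lies outside the hunk as shown.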