vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

Author: 2 people

src/main/java/org/apache/maven/plugins/assembly/filter/AbstractLineAggregatingHandler.java

@@ -33,6 +33,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -81,7 +82,7 @@ void addToArchive( final Archiver archiver )
             File f;
             try
             {
-                f = File.createTempFile( "assembly-" + fname, ".tmp" );
+                f = Files.createTempFile( "assembly-" + fname, ".tmp" ).toFile();
                 f.deleteOnExit();
 
                 try ( PrintWriter writer =

src/main/java/org/apache/maven/plugins/assembly/filter/ComponentsXmlArchiverFileFilter.java

@@ -102,7 +102,7 @@ private void addToArchive( final Archiver archiver )
     {
         if ( components != null )
         {
-            final File f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+            final File f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
             f.deleteOnExit();
 
 

src/main/java/org/apache/maven/plugins/assembly/filter/SimpleAggregatingDescriptorHandler.java

@@ -38,6 +38,7 @@
 import java.io.StringWriter;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -97,7 +98,7 @@ private File writePropertiesFile()
         File f;
         try
         {
-            f = File.createTempFile( "maven-assembly-plugin", "tmp" );
+            f = Files.createTempFile( "maven-assembly-plugin", "tmp" ).toFile();
             f.deleteOnExit();
 
             try ( Writer writer = getWriter( f ) )

src/main/java/org/apache/maven/plugins/assembly/io/URLLocation.java

@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.file.Files;
 
 import org.apache.commons.io.IOUtils;
 
@@ -65,7 +66,7 @@ protected void initFile()
     {
         if ( unsafeGetFile() == null )
         {
-            File tempFile = File.createTempFile( tempFilePrefix, tempFileSuffix );
+            File tempFile = Files.createTempFile( tempFilePrefix, tempFileSuffix ).toFile();
 
             if ( tempFileDeleteOnExit )
             {

src/test/java/org/apache/maven/plugins/assembly/io/DefaultAssemblyReaderTest.java

@@ -96,7 +96,7 @@ public void setUp()
     public void testIncludeSiteInAssembly_ShouldFailIfSiteDirectoryNonExistent()
         throws Exception
     {
-        final File siteDir = File.createTempFile( "assembly-reader.", ".test" );
+        final File siteDir = Files.createTempFile( "assembly-reader.", ".test" ).toFile();
         siteDir.delete();
 
         when( configSource.getSiteDirectory() ).thenReturn( siteDir );

src/test/java/org/apache/maven/plugins/assembly/utils/LineEndingsUtilsTest.java

@@ -29,6 +29,7 @@
 import java.io.IOException;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.nio.file.Files;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
@@ -262,9 +263,9 @@ public void testConvertLineEndings_CRLFToLFWithEOFStripEOF()
     private void testConversion( String test, String check, LineEndings lineEndingChars, Boolean eof )
         throws IOException
     {
-        File source = File.createTempFile( "line-conversion-test-in.", "" );
+        File source = Files.createTempFile( "line-conversion-test-in.", "" ).toFile();
         source.deleteOnExit();
-        File dest = File.createTempFile( "line-conversion-test-out.", "" );
+        File dest = Files.createTempFile( "line-conversion-test-out.", "" ).toFile();
         dest.deleteOnExit();
 
         FileWriter sourceWriter = null;