vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

enforcer-rules/src/test/java/org/apache/maven/plugins/enforcer/TestRequireFileChecksum.java

@@ -21,6 +21,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
 
@@ -48,7 +49,7 @@ public class TestRequireFileChecksum
     public void testFileChecksumMd5()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );
@@ -62,7 +63,7 @@ public void testFileChecksumMd5()
     public void testFileChecksumMd5UpperCase()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );
@@ -108,7 +109,7 @@ public void testFileChecksumMd5GivenFileDoesNotExistFailureWithMessage()
     public void testFileChecksumMd5GivenFileIsNotReadableFailure()
         throws IOException
     {
-        File t = File.createTempFile( "junit", null, temporaryFolder );
+        File t = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         File f = new File( t.getAbsolutePath() )
         {
             private static final long serialVersionUID = 6987790643999338089L;
@@ -193,7 +194,7 @@ public void testFileChecksumMd5NoTypeSpecifiedFailure()
     public void testFileChecksumMd5ChecksumMismatchFailure()
         throws IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         Throwable exception = assertThrows( EnforcerRuleException.class, () -> {
             FileUtils.fileWrite( f, "message" );
 
@@ -229,7 +230,7 @@ public void testFileChecksumMd5ChecksumMismatchFailureWithMessage()
     public void testFileChecksumSha1()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );
@@ -243,7 +244,7 @@ public void testFileChecksumSha1()
     public void testFileChecksumSha256()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );
@@ -257,7 +258,7 @@ public void testFileChecksumSha256()
     public void testFileChecksumSha384()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );
@@ -271,7 +272,7 @@ public void testFileChecksumSha384()
     public void testFileChecksumSha512()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "message" );
 
         rule.setFile( f );

enforcer-rules/src/test/java/org/apache/maven/plugins/enforcer/TestRequireFilesDontExist.java

@@ -22,12 +22,13 @@
 import static org.junit.jupiter.api.Assertions.*;
 
 import java.io.File;
-import java.io.IOException;
+import java.io.IOException;
+import java.nio.file.Files;
 
 import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-
+import org.junit.jupiter.api.io.TempDir;
+
 /**
  * Test the "require files don't exist" rule.
  * 
@@ -44,7 +45,7 @@ public class TestRequireFilesDontExist
     public void testFileExists()
         throws IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         rule.setFiles( new File[] { f } );
 
@@ -126,7 +127,7 @@ public void testEmptyFileListAllowNull()
     public void testFileDoesNotExist()
         throws EnforcerRuleException, IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         f.delete();
 
         assertFalse( f.exists() );
@@ -140,12 +141,12 @@ public void testFileDoesNotExist()
     public void testFileDoesNotExistSatisfyAny()
             throws EnforcerRuleException, IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         f.delete();
 
         assertFalse( f.exists() );
 
-        File g = File.createTempFile( "junit", null, temporaryFolder );
+        File g = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         assertTrue( g.exists() );
 

enforcer-rules/src/test/java/org/apache/maven/plugins/enforcer/TestRequireFilesExist.java

@@ -23,6 +23,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 
 import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
 import org.junit.jupiter.api.Test;
@@ -44,7 +45,7 @@ public class TestRequireFilesExist
     public void testFileExists()
         throws Exception
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         rule.setFiles( new File[] { f.getCanonicalFile() } );
 
@@ -109,7 +110,7 @@ public void testEmptyFileListAllowNull()
     public void testFileDoesNotExist()
         throws Exception
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         f.delete();
 
         assertFalse( f.exists() );
@@ -126,12 +127,12 @@ public void testFileDoesNotExist()
     public void testFileExistsSatisfyAny()
             throws EnforcerRuleException, IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         f.delete();
 
         assertFalse( f.exists() );
 
-        File g = File.createTempFile( "junit", null, temporaryFolder );
+        File g = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         assertTrue( g.exists() );
 

enforcer-rules/src/test/java/org/apache/maven/plugins/enforcer/TestRequireFilesSize.java

@@ -24,14 +24,15 @@
 import java.io.BufferedWriter;
 import java.io.File;
 import java.io.FileWriter;
-import java.io.IOException;
+import java.io.IOException;
+import java.nio.file.Files;
 
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
 import org.apache.maven.plugin.testing.ArtifactStubFactory;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-
+import org.junit.jupiter.api.io.TempDir;
+
 /**
  * Test the "require files exist" rule.
  *
@@ -48,7 +49,7 @@ public class TestRequireFilesSize
     public void testFileExists()
         throws EnforcerRuleException, IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         rule.setFiles( new File[] { f } );
 
@@ -88,7 +89,7 @@ public void testEmptyFileList()
         assertEquals( 0, rule.getFiles().length );
 
         MockProject project = new MockProject();
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         ArtifactStubFactory factory = new ArtifactStubFactory();
         Artifact a = factory.getReleaseArtifact();
@@ -107,7 +108,7 @@ public void testEmptyFileList()
     public void testFileDoesNotExist()
         throws IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         f.delete();
         assertFalse( f.exists() );
         rule.setFiles( new File[] { f } );
@@ -127,7 +128,7 @@ public void testFileDoesNotExist()
     public void testFileTooSmall()
         throws IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         rule.setFiles( new File[] { f } );
         rule.setMinsize( 10 );
         try
@@ -145,7 +146,7 @@ public void testFileTooSmall()
     public void testFileTooBig()
         throws IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         try ( BufferedWriter out = new BufferedWriter( new FileWriter( f ) ) )
         {
             out.write( "123456789101112131415" );
@@ -169,14 +170,14 @@ public void testFileTooBig()
     public void testRequireFilesSizeSatisfyAny()
             throws EnforcerRuleException, IOException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         try ( BufferedWriter out = new BufferedWriter( new FileWriter( f ) ) )
         {
             out.write( "123456789101112131415" );
         }
         assertTrue( f.length() > 10 );
 
-        File g = File.createTempFile( "junit", null, temporaryFolder );
+        File g = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
 
         rule.setFiles( new File[] { f, g } );
         rule.setMaxsize( 10 );

enforcer-rules/src/test/java/org/apache/maven/plugins/enforcer/TestRequireTextFileChecksum.java

@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import org.apache.maven.enforcer.rule.api.EnforcerRuleException;
 import org.apache.maven.plugins.enforcer.utils.NormalizeLineSeparatorReader.LineSeparator;
@@ -46,7 +47,7 @@ public class TestRequireTextFileChecksum
     public void testFileChecksumMd5NormalizedFromUnixToWindows()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "line1\nline2\n" );
 
         rule.setFile( f );
@@ -62,7 +63,7 @@ public void testFileChecksumMd5NormalizedFromUnixToWindows()
     public void testFileChecksumMd5NormalizedFromWindowsToWindows()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "line1\r\nline2\r\n" );
 
         rule.setFile( f );
@@ -78,7 +79,7 @@ public void testFileChecksumMd5NormalizedFromWindowsToWindows()
     public void testFileChecksumMd5NormalizedFromWindowsToUnix()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "line1\r\nline2\r\n" );
 
         rule.setFile( f );
@@ -94,7 +95,7 @@ public void testFileChecksumMd5NormalizedFromWindowsToUnix()
     public void testFileChecksumMd5NormalizedFromUnixToUnix()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "line1\nline2\n" );
 
         rule.setFile( f );
@@ -110,7 +111,7 @@ public void testFileChecksumMd5NormalizedFromUnixToUnix()
     public void testFileChecksumMd5NormalizedWithMissingFileCharsetParameter()
         throws IOException, EnforcerRuleException
     {
-        File f = File.createTempFile( "junit", null, temporaryFolder );
+        File f = Files.createTempFile( temporaryFolder.toPath(), "junit", null ).toFile();
         FileUtils.fileWrite( f, "line1\nline2\n" );
 
         rule.setFile( f );