vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

maven-resolver-test-util/src/main/java/org/eclipse/aether/internal/test/util/TestFileUtils.java

@@ -27,6 +27,7 @@
 import java.io.OutputStream;
 import java.io.RandomAccessFile;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Properties;
@@ -154,7 +155,7 @@ public static File createTempFile( byte[] pattern, int repeat )
         throws IOException
     {
         mkdirs( TMP );
-        File tmpFile = File.createTempFile( "tmpfile-", ".data", TMP );
+        File tmpFile = Files.createTempFile( TMP.toPath(), "tmpfile-", ".data" ).toFile();
         writeBytes( tmpFile, pattern, repeat );
         return tmpFile;
     }
@@ -169,7 +170,7 @@ public static File createTempDir( String suffix )
         throws IOException
     {
         mkdirs( TMP );
-        File tmpFile = File.createTempFile( "tmpdir-", suffix, TMP );
+        File tmpFile = Files.createTempFile( TMP.toPath(), "tmpdir-", suffix ).toFile();
         deleteFile( tmpFile );
         mkdirs( tmpFile );
         return tmpFile;