From ab7ea609eda7aa7cc38c131f9e07cfa12cee45aa Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Wed, 27 Jul 2022 16:36:05 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information
 Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10

Co-authored-by: Moderne <team@moderne.io>
---
 src/main/java/hockeyapp/HockeyappRecorder.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main/java/hockeyapp/HockeyappRecorder.java b/src/main/java/hockeyapp/HockeyappRecorder.java
index f40e24a..b55b42e 100644
--- a/src/main/java/hockeyapp/HockeyappRecorder.java
+++ b/src/main/java/hockeyapp/HockeyappRecorder.java
@@ -24,6 +24,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import hudson.scm.ChangeLogSet.Entry;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 
 import net.sf.json.JSONObject;
@@ -137,9 +138,7 @@ public boolean perform(AbstractBuild<?, ?> build, Launcher launcher,
 			EnvVars vars = build.getEnvironment(listener);
 
 			// Copy remote file to local file system.
-			tempDir = File.createTempFile("jtf", null);
-			tempDir.delete();
-			tempDir.mkdirs();
+			tempDir = Files.createTempDirectory("jtf").toFile();
 
 			File file = getFileLocally(build.getWorkspace(),
 					vars.expand(filePath), tempDir);