From 29da34c0bb723de4a25941b1c41b8521d03ed894 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 10 Feb 2023 09:47:31 -0500
Subject: [PATCH] [MINVOKER-324] Temporary File Information Disclosure (#152)
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
Co-authored-by: Guillaume Nodet
---
 .../org/apache/maven/plugins/invoker/AbstractInvokerMojo.java | 2 +-
 .../apache/maven/plugins/invoker/InvokerPropertiesTest.java | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java b/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java
index aa59f786..4a3bd354 100644
--- a/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java
+++ b/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java
@@ -1398,7 +1398,7 @@ private File mergeSettings(File interpolatedSettingsFile) throws MojoExecutionEx
 private File writeMergedSettingsFile(Settings mergedSettings) throws IOException {
 File mergedSettingsFile;
- mergedSettingsFile = File.createTempFile("invoker-settings", ".xml");
+ mergedSettingsFile = Files.createTempFile("invoker-settings", ".xml").toFile();
 SettingsXpp3Writer settingsWriter = new SettingsXpp3Writer();
diff --git a/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java b/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java
index eb357c8b..2ba1d78c 100644
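Review bot: The `+` line restricts the merged settings file to its owner only where the file system supports POSIX permissions; without explicit attributes, `Files.createTempFile` falls back to the temp directory's default ACL elsewhere, so the information-disclosure fix is partial on non-POSIX systems. Because the merged settings are Maven settings and may carry server credentials, the intent deserves a comment so the call is not "simplified" back to `File.createTempFile` later, e.g. `// Files.createTempFile, not File.createTempFile: owner-only (0600) on POSIX file systems, since merged settings may hold server credentials (MINVOKER-324).` The separate declaration and assignment could also be joined into `File mergedSettingsFile = Files.createTempFile("invoker-settings", ".xml").toFile();`. The diffstat shows no import change in AbstractInvokerMojo, so `java.nio.file.Files` is presumably already imported there — worth confirming. writeMergedSettingsFile's body continues outside the hunk, so the file's later cleanup is not visible here.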
--- a/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java
+++ b/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java
@@ -19,6 +19,7 @@
 package org.apache.maven.plugins.invoker;
 import java.io.File;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -188,7 +189,7 @@ public void testConfigureRequestProject() throws Exception {
 Properties props = new Properties();
 InvokerProperties facade = new InvokerProperties(props);
- File tempPom = File.createTempFile("maven-invoker-plugin-test", ".pom");
+ File tempPom = Files.createTempFile("maven-invoker-plugin-test", ".pom").toFile();
 try {
 File tempDir = tempPom.getParentFile();
 when(request.getBaseDirectory()).thenReturn(tempDir);