From b4d9c85e64fe695e742acea543e1354df3587352 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Sat, 19 Nov 2022 02:03:39 +0000 Subject: [PATCH] vuln-fix: Temporary File Information Disclosure This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne --- .../test/java/org/glassfish/grizzly/FileTransferTest.java | 7 ++++--- .../glassfish/grizzly/http/server/filecache/FileCache.java | 3 ++- .../org/glassfish/grizzly/http/server/FileCacheTest.java | 3 ++- .../org/glassfish/grizzly/http/server/SendFileTest.java | 3 ++- .../grizzly/http/server/StaticHttpHandlerTest.java | 2 +- .../java/org/glassfish/grizzly/http2/FileCacheTest.java | 3 ++- 6 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/modules/grizzly/src/test/java/org/glassfish/grizzly/FileTransferTest.java b/modules/grizzly/src/test/java/org/glassfish/grizzly/FileTransferTest.java
index a2431b3c74..c86e6058b5 100644
--- a/modules/grizzly/src/test/java/org/glassfish/grizzly/FileTransferTest.java
+++ b/modules/grizzly/src/test/java/org/glassfish/grizzly/FileTransferTest.java
@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
+import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -69,7 +70,7 @@ public NextAction handleRead(FilterChainContext ctx) throws IOException {
 TCPNIOTransport client = TCPNIOTransportBuilder.newInstance().build();
 FilterChainBuilder clientChain = FilterChainBuilder.stateless();
 final SafeFutureImpl future = SafeFutureImpl.create();
-final File temp = File.createTempFile("grizzly-download-", ".tmp");
+final File temp = Files.createTempFile("grizzly-download-", ".tmp").toFile();
 temp.deleteOnExit();
 final FileOutputStream out = new FileOutputStream(temp);
 final AtomicInteger total = new AtomicInteger(0);
@@ -140,7 +141,7 @@ public void negativeFileTransferAPITest() throws Exception {
 fail("Unexpected exception type: " + e);
 }
-f = File.createTempFile("grizzly-test-", ".tmp");
+f = Files.createTempFile("grizzly-test-", ".tmp").toFile();
 f.deleteOnExit();
 new FileOutputStream(f).write(1);
@@ -195,7 +196,7 @@ private static BigInteger getMDSum(final File f) throws Exception {
 }
 private static File generateTempFile(final int size) throws IOException {
-final File f = File.createTempFile("grizzly-temp-" + size, ".tmp");
+final File f = Files.createTempFile("grizzly-temp-" + size, ".tmp").toFile();
 Random r = new Random();
 byte[] data = new byte[8192];
 r.nextBytes(data);
diff --git a/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/filecache/FileCache.java b/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/filecache/FileCache.java
index 9ba56eb32a..81a505e906 100644
--- a/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/filecache/FileCache.java
+++ b/modules/http-server/src/main/java/org/glassfish/grizzly/http/server/filecache/FileCache.java
@@ -25,6 +25,7 @@
 import java.nio.ByteBuffer;
 import java.nio.MappedByteBuffer;
 import java.nio.channels.FileChannel;
+import java.nio.file.Files;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -599,7 +600,7 @@ public void setFileSendEnabled(boolean fileSendEnabled) {
 */
 protected void compressFile(final FileCacheEntry entry) {
 try {
-final File tmpCompressedFile = File.createTempFile(String.valueOf(entry.plainFile.hashCode()), ".tmpzip", compressedFilesFolder);
+final File tmpCompressedFile = Files.createTempFile(compressedFilesFolder.toPath(), String.valueOf(entry.plainFile.hashCode()), ".tmpzip").toFile();
 tmpCompressedFile.deleteOnExit();
 InputStream in = null;
diff --git a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/FileCacheTest.java b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/FileCacheTest.java
index 9502bf7cbf..06456a5719 100644
--- a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/FileCacheTest.java
+++ b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/FileCacheTest.java
@@ -28,6 +28,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.nio.file.Files;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -965,7 +966,7 @@ private static String convertToDate(final long date) {
 }
 private static File createTempFile() throws IOException {
-final File f = File.createTempFile("grizzly-file-cache", ".txt");
+final File f = Files.createTempFile("grizzly-file-cache", ".txt").toFile();
 f.deleteOnExit();
 FileOutputStream out = null;
 try {
diff --git a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/SendFileTest.java b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/SendFileTest.java
index 092af15fba..4ceef994cf 100644
--- a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/SendFileTest.java
+++ b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/SendFileTest.java
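Review bot: The added `compressedFilesFolder.toPath()` in compressFile throws a NullPointerException when `compressedFilesFolder` is null, whereas the replaced `File.createTempFile(prefix, suffix, null)` silently fell back to the default temporary directory; whether the field can be null here is not visible in the hunk, so it should be confirmed against its initialization, and the enclosing try's catch clause is outside the hunk, so it is also unclear whether such an NPE would be logged or swallowed. If the fallback is intended, keep it explicit: `final Path dir = compressedFilesFolder != null ? compressedFilesFolder.toPath() : Path.of(System.getProperty("java.io.tmpdir"));` followed by `Files.createTempFile(dir, String.valueOf(entry.plainFile.hashCode()), ".tmpzip").toFile()`. Note that the owner-only permissions the new call provides apply only on file systems that support POSIX permissions, so the permissions of the cache directory itself remain the effective control elsewhere; a short comment on the line stating that intent, e.g. `// owner-only perms on POSIX; rely on folder perms otherwise`, would help the next maintainer. compressFile's body continues outside the hunk.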
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.channels.FileChannel;
+import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.util.Random;
 import java.util.concurrent.Executors;
@@ -558,7 +559,7 @@ private static File generateTempFile(final int size) throws IOException {
 }
 private static File generateTempFile(final int size, final String ext) throws IOException {
-final File f = File.createTempFile("grizzly-temp-" + size, "." + ext);
+final File f = Files.createTempFile("grizzly-temp-" + size, "." + ext).toFile();
 Random r = new Random();
 byte[] data = new byte[8192];
 r.nextBytes(data);
diff --git a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/StaticHttpHandlerTest.java b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/StaticHttpHandlerTest.java
index 0d22a05318..7865a8097e 100644
--- a/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/StaticHttpHandlerTest.java
+++ b/modules/http-server/src/test/java/org/glassfish/grizzly/http/server/StaticHttpHandlerTest.java
@@ -319,7 +319,7 @@ private static String getSystemTmpDir() {
 }
 private static File generateTempFile(final int size) throws IOException {
-final File f = File.createTempFile("grizzly-temp-" + size, ".tmp2");
+final File f = Files.createTempFile("grizzly-temp-" + size, ".tmp2").toFile();
 Random r = new Random();
 byte[] data = new byte[8192];
 r.nextBytes(data);
diff --git a/modules/http2/src/test/java/org/glassfish/grizzly/http2/FileCacheTest.java b/modules/http2/src/test/java/org/glassfish/grizzly/http2/FileCacheTest.java
index d694a0e0f9..91df6eeaf6 100644
--- a/modules/http2/src/test/java/org/glassfish/grizzly/http2/FileCacheTest.java
+++ b/modules/http2/src/test/java/org/glassfish/grizzly/http2/FileCacheTest.java
@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Writer;
+import java.nio.file.Files;
 import java.text.SimpleDateFormat;
 import java.util.Collection;
 import java.util.Date;
@@ -400,7 +401,7 @@ private static String convertToDate(final long date) {
 }
 private static File createTempFile() throws IOException {
-final File f = File.createTempFile("grizzly-file-cache", ".txt");
+final File f = Files.createTempFile("grizzly-file-cache", ".txt").toFile();
 f.deleteOnExit();
 FileOutputStream out = null;
 try {