gaul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jclouds.git
The following commit(s) were added to refs/heads/master by this push:
new b282b5cbfe vuln-fix: Temporary File Information Disclosure
b282b5cbfe is described below
commit b282b5cbfef760be026660522e78d1bba81988ac
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Sat Nov 19 03:01:07 2022 +0000
vuln-fix: Temporary File Information Disclosure
This fixes a temporary file information disclosure vulnerability caused by the
use of the vulnerable `File.createTempFile()` method. The vulnerability is
fixed by using the `Files.createTempFile()` method, which sets the correct
POSIX permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite
(https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <[email protected]>
---
.../src/test/java/org/jclouds/docker/features/MiscApiMockTest.java | 3 ++-
.../jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java | 3 ++-
.../java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java | 5 +++--
.../src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java | 3 ++-
.../sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java | 3 ++-
5 files changed, 11 insertions(+), 6 deletions(-)
diff --git
a/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
b/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
index a3d21a194d..0678966fc1 100644
--- a/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
+++ b/apis/docker/src/test/java/org/jclouds/docker/features/MiscApiMockTest.java
@@ -27,6 +27,7 @@ import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import javax.ws.rs.core.HttpHeaders;
@@ -96,7 +97,7 @@ public class MiscApiMockTest extends BaseDockerMockTest {
public void testBuildContainerUsingPayload() throws Exception {
MockWebServer server = mockWebServer(new
MockResponse().setResponseCode(200));
MiscApi api = api(DockerApi.class,
server.url("/").toString()).getMiscApi();
- File file = File.createTempFile("docker", "tmp");
+ File file = Files.createTempFile("docker", "tmp").toFile();
FileInputStream data = new FileInputStream(file);
Payload payload = Payloads.newInputStreamPayload(data);
payload.getContentMetadata().setContentLength(file.length());
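Review bot: The temp file created in `testBuildContainerUsingPayload` is never deleted in the visible lines, and the `FileInputStream` opened on it is not in a try-with-resources. `Files.createTempFile` restricts the file to its owner on POSIX file systems, but the file still stays in the shared temp directory after the run unless the rest of the method, which continues outside this hunk, removes it. I would add `file.deleteOnExit();` right after creation, or close the stream and call `file.delete()` in a `finally`. The suffix `"tmp"` has no leading dot, so the name ends in `tmp` rather than `.tmp`; `".tmp"` was probably intended.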
diff --git
a/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
b/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
index 7a19459912..e9ce28ab7d 100644
---
a/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
+++
b/core/src/test/java/org/jclouds/http/BaseHttpCommandExecutorServiceIntegrationTest.java
@@ -31,6 +31,7 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
+import java.nio.file.Files;
import java.util.Random;
import java.util.concurrent.TimeUnit;
@@ -268,7 +269,7 @@ public abstract class
BaseHttpCommandExecutorServiceIntegrationTest extends Base
Payload payload = null;
try {
- f = File.createTempFile("jclouds", "tmp");
+ f = Files.createTempFile("jclouds", "tmp").toFile();
long length = (new Random().nextInt(32) + 1) * 1024L * 1024L;
TestUtils.randomByteSource().slice(0,
length).copyTo(Files.asByteSink(f));
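Review bot: The new `import java.nio.file.Files;` looks like it collides with Guava's `com.google.common.io.Files`, which this file must already use: `Files.asByteSink(f)`, two lines below the changed line, is a Guava method and does not exist on `java.nio.file.Files`. Two single-type imports with the same simple name do not compile, and if only the NIO import were kept the `asByteSink` call would break instead. Drop the added import and fully qualify the new call, `f = java.nio.file.Files.createTempFile("jclouds", "tmp").toFile();`. The same applies to both hunks in RestAnnotationProcessorTest, where `Files.append("foobledata", file, UTF_8)` and `Files.write(new byte[] { 17, 26, 39, 40, 50 }, file)` are Guava signatures. The Guava import itself is outside the visible hunks, so confirm this by compiling the affected test modules.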
diff --git
a/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
b/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
index c81c65298f..666b7e1854 100644
---
a/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
+++
b/core/src/test/java/org/jclouds/rest/internal/RestAnnotationProcessorTest.java
@@ -43,6 +43,7 @@ import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.net.URI;
import java.net.URLEncoder;
+import java.nio.file.Files;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collection;
@@ -1036,7 +1037,7 @@ public class RestAnnotationProcessorTest extends
BaseRestApiTest {
public void testMultipartWithParamFilePart() throws Exception {
Invokable<?, ?> method = method(TestMultipartForm.class,
"withParamFilePart", String.class,
File.class);
- File file = File.createTempFile("foo", "bar");
+ File file = Files.createTempFile("foo", "bar").toFile();
try {
Files.append("foobledata", file, UTF_8);
@@ -1082,7 +1083,7 @@ public class RestAnnotationProcessorTest extends
BaseRestApiTest {
public void testMultipartWithParamFileBinaryPart() throws Exception {
Invokable<?, ?> method = method(TestMultipartForm.class,
"withParamFileBinaryPart",
String.class, File.class);
- File file = File.createTempFile("foo", "bar");
+ File file = Files.createTempFile("foo", "bar").toFile();
try {
Files.write(new byte[] { 17, 26, 39, 40, 50 }, file);
diff --git
a/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
b/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
index ede5b472ad..64007c299e 100644
--- a/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
+++ b/drivers/jsch/src/test/java/org/jclouds/ssh/jsch/JschSshClientLiveTest.java
@@ -28,6 +28,7 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetAddress;
+import java.nio.file.Files;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
@@ -161,7 +162,7 @@ public class JschSshClientLiveTest {
@Test
public void testPutAndGet() throws IOException {
- temp = File.createTempFile("foo", "bar");
+ temp = Files.createTempFile("foo", "bar").toFile();
try {
SshClient client = setupClient();
client.put(temp.getAbsolutePath(),
Payloads.newStringPayload("rabbit"));
diff --git
a/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
b/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
index ba8e217d3d..fe664ce283 100644
--- a/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
+++ b/drivers/sshj/src/test/java/org/jclouds/sshj/SshjSshClientLiveTest.java
@@ -26,6 +26,7 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetAddress;
+import java.nio.file.Files;
import org.jclouds.compute.domain.ExecChannel;
import org.jclouds.compute.domain.ExecResponse;
@@ -148,7 +149,7 @@ public class SshjSshClientLiveTest {
}
public void testPutAndGet() throws IOException {
- temp = File.createTempFile("foo", "bar");
+ temp = Files.createTempFile("foo", "bar").toFile();
try {
SshClient client = setupClient();
client.put(temp.getAbsolutePath(),
Payloads.newStringPayload("rabbit"));