This is an automated email from the ASF dual-hosted git repository.

slachiewicz pushed a commit to branch MSCMPUB-56
in repository https://gitbox.apache.org/repos/asf/maven-scm-publish-plugin.git

commit 973eb142cdbd836782cffa03ee1ff61e584bf999
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Wed Jul 27 16:55:27 2022 +0000

    [MSCMPUB-56] vuln-fix: Temporary Directory Hijacking or Information 
Disclosure
    
    This fixes either Temporary Directory Hijacking, or Temporary Directory 
Local Information Disclosure.
    
    Weakness: CWE-379: Creation of Temporary File in Directory with Insecure 
Permissions
    Severity: High
    CVSS: 7.3
    Detection: CodeQL & OpenRewrite 
(https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
    
    Reported-by: Jonathan Leitschuh <[email protected]>
    Signed-off-by: Jonathan Leitschuh <[email protected]>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
    
    Co-authored-by: Moderne <[email protected]>
    
    Closes #7
---
 .../maven/plugins/scmpublish/AbstractScmPublishMojo.java     | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git 
a/src/main/java/org/apache/maven/plugins/scmpublish/AbstractScmPublishMojo.java 
b/src/main/java/org/apache/maven/plugins/scmpublish/AbstractScmPublishMojo.java
index ee343e7..06a890c 100644
--- 
a/src/main/java/org/apache/maven/plugins/scmpublish/AbstractScmPublishMojo.java
+++ 
b/src/main/java/org/apache/maven/plugins/scmpublish/AbstractScmPublishMojo.java
@@ -176,7 +176,7 @@ public abstract class AbstractScmPublishMojo
      */
     @Component
     protected ScmRepositoryConfigurator scmRepositoryConfigurator;
-    
+
     /**
      * The serverId specified in the settings.xml, which should be used for 
the authentication.
      */
@@ -232,10 +232,10 @@ public abstract class AbstractScmPublishMojo
      */
     @Parameter( defaultValue = "${settings}", readonly = true, required = true 
)
     protected Settings settings;
-    
+
     @Component
     private SettingsDecrypter settingsDecrypter;
- 
+
 
     /**
      * Collections of paths not to delete when checking content to delete.
@@ -320,7 +320,7 @@ public abstract class AbstractScmPublishMojo
 
             String provider = ScmUrlUtils.getProvider( pubScmUrl );
             String delimiter = ScmUrlUtils.getDelimiter( pubScmUrl );
-            
+
             String providerPart = "scm:" + provider + delimiter;
 
             // X TODO: also check the information from 
releaseDescriptor.getScmRelativePathProjectDirectory()
@@ -592,9 +592,7 @@ public abstract class AbstractScmPublishMojo
             try
             {
                 tmpCheckout = true;
-                checkoutDirectory = File.createTempFile( "maven-scm-publish", 
".checkout" );
-                checkoutDirectory.delete();
-                checkoutDirectory.mkdir();
+                checkoutDirectory = Files.createTempDirectory( 
"maven-scm-publish" + ".checkout" ).toFile();
             }
             catch ( IOException ioe )
             {
