This is an automated email from the ASF dual-hosted git repository. struberg pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openjpa.git
The following commit(s) were added to refs/heads/master by this push:
     new 87e253b9e vuln-fix: Temporary File Information Disclosure
87e253b9e is described below

commit 87e253b9e58a8f061b0431a1ab4df3e5e1660519
Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
AuthorDate: Fri Nov 18 22:42:52 2022 +0000

    vuln-fix: Temporary File Information Disclosure

    This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method.

    The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

    Weakness: CWE-377: Insecure Temporary File
    Severity: Medium
    CVSSS: 5.5
    Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

    Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
    Co-authored-by: Moderne <t...@moderne.io>
---
 .../main/java/org/apache/openjpa/enhance/InstrumentationFactory.java | 3 ++-
 .../src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
index 6e94635b9..8a828fc47 100644
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
@@ -28,6 +28,7 @@ import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.CodeSource;
 import java.security.PrivilegedAction;
@@ -148,7 +149,7 @@ public class InstrumentationFactory {
      */
     private static String createAgentJar() throws IOException {
         File file =
-            File.createTempFile(InstrumentationFactory.class.getName(), ".jar");
+            Files.createTempFile(InstrumentationFactory.class.getName(), ".jar").toFile();
         file.deleteOnExit();

         ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
diff --git a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
index 4b6be364b..7f2ca7992 100644
--- a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
+++ b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.MissingResourceException;

@@ -142,7 +143,7 @@ public class TestAnchorParsing extends TestCase {

     private File resourceToTemporaryFile(String s) throws IOException {
         InputStream in = getClass().getClassLoader().getResourceAsStream(s);
-        File f = File.createTempFile("TestAnchorParsing", ".xml");
+        File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
         OutputStream out = new FileOutputStream(f);
         byte[] bytes = new byte[1024];
         while (true) {
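Review bot: The replaced `+` line in createAgentJar carries no hint of why `File.createTempFile` was dropped, so the next refactor can silently revert it; a comment above `File file =` such as `// Files.createTempFile creates the jar with owner-only permissions on POSIX file systems; File.createTempFile honours the umask and can leave it readable by other local users (CWE-377)` would pin the intent. The owner-only mode is applied only where the file system supports POSIX attributes, so on other file systems the call falls back to default permissions and the restriction should not be the sole protection for the agent jar. The same comment is worth adding at the `resourceToTemporaryFile` hunk in TestAnchorParsing.java. createAgentJar's body continues outside the hunk, so whether the `ZipOutputStream` opened on the last context line is closed on every path cannot be checked here.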