This is an automated email from the ASF dual-hosted git repository.

struberg pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openjpa.git


The following commit(s) were added to refs/heads/master by this push:
     new 87e253b9e vuln-fix: Temporary File Information Disclosure
87e253b9e is described below

commit 87e253b9e58a8f061b0431a1ab4df3e5e1660519
Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
AuthorDate: Fri Nov 18 22:42:52 2022 +0000

    vuln-fix: Temporary File Information Disclosure
    
    
    
    This fixes temporary file information disclosure vulnerability due to the 
use
    of the vulnerable `File.createTempFile()` method. The vulnerability is 
fixed by
    using the `Files.createTempFile()` method which sets the correct posix 
permissions.
    
    Weakness: CWE-377: Insecure Temporary File
    Severity: Medium
    CVSS: 5.5
    Detection: CodeQL & OpenRewrite 
(https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
    
    Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
    
    
    Co-authored-by: Moderne <t...@moderne.io>
---
 .../main/java/org/apache/openjpa/enhance/InstrumentationFactory.java   | 3 ++-
 .../src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java   | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git 
a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
 
b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
index 6e94635b9..8a828fc47 100644
--- 
a/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
+++ 
b/openjpa-kernel/src/main/java/org/apache/openjpa/enhance/InstrumentationFactory.java
@@ -28,6 +28,7 @@ import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.CodeSource;
 import java.security.PrivilegedAction;
@@ -148,7 +149,7 @@ public class InstrumentationFactory {
      */
     private static String createAgentJar() throws IOException {
         File file =
-            File.createTempFile(InstrumentationFactory.class.getName(), 
".jar");
+            Files.createTempFile(InstrumentationFactory.class.getName(), 
".jar").toFile();
         file.deleteOnExit();
 
         ZipOutputStream zout = new ZipOutputStream(new FileOutputStream(file));
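Review bot: The owner-only permissions that motivate the new `Files.createTempFile(...)` call are applied only on file systems that support POSIX permissions; on other platforms the jar inherits the default permissions of the `java.io.tmpdir` directory, so the protection is platform-dependent and the Javadoc ending at the `*/` line above should say so, e.g. `* The agent jar is created with owner-only permissions where the file system supports POSIX permissions; elsewhere it inherits the defaults of java.io.tmpdir.` The same caveat applies to the TestAnchorParsing hunk in this commit. Converting the returned Path straight back with `.toFile()` also discards the NIO handle only to reopen the file through `FileOutputStream` on the last context line; keeping the Path as `Path path = Files.createTempFile(InstrumentationFactory.class.getName(), ".jar"); path.toFile().deleteOnExit(); ZipOutputStream zout = new ZipOutputStream(Files.newOutputStream(path));` would write through the same API that created the file. createAgentJar's body and the lifetime of `zout` continue outside the hunk.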
diff --git 
a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
 
b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
index 4b6be364b..7f2ca7992 100644
--- 
a/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
+++ 
b/openjpa-persistence-jdbc/src/test/java/org/apache/openjpa/lib/conf/TestAnchorParsing.java
@@ -23,6 +23,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.MissingResourceException;
 
@@ -142,7 +143,7 @@ public class TestAnchorParsing extends TestCase {
 
     private File resourceToTemporaryFile(String s) throws IOException {
         InputStream in = getClass().getClassLoader().getResourceAsStream(s);
-        File f = File.createTempFile("TestAnchorParsing", ".xml");
+        File f = Files.createTempFile("TestAnchorParsing", ".xml").toFile();
         OutputStream out = new FileOutputStream(f);
         byte[] bytes = new byte[1024];
         while (true) {
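Review bot: The Path returned by the new `Files.createTempFile("TestAnchorParsing", ".xml")` call is immediately discarded via `.toFile()` so that the manual 1024-byte copy loop on the following lines can run against a `FileOutputStream`; since the value is now a Path anyway, `Files.copy(in, path, StandardCopyOption.REPLACE_EXISTING)` would replace the loop and the unclosed output stream in one call, with `REPLACE_EXISTING` needed because the temp file already exists. That would also make the copy close its own handles, which the surrounding method does not appear to do, though the loop body runs past the hunk. The `in` stream from `getResourceAsStream(s)` on the line above is presumably non-null for the test's own resources; if a missing resource should fail loudly, `Objects.requireNonNull(in, s)` before the copy would give a clearer failure than a NullPointerException inside the loop. resourceToTemporaryFile's body continues outside the hunk.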
