This is an automated email from the ASF dual-hosted git repository.

jzemerick pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/opennlp.git


The following commit(s) were added to refs/heads/master by this push:
     new d6df0f0f vuln-fix: Temporary File Information Disclosure (#435)
d6df0f0f is described below

commit d6df0f0f26c831cfd416afa451bffffcb72b0e67
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Mon Dec 5 10:45:05 2022 -0500

    vuln-fix: Temporary File Information Disclosure (#435)
    
    OPENNLP-1398 - This fixes a temporary file information disclosure
vulnerability due to the use of the vulnerable `File.createTempFile()` method.
---
 .../src/main/java/opennlp/tools/ml/model/TwoPassDataIndexer.java       | 3 ++-
 .../src/test/java/opennlp/tools/cmdline/TokenNameFinderToolTest.java   | 3 ++-
 .../src/test/java/opennlp/tools/formats/DirectorySampleStreamTest.java | 2 +-
 .../test/java/opennlp/tools/ml/model/ModelParameterChunkerTest.java    | 2 +-
 .../src/test/java/opennlp/tools/namefind/TokenNameFinderModelTest.java | 2 +-
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git 
a/opennlp-tools/src/main/java/opennlp/tools/ml/model/TwoPassDataIndexer.java 
b/opennlp-tools/src/main/java/opennlp/tools/ml/model/TwoPassDataIndexer.java
index 4121e36c..3f6117ef 100644
--- a/opennlp-tools/src/main/java/opennlp/tools/ml/model/TwoPassDataIndexer.java
+++ b/opennlp-tools/src/main/java/opennlp/tools/ml/model/TwoPassDataIndexer.java
@@ -27,6 +27,7 @@ import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.nio.file.Files;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -59,7 +60,7 @@ public class TwoPassDataIndexer extends AbstractDataIndexer {
 
     Map<String,Integer> predicateIndex = new HashMap<>();
 
-    File tmp = File.createTempFile("events", null);
+    File tmp = Files.createTempFile("events", null).toFile();
     tmp.deleteOnExit();
     int numEvents;
     BigInteger writeHash;
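Review bot: The reason for switching to `Files.createTempFile` on the replaced line is not recorded in the code, so a later cleanup could reintroduce `File.createTempFile` without anyone noticing the regression. A short comment would pin it: `// Files.createTempFile sets restrictive (owner-only on POSIX) permissions; File.createTempFile does not (OPENNLP-1398).` The file still lands in the shared java.io.tmpdir, and `tmp.deleteOnExit()` on the next line only removes it on an orderly JVM shutdown, so a crash or kill leaves the indexed event data on disk; deleting it in a finally once the second pass is done would be more robust, but the enclosing method starts and ends outside this hunk, so I cannot see whether that already happens.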
diff --git 
a/opennlp-tools/src/test/java/opennlp/tools/cmdline/TokenNameFinderToolTest.java
 
b/opennlp-tools/src/test/java/opennlp/tools/cmdline/TokenNameFinderToolTest.java
index e5925d88..9dbd50b7 100644
--- 
a/opennlp-tools/src/test/java/opennlp/tools/cmdline/TokenNameFinderToolTest.java
+++ 
b/opennlp-tools/src/test/java/opennlp/tools/cmdline/TokenNameFinderToolTest.java
@@ -26,6 +26,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
@@ -120,7 +121,7 @@ public class TokenNameFinderToolTest {
           nameFinderFactory);
     }
 
-    File modelFile = File.createTempFile("model", ".bin");
+    File modelFile = Files.createTempFile("model", ".bin").toFile();
 
     try (BufferedOutputStream modelOut =
              new BufferedOutputStream(new FileOutputStream(modelFile))) {
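Review bot: The new `modelFile` on the replaced line has no cleanup visible in this hunk — no `deleteOnExit()` and no delete in a finally — so unless the enclosing test method (which starts and ends outside the hunk) removes it, each run leaves a model file in the temp directory. Since this file already imports JUnit 5 (`org.junit.jupiter.api`), the `@TempDir` extension from `org.junit.jupiter.api.io` would handle creation and cleanup per test: `@TempDir Path tmpDir;` and `File modelFile = tmpDir.resolve("model.bin").toFile();`. The same applies to the other test hunks in this commit (DirectorySampleStreamTest, ModelParameterChunkerTest, TokenNameFinderModelTest); in ModelParameterChunkerTest the `deleteOnExit()` in `@BeforeEach` registers one file per test and defers deletion to JVM exit rather than cleaning up per test.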
diff --git 
a/opennlp-tools/src/test/java/opennlp/tools/formats/DirectorySampleStreamTest.java
 
b/opennlp-tools/src/test/java/opennlp/tools/formats/DirectorySampleStreamTest.java
index ba06ae1e..4c42e349 100644
--- 
a/opennlp-tools/src/test/java/opennlp/tools/formats/DirectorySampleStreamTest.java
+++ 
b/opennlp-tools/src/test/java/opennlp/tools/formats/DirectorySampleStreamTest.java
@@ -100,7 +100,7 @@ public class DirectorySampleStreamTest {
     files.add(temp1);
     
     File tempSubDirectory = createTempFolder("sub1");
-    File temp2 = File.createTempFile("sub1", ".tmp", tempSubDirectory);
+    File temp2 = Files.createTempFile(tempSubDirectory.toPath(), "sub1", 
".tmp").toFile();
     files.add(temp2);
 
     DirectorySampleStream stream = new 
DirectorySampleStream(tempDirectory.toFile(), filter, true);
diff --git 
a/opennlp-tools/src/test/java/opennlp/tools/ml/model/ModelParameterChunkerTest.java
 
b/opennlp-tools/src/test/java/opennlp/tools/ml/model/ModelParameterChunkerTest.java
index cbf3a89b..c2a5c198 100644
--- 
a/opennlp-tools/src/test/java/opennlp/tools/ml/model/ModelParameterChunkerTest.java
+++ 
b/opennlp-tools/src/test/java/opennlp/tools/ml/model/ModelParameterChunkerTest.java
@@ -42,7 +42,7 @@ public class ModelParameterChunkerTest {
 
   @BeforeEach
   void setup() throws IOException {
-    tmp = File.createTempFile("chunker-test", ".dat");
+    tmp = Files.createTempFile("chunker-test", ".dat").toFile();
     tmp.deleteOnExit();
   }
 
diff --git 
a/opennlp-tools/src/test/java/opennlp/tools/namefind/TokenNameFinderModelTest.java
 
b/opennlp-tools/src/test/java/opennlp/tools/namefind/TokenNameFinderModelTest.java
index 6b0e9d97..2ca843fd 100644
--- 
a/opennlp-tools/src/test/java/opennlp/tools/namefind/TokenNameFinderModelTest.java
+++ 
b/opennlp-tools/src/test/java/opennlp/tools/namefind/TokenNameFinderModelTest.java
@@ -95,7 +95,7 @@ public class TokenNameFinderModelTest {
             featureGeneratorString.getBytes(), resources, new BioCodec()));
 
 
-    File model = File.createTempFile("nermodel", ".bin");
+    File model = Files.createTempFile("nermodel", ".bin").toFile();
     try {
       FileOutputStream modelOut = new FileOutputStream(model);
       nameFinderModel.serialize(modelOut);
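Review bot: The `FileOutputStream modelOut` opened on the line after the new `model` file is not in a try-with-resources in the visible lines, and the `try` block continues beyond the hunk, so I cannot see whether it is closed; if it is not, the handle stays open until GC and a later delete of `model` can fail on Windows. Wrapping it would make the close explicit: `try (FileOutputStream modelOut = new FileOutputStream(model)) { nameFinderModel.serialize(modelOut); }` inside the existing `try`. The enclosing test method starts and ends outside this hunk.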
