muse-dev[bot] commented on a change in pull request #1425:
URL: https://github.com/apache/groovy/pull/1425#discussion_r526919199
##########
File path:
src/main/java/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
##########
@@ -211,42 +213,21 @@ public static ResourceBundle getBundle(ResourceBundle
self, String bundleName, L
}
public static File createTempDir(File self) throws IOException {
- return createTempDir(self, "groovy-generated-", "-tmpdir");
+ return createTempDir(self, "groovy-generated-", "tmpdir-");
+ }
+
+ public static File createTempDir(File self, final String prefix) throws
IOException {
+ return createTempDirNio(prefix);
}
public static File createTempDir(File self, final String prefix, final
String suffix) throws IOException {
- final int MAXTRIES = 3;
- int accessDeniedCounter = 0;
- File tempFile=null;
- for (int i=0; i<MAXTRIES; i++) {
- try {
- tempFile = File.createTempFile(prefix, suffix);
- tempFile.delete();
- tempFile.mkdirs();
- break;
- } catch (IOException ioe) {
- if (ioe.getMessage().startsWith("Access is denied")) {
- accessDeniedCounter++;
- try {
- Thread.sleep(100);
- } catch (InterruptedException ignore) {
- }
- }
- if (i == MAXTRIES - 1) {
- if (accessDeniedCounter == MAXTRIES) {
- String msg = "Access is denied.\nWe tried " +
accessDeniedCounter +
- " times to create a temporary directory and
failed each time." +
- " If you are on Windows, you are possibly
victim to" +
- "
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169." +
- " This is not a bug in Groovy.";
- throw new IOException(msg);
- } else {
- throw ioe;
- }
- }
- }
- }
- return tempFile;
+ // more secure Files api doesn't support suffix, so just append it to
the prefix
+ return createTempDirNio(prefix + suffix);
+ }
+
+ private static File createTempDirNio(String prefix) throws IOException {
+ Path tempPath = Files.createTempDirectory(prefix);
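Review bot: The three-argument createTempDir passes `prefix + suffix` to createTempDirNio with no null handling, so a null suffix (or prefix) is concatenated as the literal text "null" and ends up in the directory name, whereas the removed `File.createTempFile(prefix, suffix)` call accepted a null suffix and fell back to its default. Suggest substituting an empty string for a null argument before concatenating. The Javadoc should also say that the suffix is no longer placed at the end of the name: with the changed default of "tmpdir-" in the one-argument overload, the generated name now begins with `groovy-generated-tmpdir-` and the random part comes last, which is a visible change for any caller that matched on the old `-tmpdir` ending.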
Review comment:
*PATH_TRAVERSAL_IN:* This API
(java/nio/file/Files.createTempDirectory(Ljava/lang/String;[Ljava/nio/file/attribute/FileAttribute;)Ljava/nio/file/Path;)
reads a file whose location might be specified by user input
[(details)](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]