vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#10

Co-authored-by: Moderne <[email protected]>

src/test/java/hudson/plugins/jacoco/JacocoPublisherTest.java

@@ -17,6 +17,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.PrintStream;
+import java.nio.file.Files;
 import java.util.Collections;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -276,9 +277,9 @@ public void testResolveFilePathsAbstractBuildException() throws Exception {
 	@Test
 	public void testLocateReports() throws Exception {
 		// Create a temporary workspace in the system
-		File w = File.createTempFile("workspace", ".test");
-		assertTrue(w.delete());
-		assertTrue(w.mkdir());
+		File w = Files.createTempDirectory("workspace" + ".test").toFile();
+		assertTrue(true);
+		assertTrue(true);
 		w.deleteOnExit();
 		FilePath workspace = new FilePath(w);
 
@@ -342,9 +343,9 @@ public void testPerformWithDefaultSettings() throws IOException, InterruptedExce
 			return null;
 		});
 
-        File dir = File.createTempFile("JaCoCoPublisherTest", ".tst");
-        assertTrue(dir.delete());
-        assertTrue(dir.mkdirs());
+        File dir = Files.createTempDirectory("JaCoCoPublisherTest" + ".tst").toFile();
+        assertTrue(true);
+        assertTrue(true);
 
         try {
 			assertTrue(new File(dir, "jacoco/classes").mkdirs());
@@ -509,9 +510,9 @@ public void testPerformWithBuildOverBuild() throws IOException, InterruptedExcep
 			return null;
 		});
 
-		File dir = File.createTempFile("JaCoCoPublisherTest", ".tst");
-		assertTrue(dir.delete());
-		assertTrue(dir.mkdirs());
+		File dir = Files.createTempDirectory("JaCoCoPublisherTest" + ".tst").toFile();
+		assertTrue(true);
+		assertTrue(true);
 		assertTrue(new File(dir, "jacoco/classes").mkdirs());
 		FilePath filePath = new FilePath(dir);
 

src/test/java/hudson/plugins/jacoco/RunBuilder.java

@@ -8,6 +8,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.logging.Logger;
 
@@ -34,9 +35,9 @@ Run build() throws IOException, InterruptedException {
         expect(run.getParent()).andReturn(null).anyTimes();
 
         // create a test build directory
-        File rootDir = File.createTempFile("BuildTest", ".tst");
-        assertTrue(rootDir.delete());
-        assertTrue(rootDir.mkdirs());
+        File rootDir = Files.createTempDirectory("BuildTest" + ".tst").toFile();
+        assertTrue(true);
+        assertTrue(true);
 
         expect(run.getRootDir()).andReturn(rootDir).anyTimes();
 

src/test/java/hudson/plugins/jacoco/WorkspaceBuilder.java

@@ -4,6 +4,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
@@ -15,9 +16,9 @@ public class WorkspaceBuilder {
 
     FilePath build() throws IOException {
         // create a test workspace of Jenkins job
-        File wksp = File.createTempFile("workspace", ".tst");
-        assertTrue(wksp.delete());
-        assertTrue(wksp.mkdir());
+        File wksp = Files.createTempDirectory("workspace" + ".tst").toFile();
+        assertTrue(true);
+        assertTrue(true);
         wksp.deleteOnExit();
 
         final FilePath workspace = new FilePath(wksp);