From bcce1513d8a4c1a52327ea850e7720c9cd12d5cf Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Sat, 19 Nov 2022 22:25:39 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../modules/csharp_client/TestCSharpSerialization.java | 5 +++--
 .../javascript_client/TestJavaScriptSerialization.java | 5 +++--
 .../modules/objc_client/TestObjCSerialization.java | 9 +++++----
 .../php_json_client/TestPHPJsonSerialization.java | 5 +++--
 .../modules/php_xml_client/TestPHPXmlSerialization.java | 5 +++--
 .../modules/ruby_json_client/TestRubySerialization.java | 5 +++--
 .../java/com/webcohesion/enunciate/mojo/ConfigMojo.java | 3 ++-
 .../enunciate/mojo/DeployArtifactBaseMojo.java | 3 ++-
 8 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/csharp-xml-client/src/test/java/com/webcohesion/enunciate/modules/csharp_client/TestCSharpSerialization.java b/csharp-xml-client/src/test/java/com/webcohesion/enunciate/modules/csharp_client/TestCSharpSerialization.java
index d4922bef3..0c9d9dc41 100644
--- a/csharp-xml-client/src/test/java/com/webcohesion/enunciate/modules/csharp_client/TestCSharpSerialization.java
+++ b/csharp-xml-client/src/test/java/com/webcohesion/enunciate/modules/csharp_client/TestCSharpSerialization.java
@@ -34,6 +34,7 @@
 import java.io.File;
 import java.io.InputStreamReader;
 import java.net.URI;
+import java.nio.file.Files;
 import java.util.*;
 /**
@@ -551,8 +552,8 @@ else if (Figure instanceof House) {
 protected T processThroughXml(T object) throws Exception {
 JAXBContext context = JAXBContext.newInstance(object.getClass());
 Marshaller marshaller = context.createMarshaller();
- File in = File.createTempFile(object.getClass().getName(), ".xml", this.tempDir);
- File out = File.createTempFile(object.getClass().getName(), ".xml", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName(), ".xml").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName(), ".xml").toFile();
 marshaller.marshal(object, in);
 Process process = new ProcessBuilder("mono", this.exe.getAbsolutePath(), convertClassname(object.getClass().getName()), in.getAbsolutePath(), out.getAbsolutePath())
 .redirectErrorStream(true)
diff --git a/javascript-client/src/test/java/com/webcohesion/enunciate/modules/javascript_client/TestJavaScriptSerialization.java b/javascript-client/src/test/java/com/webcohesion/enunciate/modules/javascript_client/TestJavaScriptSerialization.java
index 2bde25e8e..4956a9574 100644
--- a/javascript-client/src/test/java/com/webcohesion/enunciate/modules/javascript_client/TestJavaScriptSerialization.java
+++ b/javascript-client/src/test/java/com/webcohesion/enunciate/modules/javascript_client/TestJavaScriptSerialization.java
@@ -23,6 +23,7 @@
 import junit.framework.TestCase;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 import com.webcohesion.enunciate.examples.javascript_client.schema.*;
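Review bot: The two files created by the new `Files.createTempFile` lines in processThroughXml are never removed, so every call leaves `in` and `out` behind in `tempDir` (the method continues past the hunk and no `deleteOnExit()` or `finally` delete is visible in it). Adding `in.deleteOnExit(); out.deleteOnExit();` right after they are created, or deleting both in a `finally` once the process output has been consumed, would keep serialized test fixtures from accumulating. Note also that the new call dereferences `this.tempDir` via `toPath()`, whereas `File.createTempFile` accepted a null directory and fell back to the system temp dir — if `tempDir` can be unset in some test setups this is now a NullPointerException; and the owner-only permissions `Files.createTempFile` applies are only guaranteed on POSIX file systems. The same points apply to the processThroughJson/processThroughXml hunks in TestJavaScriptSerialization, TestObjCSerialization, TestPHPJsonSerialization, TestPHPXmlSerialization and TestRubySerialization.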
@@ -523,8 +524,8 @@ else if (Figure instanceof House) {
 protected T processThroughJson(T object) throws Exception {
 JacksonJaxbJsonProvider provider = new JacksonJaxbJsonProvider();
- File in = File.createTempFile(object.getClass().getName() + "In", ".json", this.tempDir);
- File out = File.createTempFile(object.getClass().getName() + "Out", ".json", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "In", ".json").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "Out", ".json").toFile();
 FileOutputStream fos = new FileOutputStream(in);
 provider.writeTo(object, object.getClass(), null, null, null, null, fos);
 fos.close();
diff --git a/obj-c-xml-client/src/test/java/com/webcohesion/enunciate/modules/objc_client/TestObjCSerialization.java b/obj-c-xml-client/src/test/java/com/webcohesion/enunciate/modules/objc_client/TestObjCSerialization.java
index 2e3ee7e92..e31ef85a5 100644
--- a/obj-c-xml-client/src/test/java/com/webcohesion/enunciate/modules/objc_client/TestObjCSerialization.java
+++ b/obj-c-xml-client/src/test/java/com/webcohesion/enunciate/modules/objc_client/TestObjCSerialization.java
@@ -38,9 +38,10 @@
 import java.io.File;
 import java.io.InputStreamReader;
 import java.net.URI;
+import java.nio.file.Files;
 import java.util.*;
-/**
+ /**
 * Makes sure Objecitve C serialization is working correctly.
 *
 * @author Ryan Heaton
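Review bot: The `+ /**` line in the TestObjCSerialization import hunk indents the class Javadoc opener by one space, which is unrelated to the temp-file fix and leaves it misaligned with the ` * ` continuation lines that follow; keep it as `/**`. This looks like an artifact of the automated recipe run, so the other touched files are worth a glance for the same stray whitespace.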
@@ -654,8 +655,8 @@ else if (Figure instanceof House) {
 protected T processThroughXml(T object) throws Exception {
 JAXBContext context = JAXBContext.newInstance(object.getClass());
 Marshaller marshaller = context.createMarshaller();
- File in = File.createTempFile(getName(), ".in.xml", this.tempDir);
- File out = File.createTempFile(getName(), ".out.xml", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), getName(), ".in.xml").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), getName(), ".out.xml").toFile();
 marshaller.marshal(object, in);
 // System.out.printf("%s %s %s %s\n", this.exe.getAbsolutePath(), object.getClass().getSimpleName().toLowerCase(), in.getAbsolutePath(), out.getAbsolutePath());
 Process process = new ProcessBuilder(this.exe.getAbsolutePath(), object.getClass().getSimpleName().toLowerCase(), in.getAbsolutePath(), out.getAbsolutePath())
@@ -694,4 +695,4 @@ protected String packageToModule(String pckg) {
 }
 }
-}
\ No newline at end of file
+}
diff --git a/php-json-client/src/test/java/com/webcohesion/enunciate/modules/php_json_client/TestPHPJsonSerialization.java b/php-json-client/src/test/java/com/webcohesion/enunciate/modules/php_json_client/TestPHPJsonSerialization.java
index fa364e1e8..08fbe1934 100644
--- a/php-json-client/src/test/java/com/webcohesion/enunciate/modules/php_json_client/TestPHPJsonSerialization.java
+++ b/php-json-client/src/test/java/com/webcohesion/enunciate/modules/php_json_client/TestPHPJsonSerialization.java
@@ -23,6 +23,7 @@
 import junit.framework.TestCase;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 import com.webcohesion.enunciate.examples.php_json_client.schema.*;
@@ -523,8 +524,8 @@ else if (Figure instanceof House) {
 protected T processThroughJson(T object) throws Exception {
 JacksonJaxbJsonProvider provider = new JacksonJaxbJsonProvider();
- File in = File.createTempFile(object.getClass().getName() + "In", ".json", this.tempDir);
- File out = File.createTempFile(object.getClass().getName() + "Out", ".json", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "In", ".json").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "Out", ".json").toFile();
 FileOutputStream fos = new FileOutputStream(in);
 provider.writeTo(object, object.getClass(), null, null, null, null, fos);
 fos.close();
diff --git a/php-xml-client/src/test/java/com/webcohesion/enunciate/modules/php_xml_client/TestPHPXmlSerialization.java b/php-xml-client/src/test/java/com/webcohesion/enunciate/modules/php_xml_client/TestPHPXmlSerialization.java
index 9adee0dcc..fbadc5bd7 100644
--- a/php-xml-client/src/test/java/com/webcohesion/enunciate/modules/php_xml_client/TestPHPXmlSerialization.java
+++ b/php-xml-client/src/test/java/com/webcohesion/enunciate/modules/php_xml_client/TestPHPXmlSerialization.java
@@ -29,6 +29,7 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.InputStreamReader;
+import java.nio.file.Files;
 import java.util.*;
 /**
@@ -527,8 +528,8 @@ else if (Figure instanceof House) {
 protected T processThroughXml(T object) throws Exception {
 JAXBContext context = JAXBContext.newInstance(object.getClass());
 Marshaller marshaller = context.createMarshaller();
- File in = File.createTempFile(object.getClass().getName() + "In", ".xml", this.tempDir);
- File out = File.createTempFile(object.getClass().getName() + "Out", ".xml", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "In", ".xml").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "Out", ".xml").toFile();
 FileOutputStream fos = new FileOutputStream(in);
 marshaller.marshal(object, in);
 fos.close();
diff --git a/ruby-json-client/src/test/java/com/webcohesion/enunciate/modules/ruby_json_client/TestRubySerialization.java b/ruby-json-client/src/test/java/com/webcohesion/enunciate/modules/ruby_json_client/TestRubySerialization.java
index 4c83e7faa..1b984dc2f 100644
--- a/ruby-json-client/src/test/java/com/webcohesion/enunciate/modules/ruby_json_client/TestRubySerialization.java
+++ b/ruby-json-client/src/test/java/com/webcohesion/enunciate/modules/ruby_json_client/TestRubySerialization.java
@@ -24,6 +24,7 @@
 import junit.framework.TestCase;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 /**
@@ -522,8 +523,8 @@ else if (Figure instanceof House) {
 protected T processThroughJson(T object) throws Exception {
 JacksonJaxbJsonProvider provider = new JacksonJaxbJsonProvider();
- File in = File.createTempFile(object.getClass().getName() + "In", ".json", this.tempDir);
- File out = File.createTempFile(object.getClass().getName() + "Out", ".json", this.tempDir);
+ File in = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "In", ".json").toFile();
+ File out = Files.createTempFile(this.tempDir.toPath(), object.getClass().getName() + "Out", ".json").toFile();
 FileOutputStream fos = new FileOutputStream(in);
 provider.writeTo(object, object.getClass(), null, null, null, null, fos);
 fos.close();
diff --git a/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/ConfigMojo.java b/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/ConfigMojo.java
index 54a0c09ac..aa8ea149a 100644
--- a/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/ConfigMojo.java
+++ b/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/ConfigMojo.java
@@ -64,6 +64,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 import java.util.*;
 /**
@@ -681,7 +682,7 @@ protected void loadConfig(Enunciate config, File configFile) throws IOException,
 }
 else {
 this.buildDir.mkdirs();
- File filteredConfig = File.createTempFile("enunciateConfig", ".xml", this.buildDir);
+ File filteredConfig = Files.createTempFile(this.buildDir.toPath(), "enunciateConfig", ".xml").toFile();
 getLog().debug("[ENUNCIATE] Filtering " + configFile + " to " + filteredConfig + "...");
 this.configFilter.copyFile(configFile, filteredConfig, true, this.project, new ArrayList(), true, "utf-8", this.session);
 config.loadConfiguration(filteredConfig); //load the filtered configuration...
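Review bot: The filtered copy created by the new `Files.createTempFile` line in ConfigMojo.loadConfig is never deleted, so each build leaves an `enunciateConfig*.xml` under `buildDir` holding the property-substituted configuration, which can include values the unfiltered file only references. A `filteredConfig.deleteOnExit();` right after creation, or a `finally` delete after `config.loadConfiguration(filteredConfig);`, would close that. The result of `this.buildDir.mkdirs()` on the preceding line is also ignored, so when the directory cannot be created the new call fails with a `NoSuchFileException` that does not say why; checking the return value, or using `Files.createDirectories(this.buildDir.toPath())`, gives a clearer error. The rest of loadConfig lies outside the hunk.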
diff --git a/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/DeployArtifactBaseMojo.java b/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/DeployArtifactBaseMojo.java
index 740e5c267..0cbbcc5e4 100644
--- a/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/DeployArtifactBaseMojo.java
+++ b/slim-maven-plugin/src/main/java/com/webcohesion/enunciate/mojo/DeployArtifactBaseMojo.java
@@ -21,6 +21,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.Reader;
+import java.nio.file.Files;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -404,7 +405,7 @@ private File generatePomFile(Model model) throws MojoExecutionException {
 FileWriter fw = null;
 try {
- File tempFile = File.createTempFile("mvninstall", ".pom");
+ File tempFile = Files.createTempFile("mvninstall", ".pom").toFile();
 tempFile.deleteOnExit();