Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Fix Temporary Directory Hijacking or Information Disclosure Vulnerability #1146

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 2 additions & 10 deletions qulice-spi/src/main/java/com/qulice/spi/Environment.java
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
Expand Down Expand Up @@ -157,16 +158,7 @@ final class Mock implements Environment {
public Mock() throws IOException {
this.params = new HashMap<>();
this.classpath = new HashSet<>(1);
final File temp = File.createTempFile(
"mock", ".qulice",
new File(System.getProperty("java.io.tmpdir"))
);
if (!temp.delete()) {
throw new IllegalStateException("files collision");
}
if (!temp.mkdirs()) {
throw new IllegalStateException("mkdir failed");
}
Comment on lines -167 to -169

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JLLeitschuh you wrote:

tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown.
// Attacker can write any new files to this directory that they wish.

but in this code we check the return value of mkdirs and throw an exception.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pull request fixes either 1. Temporary Directory Hijacking Vulnerability, or 2. Temporary Directory Information Disclosure Vulnerability, which existed in this project.

In this case, this fixes the second 'Temporary Directory Information Disclosure'. So while you are not vulnerable to the first vulnerability, you are vulnerable to the second

final File temp = Files.createTempDirectory(new File(System.getProperty("java.io.tmpdir")).toPath(), "mock" + ".qulice").toFile();
FileUtils.forceDeleteOnExit(temp);
this.basedir = new File(temp, "basedir");
if (this.basedir.mkdirs()) {
Expand Down