Skip to content
Permalink
Browse files Browse the repository at this point in the history
vuln-fix: Temporary Directory Hijacking or Information Disclosure
This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#10


Co-authored-by: Moderne <team@moderne.io>
  • Loading branch information
JLLeitschuh and TeamModerne committed Oct 4, 2022
1 parent 280bc9c commit 94653cb
Showing 1 changed file with 2 additions and 3 deletions.
Expand Up @@ -9,6 +9,7 @@
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
Expand Down Expand Up @@ -80,9 +81,7 @@ public static void main (String[] args) throws URISyntaxException, IOException,
* Returns the absolute path to the temp directory.
*/
public static File createTempDir(int port) throws IOException {
File tempDir = File.createTempFile("portofino.tomcat.", "." + port);
tempDir.delete();
tempDir.mkdir();
File tempDir = Files.createTempDirectory("portofino.tomcat." + "." + port).toFile();
tempDir.deleteOnExit();
return tempDir;
}
Expand Down

0 comments on commit 94653cb

Please sign in to comment.