Feature #4100 Fix critical Vulnerability
"File.createTempFile" should not be used to create a directory
devent committed Oct 10, 2018
1 parent 936e971 commit 77a820b
Showing 1 changed file with 57 additions and 78 deletions.
@@ -1,18 +1,3 @@
/*
* Copyright 2016 Erwin Müller <erwin.mueller@deventm.org>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.anrisoftware.globalpom.fileresourcemanager;

/*-
@@ -24,9 +9,9 @@
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -39,6 +24,7 @@
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.file.Files;

import javax.inject.Inject;

@@ -51,77 +37,70 @@
/**
* Provides the file resource manager for ACID file operations. The store
* directory must be set before creating the manager.
*
*
* @author Erwin Mueller, erwin.mueller@deventm.org
* @since 1.8
*/
public class FileResourceManagerProvider implements
Provider<FileResourceManager> {
public class FileResourceManagerProvider implements Provider<FileResourceManager> {

@Inject
private FileResourceManagerProviderLogger log;
@Inject
private FileResourceManagerProviderLogger log;

private String storeDir;
private String storeDir;

private boolean debug;
private boolean debug;

/**
* Sets debug enabled for the file resource manager.
*
* @param debug
* set to {@code true} to enable debug before creating the
* manager.
*/
public void setDebug(boolean debug) {
this.debug = debug;
}
/**
* Sets debug enabled for the file resource manager.
*
* @param debug set to {@code true} to enable debug before creating the manager.
*/
public void setDebug(boolean debug) {
this.debug = debug;
}

/**
* Sets the store directory path for the file resource manager.
*
* @param path
* the store directory {@link File} path.
*/
public void setStoreDir(File path) {
setStoreDir(path.getAbsolutePath());
}
/**
* Sets the store directory path for the file resource manager.
*
* @param path the store directory {@link File} path.
*/
public void setStoreDir(File path) {
setStoreDir(path.getAbsolutePath());
}

/**
* Sets the store directory path for the file resource manager.
*
* @param path
* the store directory path.
*/
public void setStoreDir(String path) {
this.storeDir = path;
}
/**
* Sets the store directory path for the file resource manager.
*
* @param path the store directory path.
*/
public void setStoreDir(String path) {
this.storeDir = path;
}

@Override
public FileResourceManager get() {
String workDir = createTmpDir();
boolean urlEncodePath = false;
final ByteArrayOutputStream stream = new ByteArrayOutputStream(1024);
PrintWriter printWriter = new PrintWriter(stream) {
@Override
public void flush() {
super.flush();
log.logFileResourceMessage(stream.toString());
}
};
LoggerFacade logger = new PrintWriterLogger(printWriter, "", debug);
return new FileResourceManager(storeDir, workDir, urlEncodePath, logger);
}
@Override
public FileResourceManager get() {
String workDir = createTmpDir();
boolean urlEncodePath = false;
final ByteArrayOutputStream stream = new ByteArrayOutputStream(1024);
PrintWriter printWriter = new PrintWriter(stream) {
@Override
public void flush() {
super.flush();
log.logFileResourceMessage(stream.toString());
}
};
LoggerFacade logger = new PrintWriterLogger(printWriter, "", debug);
return new FileResourceManager(storeDir, workDir, urlEncodePath, logger);
}

private String createTmpDir() {
try {
File tmp = File.createTempFile("fileresourcemanager", null);
tmp.delete();
tmp.mkdir();
String workDir = tmp.getAbsolutePath();
return workDir;
} catch (IOException e) {
throw log.errorCreateWorkDir(e);
}
}
private String createTmpDir() {
try {
File tmp = Files.createTempDirectory("fileresourcemanager").toFile();
String workDir = tmp.getAbsolutePath();
return workDir;
} catch (IOException e) {
throw log.errorCreateWorkDir(e);
}
}

}
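Review bot: Every call to `get()` still leaves a new `fileresourcemanager*` directory in the shared `java.io.tmpdir`, and nothing visible in this class removes it; `createTmpDir()` fixes the creation race but not the directory's lifetime or location. The work directory presumably holds the manager's in-flight transaction data, and its access rights are whatever the platform default gives, which may be narrower on POSIX than where rights are inherited from the parent directory. Consider creating it under a parent the application controls with the two-argument overload, `Files.createTempDirectory(parentDir, "fileresourcemanager")`, where `parentDir` is a `Path` the caller owns. The Javadoc of `get()` should also state who removes the work directory once the manager is no longer used. As a style point, the `tmp` and `workDir` locals can collapse into `return Files.createTempDirectory("fileresourcemanager").toAbsolutePath().toString();`.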
