

vuln-fix: Temporary File Information Disclosure
This fixes a temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method, which sets the correct POSIX permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <team@moderne.io>
JLLeitschuh and TeamModerne committed Nov 19, 2022
1 parent 308e09c commit ae0af24
Showing 5 changed files with 34 additions and 30 deletions.
3 changes: 2 additions & 1 deletion src/main/java/net/sf/mpxj/common/FileHelper.java
Expand Up @@ -25,6 +25,7 @@

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
* Common helper methods for working with files.
Expand Down Expand Up @@ -110,7 +111,7 @@ public static final void mkdirsQuietly(File file)
*/
public static final File createTempDir() throws IOException
{
File dir = File.createTempFile("mpxj", "tmp");
File dir = Files.createTempFile("mpxj", "tmp").toFile();
delete(dir);
mkdirs(dir);
return dir;
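Review bot: The new createTempDir line still feeds into `delete(dir); mkdirs(dir);`, which gives back the window the commit is meant to close: the securely created file is removed and the same path is recreated by mkdirs with default umask permissions, and between the two calls another local process can claim that name. `Files.createTempDirectory("mpxj")` creates the directory in one step with owner-only permissions on POSIX file systems, so the whole body can become `return Files.createTempDirectory("mpxj").toFile();`. If the delete/mkdirs helpers are kept for some other reason, at least document in the Javadoc that the directory's permissions are not the restrictive ones the temp-file call produced. createTempDir's closing brace is outside the hunk.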
3 changes: 2 additions & 1 deletion src/main/java/net/sf/mpxj/common/InputStreamHelper.java
Expand Up @@ -27,6 +27,7 @@
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
Expand All @@ -49,7 +50,7 @@ public static File writeStreamToTempFile(InputStream inputStream, String tempFil

try
{
File file = File.createTempFile("mpxj", tempFileSuffix);
File file = Files.createTempFile("mpxj", tempFileSuffix).toFile();
outputStream = new FileOutputStream(file);
byte[] buffer = new byte[1024];
while (true)
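Review bot: `tempFileSuffix` on the new line is caller-supplied and now goes straight into `Files.createTempFile`, whose acceptance rules differ slightly from `File.createTempFile`, so the method's Javadoc (outside the hunk) should state them: a null suffix falls back to `.tmp`, and, as far as I recall, a prefix or suffix containing a path separator is rejected with IllegalArgumentException rather than IOException. I would add `@param tempFileSuffix suffix for the temp file name, e.g. ".mpp"; may be null (defaults to ".tmp"); must not contain path separators` and `@throws IllegalArgumentException if the suffix is not a valid file-name fragment`. Separately, since the path is now at hand, the manual 1024-byte copy loop that follows could become `Files.copy(inputStream, path, StandardCopyOption.REPLACE_EXISTING)`, though that touches the stream handling outside the hunk and is only worth it if `outputStream` is not needed elsewhere. writeStreamToTempFile starts and ends outside the hunk.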
4 changes: 2 additions & 2 deletions src/test/java/net/sf/mpxj/junit/CustomerDataTest.java
Expand Up @@ -174,7 +174,7 @@ public CustomerDataTest()

// Accessing the database directly from (new) Google Drive is too slow.
// Make a temporary local copy instead.
File file = File.createTempFile("primavera", "db");
File file = Files.createTempFile("primavera", "db").toFile();
file.deleteOnExit();
Files.copy(new File(m_primaveraFile).toPath(), file.toPath(), StandardCopyOption.REPLACE_EXISTING);

Expand Down Expand Up @@ -616,7 +616,7 @@ private boolean testBaseline(String name, ProjectFile project, File baselineDir,

if (baselineFile.exists())
{
File out = File.createTempFile("junit", suffix);
File out = Files.createTempFile("junit", suffix).toFile();
writer.write(project, out);
success = FileUtility.equals(baselineFile, out);

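Review bot: In the second hunk `out` is created and written, but no `deleteOnExit()` for it is visible, and where the tests do register deletion (LocaleTest and many BasicTest hunks such as the sample98.mpp and sample.mpp cases) it comes after the write, so a writer that throws leaves the temp file behind. The cheap fix is to call `out.deleteOnExit();` on the line right after each `Files.createTempFile(...).toFile()`, as the first hunk already does for `file`; the cleaner one, since these files already use JUnit 4, is a `@Rule public TemporaryFolder tmp = new TemporaryFolder();` with `File out = tmp.newFile("junit" + suffix);`, which is removed after each test regardless of outcome. Whether cleanup happens further down each method is not visible here. The same applies to the LocaleTest and BasicTest sections below.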
3 changes: 2 additions & 1 deletion src/test/java/net/sf/mpxj/junit/LocaleTest.java
Expand Up @@ -26,6 +26,7 @@
import static net.sf.mpxj.junit.MpxjAssert.*;

import java.io.File;
import java.nio.file.Files;
import java.util.Locale;

import org.junit.Test;
Expand Down Expand Up @@ -64,7 +65,7 @@ private void testLocale(Locale locale) throws Exception

File in = new File(MpxjTestData.filePath("legacy/sample.mpx"));
ProjectFile mpx = reader.read(in);
File out = File.createTempFile("junit-" + locale.getLanguage(), ".mpx");
File out = Files.createTempFile("junit-" + locale.getLanguage(), ".mpx").toFile();
writer.setLocale(locale);
writer.write(mpx, out);

51 changes: 26 additions & 25 deletions src/test/java/net/sf/mpxj/junit/legacy/BasicTest.java
Expand Up @@ -26,6 +26,7 @@
import static org.junit.Assert.*;

import java.io.File;
import java.nio.file.Files;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Iterator;
Expand Down Expand Up @@ -74,7 +75,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample.mpx"));
ProjectFile mpx = new MPXReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
MPXWriter writer = new MPXWriter();
writer.setUseLocaleDefaults(false);
writer.write(mpx, out);
Expand All @@ -93,7 +94,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample1.xml"));
ProjectFile xml = new MSPDIReader().read(in);
File out = File.createTempFile("junit", ".xml");
File out = Files.createTempFile("junit", ".xml").toFile();
new MSPDIWriter().write(xml, out);
boolean success = FileUtility.equals(in, out);
assertTrue("Files are not identical", success);
Expand All @@ -110,7 +111,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample1.mpx"));
ProjectFile mpx = new MPXReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
MPXWriter writer = new MPXWriter();
writer.setUseLocaleDefaults(false);
writer.write(mpx, out);
Expand All @@ -128,7 +129,7 @@ public class BasicTest
File in = new File(MpxjTestData.filePath("legacy/empty.mpp"));
ProjectFile mpx = new MPPReader().read(in);
mpx.getProjectProperties().setCurrentDate(new SimpleDateFormat("dd/MM/yyyy").parse("01/03/2006"));
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
MPXWriter writer = new MPXWriter();
writer.setUseLocaleDefaults(false);
writer.write(mpx, out);
Expand All @@ -144,7 +145,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample.mpx"));
ProjectFile mpx = new MPXReader().read(in);
File out = File.createTempFile("junit", ".planner");
File out = Files.createTempFile("junit", ".planner").toFile();
new PlannerWriter().write(mpx, out);
//success = FileUtility.equals (in, out);
//assertTrue ("Files are not identical", success);
Expand Down Expand Up @@ -267,7 +268,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample98.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);
commonTests(mpp);
out.deleteOnExit();
Expand All @@ -280,7 +281,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);
commonTests(mpp);
out.deleteOnExit();
Expand All @@ -293,7 +294,7 @@ public class BasicTest
{
File in = new File(MpxjTestData.filePath("legacy/sample.xml"));
ProjectFile xml = new MSPDIReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(xml, out);
commonTests(xml);
out.deleteOnExit();
Expand Down Expand Up @@ -353,12 +354,12 @@ private void commonTests(ProjectFile file)
{
File in = new File(MpxjTestData.filePath("legacy/sample.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);

ProjectFile mpx = new MPXReader().read(out);
out.deleteOnExit();
out = File.createTempFile("junit", ".xml");
out = Files.createTempFile("junit", ".xml").toFile();
new MSPDIWriter().write(mpx, out);
out.deleteOnExit();
}
Expand Down Expand Up @@ -428,7 +429,7 @@ private void commonTests(ProjectFile file)
task5.setStart(new Date());
task5.setNotes(notes5);

File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(file1, out);

ProjectFile file2 = new MPXReader().read(out);
Expand Down Expand Up @@ -490,7 +491,7 @@ private void commonTests(ProjectFile file)
resource5.setName("Test Resource 5");
resource5.setNotes(notes5);

File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(file1, out);

ProjectFile file2 = new MPXReader().read(out);
Expand Down Expand Up @@ -524,7 +525,7 @@ private void commonTests(ProjectFile file)
{
File in = new File(MpxjTestData.filePath("legacy/bug1.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);
out.deleteOnExit();
}
Expand All @@ -536,7 +537,7 @@ private void commonTests(ProjectFile file)
{
File in = new File(MpxjTestData.filePath("legacy/bug2.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);
out.deleteOnExit();
}
Expand All @@ -563,7 +564,7 @@ private void commonTests(ProjectFile file)
{
File in = new File(MpxjTestData.filePath("legacy/bug4.mpp"));
ProjectFile mpp = new MPPReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out.getAbsolutePath());
out.deleteOnExit();
}
Expand Down Expand Up @@ -896,7 +897,7 @@ private boolean testSingleFlagTrue(boolean[] flags, int index)
//
// Write this out as an MSPDI file
//
File out = File.createTempFile("junit", ".xml");
File out = Files.createTempFile("junit", ".xml").toFile();
new MSPDIWriter().write(mpp, out);

//
Expand Down Expand Up @@ -927,7 +928,7 @@ private boolean testSingleFlagTrue(boolean[] flags, int index)
ProjectFile xml = reader.read(in);
validateAliases(xml);

File out = File.createTempFile("junit", ".xml");
File out = Files.createTempFile("junit", ".xml").toFile();
writer.write(xml, out);

xml = reader.read(out);
Expand Down Expand Up @@ -1247,7 +1248,7 @@ private void validateAliases(ProjectFile mpx)
//
// Write the file
//
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(file, out);

//
Expand Down Expand Up @@ -1338,7 +1339,7 @@ private void validateAliases(ProjectFile mpx)
ProjectFile xml = reader.read(MpxjTestData.filePath("legacy/mspextattr.xml"));
commonMspdiExtendedAttributeTests(xml);

File out = File.createTempFile("junit", ".xml");
File out = Files.createTempFile("junit", ".xml").toFile();
writer.write(xml, out);

xml = reader.read(out);
Expand Down Expand Up @@ -1404,7 +1405,7 @@ private void commonMspdiExtendedAttributeTests(ProjectFile xml)
// Write the file, re-read it and test to ensure that
// the project properties have the expected values
//
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
writer.write(mpx, out);
mpx = reader.read(out);
testProperties(mpx);
Expand Down Expand Up @@ -1435,7 +1436,7 @@ private void commonMspdiExtendedAttributeTests(ProjectFile xml)
// Write the file, re-read it and test to ensure that
// the project properties have the expected values
//
out = File.createTempFile("junit", ".xml");
out = Files.createTempFile("junit", ".xml").toFile();
new MSPDIWriter().write(mpx, out);

mpx = new MSPDIReader().read(out);
Expand Down Expand Up @@ -1512,13 +1513,13 @@ private void testMspdiProperties(ProjectFile file)
ProjectFile xml = new MSPDIReader().read(MpxjTestData.filePath("legacy/mspdipriority.xml"));
validatePriority(xml);

File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpx, out);
ProjectFile mpx2 = new MPXReader().read(out);
validatePriority(mpx2);
out.deleteOnExit();

out = File.createTempFile("junit", ".xml");
out = Files.createTempFile("junit", ".xml").toFile();
new MSPDIWriter().write(mpx, out);
ProjectFile xml3 = new MSPDIReader().read(out);
validatePriority(xml3);
Expand Down Expand Up @@ -1720,7 +1721,7 @@ private void validateTaskCalendars(ProjectFile mpx)
//
// Write the file and re-read it to ensure we get consistent results.
//
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
new MPXWriter().write(mpp, out);

ProjectFile mpx = new MPXReader().read(out);
Expand All @@ -1737,7 +1738,7 @@ private void validateTaskCalendars(ProjectFile mpx)
{
File in = new File(MpxjTestData.filePath("legacy/calendarExceptions.mpx"));
ProjectFile mpx = new MPXReader().read(in);
File out = File.createTempFile("junit", ".mpx");
File out = Files.createTempFile("junit", ".mpx").toFile();
MPXWriter writer = new MPXWriter();
writer.setUseLocaleDefaults(false);
writer.write(mpx, out);
