From cbfc1581f94a7b99ece66f4600761356e2645e0c Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Sat, 19 Nov 2022 02:52:24 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>
---
 .../src/main/java/ninja/uploads/DiskFileItemProvider.java       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ninja-core/src/main/java/ninja/uploads/DiskFileItemProvider.java b/ninja-core/src/main/java/ninja/uploads/DiskFileItemProvider.java
index d868b5feaa..b10b5f55ec 100644
--- a/ninja-core/src/main/java/ninja/uploads/DiskFileItemProvider.java
+++ b/ninja-core/src/main/java/ninja/uploads/DiskFileItemProvider.java
@@ -67,7 +67,7 @@ public FileItem create(FileItemStream item) {
         
         // do copy
         try (InputStream is = item.openStream()) {
-            tmpFile = File.createTempFile("nju", null, tmpFolder);
+            tmpFile = Files.createTempFile(tmpFolder.toPath(), "nju", null).toFile();
             Files.copy(is, tmpFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
         } catch (IOException e) {
             throw new RuntimeException("Failed to create temporary uploaded file on disk", e);