Modernize and secure temp file creation

[pixeebot]

This change replaces the usage of java.io.File#createTempFile with java.nio.file.Files#createTempFile which has more secure attributes.

The java.io.File#createTempFile() method creates a file that is world-readable and world-writeable, which is almost never necessary. Also, the file created is placed in a predictable directory (e.g., /tmp). Having predictable file names, locations, and will lead to many types of vulnerabilities. History has shown that this insecure pattern can lead to information leakage, privilege escalation and even code execution.

Our changes look something like this:

+  import java.nio.file.Files;
   ...
-  File txtFile = File.createTempFile("acme", ".txt");
+  File txtFile = Files.createTempFile("acme", ".txt").toFile();

More reading

• https://cwe.mitre.org/data/definitions/378.html
• https://docs.fluidattacks.com/criteria/vulnerabilities/160/
• create temporary file in directory with secure permissions  apache/druid#11130
• https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
• https://nvd.nist.gov/vuln/detail/CVE-2022-41954
• https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html

Powered by: pixeebot (codemod ID: pixee:java/upgrade-tempfile-to-nio)

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}