From ed3706748ff37807baf379b917b1e1d6e00df7b7 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Wed, 27 Jul 2022 16:36:15 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure
This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.
Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne
---
 .../builder/web/rest/BuildRequestResourceIntTest.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/test/java/org/appverse/builder/web/rest/BuildRequestResourceIntTest.java b/src/test/java/org/appverse/builder/web/rest/BuildRequestResourceIntTest.java
index 1c8aa57..84cfa6d 100644
--- a/src/test/java/org/appverse/builder/web/rest/BuildRequestResourceIntTest.java
+++ b/src/test/java/org/appverse/builder/web/rest/BuildRequestResourceIntTest.java
@@ -43,6 +43,7 @@
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.time.Instant;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
@@ -153,9 +154,7 @@ public void setup() {
 public void initTest() throws IOException {
 //Setup distribution channel
- tempDistributionChannelRoot = File.createTempFile("temp", Long.toString(System.nanoTime()));
- tempDistributionChannelRoot.delete();
- tempDistributionChannelRoot.mkdir();
+ tempDistributionChannelRoot = Files.createTempDirectory("temp" + Long.toString(System.nanoTime())).toFile();
 DistributionChannel distributionChannel = new DistributionChannel();
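Review bot: The `"temp" + Long.toString(System.nanoTime())` prefix on the added `Files.createTempDirectory` line in the second hunk is a carry-over from the old create/delete/mkdir sequence and no longer adds anything. `Files.createTempDirectory` chooses its own unpredictable suffix and creates the directory in one step, with owner-only permissions on POSIX file systems, and that is what closes the CWE-379 window rather than the name. A constant, descriptive prefix would make this clear to the next reader, e.g. `tempDistributionChannelRoot = Files.createTempDirectory("distribution-channel-").toFile();`. The body of initTest continues outside the hunk, so it cannot be seen here whether the directory is removed after each test; if it is not, a recursive delete in the teardown would stop build artifacts from accumulating in the shared temp directory.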