From 8609babcb3570a15a643762a304b0ad6f8e749cc Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:46:38 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../org/appverse/builder/build/BuildExecutorWorker.java | 3 ++-
 .../org/appverse/builder/build/BuildRequestTestUtils.java | 3 ++-
 .../builder/web/rest/BuildChainResourceIntTest.java | 7 ++++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/appverse/builder/build/BuildExecutorWorker.java b/src/main/java/org/appverse/builder/build/BuildExecutorWorker.java
index b8a497c..afc1a32 100644
--- a/src/main/java/org/appverse/builder/build/BuildExecutorWorker.java
+++ b/src/main/java/org/appverse/builder/build/BuildExecutorWorker.java
@@ -20,6 +20,7 @@
 import javax.inject.Inject;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.CopyOnWriteArrayList;
@@ -164,7 +165,7 @@ private File getBuildLogFile() {
 if (currentLogFile == null) {
 try {
 //TODO find a better place to store the log file
- currentLogFile = File.createTempFile(currentBuildRequest.getChainId().toString() + "-" + currentBuildRequest.getId(), "log");
+ currentLogFile = Files.createTempFile(currentBuildRequest.getChainId().toString() + "-" + currentBuildRequest.getId(), "log").toFile();
 } catch (IOException e) {
 log.warn("Could not create the temporary log file", e);
 }
diff --git a/src/test/java/org/appverse/builder/build/BuildRequestTestUtils.java b/src/test/java/org/appverse/builder/build/BuildRequestTestUtils.java
index f7c3025..0c2d98f 100644
--- a/src/test/java/org/appverse/builder/build/BuildRequestTestUtils.java
+++ b/src/test/java/org/appverse/builder/build/BuildRequestTestUtils.java
@@ -19,6 +19,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.file.Files;
 import static org.appverse.builder.domain.enumeration.BuildStatus.QUEUED;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -51,7 +52,7 @@ public void waitStart(BuildRequestDTO buildRequest) throws InterruptedException
 }
 public BuildChainDTO createBuildChainFromPayload(File nativeDemoDir) throws IOException, ZipException {
- File tempFile = File.createTempFile("payload-test", ".zip");
+ File tempFile = Files.createTempFile("payload-test", ".zip").toFile();
 tempFile.delete();
 ZipFile zipFile = new ZipFile(tempFile);
 ZipParameters parameters = new ZipParameters();
diff --git a/src/test/java/org/appverse/builder/web/rest/BuildChainResourceIntTest.java b/src/test/java/org/appverse/builder/web/rest/BuildChainResourceIntTest.java
index 3598342..414b736 100644
--- a/src/test/java/org/appverse/builder/web/rest/BuildChainResourceIntTest.java
+++ b/src/test/java/org/appverse/builder/web/rest/BuildChainResourceIntTest.java
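Review bot: The protection the new line adds rests entirely on `Files.createTempFile` creating the file owner-only (rw------- on POSIX file systems, which `File.createTempFile` does not guarantee), and nothing in the code records that; with the `//TODO` still standing, a later cleanup can revert to `File.createTempFile` without anyone noticing. I would extend the existing comment: `//TODO find a better place to store the log file; keep Files.createTempFile here: unlike File.createTempFile it creates the file owner-only (CWE-377)`. The log still lands in the shared `java.io.tmpdir` and the owner-only mode applies on POSIX only; if the worker already has a per-build working directory, passing it as the first argument (`Files.createTempFile(dir, prefix, suffix)`) would keep the log out of the shared directory altogether. Separately, the suffix `"log"` has no leading dot, so the name ends in `<random>log`; `".log"` is presumably what was intended. getBuildLogFile continues outside the hunk, so what happens when currentLogFile stays null after the warning is not visible here.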
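Review bot: The `tempFile.delete()` on the line after the new `Files.createTempFile` call throws away what the patch gains in createBuildChainFromPayload: the owner-only file is removed, and its now-free name is handed to `new ZipFile(tempFile)`, so the archive presumably written by the zip4j calls that follow is created afresh under the default umask and, between the delete and that write, the name can be taken by another process (the CWE-377 pattern the commit is fixing, plus a TOCTOU on the path). A per-test directory avoids both without changing the rest of the method: `File tempDir = Files.createTempDirectory("payload-test").toFile();` and `File tempFile = new File(tempDir, "payload.zip");`, with the `delete()` call dropped, since `Files.createTempDirectory` creates the directory owner-only and the archive inside inherits that protection. The ignored boolean from `delete()` is a smaller version of the same issue; `Files.delete(path)` fails loudly. The same three lines recur in the `createBuildChainFromPayload`, `createBuildChainFromPayloadWithOptions` and `createBuildChainFromPayloadWithFlavor` tests in BuildChainResourceIntTest.java; the method body continues past the hunk in each case.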
@@ -44,6 +44,7 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.time.Instant;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
@@ -327,7 +328,7 @@ public void onlyOwnerCanDeleteBuildChain() throws Exception {
 @Test
 public void createBuildChainFromPayload() throws Exception {
 File nativeDemoDir = new ClassPathResource("demo/native").getFile();
- File tempFile = File.createTempFile("payload-test", ".zip");
+ File tempFile = Files.createTempFile("payload-test", ".zip").toFile();
 tempFile.delete();
 ZipFile zipFile = new ZipFile(tempFile);
 ZipParameters parameters = new ZipParameters();
@@ -376,7 +377,7 @@ public void createBuildChainFromPayload() throws Exception {
 @Test
 public void createBuildChainFromPayloadWithOptions() throws Exception {
 File nativeDemoDir = new ClassPathResource("demo/native").getFile();
- File tempFile = File.createTempFile("payload-test", ".zip");
+ File tempFile = Files.createTempFile("payload-test", ".zip").toFile();
 tempFile.delete();
 ZipFile zipFile = new ZipFile(tempFile);
 ZipParameters parameters = new ZipParameters();
@@ -429,7 +430,7 @@ public void createBuildChainFromPayloadWithOptions() throws Exception {
 @Test
 public void createBuildChainFromPayloadWithFlavor() throws Exception {
 File nativeDemoDir = new ClassPathResource("demo/native").getFile();
- File tempFile = File.createTempFile("payload-test", ".zip");
+ File tempFile = Files.createTempFile("payload-test", ".zip").toFile();
 tempFile.delete();
 ZipFile zipFile = new ZipFile(tempFile);
 ZipParameters parameters = new ZipParameters();