From af76c1fab1d32a7f668ca9657a51fcb5d0d00de8 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 4 Oct 2022 00:16:11 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne
---
 .../org/apache/jackrabbit/core/OracleRepositoryTest.java | 5 ++---
 .../jackrabbit/core/OracleRetrocompatibleRepositoryTest.java | 5 ++---
 .../jackrabbit/core/persistence/PersistenceManagerTest.java | 5 ++---
 .../org/apache/jackrabbit/core/util/RepositoryLockTest.java | 5 ++---
 4 files changed, 8 insertions(+), 12 deletions(-)
 mode change 100755 => 100644 jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRepositoryTest.java
 mode change 100755 => 100644 jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRetrocompatibleRepositoryTest.java

diff --git a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRepositoryTest.java b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRepositoryTest.java
old mode 100755
new mode 100644
index 8d641b0b550..39a2a7ad968
--- a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRepositoryTest.java
+++ b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRepositoryTest.java
@@ -18,6 +18,7 @@
 import java.io.File;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.util.Properties;
 import javax.jcr.Session;
@@ -46,9 +47,7 @@ protected void setUp() throws Exception {
  || !sysProps.containsKey("tests.oracle.indexTablespace")) {
  throw new IllegalStateException("Missing system property for test");
  }
- dir = File.createTempFile("jackrabbit_", null, new File("target"));
- dir.delete();
- dir.mkdir();
+ dir = Files.createTempDirectory(new File("target").toPath(), "jackrabbit_").toFile();
  final InputStream in = getClass().getResourceAsStream(
  "/org/apache/jackrabbit/core/repository-oracle.xml");
  config = RepositoryConfig.create(in, dir.getPath());
diff --git a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRetrocompatibleRepositoryTest.java b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRetrocompatibleRepositoryTest.java
old mode 100755
new mode 100644
index 327d1210855..404c34fd239
--- a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRetrocompatibleRepositoryTest.java
+++ b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/OracleRetrocompatibleRepositoryTest.java
@@ -18,6 +18,7 @@
 import java.io.File;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.util.Properties;
 import javax.jcr.Session;
@@ -45,9 +46,7 @@ protected void setUp() throws Exception {
  || !sysProps.containsKey("tests.oracle.tablespace")) {
  throw new IllegalStateException("Missing system property for test");
  }
- dir = File.createTempFile("jackrabbit_", null, new File("target"));
- dir.delete();
- dir.mkdir();
+ dir = Files.createTempDirectory(new File("target").toPath(), "jackrabbit_").toFile();
  final InputStream in = getClass().getResourceAsStream(
  "/org/apache/jackrabbit/core/repository-oracle-compat.xml");
  config = RepositoryConfig.create(in, dir.getPath());
diff --git a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/persistence/PersistenceManagerTest.java b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/persistence/PersistenceManagerTest.java
index d314f4898fd..714b84e658c 100644
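Review bot: The owner-only permission that `Files.createTempDirectory` gives the new `dir = Files.createTempDirectory(new File("target").toPath(), "jackrabbit_").toFile();` line is a POSIX file-system guarantee; on other file systems the directory inherits attributes from its parent, so here the protection rests on the `target` build directory itself not being writable by other local users (the OracleRetrocompatibleRepositoryTest hunk has the identical line). That is worth a comment next to the call so the assumption survives a later move of the directory: `// owner-only (0700) on POSIX; elsewhere inherits target/'s permissions`. The removed `dir.delete()`/`dir.mkdir()` pair is what released the name between creation and use, so dropping it is the part that actually closes the race. setUp's body continues outside the hunk.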
--- a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/persistence/PersistenceManagerTest.java
+++ b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/persistence/PersistenceManagerTest.java
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.core.persistence;
 import java.io.File;
+import java.nio.file.Files;
 import java.util.Arrays;
 import javax.jcr.PropertyType;
@@ -62,9 +63,7 @@ public class PersistenceManagerTest extends TestCase {
  private File database;
  protected void setUp() throws Exception {
- directory = File.createTempFile("jackrabbit-persistence-", "-test");
- directory.delete();
- directory.mkdirs();
+ directory = Files.createTempDirectory("jackrabbit-persistence-" + "-test").toFile();
  database = File.createTempFile("jackrabbit-persistence-", "-derby");
  database.delete();
diff --git a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/util/RepositoryLockTest.java b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/util/RepositoryLockTest.java
index b3115a87f2d..e93789b928d 100644
--- a/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/util/RepositoryLockTest.java
+++ b/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/util/RepositoryLockTest.java
@@ -18,6 +18,7 @@
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import javax.jcr.RepositoryException;
@@ -37,9 +38,7 @@ public class RepositoryLockTest extends TestCase {
  * Sets up the temporary directory used for testing.
  */
  protected void setUp() throws IOException {
- directory = File.createTempFile("RepositoryLock", "Test");
- directory.delete();
- directory.mkdir();
+ directory = Files.createTempDirectory("RepositoryLock" + "Test").toFile();
  }
  /**
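Review bot: `Files.createTempDirectory("jackrabbit-persistence-" + "-test")` glues the old suffix onto the prefix, so the directory is named like `jackrabbit-persistence--test<random>` (constructed example); `createTempDirectory` takes only a prefix, so collapse it to one literal, `directory = Files.createTempDirectory("jackrabbit-persistence-test").toFile();`, and the same artifact appears in the RepositoryLockTest hunk as `"RepositoryLock" + "Test"`. The context lines just below keep `database = File.createTempFile("jackrabbit-persistence-", "-derby"); database.delete();`, which is the same create-delete-reuse pattern this commit removes for `directory`: the name is given up in the shared system temp directory and presumably re-created later by the Derby setup outside the hunk, so another local user could own that path by the time it is reused. Since `directory` is now a private, uniquely named directory, creating the database inside it, e.g. `database = new File(directory, "derby");`, removes that window without a second temp name (confirm the Derby setup accepts a not-yet-existing nested path). setUp's body continues outside the hunk.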