vuln-fix: Temporary File Information Disclosure (#1007)

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <[email protected]> Co-authored-by: Moderne <[email protected]>
apache · Nov 21, 2022 · babe66e · babe66e
1 parent 0f2acde
commit babe66e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/core/src/main/java/com/digitalpebble/stormcrawler/parse/filter/DebugParseFilter.java b/core/src/main/java/com/digitalpebble/stormcrawler/parse/filter/DebugParseFilter.java
@@ -20,6 +20,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.Map;
 import org.apache.commons.io.FileUtils;
 import org.apache.xml.serialize.XMLSerializer;
@@ -46,7 +47,7 @@ public void filter(String URL, byte[] content, DocumentFragment doc, ParseResult
     @Override
     public void configure(@NotNull Map<String, Object> stormConf, @NotNull JsonNode filterParams) {
         try {
-            File outFile = File.createTempFile("DOMDump", ".xml");
+            File outFile = Files.createTempFile("DOMDump", ".xml").toFile();
             os = FileUtils.openOutputStream(outFile);
         } catch (IOException e) {
             e.printStackTrace();

diff --git a/...nal/aws/src/main/java/com/digitalpebble/stormcrawler/aws/bolt/CloudSearchIndexerBolt.java b/...nal/aws/src/main/java/com/digitalpebble/stormcrawler/aws/bolt/CloudSearchIndexerBolt.java
@@ -41,6 +41,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@@ -349,7 +350,7 @@ public void sendBatch() {
 
         if (dumpBatchFilesToTemp) {
             try {
-                File temp = File.createTempFile("CloudSearch_", ".json");
+                File temp = Files.createTempFile("CloudSearch_", ".json").toFile();
                 FileUtils.writeByteArrayToFile(temp, bb);
                 LOG.info("Wrote batch file {}", temp.getName());
                 // ack the tuples