From 5b9563c8a1a2fa4e9e0fa787541f910ec2fc1838 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 4 Oct 2022 00:24:18 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure. Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions Severity: High CVSSS: 7.3 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10 Co-authored-by: Moderne
---
 .../analyzer/ArchiveAnalyzer.java | 11 ++---------
 .../dependencycheck/analyzer/JarAnalyzer.java | 11 ++---------
 .../analyzer/PythonDistributionAnalyzer.java | 16 +++------------
 3 files changed, 7 insertions(+), 31 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index f43e09240af..412ec72001a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -39,6 +39,7 @@
 import org.slf4j.LoggerFactory;
 import java.io.*;
+import java.nio.file.Files;
 import java.util.*;
 /**
@@ -163,15 +164,7 @@ protected String getAnalyzerEnabledSettingKey() {
 @Override
 public void initializeFileTypeAnalyzer() throws Exception {
 final File baseDir = Settings.getTempDirectory();
- tempFileLocation = File.createTempFile("check", "tmp", baseDir);
- if (!tempFileLocation.delete()) {
- final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
- if (!tempFileLocation.mkdirs()) {
- final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
+ tempFileLocation = Files.createTempDirectory(baseDir.toPath(), "check" + "tmp").toFile();
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 9c794aef133..9962c477cfb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -26,6 +26,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.Reader;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
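Review bot: The prefix argument `"check" + "tmp"` on the added `Files.createTempDirectory` line is a mechanical leftover of the old `createTempFile("check", "tmp", baseDir)` call, and the same line appears in the JarAnalyzer and PythonDistributionAnalyzer hunks below; all three should use a single literal, `tempFileLocation = Files.createTempDirectory(baseDir.toPath(), "checktmp").toFile();`. The removed branches reported failures as an `AnalysisException` carrying the path, whereas the new line lets the raw `IOException` propagate — legal under `throws Exception`, but if any caller (not visible here) distinguishes `AnalysisException`, wrap the call: `catch (IOException e) { throw new AnalysisException("Unable to create temporary directory in '" + baseDir.getAbsolutePath() + "'.", e); }`. A short why-comment would also help keep the atomic form from being refactored back into create/delete/mkdirs: `// Created atomically by the JDK with owner-only permissions on POSIX; on other file systems it inherits the parent's ACL, so the protection of extracted contents still depends on where Settings.getTempDirectory() points.`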
@@ -887,15 +888,7 @@ private void addLicense(Dependency d, String license) {
 @Override
 public void initializeFileTypeAnalyzer() throws Exception {
 final File baseDir = Settings.getTempDirectory();
- tempFileLocation = File.createTempFile("check", "tmp", baseDir);
- if (!tempFileLocation.delete()) {
- final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
- if (!tempFileLocation.mkdirs()) {
- final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
+ tempFileLocation = Files.createTempDirectory(baseDir.toPath(), "check" + "tmp").toFile();
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index c89aaed6ff2..232678042dc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -23,6 +23,8 @@
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilenameFilter;
+import java.nio.file.Files;
+
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.io.input.AutoCloseInputStream;
@@ -234,19 +236,7 @@ private void collectMetadataFromArchiveFormat(Dependency dependency,
 @Override
 protected void initializeFileTypeAnalyzer() throws Exception {
 final File baseDir = Settings.getTempDirectory();
- tempFileLocation = File.createTempFile("check", "tmp", baseDir);
- if (!tempFileLocation.delete()) {
- final String msg = String.format(
- "Unable to delete temporary file '%s'.",
- tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
- if (!tempFileLocation.mkdirs()) {
- final String msg = String.format(
- "Unable to create directory '%s'.",
- tempFileLocation.getAbsolutePath());
- throw new AnalysisException(msg);
- }
+ tempFileLocation = Files.createTempDirectory(baseDir.toPath(), "check" + "tmp").toFile();
 }
 /**