vuln-fix: Temporary File Information Disclosure (#2988)

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <[email protected]>
Adobe-Consulting-Services · Dec 2, 2022 · 87321f4 · 87321f4
1 parent bf45428
commit 87321f4
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java b/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 
 import javax.imageio.IIOException;
 
@@ -129,7 +130,7 @@ public final void execute(WorkItem workItem, WorkflowSession workflowSession, Me
     @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     void saveImage(Asset asset, Rendition toReplace, Layer layer, String mimetype, double quality, WorkflowHelper workflowHelper)
             throws IOException {
-        File tmpFile = File.createTempFile(getTempFileSpecifier(), "." + workflowHelper.getExtension(mimetype));
+        File tmpFile = Files.createTempFile(getTempFileSpecifier(), "." + workflowHelper.getExtension(mimetype)).toFile();
         OutputStream out = FileUtils.openOutputStream(tmpFile);
         InputStream is = null;
         try {

diff --git a/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java b/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
@@ -28,6 +28,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -60,7 +61,7 @@ private CacheUtils() {
     public static File createTemporaryCacheFile(CacheKey cacheKey) throws IOException {
         // Create a file in Java temp directory with cacheKey.toSting() as file name.
 
-        File file = File.createTempFile(cacheKey.toString(), ".tmp");
+        File file = Files.createTempFile(cacheKey.toString(), ".tmp").toFile();
         if (null != file) {
             log.debug("Temp file created with the name - {}", cacheKey);
         }

diff --git a/...m/adobe/acs/commons/indesign/dynamicdeckdynamo/services/impl/XMLGeneratorServiceImpl.java b/...m/adobe/acs/commons/indesign/dynamicdeckdynamo/services/impl/XMLGeneratorServiceImpl.java
@@ -95,7 +95,7 @@ public String generateInddXML(InputStream xmlInputStream,
             }
 
             // create a temp file 
-            processedXmlTempFile = File.createTempFile("targetFile-" + Calendar.getInstance().getTimeInMillis() + ".tmp", null);
+            processedXmlTempFile = Files.createTempFile("targetFile-" + Calendar.getInstance().getTimeInMillis() + ".tmp", null).toFile();
 
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
             Transformer transformer = transformerFactory.newTransformer();