vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#18


Co-authored-by: Moderne <[email protected]>

modules/grizzly/src/test/java/org/glassfish/grizzly/FileTransferTest.java

@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
+import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.util.Random;
 import java.util.concurrent.TimeUnit;
@@ -69,7 +70,7 @@ public NextAction handleRead(FilterChainContext ctx) throws IOException {
         TCPNIOTransport client = TCPNIOTransportBuilder.newInstance().build();
         FilterChainBuilder clientChain = FilterChainBuilder.stateless();
         final SafeFutureImpl<File> future = SafeFutureImpl.create();
-        final File temp = File.createTempFile("grizzly-download-", ".tmp");
+        final File temp = Files.createTempFile("grizzly-download-", ".tmp").toFile();
         temp.deleteOnExit();
         final FileOutputStream out = new FileOutputStream(temp);
         final AtomicInteger total = new AtomicInteger(0);
@@ -140,7 +141,7 @@ public void negativeFileTransferAPITest() throws Exception {
             fail("Unexpected exception type: " + e);
         }
 
-        f = File.createTempFile("grizzly-test-", ".tmp");
+        f = Files.createTempFile("grizzly-test-", ".tmp").toFile();
         f.deleteOnExit();
         new FileOutputStream(f).write(1);
 
@@ -195,7 +196,7 @@ private static BigInteger getMDSum(final File f) throws Exception {
     }
 
     private static File generateTempFile(final int size) throws IOException {
-        final File f = File.createTempFile("grizzly-temp-" + size, ".tmp");
+        final File f = Files.createTempFile("grizzly-temp-" + size, ".tmp").toFile();
         Random r = new Random();
         byte[] data = new byte[8192];
         r.nextBytes(data);

modules/http-server/src/main/java/org/glassfish/grizzly/http/server/filecache/FileCache.java

@@ -25,6 +25,7 @@
 import java.nio.ByteBuffer;
 import java.nio.MappedByteBuffer;
 import java.nio.channels.FileChannel;
+import java.nio.file.Files;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -599,7 +600,7 @@ public void setFileSendEnabled(boolean fileSendEnabled) {
      */
     protected void compressFile(final FileCacheEntry entry) {
         try {
-            final File tmpCompressedFile = File.createTempFile(String.valueOf(entry.plainFile.hashCode()), ".tmpzip", compressedFilesFolder);
+            final File tmpCompressedFile = Files.createTempFile(compressedFilesFolder.toPath(), String.valueOf(entry.plainFile.hashCode()), ".tmpzip").toFile();
             tmpCompressedFile.deleteOnExit();
 
             InputStream in = null;

modules/http-server/src/test/java/org/glassfish/grizzly/http/server/FileCacheTest.java

@@ -28,6 +28,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.nio.file.Files;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -965,7 +966,7 @@ private static String convertToDate(final long date) {
     }
 
     private static File createTempFile() throws IOException {
-        final File f = File.createTempFile("grizzly-file-cache", ".txt");
+        final File f = Files.createTempFile("grizzly-file-cache", ".txt").toFile();
         f.deleteOnExit();
         FileOutputStream out = null;
         try {

modules/http-server/src/test/java/org/glassfish/grizzly/http/server/SendFileTest.java

@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.channels.FileChannel;
+import java.nio.file.Files;
 import java.security.MessageDigest;
 import java.util.Random;
 import java.util.concurrent.Executors;
@@ -558,7 +559,7 @@ private static File generateTempFile(final int size) throws IOException {
     }
 
     private static File generateTempFile(final int size, final String ext) throws IOException {
-        final File f = File.createTempFile("grizzly-temp-" + size, "." + ext);
+        final File f = Files.createTempFile("grizzly-temp-" + size, "." + ext).toFile();
         Random r = new Random();
         byte[] data = new byte[8192];
         r.nextBytes(data);

modules/http-server/src/test/java/org/glassfish/grizzly/http/server/StaticHttpHandlerTest.java

@@ -319,7 +319,7 @@ private static String getSystemTmpDir() {
     }
 
     private static File generateTempFile(final int size) throws IOException {
-        final File f = File.createTempFile("grizzly-temp-" + size, ".tmp2");
+        final File f = Files.createTempFile("grizzly-temp-" + size, ".tmp2").toFile();
         Random r = new Random();
         byte[] data = new byte[8192];
         r.nextBytes(data);

modules/http2/src/test/java/org/glassfish/grizzly/http2/FileCacheTest.java

@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.Writer;
+import java.nio.file.Files;
 import java.text.SimpleDateFormat;
 import java.util.Collection;
 import java.util.Date;
@@ -400,7 +401,7 @@ private static String convertToDate(final long date) {
     }
 
     private static File createTempFile() throws IOException {
-        final File f = File.createTempFile("grizzly-file-cache", ".txt");
+        final File f = Files.createTempFile("grizzly-file-cache", ".txt").toFile();
         f.deleteOnExit();
         FileOutputStream out = null;
         try {