From 9d24d5bbbc766ab0344748cd7514f9b21eab3b9f Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:42:38 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../main/java/org/apache/oozie/client/AuthOozieClient.java | 3 +--
 .../org/apache/oozie/command/wf/TestSubmitXCommand.java | 3 ++-
 .../org/apache/oozie/util/graph/TestGraphGenerator.java | 7 ++++---
 tools/src/main/java/org/apache/oozie/tools/OozieDBCLI.java | 3 ++-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java b/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
index cad9cf569e..0a83ba12ee 100644
--- a/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
+++ b/client/src/main/java/org/apache/oozie/client/AuthOozieClient.java
@@ -273,8 +273,7 @@ protected AuthenticatedURL.Token readAuthToken() {
 protected void writeAuthToken(AuthenticatedURL.Token authToken) {
 try {
 String jvmName = ManagementFactory.getRuntimeMXBean().getName();
- File tmpTokenFile = File.createTempFile(".oozie-auth-token", jvmName + "tmp",
- new File(System.getProperty("user.home")));
+ File tmpTokenFile = Files.createTempFile(new File(System.getProperty("user.home")).toPath(), ".oozie-auth-token", jvmName + "tmp").toFile();
 // just to be safe, if something goes wrong delete tmp file eventually
 tmpTokenFile.deleteOnExit();
 Writer writer = new OutputStreamWriter(new FileOutputStream(tmpTokenFile), StandardCharsets.UTF_8);
diff --git a/core/src/test/java/org/apache/oozie/command/wf/TestSubmitXCommand.java b/core/src/test/java/org/apache/oozie/command/wf/TestSubmitXCommand.java
index aec6328119..7aafca93a7 100644
--- a/core/src/test/java/org/apache/oozie/command/wf/TestSubmitXCommand.java
+++ b/core/src/test/java/org/apache/oozie/command/wf/TestSubmitXCommand.java
@@ -27,6 +27,7 @@
 import java.io.StringReader;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.hadoop.conf.Configuration;
@@ -327,7 +328,7 @@ public boolean evaluate() throws Exception {
 assertNull(protoConf.get(WorkflowAppService.APP_LIB_PATH_LIST));
 new File(getTestCaseDir() + "/lib").mkdirs();
- File.createTempFile("parentLibrary", ".jar", new File(getTestCaseDir() + "/lib"));
+ Files.createTempFile(new File(getTestCaseDir() + "/lib").toPath(), "parentLibrary", ".jar").toFile();
 conf.set(OozieClient.APP_PATH, workflowUri);
 conf.set(OozieClient.USER_NAME, getTestUser());
 conf.set("appName", "var-app-name");
diff --git a/core/src/test/java/org/apache/oozie/util/graph/TestGraphGenerator.java b/core/src/test/java/org/apache/oozie/util/graph/TestGraphGenerator.java
index f935f2e4d4..e44fa82c35 100644
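Review bot: The new `Files.createTempFile(...)` call in writeAuthToken comes with no import hunk for `java.nio.file.Files`, unlike the other three files in this patch (the diffstat lists only 1 insertion and 2 deletions for AuthOozieClient.java); presumably `Files` is already imported in this file, but that should be confirmed before merging. Because this temp file holds the authentication token, the reason for choosing `Files.createTempFile` over `File.createTempFile` should be recorded at the call site so a later cleanup does not revert it, e.g. `// Files.createTempFile creates the file owner-only (0600 on POSIX); File.createTempFile does not (CWE-377)`, and the same comment belongs on the OozieDBCLI hunk. As far as I can tell the JDK applies the owner-only mode only when the default filesystem supports the POSIX attribute view, so on other platforms the token file is protected only by the permissions of the user.home directory itself. The new line is also roughly 150 columns long; wrapping it after the directory argument, `File tmpTokenFile = Files.createTempFile(new File(System.getProperty("user.home")).toPath(),` / `        ".oozie-auth-token", jvmName + "tmp").toFile();`, matches the surrounding style. writeAuthToken's body continues outside the hunk.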
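Review bot: The trailing `.toFile()` in the new `Files.createTempFile(...)` line of the -327 hunk is dead work, since the returned File is discarded exactly as the old return value was; `Files.createTempFile(new File(getTestCaseDir() + "/lib").toPath(), "parentLibrary", ".jar");` is enough and avoids suggesting the File is used. The enclosing test method starts and ends outside the hunk.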
--- a/core/src/test/java/org/apache/oozie/util/graph/TestGraphGenerator.java
+++ b/core/src/test/java/org/apache/oozie/util/graph/TestGraphGenerator.java
@@ -38,6 +38,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 public class TestGraphGenerator extends XTestCase {
 private static final XLog LOG = XLog.getLog(TestGraphGenerator.class);
@@ -100,7 +101,7 @@ private WorkflowJobBean createSimpleWorkflow() {
 private void generateAndAssertPng(final WorkflowJobBean workflowJob, final String path, final boolean showKill) {
 File outputPng = null;
 try {
- outputPng = File.createTempFile("graph-output", path + ".png");
+ outputPng = Files.createTempFile("graph-output", path + ".png").toFile();
 final String content = IOUtils.getResourceAsString(path, -1);
 final GraphGenerator g = new GraphGenerator(content, workflowJob, showKill, new GraphvizRenderer());
 g.write(new FileOutputStream(outputPng), OutputFormat.PNG);
@@ -131,7 +132,7 @@ public void testSimpleGraphDot() {
 File outputDot = null;
 try {
- outputDot = File.createTempFile("graph-output", "graph-workflow-simple.dot");
+ outputDot = Files.createTempFile("graph-output", "graph-workflow-simple.dot").toFile();
 final String content = IOUtils.getResourceAsString("graph-workflow-simple.xml", -1);
 final GraphGenerator g = new GraphGenerator(content, jsonWFJob, true, new GraphvizRenderer());
 g.write(new FileOutputStream(outputDot), OutputFormat.DOT);
@@ -165,7 +166,7 @@ public void testSimpleGraphSvg() {
 File outputDot = null;
 try {
- outputDot = File.createTempFile("graph-output", "graph-workflow-simple.svg");
+ outputDot = Files.createTempFile("graph-output", "graph-workflow-simple.svg").toFile();
 final String content = IOUtils.getResourceAsString("graph-workflow-simple.xml", -1);
 final GraphGenerator g = new GraphGenerator(content, jsonWFJob, true, new GraphvizRenderer());
 g.write(new FileOutputStream(outputDot), OutputFormat.SVG);
diff --git a/tools/src/main/java/org/apache/oozie/tools/OozieDBCLI.java b/tools/src/main/java/org/apache/oozie/tools/OozieDBCLI.java
index 58eb4f7812..1518931871 100644
--- a/tools/src/main/java/org/apache/oozie/tools/OozieDBCLI.java
+++ b/tools/src/main/java/org/apache/oozie/tools/OozieDBCLI.java
@@ -38,6 +38,7 @@
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.sql.Blob;
 import java.sql.CallableStatement;
 import java.sql.Clob;
@@ -126,7 +127,7 @@ else if (command.getName().equals(VERSION_CMD)) {
 CommandLine commandLine = command.getCommandLine();
 String sqlFile = commandLine.getOptionValue(SQL_FILE_OPT);
 if (sqlFile == null || sqlFile.isEmpty()) {
- File tempFile = File.createTempFile("ooziedb-", ".sql");
+ File tempFile = Files.createTempFile("ooziedb-", ".sql").toFile();
 tempFile.deleteOnExit();
 sqlFile = tempFile.getAbsolutePath();
 }