From 48cf22c844ee271e916add38566db4829a199cb0 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:45:46 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../test/java/org/apache/omid/transaction/OmidTestBase.java | 3 ++-
 .../test/java/org/apache/omid/transaction/TestOmidLLRaces.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hbase-client/src/test/java/org/apache/omid/transaction/OmidTestBase.java b/hbase-client/src/test/java/org/apache/omid/transaction/OmidTestBase.java
index ba61d279..9c401593 100644
--- a/hbase-client/src/test/java/org/apache/omid/transaction/OmidTestBase.java
+++ b/hbase-client/src/test/java/org/apache/omid/transaction/OmidTestBase.java
@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Method;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import org.apache.hadoop.conf.Configuration;
@@ -128,7 +129,7 @@ public void beforeGroups(ITestContext context) throws Exception {
 hbaseConf.setInt("hbase.regionserver.nbreservationblocks", 1);
 hbaseConf.setInt(HBASE_CLIENT_RETRIES_NUMBER, 3);
- File tempFile = File.createTempFile("OmidTest", "");
+ File tempFile = Files.createTempFile("OmidTest", "").toFile();
 tempFile.deleteOnExit();
 hbaseConf.set("hbase.rootdir", tempFile.getAbsolutePath());
 hbaseConf.setBoolean("hbase.localcluster.assign.random.ports",true);
diff --git a/hbase-client/src/test/java/org/apache/omid/transaction/TestOmidLLRaces.java b/hbase-client/src/test/java/org/apache/omid/transaction/TestOmidLLRaces.java
index 7d2fa76b..c271872c 100644
--- a/hbase-client/src/test/java/org/apache/omid/transaction/TestOmidLLRaces.java
+++ b/hbase-client/src/test/java/org/apache/omid/transaction/TestOmidLLRaces.java
@@ -48,6 +48,7 @@
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import org.apache.hadoop.conf.Configuration;
@@ -126,7 +127,7 @@ public void setup() throws Exception {
 hbaseConf.setInt("hbase.regionserver.nbreservationblocks", 1);
 hbaseConf.setInt(HBASE_CLIENT_RETRIES_NUMBER, 3);
- File tempFile = File.createTempFile("OmidTest", "");
+ File tempFile = Files.createTempFile("OmidTest", "").toFile();
 tempFile.deleteOnExit();
 hbaseConf.set("hbase.rootdir", tempFile.getAbsolutePath());
 hbaseConf.setBoolean("hbase.localcluster.assign.random.ports",true);
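Review bot: The new line still creates a regular file and then passes its path as `hbase.rootdir` on the line after `deleteOnExit()`, which presumably names a directory for the local cluster; if that is the case, `Path tempDir = Files.createTempDirectory("OmidTest");` is the matching replacement, since it applies the same owner-only permissions on POSIX file systems while also removing the file-versus-directory mismatch that the old `File.createTempFile` call already had. The owner-only permissions from either `Files.createTempFile` or `Files.createTempDirectory` are applied only on POSIX file systems; elsewhere the entry inherits the defaults of the shared `java.io.tmpdir`, so pointing the test JVM's `java.io.tmpdir` at a per-build directory would make the fix hold on every platform. `deleteOnExit()` relies on `File.delete()`, which does not remove a non-empty directory, so if the cluster populates the rootdir the cleanup silently does nothing; this is inferred, as the cluster start-up is not visible in the hunk. The same change appears in `TestOmidLLRaces.setup()` in the last hunk, and the bodies of both `beforeGroups` and `setup` start and end outside their hunks.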