From 735451054094ecb7aad806aea91cd4eb73436a97 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 23:00:41 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure

This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 dkpro-lab-core/src/main/java/org/dkpro/lab/Util.java | 5 +++--
 .../src/test/java/org/dkpro/lab/reporting/ChartUtilTest.java | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dkpro-lab-core/src/main/java/org/dkpro/lab/Util.java b/dkpro-lab-core/src/main/java/org/dkpro/lab/Util.java
index c9849b0..5b14a17 100644
--- a/dkpro-lab-core/src/main/java/org/dkpro/lab/Util.java
+++ b/dkpro-lab-core/src/main/java/org/dkpro/lab/Util.java
@@ -28,6 +28,7 @@
 import java.lang.reflect.InvocationTargetException;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.zip.GZIPInputStream;
@@ -97,7 +98,7 @@ public static synchronized File getUrlAsFile(URL aUrl, boolean aCache)
 // Get a temporary file which will be deleted when the JVM shuts
 // down.
- file = File.createTempFile(name, suffix);
+ file = Files.createTempFile(name, suffix).toFile();
 file.deleteOnExit();
 // Now copy the file from the URL to the file.
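Review bot: The new `file = Files.createTempFile(name, suffix).toFile();` line changes the failure mode when `name` or `suffix` contains a path separator: `File.createTempFile` reduced the prefix to its last path element, whereas `Files.createTempFile` throws an unchecked `IllegalArgumentException("Invalid prefix or suffix")` that a caller catching only `IOException` will not see. `name` and `suffix` are computed before this hunk; if they are derived from the path of `aUrl` (I cannot confirm that from here), a URL whose file name carries such characters now surfaces as an IllegalArgumentException instead of being handled. Either keep the old normalisation with `name = new File(name).getName();` ahead of the call, or document the new failure mode in the method's `@throws`. Note also that the owner-only (0600) permissions are only applied on file systems that support POSIX permissions; elsewhere the file inherits the temp directory's default ACL. getUrlAsFile's body starts before and continues after this hunk.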
@@ -130,7 +131,7 @@ public static File getStreamAsFile(final InputStream is)
 {
 OutputStream os = null;
 try {
- final File f = File.createTempFile("lab_stream", "tmp");
+ final File f = Files.createTempFile("lab_stream", "tmp").toFile();
 f.deleteOnExit();
 os = new FileOutputStream(f);
 shove(is, os);
diff --git a/dkpro-lab-core/src/test/java/org/dkpro/lab/reporting/ChartUtilTest.java b/dkpro-lab-core/src/test/java/org/dkpro/lab/reporting/ChartUtilTest.java
index d9a8f2e..6c0401a 100644
--- a/dkpro-lab-core/src/test/java/org/dkpro/lab/reporting/ChartUtilTest.java
+++ b/dkpro-lab-core/src/test/java/org/dkpro/lab/reporting/ChartUtilTest.java
@@ -20,6 +20,7 @@
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import org.jfree.chart.ChartFactory;
 import org.jfree.chart.JFreeChart;
@@ -50,7 +51,7 @@ public void testSvg()
 chart.getXYPlot().getRangeAxis().setRange(0.0, 1.0);
 chart.getXYPlot().getDomainAxis().setRange(0.0, 1.0);
- File tmp = File.createTempFile("testfile", ".svg");
+ File tmp = Files.createTempFile("testfile", ".svg").toFile();
 try (OutputStream os = new FileOutputStream(tmp)) {
 ChartUtil.writeChartAsSVG(os, chart, 400, 400);
 }
@@ -81,7 +82,7 @@ public void testPDF()
 chart.getXYPlot().getRangeAxis().setRange(0.0, 1.0);
 chart.getXYPlot().getDomainAxis().setRange(0.0, 1.0);
- File tmp = File.createTempFile("testfile", ".pdf");
+ File tmp = Files.createTempFile("testfile", ".pdf").toFile();
 try (OutputStream os = new FileOutputStream(tmp)) {
 ChartUtil.writeChartAsPDF(os, chart, 400, 400);
 }
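Review bot: Nothing on the new `final File f = Files.createTempFile("lab_stream", "tmp").toFile();` line records why the NIO call is used, so a later "simplification" back to `File.createTempFile` would silently reintroduce the weakness this commit removes. I would add above it `// Files.createTempFile creates the file atomically with owner-only (0600) permissions on POSIX file systems, which File.createTempFile does not (CWE-377); on non-POSIX file systems the file inherits the temp directory's default ACL.` The same comment belongs above the corresponding line in the getUrlAsFile hunk. getStreamAsFile's body continues past this hunk, so how `os` is closed after `shove` is not visible here.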
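Review bot: The new `File tmp = Files.createTempFile("testfile", ".svg").toFile();` line converts the returned `Path` to a `File` only so that the next line can reopen it with `new FileOutputStream(tmp)`; staying with NIO reads more directly: `Path tmp = Files.createTempFile("testfile", ".svg");` and `try (OutputStream os = Files.newOutputStream(tmp)) {`, with `java.nio.file.Path` imported next to `Files`. That holds only if `tmp` is not used as a `File` later in testSvg, which lies outside the hunk. The testPDF hunk below has the same shape. Neither hunk shows the temporary file being removed; if the rest of the test does not delete it, a `Files.deleteIfExists(tmp)` in a finally block would keep test runs from accumulating files in the temp directory.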