create temporary file in directory with secure permissions #11130
Labels
Comments
This was referenced Aug 16, 2023
This was referenced Sep 29, 2023
nahsra
referenced
this issue
in pixee/codemodder-java
Oct 3, 2023
This change replaces the usage of [`java.io.File#createTempFile`](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/io/File.html#createTempFile(java.lang.String,java.lang.String)) with [`java.nio.file.Files#createTempFile`](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)) which has more secure attributes. The `java.io.File#createTempFile()` method creates a file that is world-readable and world-writeable, which is almost never necessary. Also, the file created is placed in a predictable directory (e.g., `/tmp`). Having predictable file names, locations, and will lead to many types of vulnerabilities. History has shown that this insecure pattern can lead to [information leakage](https://www.cvedetails.com/cve/CVE-2021-28168/), [privilege escalation](https://www.cvedetails.com/cve/CVE-2021-29428/) and even [code execution](https://www.openwall.com/lists/oss-security/2022/02/25/3). Our changes look something like this: ```diff + import java.nio.file.Files; ... - File txtFile = File.createTempFile("acme", ".txt"); + File txtFile = Files.createTempFile("acme", ".txt").toFile(); ``` <details> <summary>More reading</summary> * [https://cwe.mitre.org/data/definitions/378.html](https://cwe.mitre.org/data/definitions/378.html) * [https://docs.fluidattacks.com/criteria/vulnerabilities/160/](https://docs.fluidattacks.com/criteria/vulnerabilities/160/) * [https://github.com/apache/druid/issues/11130](https://github.com/apache/druid/issues/11130) * [https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File) * [https://nvd.nist.gov/vuln/detail/CVE-2022-41954](https://nvd.nist.gov/vuln/detail/CVE-2022-41954) * [https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html](https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html) </details> Powered by: [pixeebot](https://docs.pixee.ai/installing/) (codemod ID: [pixee:java/upgrade-tempfile-to-nio](https://docs.pixee.ai/codemods/java/pixee_java_upgrade-tempfile-to-nio))  <!--{"type":"DRIP","codemod":"pixee:java/upgrade-tempfile-to-nio"}--> --------- Co-authored-by: pixeebot[bot] <23113631+pixeebot@users.noreply.github.com> Co-authored-by: Arshan Dabirsiaghi <arshan.dabirsiaghi@gmail.com>
This was referenced Oct 26, 2023
This was referenced Nov 7, 2023
This was referenced Dec 19, 2023
This was referenced Dec 26, 2023
This was referenced Oct 18, 2024
This was referenced Oct 25, 2024
This was referenced Nov 3, 2024
This was referenced Nov 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Motivation
File.createTempFile(String, String)will create a temporary file in the system temporary directory if the'java.io.tmpdir'. The permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions:-rw-r--r--, thus, any other local user on that system can read the contents of that file.This can be a security concern if any sensitive data is stored in this file.
Proposed changes
Create a secure temp file using
PlatformDependent.createTempFileinstead ofFile.createTempFile. The change is released in netty-4.1.63.Final and Druid is upgraded tonetty-4.1.63.Finalin this commit.Rationale
Create temporary files with sane permissions by default.
The text was updated successfully, but these errors were encountered: