vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure. Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions Severity: High CVSSS: 7.3 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#10 Co-authored-by: Moderne <team@moderne.io>
gserdyuk · Oct 4, 2022 · c7b3250 · c7b3250
1 parent 17a80d7
commit c7b3250
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/bigdata-rdf-test/src/test/java/com/bigdata/rdf/store/TestDataLoader.java b/bigdata-rdf-test/src/test/java/com/bigdata/rdf/store/TestDataLoader.java
@@ -28,6 +28,7 @@
 import java.io.FileWriter;
 import java.io.FilenameFilter;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Properties;
 
 import org.openrdf.rio.RDFFormat;
@@ -362,11 +363,8 @@ public void test_durableQueues02_batchCommit_incrementalClosure() throws IOExcep
 	private void doDurableQueueTest(final DataLoader dataLoader) throws IOException {
 
 		// temporary directory where we setup the test.
-		final File tmpDir = File.createTempFile(getClass().getName(), ".tmp");
-		try {
-
-			tmpDir.delete(); // delete random file name.
-			tmpDir.mkdir(); // recreate it as a directory.
+		final File tmpDir = Files.createTempDirectory(getClass().getName() + ".tmp").toFile();
+		try { // recreate it as a directory.
 
 			// Setup directory with files.
 			final File goodFile = new File(tmpDir, "good.ttl");