Modernize and secure temp file creation

[pixeeai]

This change replaces the usage of java.io.File#createTempFile with java.nio.file.Files#createTempFile which has more secure attributes.

The java.io.File#createTempFile() method creates a file that is world-readable and world-writeable, which is almost never necessary. Also, the file created is placed in a predictable directory (e.g., /tmp). Having predictable file names, locations, and will lead to many types of vulnerabilities. History has shown that this insecure pattern can lead to information leakage, privilege escalation and even code execution.

Our changes look something like this:

+  import java.nio.file.Files;
   ...
-  File txtFile = File.createTempFile("acme", ".txt");
+  File txtFile = Files.createTempFile("acme", ".txt").toFile();

More reading

• https://cwe.mitre.org/data/definitions/378.html
• https://docs.fluidattacks.com/criteria/vulnerabilities/160/
• create temporary file in directory with secure permissions  apache/druid#11130
• https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
• https://nvd.nist.gov/vuln/detail/CVE-2022-41954
• https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:java/upgrade-tempfile-to-nio

[pixeeai]

This change was autogenerated from a GitHub app - called Pixeebot. Feel free to check it our for more details for how you can install it onto your project's repo for continued code hardening and code security recommendations. 👍

[pixeeai]

Any chance you've had the time to review these changes?

If you're not interested implementing them at this time, no worries. I can close the PR and follow up with additional changes in the future. Also, this plugin is free for non-commercial open sourced projects, so feel free to give it an install if you want to see the other recommended PRs. (Pixeebot | Automated code fixes. · GitHub Marketplace)

Thanks,
Zach