vuln-fix: Temporary File Information Disclosure

JLLeitschuh · TeamModerne · JLLeitschuh · commit e3ecec524d13 · 2022-11-18T22:48:05.000Z
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <team@moderne.io>
diff --git a/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java b/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java
@@ -124,7 +124,7 @@ public static void downloadFile(URL url, File destination) throws IOException {
 		int maxTries = 10;
 		int timeout = 60000; //60 sec
 
-		File tempFile = File.createTempFile(getFilePrefix(destination), "." + getFileExtension(destination));
+		File tempFile = Files.createTempFile(getFilePrefix(destination), "." + getFileExtension(destination)).toFile();
 
 		// Took following recipe from stackoverflow:
 		// http://stackoverflow.com/questions/921262/how-to-download-and-save-a-file-from-internet-using-java
@@ -296,4 +296,4 @@ public static void deleteDirectory(String dir) throws IOException {
 		deleteDirectory(Paths.get(dir));
 	}
 
-}
+}
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java
@@ -22,7 +22,7 @@ class FileCopy {
         
         private File createSrcFile () throws IOException {
             byte [] toSave = new byte []{1,2,3,4,5};
-            File src = File.createTempFile("test", ".dat");
+            File src = Files.createTempFile("test", ".dat").toFile();
             try (FileOutputStream fos = new FileOutputStream(src);){
                 fos.write(toSave);
             }
@@ -34,7 +34,7 @@ void copyFile() throws IOException {
             File src = createSrcFile();
             //sanity check
             assertEquals(5, src.length());
-            File dest = File.createTempFile("dest", ".dat");
+            File dest = Files.createTempFile("dest", ".dat").toFile();
             assertEquals(0, dest.length());
             FileDownloadUtils.copy(src, dest);
             assertEquals(5, dest.length());
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java
@@ -9,6 +9,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -24,7 +25,7 @@ void before(){
     }
 
     File createSmallTmpFile() throws IOException{
-        File f = File.createTempFile("flatFile","txt");
+        File f = Files.createTempFile("flatFile", "txt").toFile();
        writeToFile( aDNA, f);
         return f;
     }
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java
@@ -67,7 +67,7 @@ Document readTestDoc() throws SAXException, IOException, ParserConfigurationExce
 
     @Test
     void fileToDocument() throws IOException, SAXException, ParserConfigurationException {
-        File tmpFile = File.createTempFile("xml", ".xml");
+        File tmpFile = Files.createTempFile("xml", ".xml").toFile();
         Files.write(Paths.get(tmpFile.getAbsolutePath()), TEST_XML.getBytes());
         Document doc = XMLHelper.loadXML(tmpFile.getAbsolutePath());
         assertParsedDocument(doc);
@@ -190,4 +190,4 @@ Document createDocumentWithRootElement() throws ParserConfigurationException {
         doc.appendChild(root);
         return doc;
     }
-}
+}
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java
@@ -36,6 +36,7 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
 import java.util.Collection;
 import java.util.LinkedHashMap;
 
@@ -78,7 +79,7 @@ public void testLoadFastaAddGeneFeaturesFromUpperCaseExonFastaFile() throws Exce
 				.loadFastaAddGeneFeaturesFromUpperCaseExonFastaFile(fastaSequenceFile, uppercaseFastaFile,
 						throwExceptionGeneNotFound);
 
-		File tmp = File.createTempFile("volvox_all_genes_exon_uppercase", "gff3");
+		File tmp = Files.createTempFile("volvox_all_genes_exon_uppercase","gff3").toFile();
 		tmp.deleteOnExit();
 		FileOutputStream fo = new FileOutputStream(tmp);
 		GFF3Writer gff3Writer = new GFF3Writer();
@@ -95,7 +96,7 @@ public void testOutputFastaSequenceLengthGFF3() throws Exception {
 		// logger.info("outputFastaSequenceLengthGFF3");
 
 		File fastaSequenceFile = new File("src/test/resources/volvox_all.fna");
-		File gffFile = File.createTempFile("volvox_length", "gff3");
+		File gffFile = Files.createTempFile("volvox_length","gff3").toFile();
 		gffFile.deleteOnExit();
 		GeneFeatureHelper.outputFastaSequenceLengthGFF3(fastaSequenceFile, gffFile);
 		FileAssert.assertEquals("volvox_length.gff3 and volvox_length_output.gff3 are not equal", gffFile,
@@ -135,7 +136,7 @@ public void testGetProteinSequences() throws Exception {
 		// for(ProteinSequence proteinSequence : proteinSequenceList.values()){
 		// logger.info("Output={}", proteinSequence.getSequenceAsString());
 		// }
-		File tmp = File.createTempFile("volvox_all", "faa");
+		File tmp = Files.createTempFile("volvox_all","faa").toFile();
 		tmp.deleteOnExit();
 		FastaWriterHelper.writeProteinSequence(tmp, proteinSequenceList.values());
 		FileAssert.assertEquals("volvox_all_reference.faa and volvox_all.faa are not equal", new File(
@@ -155,7 +156,7 @@ public void testGetGeneSequences() throws Exception {
 				.getGeneSequences(chromosomeSequenceList.values());
 		Collection<GeneSequence> geneSequences = geneSequenceHashMap.values();
 
-		File tmp = File.createTempFile("volvox_all_genes_exon_uppercase", "fna");
+		File tmp = Files.createTempFile("volvox_all_genes_exon_uppercase","fna").toFile();
 		tmp.deleteOnExit();
 		FastaWriterHelper.writeGeneSequence(tmp, geneSequences, true);
 	}
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java
@@ -28,6 +28,7 @@
 import java.io.InputStream;
 import java.io.StringReader;
 import java.net.URL;
+import java.nio.file.Files;
 
 
 /**
@@ -132,7 +133,7 @@ public void testReadFile() throws Exception
 	public void testReadEmptyFile() throws Exception
 	{
 		FastqReader reader = createFastqReader();
-		File empty = File.createTempFile("abstractFastqReaderTest", null);
+		File empty = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 		Iterable<Fastq> iterable = reader.read(empty);
 		Assert.assertNotNull(iterable);
 		int count = 0;
@@ -148,7 +149,7 @@ public void testReadEmptyFile() throws Exception
 	public void testReadRoundTripSingleFile() throws Exception
 	{
 		FastqReader reader = createFastqReader();
-		File single = File.createTempFile("abstractFastqReaderTest", null);
+		File single = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 		Fastq fastq = createFastq();
 		FastqWriter writer = createFastqWriter();
 		writer.write(single, fastq);
@@ -167,7 +168,7 @@ public void testReadRoundTripSingleFile() throws Exception
 	public void testReadRoundTripMultipleFile() throws Exception
 	{
 		FastqReader reader = createFastqReader();
-		File multiple = File.createTempFile("abstractFastqReaderTest", null);
+		File multiple = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 		Fastq fastq0 = createFastq();
 		Fastq fastq1 = createFastq();
 		Fastq fastq2 = createFastq();
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java
@@ -26,6 +26,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -134,15 +135,15 @@ public void testWriteFileVararg() throws Exception
 		Fastq fastq0 = createFastq();
 		Fastq fastq1 = createFastq();
 		Fastq fastq2 = createFastq();
-		File file0 = File.createTempFile("abstractFastqWriterTest", null);
+		File file0 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file0, fastq0);
-		File file1 = File.createTempFile("abstractFastqWriterTest", null);
+		File file1 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file1, fastq0, fastq1);
-		File file2 = File.createTempFile("abstractFastqWriterTest", null);
+		File file2 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file2, fastq0, fastq1, fastq2);
-		File file3 = File.createTempFile("abstractFastqWriterTest", null);
+		File file3 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file3, fastq0, fastq1, fastq2, null);
-		File file4 = File.createTempFile("abstractFastqWriterTest", null);
+		File file4 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file4, (Fastq) null);
 
 		try
@@ -164,26 +165,26 @@ public void testWriteFileIterable() throws Exception
 		Fastq fastq1 = createFastq();
 		Fastq fastq2 = createFastq();
 		List<Fastq> list = new ArrayList<Fastq>();
-		File file0 = File.createTempFile("abstractFastqWriterTest", null);
+		File file0 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file0, list);
 
 		list.add(fastq0);
-		File file1 = File.createTempFile("abstractFastqWriterTest", null);
+		File file1 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file1, list);
 
 		list.add(fastq1);
-		File file2 = File.createTempFile("abstractFastqWriterTest", null);
+		File file2 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file2, list);
 
 		list.add(fastq2);
-		File file3 = File.createTempFile("abstractFastqWriterTest", null);
+		File file3 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file3, list);
 
 		list.add(null);
-		File file4 = File.createTempFile("abstractFastqWriterTest", null);
+		File file4 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 		writer.write(file4, list);
 
-		File file5 = File.createTempFile("abstractFastqWriterTest", null);
+		File file5 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 
 		try
 		{
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java
@@ -22,6 +22,7 @@
 
 import java.io.File;
 import java.io.FileWriter;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Map;
 
@@ -74,7 +75,7 @@ public void testConvert() throws Exception
 				FastqWriter writer = writers.get(variant2);
 				String expectedFileName = expectedFileNames.get(new FastqVariantPair(variant1, variant2));
 
-				File tmp = File.createTempFile("convertTest", "fastq");
+				File tmp = Files.createTempFile("convertTest","fastq").toFile();
 				FileWriter fileWriter = new FileWriter(tmp);
 
 				for (Fastq fastq : reader.read(getClass().getResource(inputFileName))) {
diff --git a/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java b/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java
@@ -152,7 +152,7 @@ public void downloadFile(URL u, File localFile) throws IOException {
 
 		logger.info("Downloading " + u);
 
-		File tmp = File.createTempFile("tmp","phosphosite");
+		File tmp = Files.createTempFile("tmp","phosphosite").toFile();
 
 		InputStream is = u.openStream();
 
diff --git a/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java b/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java
@@ -31,6 +31,7 @@
 
 import java.io.*;
 import java.net.URL;
+import java.nio.file.Files;
 import java.text.DateFormat;
 import java.text.DecimalFormat;
 import java.text.ParseException;
@@ -639,7 +640,7 @@ protected void downloadFileFromRemote(URL remoteURL, File localFile) throws IOEx
 		LOGGER.info("Downloading file {} to local file {}", remoteURL, localFile);
 
 		long timeS = System.currentTimeMillis();
-		File tempFile  = File.createTempFile(FileDownloadUtils.getFilePrefix(localFile), "."+ FileDownloadUtils.getFileExtension(localFile));
+		File tempFile  = Files.createTempFile(FileDownloadUtils.getFilePrefix(localFile),"." + FileDownloadUtils.getFileExtension(localFile)).toFile();
 
 		FileOutputStream out = new FileOutputStream(tempFile);
 
diff --git a/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java b/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java
@@ -378,7 +378,7 @@ private static boolean downloadChemCompRecord(String recordName) {
         String localName = getLocalFileName(recordName);
         File newFile;
         try {
-            newFile = File.createTempFile("chemcomp" + recordName, "cif");
+            newFile = Files.createTempFile("chemcomp" + recordName,"cif").toFile();
             logger.debug("Will write chem comp file to temp file {}", newFile.toString());
         } catch(IOException e) {
             logger.error("Could not write to temp directory {} to create the chemical component download temp file", System.getProperty("java.io.tmpdir"));
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java
@@ -43,6 +43,7 @@
 import org.xml.sax.SAXException;
 
 import java.io.*;
+import java.nio.file.Files;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
@@ -164,7 +165,7 @@ public void testFromFasta() throws IOException, StructureException, CompoundNotF
 		assertEquals("Wrong number of alnLength",53,afpChain.getAlnLength());
 		String xml = AFPChainXMLConverter.toXML(afpChain);
 		File expected = new File("src/test/resources/1w0p_1qdm.xml");
-		File x = File.createTempFile("1w0p_1qdm_output", "xml.tmp");
+		File x = Files.createTempFile("1w0p_1qdm_output","xml.tmp").toFile();
 		x.deleteOnExit();
 		BufferedWriter bw = new BufferedWriter(new FileWriter(x));
 		bw.write(xml);
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java
@@ -25,6 +25,7 @@
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Arrays;
 
 import org.biojava.nbio.structure.AminoAcidImpl;
@@ -83,7 +84,7 @@ private static void testRoundTrip(String pdbId) throws IOException, StructureExc
 
 		Structure originalStruct = StructureIO.getStructure(pdbId);
 
-		File outputFile = File.createTempFile("biojava_testing_", ".cif");
+		File outputFile = Files.createTempFile("biojava_testing_",".cif").toFile();
 		outputFile.deleteOnExit();
 
 
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java
@@ -30,6 +30,7 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 
 import static org.junit.Assert.assertEquals;
 
@@ -44,7 +45,7 @@ public class SiftsChainToUniprotMappingTest {
 
 	@Test
 	public void test() throws IOException {
-		SiftsChainToUniprotMapping.DEFAULT_FILE = File.createTempFile("biojavaSiftsTest-", "");
+		SiftsChainToUniprotMapping.DEFAULT_FILE = Files.createTempFile("biojavaSiftsTest-","").toFile();
 		SiftsChainToUniprotMapping.DEFAULT_FILE.deleteOnExit();
 
 		BufferedReader br = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream("mock_sifts.tsv")));

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`	`import java.io.IOException;`
`10`	`10`	`import java.io.InputStream;`
`11`	`11`	`import java.nio.charset.StandardCharsets;`
	`12`	`+import java.nio.file.Files;`
`12`	`13`
`13`	`14`	`import org.junit.jupiter.api.BeforeEach;`
`14`	`15`	`import org.junit.jupiter.api.Test;`
`@@ -24,7 +25,7 @@ void before(){`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`File createSmallTmpFile() throws IOException{`
`27`		`- File f = File.createTempFile("flatFile","txt");`
	`28`	`+ File f = Files.createTempFile("flatFile", "txt").toFile();`
`28`	`29`	`writeToFile( aDNA, f);`
`29`	`30`	`return f;`
`30`	`31`	`}`