This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-karaf.git


The following commit(s) were added to refs/heads/main by this push:
     new 950dfa5d vuln-fix: Temporary File Information Disclosure (#210)
950dfa5d is described below

commit 950dfa5d23e6e2065711b46486f3cdffc5f60df0
Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
AuthorDate: Fri Nov 25 01:02:09 2022 -0500

    vuln-fix: Temporary File Information Disclosure (#210)
    
    This fixes a temporary file information disclosure vulnerability due to the use
    of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
    using the `Files.createTempFile()` method which sets the correct posix permissions.
    
    Weakness: CWE-377: Insecure Temporary File
    Severity: Medium
    CVSS: 5.5
    Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
    
    Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
    
    
    Co-authored-by: Moderne <t...@moderne.io>
    
    Co-authored-by: Moderne <t...@moderne.io>
---
 .../src/test/java/org/apache/camel/blueprint/MainTest.java             | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
 
b/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
index fd045a3c..c3876cbb 100644
--- 
a/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
+++ 
b/components/camel-blueprint-main/src/test/java/org/apache/camel/blueprint/MainTest.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.nio.file.Files;
 
 import org.apache.aries.util.io.IOUtils;
 import org.apache.camel.ProducerTemplate;
@@ -64,7 +65,7 @@ public class MainTest {
                 .set("Bundle-ManifestVersion", "2")
                 .set("Bundle-SymbolicName", SYMBOLIC_NAME)
                 .set("Bundle-Version", "1.0.0");
-        File tb = File.createTempFile(SYMBOLIC_NAME + "-", ".jar", new 
File("target"));
+        File tb = Files.createTempFile(new File("target").toPath(), 
SYMBOLIC_NAME + "-", ".jar").toFile();
         FileOutputStream out = new FileOutputStream(tb);
         IOUtils.copy(bundle.build(), out);
         out.close();
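Review bot: The `FileOutputStream` opened on the line after the replaced `createTempFile` call is still closed only on the success path, so if `IOUtils.copy` throws, the stream is never closed and the handle on the newly created temp file leaks; `try (FileOutputStream out = new FileOutputStream(tb)) { IOUtils.copy(bundle.build(), out); }` with the trailing `out.close()` removed fixes that using only imports the file already has. The hardening from `Files.createTempFile` applies only on POSIX file systems and only to the file itself (the `target` directory's own mode is untouched), which deserves a one-line comment so the next maintainer does not revert it as a cosmetic change, e.g. `// Files.createTempFile creates the file with owner-only (0600) permissions on POSIX; File.createTempFile leaves it at the umask default`. Whether the temp jar is removed after the test cannot be seen from here, as the enclosing test method starts and ends outside the hunk.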
