This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/maven-release.git
The following commit(s) were added to refs/heads/master by this push: new 44024913 vuln-fix: Temporary File Information Disclosure 44024913 is described below commit 4402491300f95eac40c274960f05c682dcd71cf1 Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> AuthorDate: Fri Nov 18 22:41:18 2022 +0000 vuln-fix: Temporary File Information Disclosure This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne <t...@moderne.io> This closes #160
---
 .../java/org/apache/maven/shared/release/exec/ForkedMavenExecutor.java | 3 ++-
 .../org/apache/maven/shared/release/exec/InvokerMavenExecutor.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/ForkedMavenExecutor.java b/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/ForkedMavenExecutor.java
index 947424b0..2b8d9f62 100644
--- a/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/ForkedMavenExecutor.java
+++ b/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/ForkedMavenExecutor.java
@@ -27,6 +27,7 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.List;
 import org.apache.maven.settings.io.xpp3.SettingsXpp3Writer; 
@@ -83,7 +84,7 @@ public class ForkedMavenExecutor extends AbstractMavenExecutor {
 if (releaseEnvironment.getSettings() != null) {
 // Have to serialize to a file as if Maven is embedded, there may not actually be a settings.xml on disk
 try {
- settingsFile = File.createTempFile("release-settings", ".xml");
+ settingsFile = Files.createTempFile("release-settings", ".xml").toFile();
 SettingsXpp3Writer writer = getSettingsWriter();
 try (FileWriter fileWriter = new FileWriter(settingsFile)) {
diff --git a/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/InvokerMavenExecutor.java b/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/InvokerMavenExecutor.java
index cc393244..51d83df3 100644
--- a/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/InvokerMavenExecutor.java
+++ b/maven-release-manager/src/main/java/org/apache/maven/shared/release/exec/InvokerMavenExecutor.java
@@ -25,6 +25,7 @@ import javax.inject.Singleton;
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
@@ -86,7 +87,7 @@ public class InvokerMavenExecutor extends AbstractMavenExecutor {
 if (releaseEnvironment.getSettings() != null) {
 // Have to serialize to a file as if Maven is embedded, there may not actually be a settings.xml on disk
 try {
- settingsFile = File.createTempFile("release-settings", ".xml");
+ settingsFile = Files.createTempFile("release-settings", ".xml").toFile();
 SettingsXpp3Writer writer = getSettingsWriter();
 try (FileWriter fileWriter = new FileWriter(settingsFile)) {
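Review bot: The new `Files.createTempFile("release-settings", ".xml").toFile()` line only yields an owner-only file on filesystems that expose POSIX permissions; on Windows the file inherits the temp directory's ACL, so the commit's "sets the correct posix permissions" is a POSIX-only guarantee, and the same applies to the identical hunk in InvokerMavenExecutor at `@@ -86,7 +87,7 @@`. Since the file receives the serialized settings, which can include server credentials, that assumption deserves a comment on the new line, e.g. `// Files.createTempFile restricts the file to the owner on POSIX filesystems; the serialized settings may hold server credentials`. The `try` opened in this hunk has its catch/finally outside the hunk, so it is not visible here whether `settingsFile` is removed once the build finishes; if it is removed with `File.delete()`, `Files.deleteIfExists(settingsFile.toPath())` would surface a failure instead of an ignored boolean. As a smaller style point, the `Path` that `.toFile()` discards could instead feed `Files.newBufferedWriter(path, StandardCharsets.UTF_8)` in place of the `FileWriter` on the context line below, which also avoids the platform-default charset, though that touches lines beyond this hunk.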