[MINVOKER-324] Temporary File Information Disclosure (#152)

JLLeitschuh · TeamModerne · gnodet · web-flow · commit 29da34c0bb72 · 2023-02-10T15:47:31.000+01:00
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <team@moderne.io> Co-authored-by: Guillaume Nodet <gnodet@gmail.com>
diff --git a/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java b/src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java
@@ -1398,7 +1398,7 @@ private File mergeSettings(File interpolatedSettingsFile) throws MojoExecutionEx
 
     private File writeMergedSettingsFile(Settings mergedSettings) throws IOException {
         File mergedSettingsFile;
-        mergedSettingsFile = File.createTempFile("invoker-settings", ".xml");
+        mergedSettingsFile = Files.createTempFile("invoker-settings", ".xml").toFile();
 
         SettingsXpp3Writer settingsWriter = new SettingsXpp3Writer();
 
diff --git a/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java b/src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java
@@ -19,6 +19,7 @@
 package org.apache.maven.plugins.invoker;
 
 import java.io.File;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -188,7 +189,7 @@ public void testConfigureRequestProject() throws Exception {
         Properties props = new Properties();
         InvokerProperties facade = new InvokerProperties(props);
 
-        File tempPom = File.createTempFile("maven-invoker-plugin-test", ".pom");
+        File tempPom = Files.createTempFile("maven-invoker-plugin-test", ".pom").toFile();
         try {
             File tempDir = tempPom.getParentFile();
             when(request.getBaseDirectory()).thenReturn(tempDir);
