From e3ecec524d13bfaa51f1a7089dfb21ffdbf7b24b Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 18 Nov 2022 22:48:05 +0000 Subject: [PATCH] vuln-fix: Temporary File Information Disclosure This fixes a temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18 Co-authored-by: Moderne --- .../nbio/core/util/FileDownloadUtils.java | 4 ++-- .../nbio/core/util/FileDownloadUtilsTest.java | 4 ++-- .../nbio/core/util/FlatFileCacheTest.java | 3 ++- .../biojava/nbio/core/util/XMLHelperTest.java | 4 ++-- .../nbio/genome/GeneFeatureHelperTest.java | 9 ++++---- .../io/fastq/AbstractFastqReaderTest.java | 7 +++--- .../io/fastq/AbstractFastqWriterTest.java | 23 ++++++++++--------- .../nbio/genome/io/fastq/ConvertTest.java | 3 ++- .../org/biojava/nbio/phosphosite/Dataset.java | 2 +- .../nbio/structure/cath/CathInstallation.java | 3 ++- .../chem/DownloadChemCompProvider.java | 2 +- .../io/FastaAFPChainConverterTest.java | 3 ++- .../nbio/structure/io/TestMMCIFWriting.java | 3 ++- .../sifts/SiftsChainToUniprotMappingTest.java | 3 ++- 14 files changed, 41 insertions(+), 32 deletions(-) mode change 100755 => 100644 biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java mode change 100755 => 100644 biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java 
diff --git a/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java b/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java
index e3b678ce8d..e8913f036d 100644
--- a/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java
+++ b/biojava-core/src/main/java/org/biojava/nbio/core/util/FileDownloadUtils.java
@@ -124,7 +124,7 @@ public static void downloadFile(URL url, File destination) throws IOException {
 int maxTries = 10;
 int timeout = 60000; //60 sec
- File tempFile = File.createTempFile(getFilePrefix(destination), "." + getFileExtension(destination));
+ File tempFile = Files.createTempFile(getFilePrefix(destination), "." + getFileExtension(destination)).toFile();
 // Took following recipe from stackoverflow:
 // http://stackoverflow.com/questions/921262/how-to-download-and-save-a-file-from-internet-using-java
@@ -296,4 +296,4 @@ public static void deleteDirectory(String dir) throws IOException {
 deleteDirectory(Paths.get(dir));
 }
-}
\ No newline at end of file
+}
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java
index 374001ec5a..e253e9c64f 100644
--- a/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java
+++ b/biojava-core/src/test/java/org/biojava/nbio/core/util/FileDownloadUtilsTest.java
@@ -22,7 +22,7 @@ class FileCopy {
 private File createSrcFile () throws IOException {
 byte [] toSave = new byte []{1,2,3,4,5};
- File src = File.createTempFile("test", ".dat");
+ File src = Files.createTempFile("test", ".dat").toFile();
 try (FileOutputStream fos = new FileOutputStream(src);){
 fos.write(toSave);
 }
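Review bot: The permission bits set by the new `Files.createTempFile(...)` call in downloadFile (read/write for the owner only, per its Javadoc) stay with the file if the method later renames tempFile onto destination, so a download into a shared cache directory that used to inherit the umask becomes readable only by the current user; the remainder of downloadFile is outside the hunk, so whether it renames or copies is not visible here, and either way the new behaviour deserves a sentence in the method's Javadoc. CathInstallation.downloadFileFromRemote and Dataset.downloadFile are changed the same way further down and warrant the same check. Separately, FileDownloadUtils.java, FileDownloadUtilsTest.java, Dataset.java and DownloadChemCompProvider.java receive no `import java.nio.file.Files;` in this patch while every other touched file does; presumably it is already imported in those four (this file already calls `Paths.get`), but it is worth a compile before merging.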
@@ -34,7 +34,7 @@ void copyFile() throws IOException {
 File src = createSrcFile();
 //sanity check
 assertEquals(5, src.length());
- File dest = File.createTempFile("dest", ".dat");
+ File dest = Files.createTempFile("dest", ".dat").toFile();
 assertEquals(0, dest.length());
 FileDownloadUtils.copy(src, dest);
 assertEquals(5, dest.length());
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java
index e61a3023bb..86da192310 100644
--- a/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java
+++ b/biojava-core/src/test/java/org/biojava/nbio/core/util/FlatFileCacheTest.java
@@ -9,6 +9,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -24,7 +25,7 @@ void before(){
 }
 File createSmallTmpFile() throws IOException{
- File f = File.createTempFile("flatFile","txt");
+ File f = Files.createTempFile("flatFile", "txt").toFile();
 writeToFile( aDNA, f);
 return f;
 }
diff --git a/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java b/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java
index 70d78e55f8..0a9ace033f 100644
--- a/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java
+++ b/biojava-core/src/test/java/org/biojava/nbio/core/util/XMLHelperTest.java
@@ -67,7 +67,7 @@ Document readTestDoc() throws SAXException, IOException, ParserConfigurationExce
 @Test
 void fileToDocument() throws IOException, SAXException, ParserConfigurationException {
- File tmpFile = File.createTempFile("xml", ".xml");
+ File tmpFile = Files.createTempFile("xml", ".xml").toFile();
 Files.write(Paths.get(tmpFile.getAbsolutePath()), TEST_XML.getBytes());
 Document doc = XMLHelper.loadXML(tmpFile.getAbsolutePath());
 assertParsedDocument(doc);
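Review bot: In XMLHelperTest.fileToDocument the new line converts the `Path` returned by `Files.createTempFile` into a `File` only for the very next line to turn it back into a `Path` through `Paths.get(tmpFile.getAbsolutePath())`, which is a point of style rather than correctness but reads oddly now that the source is already a `Path`. Keeping the `Path` removes the round trip: `Path tmpFile = Files.createTempFile("xml", ".xml"); Files.write(tmpFile, TEST_XML.getBytes()); Document doc = XMLHelper.loadXML(tmpFile.toAbsolutePath().toString());`, assuming loadXML takes a String path as the existing `getAbsolutePath()` call suggests. The file already uses `Files` and `Paths`; `java.nio.file.Path` would need an import only if it is not already there.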
@@ -190,4 +190,4 @@ Document createDocumentWithRootElement() throws ParserConfigurationException {
 doc.appendChild(root);
 return doc;
 }
-}
\ No newline at end of file
+}
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java
index db4fa31328..ba0a5d21a3 100644
--- a/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java
+++ b/biojava-genome/src/test/java/org/biojava/nbio/genome/GeneFeatureHelperTest.java
@@ -36,6 +36,7 @@
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
 import java.util.Collection;
 import java.util.LinkedHashMap;
@@ -78,7 +79,7 @@ public void testLoadFastaAddGeneFeaturesFromUpperCaseExonFastaFile() throws Exce
 .loadFastaAddGeneFeaturesFromUpperCaseExonFastaFile(fastaSequenceFile, uppercaseFastaFile, throwExceptionGeneNotFound);
- File tmp = File.createTempFile("volvox_all_genes_exon_uppercase", "gff3");
+ File tmp = Files.createTempFile("volvox_all_genes_exon_uppercase","gff3").toFile();
 tmp.deleteOnExit();
 FileOutputStream fo = new FileOutputStream(tmp);
 GFF3Writer gff3Writer = new GFF3Writer();
@@ -95,7 +96,7 @@ public void testOutputFastaSequenceLengthGFF3() throws Exception {
 // logger.info("outputFastaSequenceLengthGFF3");
 File fastaSequenceFile = new File("src/test/resources/volvox_all.fna");
- File gffFile = File.createTempFile("volvox_length", "gff3");
+ File gffFile = Files.createTempFile("volvox_length","gff3").toFile();
 gffFile.deleteOnExit();
 GeneFeatureHelper.outputFastaSequenceLengthGFF3(fastaSequenceFile, gffFile);
 FileAssert.assertEquals("volvox_length.gff3 and volvox_length_output.gff3 are not equal", gffFile,
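Review bot: The rewritten call in testLoadFastaAddGeneFeaturesFromUpperCaseExonFastaFile, `Files.createTempFile("volvox_all_genes_exon_uppercase","gff3")`, drops the space after the comma that the removed line had and that the first three files in this patch keep (`Files.createTempFile("test", ".dat")`), so the generated code is formatted inconsistently with the project's own lines. The same missing space appears in every later hunk of this patch (GeneFeatureHelperTest, AbstractFastqReaderTest, AbstractFastqWriterTest, ConvertTest, CathInstallation, DownloadChemCompProvider, FastaAFPChainConverterTest, TestMMCIFWriting, SiftsChainToUniprotMappingTest); a pass with the project formatter before merging would settle all of them at once. Unrelated to this patch but visible on the same line: the suffix `"gff3"` has no leading dot, so the temp file name ends in `…gff3` rather than `.gff3`.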
@@ -135,7 +136,7 @@ public void testGetProteinSequences() throws Exception {
 // for(ProteinSequence proteinSequence : proteinSequenceList.values()){
 // logger.info("Output={}", proteinSequence.getSequenceAsString());
 // }
- File tmp = File.createTempFile("volvox_all", "faa");
+ File tmp = Files.createTempFile("volvox_all","faa").toFile();
 tmp.deleteOnExit();
 FastaWriterHelper.writeProteinSequence(tmp, proteinSequenceList.values());
 FileAssert.assertEquals("volvox_all_reference.faa and volvox_all.faa are not equal", new File(
@@ -155,7 +156,7 @@ public void testGetGeneSequences() throws Exception {
 .getGeneSequences(chromosomeSequenceList.values());
 Collection geneSequences = geneSequenceHashMap.values();
- File tmp = File.createTempFile("volvox_all_genes_exon_uppercase", "fna");
+ File tmp = Files.createTempFile("volvox_all_genes_exon_uppercase","fna").toFile();
 tmp.deleteOnExit();
 FastaWriterHelper.writeGeneSequence(tmp, geneSequences, true);
 }
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java
old mode 100755
new mode 100644
index 6dbfbe968c..7cde3d3ec9
--- a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java
+++ b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqReaderTest.java
@@ -28,6 +28,7 @@
 import java.io.InputStream;
 import java.io.StringReader;
 import java.net.URL;
+import java.nio.file.Files;
 /**
@@ -132,7 +133,7 @@ public void testReadFile() throws Exception
 public void testReadEmptyFile() throws Exception
 {
 FastqReader reader = createFastqReader();
- File empty = File.createTempFile("abstractFastqReaderTest", null);
+ File empty = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 Iterable iterable = reader.read(empty);
 Assert.assertNotNull(iterable);
 int count = 0;
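Review bot: The AbstractFastqReaderTest.java file header flips the file mode (`old mode 100755` / `new mode 100644`), as does AbstractFastqWriterTest.java below, and neither change is mentioned in the commit message, which describes only the temp-file fix. Dropping the executable bit from Java sources is harmless and arguably correct, but a security patch is easiest to audit when it contains only the security change, so either split the mode change into its own commit or add a line to the message stating it is intentional. The new line in testReadEmptyFile itself is fine: a `null` suffix still yields a `.tmp` name with `Files.createTempFile`, as it did with `File.createTempFile`.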
@@ -148,7 +149,7 @@ public void testReadEmptyFile() throws Exception
 public void testReadRoundTripSingleFile() throws Exception
 {
 FastqReader reader = createFastqReader();
- File single = File.createTempFile("abstractFastqReaderTest", null);
+ File single = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 Fastq fastq = createFastq();
 FastqWriter writer = createFastqWriter();
 writer.write(single, fastq);
@@ -167,7 +168,7 @@ public void testReadRoundTripSingleFile() throws Exception
 public void testReadRoundTripMultipleFile() throws Exception
 {
 FastqReader reader = createFastqReader();
- File multiple = File.createTempFile("abstractFastqReaderTest", null);
+ File multiple = Files.createTempFile("abstractFastqReaderTest",null).toFile();
 Fastq fastq0 = createFastq();
 Fastq fastq1 = createFastq();
 Fastq fastq2 = createFastq();
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java
old mode 100755
new mode 100644
index b2596dd51b..cf2b695968
--- a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java
+++ b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/AbstractFastqWriterTest.java
@@ -26,6 +26,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
@@ -134,15 +135,15 @@ public void testWriteFileVararg() throws Exception
 Fastq fastq0 = createFastq();
 Fastq fastq1 = createFastq();
 Fastq fastq2 = createFastq();
- File file0 = File.createTempFile("abstractFastqWriterTest", null);
+ File file0 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file0, fastq0);
- File file1 = File.createTempFile("abstractFastqWriterTest", null);
+ File file1 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file1, fastq0, fastq1);
- File file2 = File.createTempFile("abstractFastqWriterTest", null);
+ File file2 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file2, fastq0, fastq1, fastq2);
- File file3 = File.createTempFile("abstractFastqWriterTest", null);
+ File file3 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file3, fastq0, fastq1, fastq2, null);
- File file4 = File.createTempFile("abstractFastqWriterTest", null);
+ File file4 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file4, (Fastq) null);
 try
@@ -164,26 +165,26 @@ public void testWriteFileIterable() throws Exception
 Fastq fastq1 = createFastq();
 Fastq fastq2 = createFastq();
 List list = new ArrayList();
- File file0 = File.createTempFile("abstractFastqWriterTest", null);
+ File file0 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file0, list);
 list.add(fastq0);
- File file1 = File.createTempFile("abstractFastqWriterTest", null);
+ File file1 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file1, list);
 list.add(fastq1);
- File file2 = File.createTempFile("abstractFastqWriterTest", null);
+ File file2 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file2, list);
 list.add(fastq2);
- File file3 = File.createTempFile("abstractFastqWriterTest", null);
+ File file3 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file3, list);
 list.add(null);
- File file4 = File.createTempFile("abstractFastqWriterTest", null);
+ File file4 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 writer.write(file4, list);
- File file5 = File.createTempFile("abstractFastqWriterTest", null);
+ File file5 = Files.createTempFile("abstractFastqWriterTest",null).toFile();
 try
 {
diff --git a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java
index 0c6775a659..b07e237ef2 100644
--- a/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java
+++ b/biojava-genome/src/test/java/org/biojava/nbio/genome/io/fastq/ConvertTest.java
@@ -22,6 +22,7 @@
 import java.io.File;
 import java.io.FileWriter;
+import java.nio.file.Files;
 import java.util.List;
 import java.util.Map;
@@ -74,7 +75,7 @@ public void testConvert() throws Exception
 FastqWriter writer = writers.get(variant2);
 String expectedFileName = expectedFileNames.get(new FastqVariantPair(variant1, variant2));
- File tmp = File.createTempFile("convertTest", "fastq");
+ File tmp = Files.createTempFile("convertTest","fastq").toFile();
 FileWriter fileWriter = new FileWriter(tmp);
 for (Fastq fastq : reader.read(getClass().getResource(inputFileName)))
 {
diff --git a/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java b/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java
index f2d3ee2e6f..2ad301d112 100644
--- a/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java
+++ b/biojava-modfinder/src/main/java/org/biojava/nbio/phosphosite/Dataset.java
@@ -152,7 +152,7 @@ public void downloadFile(URL u, File localFile) throws IOException {
 logger.info("Downloading " + u);
- File tmp = File.createTempFile("tmp","phosphosite");
+ File tmp = Files.createTempFile("tmp","phosphosite").toFile();
 InputStream is = u.openStream();
diff --git a/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java b/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java
index 45914f6208..3b7f94981a 100644
--- a/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java
+++ b/biojava-structure/src/main/java/org/biojava/nbio/structure/cath/CathInstallation.java
@@ -31,6 +31,7 @@
 import java.io.*;
 import java.net.URL;
+import java.nio.file.Files;
 import java.text.DateFormat;
 import java.text.DecimalFormat;
 import java.text.ParseException;
@@ -639,7 +640,7 @@ protected void downloadFileFromRemote(URL remoteURL, File localFile) throws IOEx
 LOGGER.info("Downloading file {} to local file {}", remoteURL, localFile);
 long timeS = System.currentTimeMillis();
- File tempFile = File.createTempFile(FileDownloadUtils.getFilePrefix(localFile), "."+ FileDownloadUtils.getFileExtension(localFile));
+ File tempFile = Files.createTempFile(FileDownloadUtils.getFilePrefix(localFile),"." + FileDownloadUtils.getFileExtension(localFile)).toFile();
 FileOutputStream out = new FileOutputStream(tempFile);
diff --git a/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java b/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java
index a0a44433a7..f2180dba03 100644
--- a/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java
+++ b/biojava-structure/src/main/java/org/biojava/nbio/structure/chem/DownloadChemCompProvider.java
@@ -378,7 +378,7 @@ private static boolean downloadChemCompRecord(String recordName) {
 String localName = getLocalFileName(recordName);
 File newFile;
 try {
- newFile = File.createTempFile("chemcomp" + recordName, "cif");
+ newFile = Files.createTempFile("chemcomp" + recordName,"cif").toFile();
 logger.debug("Will write chem comp file to temp file {}", newFile.toString());
 } catch(IOException e) {
 logger.error("Could not write to temp directory {} to create the chemical component download temp file", System.getProperty("java.io.tmpdir"));
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java
index da9242e80f..29f4332936 100644
--- a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java
+++ b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/FastaAFPChainConverterTest.java
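Review bot: In DownloadChemCompProvider.downloadChemCompRecord the `catch(IOException e)` two lines below the new call no longer covers every failure of temp-file creation: `Files.createTempFile` is documented to throw `IllegalArgumentException` when the prefix or suffix cannot be used to generate a candidate file name (in the JDK implementation this includes a prefix containing a path separator), whereas `File.createTempFile` surfaced that condition as an `IOException`. Because recordName is embedded in the prefix (`"chemcomp" + recordName`), a malformed record name now escapes the existing logging path as an unchecked exception instead of being reported through the `logger.error` branch; widening the clause to `} catch (IOException | IllegalArgumentException e) {` keeps the old error handling, or recordName can be validated before the prefix is built. The rest of downloadChemCompRecord, including what the catch block returns, is outside the hunk.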
@@ -43,6 +43,7 @@
 import org.xml.sax.SAXException;
 import java.io.*;
+import java.nio.file.Files;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
@@ -164,7 +165,7 @@ public void testFromFasta() throws IOException, StructureException, CompoundNotF
 assertEquals("Wrong number of alnLength",53,afpChain.getAlnLength());
 String xml = AFPChainXMLConverter.toXML(afpChain);
 File expected = new File("src/test/resources/1w0p_1qdm.xml");
- File x = File.createTempFile("1w0p_1qdm_output", "xml.tmp");
+ File x = Files.createTempFile("1w0p_1qdm_output","xml.tmp").toFile();
 x.deleteOnExit();
 BufferedWriter bw = new BufferedWriter(new FileWriter(x));
 bw.write(xml);
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java
index 12b3d1a3b7..d33978cbde 100644
--- a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java
+++ b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/TestMMCIFWriting.java
@@ -25,6 +25,7 @@
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Arrays;
 import org.biojava.nbio.structure.AminoAcidImpl;
@@ -83,7 +84,7 @@ private static void testRoundTrip(String pdbId) throws IOException, StructureExc
 Structure originalStruct = StructureIO.getStructure(pdbId);
- File outputFile = File.createTempFile("biojava_testing_", ".cif");
+ File outputFile = Files.createTempFile("biojava_testing_",".cif").toFile();
 outputFile.deleteOnExit();
diff --git a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java
index 66f3485248..012d01eb13 100644
--- a/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java
+++ b/biojava-structure/src/test/java/org/biojava/nbio/structure/io/sifts/SiftsChainToUniprotMappingTest.java
@@ -30,6 +30,7 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import static org.junit.Assert.assertEquals;
@@ -44,7 +45,7 @@ public class SiftsChainToUniprotMappingTest {
 @Test
 public void test() throws IOException {
- SiftsChainToUniprotMapping.DEFAULT_FILE = File.createTempFile("biojavaSiftsTest-", "");
+ SiftsChainToUniprotMapping.DEFAULT_FILE = Files.createTempFile("biojavaSiftsTest-","").toFile();
 SiftsChainToUniprotMapping.DEFAULT_FILE.deleteOnExit();
 BufferedReader br = new BufferedReader(new InputStreamReader(getClass().getResourceAsStream("mock_sifts.tsv")));