Posted to notifications@groovy.apache.org by GitBox <gi...@apache.org> on 2020/11/19 14:15:54 UTC

[GitHub] [groovy] muse-dev[bot] commented on a change in pull request #1425: use newer api for creating temp dir

muse-dev[bot] commented on a change in pull request #1425:
URL: https://github.com/apache/groovy/pull/1425#discussion_r526919199



##########
File path: src/main/java/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
##########
@@ -211,42 +213,21 @@ public static ResourceBundle getBundle(ResourceBundle self, String bundleName, L
     }
 
     public static File createTempDir(File self) throws IOException {
-        return createTempDir(self, "groovy-generated-", "-tmpdir");
+        return createTempDir(self, "groovy-generated-", "tmpdir-");
+    }
+
+    public static File createTempDir(File self, final String prefix) throws IOException {
+        return createTempDirNio(prefix);
     }
 
     public static File createTempDir(File self, final String prefix, final String suffix) throws IOException {
-        final int MAXTRIES = 3;
-        int accessDeniedCounter = 0;
-        File tempFile=null;
-        for (int i=0; i<MAXTRIES; i++) {
-            try {
-                tempFile = File.createTempFile(prefix, suffix);
-                tempFile.delete();
-                tempFile.mkdirs();
-                break;
-            } catch (IOException ioe) {
-                if (ioe.getMessage().startsWith("Access is denied")) {
-                    accessDeniedCounter++;
-                    try {
-                        Thread.sleep(100);
-                    } catch (InterruptedException ignore) {
-                    }
-                }
-                if (i == MAXTRIES - 1) {
-                    if (accessDeniedCounter == MAXTRIES) {
-                        String msg = "Access is denied.\nWe tried " + accessDeniedCounter +
-                                " times to create a temporary directory and failed each time." +
-                                " If you are on Windows, you are possibly victim to" +
-                                " http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169." +
-                                " This is not a bug in Groovy.";
-                        throw new IOException(msg);
-                    } else {
-                        throw ioe;
-                    }
-                }
-            }
-        }
-        return tempFile;
+        // more secure Files api doesn't support suffix, so just append it to the prefix
+        return createTempDirNio(prefix + suffix);
+    }
+
+    private static File createTempDirNio(String prefix) throws IOException {
+        Path tempPath = Files.createTempDirectory(prefix);
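
Review bot: In the three-argument createTempDir, `createTempDirNio(prefix + suffix)` changes what the suffix means without documenting it. The directory name used to end with the suffix; now the suffix sits in the middle, ahead of the random part that Files.createTempDirectory appends. Existing callers that find or clean up these directories by matching on the trailing suffix will stop matching. The no-argument overload shows the same shift, with "-tmpdir" becoming "tmpdir-". Please state the new naming in the method's Javadoc rather than only in the inline comment, and add Javadoc to the new public two-argument overload. It is also worth confirming that dropping the "Access is denied" retry loop is intentional, since nothing in the visible lines replaces it.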

Review comment:
       *PATH_TRAVERSAL_IN:*  This API (java/nio/file/Files.createTempDirectory(Ljava/lang/String;[Ljava/nio/file/attribute/FileAttribute;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input [(details)](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org