Posted to commits@rocketmq.apache.org by pi...@apache.org on 2022/11/21 12:38:17 UTC

[rocketmq-mqtt] branch main updated: vuln-fix: Temporary File Information Disclosure

This is an automated email from the ASF dual-hosted git repository.

pingww pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/rocketmq-mqtt.git


The following commit(s) were added to refs/heads/main by this push:
     new 2b9a3e0  vuln-fix: Temporary File Information Disclosure
     new 3d869af  Merge pull request #169 from BulkSecurityGeneratorProjectV2/fix/JLL/temporary_file_local_information_disclosure
2b9a3e0 is described below

commit 2b9a3e00fe4004df537f3bfe487d208edc318f03
Author: Jonathan Leitschuh <Jo...@gmail.com>
AuthorDate: Sat Nov 19 02:13:24 2022 +0000

    vuln-fix: Temporary File Information Disclosure
    
    This fixes temporary file information disclosure vulnerability due to the use
    of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
    using the `Files.createTempFile()` method which sets the correct posix permissions.
    
    Weakness: CWE-377: Insecure Temporary File
    Severity: Medium
    CVSS: 5.5
    Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
    
    Reported-by: Jonathan Leitschuh <Jo...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <Jo...@gmail.com>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
    
    Co-authored-by: Moderne <te...@moderne.io>
---
 .../org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java b/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
index df4506c..adce253 100644
--- a/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
+++ b/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
@@ -25,6 +25,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 import java.util.Objects;
 
 import com.google.common.io.ByteSource;
@@ -198,7 +199,7 @@ public class BackedFileOutputStream extends OutputStream {
      */
     private void update(int len) throws IOException {
         if (memory != null && (memory.getCount() + len > fileThreshold)) {
-            File temp = File.createTempFile("FileBackedOutputStream", null, parentDirectory);
+            File temp = Files.createTempFile(parentDirectory.toPath(), "FileBackedOutputStream", null).toFile();
             if (resetOnFinalize) {
                 // Finalizers are not guaranteed to be called on system shutdown;
                 // this is insurance.
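Review bot: `parentDirectory.toPath()` on the added line throws a NullPointerException when `parentDirectory` is null, whereas the removed `File.createTempFile("FileBackedOutputStream", null, parentDirectory)` accepted a null directory and fell back to `java.io.tmpdir`. If a null parent is a supported configuration of `BackedFileOutputStream`, keep that fallback by branching on it, e.g. `parentDirectory == null ? Files.createTempFile("FileBackedOutputStream", null) : Files.createTempFile(parentDirectory.toPath(), "FileBackedOutputStream", null)`, or reject null in the constructor so the failure is explicit rather than a late NPE inside `update(int)`. The switch to `Files.createTempFile` is otherwise the right fix: on POSIX file systems it creates the file with owner-only permissions (rw-------) at creation time, so the in-memory buffer spilled to disk once `fileThreshold` is exceeded is not readable by other local users, which is the CWE-377 exposure that `File.createTempFile` (umask-dependent, typically world-readable) left open.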