You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@rocketmq.apache.org by pi...@apache.org on 2022/11/21 12:38:17 UTC
[rocketmq-mqtt] branch main updated: vuln-fix: Temporary File Information Disclosure
This is an automated email from the ASF dual-hosted git repository.
pingww pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/rocketmq-mqtt.git
The following commit(s) were added to refs/heads/main by this push:
new 2b9a3e0 vuln-fix: Temporary File Information Disclosure
new 3d869af Merge pull request #169 from BulkSecurityGeneratorProjectV2/fix/JLL/temporary_file_local_information_disclosure
2b9a3e0 is described below
commit 2b9a3e00fe4004df537f3bfe487d208edc318f03
Author: Jonathan Leitschuh <Jo...@gmail.com>
AuthorDate: Sat Nov 19 02:13:24 2022 +0000
vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <Jo...@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jo...@gmail.com>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <te...@moderne.io>
---
.../org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java b/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
index df4506c..adce253 100644
--- a/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
+++ b/mqtt-exporter/src/main/java/org/apache/rocketmq/mqtt/exporter/http/BackedFileOutputStream.java
@@ -25,6 +25,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.nio.file.Files;
import java.util.Objects;
import com.google.common.io.ByteSource;
@@ -198,7 +199,7 @@ public class BackedFileOutputStream extends OutputStream {
*/
private void update(int len) throws IOException {
if (memory != null && (memory.getCount() + len > fileThreshold)) {
- File temp = File.createTempFile("FileBackedOutputStream", null, parentDirectory);
+ File temp = Files.createTempFile(parentDirectory.toPath(), "FileBackedOutputStream", null).toFile();
if (resetOnFinalize) {
// Finalizers are not guaranteed to be called on system shutdown;
// this is insurance.