vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure. Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions Severity: High CVSSS: 7.3 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#10 Co-authored-by: Moderne <team@moderne.io>
BulkSecurityGeneratorProjectV2 · Oct 4, 2022 · ec9ba26 · ec9ba26
1 parent 3b20050
commit ec9ba26
Showing 1 changed file with 2 additions and 11 deletions.
diff --git a/ugs-core/test/com/willwinder/universalgcodesender/utils/GcodeStreamTest.java b/ugs-core/test/com/willwinder/universalgcodesender/utils/GcodeStreamTest.java
@@ -21,6 +21,7 @@ This file is part of Universal Gcode Sender (UGS).
 import com.willwinder.universalgcodesender.types.GcodeCommand;
 
 import java.io.*;
+import java.nio.file.Files;
 
 import org.apache.commons.io.FileUtils;
 import org.junit.AfterClass;
@@ -40,17 +41,7 @@ public static File createTempDirectory() throws IOException
     {
         final File temp;
 
-        temp = File.createTempFile("temp", Long.toString(System.nanoTime()));
-
-        if(!(temp.delete()))
-        {
-            throw new IOException("Could not delete temp file: " + temp.getAbsolutePath());
-        }
-
-        if(!(temp.mkdir()))
-        {
-            throw new IOException("Could not create temp directory: " + temp.getAbsolutePath());
-        }
+        temp = Files.createTempDirectory("temp" + Long.toString(System.nanoTime())).toFile();
 
         return (temp);
     }