From dabb7718af3e3c4e9a2a455c7bc5c262baa32d66 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Fri, 18 Nov 2022 22:52:27 +0000
Subject: [PATCH] vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne
---
 .../org/apache/tomcat/maven/common/TomcatManagerTest.java | 5 +++--
 .../tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java | 3 ++-
 .../tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java b/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
index 513194a8..e156a0c9 100644
--- a/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
+++ b/common-tomcat-maven-plugin/src/test/java/org/apache/tomcat/maven/common/TomcatManagerTest.java
@@ -35,6 +35,7 @@
 import java.io.IOException;
 import java.io.StringWriter;
 import java.net.URL;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -220,7 +221,7 @@ protected void doPut( HttpServletRequest req, HttpServletResponse resp )
 throws ServletException, IOException
 {
 System.out.println( "put ok:" + req.getRequestURI() );
- File file = File.createTempFile( "tomcat-unit-test", "tmp" );
+ File file = Files.createTempFile( "tomcat-unit-test", "tmp" ).toFile();
 uploadedResources.add( new UploadedResource( req.getRequestURI(), file ) );
 IOUtils.copy( req.getInputStream(), new FileOutputStream( file ) );
 }
@@ -242,7 +243,7 @@ protected void doPut( HttpServletRequest req, HttpServletResponse resp )
 System.out.println( "RedirectServlet put ok:" + req.getRequestURI() );
 if ( req.getRequestURI().contains( "redirectrelative" ) )
 {
- File file = File.createTempFile( "tomcat-unit-test", "tmp" );
+ File file = Files.createTempFile( "tomcat-unit-test", "tmp" ).toFile();
 uploadedResources.add( new UploadedResource( req.getRequestURI(), file ) );
 IOUtils.copy( req.getInputStream(), new FileOutputStream( file ) );
 return;
diff --git a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
index 6f011c93..0e315814 100644
--- a/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
+++ b/tomcat7-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat7/run/AbstractExecWarMojo.java
@@ -52,6 +52,7 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -622,7 +623,7 @@ protected File addContextXmlToWar( File contextXmlFile, File warFile )
 {
 ArchiveOutputStream os = null;
 OutputStream warOutputStream = null;
- File tmpWar = File.createTempFile( "tomcat", "war-exec" );
+ File tmpWar = Files.createTempFile( "tomcat", "war-exec" ).toFile();
 tmpWar.deleteOnExit();
 try
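Review bot: The `new FileOutputStream( file )` handed to `IOUtils.copy` on the line after the changed one is never closed, so the handle on the freshly created temp file outlives the request; the `redirectrelative` hunk at -242 has the same pattern. Wrapping the copy in try-with-resources fixes it without new imports and keeps the owner-only permissions the new `Files.createTempFile` call gives the file, because it opens the existing file rather than recreating it: `try ( FileOutputStream out = new FileOutputStream( file ) )`, `{ IOUtils.copy( req.getInputStream(), out ); }`. Nothing visible in either hunk deletes `file` after the assertion, so unless the test tears down `uploadedResources` elsewhere each run leaves the uploaded payload in the JVM temp directory. `doPut`'s enclosing servlet class and the end of the -242 method are outside the hunk.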
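Review bot: The owner-only mode that `Files.createTempFile` applies to `tmpWar` on the changed line is only guaranteed on file systems with POSIX permissions; on other file systems the WAR inherits the temp directory's default access control, so the change narrows the exposure rather than removing it, and nothing on the line says why the NIO call is used, which invites a later revert to `File.createTempFile`. A comment would pin the intent: `// Files.createTempFile, not File.createTempFile: creates the file rw------- where POSIX permissions apply`. `tmpWar.deleteOnExit()` on the following line only runs on an orderly JVM shutdown, so the unpacked WAR persists after a crash or kill; whether it can be removed earlier depends on what the method returns, which is outside the hunk. The identical hunk at -614 in the tomcat8 `AbstractExecWarMojo` has the same points. `addContextXmlToWar`'s body continues past the hunk.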
diff --git a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
index 64262ec6..3927332a 100644
--- a/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
+++ b/tomcat8-maven-plugin/src/main/java/org/apache/tomcat/maven/plugin/tomcat8/run/AbstractExecWarMojo.java
@@ -52,6 +52,7 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -614,7 +615,7 @@ protected File addContextXmlToWar( File contextXmlFile, File warFile )
 {
 ArchiveOutputStream os = null;
 OutputStream warOutputStream = null;
- File tmpWar = File.createTempFile( "tomcat", "war-exec" );
+ File tmpWar = Files.createTempFile( "tomcat", "war-exec" ).toFile();
 tmpWar.deleteOnExit();
 try