Apply security fixes featuring refasterrules.FileRulesRecipes

Author: Vincent Potucek

core/src/main/java/hudson/FilePath.java

@@ -680,7 +680,7 @@ public Void invoke(File dir, VirtualChannel channel) throws IOException {
     }
 
     private static void unzip(File dir, InputStream in) throws IOException {
-        File tmpFile = File.createTempFile("tmpzip", null); // uses java.io.tmpdir
+        File tmpFile = Files.createTempFile("tmpzip", null).toFile(); // uses java.io.tmpdir
         try {
             // TODO why does this not simply use ZipInputStream?
             IOUtils.copy(in, tmpFile);
@@ -1582,7 +1582,7 @@ private static class CreateTempFile extends MasterToSlaveFileCallable<String> {
 
         @Override
         public String invoke(File dir, VirtualChannel channel) throws IOException {
-            File f = File.createTempFile(prefix, suffix, dir);
+            File f = Files.createTempFile(dir.toPath(), prefix, suffix).toFile();
             return f.getName();
         }
     }
@@ -1660,7 +1660,7 @@ public String invoke(File dir, VirtualChannel channel) throws IOException {
 
             File f;
             try {
-                f = File.createTempFile(prefix, suffix, dir);
+                f = Files.createTempFile(dir.toPath(), prefix, suffix).toFile();
             } catch (IOException e) {
                 throw new IOException("Failed to create a temporary directory in " + dir, e);
             }

core/src/main/java/hudson/Main.java

@@ -143,7 +143,7 @@ public static int remotePost(String[] args) throws Exception {
         }
 
         // write the output to a temporary file first.
-        File tmpFile = File.createTempFile("jenkins", "log");
+        File tmpFile = Files.createTempFile("jenkins", "log").toFile();
         try {
             int ret;
             try (OutputStream os = Files.newOutputStream(tmpFile.toPath());

core/src/main/java/hudson/PluginManager.java

@@ -88,7 +88,7 @@
 import java.net.http.HttpRequest;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
-import java.nio.file.Paths;
+import java.nio.file.Path;
 import java.nio.file.attribute.FileTime;
 import java.security.CodeSource;
 import java.time.Duration;
@@ -1396,7 +1396,7 @@ public PluginWrapper whichPlugin(Class c) {
                     if ("file".equals(loc.getProtocol())) {
                         File file;
                         try {
-                            file = Paths.get(loc.toURI()).toFile();
+                            file = Path.of(loc.toURI()).toFile();
                         } catch (InvalidPathException | URISyntaxException e) {
                             LOGGER.log(Level.WARNING, "could not inspect " + loc, e);
                             return null;
@@ -1962,7 +1962,7 @@ private HttpResponse doUploadPluginImpl(StaplerRequest2 req) throws IOException,
             }
 
             // first copy into a temporary file name
-            File t = File.createTempFile("uploaded", ".jpi", tmpDir);
+            File t = Files.createTempFile(tmpDir.toPath(), "uploaded", ".jpi").toFile();
             tmpDir.deleteOnExit();
             t.deleteOnExit();
             // TODO Remove this workaround after FILEUPLOAD-293 is resolved.

core/src/main/java/hudson/Util.java

@@ -1306,7 +1306,7 @@ private static void reportAtomicFailure(@NonNull Path pathForSymlink, @NonNull E
     @CheckReturnValue
     private static boolean createSymlinkAtomic(@NonNull Path pathForSymlink, @NonNull File fileForSymlink, @NonNull Path target, @NonNull String symlinkPath) {
         try {
-            File symlink = File.createTempFile("symtmp", null, fileForSymlink);
+            File symlink = Files.createTempFile(fileForSymlink.toPath(), "symtmp", null).toFile();
             tryToDeleteSymlink(symlink);
             Path tempSymlinkPath = symlink.toPath();
             Files.createSymbolicLink(tempSymlinkPath, target);

core/src/main/java/hudson/WebAppMain.java

@@ -224,7 +224,7 @@ public Locale get() {
             // even if the temp directory doesn't exist.
             // check that and report an error
             try {
-                File f = File.createTempFile("test", "test");
+                File f = Files.createTempFile("test", "test").toFile();
                 boolean result = f.delete();
                 if (!result) {
                     LOGGER.log(FINE, "Temp file test.test could not be deleted.");

core/src/main/java/hudson/cli/InstallPluginCommand.java

@@ -169,7 +169,7 @@ protected int run() throws Exception {
     }
 
     private static File getTmpFile() throws Exception {
-        return File.createTempFile("download", ".jpi.tmp", Jenkins.get().getPluginManager().rootDir);
+        return Files.createTempFile(Jenkins.get().getPluginManager().rootDir.toPath(), "download", ".jpi.tmp").toFile();
     }
 
     private static File moveToFinalLocation(File tmpFile) throws Exception {

core/src/main/java/hudson/scm/SCM.java

@@ -516,7 +516,7 @@ public void checkout(
                         BuildListener.class,
                         File.class)) {
             if (changelogFile == null) {
-                changelogFile = File.createTempFile("changelog", ".xml");
+                changelogFile = Files.createTempFile("changelog", ".xml").toFile();
                 try {
                     if (!checkout((AbstractBuild) build, launcher, workspace, (BuildListener) listener, changelogFile)) {
                         throw new AbortException();

core/src/main/java/hudson/util/AtomicFileWriter.java

@@ -155,7 +155,7 @@ public AtomicFileWriter(@NonNull Path destinationPath, @NonNull Charset charset,
 
         try {
             // JENKINS-48407: NIO's createTempFile creates file with 0600 permissions, so we use pre-NIO for this...
-            tmpPath = File.createTempFile(destPath.getFileName() + "-atomic", "tmp", dir.toFile()).toPath();
+            tmpPath = Files.createTempFile(dir, destPath.getFileName() + "-atomic", "tmp");
         } catch (IOException e) {
             throw new IOException("Failed to create a temporary file in " + dir, e);
         }

core/src/main/java/hudson/util/RemotingDiagnostics.java

@@ -184,7 +184,7 @@ public static FilePath getHeapDump(VirtualChannel channel) throws IOException, I
     private static class GetHeapDump extends MasterToSlaveCallable<FilePath, IOException> {
             @Override
             public FilePath call() throws IOException {
-                final File hprof = File.createTempFile("hudson-heapdump", ".hprof");
+                final File hprof = Files.createTempFile("hudson-heapdump", ".hprof").toFile();
                 Files.delete(Util.fileToPath(hprof));
                 try {
                     MBeanServer server = ManagementFactory.getPlatformMBeanServer();

core/src/main/java/jenkins/install/SetupWizard.java

@@ -245,7 +245,7 @@ private void createInitialApiToken(User user) throws IOException, InterruptedExc
                 }
 
                 try {
-                    plainText = Files.readString(apiTokenFile, StandardCharsets.UTF_8);
+                    plainText = Files.readString(apiTokenFile);
                     LOGGER.log(Level.INFO, "API Token generated using contents of file: {0}", apiTokenFile.toAbsolutePath());
                 } catch (IOException e) {
                     LOGGER.log(Level.WARNING, String.format("The API Token cannot be retrieved from the file: %s", apiTokenFile), e);
@@ -483,7 +483,7 @@ public VersionNumber getCurrentLevel() {
         File state = getUpdateStateFile();
         if (state.exists()) {
             try {
-                String version = Files.readString(Util.fileToPath(state), StandardCharsets.UTF_8);
+                String version = Files.readString(Util.fileToPath(state));
                 if (version == null || version.isBlank()) {
                     version = "1.0";
                 }