vuln-fix: Temporary File Information Disclosure

JLLeitschuh · TeamModerne · mtughan · mtughan · commit dfa928b38ec3 · 2023-06-16T14:56:35.000-04:00
This fixes temporary file information disclosure vulnerability due to the use of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by using the `Files.createTempFile()` method which sets the correct posix permissions. Weakness: CWE-377: Insecure Temporary File Severity: Medium CVSSS: 5.5 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#18 Co-authored-by: Moderne <team@moderne.io> Co-authored-by: Michael Tughan <mtughan@gmail.com>
diff --git a/src/test/java/org/jenkinsci/plugins/scriptler/restapi/ScriptlerRestApiTest.java b/src/test/java/org/jenkinsci/plugins/scriptler/restapi/ScriptlerRestApiTest.java
@@ -12,11 +12,12 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
 
 import org.apache.commons.fileupload.FileItem;
-import org.apache.commons.io.FileUtils;
 import org.jenkinsci.plugins.scriptler.ScriptlerManagementHelper;
 import org.jenkinsci.plugins.scriptler.ScriptlerManagement;
 import org.jenkinsci.plugins.scriptler.config.Parameter;
@@ -51,9 +52,9 @@ public void setup() throws Exception {
     }
     
     private void saveFile(ScriptlerManagementHelper helper, String scriptId, String scriptContent) throws Exception {
-        File f = File.createTempFile(scriptId, "-temp");
-        FileUtils.writeStringToFile(f, scriptContent);
-        FileItem fi = new FileItemImpl(f);
+        Path f = Files.createTempFile("script", "-temp");
+        Files.writeString(f, scriptContent);
+        FileItem fi = new FileItemImpl(f.toFile());
         helper.saveScript(fi, true, scriptId);
     }
     
@@ -126,4 +127,4 @@ public void testUnknownScript() throws Exception {
         JenkinsRule.WebClient webClient = j.createWebClient();
         webClient.goTo("scriptler/runScript?id=unknown.groovy");
     }
-}
+}
