vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#10


Co-authored-by: Moderne <[email protected]>

Author: JLLeitschuh

src/test/java/net/imagej/ui/swing/updater/UpdaterGUITest.java

@@ -38,6 +38,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
+import java.nio.file.Files;
 import java.util.jar.JarEntry;
 import java.util.jar.JarInputStream;
 import java.util.jar.JarOutputStream;
@@ -290,9 +291,7 @@ private static void assertTrue(boolean condition) {
 	 * @throws IOException
 	 */
 	protected static File createTempDirectory(final String prefix) throws IOException {
-		final File file = File.createTempFile(prefix, "");
-		file.delete();
-		file.mkdir();
+		final File file = Files.createTempDirectory(prefix).toFile();
 		return file;
 	}
 }