
[FLINK-37666]: Address CWE-378: Creation of Temporary File With Insecure Permissions in Temporary File Creation

Open atu-sharm opened this issue 8 months ago • 8 comments

What is the purpose of the change

The purpose of the change is to replace the usage of File.createTempFile with Files.createTempFile across multiple classes in the Flink project. This change ensures better alignment with modern Java APIs (java.nio.file.Files) for creating temporary files, which provide improved functionality and flexibility.

Brief change log

PackagedProgram.java:

  • Replaced File.createTempFile with Files.createTempFile in the createTempFile method.

ChangelogStreamHandleReaderWithCache.java:

  • Updated the downloadToCacheFile method to use Files.createTempFile instead of File.createTempFile.

StreamWindowSQLExample.java:

  • Modified the createTempFile method to use Files.createTempFile for creating temporary files.

YarnClusterDescriptor.java:

  • Replaced File.createTempFile with Files.createTempFile in two locations:
    • While creating a temporary file for the jobGraph.
    • While creating a temporary file for the Flink configuration file.

Verifying this change

Please make sure both new and modified tests in this PR follow the conventions for tests defined in our code quality guide.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

atu-sharm, Apr 13 '25 10:04
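The reason the swap addresses CWE-378 is the permission mode each API uses, which the description above does not spell out. On a POSIX file system, java.io.File.createTempFile creates the file with the process umask applied to 0666 (typically 0644, readable by every local user), while java.nio.file.Files.createTempFile creates it exclusively with owner-only permissions (0600) and also accepts explicit file attributes. The following is an added example, not code from this PR or from Flink; the class name, the method names, the prefixes and the helper isOwnerOnly are assumptions chosen for illustration. It creates a file with each API, prints the resulting permission string, and checks whether any group or other bit is set.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (not Flink code): compare the permissions each
 * temp-file API produces on a POSIX file system.
 */
public class TempFilePermissions {

    // "Before": java.io.File applies the process umask to 0666,
    // so the file is usually 0644 and readable by other local users.
    static Path legacyTempFile(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f.toPath();
    }

    // "After": java.nio.file.Files creates the file exclusively and,
    // on POSIX, with owner-only permissions (rw-------).
    static Path nioTempFile(String prefix, String suffix) throws IOException {
        Path p = Files.createTempFile(prefix, suffix);
        p.toFile().deleteOnExit();
        return p;
    }

    // When a caller-supplied directory is used, the mode can be made
    // explicit instead of relying on the platform default.
    static Path nioTempFileExplicit(Path dir, String prefix, String suffix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path p = Files.createTempFile(dir, prefix, suffix,
                PosixFilePermissions.asFileAttribute(ownerOnly));
        p.toFile().deleteOnExit();
        return p;
    }

    // Check used below: true only if no GROUP_* or OTHERS_* bit is set.
    static boolean isOwnerOnly(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            String name = perm.name();
            if (name.startsWith("GROUP_") || name.startsWith("OTHERS_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
        if (!posix) {
            // On Windows the permission model is ACL based; the POSIX
            // comparison below does not apply there.
            System.out.println("Not a POSIX file system; nothing to compare.");
            return;
        }

        Path legacy = legacyTempFile("example-legacy-", ".tmp");
        Path nio = nioTempFile("example-nio-", ".tmp");
        Path explicit = nioTempFileExplicit(nio.getParent(), "example-explicit-", ".tmp");

        for (Path p : new Path[] {legacy, nio, explicit}) {
            System.out.printf("%-40s %s owner-only=%b%n",
                    p.getFileName(),
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                    isOwnerOnly(p));
        }

        Files.deleteIfExists(legacy);
        Files.deleteIfExists(nio);
        Files.deleteIfExists(explicit);
    }
}
```

With a default umask of 022 the first line typically reports rw-r--r-- and owner-only=false, the other two rw------- and owner-only=true. The caveat to keep in mind when reviewing a change like this one is that the owner-only default of Files.createTempFile is a POSIX property; on a non-POSIX file system the file inherits the directory's default ACL, so a code path that must guarantee a mode should pass the attribute explicitly as the third method does.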

CI report:

  • ac7c20135abd59ceb12a5fa643a254e2ea78e2f0 Azure: SUCCESS
Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

flinkbot, Apr 13 '25 11:04

@flinkbot run azure

atu-sharm, Apr 13 '25 11:04

@flinkbot run azure

atu-sharm, Apr 13 '25 11:04

@flinkbot run azure

atu-sharm, Apr 13 '25 13:04

@flinkbot run azure

atu-sharm, Apr 13 '25 14:04

@flinkbot run azure

atu-sharm, Apr 13 '25 15:04

Sure, thanks for your review, will add changes :)

atu-sharm, Apr 14 '25 14:04

Made changes according to the comments @davidradl :)

atu-sharm, Apr 14 '25 15:04