Temporary File Information Disclosure Vulnerability

[Alex111998]

https://github.com/nutzam/nutz/blob/595355b3ce41d5e98538a9ef6cbec7f76fa09345/src/org/nutz/dao/jdbc/Jdbcs.java#L709

Preamble

The system temporary directory is shared between all users on most unix-like systems (not MacOS, or Windows). Thus, code interacting with the system temporary directory must be careful about file interactions in this directory, and must ensure that the correct file permissions are set.

With the default uname configuration, File.createTempFile(..) creates a file with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file.

The chain of calls was detected in this repository in a way that leaves this project vulnerable. File.createTempFile("nutzdao_blob", ".tmp"); --> Files.write(f, in);

Impact

Information in this file is visible to other local users, allowing a malicious actor co-resident on the same machine to view potentially sensitive files.

Other Examples

CVE-2020-15250 - junit-team/junit CVE-2021-21364 - swagger-api/swagger-codegen CVE-2022-24823 - netty/netty CVE-2022-24823 - netty/netty

The Fix

The fix has been to convert the logic above to use the following API that was introduced in Java 1.7. File f = Files.createTempFile("nutzdao_blob", ".tmp").toFile(); The API both creates the file securely, ie. with a random, non-conflicting name, with file permissions that only allow the currently executing user to read or write the contents of this file. By default, Files.createTempFile("temp dir") will create a file with the permissions -rw-------, which only allows the user that created the file to view/write the file contents.