Description
nutz/src/org/nutz/dao/jdbc/Jdbcs.java
Line 709 in 595355b
Preamble
The system temporary directory is shared between all users on most unix-like systems (not MacOS, or Windows). Thus, code interacting with the system temporary directory must be careful about file interactions in this directory, and must ensure that the correct file permissions are set.
With the default uname configuration, File.createTempFile(..) creates a file with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file.
The chain of calls was detected in this repository in a way that leaves this project vulnerable.
File.createTempFile("nutzdao_blob", ".tmp"); --> Files.write(f, in);
Impact
Information in this file is visible to other local users, allowing a malicious actor co-resident on the same machine to view potentially sensitive files.
Other Examples
CVE-2020-15250 - junit-team/junit
CVE-2021-21364 - swagger-api/swagger-codegen
CVE-2022-24823 - netty/netty
CVE-2022-24823 - netty/netty
The Fix
The fix has been to convert the logic above to use the following API that was introduced in Java 1.7.
File f = Files.createTempFile("nutzdao_blob", ".tmp").toFile();
The API both creates the file securely, ie. with a random, non-conflicting name, with file permissions that only allow the currently executing user to read or write the contents of this file.
By default, Files.createTempFile("temp dir") will create a file with the permissions -rw-------, which only allows the user that created the file to view/write the file contents.