This is an automated email from the ASF dual-hosted git repository.
xxyu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/main by this push:
new 45341307d5 vuln-fix: Temporary File Information Disclosure
45341307d5 is described below
commit 45341307d573c181fa343a34e95fc76b89a5e0ba
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Fri Nov 18 22:53:02 2022 +0000
vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the
use
of the vulnerable `File.createTempFile()` method. The vulnerability is
fixed by
using the `Files.createTempFile()` method which sets the correct posix
permissions.
Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite
(https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)
Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18
Co-authored-by: Moderne <[email protected]>
---
.../java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java | 3 ++-
.../main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java | 3 ++-
.../org/apache/kylin/common/persistence/AutoDeleteDirectory.java | 3 ++-
.../java/org/apache/kylin/common/persistence/FileResourceStore.java | 3 ++-
.../main/java/org/apache/kylin/common/persistence/ResourceStore.java | 3 ++-
.../src/test/java/org/apache/kylin/common/util/SSHClientTest.java | 3 ++-
.../src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java | 3 ++-
.../src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java | 3 ++-
core-metadata/src/test/java/org/apache/kylin/source/H2Database.java | 3 ++-
.../org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java | 3 ++-
.../src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java | 3 ++-
.../main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java | 3 ++-
.../java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java | 3 ++-
tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java | 5 +++--
14 files changed, 29 insertions(+), 15 deletions(-)
diff --git
a/build-engine/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java
b/build-engine/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java
index fd4d4133bd..e2f7e0b5f6 100644
---
a/build-engine/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java
+++
b/build-engine/src/main/java/org/apache/kylin/engine/mr/common/AbstractHadoopJob.java
@@ -29,6 +29,7 @@ import static
org.apache.kylin.engine.mr.common.JobRelatedMetaUtil.collectCubeMe
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Files;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
@@ -595,7 +596,7 @@ public abstract class AbstractHadoopJob extends Configured
implements Tool {
protected void dumpKylinPropsAndMetadata(String prj, Set<String> dumpList,
KylinConfig kylinConfig,
Configuration conf) throws IOException {
- File tmp = File.createTempFile("kylin_job_meta", "");
+ File tmp = Files.createTempFile("kylin_job_meta", "").toFile();
FileUtils.forceDelete(tmp); // we need a directory, so delete the file
first
File metaDir = new File(tmp, "meta");
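Review bot: The hardened temp file is deleted again on the very next line and its name is then reused as a directory (`new File(tmp, "meta")`, with the `mkdirs()` presumably following outside the hunk), which reopens exactly the window this commit closes: between `forceDelete` and the directory creation another local user can claim the path, and `File.mkdirs()` creates it with the process umask rather than 0700. `Files.createTempDirectory` creates the directory atomically with owner-only permissions on POSIX, so the delete-then-recreate step can go: `File tmp = Files.createTempDirectory("kylin_job_meta").toFile();` and drop the `FileUtils.forceDelete(tmp)` line. `dumpKylinPropsAndMetadata` continues past the end of the hunk.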
diff --git
a/build-engine/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java
b/build-engine/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java
index 14f0cbf0ae..ae06fa8bd9 100644
---
a/build-engine/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java
+++
b/build-engine/src/main/java/org/apache/kylin/engine/mr/common/CubeStatsReader.java
@@ -26,6 +26,7 @@ import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import java.text.DecimalFormat;
import java.text.DecimalFormatSymbols;
import java.util.ArrayList;
@@ -156,7 +157,7 @@ public class CubeStatsReader {
}
private File writeTmpSeqFile(InputStream inputStream) throws IOException {
- File tempFile = File.createTempFile("kylin_stats_tmp", ".seq");
+ File tempFile = Files.createTempFile("kylin_stats_tmp",
".seq").toFile();
FileOutputStream out = null;
try {
out = new FileOutputStream(tempFile);
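Review bot: `writeTmpSeqFile` now has a `Path` in hand but immediately converts it back to a `File` and copies the stream by hand through a nullable `FileOutputStream` (the try/finally continues outside the hunk). `Files.copy(inputStream, tmp, StandardCopyOption.REPLACE_EXISTING)` does the same copy in one call and does not close the caller's input stream, so the method can become `Path tmp = Files.createTempFile("kylin_stats_tmp", ".seq"); Files.copy(inputStream, tmp, StandardCopyOption.REPLACE_EXISTING); return tmp.toFile();` (needs `java.nio.file.StandardCopyOption`). The file holds cube statistics and no `deleteOnExit` is set here, so whichever form is kept, the caller's cleanup of the returned file is worth confirming.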
diff --git
a/core-common/src/main/java/org/apache/kylin/common/persistence/AutoDeleteDirectory.java
b/core-common/src/main/java/org/apache/kylin/common/persistence/AutoDeleteDirectory.java
index a496ba8d3f..8ce05f8e95 100644
---
a/core-common/src/main/java/org/apache/kylin/common/persistence/AutoDeleteDirectory.java
+++
b/core-common/src/main/java/org/apache/kylin/common/persistence/AutoDeleteDirectory.java
@@ -21,6 +21,7 @@ package org.apache.kylin.common.persistence;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
+import java.nio.file.Files;
public class AutoDeleteDirectory implements Closeable {
@@ -31,7 +32,7 @@ public class AutoDeleteDirectory implements Closeable {
}
public AutoDeleteDirectory(String prefix, String suffix) {
try {
- tempFile = File.createTempFile(prefix, suffix);
+ tempFile = Files.createTempFile(prefix, suffix).toFile();
org.apache.commons.io.FileUtils.forceDelete(tempFile); // we need
a directory, so delete the file first
tempFile.mkdirs();
} catch (IOException e) {
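Review bot: The directory case is not actually fixed here: the 0600 temp file is deleted on the following line and `tempFile.mkdirs()` then recreates the name as a directory with the process umask and no exclusive-create guarantee, so another local user can pre-create or symlink the path in between. `Files.createTempDirectory(prefix)` creates the directory atomically with owner-only permissions on POSIX: `tempFile = Files.createTempDirectory(prefix).toFile();` and the `forceDelete`/`mkdirs` lines go away. `createTempDirectory` has no suffix parameter, so `suffix` would no longer appear in the name; if callers rely on it, document that it is ignored or fold it into the prefix. The constructor's catch block lies outside the hunk.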
diff --git
a/core-common/src/main/java/org/apache/kylin/common/persistence/FileResourceStore.java
b/core-common/src/main/java/org/apache/kylin/common/persistence/FileResourceStore.java
index 75c625bdd0..8ab9b6a99e 100644
---
a/core-common/src/main/java/org/apache/kylin/common/persistence/FileResourceStore.java
+++
b/core-common/src/main/java/org/apache/kylin/common/persistence/FileResourceStore.java
@@ -24,6 +24,7 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
+import java.nio.file.Files;
import java.util.Collection;
import org.apache.commons.io.FileUtils;
@@ -130,7 +131,7 @@ public class FileResourceStore extends ResourceStore {
if (--failPutResourceCountDown == 0)
throw new IOException("for test");
- File tmp = File.createTempFile("kylin-fileresource-", ".tmp");
+ File tmp = Files.createTempFile("kylin-fileresource-",
".tmp").toFile();
try {
try (FileOutputStream out = new FileOutputStream(tmp);
DataOutputStream dout = new DataOutputStream(out)) {
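Review bot: The temp file is created in `java.io.tmpdir`, which is commonly a different filesystem from the resource store root; if the method later renames `tmp` into its final location (the rest of the method is outside the hunk), that rename is not atomic across devices and `File.renameTo` simply returns false on many platforms. Creating the temp file next to its destination, `Files.createTempFile(<destination>.getParentFile().toPath(), "kylin-fileresource-", ".tmp")`, keeps the eventual move a same-device rename and keeps the owner-only mode, since the `dir` overload applies the same permissions. If the method copies rather than renames, this is moot and the hunk is fine as is.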
diff --git
a/core-common/src/main/java/org/apache/kylin/common/persistence/ResourceStore.java
b/core-common/src/main/java/org/apache/kylin/common/persistence/ResourceStore.java
index 65d4f59f2d..0a332bb9bb 100644
---
a/core-common/src/main/java/org/apache/kylin/common/persistence/ResourceStore.java
+++
b/core-common/src/main/java/org/apache/kylin/common/persistence/ResourceStore.java
@@ -24,6 +24,7 @@ import java.io.DataOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
@@ -787,7 +788,7 @@ abstract public class ResourceStore {
boolean loadContent, Visitor visitor) throws IOException;
public static String dumpResources(KylinConfig kylinConfig,
Collection<String> dumpList) throws IOException {
- File tmp = File.createTempFile("kylin_job_meta", "");
+ File tmp = Files.createTempFile("kylin_job_meta", "").toFile();
FileUtils.forceDelete(tmp); // we need a directory, so delete the file
first
File metaDir = new File(tmp, "meta");
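Review bot: Same pattern as in `AbstractHadoopJob.dumpKylinPropsAndMetadata`: the securely created file is deleted right after and the name reused for a directory, so the TOCTOU window and umask-default permissions are back for the metadata dump. Use `File tmp = Files.createTempDirectory("kylin_job_meta").toFile();` and remove the `FileUtils.forceDelete(tmp)` line. The two dump methods appear to be copies of each other; having `AbstractHadoopJob` delegate to this static method would leave one place to keep correct. `dumpResources` continues past the hunk.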
diff --git
a/core-common/src/test/java/org/apache/kylin/common/util/SSHClientTest.java
b/core-common/src/test/java/org/apache/kylin/common/util/SSHClientTest.java
index f93a0e3bfa..4a3d475f48 100644
--- a/core-common/src/test/java/org/apache/kylin/common/util/SSHClientTest.java
+++ b/core-common/src/test/java/org/apache/kylin/common/util/SSHClientTest.java
@@ -23,6 +23,7 @@ import static org.junit.Assert.assertEquals;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
+import java.nio.file.Files;
import org.apache.commons.io.FileUtils;
import org.apache.kylin.common.KylinConfig;
@@ -81,7 +82,7 @@ public class SSHClientTest extends LocalFileMetadataTestCase {
return;
SSHClient ssh = new SSHClient(this.hostname, this.port, this.username,
this.password);
- File tmpFile = File.createTempFile("test_scp", "", new File("/tmp"));
+ File tmpFile = Files.createTempFile(new File("/tmp").toPath(),
"test_scp", "").toFile();
tmpFile.deleteOnExit();
FileUtils.write(tmpFile, "test_scp", Charset.defaultCharset());
ssh.scpFileToRemote(tmpFile.getAbsolutePath(), "/tmp");
diff --git
a/core-cube/src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java
b/core-cube/src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java
index ff66805e56..aba0d2fc28 100644
--- a/core-cube/src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java
+++ b/core-cube/src/main/java/org/apache/kylin/gridtable/GTAggregateScanner.java
@@ -30,6 +30,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
+import java.nio.file.Files;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Iterator;
@@ -666,7 +667,7 @@ public class GTAggregateScanner implements IGTScanner,
IGTBypassChecker {
DataInputStream dis;
public Dump(SortedMap<byte[], MeasureAggregator[]> buffMap, long
estMemSize) throws IOException {
- this.dumpedFile = File.createTempFile("KYLIN_SPILL_", ".tmp");
+ this.dumpedFile = Files.createTempFile("KYLIN_SPILL_",
".tmp").toFile();
this.buffMap = buffMap;
this.estMemSize = estMemSize;
}
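Review bot: `Dump` now gets an owner-only spill file, but nothing in this constructor arranges for its removal, and the spill holds intermediate aggregation results for the query. Please confirm that the scanner's close path deletes `dumpedFile` (it is outside the hunk); if it does not, `Files.delete(dumpedFile.toPath())` belongs in whatever closes `dis`. `deleteOnExit()` is the wrong fallback in a long-running query server, since its registry only grows until the JVM exits.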
diff --git
a/core-metadata/src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java
b/core-metadata/src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java
index 817f27aea4..7247da9540 100644
---
a/core-metadata/src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java
+++
b/core-metadata/src/test/java/org/apache/kylin/measure/topn/TopNCounterTest.java
@@ -27,6 +27,7 @@ import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
@@ -76,7 +77,7 @@ public class TopNCounterTest {
ZipfDistribution zipf = new ZipfDistribution(KEY_SPACE, 0.5);
int keyIndex;
- File tempFile = File.createTempFile("ZipfDistribution", ".txt");
+ File tempFile = Files.createTempFile("ZipfDistribution",
".txt").toFile();
if (tempFile.exists())
FileUtils.forceDelete(tempFile);
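Review bot: The lines `if (tempFile.exists()) FileUtils.forceDelete(tempFile);` undo the fix: `Files.createTempFile` guarantees a fresh, empty, owner-only file, so the check is always true and the delete throws the securely created file away; whatever recreates it afterwards (outside the hunk) does so with the default umask and without exclusive create. Drop the two lines and write into the file as returned. Test-only code, but it is the same CWE-377 pattern the commit is fixing.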
diff --git
a/core-metadata/src/test/java/org/apache/kylin/source/H2Database.java
b/core-metadata/src/test/java/org/apache/kylin/source/H2Database.java
index bec7434d1d..16fd9fa193 100644
--- a/core-metadata/src/test/java/org/apache/kylin/source/H2Database.java
+++ b/core-metadata/src/test/java/org/apache/kylin/source/H2Database.java
@@ -29,6 +29,7 @@ import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Files;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
@@ -93,7 +94,7 @@ public class H2Database {
File tempFile = null;
try {
- tempFile = File.createTempFile("tmp_h2", ".csv");
+ tempFile = Files.createTempFile("tmp_h2", ".csv").toFile();
FileOutputStream tempFileStream = new FileOutputStream(tempFile);
String path = path(tableDesc);
InputStream csvStream =
metaMgr.getStore().getResource(path).content();
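Review bot: `new FileOutputStream(tempFile)` on the line after the fix is opened outside any try-with-resources and the copy continues past the hunk; with a `Path` available, `Files.copy(csvStream, tempFile.toPath(), StandardCopyOption.REPLACE_EXISTING)` replaces the hand-written stream handling and closes the output itself. Whether the CSV is removed after H2 loads it is not visible here; a `Files.deleteIfExists(tempFile.toPath())` in the method's `finally` would keep test runs from accumulating `tmp_h2*.csv` in the temp dir.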
diff --git
a/kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java
b/kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java
index 1884cd48f2..024cacdd90 100644
---
a/kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java
+++
b/kylin-spark-project/kylin-spark-engine/src/main/java/org/apache/kylin/engine/spark/job/NSparkMergeStatisticsStep.java
@@ -52,6 +52,7 @@ import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Files;
import java.util.List;
import java.util.Map;
@@ -94,7 +95,7 @@ public class NSparkMergeStatisticsStep extends
NSparkExecutable {
File tempFile = null;
FileOutputStream tempFileStream = null;
try {
- tempFile = File.createTempFile(segmentId, ".seq");
+ tempFile = Files.createTempFile(segmentId,
".seq").toFile();
tempFileStream = new FileOutputStream(tempFile);
org.apache.commons.io.IOUtils.copy(is, tempFileStream);
} finally {
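Review bot: The prefix is `segmentId`, a value that comes from the job rather than a literal; `Files.createTempFile` rejects a prefix containing a path separator with an unchecked `IllegalArgumentException`, where `File.createTempFile` raised `IOException`, so a malformed id now escapes any `catch (IOException)` around this step. If segment ids are always UUIDs this is harmless, but a constant prefix, `Files.createTempFile("kylin_stats_", ".seq")`, keeps the file name independent of the id (and safer should the id ever be attacker-influenced); if the id must appear in the name, validate it first. The copy could also collapse to `Files.copy(is, tempFile.toPath(), StandardCopyOption.REPLACE_EXISTING)`, dropping the nullable `tempFileStream` and the `finally` that continues outside the hunk.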
diff --git
a/kylin-spark-project/kylin-spark-engine/src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java
b/kylin-spark-project/kylin-spark-engine/src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java
index c1cf6a4c40..ebfae7a286 100644
---
a/kylin-spark-project/kylin-spark-engine/src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java
+++
b/kylin-spark-project/kylin-spark-engine/src/test/java/org/apache/kylin/engine/spark/NSparkBasicTest.java
@@ -31,6 +31,7 @@ import org.junit.Test;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
+import java.nio.file.Files;
import java.util.List;
@Ignore("convenient trial tool for dev")
@@ -39,7 +40,7 @@ public class NSparkBasicTest extends
LocalWithSparkSessionTest {
@Test
public void testToRdd() throws IOException {
final String dataJson = "0,1,2,1000\n0,1,2,1\n3,4,5,2";
- File dataFile = File.createTempFile("tmp", ".csv");
+ File dataFile = Files.createTempFile("tmp", ".csv").toFile();
dataFile.deleteOnExit();
FileUtils.writeStringToFile(dataFile, dataJson,
Charset.defaultCharset());
diff --git
a/query/src/main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java
b/query/src/main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java
index 534b02f5a4..7c1c370890 100644
--- a/query/src/main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java
+++ b/query/src/main/java/org/apache/kylin/query/schema/OLAPSchemaFactory.java
@@ -20,6 +20,7 @@ package org.apache.kylin.query.schema;
import java.io.File;
import java.io.IOException;
+import java.nio.file.Files;
import java.util.Collection;
import java.util.HashMap;
import java.util.Locale;
@@ -119,7 +120,7 @@ public class OLAPSchemaFactory implements SchemaFactory {
String jsonContent = out.toString();
File file = cachedJsons.get(jsonContent);
if (file == null) {
- file = File.createTempFile("olap_model_", ".json");
+ file = Files.createTempFile("olap_model_", ".json").toFile();
file.deleteOnExit();
FileUtils.writeStringToFile(file, jsonContent);
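Review bot: `FileUtils.writeStringToFile(file, jsonContent)` on the line after the fix is the deprecated no-charset overload and writes the model JSON in the platform default encoding, so the content of the now-0600 file depends on the JVM locale; `Files.write(file.toPath(), jsonContent.getBytes(StandardCharsets.UTF_8))` pins it (needs `java.nio.charset.StandardCharsets`). Also, every cache miss adds a `deleteOnExit()` entry the JVM never releases; in a long-running query server the registry and the temp files only grow, so consider deleting the old file whenever an entry in `cachedJsons` is replaced or evicted. The surrounding method continues outside the hunk.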
diff --git
a/tool/src/main/java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java
b/tool/src/main/java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java
index 845a182ab1..3a8025fcf4 100644
---
a/tool/src/main/java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java
+++
b/tool/src/main/java/org/apache/kylin/tool/extractor/AbstractInfoExtractor.java
@@ -22,6 +22,7 @@ package org.apache.kylin.tool.extractor;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
+import java.nio.file.Files;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
@@ -122,7 +123,7 @@ public abstract class AbstractInfoExtractor extends
AbstractApplication {
// compress to zip package
if (shouldCompress) {
- File tempZipFile = File.createTempFile(packageType + "_", ".zip");
+ File tempZipFile = Files.createTempFile(packageType + "_",
".zip").toFile();
File tempZipDir = new File(exportDest + packageName + "/");
FileUtils.forceMkdir(tempZipDir);
for (File file : exportDir.listFiles()) {
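Review bot: The zip is created in `java.io.tmpdir` while the export lives under `exportDest`; if the method later moves `tempZipFile` into `tempZipDir` (outside the hunk), a cross-filesystem `renameTo` fails silently, and even a copy leaves a 0600 file behind in the temp dir. Creating it beside its destination, `Files.createTempFile(new File(exportDest).toPath(), packageType + "_", ".zip")`, keeps the owner-only mode and makes the final move a same-device rename. Separately, `exportDir.listFiles()` on the last line returns null if `exportDir` is not a directory, so a null check there would avoid an NPE.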
diff --git a/tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java
b/tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java
index e28e567cd1..5977fc9478 100644
--- a/tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java
+++ b/tool/src/test/java/org/apache/kylin/tool/KylinConfigCLITest.java
@@ -25,6 +25,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.nio.charset.Charset;
+import java.nio.file.Files;
import org.apache.commons.io.FileUtils;
import org.apache.kylin.common.util.LocalFileMetadataTestCase;
@@ -36,7 +37,7 @@ public class KylinConfigCLITest extends
LocalFileMetadataTestCase {
@Test
public void testGetProperty() throws IOException {
PrintStream o = System.out;
- File f = File.createTempFile("cfg", ".tmp");
+ File f = Files.createTempFile("cfg", ".tmp").toFile();
PrintStream tmpOut = new PrintStream(new FileOutputStream(f), false,
"UTF-8");
System.setOut(tmpOut);
KylinConfigCLI.main(new String[] { "kylin.storage.url" });
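Review bot: The temp file is never cleaned up in the visible part of `testGetProperty`: there is no `deleteOnExit()` and no delete in a `finally` (the method continues past the hunk), so every run leaves a `cfg*.tmp` behind. Since `System.out` is redirected into it, the restore and the delete belong together: `try { … } finally { System.setOut(o); tmpOut.close(); Files.deleteIfExists(f.toPath()); }`. Replacing `new FileOutputStream(f)` with `Files.newOutputStream(f.toPath())` also keeps the code on the nio API the fix introduces.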
@@ -51,7 +52,7 @@ public class KylinConfigCLITest extends
LocalFileMetadataTestCase {
@Test
public void testGetPrefix() throws IOException {
PrintStream o = System.out;
- File f = File.createTempFile("cfg", ".tmp");
+ File f = Files.createTempFile("cfg", ".tmp").toFile();
PrintStream tmpOut = new PrintStream(new FileOutputStream(f), false,
"UTF-8");
System.setOut(tmpOut);
KylinConfigCLI.main(new String[] { "kylin.cube.engine." });
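Review bot: `testGetPrefix` has the same gap as `testGetProperty`: nothing visible deletes `f`, and the `PrintStream` is not closed in a `finally` before `System.out` is restored (the method continues outside the hunk). A shared helper that creates the temp file, redirects `System.out`, runs the CLI and then restores, closes and `Files.deleteIfExists` the file would remove the duplication and the leak in both tests.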