qualman
commented
2 years ago Snyk error details:
PoC
File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--For Android developers, it is recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. Remediation
There is no fix for com.google.guava:guava. However, in version 30.0 and above, the vulnerable functionality has been deprecated. In oder to mitigate this vulnerability, upgrade for version 30.0 or higher and ensure your dependencies don't use the createTempFile or createTempFile methods.
This PR adds a field to the Node Source configuration for retrieving the AWS Secret Key from Key Storage - rather than asking the user to "resubmit" their AWS Secret. This both reduces the number of steps to get setup with AWS resources, but also enables customers to limit the number of users who have direct access to AWS Credentials. This is similar to what has been done with the Azure Node Source plugin.
Behavior is that the plugin will use either the
Key Storage Pathor theSecret Keyfield - thereby being backwards compatible (this has been tested). If a user (mistakenly) provides inputs to both fields, then the plugin will use the one pulled from Key Storage.