The `java.io.File#createTempFile()` method creates a file that is world-readable and world-writeable, which is almost never necessary. Also, the file created is placed in a predictable directory (e.g., `/tmp`). Having predictable file names and locations will lead to many types of vulnerabilities. History has shown that this insecure pattern can lead to information leakage, privilege escalation and even code execution.
This change was autogenerated from a GitHub app called Pixeebot. Feel free to check it out for more details on how you can install it onto your project's repo for continued code hardening and code security recommendations. 👍
This change replaces the usage of `java.io.File#createTempFile` with `java.nio.file.Files#createTempFile`, which has more secure attributes.

Our changes look something like this:
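The before/after pair below is an added illustration of the swap this codemod performs; it is not the diff from this pull request or Pixeebot's own code. It assumes a POSIX filesystem (where `Files.createTempFile` defaults to owner-only `rw-------` permissions, while `File.createTempFile` inherits the process umask, typically `rw-r--r--`) and prints the resulting mode of each file so the difference can be observed directly. The `nioTempFileInPrivateDir` variant and the `report-` prefix are my own additions, not part of the codemod.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFileDemo {

    // BEFORE: the pattern the codemod rewrites. The file lands directly in
    // java.io.tmpdir and its mode is decided by the umask, so under the common
    // 022 umask it is readable by every local user.
    static File legacyTempFile() throws IOException {
        File f = File.createTempFile("report-", ".tmp");
        f.deleteOnExit();
        return f;
    }

    // AFTER: java.nio.file.Files#createTempFile. With no explicit attributes the
    // JDK creates the file as rw------- on POSIX, so only the owner can read it.
    static Path nioTempFile() throws IOException {
        return Files.createTempFile("report-", ".tmp");
    }

    // Stricter variant (assumption, not part of the codemod): create an owner-only
    // temp directory first so the file is not a predictable entry in shared /tmp,
    // and state the file permissions explicitly instead of relying on defaults.
    static Path nioTempFileInPrivateDir() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnlyDir =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Path dir = Files.createTempDirectory("app-", ownerOnlyDir);

        FileAttribute<Set<PosixFilePermission>> ownerOnlyFile =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile(dir, "report-", ".tmp", ownerOnlyFile);
    }

    // Render "path rw-r--r--" style output; non-POSIX filesystems (e.g. NTFS)
    // do not expose POSIX modes, so report that instead of failing.
    static String describe(Path p) throws IOException {
        try {
            return p + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        } catch (UnsupportedOperationException e) {
            return p + " (non-POSIX filesystem, mode not available)";
        }
    }

    public static void main(String[] args) throws IOException {
        File legacy = legacyTempFile();
        Path nio = nioTempFile();
        Path priv = nioTempFileInPrivateDir();
        try {
            System.out.println("File.createTempFile  : " + describe(legacy.toPath()));
            System.out.println("Files.createTempFile : " + describe(nio));
            System.out.println("private temp dir     : " + describe(priv));
        } finally {
            // Clean up eagerly rather than leaving sensitive scratch files behind.
            Files.deleteIfExists(legacy.toPath());
            Files.deleteIfExists(nio);
            Files.deleteIfExists(priv);
            Files.deleteIfExists(priv.getParent());
        }
    }
}
```

Compile and run with `javac TempFileDemo.java && java TempFileDemo`; on Linux or macOS the first line will usually show `rw-r--r--` and the other two `rw-------`. The point the mode output makes is that the NIO call fixes the permission problem on its own, while the predictable-location concern still benefits from a dedicated directory or an explicit `FileAttribute` when the code needs it.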
More reading

* [https://cwe.mitre.org/data/definitions/378.html](https://cwe.mitre.org/data/definitions/378.html)
* [https://docs.fluidattacks.com/criteria/vulnerabilities/160/](https://docs.fluidattacks.com/criteria/vulnerabilities/160/)
* [https://github.com/apache/druid/issues/11130](https://github.com/apache/druid/issues/11130)
* [https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File](https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File)
* [https://nvd.nist.gov/vuln/detail/CVE-2022-41954](https://nvd.nist.gov/vuln/detail/CVE-2022-41954)
* [https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html](https://www.cvedetails.com/vulnerability-list/cwe-378/vulnerabilities.html)

🧚🤖 Powered by Pixeebot

Codemod ID: pixee:java/upgrade-tempfile-to-nio