[MINVOKER-324] Temporary File Information Disclosure (#152)

This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <[email protected]>


Bug-tracker: JLLeitschuh/security-research#18

Co-authored-by: Moderne <[email protected]>
Co-authored-by: Guillaume Nodet <[email protected]>

Author: 3 people

src/main/java/org/apache/maven/plugins/invoker/AbstractInvokerMojo.java

@@ -1398,7 +1398,7 @@ private File mergeSettings(File interpolatedSettingsFile) throws MojoExecutionEx
 
     private File writeMergedSettingsFile(Settings mergedSettings) throws IOException {
         File mergedSettingsFile;
-        mergedSettingsFile = File.createTempFile("invoker-settings", ".xml");
+        mergedSettingsFile = Files.createTempFile("invoker-settings", ".xml").toFile();
 
         SettingsXpp3Writer settingsWriter = new SettingsXpp3Writer();
 

src/test/java/org/apache/maven/plugins/invoker/InvokerPropertiesTest.java

@@ -19,6 +19,7 @@
 package org.apache.maven.plugins.invoker;
 
 import java.io.File;
+import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -188,7 +189,7 @@ public void testConfigureRequestProject() throws Exception {
         Properties props = new Properties();
         InvokerProperties facade = new InvokerProperties(props);
 
-        File tempPom = File.createTempFile("maven-invoker-plugin-test", ".pom");
+        File tempPom = Files.createTempFile("maven-invoker-plugin-test", ".pom").toFile();
         try {
             File tempDir = tempPom.getParentFile();
             when(request.getBaseDirectory()).thenReturn(tempDir);