From dfcf2ec7071132c3127b09c12f732751c1164153 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 4 Oct 2022 00:19:09 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.
Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)
Reported-by: Jonathan Leitschuh
Signed-off-by: Jonathan Leitschuh
Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10
Co-authored-by: Moderne
---
 .../java/net/imagej/ui/swing/updater/UpdaterGUITest.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/test/java/net/imagej/ui/swing/updater/UpdaterGUITest.java b/src/test/java/net/imagej/ui/swing/updater/UpdaterGUITest.java
index a735e11..7586d9f 100644
--- a/src/test/java/net/imagej/ui/swing/updater/UpdaterGUITest.java
+++ b/src/test/java/net/imagej/ui/swing/updater/UpdaterGUITest.java
@@ -38,6 +38,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
+import java.nio.file.Files;
 import java.util.jar.JarEntry;
 import java.util.jar.JarInputStream;
 import java.util.jar.JarOutputStream;
@@ -290,9 +291,7 @@ private static void assertTrue(boolean condition) {
 * @throws IOException
 */
 protected static File createTempDirectory(final String prefix) throws IOException {
- final File file = File.createTempFile(prefix, "");
- file.delete();
- file.mkdir();
+ final File file = Files.createTempDirectory(prefix).toFile();
 return file;
 }
 }
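Review bot: The Javadoc on `createTempDirectory` (second hunk; the comment starts outside it) still ends in a bare `@throws IOException` and does not record why the NIO call is used, so a later cleanup could bring back the `createTempFile`/`delete`/`mkdir` sequence. I would complete the tag as `@throws IOException if the directory cannot be created` and add a line such as `// Files.createTempDirectory creates the directory in one step, with owner-only permissions where the file system supports them; do not replace it with createTempFile/delete/mkdir.` The old sequence also ignored the results of `delete()` and `mkdir()`, so a failure went unnoticed, whereas the new call raises `IOException`; that is worth stating in the same comment. As a style point, the `file` local is now redundant and the body can be `return Files.createTempDirectory(prefix).toFile();`.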