• Home
• io.codemodder
• core-codemods
• 0.95.0
• source code
• description.md

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.codemodder.codemods.UpgradeTempFileToNIOCodemod.description.md Maven / Gradle / Ivy

This change replaces the usage of [`java.io.File#createTempFile`](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/io/File.html#createTempFile(java.lang.String,java.lang.String)) with [`java.nio.file.Files#createTempFile`](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)) which has more secure attributes.

The `java.io.File#createTempFile()` method creates a file that is world-readable and world-writeable, which is almost never necessary. Also, the file created is placed in a predictable directory (e.g., `/tmp`). Having predictable file names, locations, and will lead to many types of vulnerabilities. History has shown that this insecure pattern can lead to [information leakage](https://www.cvedetails.com/cve/CVE-2021-28168/), [privilege escalation](https://www.cvedetails.com/cve/CVE-2021-29428/) and even [code execution](https://www.openwall.com/lists/oss-security/2022/02/25/3).

Our changes look something like this:

```diff
+  import java.nio.file.Files;
   ...
-  File txtFile = File.createTempFile("acme", ".txt");
+  File txtFile = Files.createTempFile("acme", ".txt").toFile();
```