From 0761af03d5dc28df0ff56e787a5cb537a64e8f4a Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Tue, 9 Aug 2022 03:28:23 +0000
Subject: [PATCH] vuln-fix: Temporary Directory Hijacking or Information
 Disclosure

This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/10


Co-authored-by: Moderne <team@moderne.io>
---
 .../java/org/seqdoop/hadoop_bam/util/TestVCFFileMerger.java   | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/test/java/org/seqdoop/hadoop_bam/util/TestVCFFileMerger.java b/src/test/java/org/seqdoop/hadoop_bam/util/TestVCFFileMerger.java
index ce8e26e..02b2a1e 100644
--- a/src/test/java/org/seqdoop/hadoop_bam/util/TestVCFFileMerger.java
+++ b/src/test/java/org/seqdoop/hadoop_bam/util/TestVCFFileMerger.java
@@ -18,9 +18,7 @@ public class TestVCFFileMerger {
 
   @Before
   public void setup() throws Exception {
-    File partsDir = File.createTempFile("parts", "");
-    partsDir.delete();
-    partsDir.mkdir();
+    File partsDir = Files.createTempDirectory("parts").toFile();
     Files.createFile(new File(partsDir, "_SUCCESS").toPath());
     partsDirectory = partsDir.toURI().toString();
     header = VCFHeaderReader.readHeaderFrom(TestVCFHeaderReader.seekableStream("test.vcf"));