16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
75 lines
2.2 KiB
Plaintext
75 lines
2.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Using ``++File.createTempFile++`` as the first step in creating a temporary directory causes a race condition and is inherently unreliable and insecure. Instead, ``++Files.createTempDirectory++`` (Java 7+) or a library function such as Guava's similarly-named ``++Files.createTempDir++`` should be used.
|
|
|
|
|
|
This rule raises an issue when the following steps are taken in immediate sequence:
|
|
|
|
* call to ``++File.createTempFile++``
|
|
* delete resulting file
|
|
* call ``++mkdir++`` on the File object
|
|
|
|
*Note* that this rule is automatically disabled when the project's ``++sonar.java.source++`` is lower than ``++7++``.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
File tempDir;
|
|
tempDir = File.createTempFile("", ".");
|
|
tempDir.delete();
|
|
tempDir.mkdir(); // Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
Path tempPath = Files.createTempDirectory("");
|
|
File tempDir = tempPath.toFile();
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Use "Files.createTempDirectory" or a library function to create this directory instead.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 26 May 2015, 12:01:03 Ann Campbell wrote:
|
|
http://nemo.sonarqube.org/coding_rules#rule_key=grvy%3Aorg.codenarc.rule.security.FileCreateTempFileRule
|
|
|
|
=== on 29 May 2015, 06:44:07 Nicolas Peru wrote:
|
|
Spec looks good.
|
|
|
|
|
|
\[~ann.campbell.2] I am wondering about the targeted language Groovy : rule is covered by codenarc and AFAIK we don't have any intention to develop our own groovy analyzer. So should it be covered instead of targeted for groovy ?
|
|
|
|
=== on 29 May 2015, 14:47:00 Ann Campbell wrote:
|
|
I wouldn't mark it covered based on a 3rd-party tool. I set it to targeted in case we ever do decide to write our own Groovy rules.
|
|
|
|
=== on 1 Jun 2015, 15:07:21 Nicolas Peru wrote:
|
|
Ok !
|
|
|
|
=== on 19 Aug 2019, 11:04:23 Pierre-Loup Tristant wrote:
|
|
https://guava.dev/releases/19.0/api/docs/com/google/common/io/Files.html#createTempDir()
|
|
|
|
endif::env-github,rspecator-view[]
|