Headline
CVE-2021-21364: Generated Code Contains Local Information Disclosure Vulnerability
swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used. Because this vulnerability impacts generated code, the generated code will remain vulnerable until fixed manually! This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21363.
Impact
This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!
On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r–r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.
Java Code
The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
return File.createTempFile(prefix, suffix);
val file = File.createTempFile("tmp{{classname}}", null)
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
Patches
Fix has been applied to the master branch with:
- 35adbd5
included in release: 2.4.19
Workarounds
Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use java.nio.files.Files temporary file creation instead of java.io.File, e.g. by changing
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
to
if (tempFolderPath == null)
return Files.createTempFile(prefix, suffix).toFile();
else
return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();
or generally changing:
File.createTempFile(prefix, suffix);
to
Files.createTempFile(prefix, suffix).toFile();
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-732: Incorrect Permission Assignment for Critical Resource
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Original vulnerability report
I’m performing OSS security research under the GitHub Security Lab Bug Bounty program.
I’ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.
- https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
- https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
- github/codeql#4473
The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.
This code exists in the code generator, in the generated code.
In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it.
In particular, the method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r–r--. Thus the contents of this file are viewable by all other users locally on the system.
return File.createTempFile(prefix, suffix);
val file = File.createTempFile("tmp{{classname}}", null)
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
The fix here is to switch to the Files API, instead of File as that appropriately sets the file permissions.
Related news
Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
A vulnerability was found in pig-vector and classified as problematic. Affected by this issue is the function LogisticRegression of the file src/main/java/org/apache/mahout/pig/LogisticRegression.java. The manipulation leads to insecure temporary file. The attack needs to be approached locally. The name of the patch is 1e7bd9fab5401a2df18d2eabd802adcf0dcf1f15. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216500.
The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create it.
A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. The identifier VDB-213457 was assigned to this vulnerability.
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. Affected generators: `java` (jersey2, okhttp-gson (default library)), `scala-finch`. The issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.