Problem description
I need to create a temporary file and store some data into it. I have written the following code to do so:
import org.apache.commons.lang.RandomStringUtils;
import java.security.SecureRandom;
[...]
// 10 alphanumeric characters drawn from SecureRandom, prepended to the prefix
String random = RandomStringUtils.random(10, 0, 0, true, true, null, new SecureRandom());
// File.createTempFile appends its own random component and the suffix
File tempFile = File.createTempFile("PREFIX-" + random, ".pdf");
[...]
It does work perfectly, but when I submit this code to Veracode, I get an "Insecure Temporary File (CWE ID 377)" error. I thought that using SecureRandom would make the temporary file name impossible to predict by attackers.
What is the right way to generate a temporary file without making Veracode unhappy?
Recommended answer
While creating a File using createTempFile (in lower Java versions) it will first create a filename with the given suffix and prefix and a random number. Format --> Prefix + random number + Suffix. If the generated name is already present it just increments the random number. Here comes the issue in the algorithm, where we can guess what the next filename will be.
The issue is resolved in Java 6. But still, if you do a static scan in Veracode they will show it as a bug, since it causes a vulnerable issue in Java versions lower than 6. If you are using a higher version then there is no problem. Just skip it.
Reference from veracode: https://www.veracode.com/blog/2009/01/how-boring-flaws-become-interesting
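As an added example (not code from the question, the answer, or Veracode), the same file created through java.nio.file.Files.createTempFile instead of java.io.File.createTempFile. The NIO variant draws the random part of the name from SecureRandom, opens the file with CREATE_NEW so an existing file is never reused, and lets the caller pass owner-only permissions that are applied at creation time rather than chmod'ed afterwards; the prefix and suffix are the question's, the class and method names are assumptions. Whether a given scanner stops flagging this is not something the page confirms.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SecureTempFile {

    private static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** Create a temp file whose random name comes from SecureRandom and that only the owner can read or write. */
    public static Path create(String prefix, String suffix) throws IOException {
        if (posixSupported()) {
            // Permissions are set atomically at creation, so there is no window between create and chmod.
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            return Files.createTempFile(prefix, suffix, ownerOnly);
        }
        // Windows has no POSIX bits; the file inherits the ACL of the user's temp directory.
        return Files.createTempFile(prefix, suffix);
    }

    /** Post-creation check: refuse to use a file that group or others can access. */
    public static boolean isOwnerOnly(Path p) throws IOException {
        if (!posixSupported()) {
            return true; // the check cannot be expressed with POSIX bits on this platform
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().noneMatch(x -> x.name().startsWith("GROUP_") || x.name().startsWith("OTHERS_"));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = create("PREFIX-", ".pdf");
        try {
            if (!isOwnerOnly(tmp)) {
                throw new IOException("temp file is accessible to other users: " + tmp);
            }
            Files.write(tmp, "constructed sample data".getBytes(StandardCharsets.UTF_8));
            System.out.println("wrote " + tmp);
        } finally {
            Files.deleteIfExists(tmp); // remove the file as soon as it is no longer needed
        }
    }
}
```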