Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhwdjgtOXJxNS1ocTd3

Generated Code Contains Local Information Disclosure Vulnerability

Impact

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!

On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

Patches

Fix has been applied to the master branch with:

https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2

included in release: 2.4.19

Workarounds

Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use java.nio.files.Files temporary file creation instead of java.io.File, e.g. by changing


    if (tempFolderPath == null)
      return File.createTempFile(prefix, suffix);
    else
      return File.createTempFile(prefix, suffix, new File(tempFolderPath));


    if (tempFolderPath == null)
      return Files.createTempFile(prefix, suffix).toFile();
    else
      return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();

or generally changing:


File.createTempFile(prefix, suffix);


Files.createTempFile(prefix, suffix).toFile();

References

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Original vulnerability report

I'm performing OSS security research under the GitHub Security Lab Bug Bounty program.
I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.

https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f

https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac

https://github.com/github/codeql/pull/4473

The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.

This code exists in the code generator, in the generated code.

In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it.

In particular, the method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633

The fix here is to switch to the Files API, instead of File as that appropriately sets the file permissions.

Permalink: https://github.com/advisories/GHSA-hpv8-9rq5-hq7w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhwdjgtOXJxNS1ocTd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago

CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-hpv8-9rq5-hq7w, CVE-2021-21364
References:

Repository: https://github.com/swagger-api/swagger-codegen
Blast Radius: 14.5

Affected Packages

maven:io.swagger:swagger-codegen

Dependent packages: 34
Dependent repositories: 218
Downloads:
Affected Version Ranges: < 2.4.19
Fixed in: 2.4.19
All affected versions: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18
All unaffected versions: 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.31, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41