Java Predictable Temp File Creation

Description

Detects insecure creation of temporary files in Java code using createTempFile() method. This can lead to race conditions or predictable file names, allowing attackers to potentially hijack file operations or access sensitive data through temp file manipulation.

Weakness: 160 - Excessive privileges - Temporary Files

Category: Access Subversion

Detection Strategy

    Search for method calls to createTempFile() in Java code

    Check if the createTempFile call is from standard Java libraries by analyzing imports

    Verify if the temporary file creation follows secure coding practices

    Report a vulnerability when createTempFile is used in ways that could lead to predictable file names or race conditions
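The four steps above, as an added illustration that is not part of this database entry: a heuristic Python scanner run over a constructed Java snippet. It assumes each createTempFile call sits on one line and ends with a semicolon, and treats a non-literal prefix or an explicit directory argument to java.io.File.createTempFile as the reportable patterns.

```python
import re

# Constructed Java sample (not from the page): a caller-controlled prefix, a
# caller-chosen directory, and the java.nio alternative that should not be flagged.
SAMPLE_JAVA = """\
import java.io.File;
import java.nio.file.Files;
public class Mixed {
    File a(String p) throws Exception { return File.createTempFile(p, null); }
    File b() throws Exception { return File.createTempFile("report", ".tmp", new File("/tmp/shared")); }
    java.nio.file.Path c() throws Exception { return Files.createTempFile("report", ".tmp"); }
}
"""

# Assumes each call sits on one line and ends with ';' (a heuristic, not a Java parser).
CALL_RE = re.compile(r'\b(File|Files)\.createTempFile\s*\((.*)\)\s*;')
LITERAL_RE = re.compile(r'^"[^"]*"$')

def split_args(text):
    # Split on top-level commas only, so nested calls such as new File(...) stay whole.
    args, depth, cur = [], 0, []
    for ch in text:
        depth += (ch in "([") - (ch in ")]")
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur).strip())
    return args

def scan(source):
    # Step 2: only java.io.File.createTempFile is in scope; Files.createTempFile
    # picks the name itself and defaults to owner-only permissions.
    findings = []
    uses_io_file = "import java.io.File;" in source
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m or m.group(1) != "File" or not uses_io_file:
            continue
        args = split_args(m.group(2))
        if args and not LITERAL_RE.match(args[0]):
            findings.append((lineno, "non-literal prefix: name derives from caller data"))
        if len(args) == 3:
            findings.append((lineno, "explicit directory: file placed in a caller-chosen directory"))
    return findings
```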

Vulnerable code example

import java.io.File;

public class UnsafeTemp {
    public static void main(String directoryPath) {
        try {
            // Unsafe: User-controlled directoryPath used directly as the temp file prefix,
            // so the caller influences the name of a file created in the shared temp directory
            File.createTempFile(directoryPath, null);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

✅ Secure code example

import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeTemp {
    public static void main(String directoryPath) {
        try {
            // Safe: Use Files.createTempFile, which generates the unique name itself
            // and creates the file with owner-only permissions on POSIX file systems
            Path tempFile = Files.createTempFile("safe", ".tmp");
            tempFile.toFile().deleteOnExit();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}