Page History

...

Removing temporary files when they are no longer required allows file names and other resources (such as secondary storage) to be recycled. Each program is responsible for ensuring that temporary files are removed during normal operation. There is no surefire method that can guarantee the removal of orphaned files in the case of abnormal termination, even in the presence of a finally block, because the finally block may fail to execute. For this reason, many systems employ temporary file cleaner utilities to sweep temporary directories and remove old files. Such utilities can be invoked manually by a system administrator or can be periodically invoked by a system process. However, these utilities are themselves vulnerable to file-based exploits and may require the use of secure directories.

Noncompliant Code Example

For this and subsequent code examples, we will assume that the files are automatically being created in a secure directory, to comply with rule FIO00-J. Do not operate on files in shared directories. We will also assume the files are created with proper access permissions, to compy with FIO01-J. Create files with appropriate access permissions. Both requirements may be managed outside the JVM.

...

class TempFile {
  public static void main(String[] args) throws IOException{
    File f = new File("tempnam.tmp");
    FileOutputStream fop = new FileOutputStream(f);
    String str = "Data";
    
    if (f.exists()) {
      fop.write(str.getBytes());
      fop.close();
    } else { 
      System.out.println("This file does not exist"); 
    }
  }      
}

Noncompliant Code Example (createTempFile(), deleteOnExit())

This noncompliant code example invokes the File.createTempFile() method which generates a unique temporary filename based on two parameters, a prefix and an extension. This is the only method currently designed and provided for producing unique file names; although the names produced can be easily predicted. A random number generator can be used to produce the prefix if a random file name is required.

...

class TempFile {
  public static void main(String[] args) throws IOException{
    File f = File.createTempFile("tempnam",".tmp");
    FileOutputStream fop = new FileOutputStream(f);
    String str = "Data";
    try {
      fop.write(str.getBytes());
      fop.flush();        
    } finally {
      // Stream/file still open; file will
      // not be deleted on Windows systems
      f.deleteOnExit(); // Delete the file when the JVM terminates
    }
  }       
}

Compliant Solution (Java 1.7), DELETE_ON_CLOSE)

This compliant solution creates a temporary file using several methods of Java 1.7's NIO package. It uses the createTempFile() method, which creates an unpredictable name. (The actual method by which the name is created is implementation-defined and undocumented.) Additionally, the createTempFile() will throw an exception if the file already exists. The file is opened using the try-with-resources construct, which automatically closes the file whether or not an exception occurs. Finally, the file is opened with the Java 1.7 DELETE_ON_CLOSE option, which serves to remove the file automatically when it is closed.

class TempFile {
  public static void main(String[] args) {
    Path tempFile = null;
    try {
      tempFile = Files.createTempFile("tempnam", ".tmp");
      try (BufferedWriter writer = Files.newBufferedWriter(tempFile, Charset.forName("UTF8"),
                                                           StandardOpenOption.DELETE_ON_CLOSE)) {
          // write to file
      }
      System.out.println("Temporary file write done, file erased");
    } catch (FileAlreadyExistsException x) {
      System.err.println("File exists: " + tempFile);
    } catch (IOException x) {
      // Some other sort of failure, such as permissions.
      System.err.println("Error creating temporary file: " + x);
    }
  }
}

Compliant Solution

If a secure directory for storing temporary files is not available, then the vulnerabilities that result from using temporary files in insecure directories can be avoided by using alternate mechanisms including:

• other IPC mechanisms such as sockets and remote procedure calls
• the low-level Java Native Interface (JNI).
• memory mapped files
• threads to share heap data within the same JVM (applies to data sharing between Java processes only)
• a secure directory that can be accessed only by application instances, provided that multiple instances of the application running on the same platform avoid competing for the same files.

Risk Assessment

Failure to follow best practices while creating, using and deleting temporary files can lead to information leakage, misinterpretations and alterations in control flow.

Related Guidelines

Bibliography

...