Page History

...

• Share data between processes
• Store auxiliary program data (for example, to perserve preserve memory)
• Construct and/or load classes, JAR files and native libraries dynamically

...

Removing temporary files when they are no longer required allows file names and other resources (such as secondary storage) to be recycled. Each program is responsible for ensuring that temporary files are removed during normal operation. There is no surefire method that can guarantee the removal of orphaned files in the case of abnormal termination, even in the presence of a finally block, because the finally block may fail to execute. For this reason, many systems employ temporary file cleaner utilities to sweep temporary directories and remove old files. Such utilities can be invoked manually by a system administrator or can be periodically invoked by a system process. However, these utilities are themselves vulnerable to file-based exploits and may require the use of secure directories. We will assume that the code samples shown below obey all of the file-related rules referenced above. That is, the files are created in the current directory of the program, which is assumed to be a secure directory. Also, the files are created with appropriate access permissions, which are managed by default outside Java. The code samples below make sure that no existing file is overwritten.

Noncompliant Code Example

This noncompliant code example hardcodes the name of a temporary file; consequently, the file's name is predictable. However, the program makes no attempt to remove the file upon completion.

...

This noncompliant code example invokes the File.createTempFile() method which generates a unique temporary filename based on two parameters, a prefix and an extension. This is the only method currently designed and provided for producing unique file names; although the names produced can be easily predicted. If the filename must be unpredictable, this problem can be solved by using a good A random number generator can be used to produce the prefix if a random file name is required.

This example also attempts to use the {{deleteOnExit()}} method to ensure that the temporary file is deleted when the JVM terminates. However, according to the Java API \[[API 2006|AA. Bibliography#API 06]\] Class {{File}}, method {{deleteOnExit()}} documentation:

...

class TempFile {
  public static void main(String[] args) {
    Path tempFile = null;
    try {
      tempFile = Files.createTempFile("tempnam", ".tmp");
      try (BufferedWriter writer = Files.newBufferedWriter(tempFile, Charset.forName("UTF8"),
                                                           StandardOpenOption.DELETE_ON_CLOSE)) {
          // write to file
      }
      System.out.println("Temporary file write done, file erased");
    } catch (FileAlreadyExistsException x) {
      System.err.println("File exists: " + tempFile);
    } catch (IOException x) {
      // Some other sort of failure, such as permissions.
      System.err.println("Error creating temporary file: " + x);
    }
  }
}

To be compliant with rule FIO04-J. Do not operate on files in shared directories the files must be created in a secure directory. Also, to be compliant with FIO03-J. Create files with appropriate access permissions the files must be created with appropriate access permissions, which may be managed outside of Java.

Compliant Solution

If a secure directory for storing temporary files is not available, then the vulnerabilities that result from using temporary files in insecure directories can be avioded avoided by using alternate mechanisms including:

...

...