Handle special cases for File.createTempFile (#133530)

ldematte · web-flow · commit a4e3b0a61850 · 2025-08-27T15:19:03.000+02:00
We were missing a couple of cases where File.createTempFile (from java.io) are defaulting to the default temp directory. This PR addresses that. Fixes #130086
diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -771,6 +771,8 @@ public interface EntitlementChecker {
 
     void check$java_io_File$createNewFile(Class<?> callerClass, File file);
 
+    void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix);
+
     void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix, File directory);
 
     void check$java_io_File$delete(Class<?> callerClass, File file);
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java
@@ -97,6 +97,17 @@ static void fileCreateTempFile() throws IOException {
         File.createTempFile("prefix", "suffix", readWriteDir().toFile());
     }
 
+    @EntitlementTest(expectedAccess = ALWAYS_ALLOWED)
+    static void fileCreateTempFileSystemTempDirectory() throws IOException {
+        File.createTempFile("prefix", "suffix");
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_ALLOWED)
+    static void fileCreateTempFileNullDirectory() throws IOException {
+        // null directory = system temp directory
+        File.createTempFile("prefix", "suffix", null);
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileDelete() throws IOException {
         var toDelete = EntitledActions.createTempFileForWrite();
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java
@@ -1489,9 +1489,20 @@ public void checkSelectorProviderOpenSocketChannel(Class<?> callerClass, Selecto
         policyChecker.checkFileWrite(callerClass, file);
     }
 
+    @Override
+    public void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix) {
+        policyChecker.checkCreateTempFile(callerClass);
+    }
+
     @Override
     public void check$java_io_File$$createTempFile(Class<?> callerClass, String prefix, String suffix, File directory) {
-        policyChecker.checkFileWrite(callerClass, directory);
+        // A null value for the directory parameter means using the temp directory (java.io.tmpdir,
+        // aka org.elasticsearch.env.Environment#tmpDir, aka PathLookup#TEMP).
+        if (directory == null) {
+            policyChecker.checkCreateTempFile(callerClass);
+        } else {
+            policyChecker.checkFileWrite(callerClass, directory);
+        }
     }
 
     @Override
