Merge pull request from GHSA-hpv8-9rq5-hq7w

security: fix CWE-378 CWE-200 CWE-732 - use java.nio.files

Author: frantuma

bin/java-petstore-all.sh

@@ -12,7 +12,6 @@
 ./bin/java-petstore-retrofit2rx2.sh
 ./bin/java8-petstore-jersey2.sh
 ./bin/java-petstore-retrofit2-play24.sh
-./bin/java-petstore-jersey2-java6.sh
 ./bin/java-petstore-resttemplate.sh
 ./bin/java-petstore-resttemplate-withxml.sh
 ./bin/java-petstore-resteasy.sh

bin/java-petstore-jersey2-java6.sh

@@ -198,7 +198,7 @@ public void processOpts() {
         super.processOpts();
 
         if (additionalProperties.containsKey(SUPPORT_JAVA6)) {
-            this.setSupportJava6(Boolean.valueOf(additionalProperties.get(SUPPORT_JAVA6).toString()));
+            this.setSupportJava6(false); // JAVA 6 not supported
         }
         additionalProperties.put(SUPPORT_JAVA6, supportJava6);
 

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/AbstractJavaCodegen.java

@@ -69,7 +69,6 @@ public JavaClientCodegen() {
         cliOptions.add(CliOption.newBoolean(PARCELABLE_MODEL, "Whether to generate models for Android that implement Parcelable with the okhttp-gson library."));
         cliOptions.add(CliOption.newBoolean(USE_PLAY_WS, "Use Play! Async HTTP client (Play WS API)"));
         cliOptions.add(CliOption.newString(PLAY_VERSION, "Version of Play! Framework (possible values \"play24\", \"play25\")"));
-        cliOptions.add(CliOption.newBoolean(SUPPORT_JAVA6, "Whether to support Java6 with the Jersey1 library."));
         cliOptions.add(CliOption.newBoolean(USE_BEANVALIDATION, "Use BeanValidation API annotations"));
         cliOptions.add(CliOption.newBoolean(PERFORM_BEANVALIDATION, "Perform BeanValidation"));
         cliOptions.add(CliOption.newBoolean(USE_GZIP_FEATURE, "Send gzip-encoded requests"));

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaClientCodegen.java

@@ -13,7 +13,7 @@ public class JavaJerseyServerCodegen extends AbstractJavaJAXRSServerCodegen {
 
     protected static final String LIBRARY_JERSEY1 = "jersey1";
     protected static final String LIBRARY_JERSEY2 = "jersey2";
-    
+
     /**
      * Default library template to use. (Default:{@value #DEFAULT_LIBRARY})
      */
@@ -48,7 +48,6 @@ public JavaJerseyServerCodegen() {
         library.setDefault(DEFAULT_LIBRARY);
 
         cliOptions.add(library);
-        cliOptions.add(CliOption.newBoolean(SUPPORT_JAVA6, "Whether to support Java6 with the Jersey1/2 library."));
         cliOptions.add(CliOption.newBoolean(USE_TAGS, "use tags for creating interface and controller classnames"));
     }
 
@@ -89,11 +88,11 @@ public void processOpts() {
         if (StringUtils.isEmpty(library)) {
             setLibrary(DEFAULT_LIBRARY);
         }
-        
+
         if ( additionalProperties.containsKey(CodegenConstants.IMPL_FOLDER)) {
             implFolder = (String) additionalProperties.get(CodegenConstants.IMPL_FOLDER);
         }
-    
+
         if (additionalProperties.containsKey(USE_TAGS)) {
             this.setUseTags(Boolean.valueOf(additionalProperties.get(USE_TAGS).toString()));
         }

modules/swagger-codegen/src/main/java/io/swagger/codegen/languages/JavaJerseyServerCodegen.java

@@ -25,6 +25,7 @@ import java.io.InputStream;
 
 {{^supportJava6}}
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import org.glassfish.jersey.logging.LoggingFeature;
 {{/supportJava6}}
@@ -296,7 +297,7 @@ public class ApiClient {
   public int getReadTimeout() {
     return readTimeout;
   }
-  
+
   /**
    * Set the read timeout (in milliseconds).
    * A value of 0 means no timeout, otherwise values must be between 1 and
@@ -628,9 +629,9 @@ public class ApiClient {
     }
 
     if (tempFolderPath == null)
-      return File.createTempFile(prefix, suffix);
+      return Files.createTempFile(prefix, suffix).toFile();
     else
-      return File.createTempFile(prefix, suffix, new File(tempFolderPath));
+      return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();
   }
 
   /**

modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache

@@ -24,6 +24,8 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.lang.reflect.Type;
 import java.net.URLConnection;
 import java.net.URLEncoder;
@@ -829,9 +831,9 @@ public class ApiClient {
         }
 
         if (tempFolderPath == null)
-            return File.createTempFile(prefix, suffix);
+            return Files.createTempFile(prefix, suffix).toFile();
         else
-            return File.createTempFile(prefix, suffix, new File(tempFolderPath));
+            return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();
     }
 
     /**
@@ -981,7 +983,7 @@ public class ApiClient {
      * @param formParams The form parameters
      * @param authNames The authentications to apply
      * @param progressRequestListener Progress request listener
-     * @return The HTTP request 
+     * @return The HTTP request
      * @throws ApiException If fail to serialize the request body object
      */
     public Request buildRequest(String path, String method, List<Pair> queryParams, List<Pair> collectionQueryParams, Object body, Map<String, String> headerParams, Map<String, Object> formParams, String[] authNames, ProgressRequestBody.ProgressRequestListener progressRequestListener) throws ApiException {

modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache

@@ -8,6 +8,7 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@@ -446,7 +447,7 @@ public class ApiClient {
   public Entity<?> serialize(Object obj, Map<String, Object> formParams, String contentType) throws ApiException {
     Entity<?> entity = null;
     if (contentType.startsWith("multipart/form-data")) {
-      MultipartFormDataOutput multipart = new MultipartFormDataOutput();  
+      MultipartFormDataOutput multipart = new MultipartFormDataOutput();
       //MultiPart multiPart = new MultiPart();
       for (Entry<String, Object> param: formParams.entrySet()) {
         if (param.getValue() instanceof File) {
@@ -552,9 +553,9 @@ public class ApiClient {
     }
 
     if (tempFolderPath == null)
-      return File.createTempFile(prefix, suffix);
+      return Files.createTempFile(prefix, suffix).toFile();
     else
-      return File.createTempFile(prefix, suffix, new File(tempFolderPath));
+      return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();
   }
 
   /**

modules/swagger-codegen/src/main/resources/Java/libraries/resteasy/ApiClient.mustache

@@ -16,6 +16,8 @@ import com.twitter.util.Future
 import com.twitter.io.Buf
 import io.finch._, items._
 import java.io.File
+import java.nio.file.Files
+import java.nio.file.Paths
 import java.time._
 
 object {{classname}} {
@@ -81,7 +83,7 @@ object {{classname}} {
     }
 
     private def bytesToFile(input: Array[Byte]): java.io.File = {
-      val file = File.createTempFile("tmp{{classname}}", null)
+      val file = Files.createTempFile("tmp{{classname}}", null).toFile()
       val output = new FileOutputStream(file)
       output.write(input)
       file

modules/swagger-codegen/src/main/resources/finch/api.mustache

@@ -3,6 +3,7 @@ package {{packageName}}.infrastructure
 import okhttp3.*
 import java.io.File
 import java.io.IOException
+import java.nio.file.Files;
 import java.util.regex.Pattern
 
 open class ApiClient(val baseUrl: String) {
@@ -64,15 +65,15 @@ open class ApiClient(val baseUrl: String) {
 
     inline protected fun <reified T: Any?> responseBody(response: Response, mediaType: String = JsonMediaType): T? {
         if(response.body() == null) return null
-        
+
         if(T::class.java == java.io.File::class.java){
             return downloadFileFromResponse(response) as T
         } else if(T::class == kotlin.Unit::class) {
             return kotlin.Unit as T
         }
-        
+
         var contentType = response.headers().get("Content-Type")
-        
+
         if(contentType == null) {
             contentType = JsonMediaType
         }
@@ -85,7 +86,7 @@ open class ApiClient(val baseUrl: String) {
             TODO("Fill in more types!")
         }
     }
-    
+
     fun isJsonMime(mime: String?): Boolean {
         val jsonMime = "(?i)^(application/json|[^;/ \t]+/[^;/ \t]+[+]json)[ \t]*(;.*)?$"
         return mime != null && (mime.matches(jsonMime.toRegex()) || mime == "*/*")
@@ -162,7 +163,7 @@ open class ApiClient(val baseUrl: String) {
             )
         }
     }
-    
+
     @Throws(IOException::class)
     fun downloadFileFromResponse(response: Response): File {
         val file = prepareDownloadFile(response)
@@ -206,6 +207,6 @@ open class ApiClient(val baseUrl: String) {
             prefix = "download-"
         }
 
-        return File.createTempFile(prefix, suffix);
+        return Files.createTempFile(prefix, suffix).toFile();
     }
-}
+}