Make temp file location configurable in Jobstore

Question

Make temp file location configurable in Jobstore

seehamrun opened this issue 3 years ago · comments

We use File.createTempFile in the PerJobDatastore because a Random Access file is needed for some apis. This is currently only the GoogeVideoImporter and the BackblazeImporters: https://github.com/google/data-transfer-project/search?q=getTempFileFromInputStream

However File.createTempFile creates files in the the system temporary directory with file permissions -rw-r--r-- by default.

We'll need to figure out how to hold the file in memory somehow and still be comptiable with the APIs or simply make the location configurable.

Jonathan Leitschuh · Answer 1 · Thu Mar 11 2021 04:31:08 GMT+0800 (China Standard Time)

Or move to the new Files API which correctly sets the file permissions on temporary files to be restricted.

Jonathan Leitschuh · Answer 2 · Thu Mar 11 2021 04:31:26 GMT+0800 (China Standard Time)

https://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html#createTempFile(java.nio.file.Path,%20java.lang.String,%20java.lang.String,%20java.nio.file.attribute.FileAttribute...)

Jonathan Leitschuh · Answer 3 · Tue Apr 20 2021 03:51:49 GMT+0800 (China Standard Time)

Hi all, what's the disclosure/CVE issuance plan for this vulnerability?

Jonathan Leitschuh · Answer 4 · Thu Mar 10 2022 00:38:32 GMT+0800 (China Standard Time)

I've reached out to Google multiple times about getting a CVE issued for this vulnerability without response. At this point, I'll be moving forward with the CVE appeals process to get CVEs issued for this vulnerability.

Jonathan Leitschuh · Answer 5 · Thu Mar 10 2022 00:40:04 GMT+0800 (China Standard Time)

This vulnerability has been publicly disclosed here: GHSA-22c6-wcjm-qfjg