Fix modular jar final permissions

laurentgo · laurentgo · commit 2cf85abeb73e · 2024-04-27T13:55:26.000-07:00
When a new modular jar file is generated with maven-jar-plugin with
Java 11, the final permissions of the file are restricted to the current
user instead of using the environment umask which usually allows for
group and other users to access the file as well.

This is caused by the use of Files#createTempFile() which has a
restrictive file permission model for security reason but as the
temporary file is generated next to the original jar file, and
there's no sensitive reason to restrict its access, the restrictive
file permission should not be needed.

Fix the issue by creating a simple temporary file generator method.
diff --git a/src/main/java/org/codehaus/plexus/archiver/jar/JarToolModularJarArchiver.java b/src/main/java/org/codehaus/plexus/archiver/jar/JarToolModularJarArchiver.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.io.PrintStream;
 import java.lang.reflect.Method;
+import java.nio.file.FileAlreadyExistsException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
@@ -31,6 +32,7 @@
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Locale;
+import java.util.Random;
 import java.util.TimeZone;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
@@ -147,7 +149,7 @@ protected void postCreateArchive() throws ArchiverException {
     private void fixLastModifiedTimeZipEntries() throws IOException {
         long timeMillis = getLastModifiedTime().toMillis();
         Path destFile = getDestFile().toPath();
-        Path tmpZip = Files.createTempFile(destFile.getParent(), null, null);
+        Path tmpZip = createTempFile(destFile.getParent());
         try (ZipFile zipFile = new ZipFile(getDestFile());
                 ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(tmpZip))) {
             Enumeration<? extends ZipEntry> entries = zipFile.entries();
@@ -263,4 +265,24 @@ private boolean isJarDateOptionSupported(Method runMethod) {
             return false;
         }
     }
+
+    /**
+     * Create a temporary file in the provided directory.
+     *
+     * It is an unsecure replacement for {@code Files#createTempFile(Path, String, String, java.nio.file.attribute.FileAttribute...)}:
+     * The new file permissions are controlled by the umask property instead of just being accessible to the current user.
+     */
+    private Path createTempFile(Path dir) throws IOException {
+        Random random = new Random();
+        for (; ; ) {
+
+            String name = Long.toUnsignedString(random.nextLong()) + ".tmp";
+            Path path = dir.resolve(name);
+            try {
+                return Files.createFile(path);
+            } catch (FileAlreadyExistsException e) {
+                // retry;
+            }
+        }
+    }
 }
