Bug 64654

Summary: Ant may still use java.io.tmp as tmp directory
Product: Ant Reporter: Sourabh Sarvotham Parkala <sourabh.sarvotham.parkala>
Component: CoreAssignee: Ant Notifications List <notifications>
Status: RESOLVED WONTFIX    
Severity: normal    
Priority: P2    
Version: 1.9.15   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Sourabh Sarvotham Parkala 2020-08-07 13:54:14 UTC 
This is in association to a CVE CVE-2020-1945.

Affected version : All Apache Ant versions <= 1.10.8 (Including).

The CVE states to use the new Ant property 'ant.tmpdir' for default tmp directory. But the fix does not restrict the users from still using 'java.io.tmpdir' as a tmp directory for Ant. Also no default or safe value (tmp directory path) is provided to the new Ant property.


This bug is to indicate that, it would be good to set a proper default directory path to ant.tmpdir. Instead of expecting the user to set the property `ant.tmpdir` with a path value.

Because, if the user does not set the `ant.tmpdir` property with a safe path value. The user could still use 'java.io.tmpdir' property path value as Ant tmp directory (which is considered as unsafe).

The bug is filed in reference to this line in Apache Ant GitHub https://github.com/apache/ant/blob/rel/1.10.8/src/main/org/apache/tools/ant/util/FileUtils.java#L998
Comment 1 Stefan Bodewig 2020-08-11 13:10:23 UTC 
Actually, java.io.tmpdir is our best bet for finding a writable directory.

Some time in the past we created temporary files inside of the current working directory rather than the system tempdir and had to change that as in some contexts the CWD was unwritable. Think CI system using read-only containers that only mount the build tree.

Most Ant tasks create temporary files inside of the build tree, but not all of them. When we fixed CVE-2020-1945 we discussed making all tasks ensure they write to the build directory but not all places that create temporary files actually know the concept of a "build directory". So any such solution would have been partial.

Current master will set up a user-specific 700 permission temp directory inside of java.io.tmpdir if this is possible. But this really still is a kludge and won't work on Windows.

Therefore the best approach is and remains the user sets up a directory with proper permissions before starting Ant.
Comment 2 Sourabh Sarvotham Parkala 2020-08-24 12:03:33 UTC 
Hello Stefan,

Thank you for the  response. As I understand, creating a tmp folder in random locations is creating an access permission issue. This is even more restrictive when using Apache Ant in Windows OS.

Please correct me if I am wrong.

However a suggestion, Have you considered using "~/" USER_HOME folder for this tmp directory creation?

Would USER_HOME folder serve your purpose and allow appropriate access folder permissions after creation of tmp directory for Ant use?

Just a  thought.

Please let me know, if this is something to be considered

Thanks
Sourabh
Comment 3 Stefan Bodewig 2020-08-24 13:27:31 UTC 
There are cases, where the users home directory is not writable by Ant. The most simple example are docker containers with read-only mounted filesystems as can be found in certain CI systems.

There is no location we could come up with that would be reasonably secure and we'd be sure we could write to at the same time.

This really is heavily dependent on the environment in question and so we've decided to leave full control in the hands of the people who know the environment.

If you want to enforce people to use the home directory you could define ANT_OPTS as a system environment variable, I guess. Of course people would be able to override that.