[AUTO-CHERRYPICK] [Medium] Patch junit to fix CVE-2020-15250 - branch 3.0-dev (#12503)

CBL-Mariner-Bot · jykanase · web-flow · commit 3ec0ab5ae4ec · 2025-02-25T11:46:22.000-05:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/junit/CVE-2020-15250.patch b/SPECS/junit/CVE-2020-15250.patch
@@ -0,0 +1,74 @@
+From 2a3b5c8b4d62291d4c646b5fd9aac2753378b49e Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Tue, 11 Feb 2025 13:28:51 +0000
+Subject: [PATCH] CVE-2020-15250
+
+Source Link: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae
+---
+ .../java/org/junit/rules/TemporaryFolder.java | 43 ++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/junit/rules/TemporaryFolder.java b/src/main/java/org/junit/rules/TemporaryFolder.java
+index 1a6a770..a726c66 100644
+--- a/src/main/java/org/junit/rules/TemporaryFolder.java
++++ b/src/main/java/org/junit/rules/TemporaryFolder.java
+@@ -4,6 +4,9 @@ import static org.junit.Assert.fail;
+ 
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.Array;
++import java.lang.reflect.InvocationTargetException;
++import java.lang.reflect.Method;
+ 
+ import org.junit.Rule;
+ 
+@@ -229,7 +232,45 @@ public class TemporaryFolder extends ExternalResource {
+         return createTemporaryFolderIn(getRoot());
+     }
+ 
+-    private File createTemporaryFolderIn(File parentFolder) throws IOException {
++    private static File createTemporaryFolderIn(File parentFolder) throws IOException {
++        try {
++            return createTemporaryFolderWithNioApi(parentFolder);
++        } catch (ClassNotFoundException ignore) {
++            // Fallback for Java 5 and 6
++            return createTemporaryFolderWithFileApi(parentFolder);
++        } catch (InvocationTargetException e) {
++            Throwable cause = e.getCause();
++            if (cause instanceof IOException) {
++                throw (IOException) cause;
++            }
++            if (cause instanceof RuntimeException) {
++                throw (RuntimeException) cause;
++            }
++            IOException exception = new IOException("Failed to create temporary folder in " + parentFolder);
++            exception.initCause(cause);
++            throw exception;
++        } catch (Exception e) {
++            throw new RuntimeException("Failed to create temporary folder in " + parentFolder, e);
++        }
++    }
++
++    private static File createTemporaryFolderWithNioApi(File parentFolder) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
++        Class<?> filesClass = Class.forName("java.nio.file.Files");
++        Object fileAttributeArray = Array.newInstance(Class.forName("java.nio.file.attribute.FileAttribute"), 0);
++        Class<?> pathClass = Class.forName("java.nio.file.Path");
++        Object tempDir;
++        if (parentFolder != null) {
++            Method createTempDirectoryMethod = filesClass.getDeclaredMethod("createTempDirectory", pathClass, String.class, fileAttributeArray.getClass());
++            Object parentPath = File.class.getDeclaredMethod("toPath").invoke(parentFolder);
++            tempDir = createTempDirectoryMethod.invoke(null, parentPath, TMP_PREFIX, fileAttributeArray);
++        } else {
++            Method createTempDirectoryMethod = filesClass.getDeclaredMethod("createTempDirectory", String.class, fileAttributeArray.getClass());
++            tempDir = createTempDirectoryMethod.invoke(null, TMP_PREFIX, fileAttributeArray);
++        }
++        return (File) pathClass.getDeclaredMethod("toFile").invoke(tempDir);
++    }
++
++    private static File createTemporaryFolderWithFileApi(File parentFolder) throws IOException {
+         File createdFolder = null;
+         for (int i = 0; i < TEMP_DIR_ATTEMPTS; ++i) {
+             // Use createTempFile to get a suitable folder name.
+-- 
+2.45.2
+
diff --git a/SPECS/junit/junit.spec b/SPECS/junit/junit.spec
@@ -18,7 +18,7 @@
 Summary:        Java regression test package
 Name:           junit
 Version:        4.13
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        EPL-1.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,7 @@ URL:            https://www.junit.org/
 Source0:        https://github.com/junit-team/junit/archive/r%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        build.xml
 Patch1:         0001-Port-to-hamcrest-2.2.patch
+Patch2:         CVE-2020-15250.patch
 BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  hamcrest >= 1.3
@@ -68,6 +69,7 @@ Documentation for %{name}.
 %setup -q -n %{name}4-r%{version}
 cp %{SOURCE1} .
 %patch 1 -p1
+%patch 2 -p1
 
 find . -type f -name "*.jar" -or -name "*.class" | xargs -t rm -rf
 
@@ -123,6 +125,9 @@ java -cp %{buildroot}/%{_javadir}/%{name}.jar: test 2>&1 | \
 %doc doc/*
 
 %changelog
+* Tue Feb 11 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 4.13-7
+- Patch to fix CVE-2020-15250
+
 * Wed Feb 28 2024 Riken Maharjan <rmaharjan@microsoft.com> - 4.13-6
 - rebuild with msopenjdk-17
 
