
Security scan reported problem with com.google.common.io.FileBackedOutputStream #2575

@venusjain10

We are using Google Commons APIs in our project, and a security scan on our code has reported the following problem. Could you please let me know if this is of any concern, or whether it can be fixed in a new version of this API?

Problem: Creating and using insecure temporary files can leave application and system data vulnerable to attack. In particular, file names created by the tmpnam family of functions can be easily guessed by an attacker. If an attacker can predict the filename and create a malicious collision, he may be able to manipulate the behavior of the application.

Recommendations (Generated by tool)
Ensure that unpredictable names are used for temporary files and that files are created in a secure directory with appropriate permissions. Using mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user, combined with a series of randomly generated characters. Note that mkstemp() is safe only if the descriptor is used and the returned filename is not used in a subsequent function call with extra privileges. Using mkstemp() does not completely eliminate race conditions, but it does provide better protection than other methods.

Class:
com.google.common.io.FileBackedOutputStream
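The recommendation text above is the scanner's generic libc guidance (tmpnam, mkstemp); the Java-side equivalent of "unpredictable name, secure directory, appropriate permissions" is java.nio.file.Files.createTempFile with explicit file attributes. In OpenJDK, Files.createTempFile derives the name from a SecureRandom and, on POSIX file systems, creates the file with mode 0600 by default, whereas the older java.io.File.createTempFile opens with mode 0666 masked by the process umask (typically leaving 0644, world-readable). The example below is added here as an illustration of that hardened pattern plus the check a reviewer would run afterwards; it is not Guava code and says nothing about what FileBackedOutputStream does internally, which this issue does not show. The class and method names are my own, and the permission checks assume a POSIX file system (they are skipped elsewhere).

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (hypothetical helper, not Guava code): create a temporary file
 * the way the scanner recommends, then verify the result before using it.
 */
public final class PrivateTempFileDemo {

    private static final Set<PosixFilePermission> OWNER_RW =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
    private static final Set<PosixFilePermission> OWNER_RWX =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    static boolean isPosix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** A private scratch directory (mode 0700) instead of the shared system /tmp. */
    static Path createPrivateDir() throws IOException {
        if (isPosix()) {
            return Files.createTempDirectory("scratch-",
                    PosixFilePermissions.asFileAttribute(OWNER_RWX));
        }
        return Files.createTempDirectory("scratch-");
    }

    /**
     * Random name, exclusive creation (CREATE_NEW semantics) and mode 0600 applied at
     * creation time rather than by a later chmod, which would leave a readable window.
     */
    static Path createPrivateFile(Path dir) throws IOException {
        if (isPosix()) {
            return Files.createTempFile(dir, "buf-", ".tmp",
                    PosixFilePermissions.asFileAttribute(OWNER_RW));
        }
        return Files.createTempFile(dir, "buf-", ".tmp");
    }

    /** The check a reviewer wants: only the owner can reach the directory or the file. */
    static void verifyPrivate(Path file) throws IOException {
        if (!isPosix()) {
            return; // PosixFilePermission cannot express the check on this platform
        }
        Set<PosixFilePermission> filePerms = Files.getPosixFilePermissions(file);
        if (!OWNER_RW.containsAll(filePerms)) {
            throw new IOException("temp file is not owner-only: " + filePerms);
        }
        Set<PosixFilePermission> dirPerms = Files.getPosixFilePermissions(file.getParent());
        if (!OWNER_RWX.containsAll(dirPerms)) {
            throw new IOException("temp directory is not owner-only: " + dirPerms);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateDir();
        Path file = createPrivateFile(dir);
        try {
            verifyPrivate(file);
            // Java hands back a path, not a descriptor, so the reopen below is by name;
            // the owner-only directory is what keeps another user from swapping the
            // file in between creation and this open.
            try (OutputStream out = Files.newOutputStream(file)) {
                out.write("buffered data".getBytes(StandardCharsets.UTF_8));
            }
            System.out.println("created " + file + " with permissions "
                    + (isPosix()
                       ? PosixFilePermissions.toString(Files.getPosixFilePermissions(file))
                       : "n/a"));
        } finally {
            // Remove the buffer as soon as it is no longer needed.
            Files.deleteIfExists(file);
            Files.deleteIfExists(dir);
        }
    }
}
```

When triaging a finding like this against a library you consume rather than write, the useful check is empirical: run the code path that spills to disk, then inspect the resulting file's location and mode (for example with ls -l on the temp directory) and compare against what verifyPrivate enforces above. If the library already yields an owner-only file with a random name, the C-oriented tmpnam wording is a false positive for that version.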
