KnowledgeManagerImpl: Create temporary files in secure sub-folder ins…

…tead of publicly writable /tmp Signed-off-by: Florian Hotze <dev@florianhotze.com>
llamara-ai · Feb 28, 2025 · 3c514d4 · 3c514d4
1 parent 0d0b0aa
commit 3c514d4
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/main/java/com/github/llamara/ai/internal/knowledge/KnowledgeManagerImpl.java b/src/main/java/com/github/llamara/ai/internal/knowledge/KnowledgeManagerImpl.java
@@ -22,6 +22,7 @@
 import static com.github.llamara.ai.internal.Utils.generateChecksum;
 
 import com.github.llamara.ai.internal.MetadataKeys;
+import com.github.llamara.ai.internal.StartupException;
 import com.github.llamara.ai.internal.ingestion.DocumentIngestor;
 import com.github.llamara.ai.internal.ingestion.IngestionStatus;
 import com.github.llamara.ai.internal.knowledge.embedding.EmbeddingStorePermissionMetadataManager;
@@ -39,9 +40,13 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
@@ -76,6 +81,7 @@
 class KnowledgeManagerImpl implements KnowledgeManager {
     private static final String FILE_STORAGE_FILE_NOT_FOUND_PATTERN =
             "File for knowledge '%s' should exist in storage, but is missing";
+    private static final Path TEMP_DIR = Path.of("/tmp/llamara/knowledge");
 
     private final DocumentIngestor ingestor;
     private final EmbeddingStore<TextSegment> embeddingStore;
@@ -97,6 +103,17 @@ class KnowledgeManagerImpl implements KnowledgeManager {
         this.embeddingStorePermissionMetadataManager = embeddingStorePermissionMetadataManager;
     }
 
+    @Startup
+    void init() {
+        FileAttribute<Set<PosixFilePermission>> attr =
+                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+        try {
+            Files.createDirectories(TEMP_DIR, attr);
+        } catch (IOException e) {
+            throw new StartupException("Failed to create temporary directory", e);
+        }
+    }
+
     @Override
     public Collection<Knowledge> getAllKnowledge() {
         return repository.listAll();
@@ -352,7 +369,7 @@ public void retryFailedIngestion(UUID id)
         NamedFileContainer fc = getFile(id);
         File tempFile;
         try {
-            tempFile = File.createTempFile("knowledge_" + id, null);
+            tempFile = File.createTempFile(id.toString(), null, TEMP_DIR.toFile());
             tempFile.deleteOnExit(); // the file will be deleted when the JVM exits
             Files.copy(fc.content(), tempFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
         } catch (IOException e) {