CodeQL documentation

Insecure temporary file

ID: js/insecure-temporary-file
Kind: path-problem
Security severity: 7.0
Severity: warning
Precision: medium
Tags:
   - external/cwe/cwe-377
   - external/cwe/cwe-378
   - security
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Temporary files created in the operating system’s temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.

Recommendation

Use a well-tested library like tmp for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.

Example

The following example creates a temporary file in the operating system’s temporary directory.

const fs = require('fs');
const os = require('os');
const path = require('path');

// Predictable name (a timestamp) in a directory shared with every user on the
// system; the file is created with the process's default permissions and the
// path is never checked for prior existence.
const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
fs.writeFileSync(file, "content");

The file created above is accessible to other users, and there is no guarantee that the file does not already exist.

The following example uses the tmp library to create a temporary file securely.

const fs = require('fs');
const tmp = require('tmp');

// tmp.fileSync() creates the file itself: random name, exclusive creation
// (fails if the path already exists) and owner-only permissions.
const file = tmp.fileSync().name;
fs.writeFileSync(file, "content");
