Insecure temporary file
ID: js/insecure-temporary-file
Kind: path-problem
Security severity: 7.0
Severity: warning
Precision: medium
Tags:
- external/cwe/cwe-377
- external/cwe/cwe-378
- security
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Temporary files created in the operating system’s temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.
Recommendation
Use a well-tested library like tmp for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.
Example
The following example creates a temporary file in the operating system’s temporary directory.
const fs = require('fs');
const os = require('os');
const path = require('path');
// Predictable name (millisecond timestamp) in a directory shared with every
// user, and writeFileSync creates the file with the default mode (0o666 minus
// umask), so other users can typically read it and a file or symlink that is
// already at this path is silently reused.
const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
fs.writeFileSync(file, "content");
The file created above is accessible to other users, and there is no guarantee that the file does not already exist.
The example below uses the tmp library to securely create a temporary file.
const fs = require('fs');
const tmp = require('tmp');
// tmp.fileSync() picks a random name, creates the file exclusively (failing
// instead of reusing an existing path) and restricts it to the current user.
const file = tmp.fileSync().name;
fs.writeFileSync(file, "content");