Security Fix for Insecure use of Tmp files - huntr.dev

[huntr-helper]

https://huntr.dev/users/mufeedvh has fixed the Insecure use of Tmp files vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #17
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/sync-exec/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-sync-exec

⚙️ Description *

The project sync-exec was creating tmp files insecurely with fs.mkdir(), now that Node has a new builtin function to create tmp files fs.mkdtemp(), it's better to use that.

💻 Technical Description *

tmp files were created insecurely using fs.mkdir() which resulted in the vulnerability Insecure Temporary File Creation.

The fix is implemented using the new Node builtin function fs.mkdtemp() which is solely meant for creating tmp files. This function generates a randomly generated string as the filename as well.

dir = fs.mkdtemp(tmp_dir + '/sync-exec-');

🐛 Proof of Concept (PoC) *

No PoC was provided.

🔥 Proof of Fix (PoF) *

No PoC was provided.

📚 Reference:

• https://cwe.mitre.org/data/definitions/377.html
• babel-node insecure temporary file handling causing errors and vulnerability babel/babel#1093
• https://nodejs.org/api/fs.html#fs_fs_mkdtemp_prefix_options_callback
• https://advancedweb.hu/secure-tempfiles-in-nodejs-without-dependencies/

👍 User Acceptance Testing (UAT)

Ref: Example Test

var exec = require('sync-exec');

// { stdout: '1\n',
//   stderr: '',
//   status: 0 }
console.log(exec('echo 1'));

// You can even pass options, just like for [child_process.exec](http://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
console.log(exec('ls -la', {cwd: '/etc'}));

// Times out after 1 second, throws an error
exec('sleep 3; echo 1', 1000);

Outputs:

{ stdout: '1\n', stderr: '', status: 0 }
{
  stdout: 'total XXXX\n' +
    ...
    ...
    ...
    ...
  stderr: '',
  status: 0
}

[JamieSlome]

@gvarsanyi - let me know if you have any thoughts!

Cheers! 🍰