Security Vulnerability Report
Severity: Medium
Vulnerability Type: Time-of-Check to Time-of-Use (TOCTOU) / Insecure Temporary File
Affected Files and Lines
src/commands/reply.ts, line 145
Code Snippet
// Create temp file with current reply
const tmpFile = join(tmpdir(), `ship-reply-${Date.now()}.txt`);
const header = `# Edit your reply below. Lines starting with # are ignored.
# Save and close the editor to submit, or delete all content to cancel.
# ─────────────────────────────────────────────────────────────────────
`;
writeFileSync(tmpFile, header + currentReply, 'utf8');
Description
The temporary file name is derived from Date.now(), which is predictable to within a millisecond. On a multi-user system, or wherever a local user can predict when the command will run, an attacker could:
- Predict the temp file name
- Create a symlink with that name before the application creates the file
- Cause the application to write the reply content to an attacker-controlled location, since writeFileSync follows the symlink
Additionally, there is a race window (TOCTOU) between checking whether the file exists and creating it.
Impact
- Sensitive user data (reply content) could be written to attacker-controlled locations
- Potential privilege escalation on shared systems
- Data theft through symlink attacks
Recommended Fix
Use Node.js's secure temporary file creation (imports added so the snippet is complete, and the random suffix is actually used in the file name):
import { mkdtempSync, writeFileSync } from 'fs';
import { join } from 'path';
import { tmpdir } from 'os';
import { randomBytes } from 'crypto';
// Private directory (mode 0o700) whose random suffix is chosen by mkdtempSync
const tempDir = mkdtempSync(join(tmpdir(), 'ship-reply-'));
// Random file name inside it; 'wx' (O_CREAT | O_EXCL) makes the write fail
// instead of following anything already placed at that path
const suffix = randomBytes(8).toString('hex');
const tmpFile = join(tempDir, `reply-${suffix}.txt`);
writeFileSync(tmpFile, header + currentReply, { encoding: 'utf8', flag: 'wx', mode: 0o600 });
References