
Conversation

Contributor

Copilot AI commented Jan 14, 2026

CodeQL flagged fs.writeFileSync() in actions/setup/src/index.js for creating files in /tmp without secure permissions, making them readable by other users (CWE-377).

Changes

  • Added secure file permissions (mode 0o600) to fs.writeFileSync() - files are now only readable/writable by owner
  • Added secure directory permissions (mode 0o700) to fs.mkdirSync() - directories are now only accessible by owner
  • Documented Windows limitation (mode parameter ignored, relies on NTFS defaults)
// Before
fs.writeFileSync(filePath, content, 'utf8');

// After - using secure permissions
fs.writeFileSync(filePath, content, { encoding: "utf8", mode: 0o600 });

This implementation uses Node.js built-in fs module with secure file permissions, ensuring files are inaccessible to other users without adding external dependencies.

Platform Compatibility

  • Unix/Linux/macOS: File/directory modes are enforced as specified
  • Windows: Mode parameter is ignored; relies on default NTFS permissions

Verification

  • ✅ CodeQL security scanner: 0 JavaScript alerts
  • ✅ No external npm dependencies added
  • ✅ Files created with secure permissions (owner access only)
Original prompt

Please fix this security alert in actions/setup/src/index.js:30

Tool: CodeQL
Rule ID: js/insecure-temporary-file

Description
Temporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.

Recommendation
Use a well-tested library like tmp for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.

Example
The following example creates a temporary file in the operating system's temporary directory.

const fs = require('fs');
const os = require('os');
const path = require('path');

// Name derived from the clock, default (umask-derived) permissions, and plain
// 'w' semantics: a file or symlink already sitting at this path is silently
// opened and overwritten.
const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
fs.writeFileSync(file, "content");
The file created above is accessible to other users, and there is no guarantee that the file does not already exist.

The below example uses the tmp library to securely create a temporary file.

const fs = require('fs');
const tmp = require('tmp');

// tmp.fileSync() creates the file with an exclusive open and mode 0o600 and
// returns { name, fd, removeCallback }; only the path is used here.
const file = tmp.fileSync().name;
fs.writeFileSync(file, "content");
References

  • Mitre.org: CWE-377.
  • NPM: tmp.
  • Common Weakness Enumeration: CWE-377.
  • Common Weakness Enumeration: CWE-378.



Copilot AI and others added 2 commits January 14, 2026 22:47
Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security alert for temporary file creation Fix insecure temporary file creation (CWE-377) Jan 14, 2026
Copilot AI requested a review from eaftan January 14, 2026 22:55
@eaftan
Contributor

eaftan commented Jan 14, 2026

@copilot The original prompt told you to use the tmp library (https://www.npmjs.com/package/tmp) to solve this. Please do that.

@pelikhan
Contributor

@eaftan we do not have any npm dependencies

Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot The original prompt told you to use the tmp library (https://www.npmjs.com/package/tmp) to solve this. Please do that.

Done! I've updated the code to use the tmp library as requested.

Changes in commit ed7b174:

  • Added tmp (v0.2.5) as a dependency
  • Using tmp.dirSync() for secure directory creation (mode 0o700)
  • Using tmp.fileSync() for secure file creation (mode 0o600)

CodeQL security scanner confirms 0 JavaScript alerts.

Copilot AI changed the title Fix insecure temporary file creation (CWE-377) Fix insecure temporary file creation (CWE-377) using tmp library Jan 14, 2026
@pelikhan
Contributor

@copilot revert the previous commit

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot revert the previous commit

Reverted in commit 9cbe53f. Removed the tmp library dependency and reverted to using Node.js built-in fs module with secure file permissions (mode 0o600 for files, 0o700 for directories).

CodeQL security scanner still shows 0 JavaScript alerts - the security issue is resolved without adding external dependencies.

Copilot AI changed the title Fix insecure temporary file creation (CWE-377) using tmp library Fix insecure temporary file creation (CWE-377) with secure file permissions Jan 14, 2026
Copilot AI requested a review from pelikhan January 14, 2026 23:17
@pelikhan
Contributor

@copilot format, lint

Contributor Author

Copilot AI commented Jan 15, 2026

@copilot format, lint

All files are already properly formatted and linted - no changes needed.

make fmt - All files unchanged (already formatted)
make lint - 0 issues, all validations passed

@pelikhan pelikhan marked this pull request as ready for review January 15, 2026 00:30
@pelikhan pelikhan merged commit fd6a8a2 into main Jan 15, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/fix-security-alert-temporary-file branch January 15, 2026 00:30