Insecure temporary directores #17
Comments
|
This is flagged as a security problem at https://nodesecurity.io/advisories/310 |
|
🛠️ A fix has been provided for this issue. Please reference: 418sec#1 🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The module uses temporary directories but creates them in an insecure way.
Besides general issues related to making of tmp files, the implementation in sync-exec/coffee/lib/create-pipes.coffee does not handle errors. The variable created is set to true even if the directory already exists and belong to another user. It seems that errors should be handled by callback, but it is inconsistent with synchronous usage of fs.mkdir.
Some node modules were suggested in response to the stackoverflow question "nodejs - Temporary file name [closed]"
More details related to the issue is given in "Creating temporary files securely"
This kind of vulnerabilities is discussed in general in CWE-377: Insecure Temporary File
The text was updated successfully, but these errors were encountered: