This repository has been archived by the owner on Nov 4, 2022. It is now read-only.

[BUG] Unsecurable functions #6

Closed
ghost opened this issue Jun 8, 2021 · 1 comment

ghost commented Jun 8, 2021

What / Why

The module functions offer no way to specify a mode for implicitly created directories, so they always create directories world writable. If a user wants to ensure secure directories, they have to avoid these methods. Accepting a directory mode would make it possible to use them securely.

World writable resources such as config files can allow other users to control program behavior. In some cases there's code injection through the config file, which can lead to privilege elevation. World writable directories have the same weakness since they allow adding files within them. A world writable config directory /etc/froznator/conf.d offers a route to controlling program behavior through a new config file. On Linux the umask should usually prevent this but it's not guaranteed. Secure coding standards recommend always specifying a restricted mode so files and directories are secure in any environment. MITRE calls this CWE-732, one of the top 25 most dangerous vulnerabilities.

These lines always create directories without specifying a mode. If you used move-file to, e.g., install default config files, you could end up with a world writable config directory.

await mkdirp(dirname(destination))

mkdirp.sync(dirname(destination))

This came out of research with CodeQL.

When

  • n/a

Where

  • n/a

How

Current Behavior

Directories are always created world writable.

Steps to Reproduce

  • Use move-file to create parent directories with umask set to 000.
  • World writable directories are created.

Expected Behavior

Implicitly created directories can be secured.

Who

  • n/a

References

  • n/a

ghost commented Jun 13, 2021

For reference, move-file added a directoryMode option to handle this.

This issue was closed.