go.lang.security.bad_tmp.bad-tmp-file-creation

Community Favorite
Author: semgrep
Download count: 70,061

File creation in a shared tmp directory without using ioutil.TempFile (os.CreateTemp in Go 1.16+)

Definition

rules:
  - id: bad-tmp-file-creation
    message: File creation in shared tmp directory without using ioutil.Tempfile
    languages:
      - go
    severity: WARNING
    metadata:
      cwe:
        - "CWE-377: Insecure Temporary File"
      source-rule-url: https://github.com/securego/gosec
      category: security
      technology:
        - go
      confidence: LOW
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    pattern-either:
      - pattern: ioutil.WriteFile("=~//tmp/.*$/", ...)
      - pattern: os.Create("=~//tmp/.*$/", ...)

Examples

bad_tmp.go

package samples

import (
	"fmt"
	"io/ioutil"
)

func main() {
	// A fixed, predictable path in the shared /tmp directory: any other local
	// user can pre-create or symlink /tmp/demo2 before this write happens.
	// ruleid:bad-tmp-file-creation
	err := ioutil.WriteFile("/tmp/demo2", []byte("This is some data"), 0644)
	if err != nil {
		fmt.Println("Error while writing!")
	}
}

func main_good() {
	// TempFile picks an unpredictable name, creates it with O_EXCL and mode
	// 0600, and returns the open *os.File (os.CreateTemp replaces it in Go 1.16+).
	// ok:bad-tmp-file-creation
	f, err := ioutil.TempFile("/tmp", "my_temp")
	if err != nil {
		fmt.Println("Error while creating temp file!")
		return
	}
	defer f.Close()
}
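The example below is added here to show why the rule fires; it is not part of the rule's own test file and not code from Semgrep or gosec. It stages the CWE-377 failure mode the message describes in a private scratch directory standing in for /tmp: a symlink planted at the predictable name is silently followed by os.WriteFile, while an O_EXCL open refuses it and os.CreateTemp (Go 1.16+; ioutil.TempFile is the older name) sidesteps the problem with an unpredictable name and mode 0600. The function names, the "demo2" file name and the sample data are assumptions made for the example; it assumes a POSIX filesystem where unprivileged users can create symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writeTempPredictable is the pattern the rule flags: a fixed, guessable path
// in a shared directory, opened without O_EXCL. os.WriteFile follows symlinks,
// so a link planted at path by another local user redirects the write.
func writeTempPredictable(path string, data []byte) error {
	return os.WriteFile(path, data, 0644)
}

// openExclusive creates path only if nothing exists there yet. O_EXCL makes
// check-and-create atomic; the open fails with fs.ErrExist even when the
// existing entry is a symlink, so a planted link is never followed.
func openExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
}

// writeTempSafe is the fix the rule asks for. os.CreateTemp (assumed Go 1.16+)
// picks an unpredictable name under dir, creates it with O_EXCL and mode 0600,
// and returns the open handle, so the returned path is the file really written.
func writeTempSafe(dir string, data []byte) (string, error) {
	f, err := os.CreateTemp(dir, "demo-*")
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		os.Remove(f.Name())
		return "", err
	}
	return f.Name(), nil
}

// isPrivateRegularFile reports whether path is a regular file (Lstat, so a
// symlink is rejected rather than followed) whose permission bits are exactly
// 0600, i.e. readable and writable by the owner alone.
func isPrivateRegularFile(path string) (bool, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().IsRegular() && info.Mode().Perm() == 0600, nil
}

// stageSymlinkHijack plays both roles inside dir, a private stand-in for /tmp:
// the attacker plants a symlink at the well-known name, the victim writes to
// it. It returns the bytes that landed in the attacker's target and whether
// the O_EXCL open correctly refused the planted link.
func stageSymlinkHijack(dir string) (leaked []byte, exclRefused bool, err error) {
	planted := filepath.Join(dir, "demo2") // the predictable temp file name
	target := filepath.Join(dir, "attacker-target")
	if err = os.Symlink(target, planted); err != nil {
		return nil, false, err
	}
	if err = writeTempPredictable(planted, []byte("secret session data")); err != nil {
		return nil, false, err
	}
	if leaked, err = os.ReadFile(target); err != nil {
		return nil, false, err
	}
	_, openErr := openExclusive(planted)
	return leaked, errors.Is(openErr, fs.ErrExist), nil
}

func main() {
	dir, err := os.MkdirTemp("", "cwe377-demo-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	leaked, refused, err := stageSymlinkHijack(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes written through the planted symlink: %q\n", leaked)
	fmt.Printf("O_EXCL open refused the planted link: %v\n", refused)
	name, err := writeTempSafe(dir, []byte("secret session data"))
	if err != nil {
		panic(err)
	}
	ok, _ := isPrivateRegularFile(name)
	fmt.Printf("CreateTemp file %s is a private regular file: %v\n", filepath.Base(name), ok)
}
```

Note that the rule's `os.Create("/tmp/...")` pattern has the same weakness as `os.WriteFile` here: both open with O_CREATE|O_TRUNC and no O_EXCL, so a pre-existing file or symlink at the fixed path is truncated and followed rather than refused.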