rust.lang.security.temp-dir.temp-dir

semgrep

Author

unknown

Download Count*

License

temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in “insecure temporary file” security vulnerabilities.'

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: temp-dir
    message: "temp_dir should not be used for security operations. From the docs:
      'The temporary directory may be shared among users, or between processes
      with different privileges; thus, the creation of any files or directories
      in the temporary directory must use a secure method to create a uniquely
      named file. Creating a file or directory with a fixed or predictable name
      may result in “insecure temporary file” security vulnerabilities.'"
    pattern: std::env::temp_dir()
    metadata:
      references:
        - https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html
      technology:
        - rust
      category: security
      cwe: "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
      confidence: HIGH
      likelihood: LOW
      impact: LOW
      subcategory: audit
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    languages:
      - rust
    severity: INFO

Examples

temp-dir.rs

use std::env;

// ruleid: temp-dir
let dir = env::temp_dir();

Short Link: https://sg.run/qzEO