CWE Rule 377

Insecure Temporary File

Since R2024a

expand all in page

Description

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Polyspace Implementation

The rule checker checks for Use of non-secure temporary file.

Examples

expand all

Issue

This issue occurs when you use temporary file routines that are not secure.

Risk

If an attacker guesses the file name generated by a standard temporary file routine, the attacker can:

  • Cause a race condition when you generate the file name.

  • Precreate a file of the same name, filled with malicious content. If your program reads the file, the attacker’s file can inject the malicious code.

  • Create a symbolic link to a file storing sensitive data. When your program writes to the temporary file, the sensitive data is deleted.

Fix

To create temporary files, use a more secure standard temporary file routine, such as mkstemp from POSIX.1-2001.

Also, when creating temporary files with routines that allow flags, such as mkostemp, use the exclusion flag O_EXCL to avoid race conditions.

Example — Temp File Created With tempnam
#define _BSD_SOURCE
#define _XOPEN_SOURCE 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int test_temp()
{
    char tpl[] = "abcXXXXXX";
    char suff_tpl[] = "abcXXXXXXsuff";
    char *filename = NULL;
    int fd;
    
    filename = tempnam("/var/tmp", "foo_");
    
    if (filename != NULL)
    {
        printf("generated tmp name (%s) in (%s:%s:%s)\n", 
               filename, getenv("TMPDIR") ? getenv("TMPDIR") : "$TMPDIR",
               "/var/tmp", P_tmpdir);
        
        fd = open(filename, O_CREAT, S_IRWXU|S_IRUSR); //Noncompliant
        if (fd != -1)
        {
            close(fd);
            unlink(filename);
            return 1;
        }
    }
    return 0;
}

In this example, Bug Finder flags open because it tries to use an unsecure temporary file. The file is opened without exclusive privileges. An attacker can access the file causing various risks.

Correction — Add O_EXCL Flag

One possible correction is to add the O_EXCL flag when you open the temporary file.

#define _BSD_SOURCE
#define _XOPEN_SOURCE 
#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int test_temp()
{
    char tpl[] = "abcXXXXXX";
    char suff_tpl[] = "abcXXXXXXsuff";
    char *filename = NULL;
    int fd;
    
    filename = tempnam("/var/tmp", "foo_");
    
    if (filename != NULL)
    {
        printf("generated tmp name (%s) in (%s:%s:%s)\n", 
               filename, getenv("TMPDIR") ? getenv("TMPDIR") : "$TMPDIR",
               "/var/tmp", P_tmpdir);
        
        fd = open(filename, O_CREAT|O_EXCL, S_IRWXU|S_IRUSR);
        if (fd != -1)
        {
            close(fd);
            unlink(filename);
            return 1;
        }
    }
    return 0;
}

Check Information

Category: Others
PQL Name: std.cwe_native.R377

Version History

Introduced in R2024a

See Also

Topics

External Websites