Insecure Temporary File

ID

go.insecure_temporary_file

Severity

high

Resource

Api

Language

Go

Tags

CWE:377, NIST.SP.800-53, PCI-DSS:6.5.6

Description

Insecure temporary file creation can allow unauthorized access to sensitive information or unexpected code execution.

Rationale

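The Go standard library provides functions for creating temporary files and directories. Creating a file with os.Create at a fixed, predictable path inside a shared temporary directory bypasses them. os.Create opens whatever already exists at that path, following symbolic links, and truncates it, and any other local user can create that name in advance.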

Look at this example:

package insecure_temporary_file

import (
	"os"
)

func main() {
	os.Create("/tmp/demo2")                                     // FLAW
	os.Create("C:\\Users\\lab\\AppData\\Local\\Temp\\demo2") // FLAW
}

Remediation

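To remediate this, use the CreateTemp function from Go's os package. Its first argument is the directory (an empty string selects the default temporary directory) and its second is a name pattern. It creates a new file with a random name component and opens it exclusively, with mode 0600.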

Here’s the corrected usage:

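package insecure_temporary_file

import (
	"log"
	"os"
)

func main() {
	// An empty dir selects os.TempDir(); "*" is replaced by a random string.
	f, err := os.CreateTemp("", "demo2-*")
	if err != nil {
		log.Fatal(err)
	}
	defer os.Remove(f.Name()) // remove the temporary file when done
	defer f.Close()
}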
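The difference between the flagged call and the remediation, as an added example that is not part of the rule's own code: it runs both inside a private sandbox directory and reports what each does when the fixed name already exists as a symbolic link. The names clobberedByCreate, safeTemp and victim.txt are hypothetical, and a POSIX system with symlink support is assumed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// clobberedByCreate plants a symlink at a fixed name in sandbox (constructed
// stand-in for a guessed /tmp name), runs the flagged call, returns target size.
func clobberedByCreate(sandbox string) (int64, error) {
	victim := filepath.Join(sandbox, "victim.txt")
	fixed := filepath.Join(sandbox, "demo2")
	if err := os.WriteFile(victim, []byte("important"), 0o600); err != nil {
		return -1, err
	}
	if err := os.Symlink(victim, fixed); err != nil {
		return -1, err
	}
	f, err := os.Create(fixed) // FLAW: follows the link; O_TRUNC empties victim
	if err != nil {
		return -1, err
	}
	defer f.Close()
	data, err := os.ReadFile(victim)
	return int64(len(data)), err
}

// safeTemp uses os.CreateTemp: random suffix, O_EXCL, mode 0600 before umask.
func safeTemp(dir string) (string, fs.FileMode, error) {
	f, err := os.CreateTemp(dir, "demo2-*")
	if err != nil {
		return "", 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return "", 0, err
	}
	return f.Name(), info.Mode().Perm(), nil
}

func main() {
	sandbox, _ := os.MkdirTemp("", "cwe377-")
	defer os.RemoveAll(sandbox)
	fmt.Println(clobberedByCreate(sandbox)) // size 0: the target was truncated
	fmt.Println(safeTemp(sandbox))
}
```
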

References

  • CWE-377: Insecure Temporary File.