# Potential time of check time of use vulnerability (GetTempFileName)

## Description
The `GetTempFileName` function works by generating a randomly named file, creating the file (if it does not exist) and then closing it. An application wishing to use this temporary file must reopen it by name before working with it. This leads to a potential Time Of Check Time Of Use (TOCTOU) vulnerability: in the window between the close and the reopen, an attacker could replace the file or modify its contents before the application uses it.
## Examples

### Insecure Code

```c
GetTempFileName(...)
```

### Secure Code

```c
CreateFile(random_filename, ...)
```

## Remediation
Consider generating a random filename and opening the file directly in a single `CreateFile` or `OpenFile` call, so that the file is created and opened in one operation and the returned handle is used for all subsequent access instead of reopening the file by name.
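The remediation above, worked through as an added example (this is not the rule page's or any project's code): a random name is generated and the file is created and opened in one `CreateFile` call with `CREATE_NEW`, and the handle is kept for all later use. The `random_name` helper and `tmp_handle` type are hypothetical; the POSIX branch (`open` with `O_CREAT|O_EXCL`) is an assumed equivalent stand-in so the same code builds and runs off Windows.

```c
/* Added example, not the rule page's own code. Windows: the CreateFile CREATE_NEW
 * pattern the remediation describes; POSIX: equivalent stand-in (O_CREAT|O_EXCL). */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>   /* link with bcrypt.lib */
typedef HANDLE tmp_handle;
#define TMP_INVALID INVALID_HANDLE_VALUE
#else
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
typedef int tmp_handle;
#define TMP_INVALID (-1)
#endif
/* 8 CSPRNG bytes -> 16 hex digits (hypothetical helper; not GetTempFileName). */
static int random_name(char name[17]) {
    unsigned char buf[8];
#ifdef _WIN32
    if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, buf, sizeof buf, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) return 0;
#else
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    if (fread(buf, 1, sizeof buf, f) != sizeof buf) { fclose(f); return 0; }
    fclose(f);
#endif
    for (size_t i = 0; i < sizeof buf; i++) sprintf(name + 2 * i, "%02x", (unsigned)buf[i]);
    return 1;
}
/* Create <dir>/tmp<16 hex>.tmp and hand back the still-open handle: the caller
 * works through it and never re-opens the file by name. CREATE_NEW / O_EXCL fail
 * instead of opening a pre-existing (possibly planted) file, so a collision is retried. */
tmp_handle create_private_temp(const char *dir, char *path, size_t path_len) {
    char name[17];
    for (int attempt = 0; attempt < 10; attempt++) {
        if (!random_name(name)) return TMP_INVALID;
        snprintf(path, path_len, "%s/tmp%s.tmp", dir, name);
#ifdef _WIN32
        HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0 /* no sharing */, NULL,
                               CREATE_NEW, FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL);
        if (h != INVALID_HANDLE_VALUE) return h;
        if (GetLastError() != ERROR_FILE_EXISTS) return TMP_INVALID;
#else
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) { unlink(path); return fd; }   /* mirrors FILE_FLAG_DELETE_ON_CLOSE */
        if (errno != EEXIST) return TMP_INVALID;
#endif
    }
    return TMP_INVALID;
}
```

Any other error from the create call (for example a missing directory) is reported as a failure rather than retried, so only a genuine name collision triggers a fresh name.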
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0616 |
| Category | Generic |
| Severity | MEDIUM |
| CWE | CWE-377 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | TOCTOU, Time Of Check Time Of Use |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |