Insecure temporary file
Description
The application creates files in a shared system temporary directory (such as `/tmp`) at a predictable path instead of using the `tempfile` module (for example `tempfile.TemporaryFile`). Any local user who can write to that directory may place a symlink at the predictable path before the application creates or writes the file; the write then follows the link, so an unintended file is created or overwritten.
Examples
Insecure Code

```python
with open('/tmp/example.txt', 'w') as f:
    f.write('example')
```

Secure Code

```python
import tempfile

with tempfile.TemporaryFile() as fp:
    fp.write(b'example')
```

Remediation
Use the `tempfile.TemporaryFile` function to create temporary files.
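An added example (not part of the rule page or the scanner's own code) that contrasts the flagged pattern with two safe variants: `tempfile.mkstemp` when the name does not matter, and `os.open` with `O_CREAT|O_EXCL|O_NOFOLLOW` when a fixed name is unavoidable. The scenario is constructed inside a private scratch directory from `tempfile.mkdtemp` so it runs offline; the function names are assumptions of this example.

```python
import os
import stat
import tempfile


def insecure_write(path, data):
    # The pattern the rule flags: a fixed, predictable path opened with
    # plain open(). If 'path' already exists as a symlink, the write follows it.
    with open(path, 'wb') as f:
        f.write(data)


def secure_write(data, dir=None):
    # mkstemp creates a uniquely named file with O_CREAT|O_EXCL and mode 0600,
    # so a pre-placed symlink cannot be followed. Returns the new path.
    fd, path = tempfile.mkstemp(prefix='example-', dir=dir)
    with os.fdopen(fd, 'wb') as f:
        f.write(data)
    return path


def secure_write_fixed_path(path, data):
    # When a fixed name is required: O_EXCL refuses any existing entry (symlink
    # included) and O_NOFOLLOW refuses symlinks, so open() fails instead of
    # writing through an attacker-placed link. Caller handles FileExistsError.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'wb') as f:
        f.write(data)


def demo():
    # Constructed scenario: a symlink already sits at the predictable name,
    # pointing at an unrelated file, before the program creates it.
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, 'victim.txt')
    with open(victim, 'wb') as f:
        f.write(b'original')
    predictable = os.path.join(scratch, 'example.txt')
    os.symlink(victim, predictable)

    insecure_write(predictable, b'example')          # follows the link
    with open(victim, 'rb') as f:
        victim_after_insecure = f.read()

    try:
        secure_write_fixed_path(predictable, b'example')
        fixed_path_refused = False
    except FileExistsError:
        fixed_path_refused = True

    safe_path = secure_write(b'example', dir=scratch)
    with open(safe_path, 'rb') as f:
        safe_contents = f.read()
    safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
    return {
        'victim_after_insecure': victim_after_insecure,
        'fixed_path_refused': fixed_path_refused,
        'safe_contents': safe_contents,
        'safe_is_link': os.path.islink(safe_path),
        'safe_mode': safe_mode,
    }
```

`demo()` shows the insecure write overwriting the unrelated file, while both secure variants either refuse the pre-placed link or never use a predictable name at all.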
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0169 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-377 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | temporary file, symlink |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |