Operating systems have global directories where any user has write access. Those folders are mostly used as temporary storage areas like ``++/tmp++`` in Linux based systems. An application manipulating files from these folders is exposed to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted. This risk is even higher if the application runs with elevated permissions.
In the past, it has led to the following vulnerabilities:
* https://nvd.nist.gov/vuln/detail/CVE-2012-2451[CVE-2012-2451]
* https://nvd.nist.gov/vuln/detail/CVE-2015-1838[CVE-2015-1838]
This rule raises an issue whenever it detects a hard-coded path to a publicly writable directory like ``++/tmp++`` (see the list below). It also detects access to environment variables that point to publicly writable directories, e.g., ``++TMP++``, ``++TMPDIR++`` and ``++TEMP++``.
* ``++/tmp++``
* ``++/var/tmp++``
* ``++/usr/tmp++``
* ``++/dev/shm++``
* ``++/dev/mqueue++``
* ``++/run/lock++``
* ``++/var/run/lock++``
* ``++/Library/Caches++``
* ``++/Users/Shared++``
* ``++/private/tmp++``
* ``++/private/var/tmp++``
* ``++\Windows\Temp++``
* ``++\Temp++``
* ``++\TMP++``
* ``++%USERPROFILE%\AppData\Local\Temp++``
include::../ask-yourself.adoc[]
== Recommended Secure Coding Practices
Out of the box, .NET is missing secure-by-design APIs to create temporary files. To overcome this, one of the following options can be used:
* Use a dedicated sub-folder with tightly controlled permissions
* Create temporary files in a publicly writable folder and make sure:
** Generated filename is unpredictable
** File is readable and writable only by the creating user ID
** File descriptor is not inherited by child processes
** File is destroyed as soon as it is closed
== Sensitive Code Example
[source,csharp]
----
using var writer = new StreamWriter("/tmp/f"); // Sensitive
----
[source,csharp]
----
var tmp = Environment.GetEnvironmentVariable("TMP"); // Sensitive
----
== Compliant Solution
[source,csharp]
----
var randomPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());

// Creates a new file with write-only, non-inheritable permissions which is deleted on close.
using var fileStream = new FileStream(randomPath, FileMode.CreateNew, FileAccess.Write, FileShare.None, 4096, FileOptions.DeleteOnClose);
using var writer = new StreamWriter(fileStream);
----
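The two options from the Recommended Secure Coding Practices combined, as an added example that is not part of the rule text or of the analyzer's code: a per-user sub-folder with owner-only permissions, and a temporary file inside it that meets the whole checklist. It assumes .NET 7 or later (for ``++UnixFileMode++`` and ``++FileStreamOptions.UnixCreateMode++``); the ``++SafeTemp++`` class name and the ``++myapp-++`` prefix are arbitrary.

```csharp
using System;
using System.IO;
using System.Text;

static class SafeTemp
{
    // Option 1: a dedicated sub-folder that only the current user can enter.
    // On Unix it is created with mode 0700; on Windows %TEMP% is already per-user,
    // so the plain overload is used (the UnixFileMode overload is Unix-only).
    public static string CreatePrivateTempDirectory()
    {
        string dir = Path.Combine(Path.GetTempPath(), "myapp-" + Path.GetRandomFileName());
        if (OperatingSystem.IsWindows())
            Directory.CreateDirectory(dir);
        else
            Directory.CreateDirectory(dir, UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute);
        return dir;
    }

    // Option 2: a file whose name is unpredictable, that is owner-only (0600 on Unix),
    // that fails instead of reusing a pre-existing path, and that vanishes on close.
    // The handle .NET returns is not inherited by child processes by default.
    public static FileStream CreatePrivateTempFile(string directory)
    {
        var options = new FileStreamOptions
        {
            Mode = FileMode.CreateNew,        // O_CREAT|O_EXCL on Unix: a planted file or symlink makes this fail
            Access = FileAccess.ReadWrite,
            Share = FileShare.None,           // nobody else may open it while we hold it
            Options = FileOptions.DeleteOnClose,
        };
        if (!OperatingSystem.IsWindows())
            options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite;

        // Retry on the rare collision instead of opening whatever already sits there.
        for (int attempt = 0; attempt < 10; attempt++)
        {
            string path = Path.Combine(directory, Path.GetRandomFileName());
            try { return new FileStream(path, options); }
            catch (IOException) when (File.Exists(path)) { /* name taken: pick another */ }
        }
        throw new IOException("could not create a private temporary file");
    }

    static void Main()
    {
        string dir = CreatePrivateTempDirectory();
        using (FileStream stream = CreatePrivateTempFile(dir))
        using (var writer = new StreamWriter(stream, Encoding.UTF8, leaveOpen: true))
        {
            writer.WriteLine("scratch data");   // constructed sample content
            writer.Flush();
            Console.WriteLine($"wrote {stream.Name}; it is removed when the stream closes");
        }
        Directory.Delete(dir, recursive: true); // the file is already gone; remove the folder too
    }
}
```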
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]