Avoid hardcoded temporary file

Metadata

ID: go-security/tempfile-creation

Language: Go

Severity: Warning

Category: Security

CWE: 379

Description

Hardcoding a temporary file in your application can lead to several issues:

  • Security Vulnerability: If the location and name of the temp file are known and predictable, it can be a target for malicious attacks. An attacker could replace or alter the original file with a similar named file containing malicious code.

  • Portability Issues: Hardcoding paths or file names may not work in different environments if the file paths vary. This makes the application less portable and increases maintenance cost as the code might need to be repeatedly modified for different systems.

  • Concurrency Problems: If your program is meant to run concurrently, you might run into an issue where multiple instances are trying to write or read from the same hardcoded file, potentially leading to data corruption.

  • Scalability: It limits the application’s scalability. If the program is handling larger amounts of data, these hardcoded temporary files might not be efficient or reliable.

  • Cleanup Issue: Temporary files should ideally be cleaned when they are no longer needed. With hardcoded temp files, you might run into a situation where you forget to delete these files leading to unnecessary disk space consumption.

  • Testing Troubles: Hardcoded values in a program make testing more difficult, as you cannot easily change them to isolate components or techniques.

The practice of creating temporary files in a more flexible and secure manner is highly recommended. This can be achieved by using temporary file APIs provided by various programming languages that ensures uniqueness, automatic cleanup, and security.

Learn More

Non-Compliant Code Examples

package static_analyzer

import (
	"fmt"
	"io/ioutil"
	"os"
	"path"
	"path/filepath"
)

func main() {
	err := ioutil.WriteFile("/tmp/myfile", []byte("something"), 0644)
	if err != nil {
		fmt.Println("Error while writing!")
	}
}
package static_analyzer

import (
	"os"
)

func main() {
	file, err := os.Create("/tmp/tempfile")
}

Compliant Code Examples

package static_analyzer

import (

	"os"

)

func main() {
	tmpFile, err := ioutil.TempFile("/tmp", "foobar")
	if err != nil {
		log.Fatal(err)
	}
	defer os.Remove(file.Name())

}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: may/unit-testing