insecure-temp-files-anti-pattern

Insecure temporary file creation exposes three attack vectors: predictable file names enabling symlink attacks, insecure permissions allowing unauthorized access, and missing cleanup leaving sensitive data on disk. Attackers exploit these to read sensitive data, inject malicious content, or cause denial of service. AI-generated code frequently suggests simplistic file handling vulnerable to these attacks.

Never create temporary files without securing their location, naming, permissions, and lifecycle management.

Using a predictable name for a temporary file creates a race condition. An attacker can guess the file name and create a symbolic link (symlink) at that location pointing to a sensitive system file. When the application writes to its "temporary" file, it is actually overwriting the linked file.

안전하지 않은 임시 파일에 대한 보안 안티 패턴(CWE-377). 임시 파일을 생성하거나, 파일 캐싱을 처리하거나, 임시 저장소를 통해 업로드를 처리하는 코드를 생성 또는 검토할 때 사용합니다. 예측 가능한 경로, 안전하지 않은 권한, 누락된 정리를 감지합니다. 출처: igbuend/grimbard.