Audit: Storing or accessing files from a publicly accessible directory is vulnerable to information disclosure JS-A1001

When trying to read or write temporary files needed in your application, it is tempting to use the standard temporary directories provided by respective operating systems. However, such directories are not access controlled and performing operations on files in such directories are prone to unexpected information disclosure if the files have any sensitive content in them.

It can also lead to scenarios where an attacker might try to replace the contents of the file from which your applications reads data and inject corrupted or malicious data in your application logic.

This issue is raised when a hardcoded path to any of the below accessible directories is detected in the context of file operations:

• /tmp,
• /var/tmp,
• /usr/tmp,
• /run/lock,
• /var/run/lock,
• /Library/Caches,
• /private/tmp,
• /private/var/tmp

Bad Practice

import { writeFileSync } from 'fs'
writeFileSync('/tmp', data)

Recommended

import { writeFileSync } from 'fs'
writeFileSync('/someSafeDir', data)

References

• OWASP A01:2021 - Broken Access Control
• OWASP A05:2017 - Broken Access Control
• OWASP A03:2017 - Sensitive Data Exposure
• CWE-377: Insecure Temporary File
• CWE-379: Creation of Temporary File in Directory with Insecure Permissions