hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.23.5
codeql/javascript/ql/test/query-tests/Security/CWE-377/insecure-temporary-file.js
Asger F 64d39da5f8 JS: Accept Sources/Sink tags
2025-02-28 13:29:30 +01:00

31 lines
1.0 KiB
JavaScript
Raw Permalink Blame History

const os = require('os');
const uuid = require('node-uuid');
const fs = require('fs');
const path = require('path');
(function main() {
var tmpLocation = path.join(
os.tmpdir ? os.tmpdir() : os.tmpDir(), // $ Source
'something',
uuid.v4().slice(0, 8)
);
fs.writeFileSync(tmpLocation, content); // $ Alert
var tmpPath = "/tmp/something"; // $ Source
fs.writeFileSync(path.join("./foo/", tmpPath), content);
fs.writeFileSync(path.join(tmpPath, "./foo/"), content); // $ Alert
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o600});
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: mode}); // OK - assumed unknown mode is secure
fs.writeFileSync(path.join(tmpPath, "./foo/"), content, {mode: 0o666}); // $ Alert - explicitly insecure
const tmpPath2 = path.join(os.tmpdir(), `tmp_${Math.floor(Math.random() * 1000000)}.md`); // $ Source
fs.writeFileSync(tmpPath2, content); // $ Alert
fs.openSync(tmpPath2, 'w'); // $ Alert
fs.openSync(tmpPath2, 'w', 0o600);
})
Reference in New Issue View Git Blame Copy Permalink