codeql/javascript/ql/src/Security/CWE-367/FileSystemRace.qhelp

<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>

<overview>
<p>
Often it is necessary to check the state of a file before using it. These checks usually take a file name
to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.
</p>

<p>
However, in the time between the check and the operation, the underlying file referenced by the
file name could be changed by an attacker, causing unexpected behavior.
</p>

</overview>

<recommendation>
<p>
Use file descriptors instead of file names whenever possible.
</p>
</recommendation>

<example>
<p>
The following example shows a case where the code checks whether a file inside the <code>/tmp/</code> folder exists, 
and if it doesn't, the file is written to that location.
</p>

<sample src="examples/file-race-bad.js" />

<p>
However, in a multi-user environment the file might be created by another user between the existence check and the write. 
</p>

<p>
This can be avoided by using <code>fs.open</code> to get a file descriptor, and then use that file descriptor in the write operation.
</p>

<sample src="examples/file-race-good.js" />

</example>

<references>
<li>
Wikipedia: <a href="https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use">Time-of-check to time-of-use</a>.
</li>

<li>
  The CERT Oracle Secure Coding Standard for C:
  <a href="https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification">
    FIO01-C. Be careful using functions that use file names for identification
  </a>.
</li>
<li>
NodeJS: 
  <a href="https://nodejs.org/api/fs.html">The FS module</a>.
</li>
</references>
</qhelp>