- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: go-security/tempfile-creation
Language: Go
Severity: Warning
Category: Security
CWE: 379
Hardcoding a temporary file in your application can lead to several issues:
Security Vulnerability: If the location and name of the temp file are known and predictable, it can be a target for malicious attacks. An attacker could replace or alter the original file with a similar named file containing malicious code.
Portability Issues: Hardcoding paths or file names may not work in different environments if the file paths vary. This makes the application less portable and increases maintenance cost as the code might need to be repeatedly modified for different systems.
Concurrency Problems: If your program is meant to run concurrently, you might run into an issue where multiple instances are trying to write or read from the same hardcoded file, potentially leading to data corruption.
Scalability: It limits the application’s scalability. If the program is handling larger amounts of data, these hardcoded temporary files might not be efficient or reliable.
Cleanup Issue: Temporary files should ideally be cleaned when they are no longer needed. With hardcoded temp files, you might run into a situation where you forget to delete these files leading to unnecessary disk space consumption.
Testing Troubles: Hardcoded values in a program make testing more difficult, as you cannot easily change them to isolate components or techniques.
The practice of creating temporary files in a more flexible and secure manner is highly recommended. This can be achieved by using temporary file APIs provided by various programming languages that ensures uniqueness, automatic cleanup, and security.
package static_analyzer
import (
"fmt"
"io/ioutil"
"os"
"path"
"path/filepath"
)
func main() {
err := ioutil.WriteFile("/tmp/myfile", []byte("something"), 0644)
if err != nil {
fmt.Println("Error while writing!")
}
}
package static_analyzer
import (
"os"
)
func main() {
file, err := os.Create("/tmp/tempfile")
}
package static_analyzer
import (
"os"
)
func main() {
tmpFile, err := ioutil.TempFile("/tmp", "foobar")
if err != nil {
log.Fatal(err)
}
defer os.Remove(file.Name())
}