# Insecure Temporary File (CWE-377)

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

- Prevalence: Medium; covers 1 language
- Impact: Medium; review recommended
- Prevention: Documented; 1 fix example

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

Temporary files that are created with predictable names, insecure permissions, or in shared directories can be exploited by attackers to read or modify sensitive data, or to inject malicious content.

## Prevention

### Key Practices

- Use the secure creation functions of the `tempfile` module (`mkstemp`, `NamedTemporaryFile`), which create and open the file in one step

### Python

Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` instead of `tempfile.mktemp`.

## Warning Signs

- [MEDIUM] Insecure temporary file creation using `tempfile.mktemp()`

## Consequences

- Reading application data
- Modifying application data
- Executing unauthorized code

## Mitigations

- Use secure temporary-file creation functions (e.g. `mkstemp`)
- Create temporary files in a secure directory that is not world-writable
- Set restrictive permissions on temporary files

## Detection

- Total rules: 1
- Languages: python

## Rules by Language

### Python (1 rule)

- **Insecure Temporary File Creation** [MEDIUM]: Detects insecure temporary file creation using `tempfile.mktemp()`, predictable names, or world-readable permissions. These can lead to symlink attacks, race conditions, or information disclosure. Use `tempfile.mkstemp()` or `NamedTemporaryFile`.
  - Remediation: Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` instead of `mktemp()`.

```python
import tempfile

def process_file(path):  # placeholder: reads the file back
    with open(path) as fh:
        return fh.read()

data = "example payload"  # placeholder input
# the file is created and opened atomically with mode 0600 and removed on exit
with tempfile.NamedTemporaryFile(mode='w+', delete=True) as tmp:
    tmp.write(data)
    tmp.flush()  # make the contents visible to process_file, which reopens by name
    result = process_file(tmp.name)
```

Note that reopening the file by `tmp.name` while it is still open works on Unix but not on Windows; where the file must be handed to another process by name, `mkstemp` followed by `os.close` is the portable choice.

Learn more: https://shoulder.dev/learn/python/cwe-377/insecure-tempfile
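The following is an added example, not code from the page or from the shoulder.dev rule itself. It puts the pattern the rule flags (`mktemp()` returning only a name, with the file created later) beside the hardened `mkstemp()` form, reproduces the exclusive-create check `mkstemp()` relies on, and adds a post-creation permission check. Function names and the `app-` prefix are this example's own choices.

```python
import os
import stat
import tempfile


def insecure_write(data: bytes) -> str:
    """The pattern the rule flags. mktemp() only returns a name; the
    file is created later by open(), so between the two calls another
    local user can pre-create or symlink that path."""
    path = tempfile.mktemp()
    # open() follows a pre-planted symlink and uses default-umask permissions
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def secure_write(data: bytes) -> str:
    """Hardened form. mkstemp() creates and opens the file in one step
    with O_CREAT|O_EXCL and mode 0600, so nothing planted at that path
    can be hijacked and other users cannot read the contents."""
    fd, path = tempfile.mkstemp(prefix="app-", suffix=".tmp")
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def create_exclusively(path: str) -> bool:
    """What mkstemp() does under the hood: refuse to open a path that
    already exists, including a symlink (O_EXCL fails with EEXIST even
    for a dangling link). True if created fresh, False if refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def is_private_regular_file(path: str) -> bool:
    """Post-creation check: a regular file with no group/other permission bits."""
    st = os.lstat(path)  # lstat so a symlink at this path is not followed
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0
```

`create_exclusively` is the check that closes the window `insecure_write` leaves open: an attacker-planted file or symlink at the chosen name makes the open fail instead of being silently written through.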