# Insecure Temporary File (CWE-377)

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

- Prevalence: Medium, covers 1 language
- Impact: Medium, review recommended
- Prevention: 1 fix example documented

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

Temporary files that are created with predictable names, insecure permissions, or in shared directories can be exploited by attackers to read or modify sensitive data, or to inject malicious content.

## Prevention

### Key Practices

- Use the `tempfile` module's secure constructors (`NamedTemporaryFile`, `mkstemp`) rather than building temporary paths by hand

### Python

Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` instead of `tempfile.mktemp`.

## Warning Signs

- [MEDIUM] insecure temporary file creation using `tempfile.mktemp()`

## Consequences

- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Use secure temporary-file creation functions (such as `mkstemp`)
- Create temporary files in a secure directory that is not world-writable
- Set strict permissions on temporary files

## Detection

- Total rules: 1
- Languages: python

## Rules by Language

### Python (1 rule)

- **Insecure Temporary File Creation** [MEDIUM]: Detects insecure temporary file creation using `tempfile.mktemp()`, predictable names, or world-readable permissions. These can lead to symlink attacks, race conditions, or information disclosure. Use `tempfile.mkstemp()` or `NamedTemporaryFile`.
  - Remediation: Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` instead of `mktemp()`.

```python
import tempfile

data = "constructed sample content"  # stands in for the application's real data

def process_file(path):              # placeholder for the application's own consumer
    with open(path) as f:
        return len(f.read())

# NamedTemporaryFile creates the file atomically (O_EXCL) with mode 0600, so another
# local user cannot pre-create or guess the name the way a mktemp() name can be.
with tempfile.NamedTemporaryFile(mode='w+', delete=True) as tmp:
    tmp.write(data)
    tmp.flush()                      # make the written bytes visible to readers of tmp.name
    result = process_file(tmp.name)
```

Learn more: https://shoulder.dev/learn/python/cwe-377/insecure-tempfile
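As an added illustration of how the detection rule above can be implemented (example code written for this page, not the scanner's own rule engine), the following AST-based checker flags the three patterns the rule names: calls to `tempfile.mktemp()` (including aliased imports), hard-coded paths under shared temp directories passed to `open()`, and permission modes on `os.chmod`/`os.open`/`os.mkdir` that grant group or other access. The sample source it scans is constructed for the demonstration.

```python
import ast

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # shared, world-writable dirs
MODE_ARG = {"os.chmod": 1, "os.open": 2, "os.mkdir": 1, "os.makedirs": 1}  # position of mode

def _callee(node):  # dotted name of a call target, e.g. 'tempfile.mktemp' or 'open'
    if isinstance(node, ast.Attribute):
        base = _callee(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return node.id if isinstance(node, ast.Name) else ""

def find_insecure_tempfiles(source):  # returns sorted (line, reason) findings
    tree = ast.parse(source)
    mods, funcs = {"tempfile"}, set()  # aliases of the module / of mktemp itself
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            mods |= {a.asname or a.name for a in n.names if a.name == "tempfile"}
        elif isinstance(n, ast.ImportFrom) and n.module == "tempfile":
            funcs |= {a.asname or a.name for a in n.names if a.name == "mktemp"}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee(node.func)
        head, _, tail = callee.rpartition(".")
        if callee in funcs or (tail == "mktemp" and head in mods):
            findings.append((node.lineno, "mktemp() name can be claimed by another process first"))
        if callee in ("open", "io.open") and node.args:  # hard-coded shared temp path
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str) \
                    and first.value.startswith(TEMP_DIRS):
                findings.append((node.lineno, f"predictable temp path {first.value!r}"))
        pos = MODE_ARG.get(callee)  # world-readable/writable permission bits
        if pos is not None:
            mode = next((kw.value for kw in node.keywords if kw.arg == "mode"), None)
            if mode is None and len(node.args) > pos:
                mode = node.args[pos]
            if isinstance(mode, ast.Constant) and isinstance(mode.value, int) and mode.value & 0o077:
                findings.append((node.lineno, f"mode {mode.value:#o} grants group/other access"))
    return sorted(findings)

# Constructed sample source: lines 3-6 should be flagged, line 7 (mkstemp) should not.
SAMPLE = '''\
import os, tempfile
from tempfile import mktemp as mt
path = tempfile.mktemp(suffix=".log")
name = mt()
lock = open("/tmp/app.lock", "w")
os.chmod(name, 0o666)
fd, safe = tempfile.mkstemp()
'''
```

Running `find_insecure_tempfiles(SAMPLE)` yields one finding per flagged line; the checker only inspects literal arguments, so a mode or path computed at runtime is not reported.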