SV.PCC.MISSING_TEMP_CALLS.MUST

Insecure variable temporary filename

If temporary files are created or used insecurely, application and system data can be left open to attack. Dangerous data can be injected into the application, or data stored in the temporary file can be accessed, modified, or corrupted. To avoid temporary filename issues, both GetTempPath and GetTempFileName should precede the CreateFile function call. The SV.PCC.MISSING_TEMP_CALLS.MUST checker flags situations in which CreateFile is called with a variable filename that doesn't receive its value from GetTempPath followed by GetTempFileName.

Vulnerability and risk

Temporary file vulnerability is a very common security issue-the Mitre Corp. security alert database lists over 200 reports of this type. The temporary file vulnerability can be exploited to escalate privilege or manipulate critical information.

Mitigation and prevention

To avoid this vulnerability:

• Use GetTempPath and GetTempFileName to ensure random name creation
• Review the least privilege settings for temporary files

Fixed code example

1     //  Gets the temp path env string (no guarantee it's a valid path).
2    dwRetVal = GetTempPath(MAX_PATH,          // length of the buffer
3                           lpTempPathBuffer); // buffer for path 
4    if (dwRetVal > MAX_PATH || (dwRetVal == 0))
5    {
6        PrintError(TEXT("GetTempPath failed"));
7        if (!CloseHandle(hFile))
8        {
9            PrintError(TEXT("CloseHandle(hFile) failed"));
10           return (7);
11       }
12       return (2);
13   }

14   //  Generates a temporary file name. 
15   uRetVal = GetTempFileName(lpTempPathBuffer, // directory for tmp files
16                             TEXT("DEMO"),     // temp file name prefix 
17                             0,                // create unique name 
18                             szTempFileName);  // buffer for name 
19   if (uRetVal == 0)
20   {
21       PrintError(TEXT("GetTempFileName failed"));
22       if (!CloseHandle(hFile))
23       {
24           PrintError(TEXT("CloseHandle(hFile) failed"));
25           return (7);
26       }
27       return (3);
28   }
29   //  Creates the new file to write to for the upper-case version.
30   hTempFile = CreateFile((LPTSTR) szTempFileName, // file name 
31                          GENERIC_WRITE,        // open for write 
32                          0,                    // do not share 
33                          NULL,                 // default security 
34                          CREATE_ALWAYS,        // overwrite existing
35                          FILE_ATTRIBUTE_TEMPORARY, // temporary storage 
36                          NULL);                // no template 
37   if (hTempFile == INVALID_HANDLE_VALUE) 
38   { 
39       PrintError(TEXT("Second CreateFile failed"));
40       if (!CloseHandle(hFile))
41       {
42           PrintError(TEXT("CloseHandle(hFile) failed"));
43           return (7);
44       }
45       return (4);
46   } 

This is an example of code that follows good practices in creating temporary files. With secure temporary filenames, you don't run the risk of leaving the application or system data open to attack.

Related checkers

• SV.PCC.CONST
• SV.PCC.INVALID_TEMP_PATH
• SV.PCC.MISSING_TEMP_FILENAME
• SV.PCC.MODIFIED_BEFORE_CREATE

External guidance

• CWE-377: Insecure Temporary File
• STIG-ID:APP3100 Temporary objects not removed from system

Security training

Application security training materials provided by Secure Code Warrior.

• Sensitive Data Exposure Training Video - Test your skills with a training example