Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-5824

Using "tmpnam", "tmpnam_s" or "tmpnam_r" is security-sensitive

    XMLWordPrintable

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure use of "strncat" is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Covered Languages:
      C, C++, Objective-C
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • CERT:
      CON33-C., FIO21-C.
    • CWE:
      CWE-377
    • OWASP:
      A9

      Description

      The functions "tmpnam", "tmpnam_s" and "tmpnam_r" are all used to return a file name that does not match an existing file, in order for the application to create a temporary file. However, even if the file did not exist at the time those functions were called, it might exist by the time the application tries to use the file name to create the files. This has been used by hackers to gain access to files that the application believed were trustworthy.

      There are alternative functions that, in addition to creating a suitable file name, create and open the file and return the file handler. Such functions are protected from this attack vector and should be preferred. About the only reason to use these functions would be to create a temporary folder, not a temporary file.

      Additionally, these functions might not be thread-safe, and if you don't provide them buffers of sufficient size, you will have a buffer overflow.

      Ask Yourself Whether

      • There is a possibility that several threads call any of these functions simultaneously
      • There is a possibility that the resulting file is opened without forcing its creation, meaning that it might have unexpected access rights
      • The buffers passed to these functions are respectively smaller than
        • L_tmpnam for tmpnam
        • L_tmpnam_s for tmpnam_s
        • L_tmpnam for tmpnam_r

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Use a function that directly opens the temporary file, such a tmpfile, tmpfile_s, mkstemp or mkstemps (the last two allow more accurate control of the file name).
      • If you can't get rid of these functions, when using the generated name to open the file, use a function that forces the creation of the file and fails if the file already exists.

      Sensitive Code Example

      int f(char *tempData) {
        char *path = tmpnam(NULL); // Sensitive
        FILE* f = fopen(tmpnam, "w");
        fputs(tempData, f);
        fclose(f);
      }
      

      Compliant Solution

      int f(char *tempData) {
        // The file will be opened in "wb+" mode, and will be automatically removed on normal program exit
        FILE* f = tmpfile(); // Compliant
        fputs(tempData, f);
        fclose(f);
      }
      

      See

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              freddy.mallet Freddy Mallet (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: