Summary
CodeQL HIGH alert #635 (created 2026-06-22, open 10 days, no tracking issue until now) flags an insecure temporary file creation pattern in a CI evaluation script.
File: scripts/prepare-objective-impact-safe-output-evaluations.cjs line 34
Rule: js/insecure-temporary-file (CWE-377, CWE-378)
Severity: HIGH
Tier & Risk Scoring
| Dimension |
Score |
Notes |
| Exposure amplification |
2 |
CI script on shared runner; accessible to other concurrent runner processes |
| Patchability |
1 |
One-line fix using fs.mkdtempSync or tmp library |
| Detectability |
3 |
Race window is small but TOCTOU is silent if exploited |
| Operational fragility |
2 |
Script failure could corrupt evaluation output |
| Ownership confidence |
2 |
Bot-authored script, no named owner |
| Aggregate |
10 |
Tier B — Open With Conditions |
SLA: High — fix within 7 days.
Root Cause
path.join(os.tmpdir(), ...) creates a predictable temp file path that:
- Is accessible to all users on the same runner host
- Does not check whether the file already exists before opening it (TOCTOU race)
- Allows another process to predict the path and either read the data or cause the script to overwrite an existing sensitive file
Recommended Fix
Replace:
// line 34 — current (insecure)
const tmpFile = path.join(os.tmpdir(), 'some-prefix-' + Date.now() + '.json');
With one of:
// Option A — use mkdtempSync (built-in, no new dependency)
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-aw-eval-'));
const tmpFile = path.join(tmpDir, 'output.json');
// Option B — use the 'tmp' npm library for automatic cleanup
const tmp = require('tmp');
tmp.setGracefulCleanup();
const tmpFile = tmp.fileSync({ prefix: 'gh-aw-eval-', postfix: '.json' }).name;
fs.mkdtempSync creates a directory with 0700 permissions (user-only), preventing other runner processes from accessing the data.
Governance Context
Identified by the UK AI Open Code Risk & Resilience Governance weekly scan (2026-07-02). See governance report discussion for full tier classification and remediation queue.
References: CodeQL alert #635 · §28604141985
Generated by UK AI Operational Resilience · 140.2 AIC · ⌖ 9.05 AIC · ⊞ 5.2K · ◷
Summary
CodeQL HIGH alert #635 (created 2026-06-22, open 10 days, no tracking issue until now) flags an insecure temporary file creation pattern in a CI evaluation script.
File:
scripts/prepare-objective-impact-safe-output-evaluations.cjsline 34Rule:
js/insecure-temporary-file(CWE-377, CWE-378)Severity: HIGH
Tier & Risk Scoring
fs.mkdtempSyncortmplibrarySLA: High — fix within 7 days.
Root Cause
path.join(os.tmpdir(), ...)creates a predictable temp file path that:Recommended Fix
Replace:
With one of:
fs.mkdtempSynccreates a directory with0700permissions (user-only), preventing other runner processes from accessing the data.Governance Context
Identified by the UK AI Open Code Risk & Resilience Governance weekly scan (2026-07-02). See governance report discussion for full tier classification and remediation queue.
References: CodeQL alert #635 · §28604141985