
[uk-ai-resilience] [security] Fix insecure temporary file creation in prepare-objective-impact-safe-output-evaluations.cjs (Code [Content truncated due to length] #43014

Description

@github-actions

Summary

CodeQL HIGH alert #635 (created 2026-06-22, open 10 days, no tracking issue until now) flags an insecure temporary file creation pattern in a CI evaluation script.

File: scripts/prepare-objective-impact-safe-output-evaluations.cjs line 34
Rule: js/insecure-temporary-file (CWE-377, CWE-378)
Severity: HIGH

Tier & Risk Scoring

| Dimension | Score | Notes |
| --- | --- | --- |
| Exposure amplification | 2 | CI script on shared runner; accessible to other concurrent runner processes |
| Patchability | 1 | One-line fix using fs.mkdtempSync or tmp library |
| Detectability | 3 | Race window is small but TOCTOU is silent if exploited |
| Operational fragility | 2 | Script failure could corrupt evaluation output |
| Ownership confidence | 2 | Bot-authored script, no named owner |
| Aggregate | 10 | Tier B — Open With Conditions |

SLA: High — fix within 7 days.

Root Cause

path.join(os.tmpdir(), ...) creates a predictable temp file path that:

  1. Is accessible to all users on the same runner host
  2. Does not check whether the file already exists before opening it (TOCTOU race)
  3. Allows another process to predict the path and either read the data or cause the script to overwrite an existing sensitive file

Recommended Fix

Replace:

// line 34 — current (insecure)
const tmpFile = path.join(os.tmpdir(), 'some-prefix-' + Date.now() + '.json');

With one of:

// Option A — use mkdtempSync (built-in, no new dependency)
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-aw-eval-'));
const tmpFile = path.join(tmpDir, 'output.json');

// Option B — use the 'tmp' npm library for automatic cleanup
const tmp = require('tmp');
tmp.setGracefulCleanup();
const tmpFile = tmp.fileSync({ prefix: 'gh-aw-eval-', postfix: '.json' }).name;

fs.mkdtempSync creates a directory with 0700 permissions (user-only), preventing other runner processes from accessing the data.

Governance Context

Identified by the UK AI Open Code Risk & Resilience Governance weekly scan (2026-07-02). See governance report discussion for full tier classification and remediation queue.

References: CodeQL alert #635 · §28604141985

Generated by UK AI Operational Resilience · 140.2 AIC · ⌖ 9.05 AIC · ⊞ 5.2K ·
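An added example, not code from the issue or from the project's script, showing Option A combined with an exclusive-create open so the write fails instead of reusing an entry that already exists. The function names `writePrivateTemp`, `exclusiveCreateFails` and `cleanup` are hypothetical, the JSON payload is constructed sample data, and the permission comments assume a POSIX runner.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: write `data` into a fresh private directory.
function writePrivateTemp(data, prefix = 'gh-aw-eval-') {
  // mkdtempSync appends six random characters and creates the directory
  // in one step (mode 0700 on POSIX), so the path cannot be pre-created.
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), prefix));
  const file = path.join(dir, 'output.json');
  // 'wx' maps to O_CREAT | O_EXCL: the open fails if anything already
  // exists at `file`, including a symlink. Mode 0600 keeps it owner-only.
  const fd = fs.openSync(file, 'wx', 0o600);
  try {
    fs.writeFileSync(fd, data);
  } finally {
    fs.closeSync(fd);
  }
  return { dir, file };
}

// Hypothetical helper: returns true when an exclusive create is refused
// because the path is already occupied (the case a predictable name risks).
function exclusiveCreateFails(existingPath) {
  try {
    fs.closeSync(fs.openSync(existingPath, 'wx', 0o600));
    return false;
  } catch (err) {
    return err.code === 'EEXIST';
  }
}

// mkdtempSync does not clean up after itself; the caller removes the directory.
function cleanup(dir) {
  fs.rmSync(dir, { recursive: true, force: true });
}

// Demo with constructed sample data.
const demo = writePrivateTemp(JSON.stringify({ sample: true }));
console.log('wrote', demo.file);
console.log('second exclusive create refused:', exclusiveCreateFails(demo.file));
cleanup(demo.dir);
```

Unlike Option B, this approach has no automatic cleanup, so the script should call `cleanup` in a `finally` block or exit handler.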
