SDK-6180 proxyCaCertificate: harden temp trust-anchor file (mkdtemp + 0600 + O_EXCL)

AakashHotchandani · claude · AakashHotchandani · commit d3c3ab603a15 · 2026-06-03T17:31:19.000+05:30
Security review flagged the predictable temp path used for NODE_EXTRA_CA_CERTS when
converting a DER cert. Now write into a fresh owner-only dir (fs.mkdtempSync) and open
the file with O_EXCL|O_NOFOLLOW at mode 0600, preventing a local pre-plant/symlink-race
on the file the process trusts as a CA.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/bin/helpers/caCertHelper.js b/bin/helpers/caCertHelper.js
@@ -92,8 +92,17 @@ function setupCaCertificate(bsConfig) {
       if (!isPem) {
         const os = require('os');
         const path = require('path');
-        nodeExtra = path.join(os.tmpdir(), `browserstack_sdk_ca_${process.pid}.pem`);
-        fs.writeFileSync(nodeExtra, pemCerts.join(''));
+        // Fresh owner-only temp dir (random name) + 0600 + O_EXCL/O_NOFOLLOW: a predictable
+        // path in a world-writable tmpdir would let a local attacker pre-plant or symlink-race
+        // the file the process is about to TRUST as a CA.
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'browserstack_sdk_ca_'));
+        nodeExtra = path.join(tmpDir, 'ca.pem');
+        const fd = fs.openSync(nodeExtra, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL | (fs.constants.O_NOFOLLOW || 0), 0o600);
+        try {
+          fs.writeFileSync(fd, pemCerts.join(''));
+        } finally {
+          fs.closeSync(fd);
+        }
       }
       process.env.NODE_EXTRA_CA_CERTS = nodeExtra;
     }
