Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temporary filename vulnerability #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
himattm wants to merge 1 commit into from
Closed

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temporary filename vulnerability #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-05-18 - Prevent Predictable Temporary Filenames during Atomic File Writes
**Vulnerability:** Found predictable temporary filenames in atomic file writes (e.g., `path + ".tmp"`) using `os.WriteFile` in `internal/burnrate/burnrate.go` and `internal/sparkline/sparkline.go`. This opens up symlink attacks during the predictable write, leading to potential unintended file overrides and privilege escalation.
**Learning:** It existed because `os.WriteFile` + `os.Rename` is a common but incomplete pattern for atomic file writes. The initial write must go to a file with an unpredictable name to prevent an attacker from creating a symlink before the write happens.
**Prevention:** Always use `os.CreateTemp` to generate an unpredictable temporary file for the initial write. Ensure it is created in the same directory as the target path (`filepath.Dir(path)`), close the file handle, and perform the `os.Rename` with explicit permission handling (`Chmod`).
22 changes: 20 additions & 2 deletions internal/burnrate/burnrate.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,10 +64,28 @@ func LoadOrCreateSnapshotAt(sessionID string, currentCost float64, now time.Time
return nil, false, err
}

tmpPath := path + ".tmp"
if err := os.WriteFile(tmpPath, data, 0644); err != nil {
dir := filepath.Dir(path)
tmpFile, err := os.CreateTemp(dir, "prism-burn-*")
if err != nil {
return nil, false, err
}
tmpPath := tmpFile.Name()

if _, err := tmpFile.Write(data); err != nil {
tmpFile.Close()
os.Remove(tmpPath)
return nil, false, err
}
if err := tmpFile.Chmod(0644); err != nil {
tmpFile.Close()
os.Remove(tmpPath)
return nil, false, err
}
if err := tmpFile.Close(); err != nil {
os.Remove(tmpPath)
return nil, false, err
}

if err := os.Rename(tmpPath, path); err != nil {
os.Remove(tmpPath)
return nil, false, err
Comment on lines +67 to 91
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The manual cleanup of the temporary file and its handle on every error path is repetitive and error-prone. Using defer for cleanup is the idiomatic Go approach; it ensures that the temporary file is removed and the file handle is closed regardless of how the function exits (including panics). Since os.Rename moves the file, the deferred os.Remove will simply become a no-op on success.

	dir := filepath.Dir(path)
	tmpFile, err := os.CreateTemp(dir, "prism-burn-*")
	if err != nil {
		return nil, false, err
	}
	tmpPath := tmpFile.Name()
	defer os.Remove(tmpPath)
	defer tmpFile.Close()

	if _, err := tmpFile.Write(data); err != nil {
		return nil, false, err
	}
	if err := tmpFile.Chmod(0644); err != nil {
		return nil, false, err
	}
	if err := tmpFile.Close(); err != nil {
		return nil, false, err
	}

	if err := os.Rename(tmpPath, path); err != nil {
		return nil, false, err
	}

Expand Down
27 changes: 24 additions & 3 deletions internal/sparkline/sparkline.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,11 +138,32 @@ func Save(sessionID, metric string, b *Buffer) {
if err != nil {
return
}
tmp := path + ".tmp"
if err := os.WriteFile(tmp, data, 0644); err != nil {

dir := filepath.Dir(path)
tmpFile, err := os.CreateTemp(dir, "prism-spark-*")
if err != nil {
return
}
tmpPath := tmpFile.Name()

if _, err := tmpFile.Write(data); err != nil {
tmpFile.Close()
os.Remove(tmpPath)
return
}
os.Rename(tmp, path)
if err := tmpFile.Chmod(0644); err != nil {
tmpFile.Close()
os.Remove(tmpPath)
return
}
if err := tmpFile.Close(); err != nil {
os.Remove(tmpPath)
return
}

if err := os.Rename(tmpPath, path); err != nil {
os.Remove(tmpPath)
}
Comment on lines +142 to +166
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Similar to the implementation in burnrate.go, the manual cleanup logic here is redundant. Adopting the defer pattern improves maintainability and ensures resources are properly released even if the function logic grows or encounters unexpected failures.

	dir := filepath.Dir(path)
	tmpFile, err := os.CreateTemp(dir, "prism-spark-*")
	if err != nil {
		return
	}
	tmpPath := tmpFile.Name()
	defer os.Remove(tmpPath)
	defer tmpFile.Close()

	if _, err := tmpFile.Write(data); err != nil {
		return
	}
	if err := tmpFile.Chmod(0644); err != nil {
		return
	}
	if err := tmpFile.Close(); err != nil {
		return
	}

	if err := os.Rename(tmpPath, path); err != nil {
		return
	}

}

// PushAndSave is a convenience that loads, pushes, saves, and returns the buffer
Expand Down
Loading