fix: use secure temp directory in volume-mounts test #765

Replace predictable /tmp/secret-file-12345.txt path with fs.mkdtempSync to prevent symlink attacks (CodeQL alert #173).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI status: Smoke Claude, Smoke Copilot and Smoke Codex runs completed. Coverage check passed (per-file coverage changes: 1 file).
Pull request overview
This PR addresses CodeQL security alert #173 by replacing a predictable temporary file path with a secure temporary directory in the volume-mounts integration test. The change prevents potential symlink attacks by using fs.mkdtempSync to create a unique directory with restrictive permissions.
Changes:
- Replaced hardcoded `/tmp/secret-file-12345.txt` path with `fs.mkdtempSync` for secure temp directory creation
- Set restrictive file permissions (0o600) when writing the secret file
- Updated cleanup logic to recursively remove the temporary directory instead of unlinking a single file
| try { | ||
| const result = await runner.runWithSudo( | ||
| 'sh -c "cat /data/test.txt && cat /tmp/secret-file-12345.txt"', | ||
| `sh -c "cat /data/test.txt && cat ${secretFile}"`, |
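Review bot: the `${secretFile}` interpolated on the last line is only ever covered by the double quotes around the `sh -c` body, so if `runner.runWithSudo` hands that string to a shell, the inner `sh` receives the path bare and a space, `'`, `$` or backtick in the `os.tmpdir()` portion changes what `cat` is asked to read. Either single-quote the path for the inner shell (`cat '${secretFile.replace(/'/g, "'\\''")}'`) or, since this is a test, assert the path matches a conservative character set such as `/^[A-Za-z0-9_./-]+$/` and fail the test otherwise, which keeps the command line easy to reason about.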
The secretFile path is directly interpolated into the shell command without proper escaping. If the path contains spaces or special characters (which is possible if os.tmpdir() returns such a path), the command will fail or could potentially be exploited. Consider using proper shell escaping or wrapping the path in quotes.
See below for a potential fix:

```js
// Close the single quote, emit an escaped quote, reopen: ' becomes '\''
const escapedSecretFile = secretFile.replace(/'/g, `'\\''`);
const result = await runner.runWithSudo(
  `sh -c "cat /data/test.txt && cat '${escapedSecretFile}'"`,
```
CI build and smoke test results

- Deno: PASS (all Deno tests completed successfully)
- Bun: PASS (all Bun projects built and tested successfully)
- C++: PASS (all C++ projects built successfully)
- Node.js: PASS (all Node.js projects installed successfully and passed their tests)
- Go: PASS (all Go projects built and tested successfully)
- Rust: PASS (all Rust projects built successfully and all tests passed)
- .NET: PASS (all .NET projects successfully restored, built, and ran with expected output)
- Java: PASS (all Java projects successfully built and tested through the AWF firewall; Maven successfully downloaded dependencies through the Squid proxy (172.30.0.10:3128) using configured
- Smoke test, GitHub MCP, last 2 merged PRs: PASS
- Smoke test (run 21962630565), GitHub MCP, last 2 PRs retrieved: PASS (cc: @Mossaka)
Summary
- Replaced predictable `/tmp/secret-file-12345.txt` path with `fs.mkdtempSync` to create a unique temporary directory, preventing symlink attacks (CodeQL alert #173)
- Set restrictive file permissions (0o600) inside the secure temp directory

Test plan
- `npm run build` compiles successfully

🤖 Generated with Claude Code