Shell++ task relies on /tmp for temporary storage of script to execute. #13
Description
There is a small security risk here, where people can overwrite the file since it's in a shared, well known, location. In the Azure-DevOps-Extension-Tasks we switched to using the tmp package to generate a unique path name and used the Agent's temp directory instead of /tmp as a better, more secure location. As part of creating the temporary file, we also stripped its permissions.
function writeBuildTempFile(taskName: string, data: any): string {
const tempDir = tl.getVariable("Agent.TempDirectory");
const tempFile = tmp.tmpNameSync({ prefix: taskName, postfix: ".tmp", tmpdir: tempDir });
tl.debug(`Generating Build temp file: ${tempFile}`);
tl.writeFile(tempFile, data, { mode: 0o600, encoding: "utf8", flag: "wx+" });
return tempFile;
}
And made sure to delete the file after execution:
async function deleteBuildTempFile(tempFile: string) {
if (tempFile && tl.exist(tempFile)) {
tl.debug(`Deleting temp file: ${tempFile}`);
await fs.unlink(tempFile);
}
}