Some program files and directories are created world writable. On a multi-user system this may allow an attacker to control program behavior by modifying the files (e.g. a config file) or by creating new files in the directory (e.g. in a config directory). On Linux the umask should usually prevent this, but it is not guaranteed. Secure coding standards recommend always specifying a restricted mode explicitly so that files are secure in any environment. MITRE calls this CWE-732, one of the top 25 most dangerous vulnerabilities.
Steps
Findings are listed here: https://lgtm.com/query/308122751628928618/ https://lgtm.com/query/8429440007276116881/
The install procedure seems to create all of the program's directories world writable, which could allow adding new files that influence program behavior. https://lgtm.com/projects/g/Semantic-Org/Semantic-UI/snapshot/fa84887daa85c5eda11ec085dd92a1b1e846df00/files/tasks/install.js?sort=name&dir=ASC&mode=heatmap#L290
This came out of research with CodeQL.
Expected Result
Program files are created with secure permissions.
Actual Result
Program files are created with insecure permissions.