Shell++ task relies on `/tmp` for temporary storage of script to execute.

[jessehouwing]

There is a small security risk here, where people can overwrite the file since it's in a shared, well known, location. In the Azure-DevOps-Extension-Tasks we switched to using the tmp package to generate a unique path name and used the Agent's temp directory instead of /tmp as a better, more secure location. As part of creating the temporary file, we also stripped its permissions.

function writeBuildTempFile(taskName: string, data: any): string {
    const tempDir = tl.getVariable("Agent.TempDirectory");
    const tempFile = tmp.tmpNameSync({ prefix: taskName, postfix: ".tmp", tmpdir: tempDir });

    tl.debug(`Generating Build temp file: ${tempFile}`);
    tl.writeFile(tempFile, data, { mode: 0o600, encoding: "utf8", flag: "wx+" });

    return tempFile;
}

And made sure to delete the file after execution:

async function deleteBuildTempFile(tempFile: string) {
    if (tempFile && tl.exist(tempFile)) {
        tl.debug(`Deleting temp file: ${tempFile}`);
        await fs.unlink(tempFile);
    }
}

[jessehouwing]

@madkoo