securesauce / precaution-beta

Precaution provides a simple, automated code review for GitHub projects by running code linters with a security focus on pull requests.

Use temp folders after Gosec modules adoption #200

Open MVrachev opened 5 years ago

MVrachev commented 5 years ago

Is your feature request related to a problem? Please describe.
Right now we are creating non-temporary folders where we download the pull request files for deletion, and then we delete all those folders and their content. It's better to use temp folders because that way, if for whatever reason Precaution fails to delete those folders, the OS itself will delete them in the future.

Another argument is that with temp folders it is a lot harder to predict the path or to use path-traversal-based attacks.

There is a problem with implementing this right now because Gosec depends heavily on the GOPATH and the location of all Go files. When they adopt Go modules (which will happen really soon: https://github.com/securego/gosec/pull/297) we won't be restricted by the GOPATH.

Describe the solution you'd like
The solution will be just to use the OS temp directory with this function - https://nodejs.org/api/os.html#os_os_tmpdir - and then create a directory with a unique name with this function - https://nodejs.org/api/fs.html#fs_fs_mkdtemp_prefix_options_callback

MVrachev commented 5 years ago

This issue is blocked by https://github.com/vmware/precaution/issues/108.