Description
Describe the bug
The script private/tools/diff.bash writes configuration data to a predictable, world-writable path (/tmp/cfg.json) using shell redirection. This behavior is vulnerable to a symlink attack, allowing a local attacker to perform an arbitrary file overwrite under the privileges of the user running the script.
To Reproduce
Steps to reproduce the behavior:
- Prepare a victim file: Create a file that the current user owns but would not want overwritten (e.g., echo "SAFE_CONTENT" > /tmp/victim.txt).
- Create a malicious symlink: Link the predictable path used by the script to your victim file (ln -sf /tmp/victim.txt /tmp/cfg.json).
- Run the script: Execute the script in spawn_https mode:
  private/tools/diff.bash --query dummy --registry spawn_https --base-ref 123 --head-ref 456
- Observe the result: Check the victim file (cat /tmp/victim.txt). It will now contain the JSON configuration generated by the script, proving the arbitrary overwrite occurred.
Expected behavior
The script should use secure, unique temporary files that cannot be pre-created or hijacked by other local users on the system. It should adhere to CWE-377 (Insecure Temporary File) and CWE-59 (Improper Link Resolution) mitigation standards.
Console Output
[+] Victim file created: /tmp/victim.txt
[+] Current content: SAFE_CONTENT
[+] Symlink created: /tmp/cfg.json -> /tmp/victim.txt
[*] Running vulnerable script...
[*] Verification:
[!!!] VULNERABILITY CONFIRMED: Victim file overwritten with JSON config.
Additional context
Vulnerability Type: This is a Symlink Race Condition. Because /tmp is world-writable, a local attacker can pre-create the predictable /tmp/cfg.json path as a symlink.
Impact: This is a local privilege escalation (LPE) primitive. On shared build servers or multi-user workstations, a low-privileged user can overwrite files owned by higher-privileged users (such as root) if those users execute this script.
Google VRP Reference: This was reported via the Google OSS VRP (Issue 471071574). The Google Bug Hunter Team acknowledged the issue but decided it did not meet the threshold for internal security tracking, explicitly suggesting public disclosure on GitHub.
Recommended Fix: Replace hardcoded /tmp paths with mktemp -d to create a private, unique directory for temporary artifacts.
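Added example, not code from the repository or the reporter: a hardened replacement for the fixed /tmp/cfg.json write that follows the recommended fix (mktemp -d for a private directory), plus a pre-write audit check that flags a temp name already hijacked by a symlink or another user's file. The function names, the diff.XXXXXXXXXX template and the sandbox contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the repository): hardened replacement for the
# "echo ... > /tmp/cfg.json" pattern described in the report.
set -eu

# Vulnerable pattern from the report, for contrast only (never run here):
#   echo "$json" > /tmp/cfg.json
# A plain '>' on a fixed, world-writable path follows whatever symlink
# another local user placed there and truncates the link's target.

# Audit check: returns 0 when a temp path is safe to write, 1 when it is a
# symlink or already exists but belongs to another user, i.e. the two ways
# a predictable name in /tmp can be hijacked before the script runs.
tmp_path_is_safe() {
    p="$1"
    if [ -L "$p" ]; then
        echo "refusing $p: path is a symlink" >&2; return 1
    fi
    if [ -e "$p" ] && [ ! -O "$p" ]; then
        echo "refusing $p: exists and is owned by another user" >&2; return 1
    fi
    return 0
}

# Fix: mktemp -d creates a 0700 directory with an unpredictable name, so no
# other user can pre-create anything inside it. The config is then written
# with noclobber (set -C), so '>' fails instead of truncating an existing
# path. Prints the file path; the caller removes the directory when done.
write_cfg_secure() {
    json="$1"
    dir=$(mktemp -d "${TMPDIR:-/tmp}/diff.XXXXXXXXXX")
    file="$dir/cfg.json"
    tmp_path_is_safe "$file"
    ( set -C; printf '%s\n' "$json" > "$file" )
    printf '%s\n' "$file"
}

# Demo in a throwaway sandbox (constructed here): a victim file and a
# symlink named cfg.json pointing at it, as in the report. The audit check
# flags the link and the hardened writer never touches the victim.
sandbox=$(mktemp -d)
printf 'SAFE_CONTENT\n' > "$sandbox/victim.txt"
ln -s "$sandbox/victim.txt" "$sandbox/cfg.json"
tmp_path_is_safe "$sandbox/cfg.json" || echo "audit: hijacked temp name detected"
out=$(write_cfg_secure '{"registry":"spawn_https","base_ref":"123","head_ref":"456"}')
echo "config written to $out"
echo "victim still reads: $(cat "$sandbox/victim.txt")"
rm -rf "$sandbox" "$(dirname "$out")"
```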