Fix: Temporary file cleanup security vulnerability (#67)

mazrean · claude · web-flow · commit fb4ab0a24608 · 2025-11-08T15:37:26.000+09:00
* Fix temporary file cleanup security issue This commit addresses a critical security vulnerability where temporary files created during multipart form parsing were not properly cleaned up from disk, potentially leading to: - Information disclosure of sensitive uploaded data - Disk space exhaustion from accumulated temp files - File descriptor leaks in error scenarios Changes: - Added filePath field to preProcessor struct to track temp file location - Modified preProcessor.Close() to explicitly remove temp files using os.Remove() - Ensured both file handle closure and file deletion with proper error handling The existing defer hsc.Close() in Parse() ensures cleanup even on errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * remove filepath field --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/parse.go b/parse.go
@@ -219,7 +219,20 @@ func (pp *preProcessor) Close() error {
 		return nil
 	}
 
-	return pp.file.Close()
+	filepath := pp.file.Name()
+
+	// Close the file handle first
+	closeErr := pp.file.Close()
+
+	// Remove the temporary file from disk
+	removeErr := os.Remove(filepath)
+
+	// Return combined errors if any
+	if closeErr != nil || removeErr != nil {
+		return errors.Join(closeErr, removeErr)
+	}
+
+	return nil
 }
 
 type judgeHook struct {
