capacitor
bug: CWE ID 377
## Bug Report
### Capacitor Version
```
💊 Capacitor Doctor 💊
Latest Dependencies:
@capacitor/cli: 3.5.1
@capacitor/core: 3.5.1
@capacitor/android: 3.5.1
@capacitor/ios: 3.5.1
Installed Dependencies:
@capacitor/cli: 3.3.4
@capacitor/android: 3.5.1
@capacitor/ios: 3.5.1
@capacitor/core: 3.5.1
[success] iOS looking great! 👌
[success] Android looking great! 👌
```
### Platform(s)
Android
### Current Behavior
**Veracode Report**
**Insecure Temporary File CWE ID 377**
**Description**
Creating and using insecure temporary files can leave application and system data vulnerable to attack. In particular, file names created by the tmpnam family of functions can be easily guessed by an attacker. If an attacker can predict the filename and create a malicious collision, he may be able to manipulate the behavior of the application.
**Recommendations**
Ensure that unpredictable names are used for temporary files and that files are created in a secure directory with appropriate permissions. Using mkstemp() is a reasonably safe way to create temporary files. It will attempt to create and open a unique file based on a filename template provided by the user, combined with a series of randomly generated characters. Note that mkstemp() is safe if only the descriptor is used and the returned filename is not used in a subsequent function call with extra privileges. Using mkstemp() does not completely eliminate race conditions but does provide better protection than other methods.
- ../BridgeWebChromeClient.java 509
- com/.../camera/CameraUtils.java 22
### Expected Behavior
Either the issue is resolved or an explanation as to why this may be a false positive please.
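
For reference when triaging this finding, the pattern the quoted Veracode recommendation describes (create with `mkstemp()`, then work only through the descriptor) looks like this in C. This is an added example, not part of the report and not Capacitor's code; the helper names `open_private_temp` and `is_owner_only` and the `/tmp` directory are assumptions chosen for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes mkstemp()/fchmod() in strict modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: create a private scratch file in `dir` and return an
 * open descriptor, or -1 on error. The generated name never leaves here. */
int open_private_temp(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/scratch-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;                       /* directory path too long */

    mode_t old = umask(077);             /* very old libcs created 0666 & ~umask */
    int fd = mkstemp(path);              /* random suffix, exclusive create */
    umask(old);
    if (fd < 0)
        return -1;

    /* Drop the name at once so no later call reopens the path, and pin the
     * mode to owner read/write regardless of the libc default. */
    if (unlink(path) != 0 || fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if fd refers to a regular file with mode exactly 0600. */
int is_owner_only(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

int main(void)
{
    int fd = open_private_temp("/tmp");  /* constructed sample directory */
    if (fd < 0) { perror("open_private_temp"); return 1; }
    printf("owner-only: %d\n", is_owner_only(fd));
    close(fd);
    return 0;
}
```

Because the path is unlinked before the function returns, the race the recommendation warns about (reusing the returned filename in a later call) cannot occur: callers only ever hold the descriptor.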