Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Security: Predictable temp file paths enable symlink attacks in multiple modules [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#54294Fetched 2026-04-08 01:29:28
View on GitHub
Comments
1
Participants
2
Timeline
4
Reactions
0
Author
jinduwang1001-maxjinduwang1001-max
Participants
jinduwang1001-maxjinduwang1001-maxvincentkocvincentkoc
Timeline (top)
closed ×1commented ×1labeled ×1locked ×1

Multiple modules create temp files with predictable name patterns using process.pid and Date.now(), without O_EXCL protection. A local attacker can pre-create a symlink at the predicted path to cause file overwrites.

Root Cause

Multiple modules create temp files with predictable name patterns using process.pid and Date.now(), without O_EXCL protection. A local attacker can pre-create a symlink at the predicted path to cause file overwrites.

Code Example

const tempPath = `${pathname}.tmp-${process.pid}-${Date.now()}`;

---

const tmp = `${filePath}.${process.pid}.tmp`;

---

`${statePath}.tmp-${process.pid}-${Date.now().toString(36)}`
RAW_BUFFERClick to expand / collapse

Summary

Multiple modules create temp files with predictable name patterns using process.pid and Date.now(), without O_EXCL protection. A local attacker can pre-create a symlink at the predicted path to cause file overwrites.

Affected locations

1. Secrets Writer (dist/shared-B5oxOBg0.js:33)

const tempPath = `${pathname}.tmp-${process.pid}-${Date.now()}`;

Highest severity — used for secrets storage.

2. Delivery Queue (dist/delivery-queue-DHURMSqX.js:31)

const tmp = `${filePath}.${process.pid}.tmp`;

PID reuse after restart causes collisions.

3. Workspace State (dist/workspace-D4K6QX9X.js:214)

`${statePath}.tmp-${process.pid}-${Date.now().toString(36)}`

Note

The core temp path utility (temp-path-B91lt0LF.js) correctly uses crypto.randomUUID() — these three modules do not use it.

Impact

Local privilege escalation or arbitrary file overwrite by a co-located attacker. Secrets writer is highest risk.

Suggested Fix

  1. Use crypto.randomBytes(16).toString("hex") for temp file names
  2. Open with O_CREAT | O_EXCL | O_WRONLY to fail if file pre-exists
  3. Or use the existing core temp path utility that already uses crypto.randomUUID()

extent analysis

Fix Plan

To address the issue, we will modify the affected modules to use a secure method for generating temporary file names and ensure exclusive creation.

Step 1: Modify Secrets Writer

Replace the existing line in dist/shared-B5oxOBg0.js:33 with:

const crypto = require('crypto');
const tempPath = `${pathname}.tmp-${crypto.randomBytes(16).toString("hex")}`;

And open the file with O_EXCL protection:

const fs = require('fs');
fs.open(tempPath, 'w', { flag: 'wx' }, (err, fd) => {
  // handle file operations
});

Step 2: Modify Delivery Queue

Replace the existing line in dist/delivery-queue-DHURMSqX.js:31 with:

const crypto = require('crypto');
const tmp = `${filePath}.${crypto.randomBytes(16).toString("hex")}.tmp`;

And open the file with O_EXCL protection:

const fs = require('fs');
fs.open(tmp, 'w', { flag: 'wx' }, (err, fd) => {
  // handle file operations
});

Step 3: Modify Workspace State

Replace the existing line in dist/workspace-D4K6QX9X.js:214 with:

const crypto = require('crypto');
const tmpPath = `${statePath}.tmp-${crypto.randomBytes(16).toString("hex")}`;

And open the file with O_EXCL protection:

const fs = require('fs');
fs.open(tmpPath, 'w', { flag: 'wx' }, (err, fd) => {
  // handle file operations
});

Alternatively, use the existing core temp path utility that already uses crypto.randomUUID().

Verification

To verify the fix, test the modified modules by attempting to create symlinks at the predicted paths and verify that the temporary files are created with unique names and exclusive access.

Extra Tips

  • Consider using a library like tmp to handle temporary file creation and removal.
  • Ensure that all temporary files are properly removed after use to prevent information disclosure.
  • Regularly review and update code to ensure that security best practices are followed.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#device allocation#model download#tokenizer error#prompt formatting#chain error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING