Security: use crypto.randomBytes for temp file names (#20654)

Replace Math.random() with crypto.randomBytes() for generating
temporary file names. Math.random() output is predictable, and a
guessable temp file name can enable TOCTOU race conditions. Also set
mode 0o600 on TTS temp files.

Co-authored-by: sirishacyd <sirishacyd@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
mahanandhi
2026-02-19 03:19:29 -08:00
committed by GitHub
parent fb35635c10
commit 57102cbec9
3 changed files with 7 additions and 4 deletions


@@ -1,3 +1,4 @@
import { randomBytes } from "node:crypto";
import {
existsSync,
mkdirSync,
@@ -382,8 +383,8 @@ function readPrefs(prefsPath: string): TtsUserPrefs {
}
function atomicWriteFileSync(filePath: string, content: string): void {
const tmpPath = `${filePath}.tmp.${Date.now()}.${Math.random().toString(36).slice(2)}`;
writeFileSync(tmpPath, content);
const tmpPath = `${filePath}.tmp.${Date.now()}.${randomBytes(8).toString("hex")}`;
writeFileSync(tmpPath, content, { mode: 0o600 });
try {
renameSync(tmpPath, filePath);
} catch (err) {