LINE/Security: harden inbound media temp-file naming (#20792)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: f6f3eecdb3 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky
2026-05-10 03:52:42 +00:00 · 2026-02-19 09:37:33 +00:00
parent 6b14498d2f
commit 8e6d1e6368
3 changed files with 77 additions and 4 deletions
--- a/src/line/download.ts
+++ b/src/line/download.ts
@@ -1,3 +1,4 @@
+import crypto from "node:crypto";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
@@ -10,6 +11,10 @@ interface DownloadResult {
  size: number;
 }

+function buildLineTempMediaPath(extension: string): string {
+  return path.join(os.tmpdir(), `line-media-${Date.now()}-${crypto.randomUUID()}${extension}`);
+}
+
 export async function downloadLineMedia(
  messageId: string,
  channelAccessToken: string,
@@ -39,10 +44,8 @@ export async function downloadLineMedia(
  const contentType = detectContentType(buffer);
  const ext = getExtensionForContentType(contentType);

-  // Write to temp file
-  const tempDir = os.tmpdir();
-  const fileName = `line-media-${messageId}-${Date.now()}${ext}`;
-  const filePath = path.join(tempDir, fileName);
+  // Use random temp names; never derive paths from external message identifiers.
+  const filePath = buildLineTempMediaPath(ext);

  await fs.promises.writeFile(filePath, buffer);