C Sharp Insecure Tempfile Creation
Description
Detects insecure temporary file creation in C# applications using potentially unsafe methods like Path.GetTempFileName(). This method creates predictable filenames and can lead to race conditions between file creation and use, potentially allowing attackers to exploit file access for malicious purposes.
Detection Strategy
• Scans C# source code for calls to Path.GetTempFileName() and related methods (including fully qualified versions with System.IO namespace)
• Reports a vulnerability when these methods are used directly without additional security controls
• Checks for method calls in these forms: 'System.IO.Path.GetTempFileName', 'IO.Path.GetTempFileName', and 'Path.GetTempFileName'
Vulnerable code example
using System.IO;

class Program {
    static void Main() {
        string tempPath = Path.GetTempFileName(); // Vulnerable: Creates temp file without secure permissions
        using (var writer = new StreamWriter(tempPath)) {
            writer.WriteLine("sensitive data");
        }
        // ...
    }
}

✅ Secure code example
using System;
using System.IO;
using System.Security.AccessControl;

class Program {
    static void Main() {
        // Generate unique filename in temp directory with random name
        string tempPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        // ...
    }
}
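The secure example above is cut off after the filename is generated. The following is an added example, not code from this page or from Fluid Attacks, showing one way to finish the pattern so that creating and opening the file is a single atomic step. It assumes .NET 7 or later (for FileStreamOptions.UnixCreateMode); the names SecureTemp and Create are hypothetical.

```csharp
using System;
using System.IO;

static class SecureTemp
{
    // Hypothetical helper (not from the page): create and open a temp file in one atomic step.
    public static FileStream Create(int maxAttempts = 5)
    {
        for (int attempt = 1; ; attempt++)
        {
            // Random name in the temp directory, so the path cannot be guessed in advance.
            string path = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());

            var options = new FileStreamOptions
            {
                Mode = FileMode.CreateNew,           // fail if anything already exists at the path
                Access = FileAccess.ReadWrite,
                Share = FileShare.None,              // request exclusive access while the handle is open
                Options = FileOptions.DeleteOnClose  // remove the file when the stream is disposed
            };
            // Owner-only permissions (0600) set at creation time; this property is Unix-only.
            if (!OperatingSystem.IsWindows())
                options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite;

            try
            {
                return new FileStream(path, options);
            }
            catch (IOException) when (attempt < maxAttempts)
            {
                // The name was already taken (collision or pre-created file): retry with a new name.
            }
        }
    }
}

class Program
{
    static void Main()
    {
        using FileStream temp = SecureTemp.Create();
        using var writer = new StreamWriter(temp, leaveOpen: true);
        writer.WriteLine("sensitive data");
        writer.Flush();
        Console.WriteLine($"wrote {temp.Length} bytes to {temp.Name}");
    }
}
```

Because the caller only ever receives the open stream, there is no window between creating the file and using it in which the path could be swapped or pre-created.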