Dart Tempfile Unencrypted Sensitive Information
Description
Detects when sensitive information is stored unencrypted in temporary files in Dart applications. This practice could expose confidential data to unauthorized access since temporary files are readable by other processes on the system and may persist longer than intended.
Detection Strategy
• Check if the application imports dart:io or package:shelf/shelf.dart libraries
• Look for File or Directory object creations and operations involving temporary file paths (e.g., using Directory.systemTemp)
• Flag instances where file operations are performed without proper encryption or secure file handling
Vulnerable code example
```dart
import 'package:shelf/shelf.dart' as shelf;
import 'dart:io';

shelf.Response handleRequest(shelf.Request request) {
  final password = request.url.queryParameters['password'];
  // Security risk: writing sensitive data to the shared, world-readable /tmp directory
  var tempFile = File('/tmp/sensitive.txt');
  // queryParameters values are nullable, so the plaintext is written as-is (or empty)
  tempFile.writeAsStringSync(password ?? '');
  return shelf.Response.ok('Done');
}
```
✅ Secure code example
```dart
import 'package:shelf/shelf.dart' as shelf;
import 'dart:io';
import 'dart:convert';
import 'package:crypto/crypto.dart';

shelf.Response handleRequest(shelf.Request request) {
  final password = request.url.queryParameters['password'];
```
...
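The secure example above is cut off on this page. The handler below is an added, complete illustration of the mitigation it points at, written for this page rather than taken from Fluid Attacks' own rule text: the plaintext is never written to disk (only an HMAC-SHA256 digest computed with package:crypto), the file lives in a private directory created by Directory.systemTemp.createTemp() instead of a fixed path under /tmp, and it is removed when the request finishes. The environment variable name TEMPFILE_HMAC_KEY and the app- prefix are assumptions.

```dart
import 'dart:convert';
import 'dart:io';

import 'package:crypto/crypto.dart';
import 'package:shelf/shelf.dart' as shelf;

// Assumed deployment detail: the HMAC key is supplied via the environment,
// never hard-coded in source or written to the temp file.
final List<int> _hmacKey =
    utf8.encode(Platform.environment['TEMPFILE_HMAC_KEY'] ?? '');

Future<shelf.Response> handleRequest(shelf.Request request) async {
  final password = request.url.queryParameters['password'];
  if (password == null || password.isEmpty) {
    return shelf.Response.badRequest(body: 'missing password');
  }
  if (_hmacKey.isEmpty) {
    // Refuse to fall back to an unkeyed digest when the secret is not configured.
    return shelf.Response.internalServerError(body: 'server misconfigured');
  }

  // Keep only a keyed digest; the plaintext password never touches the disk.
  final digest = Hmac(sha256, _hmacKey).convert(utf8.encode(password));

  // createTemp() appends random characters to the prefix for a unique name;
  // on POSIX it is backed by mkdtemp, so the directory is owner-only (0700)
  // rather than a predictable, shared path like /tmp/sensitive.txt.
  final Directory privateDir = await Directory.systemTemp.createTemp('app-');
  final File tempFile = File('${privateDir.path}/sensitive.txt');
  try {
    await tempFile.writeAsString(digest.toString(), flush: true);
    // ... do the work that needs the file here ...
    return shelf.Response.ok('Done');
  } finally {
    // Do not let the temporary data outlive the request.
    await privateDir.delete(recursive: true);
  }
}
```

Because a password only needs to be verified, not recovered, a keyed hash is the right primitive here; data that genuinely must be read back later would need authenticated encryption (for example via package:cryptography) with the key kept outside the temp location.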