SECURITY: undocumented options.name parameter allows arbitrary paths to be injected into tmp #205
Description
Operating System
- all
NodeJS Version
- all
Tmp Version
all existing and current code base
Expected Behavior
Prevent creating arbitrary files on the filesystem. Documented options do not include the name option.
Experienced Behavior
Specifying the undocumented name option as well as the documented dir option allow creation (and detection) of a file anywhere on the filesystem.
Security Concern
This can be a major security concern, depending on how applications make use of tmp.