no-data-in-temp-storage
ESLint rule documentation for no-data-in-temp-storage
Prevents sensitive data in temporary directories
Temporary directories (/tmp, /var/tmp, temp/) are often world-readable or persist longer than expected
Severity: 🔴 CRITICAL | 🟠 HIGH
CWE: CWE-312
OWASP: Insecure Data Storage
CVSS: 7.5
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-312 (Cleartext Storage) |
| Severity | 🟠 HIGH |
| Auto-Fix | ❌ Not available |
| Category | Security |
| Best For | Node.js File I/O |
Rule Details
Temporary directories (/tmp, /var/tmp, temp/) are often world-readable or persist longer than expected. Writing sensitive data (credentials, PII, session tokens) to these locations exposes it to other processes on the system.
❌ Incorrect
```js
import fs from 'fs';

// `creds` and `token` are sensitive values supplied by the surrounding application

// ❌ Writing sensitive data to world-readable temp path
fs.writeFileSync('/tmp/credentials.json', JSON.stringify(creds));

// ❌ Using temp path in variable assignment for persistence
const tempTokenPath = '/var/tmp/session.token';
fs.writeFile(tempTokenPath, token, (err) => {
  if (err) throw err;
});
```
✅ Correct
```js
import fs from 'fs';
import path from 'path';

// `encryptedData` and `token` are supplied by the surrounding application

// ✅ Using app-specific secure data directory (created owner-only, mode 0700)
const secureDir = path.join(process.env.HOME, '.myapp', 'data');
fs.mkdirSync(secureDir, { recursive: true, mode: 0o700 });
// File is created readable/writable by the owner only (mode 0600)
fs.writeFileSync(path.join(secureDir, 'session.json'), encryptedData, { mode: 0o600 });

// ✅ Using in-memory storage for ephemeral data
const sessionCache = new Map();
sessionCache.set('token', token);
```
⚙️ Configuration
| Option | Type | Default | Description |
|---|---|---|---|
| tempPaths | string[] | ['/tmp', ...] | Custom list of temporary paths to flag |
| ignoreFiles | string[] | [] | List of files or patterns to ignore |
Example Configuration
```json
{
  "rules": {
    "node-security/no-data-in-temp-storage": [
      "error",
      {
        "tempPaths": ["/private/tmp", "/var/folders"],
        "ignoreFiles": ["**/tests/**"]
      }
    ]
  }
}
```
🛡️ Why This Matters
- Information Leakage: On multi-tenant systems, the /tmp directory is typically shared.
- Persistence Risk: Temp files are not always cleared on restart or app crash.
- Forensic Recovery: Unencrypted data in temp files can be recovered even after "deletion".
Known False Negatives
- Paths constructed dynamically via os.tmpdir().
- Stream-based writes using createWriteStream.
- Paths stored in environment variables.
🔗 Related Rules
- node-security/no-arbitrary-file-access
- node-security/detect-non-literal-fs-filename