OeditusCredo.Check.Security.TOCTOU
(OeditusCredo v0.5.0)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Detects Time-of-Check-Time-of-Use race conditions (CWE-367).
Checking that a file exists with File.exists?/1 and then operating on it
leaves a window between the check and the use in which another process can
delete, replace or repoint (for example via a symlink) the file, so the
result of the check is stale by the time the file is used. The fix is to
perform the operation directly and branch on its result.
Bad:

if File.exists?(path) do
  {:ok, data} = File.read(path)
end

Good:

case File.read(path) do
  {:ok, data} -> process(data)
  {:error, :enoent} -> handle_missing()
end

Check-Specific Parameters
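The two shapes the check is aimed at, with their race-free counterparts, as an added example that is not part of OeditusCredo or its documentation. The module and function names are illustrative; the :exclusive mode is the one documented for File.open/2 in the Elixir standard library.

```elixir
# Added example (not OeditusCredo code): the check-then-use pattern the check
# flags, beside the rewrite that performs the operation and acts on its result.
defmodule ToctouExample do
  # Flagged: File.exists?/1 followed by use. Between the two calls another
  # process, or an attacker who controls the parent directory, can delete the
  # file or swap it for a symlink, so the earlier check proves nothing.
  def read_config_racy(path) do
    if File.exists?(path) do
      # still raises MatchError if the file vanished after the check
      {:ok, data} = File.read(path)
      {:ok, data}
    else
      {:error, :missing}
    end
  end

  # Race-free: read first, then branch on the outcome of the real operation.
  def read_config(path) do
    case File.read(path) do
      {:ok, data} -> {:ok, data}
      {:error, :enoent} -> {:error, :missing}
      {:error, reason} -> {:error, reason}
    end
  end

  # Flagged: "create only if absent" implemented as check-then-write. Two
  # callers racing here both observe no file and both write it.
  def create_lock_racy(path) do
    if File.exists?(path) do
      {:error, :exists}
    else
      File.write(path, "locked")
    end
  end

  # Race-free: :exclusive asks the OS to refuse an existing file (O_CREAT|O_EXCL),
  # so the existence test and the create are a single atomic step.
  def create_lock(path) do
    case File.open(path, [:write, :exclusive]) do
      {:ok, io} ->
        IO.binwrite(io, "locked")
        File.close(io)
        :ok

      {:error, :eexist} -> {:error, :exists}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

The second pair matters in practice more often than the first: a "does it exist" check before writing a lock file, a temp file or an upload target is the classic CWE-367 finding, and the only reliable remedy is an atomic create rather than a faster check.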
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files. The parameter description gives the default as false; the generated parameter listing reports nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.
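A .credo.exs fragment that enables the check with its one check-specific parameter, as an added example rather than text from the OeditusCredo docs. It assumes Credo 1.7's checks: %{extra: [...]} form, which adds to the default check list, and that oeditus_credo is already a dependency of the project.

```elixir
# .credo.exs -- added example, not from the OeditusCredo documentation.
# Assumes the Credo 1.7+ config layout (checks: %{extra: [...]} appends to the
# default checks) and that the oeditus_credo dependency is installed.
%{
  configs: [
    %{
      name: "default",
      checks: %{
        extra: [
          # The check is disabled by default, so it must be listed explicitly.
          # :exclude_test_files is its only check-specific parameter; pass []
          # instead to keep the default.
          {OeditusCredo.Check.Security.TOCTOU, [exclude_test_files: true]}
        ]
      }
    }
  ]
}
```

Because the check carries a base priority of high, `mix credo --strict` will report its findings without any further configuration once the entry above is present.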