v / vlib / os
0 issues 1 contributor 4 branches 0 releases
Clone with HTTPS:

About

README
  V 99.7% 272k loc
  JavaScript 0.1% 344 loc
  C 0% 63 loc
  C++ 0% 95 loc
  Go 0% 63 loc
52 years ago
..
os_structs_stat_default.c.v checker: improve pub struct check (fix checker: improve pub struct check (fix #14446) (#14777)) (checker: improve pub struct check (fix #14446) (#14777)) last Jun 19
os_structs_stat_linux.c.v checker: improve pub struct check (fix checker: improve pub struct check (fix #14446) (#14777)) (checker: improve pub struct check (fix #14446) (#14777)) last Jun 19

Description:

os provides common OS/platform independent functions for accessing command line arguments, reading/writing files, listing folders, handling processes etc.


Security advice related to TOCTOU attacks

A few os module functions can lead to the <b>TOCTOU</b> vulnerability if used incorrectly. <b>TOCTOU</b> (Time-of-Check-to-Time-of-Use problem) can occur when a file, folder or similar is checked for certain specifications (e.g. read, write permissions) and a change is made afterwards. In the time between the initial check and the edit, an attacker can then cause damage. The following example shows an attack strategy on the left and an improved variant on the right so that <b>TOCTOU</b> is no longer possible.

<b>Example</b> <i>Hint</i>: os.create() opens a file in write-only mode

<table> <tr> <td> Possibility for TOCTOU attack

if os.is_writable("file"){

    // &gt;&gt; time to make a quick attack (e.g. symlink /etc/passwd to &gt;file&lt;) &lt;&lt;

    mut f := os.create('path/to/file') ?
        // &lt;do something with file&gt;
    f.close()
}

</td> <td>TOCTOU not possible

mut f := os.create('path/to/file') or {
    println("file not writable")
}

// &gt;&gt; do someting with file; file is locked &lt;&lt;

f.close()

</td> </tr> </table>

<b> Proven affected functions </b></br> The following functions should be used with care and only when used correctly.