refactor(clipboard): fix 'CodeQL / Insecure temporary file'

remarkablemark · github-advanced-security[bot] · remarkablemark · commit 116e4ed5d98c · 2026-05-19T18:58:43.000-04:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/utils/clipboard.test.ts b/src/utils/clipboard.test.ts
@@ -4,6 +4,7 @@ const {
   mockExecFileSync,
   mockExistsSync,
   mockMkdirSync,
+  mockRandomUUID,
   mockRmSync,
   mockSpawnSync,
   mockTmpdir,
@@ -12,6 +13,7 @@ const {
   mockExecFileSync: vi.fn(),
   mockExistsSync: vi.fn(),
   mockMkdirSync: vi.fn(),
+  mockRandomUUID: vi.fn(() => 'test-uuid'),
   mockRmSync: vi.fn(),
   mockSpawnSync: vi.fn(),
   mockTmpdir: '/tmp/code-ollama-tests',
@@ -23,6 +25,10 @@ vi.mock('node:child_process', () => ({
   spawnSync: mockSpawnSync,
 }));
 
+vi.mock('node:crypto', () => ({
+  randomUUID: mockRandomUUID,
+}));
+
 vi.mock('node:os', async () => ({
   ...(await vi.importActual('node:os')),
   tmpdir: () => mockTmpdir,
@@ -62,7 +68,7 @@ describe('clipboard', () => {
       await import('./clipboard');
 
     expect(saveClipboardImage('image-1')).toBe(
-      join(TEMP_IMAGES_DIRECTORY, 'image-1.png'),
+      join(TEMP_IMAGES_DIRECTORY, 'test-uuid.png'),
     );
     expect(mockMkdirSync).toHaveBeenCalledWith(TEMP_IMAGES_DIRECTORY, {
       recursive: true,
@@ -87,11 +93,12 @@ describe('clipboard', () => {
       await import('./clipboard');
 
     expect(saveClipboardImage('image-2')).toBe(
-      join(TEMP_IMAGES_DIRECTORY, 'image-2.png'),
+      join(TEMP_IMAGES_DIRECTORY, 'test-uuid.png'),
     );
     expect(mockWriteFileSync).toHaveBeenCalledWith(
-      join(TEMP_IMAGES_DIRECTORY, 'image-2.png'),
+      join(TEMP_IMAGES_DIRECTORY, 'test-uuid.png'),
       Buffer.from('png'),
+      { flag: 'wx', mode: 0o600 },
     );
   });
 
@@ -120,7 +127,7 @@ describe('clipboard', () => {
       await import('./clipboard');
 
     expect(saveClipboardImage('image-4')).toBe(
-      join(TEMP_IMAGES_DIRECTORY, 'image-4.png'),
+      join(TEMP_IMAGES_DIRECTORY, 'test-uuid.png'),
     );
   });
 
@@ -133,7 +140,7 @@ describe('clipboard', () => {
       await import('./clipboard');
 
     expect(saveClipboardImage('image-5')).toBe(
-      join(TEMP_IMAGES_DIRECTORY, 'image-5.png'),
+      join(TEMP_IMAGES_DIRECTORY, 'test-uuid.png'),
     );
     expect(mockExecFileSync).toHaveBeenCalledWith(
       'powershell',
diff --git a/src/utils/clipboard.ts b/src/utils/clipboard.ts
@@ -1,4 +1,5 @@
 import { execFileSync, spawnSync } from 'node:child_process';
+import { randomUUID } from 'node:crypto';
 import { existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
@@ -12,12 +13,9 @@ function ensureTempDirectory(directory: string): string {
   return directory;
 }
 
-function buildTargetPath(
-  directory: string,
-  baseName: string,
-  extension: string,
-) {
-  return join(ensureTempDirectory(directory), `${baseName}.${extension}`);
+function buildTargetPath(directory: string, extension: string) {
+  const uniqueName = `${randomUUID()}.${extension}`;
+  return join(ensureTempDirectory(directory), uniqueName);
 }
 
 function readMacClipboardImage(path: string): void {
@@ -64,13 +62,13 @@ $image.Save($args[0], [System.Drawing.Imaging.ImageFormat]::Png)
   });
 }
 
-function readLinuxClipboardImage(directory: string, baseName: string): string {
+function readLinuxClipboardImage(directory: string): string {
   const wlPng = spawnSync('wl-paste', ['--no-newline', '--type', 'image/png'], {
     encoding: 'buffer',
   });
   if (wlPng.status === 0 && wlPng.stdout.length > 0) {
-    const path = buildTargetPath(directory, baseName, 'png');
-    writeFileSync(path, wlPng.stdout);
+    const path = buildTargetPath(directory, 'png');
+    writeClipboardImageFile(path, wlPng.stdout);
     return path;
   }
 
@@ -80,8 +78,8 @@ function readLinuxClipboardImage(directory: string, baseName: string): string {
     { encoding: 'buffer' },
   );
   if (xclipPng.status === 0 && xclipPng.stdout.length > 0) {
-    const path = buildTargetPath(directory, baseName, 'png');
-    writeFileSync(path, xclipPng.stdout);
+    const path = buildTargetPath(directory, 'png');
+    writeClipboardImageFile(path, xclipPng.stdout);
     return path;
   }
 
@@ -90,24 +88,31 @@ function readLinuxClipboardImage(directory: string, baseName: string): string {
   );
 }
 
+function writeClipboardImageFile(path: string, data: Buffer): void {
+  writeFileSync(path, data, { flag: 'wx', mode: 0o600 });
+}
+
 export function saveClipboardImage(
   baseName: string,
   directory = TEMP_IMAGES_DIRECTORY,
 ): string {
   try {
     switch (process.platform) {
       case 'darwin': {
-        const path = buildTargetPath(directory, baseName, 'png');
+        const path = buildTargetPath(directory, 'png');
         readMacClipboardImage(path);
         return path;
       }
+
       case 'win32': {
-        const path = buildTargetPath(directory, baseName, 'png');
+        const path = buildTargetPath(directory, 'png');
         readWindowsClipboardImage(path);
         return path;
       }
+
       case 'linux':
-        return readLinuxClipboardImage(directory, baseName);
+        return readLinuxClipboardImage(directory);
+
       default:
         throw new Error(
           'Clipboard image paste is not supported on this platform. Paste an image path instead.',
