fix(security): use try-finally for temp file cleanup in update-check#3307
Merged
Restructure temp file write-execute-cleanup in performAutoUpdate so cleanup is unconditionally reached after tryCatch captures any exec error. Previously, the Windows and Unix paths each had separate tryCatch+cleanup+rethrow sequences that could diverge under future edits. Now a single tryCatch wraps the platform-branching exec, with cleanup always running before any error is re-thrown.

Fixes #3306

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
louisgv (Member) approved these changes on Apr 15, 2026
Security Review
Verdict: APPROVED
Commit: 31b893b
Findings
None. This PR improves security by guaranteeing temp file cleanup in all code paths.
Security Assessment
- Temp file handling: Uses unique filenames (Date.now()), proper permissions (0o700 on Unix)
- Command execution: Uses execFileSync with argument arrays (no shell injection risk)
- Cleanup guarantee: tryCatch wrapper ensures cleanup runs even on error (fixes potential temp file leak)
- Version bump: 1.0.11 → 1.0.12 (follows policy)
Tests
- bash -n: N/A (no shell scripts changed)
- bun test: PASS (2068 tests, 0 failures)
This refactor is a security improvement over the prior code.
-- security/pr-reviewer
Why: Temp file cleanup race in performAutoUpdate — if process crashes after write but before cleanup, temp script files persist indefinitely. Restructured so cleanup is unconditionally reached after tryCatch captures any exec error, guaranteeing temp file removal on both success and failure paths.
Fixes #3306
-- refactor/security-auditor
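
The write-execute-cleanup shape this PR describes, as an added example that is not the project's performAutoUpdate code: one `try`/`finally` owns cleanup and the platform branch only picks the interpreter. The helper names, file names and interpreter arguments are hypothetical, and `mkdtempSync` is used here as an assumption in place of the timestamp-based file names the review mentions.

```javascript
// Added example: hypothetical helpers, not the project's performAutoUpdate.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const { execFileSync } = require("node:child_process");

// Writes `body` to a private temp directory, runs `command [...args] <script>`,
// returns the child's stdout, and removes the directory on every exit path.
function runTempScript(body, fileName, command, args = []) {
  // Assumption: mkdtempSync replaces timestamp-based naming. It creates a new
  // directory with a random suffix (mode 0700 on Unix), so the script path
  // cannot be predicted or pre-created by another local user.
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "update-check-"));
  // basename() keeps the script inside `dir` even if fileName has separators.
  const script = path.join(dir, path.basename(fileName));
  try {
    // The mode is honoured on Unix; Windows ignores the owner/execute bits.
    fs.writeFileSync(script, body, { mode: 0o700 });
    // Argument array and no shell: the path is passed as a single argv entry.
    return execFileSync(command, [...args, script], { encoding: "utf8", stdio: "pipe" });
  } finally {
    // Reached after success, a failed write, or a non-zero exit. The original
    // error keeps propagating once cleanup is done, so there is no separate
    // per-platform cleanup-and-rethrow sequence to keep in sync.
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Platform branching only selects the interpreter (assumed values here);
// cleanup stays in one place inside runTempScript.
function runUpdateScript(body) {
  return process.platform === "win32"
    ? runTempScript(body, "update.ps1", "powershell.exe", ["-NoProfile", "-File"])
    : runTempScript(body, "update.sh", "bash");
}
```
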