From c92d84e30e2ab09225aff961f6f8696e08c93572 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 20 May 2026 11:23:35 -0700
Subject: [PATCH] fix(security): insecure temporary file creation with predictable

In `internal/defaultcodesamples/defaultcodesamples.go`, the code creates a temporary file using `os.TempDir()` with a hardcoded filename `defaultcodesamples.js`. This is predictable and could lead to a race condition or symlink attack if an attacker can create this file before the program does. The file is written with `0o644` permissions and then executed via `exec.Command`.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 internal/defaultcodesamples/defaultcodesamples.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/defaultcodesamples/defaultcodesamples.go b/internal/defaultcodesamples/defaultcodesamples.go
index bf764e867..e48826eea 100644
--- a/internal/defaultcodesamples/defaultcodesamples.go
+++ b/internal/defaultcodesamples/defaultcodesamples.go
@@ -35,7 +35,11 @@ func DefaultCodeSamples(ctx context.Context, flags DefaultCodeSamplesFlags) erro
 if err != nil {
 return fmt.Errorf("failed to read default code samples file: %w", err)
 }
- tempDir := os.TempDir()
+ tempDir, err := os.MkdirTemp("", "defaultcodesamples-*")
+ if err != nil {
+ return fmt.Errorf("failed to create temporary directory: %w", err)
+ }
+ defer os.RemoveAll(tempDir)
 tempFile := fmt.Sprintf("%s/defaultcodesamples.js", tempDir)
 err = os.WriteFile(tempFile, result, 0o644)
 if err != nil {
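Review bot: The fix's safety rests entirely on `os.MkdirTemp` creating a fresh directory that only this user can write to (0700 on Unix), and nothing in the hunk records that, so a future "simplification" back to `os.TempDir()` or a relaxed mode would silently reopen the symlink/pre-creation race this commit closes; add a comment above the `os.MkdirTemp` line such as `// Private per-run directory: the fixed filename below is only safe because no other principal can create entries here.` The unchanged context line still builds the path with `fmt.Sprintf("%s/defaultcodesamples.js", tempDir)`; `filepath.Join(tempDir, "defaultcodesamples.js")` is the idiomatic form and avoids hard-coding a separator, though it needs `path/filepath` imported, which the hunk does not show. Since the commit message says the file is subsequently executed, `0o600` on the `os.WriteFile` call would be the tighter mode, even though inside a private directory `0o644` is no longer exploitable. The deferred `os.RemoveAll` discards its error, which is acceptable for best-effort cleanup but worth a one-word comment so it is not read as an oversight. The enclosing function `DefaultCodeSamples` begins and ends outside this hunk.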