Bandit’s B108 rule flags literal uses of /tmp, /var/tmp and similar as medium-confidence issues, since predictable paths invite TOCTOU and symlink-hijack attacks. Our code currently has defaults like /tmp/bugsink/ingestion/... for Bugsink and /tmp/snappea.pid and /tmp/snappea.wakeup/... for Snappea.
Risk Assessment:
All identified risks are forms of local‑privilege‑escalation via filesystem race conditions and symlink hijacks
Bugsink is typically deployed in a docker container or in a single-use single-server (VPS) setup.
Container isolation and mapping root to an unprivileged host UID greatly reduce cross-process races in our default deployments. Likewise, the recommended single-server setup for Bugsink assumes no other co-resident services.
However, in the spirit of defense‑in‑depth, it would be better to layer in additional safeguards rather than lean entirely on isolation -- security is strongest when we make as few assumptions about how Bugsink will be deployed as possible.
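As an added example (not Bugsink's or Snappea's own code), this is the kind of layered safeguard the issue argues for, in Python: pick a per-user or unpredictable runtime directory instead of a fixed `/tmp` path, open it with `O_NOFOLLOW` and verify ownership and mode on the resulting fd rather than on the name, then create the pid file relative to that directory fd with `O_CREAT|O_EXCL` so a pre-planted symlink makes the open fail instead of redirecting the write. The `override` parameter stands in for a hypothetical `BUGSINK_RUNTIME_DIR` setting that does not exist in the project; `snappea.pid` is reused from the issue text as the file name. Unix-only (`O_DIRECTORY`, `O_NOFOLLOW`, `dir_fd`).

```python
"""Safer replacements for hard-coded /tmp paths (added example, not project code)."""
import os
import stat
import tempfile


def choose_runtime_dir(app_name, override=None):
    """Return a base directory for pid/wakeup files that is not a shared,
    predictable /tmp path.

    Order: an explicit override (stands in for a hypothetical
    BUGSINK_RUNTIME_DIR setting), then $XDG_RUNTIME_DIR/<app> (per-user,
    created 0700 by systemd-logind), then a fresh mkdtemp() directory whose
    random name a co-resident process cannot predict.
    """
    if override:
        return override
    xdg = os.environ.get("XDG_RUNTIME_DIR")
    if xdg:
        return os.path.join(xdg, app_name)
    return tempfile.mkdtemp(prefix=f"{app_name}-")


def open_private_dir(path):
    """Create (if needed) and validate `path` as a 0700 directory we own.

    mkdir() refuses to replace anything already at `path` (including a
    symlink), the open uses O_NOFOLLOW so a planted symlink is rejected with
    ELOOP, and the checks run on fstat() of the open fd so they cannot be
    raced by a rename between check and use. Returns the directory fd.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # already there; the checks below decide whether to trust it
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISDIR(st.st_mode):
            raise RuntimeError(f"{path} is not a directory")
        if st.st_uid != os.getuid():
            raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not by us")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise RuntimeError(f"{path} is accessible by group/other")
    except Exception:
        os.close(fd)
        raise
    return fd


def write_pidfile(dir_fd, name, pid):
    """Create the pid file relative to the validated directory fd.

    O_CREAT|O_EXCL fails with EEXIST if anything, file or symlink, already
    exists at `name`, so the write cannot be redirected; O_NOFOLLOW is
    belt-and-braces. The file is created 0600 and only ever truncated by us.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
    with os.fdopen(fd, "w") as f:
        f.write(f"{pid}\n")


def read_pidfile(dir_fd, name):
    """Read the pid back, again refusing to follow a symlink at `name`."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    with os.fdopen(fd) as f:
        return int(f.read().strip())


if __name__ == "__main__":
    base = choose_runtime_dir("snappea")
    dfd = open_private_dir(os.path.join(base, "run"))
    write_pidfile(dfd, "snappea.pid", os.getpid())
    print(base, read_pidfile(dfd, "snappea.pid"))
    os.close(dfd)
```

The same `dir_fd` can be handed to `os.open`, `os.unlink` and `os.rename` for the wakeup files, which keeps every later operation anchored to the directory that was actually verified rather than to a path string that could be re-resolved.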