Is it safe to store application files to user's temp directory?

Question

I'm developing a Node.js library that collects data whenever user runs tests. I would like to persist the data on local disk so that after the test run, user can run a command accessing that data. The test data might potentially contain sensitive data depending on what the user is testing, such as API keys (if the user is accidentally using real API keys for testing).

My first idea was to save the files to temporary directory like this:

const tempBaseDirectory = path.join(os.tmpdir(), "my-directory");
const tempDirectory = fs.mkdtempSync(tempBaseDirectory + path.sep);

and write the files for the test run in tempDirectory. Then after the test run, I can look into tempBaseDirectory for all the files I need.

That works fine, but I'm a bit worried about security. Could other users access that data in some operating systems?

Would it be better to store the data in a folder in user home directory or in the app directory? The latter option would require the user to specifically git-ignore the files.

Answer 1

Direct answer

Is it safe to store application files to user's temp directory?

To the letter of your question, yes, it is safe. However, very much take the bolded part into account. Not just any temp directory, only the user's temp directory suffices because it is appropriately access controlled to only give access to the current user.

os.tmpdir() gives access to the OS' temp directory and is therefore accessible by anyone who has access to this machine. Your temp files are not private to the user! Other users can access these files as well.

But what you can do is add encryption so that the data is unusable without the correct private key. This ensures that even when someone gains access to the file with ill intent (e.g. when the machine is compromised), that they can't actually parse the data.

---

Caveat: admin access

Note that local admins will be able to access the files as well. This can be a compromise of the private information but this is a decision made on the OS level to allow local administrators full access to the machine. If that is unacceptable for the level of privacy you and your users are expecting, then you can't really store anything on a machine.
But then again, technically speaking you wouldn't even be able to store a multi-session bearer token on that machine either, as an admin could get access to that token if they really wanted to. In reality, users compromise their own security (e.g. storing passwords in their browser) without worrying about things like admin access.

So it's up to you. If the privacy need is high (similar to banking information), don't store anything sensitive (without encrypting it) if you want to guarantee full privacy protection for your user. If the privacy need is reasonable (not accessible by anyone except those with appropriate rights decided by whoever owns the machine), then a user's folder is sufficiently private.

If you want to err on the safe side, encryption is a good way to ensure privacy from everyone including system admins, unless your files are prohibitively large to decrypt every time you want to access them.

---

User responsibility

@Kayaman deserves credit for posting it first, but I do want to add it as an answer rather than a comment.

Instead of fretting about the user's privacy and how you should handle it, why not use some real life inversion of control and instead let the user choose for themselves where to store the files?

This means you no longer have to worry about it. The user can take the appropriate privacy steps that they feel is required.

You could still e.g. add a notice to the application UI that these files may contain sensitive data and urge the users to keep them safe, but the final decision lies with them and not with you.

Answer 2

I would like to persist the data on local disk so that after the test run, user can run a command accessing that data.

That's reasonable and the User's Temporary directory is as good a place as any to put it. Of course, it matters what they're testing - if it's a piece of server-side functionality, like a Web app, then it might be better to retain all of this information on the server and not have to write it to local disk at all.

Another big concern with the User's Temporary directory is that Windows Disk Cleanup will blindly delete its contents when run and this is one of the first things that a Service Desk will suggest when the User starts to complain about running out of disk space!

The test data might potentially contain sensitive data depending on what the user is testing, such as API keys (if the user is accidentally using real API keys for testing).

That's a worry, especially in the World of GDPR.

You'll have to mitigate against this Risk; Getting rid of the data as soon as its no longer required is a good start.

I'm a bit worried about security. Could other users access that data in some operating systems?

Administrative users on that machine can access [just about] anything so yes, they would be able to see these files. if that's a serious [enough] concern, consider encrypting the files on disk.

Would it be better to store the data in a folder in user home directory or in the app directory?

On Windows, Regular users cannot write into the app directory, so that's probably a not a good choice.

Users can write into their own Home directory, but that's also one of the places that they go for their files so adding these into there just opens them up for Users to "fiddle with". That may or may not be an issue.

On Windows, subdirectories of %APPDATA% are a good choice. These are "local" to each User (although Admin-user accessible), writable by Regular Users but, most importantly, aren't "on their radar" of places to look for "interesting" files. Also, this location can be replicated across machines, if you have this kind of "Roaming" setup.