Fix insecure temporary file creation #429

SandstromErik
Contributor

Fix insecure temporary file creation when setting up arguments for code gen process

Member

@Daniel-Svensson Daniel-Svensson left a comment

I think that this mostly solves the SonarQube issue, but it can be made better.

"Issues"

  • There is a race condition between File.Exists and when the file is created
  • minor: 9 attempts 1..9, is it intentional or was it intended to be 10?

Improvements

Avoid race condition

  1. Explicitly create the file with
    - FileMode.CreateNew (this checks that the file did not exist before so File.Exists becomes redundant)
    - FileAccess.Write
    - FileShare.Read (this allows the file to be "locked", preventing it from being modified or deleted while in use)
  • use try/catch to handle IOException in case file exists (and retry with a new name)
  2. And make sure that it remains open until after the process is completed.

Other things

  • add "openria-codegen-{DateTime.Now:MMdd-hhmmss-fff}" or similar as part of filename
    • The random part of filename will maybe only be needed if first attempt fails
  • The code to create the temp file could return something which is IDisposable
    • but it might very well be more complex than needed
    • that means a using can be used instead of try/catch/finally
      to close and delete the file
    • If using a new class make it sealed and add a method such as "KeepFileOnDispose" for disabling deletion of file
  • Consider moving logic for creating temporary file to a helper method? (this can make code flow easier)

sonarcloud bot commented Jun 30, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: 75.0%
  • Duplication: 0.0%

Member

@Daniel-Svensson Daniel-Svensson left a comment

The solution is fine.

I would have made it a bit different and kept the file open until after the process has completed.

I would have made a "FileStream CreateTemporaryFile()" method similar to the pseudo code below
and called it from GenerateClientProxiesOutOfProcess. Keeping that code separate (even as a local method) means it is quite simple to add up to X retries.

fname = Path.Combine(tempfolder, "openria....")
ext = "rsp" // tmp, txt or similar

try
    return new FileStream(fname + ext, FileMode.CreateNew, FileAccess.Write, FileShare.Read);
catch IOException
    return new FileStream(fname + random + ext, FileMode.CreateNew, FileAccess.Write, FileShare.Read);

update
As for your error handling question:

  • it would be nice to log an error with details about that we "could not create temporary file with codegen input", but the risk is very low (full file system etc) so maybe the generic exception message is good enough.

To log the exception one could do
something similar to try/catch in GenerateClientProxiesOutOfProcess

Or have create temp file log extra details

for I in 0..9
   Try return new FileStream
   Catch update random part

Report error and return failure using null, false or throw 
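
The helper discussed in the review comments above, written out in C# as an added example (it is not code from this pull request or from OpenRiaServices). The class name `TemporaryFile`, its `Create` method and the `.rsp` default extension are assumptions for illustration; the file modes, the filename prefix, the `KeepFileOnDispose` idea and the bounded retry come from the comments.

```csharp
using System;
using System.IO;

// Hypothetical helper, not OpenRiaServices code: owns an exclusively created temp file.
public sealed class TemporaryFile : IDisposable
{
    private readonly FileStream _stream;
    private bool _keepFile;

    private TemporaryFile(FileStream stream) => _stream = stream;

    public string FilePath => _stream.Name;
    public Stream Stream => _stream;

    // Disables deletion on Dispose, e.g. to inspect the input after a failed run.
    public void KeepFileOnDispose() => _keepFile = true;

    public static TemporaryFile Create(string folder, string extension = ".rsp", int maxAttempts = 10)
    {
        string baseName = $"openria-codegen-{DateTime.Now:MMdd-hhmmss-fff}";
        string suffix = string.Empty; // random part is only added after a collision
        for (int attempt = 0; attempt < maxAttempts; attempt++)
        {
            string path = Path.Combine(folder, baseName + suffix + extension);
            try
            {
                // CreateNew makes "check and create" one atomic step, so no File.Exists
                // call is needed beforehand. On Windows, FileShare.Read denies other
                // writers and deletion for as long as this handle stays open.
                return new TemporaryFile(
                    new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.Read));
            }
            catch (IOException) when (File.Exists(path))
            {
                // Name already taken: retry with an unpredictable suffix.
                suffix = "-" + Path.GetRandomFileName();
            }
        }
        throw new IOException(
            $"Could not create temporary file with codegen input in '{folder}'.");
    }

    public void Dispose()
    {
        string path = _stream.Name; // capture before closing the handle
        _stream.Dispose();
        if (!_keepFile)
            File.Delete(path);
    }
}
```

The exception filter lets other I/O failures (full disk, missing folder) propagate unchanged instead of being retried. On Windows, a reader of the file must open it with `FileShare.ReadWrite` while this write handle is held, and the writer must flush before the code gen process starts.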

@Daniel-Svensson Daniel-Svensson merged commit 286c839 into OpenRIAServices:main Aug 1, 2023
@SandstromErik SandstromErik deleted the feature/fixInsecurityWithGetTempFileName branch October 2, 2023 12:03