Do not hardcode temp file or directory

Metadata

ID: python-security/hardcoded-tmp-file

Language: Python

Severity: Info

Category: Best Practices

Description

Do not hardcode the name or directory of temporary files. Use the tempfile Python module instead of hardcoding values. A fixed path such as /tmp/acme.pub is predictable and lives in a world-writable directory shared with every local user: another user can create a file or a symlink at that name before your process does, so you may read attacker-controlled data or write through the symlink into a file you never intended to touch. tempfile.mkstemp, tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory generate an unpredictable name and create the file or directory atomically with permissions restricted to the current user, so a pre-planted name makes the call fail instead of being silently followed.
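The following is an added example, not code from the rule page or from the projects the snippets below come from. It shows the symlink attack that a hardcoded name in a shared directory allows, next to the tempfile.mkstemp version that defeats it. The file names, the constant FIXED_NAME, the functions write_secret_insecure, write_secret_secure, is_private_file and demo, and the contents written are all constructed for this example; the insecure writer takes a base_dir parameter only so that the demo can run in a throwaway directory instead of the real /tmp.

```python
import os
import stat
import tempfile
from typing import Optional

# All names and contents below are constructed for this example.
FIXED_NAME = "acme.secret"   # the kind of hardcoded, guessable name the rule flags


def write_secret_insecure(data: bytes, base_dir: str = "/tmp") -> str:
    """Non-compliant pattern: fixed name in a shared directory.

    Real code hardcodes "/tmp"; base_dir is a parameter here only so the
    demo can run in a scratch directory. open(..., "wb") follows a symlink
    an attacker left at this name and truncates whatever it points to.
    """
    path = os.path.join(base_dir, FIXED_NAME)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def write_secret_secure(data: bytes, directory: Optional[str] = None) -> str:
    """Compliant pattern: tempfile picks a random name and creates the file
    with O_CREAT|O_EXCL and mode 0600, so a pre-planted file or symlink makes
    the call fail instead of being followed."""
    fd, path = tempfile.mkstemp(prefix="acme_", suffix=".secret", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path


def is_private_file(path: str) -> bool:
    """True if path is a regular file (not a symlink) with no group/other
    permission bits: the property a temp file holding a secret should have."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def demo() -> dict:
    """Run the symlink attack against the insecure writer, then check the
    secure writer's properties. Everything happens in a throwaway directory."""
    payload = b"constructed sample secret"
    results = {}
    with tempfile.TemporaryDirectory(prefix="hardcoded_tmp_demo_") as tmpdir:
        # Attacker (any local user on a shared /tmp) plants a symlink at the
        # predictable name, pointing at a file they want overwritten.
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original contents")
        os.symlink(victim, os.path.join(tmpdir, FIXED_NAME))

        insecure_path = write_secret_insecure(payload, base_dir=tmpdir)
        with open(victim, "rb") as fh:
            results["victim_overwritten"] = fh.read() == payload
        results["insecure_is_private"] = is_private_file(insecure_path)

        # Defender: two secure writes yield two distinct, owner-only files.
        p1 = write_secret_secure(payload, directory=tmpdir)
        p2 = write_secret_secure(payload, directory=tmpdir)
        results["secure_paths_distinct"] = p1 != p2
        results["secure_in_dir"] = os.path.dirname(p1) == tmpdir
        results["secure_is_private"] = is_private_file(p1) and is_private_file(p2)
        with open(p1, "rb") as fh:
            results["secure_roundtrip"] = fh.read() == payload
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the block on a POSIX system shows the victim file silently replaced by the insecure writer, while the secure writer produces files that are regular (not symlinks), mode 0600 and different on every call. The same reasoning applies to directories: use tempfile.TemporaryDirectory rather than a fixed subdirectory of /tmp.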


Non-Compliant Code Examples

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

# Fixed, predictable path in the shared /tmp directory: any local user can place their own key (or a symlink) at this name
with open("/tmp/acme.pub", "rb") as key_file:
    public_key = serialization.load_pem_public_key(
        key_file.read(),
        backend=default_backend()
    )

from pathlib import Path

def foobar():
    api_key_file = Path('/tmp/supersecret.txt')  # fixed, guessable secret location

from pathlib import Path

# Both forms build a guessable name under /tmp from user-controlled values
keyfile = '/tmp/vulpy.apikey.{}.{}'.format(username, key)
keyfile = f"/tmp/vulpy.apikey.{username}.{key}"

def authenticate(request):
    if 'X-APIKEY' not in request.headers:
        return None

    key = request.headers['X-APIKEY']

    # Globbing a hardcoded /tmp: anyone who can write there can drop a matching
    # file and be authenticated as the username embedded in its name
    for f in Path('/tmp/').glob('vulpy.apikey.*.' + key):
        return f.name.split('.')[2]

    return None

Compliant Code Examples

import os
import tempfile

# mkstemp creates the file atomically with mode 0600 and returns (fd, path)
fd, path = tempfile.mkstemp(prefix="pre_", suffix="_suf")
os.close(fd)
print(path)

# NamedTemporaryFile does the same and deletes the file when it is closed
temp = tempfile.NamedTemporaryFile()
print(temp)
print(temp.name)