Do not hardcode temporary file or directory names このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください 。
このルールを試す ID: python-security/hardcoded-tmp-file
Language: Python
Severity: Info
Category: Best Practices
CWE : 377
Description Do not hardcode the names of temporary files or directories. This may constitute a security vulnerability because an attacker might use that name to create a link to a file they want to overwrite or read.
Instead of hardcoding values, use the tempfile
Python module to create unpredictable names.
Learn More Non-Compliant Code Examples with open ( "/tmp/acme.pub" , "rb" ) as key_file :
public_key = serialization . load_pem_public_key (
key_file . read (),
backend = default_backend ()
)
def foobar ():
api_key_file = Path ( '/tmp/supersecret.txt' )
keyfile = '/tmp/vulpy.apikey. {} . {} ' . format ( username , key )
keyfile = f "/tmp/vulpy.apikey. { username } . { key } "
def authenticate ( request ):
if 'X-APIKEY' not in request . headers :
return None
key = request . headers [ 'X-APIKEY' ]
for f in Path ( '/tmp/' ) . glob ( 'vulpy.apikey.*.' + key ):
return f . name . split ( '.' )[ 2 ]
return None
Compliant Code Examples secure_temp = tempfile . mkstemp ( prefix = "pre_" , suffix = "_suf" )
print ( secure_temp )
temp = tempfile . NamedTemporaryFile ()
print ( temp )
print ( temp . name )
Seamless integrations. Try Datadog Code Analysis