ID: python-security/hardcoded-tmp-file
Language: Python
Severity: Info
Category: Best Practices
CWE: 377
Do not hardcode the names of temporary files or directories. A fixed name in a shared, world-writable location such as /tmp can be a security weakness: an attacker who knows the name can create a link at that path in advance, so that the program overwrites or reads a file of the attacker's choosing.
Instead of hardcoding values, use the tempfile Python module to create unpredictable names.
```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

# Non-compliant: a fixed path in shared /tmp that any local user can pre-create or link.
with open("/tmp/acme.pub", "rb") as key_file:
    public_key = serialization.load_pem_public_key(
        key_file.read(),
        backend=default_backend()
    )
```
```python
from pathlib import Path

def foobar(username, key):
    # Non-compliant: predictable /tmp names (username and key are hypothetical inputs).
    api_key_file = Path('/tmp/supersecret.txt')
    keyfile = '/tmp/vulpy.apikey.{}.{}'.format(username, key)
    keyfile = f"/tmp/vulpy.apikey.{username}.{key}"
    return api_key_file, keyfile
```
```python
from pathlib import Path

def authenticate(request):
    if 'X-APIKEY' not in request.headers:
        return None
    key = request.headers['X-APIKEY']
    # Non-compliant: globbing a predictable name in shared /tmp; any local user can plant a match.
    for f in Path('/tmp/').glob('vulpy.apikey.*.' + key):
        return f.name.split('.')[2]
    return None
```
```python
import os
import tempfile

fd, secure_temp = tempfile.mkstemp(prefix="pre_", suffix="_suf")  # returns (fd, path); file mode 0600
print(secure_temp)
os.close(fd)  # mkstemp leaves the descriptor open and the file in place
temp = tempfile.NamedTemporaryFile()  # unpredictable name, removed on close
print(temp)
print(temp.name)
temp.close()
```
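As an added example (not part of the rule page or the vulpy project), this rewrites the per-user API-key store from the non-compliant snippets above with tempfile: a private mkdtemp directory, mkstemp for each key file, and a lookup that never globs a predictable name in /tmp. The function names and the file layout are assumptions for illustration.

```python
import hmac
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not the rule's or vulpy's own code; names and layout are assumed.


def create_key_store() -> Path:
    """Create a private, unpredictably named directory (mode 0700) for key files."""
    return Path(tempfile.mkdtemp(prefix="apikeys_"))


def store_api_key(store: Path, username: str, api_key: str) -> Path:
    """Write one key file inside the store using mkstemp.

    mkstemp returns (fd, path); the file is created exclusively with mode
    0600, so a link planted at that name beforehand cannot be followed.
    The descriptor must be wrapped or closed, or it leaks.
    """
    fd, path = tempfile.mkstemp(prefix=f"{username}.", suffix=".key", dir=store)
    with os.fdopen(fd, "w") as fh:  # takes ownership of fd and closes it
        fh.write(api_key)
    return Path(path)


def lookup_user(store: Path, api_key: str) -> Optional[str]:
    """Return the username whose key file holds api_key, else None.

    Unlike glob('/tmp/vulpy.apikey.*.' + key), the search is confined to the
    private store and the key is never part of a file name (usernames are
    assumed to contain no dots).
    """
    for f in store.iterdir():
        if hmac.compare_digest(f.read_text(), api_key):
            return f.name.split(".")[0]
    return None


def is_private(path: Path) -> bool:
    """True if path is owner-only: 0600 for a regular file, 0700 for a directory."""
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        return mode == 0o700
    return stat.S_ISREG(st.st_mode) and mode == 0o600
```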