Comments (4)
Hi there!
The `tempfile.mktemp` function should be avoided because it can introduce race conditions. However, the similarly named `tempfile.mkstemp` function is okay. The Correct code section above is using the approach recommended by the Python documentation.
Are you seeing a false positive where Dlint is detecting `mkstemp` as well? It should only be detecting the function without the "s".
from dlint.
> The `tempfile.mktemp` function should be avoided because it can introduce race conditions.
Agreed, yes!
> However, the similarly named `tempfile.mkstemp` function is okay.
> The Correct code section above is using the approach recommended by the Python documentation.
I think you refer to this block at https://docs.python.org/3.8/library/tempfile.html#deprecated-functions-and-variables:
```python
>>> f = NamedTemporaryFile(delete=False)
>>> f.name
'/tmp/tmptjujjt'
>>> f.write(b"Hello World!\n")
13
>>> f.close()
>>> os.unlink(f.name)
>>> os.path.exists(f.name)
False
```
I consider their code to be demo code rather than an actual recommendation.
My understanding is that when you need to work with a filename, there are two cases:
a) The file is so short-lived that use of a context manager like this is fine:

```python
with tempfile.NamedTemporaryFile() as f:
    pass  # work with f.file.fileno() and/or f.name here
# f.name deleted now
```
b) The file lives longer and regular use of a context manager is not an option:

```python
fd, temp_filename = tempfile.mkstemp()
os.close(fd)
# do as much or little with the temp file here as needed
os.remove(temp_filename)
```
If you want to keep using `NamedTemporaryFile(delete=False)` for the example in the docs I would suggest to change current…

```python
import tempfile
fd = tempfile.NamedTemporaryFile(delete=False)
temp_filename = fd.name
```

…to…

```python
import os, tempfile
f = tempfile.NamedTemporaryFile(delete=False)
# .. do work with f.name here ..
os.remove(f.name)
```

to be more complete and use `f` (file) rather than mis-leading `fd` (file descriptor) which is a plain integer most of the time.
What do you think?
> Are you seeing a false positive where Dlint is detecting `mkstemp` as well? It should only be detecting the function without the "s".
I have no report like that, no.
from dlint.
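The two cases discussed in the comment above (a short-lived file handled by a context manager, and a longer-lived file created with `mkstemp`) plus the docs' `NamedTemporaryFile(delete=False)` variant, written out as an added example. This is not code from the thread, from dlint, or from the Python docs; the function names and the constructed payloads are the example's own. Each function returns what it observed so the behaviour can be checked rather than just printed.

```python
from __future__ import annotations

import os
import stat
import tempfile


def short_lived(payload: bytes) -> tuple[int, bool]:
    """Case a): the file only has to outlive one block of code.

    NamedTemporaryFile creates the file securely (mkstemp underneath) and
    deletes it when the context manager exits.
    Returns (size observed while open, exists after the block).
    """
    with tempfile.NamedTemporaryFile() as f:
        f.write(payload)
        f.flush()
        # While the file is open, f.name can be handed to code that needs a path.
        size_while_open = os.path.getsize(f.name)
        name = f.name
    # After the block the file is gone.
    return size_while_open, os.path.exists(name)


def long_lived_create(payload: bytes) -> str:
    """Case b): the file must outlive the function that created it.

    mkstemp creates the file atomically (O_CREAT | O_EXCL, mode 0600) and
    hands back an open descriptor, so there is no window between choosing
    the name and creating the file, which is exactly the gap mktemp leaves.
    Writing through the descriptor means the file is never re-opened by name.
    """
    fd, temp_filename = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:  # os.fdopen takes ownership of fd
            f.write(payload)
    except BaseException:
        os.remove(temp_filename)  # never leak a half-written temp file
        raise
    return temp_filename


def long_lived_consume(temp_filename: str) -> tuple[bytes, bool, bool]:
    """Later, elsewhere in the program: use the file by name, then remove it.

    Returns (content, had private 0600 mode, exists after removal).
    The mode check is POSIX-only; on other platforms it is reported as True.
    """
    if os.name == "posix":
        private = stat.S_IMODE(os.stat(temp_filename).st_mode) == 0o600
    else:
        private = True
    try:
        with open(temp_filename, "rb") as f:
            content = f.read()
    finally:
        os.remove(temp_filename)
    return content, private, os.path.exists(temp_filename)


def delete_false_pattern(payload: bytes) -> tuple[bytes, bool]:
    """The NamedTemporaryFile(delete=False) variant from the docs, with cleanup.

    Equivalent to case b) but keeps the file object around: the path stays
    valid after close(), and the caller owns the os.remove().
    Returns (content read back by name, exists after removal).
    """
    f = tempfile.NamedTemporaryFile(delete=False)
    try:
        f.write(payload)
        f.close()
        with open(f.name, "rb") as reader:
            content = reader.read()
    finally:
        f.close()  # harmless if already closed
        os.remove(f.name)
    return content, os.path.exists(f.name)


if __name__ == "__main__":
    print(short_lived(b"hello"))                              # (5, False)
    print(long_lived_consume(long_lived_create(b"abc")))      # (b'abc', True, False)
    print(delete_false_pattern(b"xyz"))                       # (b'xyz', False)
```

The common thread is that every variant gets its file from `mkstemp` or from `NamedTemporaryFile` (which wraps it), so the file exists with a private mode before anyone learns its name; the only thing that differs between the cases is who is responsible for the `close()` and the `os.remove()`.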
Thanks for all these descriptive examples!
Regarding short-lived vs. long-lived files, I think the easiest way to cover all these cases is to avoid prescriptive docs for all `close` and `remove` scenarios (and context managers). These examples are just trying to show minimal snippets of roughly equivalent code and not fully production-ready code.
Good call with `fd` vs. `f`. That recommendation is also consistent with what the Python docs use. I'd be happy to accept a PR or make that change if that works for you.
from dlint.
I see your point about `close` and `remove`. I'm curious what you think of the approach taken with #22.
from dlint.