Comments (4)
mschwager
commented on June 18, 2024
Hi there!
The tempfile.mktemp function should be avoided because it can introduce race conditions. However, the similarly named tempfile.mkstemp function is okay. The Correct code section above is using the approach recommended by the Python documentation.
Are you seeing a false positive where Dlint is detecting mkstemp as well? It should only be detecting the function without the "s".
from dlint.
hartwork
commented on June 18, 2024
The
tempfile.mktempfunction should be avoided because it can introduce race conditions.
Agreed, yes!
However, the similarly named
tempfile.mkstempfunction is okay.
π
The
Correct codesection above is using the approach recommended by the Python documentation.
I think you refer to this block at https://docs.python.org/3.8/library/tempfile.html#deprecated-functions-and-variables:
>>> f = NamedTemporaryFile(delete=False)
>>> f.name
'/tmp/tmptjujjt'
>>> f.write(b"Hello World!\n")
13
>>> f.close()
>>> os.unlink(f.name)
>>> os.path.exists(f.name)
False
I consider their code to be demo code rather than an actual recommendation.
My understanding is that when you need to work with a filename, there are two cases:
a) The file is so short-lived that use of a context manager like β this is β fine:
with tempfile.NamedTemporaryFile() as f:
pass # work with f.file.fileno() and/or f.name here
# f.name deleted now
b) The file lives longer and regular use of a context manager is not an option:
fd, temp_filename = tempfile.mkstemp()
os.close(fd)
# do as much or little with the temp file here as needed
os.remove(filename)
If you want to keep using NamedTemporaryFile(delete=False) for the example in the docs I would suggest to change currentβ¦
import tempfile
fd = tempfile.NamedTemporaryFile(delete=False)
temp_filename = fd.name
β¦toβ¦
import os, tempfile
f = tempfile.NamedTemporaryFile(delete=False)
# .. do work with f.name here ..
os.remove(f.name)
to be more complete and use f (file) rather than mis-leading fd (file descriptor) which is a plain integer most of the time.
What do you think?
Are you seeing a false positive where Dlint is detecting
mkstempas well? It should only be detecting the function without the "s".
I have no report like that, no.
from dlint.
mschwager
commented on June 18, 2024
Thanks for all these descriptive examples!
Regarding short-lived vs. long-lived files, I think the easiest way to cover all these cases is to avoid prescriptive docs for all close and remove scenarios (and context managers). These examples are just trying to show minimal snippets of roughly equivalent code and not fully production-ready code.
Good call with fd vs. f. That recommendation is also consistent with what the Python docs use. I'd be happy to accept a PR or make that change if that works for you π
from dlint.
hartwork
commented on June 18, 2024
I see your point about close and remove. I'm curious what you think of the approach taken with #22.
from dlint.
Related Issues (20)
- Whitelist yaml detection when using SafeLoader
- Add linter for XML calls allowing external entities (including DTD)
- Add linter for broken function level authorization
- DUO107 whitelist from xml.etree.ElementTree import Element, SubElement HOT 1
- Add linter for insecure JWT usage in python-jose
- Add linter for insecure JWT usage in pyjwt
- Add Python 3.9 support HOT 1
- Relationship to bandit HOT 1
- redos detection misses issues if the regex is provided via a variable HOT 1
- Support flake8>=4 HOT 1
- Publish sources on PyPi HOT 1
- Hashlib linter should not warn when `usedforsecurity=False` is set HOT 3
- Remove python2 compatibility code
- Support for flake8==5.x.x
- Stop recommending defusedxml instead of lxml / warn about specific lxml misuse
- Drop Python 3.6 support HOT 1
- Update DUO108 documentation
- Deprecate DUO101
- Flake8 v6 compatibility
- pkgutil.iter_modules is evaluated once per module
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dlint.