krkn-chaos / krkn

Chaos and resiliency testing tool for Kubernetes with a focus on improving performance under failure conditions. A CNCF sandbox project.

[B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.

sandrobonazzola opened this issue · comments

bandit reports:

Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   Location:
      ./run_kraken.py:
         29 :     with open("/tmp/kraken_status", "w+") as file:
      ./server.py:
         22 :         f = open("/tmp/kraken_status", "rb")
         37 :         with open("/tmp/kraken_status", "w+") as file:
         43 :         with open("/tmp/kraken_status", "w+") as file:
         49 :         with open("/tmp/kraken_status", "w+") as file:
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html

Usage of /tmp/kraken_status was added in PR #158. @paigerube14, if I get it right, you want to record RUN, STOP, PAUSE events and send the logs over HTTP when a GET request comes in for the / path.

Do you really need to store the log on disk? Could it be stored in an io.StringIO memory buffer instead?
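Added example (not krkn's code and not part of the thread) showing why bandit flags the `open("/tmp/kraken_status", "w+")` pattern and the two fixes under discussion. A fixed, predictable name in a world-writable directory lets another local user pre-create it as a symlink; `"w+"` then follows that link and truncates whatever it points at. The hardened writer uses `O_CREAT|O_EXCL|O_NOFOLLOW` with mode 0600 so a planted file or link is refused, and `StatusBuffer` is the in-memory `io.StringIO` alternative that writes nothing to disk at all. The sandbox directory created with `tempfile.mkdtemp`, the `victim.conf` file and the event strings are constructed for the demo and stand in for a shared /tmp.

```python
"""Hardcoded temp file (CWE-377 / bandit B108): insecure vs. hardened vs. in-memory."""
import io
import os
import shutil
import tempfile


def write_status_insecure(path: str, text: str) -> None:
    """The pattern bandit flagged: a fixed path in a shared directory opened
    with "w+" (O_CREAT|O_TRUNC), which silently follows a pre-planted symlink."""
    with open(path, "w+") as f:
        f.write(text)


def write_status_safe(path: str, text: str) -> None:
    """Refuse anything already at the path: O_CREAT|O_EXCL fails if the name
    exists (even as a symlink), O_NOFOLLOW refuses symlinks where available,
    and mode 0o600 keeps other users from reading the status.  Raises OSError
    (normally FileExistsError) if something was planted there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


class StatusBuffer:
    """In-memory alternative (the io.StringIO suggestion): no file on disk."""

    def __init__(self) -> None:
        self._buf = io.StringIO()

    def record(self, event: str) -> None:
        self._buf.write(event + "\n")

    def contents(self) -> str:
        return self._buf.getvalue()


def symlink_attack_demo() -> dict:
    """Constructed scenario: an attacker pre-creates <sandbox>/kraken_status as a
    symlink to a victim file.  Reports which writer clobbered the victim."""
    sandbox = tempfile.mkdtemp(prefix="kraken-demo-")  # stands in for /tmp
    try:
        victim = os.path.join(sandbox, "victim.conf")
        planted = os.path.join(sandbox, "kraken_status")
        with open(victim, "w") as f:
            f.write("important=1\n")
        os.symlink(victim, planted)  # attacker's pre-planted link

        # 1. the flagged pattern follows the link and overwrites the victim
        write_status_insecure(planted, "RUN\n")
        with open(victim) as f:
            clobbered_by_insecure = f.read() == "RUN\n"

        # 2. reset the victim and try the hardened writer on the same planted name
        with open(victim, "w") as f:
            f.write("important=1\n")
        try:
            write_status_safe(planted, "RUN\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(victim) as f:
            clobbered_by_safe = f.read() != "important=1\n"

        # 3. the hardened writer still works on a name nobody planted
        fresh = os.path.join(sandbox, "kraken_status.fresh")
        write_status_safe(fresh, "PAUSE\n")
        with open(fresh) as f:
            safe_fresh_ok = f.read() == "PAUSE\n"
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)

    return {
        "clobbered_by_insecure": clobbered_by_insecure,
        "safe_refused": safe_refused,
        "clobbered_by_safe": clobbered_by_safe,
        "safe_fresh_ok": safe_fresh_ok,
    }


if __name__ == "__main__":
    print(symlink_attack_demo())
    buf = StatusBuffer()
    buf.record("RUN")
    buf.record("STOP")
    print(buf.contents(), end="")
```

If a file really is needed (for example so a separate process can read it), the hardened writer should also live in a per-user directory from `tempfile.mkdtemp()` rather than directly in /tmp, since `O_EXCL` only refuses a planted name; it cannot stop another user from planting it again between runs.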

@sandrobonazzola, how did you get that security output? Should we add that as a GitHub workflow so we can more readily catch errors like this?
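Added example (not krkn's own CI configuration) of the kind of GitHub Actions workflow the question above is asking for: it installs bandit from PyPI and runs it recursively over the checkout, failing the job on any finding. The workflow name, trigger branches and the assumption that the repository root is the Python tree to scan are placeholders to adjust for the project.

```yaml
# .github/workflows/bandit.yml  (added example, not the project's own workflow)
name: bandit

on:
  push:
    branches: [main]
  pull_request:

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install bandit
        run: python -m pip install --upgrade pip bandit
      - name: Run bandit
        # -r scans recursively; a non-zero exit on any reported issue fails the PR check
        run: bandit -r .
```

Findings such as B108 then appear in the job log in the same format as the report at the top of this issue.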

Closing with PR being merged.