ruff: Fix S108 Probable insecure usage of temporary file.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-01-06 00:09:53 -08:00 · 2023-01-06 00:09:53 -08:00 · 7e3a681f80
parent d05f672132
commit 7e3a681f80
6 changed files with 16 additions and 11 deletions
--- a/tools/test-run-dev
+++ b/tools/test-run-dev
@ -3,6 +3,7 @@ import os
 import signal
 import subprocess
 import sys
 import tempfile
 import time
 from typing import Tuple
@ -37,12 +38,11 @@ def start_server(logfile_name: str) -> Tuple[bool, str]:
 if __name__ == "__main__":
    print("Testing development server start!")
-    logfile_name = "/tmp/run-dev-output"
+    with tempfile.NamedTemporaryFile(buffering=0) as logfile:
    with open(logfile_name, "wb", buffering=0) as logfile:
        run_dev = subprocess.Popen(
            [os.path.join(TOOLS_DIR, "run-dev.py")], stdout=logfile, stderr=subprocess.STDOUT
        )
-        failure, log = start_server(logfile_name)
+        failure, log = start_server(logfile.name)
    run_dev.send_signal(signal.SIGINT)
    run_dev.wait()
--- a/zerver/lib/debug.py
+++ b/zerver/lib/debug.py
@ -85,7 +85,8 @@ def tracemalloc_listen() -> None:
    listener_pid = os.getpid()
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
-    path = f"/tmp/tracemalloc.{os.getpid()}"
+    os.makedirs(settings.TRACEMALLOC_DUMP_DIR, exist_ok=True)
    path = os.path.join(settings.TRACEMALLOC_DUMP_DIR, f"tracemalloc.{os.getpid()}")
    sock.bind(path)
    thread = threading.Thread(target=lambda: tracemalloc_listen_sock(sock), daemon=True)
    thread.start()
@ -96,7 +97,7 @@ def maybe_tracemalloc_listen() -> None:
    """If tracemalloc tracing enabled, listen for requests to dump a snapshot.
    To trigger once this is listening:
-      echo | socat -u stdin unix-sendto:/tmp/tracemalloc.$pid
+      echo | socat -u stdin unix-sendto:/var/log/zulip/tracemalloc/tracemalloc.$pid
    To enable in the Zulip web server: edit /etc/zulip/uwsgi.ini ,
    and add e.g. ` PYTHONTRACEMALLOC=5` to the `env=` line.
--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@ -1,5 +1,6 @@
 import cProfile
 import logging
 import tempfile
 import time
 import traceback
 from typing import Any, AnyStr, Callable, Dict, Iterable, List, MutableMapping, Optional, Tuple
@ -277,8 +278,11 @@ def write_log_line(
    if settings.PROFILE_ALL_REQUESTS:
        log_data["prof"].disable()
-        profile_path = "/tmp/profile.data.{}.{}".format(path.split("/")[-1], int(time_delta * 1000))
+        with tempfile.NamedTemporaryFile(
-        log_data["prof"].dump_stats(profile_path)
+            prefix="profile.data.{}.{}.".format(path.split("/")[-1], int(time_delta * 1000)),
            delete=False,
        ) as stats_file:
            log_data["prof"].dump_stats(stats_file.name)
    # Log some additional data whenever we return certain 40x errors
    if 400 <= status_code < 500 and status_code not in [401, 404, 405]:
--- a/zerver/tests/test_realm_export.py
+++ b/zerver/tests/test_realm_export.py
@ -55,7 +55,7 @@ class RealmExportTest(ZulipTestCase):
        args = mock_export.call_args_list[0][1]
        self.assertEqual(args["realm"], admin.realm)
        self.assertEqual(args["public_only"], True)
-        self.assertIn("/tmp/zulip-export-", args["output_dir"])
+        self.assertTrue(os.path.basename(args["output_dir"]).startswith("zulip-export-"))
        self.assertEqual(args["threads"], 6)
        # Get the entry and test that iago initiated it.
@ -125,7 +125,7 @@ class RealmExportTest(ZulipTestCase):
        args = mock_export.call_args_list[0][1]
        self.assertEqual(args["realm"], admin.realm)
        self.assertEqual(args["public_only"], True)
-        self.assertIn("/tmp/zulip-export-", args["output_dir"])
+        self.assertTrue(os.path.basename(args["output_dir"]).startswith("zulip-export-"))
        self.assertEqual(args["threads"], 6)
        # Get the entry and test that iago initiated it.
--- a/zerver/worker/queue_processors.py
+++ b/zerver/worker/queue_processors.py
@ -1080,7 +1080,7 @@ class TestWorker(QueueProcessingWorker):
    # This worker allows you to test the queue worker infrastructure without
    # creating significant side effects.  It can be useful in development or
    # for troubleshooting prod/staging.  It pulls a message off the test queue
-    # and appends it to a file in /tmp.
+    # and appends it to a file in /var/log/zulip.
    def consume(self, event: Mapping[str, Any]) -> None:  # nocoverage
        fn = settings.ZULIP_WORKER_TEST_FILE
        message = orjson.dumps(event)
--- a/zproject/computed_settings.py
+++ b/zproject/computed_settings.py
@ -694,7 +694,7 @@ RETENTION_LOG_PATH = zulip_path("/var/log/zulip/message_retention.log")
 AUTH_LOG_PATH = zulip_path("/var/log/zulip/auth.log")
 SCIM_LOG_PATH = zulip_path("/var/log/zulip/scim.log")
-ZULIP_WORKER_TEST_FILE = "/tmp/zulip-worker-test-file"
+ZULIP_WORKER_TEST_FILE = zulip_path("/var/log/zulip/zulip-worker-test-file")
 if IS_WORKER: