2020-06-30 12:50:28 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
file = open("/tmp/temporary_file","w+") # Sensitive
|
|
|
|
|
----
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2020-06-30 12:50:28 +02:00
|
|
|
----
|
|
|
|
|
tmp_dir = os.environ.get('TMPDIR') # Sensitive
|
|
|
|
|
file = open(tmp_dir+"/temporary_file","w+")
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
import tempfile
|
|
|
|
|
|
|
|
|
|
file = tempfile.TemporaryFile(dir="/tmp/my_subdirectory", mode='"w+") # Compliant
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== See
|
|
|
|
|
|
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
|
|
|
* http://cwe.mitre.org/data/definitions/377[MITRE, CWE-377] - Insecure Temporary File
|
|
|
|
|
* http://cwe.mitre.org/data/definitions/379[MITRE, CWE-379] - Creation of Temporary File in Directory with Incorrect Permissions
|
|
|
|
|
* https://www.owasp.org/index.php/Insecure_Temporary_File[OWASP, Insecure Temporary File]
|
|
|
|
|
* https://docs.python.org/3/library/tempfile.html[Python tempfile module]
|
