BAN-B108 · Hardcoded temporary directory detected

Hardcoded temporary directory detected BAN-B108

Security

Major

3 months ago — 3 months old

Probable insecure usage of temp file/directory.

106
107    fn = ",".join(stations)
108    res = open("/tmp/ss.xlsx", "rb").read()
109    os.unlink("/tmp/ss.xlsx")110    return res, fn
111
112

Probable insecure usage of temp file/directory.

htdocs/td/dl/wxdl.py

105        worksheet.freeze_panes(3, 0)
106
107    fn = ",".join(stations)
108    res = open("/tmp/ss.xlsx", "rb").read()109    os.unlink("/tmp/ss.xlsx")
110    return res, fn
111

Probable insecure usage of temp file/directory.

htdocs/td/dl/wxdl.py

 99    # re-establish the correct column sorting
100    df = df.reindex(cols, axis=1)
101
102    with pd.ExcelWriter("/tmp/ss.xlsx", engine="xlsxwriter") as writer:103        df.to_excel(writer, sheet_name="Daily Weather", index=False)
104        worksheet = writer.sheets["Daily Weather"]
105        worksheet.freeze_panes(3, 0)

Probable insecure usage of temp file/directory.

htdocs/td/dl/dl.py

477    msg.preamble = "Data"
478    try:
479        shutil.copyfile(f"/tmp/{tmpfn}", f"/var/webtmp/{tmpfn}")
480        os.unlink(f"/tmp/{tmpfn}")481    except PermissionError:
482        pass
483    uri = f"https://datateam.agron.iastate.edu/tmp/{tmpfn}"

Probable insecure usage of temp file/directory.

htdocs/td/dl/dl.py

476    msg["To"] = email
477    msg.preamble = "Data"
478    try:
479        shutil.copyfile(f"/tmp/{tmpfn}", f"/var/webtmp/{tmpfn}")480        os.unlink(f"/tmp/{tmpfn}")
481    except PermissionError:
482        pass

Description

Using hardcoded temp directory is unsafe. The program can be tricked into performing file actions against the wrong file or using a malicious file instead of the expected temporary file. Prefer using tempfile

Malicious users can predict the file name and write to the directory containing the temporary file. They effectively hijack the temporary file by creating a symlink with the name of the temporary file before the program creates the file itself. This allows a malicious user to supply malicious data or cause actions by the program to affect the attacker chosen files.

tempfile.TemporaryFile function should be used to safely create temporary files. Besides creating temporary files safely, it creates random filenames, which can not be predicted, and cleans up the file automatically.

Bad practice

with open('/tmp/abc', 'w') as f: # Insecure, Hard coded temporary directory used
    f.write('stuff')

References:

OWASP Top 10 2021 Category A04 - Insecure Design
CWE 377 - Insecure Temporary File
Python tempfile

isudatateam / datateam

Bad practice

Recommended

References: