349 html += """<p>That is all...</p>"""
350 # debugging
351 if len(sys.argv) == 3:
352 with open("/tmp/out.html", "w", encoding="utf-8") as fh:353 fh.write(html)
354 msg = MIMEMultipart("alternative")
355 msg["Subject"] = (738 _s = smtplib.SMTP("localhost")
739 _s.sendmail(msg["From"], msg["To"], msg.as_string())
740 _s.quit()
741 os.unlink("/tmp/cscap.xlsx")742 pgconn = get_dbconn("sustainablecorn")
743 cursor = pgconn.cursor()
744 cursor.execute(727 tmpfn = ("cscap_%s.xlsx") % (
728 datetime.datetime.utcnow().strftime("%Y%m%d%H%M%S"),
729 )
730 shutil.copyfile("/tmp/cscap.xlsx", "/var/webtmp/%s" % (tmpfn,))731 uri = "https://datateam.agron.iastate.edu/tmp/%s" % (tmpfn,)
732 etext = EMAILTEXT % (
733 datetime.datetime.utcnow().strftime("%d %B %Y %H:%M:%S"),675 missing = environ.get("custom_missing", "M")
676 detectlimit = environ.get("detectlimit", "1")
677
678 writer = pd.ExcelWriter("/tmp/cscap.xlsx", engine="xlsxwriter")679
680 # First sheet is Data Dictionary
681 if "SHM5" in shm: 8
9X = {"Arlington": "ARL", "Marshfield": "MAR", "Lancaster": "LAN"}
10
11df = pd.read_excel("/tmp/weather11-15.xls")12print("Found %s entries, columns: %s" % (len(df.index), df.columns))
13df["station"] = df["Location"].apply(lambda x: X[x])
14for i, row in df.iterrows():Using hardcoded temp directory is unsafe. The program can be tricked into performing file actions against the wrong file or using a malicious file instead of the expected temporary file. Prefer using tempfile
Malicious users can predict the file name and write to the directory containing the temporary file. They effectively hijack the temporary file by creating a symlink with the name of the temporary file before the program creates the file itself. This allows a malicious user to supply malicious data or cause actions by the program to affect the attacker chosen files.
tempfile.TemporaryFile function should be used to safely create temporary files. Besides creating temporary files safely, it creates random filenames, which can not be predicted, and cleans up the file automatically.
Bad practice
with open('/tmp/abc', 'w') as f: # Insecure, Hard coded temporary directory used
f.write('stuff')
Recommended
import tempfile
# Secure, temporary file is created using tempfile.TemporaryFile
# File will be deleted on close
with tempfile.TemporaryFile() as tmp:
tmp.write('stuff')
References:
- OWASP Top 10 2021 Category A04 - Insecure Design
- CWE 377 - Insecure Temporary File
- Python tempfile