Closed: fazledyn-or closed this 10 months ago
Thanks for your report. I really appreciate it!
FYI I opted for a different and more cross-platform approach than the one you proposed. You can take a look at the fix at [1].
Thanks again!
[1] https://github.com/buffer/thug/commit/b28ffa5b9755a3b2a3548ee4760e69f2701645e6
Yup. `NamedTemporaryFile` or `mkstemp` is another approach to go. Glad to be of help!
Details
While triaging your project, our bug fixing tool generated the following message(s):
Notes
For example, let's take the following script:
After executing the script, we'd find two files called `thug-profiler-good.log` and `thug-profiler-bad.log` in the `/tmp` directory as below:
Here, we can see that the `thug-profiler-bad.log` file was created with permission 664 whereas the new `thug-profiler-good.log` file is created with permission 640. Since `/tmp` is a public folder that's accessible from everyone, it's recommended that special measures should be taken so that files written to this directory can't be overridden or removed by others.
Changes
Implemented an `opener()` method that opens the file with permission 644 (rw-r--r--).
CLA Requirements
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
All contributed commits are already automatically signed off.
Sponsorship and Support
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.
The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.
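The two approaches discussed in this thread side by side, as an added example that is neither thug's code nor the PR's patch: a custom `opener` for `open()` that creates the log with mode 0o640 (and refuses to follow a symlink where the platform supports `O_NOFOLLOW`), and the `mkstemp` alternative from the comments. The function names and the scratch directory standing in for `/tmp` are constructed for this example.

```python
import os
import stat
import tempfile


def secure_opener(path, flags):
    """Custom opener for open(): create the file as 0o640 (rw-r-----).

    O_NOFOLLOW (where the platform has it) refuses to open through a symlink,
    so a link planted in a world-writable directory cannot redirect the write.
    """
    flags |= getattr(os, "O_NOFOLLOW", 0)  # no-op on platforms without it
    return os.open(path, flags, 0o640)


def write_log(directory, name, text, opener=None):
    """Write text to directory/name and return the path.

    With opener=None this is the plain open() the report describes: the file
    is created 0o666 masked by the umask, typically 0o664 or 0o644.
    """
    path = os.path.join(directory, name)
    with open(path, "w", opener=opener) as fh:
        fh.write(text)
    return path


def write_private_log(text):
    """The alternative from the comment thread: mkstemp creates the file
    0o600 and atomically (O_EXCL), so nothing pre-existing can be reused."""
    fd, path = tempfile.mkstemp(prefix="thug-profiler-", suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def scratch_dir():
    """Constructed stand-in for /tmp so the demo does not touch the real one."""
    return tempfile.mkdtemp(prefix="thug-demo-")


if __name__ == "__main__":
    d = scratch_dir()
    bad = write_log(d, "thug-profiler-bad.log", "plain open()\n")
    good = write_log(d, "thug-profiler-good.log", "opener\n", secure_opener)
    private = write_private_log("mkstemp\n")
    for p in (bad, good, private):
        print(oct(mode_of(p)), p)
```

The exact bits on the plain-`open()` file depend on the process umask, which is why the report saw 664; the opener and `mkstemp` variants never grant write access to group or others regardless of umask.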