radio-astro-tools / spectral-cube

Library for reading and analyzing astrophysical spectral data cubes
http://spectral-cube.rtfd.org
BSD 3-Clause "New" or "Revised" License

Fixed Improper Method Call: Replaced `mktemp` #895

Open fazledyn-or opened 7 months ago

fazledyn-or commented 7 months ago

Details

While triaging your project, our bug fixing tool generated the following message(s):

In file: dask_spectral_cube.py, there is a method that creates a temporary file using an unsafe API, mktemp. The use of this method is discouraged in the Python documentation. iCR suggested that a temporary file should be created using mkstemp, which is a safe API. iCR replaced the usage of mktemp with mkstemp.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information). - Git Commit SignOff documentation

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

keflavich commented 7 months ago

@astrofrog Could you evaluate this?

keflavich commented 6 months ago

See also #789

fazledyn-or commented 6 months ago

> See also #789

I'm hardly able to see the logs since they're old and have been cleaned.

The main difference between mktemp and mkstemp is that mktemp gives you a filename, whereas mkstemp creates the file for you with permission 600. I'm not familiar with zarr at all; if it requires the file to be physically absent (provided that zarr will create the file for you), then yes, mkstemp is not a good choice for you.

Let me know if I'm missing something here.
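The thread turns on two points: why `tempfile.mktemp` is unsafe (it returns a name but creates nothing, leaving a window in which another local user can claim the path), and what to do when a consumer such as a zarr store insists on creating the path itself, so that `mkstemp`'s pre-created file is unwelcome. The following is an added example written for this discussion; it is not code from the spectral-cube project or from the PR, and it does not call zarr. It simulates the `mktemp` race in-process, checks the guarantees `mkstemp` gives (atomic exclusive create, owner-only mode on POSIX), and shows the pattern a practitioner would reach for in the "path must not exist yet" case: make a private directory with `mkdtemp` (mode 0700, created atomically) and hand out an absent path inside it. The `.fits`/`.zarr` suffixes and the `cube-` prefix are illustrative choices, not anything the project uses.

```python
"""Added example for the mktemp/mkstemp discussion; not spectral-cube code.

Three checks, each returning True on a POSIX system:
  mktemp_leaves_window()  - a racer can hijack the name mktemp() hands out
  mkstemp_is_private()    - mkstemp() creates the file atomically, mode 0600
  absent_path_is_safe()   - mkdtemp() + a path inside it for consumers that
                            must create the target themselves (the zarr case)
Suffixes and prefixes below are illustrative assumptions.
"""
import os
import shutil
import stat
import tempfile


def mktemp_leaves_window() -> bool:
    """mktemp() only returns a name; it creates nothing. Until the caller's
    first open() any other local user can create that path (or a symlink from
    it to a file they want clobbered). Here a simulated racer claims the name
    first; the caller's naive open(path, "w") then writes into the racer's
    file without noticing. Returns True if the hijack succeeds."""
    path = tempfile.mktemp(suffix=".fits")     # deprecated API, used on purpose
    try:
        with open(path, "x") as f:             # simulated racer wins the window
            f.write("racer\n")
        racer_inode = os.stat(path).st_ino
        with open(path, "w") as f:             # caller: plain open, no O_EXCL
            f.write("cube data\n")
        return os.stat(path).st_ino == racer_inode   # same file: hijacked
    finally:
        os.unlink(path)


def mkstemp_is_private() -> bool:
    """mkstemp() opens the file with O_CREAT|O_EXCL and mode 0o600 and returns
    the descriptor, so there is no window between choosing and claiming the
    name. Verify both: group/other bits are clear (POSIX), and a second
    exclusive create of the same name fails because it already exists."""
    fd, path = tempfile.mkstemp(suffix=".fits")
    try:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        owner_only = (mode & 0o077) == 0
        try:
            os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
            exclusive = False                  # should not get here
        except FileExistsError:
            exclusive = True                   # the name is already ours
        return owner_only and exclusive
    finally:
        os.close(fd)
        os.unlink(path)


def reserve_absent_path(suffix: str = ".zarr") -> tuple[str, str]:
    """For a consumer that must create the target itself (zarr in the thread),
    mkstemp() is the wrong tool because the file would already exist. Create a
    private directory with mkdtemp() (atomic, mode 0o700) and return a not yet
    existing path inside it; only the owner can create entries there, so the
    name cannot be pre-claimed. Returns (tmpdir, target); the caller removes
    tmpdir when finished."""
    tmpdir = tempfile.mkdtemp(prefix="cube-")
    return tmpdir, os.path.join(tmpdir, "store" + suffix)


def absent_path_is_safe(suffix: str = ".zarr") -> bool:
    """Check the reserve_absent_path() guarantees: the directory is owner-only,
    the target is absent when handed out, and the consumer (simulated here by
    os.mkdir) can create it. Returns True if all three hold."""
    tmpdir, target = reserve_absent_path(suffix)
    try:
        dir_mode = stat.S_IMODE(os.stat(tmpdir).st_mode)
        private_dir = (dir_mode & 0o077) == 0
        absent = not os.path.lexists(target)
        os.mkdir(target)                       # stand-in for zarr creating the store
        return private_dir and absent and os.path.isdir(target)
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("mktemp name hijacked by racer:", mktemp_leaves_window())
    print("mkstemp file private and exclusive:", mkstemp_is_private())
    print("mkdtemp-reserved absent path usable:", absent_path_is_safe())
```

The point the third function makes is the one the last comment raises: the fix is not "always use mkstemp" but "never rely on a name nobody has claimed". If the consumer must create the path, claim the parent directory atomically instead, and if you already hold a name, create it with `O_EXCL` so a pre-existing file or symlink is an error rather than a silent overwrite.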