security - refactor azure test code to not use insecure tempfile methods. #6985
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
kapilt
changed the title
|
most of this appears related to the azure provider test code, aka not an issue in practice, but scanners gonna scan. ie zero of this is runtime operational. that said, i agree these are poor uses of tempfile in this provider, and should be replaced |
|
@kennethkaane can you please go through the cncf contributor agreement process. [update] direct link https://api.easycla.lfx.linuxfoundation.org/v2/repository-provider/github/sign/14202841/52837350/6985/#/?version=2 |
Hi @kapilt, I have completed the CNCF contributor agreement process. |
|
it looks like some of the earlier commits were done with a github user which the cla bot doesn't recognize, can you rebase those or amend those commits? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SonarQube scan reports five vulnerabilities with critical severity in the Cloud Custodian code. They arise from the use of the insecure 'tempfile.mktemp' function. Creating temporary files using insecure methods exposes the application to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted, or deleted. This risk is even higher if the application runs with elevated permissions.
In the past, it has led to the following vulnerabilities:
The resolution is to use 'tempfile.TemporaryFile' function instead.