security - refactor azure test code to not use insecure tempfile methods. #6985
base: main
Conversation
Most of this appears related to the Azure provider test code, aka not an issue in practice, but scanners gonna scan. I.e. zero of this is runtime operational. That said, I agree these are poor uses of tempfile in this provider and should be replaced.
@kennethkaane, can you please go through the CNCF contributor agreement process? [update] Direct link: https://api.easycla.lfx.linuxfoundation.org/v2/repository-provider/github/sign/14202841/52837350/6985/#/?version=2
Hi @kapilt, I have completed the CNCF contributor agreement process.
It looks like some of the earlier commits were done with a GitHub user which the CLA bot doesn't recognize; can you rebase or amend those commits?
SonarQube scan reports five vulnerabilities with critical severity in the Cloud Custodian code. They arise from the use of the insecure 'tempfile.mktemp' function. Creating temporary files using insecure methods exposes the application to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted, or deleted. This risk is even higher if the application runs with elevated permissions.
In the past, it has led to the following vulnerabilities:
The resolution is to use the 'tempfile.TemporaryFile' function instead.
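Added example, not code from this PR or from the Cloud Custodian code base: the safe replacement the description points at (TemporaryFile, with mkstemp as the variant for when a path rather than a file object is needed), plus a small AST check that flags the tempfile.mktemp calls a scanner such as SonarQube reports. The SAMPLE source it scans is constructed for the demo.

```python
import ast
import os
import stat
import tempfile


def write_scratch_secure(data: bytes) -> bytes:
    """TemporaryFile creates and opens the file in one step (O_CREAT|O_EXCL,
    mode 0600), so there is no window between choosing a name and opening it
    in which a pre-created file at that name could be handed to us."""
    with tempfile.TemporaryFile() as fh:
        fh.write(data)
        fh.seek(0)
        return fh.read()


def mkstemp_is_private() -> bool:
    """When a path is required, mkstemp gives the same atomic create+open
    guarantee as TemporaryFile and returns the name alongside the fd."""
    fd, path = tempfile.mkstemp()
    try:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
        os.unlink(path)
    # POSIX: mkstemp opens with 0600; Windows has no POSIX mode bits to check.
    return os.name != "posix" or mode == 0o600


def find_mktemp_calls(source: str) -> list:
    """Return line numbers of tempfile.mktemp() calls, whether written as
    'tempfile.mktemp(...)' or imported bare via 'from tempfile import mktemp'."""
    tree = ast.parse(source)
    bare = set()  # local names bound to tempfile.mktemp by 'from' imports
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "tempfile":
            bare.update(a.asname or a.name for a in node.names if a.name == "mktemp")
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr == "mktemp"
                and isinstance(f.value, ast.Name) and f.value.id == "tempfile"):
            hits.append(node.lineno)
        elif isinstance(f, ast.Name) and f.id in bare:
            hits.append(node.lineno)
    return sorted(hits)


SAMPLE = """\
import tempfile
from tempfile import mktemp as mk

def scratch():
    p = tempfile.mktemp(suffix=".json")  # flagged: name only, file not created
    q = mk()                              # flagged: same call, aliased import
    return tempfile.mkstemp()             # fine: created atomically with 0600
"""
```

Running find_mktemp_calls(SAMPLE) returns [5, 6], the two lines a scanner would report; 'import tempfile as tf' aliases are not tracked, which is a simplification of this demo.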