Fix B108: replace hardcoded /tmp with tempfile.gettempdir()
Lint / Python (flake8) (push) Successful in 40s
Lint / JS (eslint) (push) Successful in 8s
Security / Python Security (bandit) (push) Successful in 42s
Test / Python Tests (pytest) (push) Successful in 1m18s
Lint / Notify on failure (push) Has been skipped
Lint / Deploy (push) Successful in 8s
Lint / Python (flake8) (push) Successful in 40s
Lint / JS (eslint) (push) Successful in 8s
Security / Python Security (bandit) (push) Successful in 42s
Test / Python Tests (pytest) (push) Successful in 1m18s
Lint / Notify on failure (push) Has been skipped
Lint / Deploy (push) Successful in 8s
Bandit flags hardcoded /tmp strings as CWE-377 (insecure temp file). Use tempfile.gettempdir() for the avatar cache dir default so the path resolves correctly on all platforms and passes the security scan. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -10,6 +10,7 @@ import json
|
||||
import logging
|
||||
import os
|
||||
import re
|
||||
import tempfile
|
||||
import threading
|
||||
import time
|
||||
import uuid
|
||||
@@ -458,7 +459,7 @@ def api_avatar():
|
||||
|
||||
# Build a safe cache filename from the username (alphanumeric + - _ .)
|
||||
safe_name = re.sub(r'[^a-zA-Z0-9._-]', '_', username)
|
||||
cache_dir = ldap_cfg.get('cache_dir', '/tmp/gandalf_avatars')
|
||||
cache_dir = ldap_cfg.get('cache_dir', os.path.join(tempfile.gettempdir(), 'gandalf_avatars'))
|
||||
os.makedirs(cache_dir, exist_ok=True)
|
||||
cache_file = os.path.join(cache_dir, f'user_{safe_name}.jpg')
|
||||
sentinel = os.path.join(cache_dir, f'user_{safe_name}.none')
|
||||
|
||||
Reference in New Issue
Block a user