From 9117238c218ed4b26290a8028536a2a8e2eac50b Mon Sep 17 00:00:00 2001
From: openrefactory
Date: Wed, 31 Aug 2022 12:53:20 +0600
Subject: [PATCH] Suggested fixes by iCR, OpenRefactory, Inc.

---
 git/index/base.py | 6 +++++-
 git/index/util.py | 4 +++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/git/index/base.py b/git/index/base.py
index 10f8b8b25..797e54e13 100644
--- a/git/index/base.py
+++ b/git/index/base.py
@@ -4,6 +4,7 @@
 # This module is part of GitPython and is released under
 # the BSD License: http://www.opensource.org/licenses/bsd-license.php
+from ast import Delete
 import glob
 from io import BytesIO
 import os
@@ -351,7 +352,10 @@ def from_tree(cls, repo: "Repo", *treeish: Treeish, **kwargs: Any) -> "IndexFile
         # tmp file created in git home directory to be sure renaming
         # works - /tmp/ dirs could be on another device
-        tmp_index = tempfile.mktemp("", "", repo.git_dir)
+
+        # OpenRefactory Warning: The method 'tempfile.mktemp' creates temporary file in an insecure way.
+        # use 'NamedTemporaryFile' instead of using 'mktemp' to create temporary file
+        tmp_index = tempfile.NamedTemporaryFile("", "", repo.git_dir).name
         arg_list.append("--index-output=%s" % tmp_index)
         arg_list.extend(treeish)
diff --git a/git/index/util.py b/git/index/util.py
index bfc7fadd6..a3aac43de 100644
--- a/git/index/util.py
+++ b/git/index/util.py
@@ -40,7 +40,9 @@ class TemporaryFileSwap(object):
     def __init__(self, file_path: PathLike) -> None:
         self.file_path = file_path
-        self.tmp_file_path = str(self.file_path) + tempfile.mktemp("", "", "")
+        # OpenRefactory Warning: The method 'tempfile.mktemp' creates temporary file in an insecure way.
+        # use 'NamedTemporaryFile' instead of using 'mktemp' to create temporary file
+        self.tmp_file_path = str(self.file_path) + tempfile.NamedTemporaryFile("", "", "").name
         # it may be that the source does not exist
         try:
             os.rename(self.file_path, self.tmp_file_path)
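Review bot: The added `from ast import Delete` in the first hunk of git/index/base.py is not used by anything this patch touches and is unrelated to temporary-file handling; `ast.Delete` is an AST node class, so this reads like an editor auto-import that slipped into the commit. A dead import of a name that sounds like file deletion is also an easy source of confusion in a module that renames and removes files. Drop the line, or if it is needed by code outside the visible hunks, move it into the stdlib group in alphabetical order rather than wedging it between the license header and `import glob`.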
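Review bot: The replacement line `tmp_index = tempfile.NamedTemporaryFile("", "", repo.git_dir).name` in the from_tree hunk does not do what the warning comment says: NamedTemporaryFile's positional parameters are `mode, buffering, encoding, ...`, not mktemp's `suffix, prefix, dir`, so this passes mode="" and buffering="" and will raise when the file is opened instead of creating a file in repo.git_dir. Even with the keywords corrected, the wrapper object is discarded on the same line, which closes and deletes the file as soon as it is collected, so `.name` again points at a path that no longer exists and the predictable-path race mktemp was flagged for is not actually closed. The original comment's reason for using git_dir (the rename must stay on one device) is the real constraint, so create the placeholder there with `fd, tmp_index = tempfile.mkstemp(dir=repo.git_dir)` followed by `os.close(fd)`; git's `--index-output` renames its own lockfile over that path, which should tolerate the empty pre-existing file, but that is worth confirming against the git version you support. The two "OpenRefactory Warning" lines describe a scanner finding rather than the code's intent and should be replaced by a one-line why-comment such as `# mkstemp creates the file atomically; a bare name from mktemp could be raced`. The body of from_tree continues before and after this hunk, and the same mis-ordered positional call is repeated in the git/index/util.py hunk of this patch.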
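Review bot: The new `self.tmp_file_path = str(self.file_path) + tempfile.NamedTemporaryFile("", "", "").name` in TemporaryFileSwap.__init__ has the same positional mismatch as the base.py hunk (mode="", buffering="", encoding="") and will raise rather than produce a name; and even once fixed, `.name` is an absolute path under the system temp directory, so concatenating it onto `str(self.file_path)` yields a path like `<file_path>/tmp/tmpXXXX` that does not exist, while the file itself is deleted the moment the unreferenced wrapper is collected. The securely created file must live next to file_path so the `os.rename` below stays on one filesystem, which mktemp's `dir=""` never guaranteed either. Replace the assignment with `dirname, basename = os.path.split(str(self.file_path))`, `fd, self.tmp_file_path = tempfile.mkstemp(prefix=basename, dir=dirname)`, `os.close(fd)`. Because the destination now exists, the rename must be allowed to overwrite it; `os.rename` does that on POSIX but fails on Windows when the target exists, so `os.replace` is the portable call. The `try` opened at the end of this hunk and the rest of __init__ continue outside the visible lines.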