Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix improper method call mktemp #2195

Merged
merged 3 commits into from
Nov 22, 2023
Merged

Fix improper method call mktemp #2195

merged 3 commits into from
Nov 22, 2023

Conversation

fazledyn-or
Copy link
Contributor

Details

While triaging your project, our bug fixing tool generated the following message(s)-

In file: generators.py, there is a method that creates a temporary file using an unsafe API mktemp. The use of this method is discouraged in the Python documentation. iCR suggested that a temporary file should be created using mkstemp which is a safe API. iCR replaced the usage of mktemp with mkstemp.

Resources Related to mktemp

Changes

  • Replaced mktemp() method with mkstemp()
  • Closed the opened file-descriptor in file spikeinterface/src/spikeinterface/extractors/mdaextractors.py

Previously Found & Fixed

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).
- Git Commit SignOff documentation

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

@h-mayorquin
Copy link
Collaborator

Hi, Thanks a lot your contribution.

changing the mktemp method makes sense. Can you elaborate on the problem with the file descriptor?

@fazledyn-or
Copy link
Contributor Author

Hi, Thanks a lot your contribution.

changing the mktemp method makes sense. Can you elaborate on the problem with the file descriptor?

Certainly!

In Linux, each processes are allocated 1024 file descriptors by default. Among those, 0 to 2 are assigned to stdin, stdout, and stderr by default. As a result, only 1021 more file descriptors can be opened by the process itself. Opening files using file-descriptors but not closing them can lead to a file-descriptor exhaustion. CWE-7775

For example -

from tempfile import mkstemp

def call_mkstemp():
    fd, name = mkstemp()

for i in range(1100):
    print(i, end=", ")
    call_mkstemp()

Executing this code will result in an error when the 1022nd file desciptor is asked to be opened. Since the fd isn't getting closed, it's resulting in a file descriptor leak. As a good practice, we must close the file-descriptors that we open ourselves.

@alejoe91 alejoe91 added core Changes to core module generators Related to generator tools enhancement New feature or request extractors Related to extractors module and removed core Changes to core module labels Nov 14, 2023
@alejoe91
Copy link
Member

Thanks @fazledyn-or

@fazledyn-or fazledyn-or requested a review from alejoe91 November 14, 2023 11:26
@fazledyn-or
Copy link
Contributor Author

Is it okay to be merged?

@h-mayorquin
Copy link
Collaborator

It is fine by me, @samuelgarcia , anything you remember about why that descriptor is open? I don't know whether you or @alejoe91 ported that code.

@samuelgarcia
Copy link
Member

Hi.
Thanks for this.
Coudl we have a better approach wit a with: rather than an explicit os.close ?

@fazledyn-or
Copy link
Contributor Author

I'm afraid that there's no context manager available for mkstemp method. See, the mkstemp method itself opens the fd and returns the value to us. It's upon us to close it. We have even seen other open source projects doing it (os.close(fd))

  1. However, there's another approach to this by using NamedTemporaryFile. In that case, you can use a context manager.
with tempfile.NamedTemporaryFile() as temp:
    temp.write('Some data')
    temp.flush()
  1. If you're still interested in using mkstemp, then doing something as below won't require an os.close(fd) statement
from tempfile import mkstemp
fd, name = mkstemp()
with open(fd, "w") as f:
    f.write("something")
  1. Same approach as 2 but using os.fdopen() to open the file.

References

@alejoe91
Copy link
Member

Let's merge this but change to context with tempfile.TemporaryFile() later @h-mayorquin

@alejoe91 alejoe91 merged commit 1cdcd5b into SpikeInterface:main Nov 22, 2023
9 checks passed
@h-mayorquin h-mayorquin mentioned this pull request Nov 22, 2023
Merged
@h-mayorquin
Copy link
Collaborator

Thanks for your contribution @fazledyn-or!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alejoe91 alejoe91 Awaiting requested review from alejoe91

Assignees
No one assigned
Labels
enhancement New feature or request extractors Related to extractors module generators Related to generator tools
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fazledyn-or @h-mayorquin @alejoe91 @samuelgarcia