The current query only flags deprecated/insecure temporary file APIs like tempfile.mktemp and tempfile.tmpnam. However, a modern and equally dangerous source pattern involves tempfile.NamedTemporaryFile(delete=False) where the generated filename is returned or exposed elsewhere.
I encountered this pattern in a real-world GitHub repository. When delete=False is used, the temporary file persists after the context manager exits or the file handle is closed. Returning or exposing the filename creates a race window.
import tempfile

def save_file_to_temp(file_obj):
    with tempfile.NamedTemporaryFile(delete=False) as temp_file:
        file_obj.seek(0)  # Go to the start of the file
        temp_file.write(file_obj.read())
    # delete=False: the file survives the with block, and its path is handed out
    return temp_file.name
Since this uses a standard API rather than a deprecated one, linters won't flag it, making it easy to overlook.
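To show what a check for this pattern has to look at, here is an added example that is not part of the original post or of any existing query: a small AST-based detector that flags a function when a NamedTemporaryFile(delete=False) handle is bound (via `with ... as` or assignment) and that handle's `.name` is returned. The two embedded samples are constructed for the demonstration; the first reproduces the pattern from the post, the second keeps the default delete=True and consumes the path inside the function, so no persistent filename escapes. Function and class names are my own.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    """One leaked persistent temp-file name: where it was returned and from what."""
    function: str
    variable: str
    line: int


def _is_named_tempfile_call(node: ast.AST) -> bool:
    # Matches tempfile.NamedTemporaryFile(...) and a bare NamedTemporaryFile(...)
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return name == "NamedTemporaryFile"


def _delete_is_false(call: ast.Call) -> bool:
    # Only the explicit delete=False keyword makes the file outlive the handle
    for kw in call.keywords:
        if kw.arg == "delete" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
            return True
    return False


def find_persistent_tempfile_leaks(source: str) -> list[Finding]:
    """Return findings for every function that returns <handle>.name of a delete=False temp file."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        persistent: dict[str, int] = {}  # variable name -> line where it was bound
        for node in ast.walk(func):
            if isinstance(node, ast.withitem) and _is_named_tempfile_call(node.context_expr) \
                    and _delete_is_false(node.context_expr):
                if isinstance(node.optional_vars, ast.Name):
                    persistent[node.optional_vars.id] = node.context_expr.lineno
            elif isinstance(node, ast.Assign) and _is_named_tempfile_call(node.value) \
                    and _delete_is_false(node.value):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        persistent[target.id] = node.lineno
        if not persistent:
            continue
        # Sink: `return <handle>.name` anywhere in the same function
        for node in ast.walk(func):
            if (isinstance(node, ast.Return)
                    and isinstance(node.value, ast.Attribute)
                    and node.value.attr == "name"
                    and isinstance(node.value.value, ast.Name)
                    and node.value.value.id in persistent):
                findings.append(Finding(func.name, node.value.value.id, node.lineno))
    return findings


# Constructed sample: the pattern from the post (delete=False, name returned).
VULNERABLE_SAMPLE = '''
import tempfile

def save_file_to_temp(file_obj):
    with tempfile.NamedTemporaryFile(delete=False) as temp_file:
        file_obj.seek(0)
        temp_file.write(file_obj.read())
    return temp_file.name
'''

# Constructed sample: default delete=True, path consumed before the block exits.
SAFE_SAMPLE = '''
import tempfile

def scan_upload(file_obj, scanner):
    with tempfile.NamedTemporaryFile() as temp_file:
        temp_file.write(file_obj.read())
        temp_file.flush()
        return scanner(temp_file.name)
'''


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(label, find_persistent_tempfile_leaks(sample))
```

The detector is deliberately narrow: it tracks the binding of the handle and a `return` of its `.name` within one function, which is the exact shape reported above. A production query would also follow the name through assignments, attribute stores and calls (the "exposed elsewhere" case), but the source/sink pair shown here is the core a taint query needs.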