oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

luigi tmp vuln

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 09 Sep 2014 00:57:12 -0600
https://pypi.python.org/pypi/luigi
luigi-1.0.17/luigi/hdfs.py

We have a creative attempt to implement mkstemp:

def tmppath(path=None):
    """
    @param path: target path for which it is needed to generate
temporary location
    @type path: str
    @rtype: str
    """
    addon = "luigitemp-%08d" % random.randrange(1e9)
    temp_dir = tempfile.gettempdir()

    #1. Figure out to which temporary directory to place
    configured_hdfs_tmp_dir = configuration.get_config().get('core',
'hdfs-tmp-dir', None)
    if configured_hdfs_tmp_dir is not None:
        #config is superior
        base_dir = configured_hdfs_tmp_dir
    elif path is not None:
        #need to copy correct schema and network location
        parsed = urlparse.urlparse(path)
        base_dir = urlparse.urlunparse((parsed.scheme, parsed.netloc,
temp_dir, '', '', ''))
    else:
        #just system temporary directory
        base_dir = temp_dir

    #2. Figure out what to place
    if path is not None:
        if path.startswith(temp_dir + '/'):
            #Not 100%, but some protection from directories like
/tmp/tmp/file
            subdir = path[len(temp_dir):]
        else:
            #Protection from /tmp/hdfs:/dir/file
            parsed = urlparse.urlparse(path)
            subdir = parsed.path
        subdir = subdir.lstrip('/') + '-'
    else:
        #just return any random temporary location
        subdir = ''

    return os.path.join(base_dir, subdir + addon)


And then it gets used:

class HdfsAtomicWriteDirPipe(luigi.format.OutputPipeProcessWrapper):
    """ Writes a data<data_extension> file to a directory at <path> """
    def __init__(self, path, data_extension=""):
        self.path = path
        self.tmppath = tmppath(self.path)
        self.datapath = self.tmppath + ("/data%s" % data_extension)
        super(HdfsAtomicWriteDirPipe, self).__init__([load_hadoop_cmd(),
'fs', '-put', '-', self.datapath])

===================================
                
luigi-1.0.17/luigi/interface.py

Also we have a PID file:

    lock_pid_dir = parameter.Parameter(
        is_global=True, default='/var/tmp/luigi',
        description='Directory to store the pid file')



-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: