Fixed Improper Method Call: Replaced `mktemp`
Description
While triaging your project, our bug fixing tool generated the following message(s):
In file: export_olx.py, there is a method that creates a temporary file using an unsafe API, mktemp. The use of this method is discouraged in the Python documentation. iCR suggested that a temporary file should be created using mkstemp, which is a safe API. iCR replaced the usage of mktemp with mkstemp.
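The two patterns the description contrasts, as an added illustration (constructed example code, not the edx-platform `export_olx.py` change itself): `mktemp()` only hands back a name, leaving a window in which another process can create or symlink that path before the caller opens it, whereas `mkstemp()` creates the file atomically with `O_EXCL` and mode 0600 and returns the open descriptor.

```python
import os
import stat
import tempfile

# Constructed example of the bug class fixed in this PR (not project code).


def export_with_mktemp(data: bytes) -> str:
    """Vulnerable pattern: mktemp() returns a name but creates nothing, so the
    path can be pre-created or symlinked by another user before open() runs."""
    path = tempfile.mktemp(suffix=".tar.gz")  # name only, no file yet
    assert not os.path.exists(path)           # the race window opens here
    with open(path, "wb") as fh:              # follows symlinks; umask-based mode
        fh.write(data)
    return path


def export_with_mkstemp(data: bytes) -> str:
    """Fixed pattern: mkstemp() creates the file with O_CREAT|O_EXCL and mode
    0o600 and returns an open descriptor, so there is no window to race."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    try:
        with os.fdopen(fd, "wb") as fh:       # wraps and later closes the fd
            fh.write(data)
    except BaseException:
        os.unlink(path)                       # do not leave a partial export
        raise
    return path


def is_private(path: str) -> bool:
    """True if path is a regular file (not a symlink) readable only by its owner."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def read_and_remove(path: str) -> bytes:
    """Read the exported bytes back and delete the temporary file."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.unlink(path)
    return data
```

The mode check only holds for the `mkstemp()` file; the `mktemp()` file's permissions depend on the process umask, which is one more reason the safe API is preferred.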
Resources Related to mktemp
- POC - Improper Method Call - python - mktemp.mp4
- MISC - Python - Taking a peek under the tempfile library.mp4
Changes
- Replaced `mktemp()` method with `mkstemp()`
Previously Found & Fixed
- https://www.github.com/spcl/dace/pull/1428
- https://www.github.com/invesalius/invesalius3/pull/679
- https://www.github.com/Azure/azure-linux-extensions/pull/1816
- https://www.github.com/celery/billiard/pull/394
CLA Requirements
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
All contributed commits are already automatically signed off.
The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information). - Git Commit SignOff documentation
Sponsorship and Support
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.
The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.
Thanks for the pull request, @fazledyn-or!
What's next?
Please work through the following steps to get your changes ready for engineering review:
:radio_button: Get product approval
If you haven't already, check this list to see if your contribution needs to go through the product review process.
- If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
- This process (including the steps you'll need to take) is documented here.
- If it doesn't, simply proceed with the next step.
:radio_button: Provide context
To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
- Dependencies
This PR must be merged before / after / at the same time as ...
- Blockers
This PR is waiting for OEP-1234 to be accepted.
- Timeline information
This PR must be merged by XX date because ...
- Partner information
This is for a course on edx.org.
- Supporting documentation
- Relevant Open edX discussion forum threads
:radio_button: Get a green build
If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.
:radio_button: Let us know that your PR is ready for review:
Who will review my changes?
This repository is currently maintained by @openedx/wg-maintenance-edx-platform. Tag them in a comment and let them know that your changes are ready for review.
Where can I find more information?
If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:
- Overview of Review Process for Community Contributions
- Pull Request Status Guide
- Making changes to your pull request
When can I expect my changes to be merged?
Our goal is to get community contributions seen and reviewed as efficiently as possible.
However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
- The size and impact of the changes that it introduces
- The need for product review
- Maintenance status of the parent repository
:bulb: As a result it may take up to several weeks or months to complete a review and merge your PR.
Hi @fazledyn-or, thank you for this contribution! Please let me know if you have any questions regarding completing a CLA form. Thanks!
Yeah, thanks for asking. Actually, I do need some help.
What do I put in these two fields?
@fazledyn-or I notice there are some commit-lint failures. Please note that we use conventional commits across Open edX projects. You can read about the details here. Can you please amend your commit messages to follow our standard?
@fazledyn-or in the contributions field you can just put "N/A."
Are you contributing on behalf of OpenRefactory-Inc or on your own behalf?
I've updated my commit message. Please have a look.
Hi @fazledyn-or! Just checking to see if you plan to pursue this pull request? If so, it looks like you'll need to re-run the checks. Thanks!
Yes, I do. My first commit message had a lint failure, so I updated the commit message and pushed. Looks like the workflows need to be re-run by one of the maintainers. Without re-running them, I can't say whether I need to update something or not.
@fazledyn-or great! I'll mark this for our team to re-run the checks.
Your branch is behind the base. I've pulled in changes from master as a merge commit which will update your branch and cause the tests to be re-run.
Hi @fazledyn-or! Is this still in-progress?
Yes. I don't think I have anything more to add. I've already made changes that were required, filled and submitted the form.
If you need me to do anything to get it merged to the source code, please let me know.
I'll be glad to do so.
@fazledyn-or - It looks like a few more tests need to be run. Please let me know if you have any questions!
Yes, you're correct.
One of the maintainers should run the tests. I don't have the permissions to do so. I've already mentioned it in one of my old comments.