Add support for os.tempnam and os.tmpnam.

Author: taus-semmle

python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp

@@ -3,13 +3,14 @@
 
 <overview>
 <p>
-Creating a new temporary file using the <code>mktemp</code> function in the
-<code>tempfile</code> does not ensure exclusive access to the file, as it simply
-returns a filename that is guaranteed to be unique at the point when
-<code>mktemp</code> returns. Opening a file with this name must then happen
-separately, and there is no guarantee that these operations will happen
-atomically. Because of this, it may be possible for an attacker to interfere
-with the file before it is opened.
+Functions that create temporary file names (such as <code>tempfile.mktemp</code>
+and <code>os.tempnam</code>) are fundamentally insecure, as they do not
+ensure exclusive access to a file with the temporary name they return.
+The file name returned by these functions is guaranteed to be unique on
+creation but the file must be opened in a separate operation. There is no
+guarantee that the creation and open operations will happen atomically. This
+provides an opportunity for an attacker to interfere with the file before it is
+opened.
 </p>
 <p>
 Note that <code>mktemp</code> has been deprecated since Python 2.3.
@@ -28,8 +29,8 @@ file is intended to be accessed from other processes, consider using the
 <example>
 <p>
 The following piece of code opens a temporary file and writes a set of results
-to it. Because the filename is created using <code>mktemp</code>, another
-process may have accessed this file before it is opened using <code>open</code>.
+to it. Because the file name is created using <code>mktemp</code>, another
+process may access this file before it is opened using <code>open</code>.
 </p>
 <sample src="InsecureTemporaryFile.py" />
 

python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql

@@ -1,6 +1,6 @@
 /**
  * @name Insecure temporary file
- * @description Creating a temporary file using mktemp may be insecure.
+ * @description Creating a temporary file name may be insecure.
  * @id py/insecure-temporary-file
  * @problem.severity error
  * @sub-severity high
@@ -11,10 +11,21 @@
 
 import python
 
-FunctionObject mktemp() {
-    result = any(ModuleObject m | m.getName() = "tempfile").getAttribute("mktemp")
+FunctionObject temporary_name_function(string mod, string function) {
+    (
+        mod = "tempfile" and function = "mktemp"
+        or
+        mod = "os" and
+        (
+            function = "tmpnam"
+            or
+            function = "tempnam"
+        )
+    ) and
+    result = any(ModuleObject m | m.getName() = mod).getAttribute(function)
 }
 
-from CallNode c
-where c.getFunction().refersTo(mktemp())
-select c, "Call to deprecated function mktemp may be insecure."
+from CallNode c, string mod, string function
+where
+  c.getFunction().refersTo(temporary_name_function(mod, function))
+select c, "Call to deprecated function $@.$@ may be insecure.", mod, function

python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.expected

@@ -1 +1 @@
-| InsecureTemporaryFile.py:4:16:4:23 | ControlFlowNode for mktemp() | Call to deprecated function mktemp may be insecure. |
+| InsecureTemporaryFile.py:5:16:5:23 | ControlFlowNode for mktemp() | Call to deprecated function $@.$@ may be insecure. | tempfile | mktemp |

python/ql/test/query-tests/Security/CWE-377/InsecureTemporaryFile.py

@@ -1,7 +1,20 @@
 from tempfile import mktemp
+import os
 
-def write_results(results):
+def write_results1(results):
     filename = mktemp()
     with open(filename, "w+") as f:
         f.write(results)
     print("Results written to", filename)
+
+def write_results2(results):
+    filename = os.tempnam()
+    with open(filename, "w+") as f:
+        f.write(results)
+    print("Results written to", filename)
+
+def write_results3(results):
+    filename = os.tmpnam()
+    with open(filename, "w+") as f:
+        f.write(results)
+    print("Results written to", filename)