[Solved] Use of Uid in FemInputWriter temp dir


Post by chennes »

LGTM complains about the following code in writerbase.py line 66:

Code:

        # if dir_name was not given or if it exists but is not empty: create a temporary dir
        # Purpose: makes sure the analysis can be run even on wired situation
        if not dir_name:
            self.dir_name = self.document.TransientDir.replace(
                "\\", "/"
            ) + "/FemAnl_" + analysis_obj.Uid[-4:]

The analyzer does not like the use of something called "Uid" (which it is interpreting as "user ID", I think) in a way that will expose it to the outside world in cleartext. LGTM actually classifies this as an "error", one of only two remaining in our code. So I'd like to make it go away, even if it's wrong :D .

Obviously we could tell LGTM to ignore it by adding a comment:

Code:

# lgtm [py/clear-text-storage-sensitive-data]

... but I hate those things, and you have to customize them for every analyzer you run (and we run three on a semi-regular basis!). So I'd rather solve it in the code itself. It looks to me like that is almost serving as a sort of random number to create a unique temp directory. If that is the case, there are a few simple solutions:
  1. Use the Python tempfile.TemporaryDirectory method to create a standard temp directory
  2. Use an actual random number instead of analysis_obj.Uid[-4:]
  3. Hash the Uid and use that instead (this will probably shut LGTM up, but give consistent, repeatable directories)
First, is my understanding correct? And second, does anyone have an opinion about which path I take?
Chris Hennes
Pioneer Library System

Re: Use of Uid in FemInputWriter temp dir

Post by bernd »

I totally agree with you.

I wondered when and how this came in, because in all other places we do use tempfile. ... https://github.com/FreeCAD/FreeCAD/comm ... 334794R222

This is even before I started to code on FreeCAD ...

It is just one of these code snippets moved and moved and never touched.

Sure, we could just use tempfile. For me it will take a few days to get this addressed. If you would not like to wait, go ahead and change it in master.

cheers bernd
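
Added example, not code from the thread or from FreeCAD: a sketch of options 1 and 3 from the list in the first post, following the rule stated in the quoted comment (use a temporary directory when `dir_name` is missing or exists but is not empty). The names `resolve_working_dir`, `hashed_dir_name` and `base_dir` (standing in for the document's TransientDir) are hypothetical, and creating a missing `dir_name` is an assumption.

```python
import hashlib
import os
import tempfile


def hashed_dir_name(base_dir, uid, prefix="FemAnl_"):
    """Option 3: repeatable directory name built from a digest of the Uid.

    The name is stable across runs, so it is also predictable, and this
    function only builds the path; it does not create the directory.
    """
    digest = hashlib.sha256(uid.encode("utf-8")).hexdigest()[:8]
    return os.path.join(base_dir, prefix + digest).replace("\\", "/")


def resolve_working_dir(dir_name, base_dir, prefix="FemAnl_"):
    """Option 1: keep a usable caller-supplied dir, otherwise use tempfile."""
    if dir_name:
        if not os.path.exists(dir_name):
            os.makedirs(dir_name)  # assumption: a missing dir is created
            return dir_name.replace("\\", "/")
        if os.path.isdir(dir_name) and not os.listdir(dir_name):
            return dir_name.replace("\\", "/")  # exists and is empty
    # mkdtemp chooses an unpredictable suffix, creates the directory
    # atomically, and on POSIX restricts it to the creating user (0o700).
    return tempfile.mkdtemp(prefix=prefix, dir=base_dir).replace("\\", "/")


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for TransientDir
    print(resolve_working_dir(None, base))
    print(hashed_dir_name(base, "constructed-uid-0001"))
```

With `tempfile.mkdtemp` the caller is responsible for removing the directory; `tempfile.TemporaryDirectory`, named in option 1, removes it automatically when the object is cleaned up.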