LGTM complains about the following code in writerbase.py line 66:
    # if dir_name was not given or if it exists but is not empty: create a temporary dir
    # Purpose: makes sure the analysis can be run even in weird situations
    if not dir_name:
        self.dir_name = self.document.TransientDir.replace(
            "\\", "/"
        ) + "/FemAnl_" + analysis_obj.Uid[-4:]
The analyzer does not like the use of something called "Uid" (which it is interpreting as "user ID", I think) in a way that will expose it to the outside world in cleartext. LGTM actually classifies this as an "error", one of only two remaining in our code. So I'd like to make it go away, even if it's wrong.
Obviously we could tell LGTM to ignore it by adding a comment:
    # lgtm [py/clear-text-storage-sensitive-data]
... but I hate those things, and you have to customize them for every analyzer you run (and we run three on a semi-regular basis!). So I'd rather solve it in the code itself. It looks to me like that is almost serving as a sort of random number to create a unique temp directory. If that is the case, there are a few simple solutions:
- Use the Python tempfile.TemporaryDirectory method to create a standard temp directory
- Use an actual random number instead of analysis_obj.Uid[-4:]
- Hash the Uid and use that instead (this will probably shut LGTM up, but give consistent, repeatable directories)
First, is my understanding correct? And second, does anyone have an opinion about which path I take?
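The three options sketched in the post, written out as an added example (this is not code from the post or from the project; the function names, the eight-character suffix length and the `transient_dir` parameter standing in for `self.document.TransientDir` are assumptions made here). Option 1 and option 2 collapse into one function, because `tempfile.mkdtemp` already picks a random suffix and creates the directory with mode 0700 in a single step; option 3 keeps the repeatable, Uid-derived name while hashing the whole Uid instead of storing its last four characters verbatim.

```python
import hashlib
import os
import tempfile


def hashed_dir_suffix(uid: str, length: int = 8) -> str:
    """Option 3: deterministic suffix derived from the analysis Uid.

    The directory name no longer contains the raw Uid, but the same Uid always
    maps to the same suffix, so the directory is repeatable across runs.
    The whole Uid is hashed, not just its last four characters.
    """
    digest = hashlib.sha256(uid.encode("utf-8")).hexdigest()
    return digest[:length]


def analysis_dir_name(transient_dir: str, uid: str) -> str:
    """Repeatable analysis directory path, built like the original but hashed.

    Keeps the backslash-to-slash normalisation of the original code. The caller
    still has to create the directory; this only computes the name.
    """
    base = transient_dir.replace("\\", "/")
    return base + "/FemAnl_" + hashed_dir_suffix(uid)


def make_analysis_tempdir(transient_dir: str) -> str:
    """Options 1 and 2 combined: a unique, freshly created directory.

    mkdtemp chooses an unpredictable suffix and creates the directory itself
    (mode 0700), so there is no window between choosing the name and creating
    the directory in which another process could plant something at that path.
    """
    return tempfile.mkdtemp(prefix="FemAnl_", dir=transient_dir)


def cleanup_tempdir(path: str) -> None:
    """Remove an empty analysis directory created by make_analysis_tempdir."""
    os.rmdir(path)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real FreeCAD document.
    transient_dir = tempfile.gettempdir()
    uid = "1234"
    print(analysis_dir_name("C:\\Users\\x\\AppData\\Local\\Temp", uid))
    d = make_analysis_tempdir(transient_dir)
    print(d)
    cleanup_tempdir(d)
```

If repeatable directory names matter (re-running an analysis into the same folder), `analysis_dir_name` is the drop-in replacement for the flagged expression; if they do not, `make_analysis_tempdir` is simpler and also removes the predictable-path issue that a fixed `FemAnl_` plus four characters has in a shared temp directory.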