Use mkstemp to replace deprecated mktemp #23372

Merged
merged 2 commits into from
May 16, 2023

Conversation

ready-research
Contributor

@ready-research ready-research commented May 15, 2023

The tempfile.mktemp function is deprecated due to security issues.

What does this PR do?

Fixes the tempfile issue disclosed in huntr.

Before submitting

  • This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
  • Did you read the contributor guideline,
    Pull Request section?
  • Was this discussed/approved via a Github issue or the forum? Please add a link
    to it if that's the case.
  • Did you make sure to update the documentation with your changes? Here are the
    documentation guidelines, and
    here are tips on formatting docstrings.
  • Did you write any new necessary tests?

Who can review?

Anyone in the community is free to review the PR once the tests have passed. Feel free to tag
members/contributors who may be interested in your PR.

@sgugger, can you please review these changes and approve this fix? Thanks.
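As an added illustration of the point behind this PR (not code from the PR or from transformers; the helper names are mine): `tempfile.mktemp` only returns a name and creates nothing, so the file is opened later in a separate step, while `tempfile.mkstemp` creates the file itself with `O_EXCL` and mode 0600 and hands back an open descriptor.

```python
import os
import stat
import tempfile


def mktemp_leaves_a_gap(suffix: str = ".lock") -> bool:
    """mktemp only computes a currently free name; it creates nothing.

    Returns True when the returned path does not exist yet, which is the
    window between naming and opening that CWE-377 describes: another
    local process could place a file or symlink there first.
    """
    path = tempfile.mktemp(suffix=suffix)
    return not os.path.exists(path)


def write_private_temp(data: bytes, suffix: str = ".lock") -> str:
    """Create a temporary file safely and write `data` into it.

    mkstemp returns (fd, path) for a file it has already created with
    O_CREAT | O_EXCL and mode 0o600, so a pre-planted symlink makes the
    call fail instead of being followed, and other users cannot read it.
    The caller owns the path and is responsible for removing it.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def is_private_regular_file(path: str) -> bool:
    """Post-conditions mkstemp guarantees on POSIX: a regular file (not a
    symlink, hence lstat) with owner-only permissions."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def read_and_remove(path: str) -> bytes:
    """Read the temp file back and delete it (cleanup for callers)."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data
```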

@HuggingFaceDocBuilderDev

HuggingFaceDocBuilderDev commented May 15, 2023

The documentation is not available anymore as the PR was closed or merged.

Collaborator

@amyeroberts amyeroberts left a comment


Thanks for updating this!

@amyeroberts amyeroberts merged commit 80ca924 into huggingface:main May 16, 2023
@ready-research
Contributor Author

Hi @sgugger / @amyeroberts, can you please add this patch to the huntr report? Thanks.

@sgugger
Collaborator

sgugger commented May 18, 2023

@ready-research Should be done now!

@AustinScola

Is this change going to be included in a release soon?

sheonhan pushed a commit to sheonhan/transformers that referenced this pull request Jun 1, 2023
* Use `mkstemp` to replace deprecated `mktemp`

The `tempfile.mktemp` function is [deprecated](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp) due to [security issues](https://cwe.mitre.org/data/definitions/377.html).

* Update src/transformers/utils/hub.py

Co-authored-by: amyeroberts <22614925+amyeroberts@users.noreply.github.com>

---------

Co-authored-by: amyeroberts <22614925+amyeroberts@users.noreply.github.com>
gojiteji pushed a commit to gojiteji/transformers that referenced this pull request Jun 5, 2023
@jacwalte

jacwalte commented Jun 5, 2023

This is being reported as having the fix for https://nvd.nist.gov/vuln/detail/CVE-2023-2800

Is there an estimate on the time to release?

@ashahba
Contributor

ashahba commented Jun 7, 2023

You can install HF from the commit ID with the fix this way:

$ pip install --no-cache-dir git+https://github.com/huggingface/transformers.git@80ca924

and you should have:

@dhrubo-os

Do we have any ETA on when we will release this security fix?

@sgugger
Collaborator

sgugger commented Jun 12, 2023

As indicated on the page, v4.30.0 (released last week) contains the fix.

novice03 pushed a commit to novice03/transformers that referenced this pull request Jun 23, 2023