Unintended behaviour in absltest.py

It seems like this section of code allows someone to pass in an arbitrary path name in tempfile, which then causes the code to zero out the provided path (rather than a temporary file) if the person running the test also happens to own the file: https://github.com/abseil/abseil-py/blob/976413320682f8fd1c05c36f24a9475050702699/absl/testing/absltest.py#L390-L396 
Example:
```
import pathlib

from adric-work.testing.pybase import test

class BugTest(test.TestCase):

def testBug(self):
    # bad_path = pathlib.Path.home() / 'hello_bug' / 'a_file.txt'
    # my_file = self.create_tempfile(bad_path.as_posix())
    bad_path = '/usr/local/work/home/adric-work/hello_bug/a_file.txt'
    my_file = self.create_tempfile(bad_path)


if __name__ == '__main__':
  test.main()
```

	path = os.path.join(base_path, file_path)
	os.makedirs(os.path.dirname(path), exist_ok=True)
	# The file may already exist, in which case, ensure it's writable so that
	# it can be truncated.
	if os.path.exists(path) and not os.access(path, os.W_OK):
	stat_info = os.stat(path)
	os.chmod(path, stat_info.st_mode \| stat.S_IWUSR)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Unintended behaviour in absltest.py #248

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Unintended behaviour in absltest.py #248

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions