Fix Improper Method Call (Close file descriptors to prevent leaks)

[fazledyn-or]

Details

While triaging your project, we found that your project had used mkstemp() method in several places to create temporary files. However, it came to our attention that the file descriptors that were generated by the method weren't being closed at all. This can lead to a file descriptor leak which should be prevented. It is suggested that file descriptors should be closed after use.

Proof of Concept

For the file descriptor leak related proof, one can execute the following script:

from tempfile import mkstemp

for i in range(10000):
    print(f"Opening file descriptor for {i}-th time")
    fd, name = mkstemp()
    print(f"FD: {fd}")

During execution, the program is going to face an error/exception, since in Linux, each processes are allowed to have 1024 file descriptors associated with them. Among them, file descriptor 0, 1, 2 are assigned to stdin, stdout, and stderr respectively.

Changes

• As a prevention, I have used os.close() method to close the file descriptors after their use.

Suggestions related to these changes are welcomed.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).
- Git Commit SignOff documentation

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 13 lines in your changes missing coverage. Please review.

Project coverage is 52.98%. Comparing base (2d66012) to head (9de39e9).
Report is 695 commits behind head on master.

Files with missing lines	Patch %	Lines
crmsh/crash_test/task.py	0.00%	8 Missing ⚠️
crmsh/corosync.py	0.00%	2 Missing ⚠️
crmsh/cibstatus.py	0.00%	1 Missing ⚠️
crmsh/ui_cib.py	0.00%	1 Missing ⚠️
crmsh/utils.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1262      +/-   ##
==========================================
- Coverage   53.01%   52.98%   -0.03%     
==========================================
  Files          79       79              
  Lines       25065    25075      +10     
==========================================
  Hits        13287    13287              
- Misses      11778    11788      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[fazledyn-or]

Hello @liangxin1300 , sorry for bothering you. Can please review again?
Thanks

[liangxin1300]

Hello @liangxin1300 , sorry for bothering you. Can please review again? Thanks

Your commits looks good, thanks!
But we need to wait since one of a codecov checking not passed, maybe need to adjust the check rules for those 0% diff hit cases

[nicholasyang2022]

Leaving these file descriptors open does not cause problems. As crmsh is a one-shot utility tool instead of a daemon, all file descriptors are closed when the process exits.