affirm our usage of /tmp inside containers

mr-c · mr-c · commit 4f16af836dd2 · 2019-04-20T12:34:41.000+02:00
diff --git a/cwltool/command_line_tool.py b/cwltool/command_line_tool.py
@@ -302,7 +302,7 @@ def job(self,
         if runtimeContext.cachedir and enableReuse:
             cachecontext = runtimeContext.copy()
             cachecontext.outdir = "/out"
-            cachecontext.tmpdir = "/tmp"
+            cachecontext.tmpdir = "/tmp"  # nosec
             cachecontext.stagedir = "/stage"
             cachebuilder = self._init_job(job_order, cachecontext)
             cachebuilder.pathmapper = PathMapper(cachebuilder.files,
diff --git a/cwltool/docker.py b/cwltool/docker.py
@@ -296,7 +296,8 @@ def create_runtime(self,
             runtime = [u"docker", u"run", u"-i"]
         self.append_volume(runtime, os.path.realpath(self.outdir),
                            self.builder.outdir, writable=True)
-        self.append_volume(runtime, os.path.realpath(self.tmpdir), "/tmp",
+        tmpdir = "/tmp"  # nosec
+        self.append_volume(runtime, os.path.realpath(self.tmpdir), tmpdir,
                            writable=True)
         self.add_volumes(self.pathmapper, runtime, any_path_okay=True,
                          secret_store=runtimeContext.secret_store,
diff --git a/cwltool/process.py b/cwltool/process.py
@@ -672,7 +672,7 @@ def inc(d):  # type: (List[int]) -> None
                         runtime_context.docker_outdir or random_outdir()
             elif default_docker is not None:
                 outdir = runtime_context.docker_outdir or random_outdir()
-            tmpdir = runtime_context.docker_tmpdir or "/tmp"
+            tmpdir = runtime_context.docker_tmpdir or "/tmp"  # nosec
             stagedir = runtime_context.docker_stagedir or "/var/lib/cwl"
         else:
             outdir = fs_access.realpath(
diff --git a/cwltool/singularity.py b/cwltool/singularity.py
@@ -267,8 +267,9 @@ def create_runtime(self,
             docker_windows_path_adjust(os.path.realpath(self.outdir)),
             self.builder.outdir))
         runtime.append(u"--bind")
+        tmpdir = "/tmp"  # nosec
         runtime.append(u"{}:{}:rw".format(
-            docker_windows_path_adjust(os.path.realpath(self.tmpdir)), "/tmp"))
+            docker_windows_path_adjust(os.path.realpath(self.tmpdir)), tmpdir))
 
         self.add_volumes(self.pathmapper, runtime, any_path_okay=True,
                          secret_store=runtime_context.secret_store,
@@ -288,7 +289,7 @@ def create_runtime(self,
         elif runtime_context.disable_net:
             runtime.append(u"--net")
 
-        env["SINGULARITYENV_TMPDIR"] = "/tmp"
+        env["SINGULARITYENV_TMPDIR"] = tmpdir
         env["SINGULARITYENV_HOME"] = self.builder.outdir
 
         for name, value in self.environment.items():
