Support openTempFile and friends, fixes #2

Author: hasufell

System/File/OsPath.hs

@@ -23,6 +23,10 @@ module System.File.OsPath (
 , appendFile'
 , openFile
 , openExistingFile
+, openTempFile
+, openBinaryTempFile
+, openTempFileWithDefaultPermissions
+, openBinaryTempFileWithDefaultPermissions
 ) where
 
 

System/File/OsPath/Internal.hs

@@ -1,12 +1,14 @@
 {-# LANGUAGE TypeApplications #-}
 {-# LANGUAGE BangPatterns #-}
+{-# LANGUAGE ViewPatterns #-}
+{-# LANGUAGE QuasiQuotes #-}
 
 module System.File.OsPath.Internal where
 
 
 import qualified System.File.Platform as P
 
-import Prelude ((.), ($), String, IO, ioError, pure, either, const, flip, Maybe(..), fmap, (<$>), id, Bool(..), FilePath, (++), return, show, (>>=))
+import Prelude ((.), ($), String, IO, ioError, pure, either, const, flip, Maybe(..), fmap, (<$>), id, Bool(..), FilePath, (++), return, show, (>>=), (==), otherwise, errorWithoutStackTrace)
 import GHC.IO (catchException)
 import GHC.IO.Exception (IOException(..))
 import GHC.IO.Handle (hClose_help)
@@ -18,11 +20,15 @@ import Control.DeepSeq (force)
 import Control.Exception (SomeException, try, evaluate, mask, onException)
 import System.IO (IOMode(..), hSetBinaryMode, hClose)
 import System.IO.Unsafe (unsafePerformIO)
+import System.OsString (osstr)
 import System.OsPath as OSP
 import System.OsString.Internal.Types
 
 import qualified Data.ByteString as BS
 import qualified Data.ByteString.Lazy as BSL
+import qualified System.OsString as OSS
+import System.Posix.Types (CMode)
+import GHC.Base (failIO)
 
 -- | Like 'openFile', but open the file in binary mode.
 -- On Windows, reading a file in text mode (which is the default)
@@ -127,6 +133,56 @@ openFileWithCloseOnExec osfp iomode = augmentError "openFileWithCloseOnExec" osf
 openExistingFileWithCloseOnExec :: OsPath -> IOMode -> IO Handle
 openExistingFileWithCloseOnExec osfp iomode = augmentError "openExistingFileWithCloseOnExec" osfp $ withOpenFile' osfp iomode False True True pure False
 
+
+-- | The function creates a temporary file in ReadWrite mode.
+-- The created file isn\'t deleted automatically, so you need to delete it manually.
+--
+-- The file is created with permissions such that only the current
+-- user can read\/write it.
+--
+-- With some exceptions (see below), the file will be created securely
+-- in the sense that an attacker should not be able to cause
+-- openTempFile to overwrite another file on the filesystem using your
+-- credentials, by putting symbolic links (on Unix) in the place where
+-- the temporary file is to be created.  On Unix the @O_CREAT@ and
+-- @O_EXCL@ flags are used to prevent this attack, but note that
+-- @O_EXCL@ is sometimes not supported on NFS filesystems, so if you
+-- rely on this behaviour it is best to use local filesystems only.
+--
+-- @since 0.1.3
+openTempFile :: OsPath     -- ^ Directory in which to create the file
+             -> OsString   -- ^ File name template. If the template is \"foo.ext\" then
+                           -- the created file will be \"fooXXX.ext\" where XXX is some
+                           -- random number. Note that this should not contain any path
+                           -- separator characters. On Windows, the template prefix may
+                           -- be truncated to 3 chars, e.g. \"foobar.ext\" will be
+                           -- \"fooXXX.ext\".
+             -> IO (OsPath, Handle)
+openTempFile tmp_dir template = openTempFile' "openTempFile" tmp_dir template False 0o600
+
+-- | Like 'openTempFile', but opens the file in binary mode. See 'openBinaryFile' for more comments.
+--
+-- @since 0.1.3
+openBinaryTempFile :: OsPath -> OsString -> IO (OsPath, Handle)
+openBinaryTempFile tmp_dir template
+    = openTempFile' "openBinaryTempFile" tmp_dir template True 0o600
+
+-- | Like 'openTempFile', but uses the default file permissions
+--
+-- @since 0.1.3
+openTempFileWithDefaultPermissions :: OsPath -> OsString
+                                   -> IO (OsPath, Handle)
+openTempFileWithDefaultPermissions tmp_dir template
+    = openTempFile' "openTempFileWithDefaultPermissions" tmp_dir template False 0o666
+
+-- | Like 'openBinaryTempFile', but uses the default file permissions
+--
+-- @since 0.1.3
+openBinaryTempFileWithDefaultPermissions :: OsPath -> OsString
+                                         -> IO (OsPath, Handle)
+openBinaryTempFileWithDefaultPermissions tmp_dir template
+    = openTempFile' "openBinaryTempFileWithDefaultPermissions" tmp_dir template True 0o666
+
 -- ---------------------------------------------------------------------------
 -- Internals
 
@@ -173,3 +229,33 @@ addFilePathToIOError fun fp ioe = unsafePerformIO $ do
 augmentError :: String -> OsPath -> IO a -> IO a
 augmentError str osfp = flip catchException (ioError . addFilePathToIOError str osfp)
 
+
+openTempFile' :: String -> OsPath -> OsString -> Bool -> CMode
+              -> IO (OsPath, Handle)
+openTempFile' loc (OsString tmp_dir) template@(OsString tmpl) binary mode
+    | OSS.any (== OSP.pathSeparator) template
+    = failIO $ "openTempFile': Template string must not contain path separator characters: " ++ P.lenientDecode tmpl
+    | otherwise = do
+        (fp, hdl) <- P.findTempName (prefix, suffix) loc tmp_dir mode
+        when binary $ hSetBinaryMode hdl True
+        pure (OsString fp, hdl)
+  where
+    -- We split off the last extension, so we can use .foo.ext files
+    -- for temporary files (hidden on Unix OSes). Unfortunately we're
+    -- below filepath in the hierarchy here.
+    (OsString prefix, OsString suffix) =
+       case OSS.break (== OSS.unsafeFromChar '.') $ OSS.reverse template of
+         -- First case: template contains no '.'s. Just re-reverse it.
+         (rev_suffix, [osstr||])       -> (OSS.reverse rev_suffix, OSS.empty)
+         -- Second case: template contains at least one '.'. Strip the
+         -- dot from the prefix and prepend it to the suffix (if we don't
+         -- do this, the unique number will get added after the '.' and
+         -- thus be part of the extension, which is wrong.)
+         (rev_suffix, xs)
+           | (h:rest) <- OSS.unpack xs
+           , h == unsafeFromChar '.' -> (OSS.reverse (OSS.pack rest), OSS.cons (unsafeFromChar '.') $ OSS.reverse rev_suffix)
+         -- Otherwise, something is wrong, because (break (== '.')) should
+         -- always return a pair with either the empty string or a string
+         -- beginning with '.' as the second component.
+         _                      -> errorWithoutStackTrace "bug in System.IO.openTempFile"
+

posix/System/File/Platform.hs

@@ -1,7 +1,9 @@
+{-# LANGUAGE TupleSections    #-}
 {-# LANGUAGE TypeApplications #-}
 
 module System.File.Platform where
 
+import Data.Either (fromRight)
 import Control.Exception (try, onException, SomeException)
 import GHC.IO.Handle.FD (fdToHandle')
 import System.IO (IOMode(..), Handle)
@@ -10,10 +12,17 @@ import System.Posix.IO.PosixString
     ( defaultFileFlags,
       openFd,
       closeFd,
-      OpenFileFlags(noctty, nonBlock, creat, append, trunc, cloexec),
+      OpenFileFlags(noctty, nonBlock, creat, append, trunc, cloexec, exclusive),
       OpenMode(ReadWrite, ReadOnly, WriteOnly) )
-import System.OsPath.Posix ( PosixPath )
+import System.OsPath.Posix ( PosixPath, PosixString, (</>) )
 import qualified System.OsPath.Posix as PS
+import Data.IORef (IORef, newIORef)
+import System.Posix (CMode)
+import System.IO (utf8, latin1)
+import System.IO.Unsafe (unsafePerformIO)
+import System.Posix.Internals (c_getpid)
+import GHC.IORef (atomicModifyIORef'_)
+import Foreign.C (getErrno, eEXIST, errnoToIOError)
 
 -- | Open a file and return the 'Handle'.
 openFile :: PosixPath -> IOMode -> IO Handle
@@ -43,7 +52,7 @@ openExistingFile_ df fp iomode = fdToHandle_ iomode fp =<< case iomode of
 
 fdToHandle_ :: IOMode -> PosixPath -> Fd -> IO Handle
 fdToHandle_ iomode fp (Fd fd) = (`onException` closeFd (Fd fd)) $ do
-    fp'  <- either (const (fmap PS.toChar . PS.unpack $ fp)) id <$> try @SomeException (PS.decodeFS fp)
+    fp'  <- fromRight (fmap PS.toChar . PS.unpack $ fp) <$> try @SomeException (PS.decodeFS fp)
     fdToHandle' fd Nothing False fp' iomode True
 
 openFileWithCloseOnExec :: PosixPath -> IOMode -> IO Handle
@@ -58,3 +67,47 @@ defaultFileFlags' = defaultFileFlags { noctty = True, nonBlock = True }
 defaultExistingFileFlags :: OpenFileFlags
 defaultExistingFileFlags = defaultFileFlags { noctty = True, nonBlock = True, creat = Nothing }
 
+findTempName :: (PosixString, PosixString)
+             -> String
+             -> PosixPath
+             -> CMode
+             -> IO (PosixPath, Handle)
+findTempName (prefix, suffix) loc tmp_dir mode = go
+ where
+  go = do
+    rs <- rand_string
+    let filename = prefix <> rs <> suffix
+        filepath = tmp_dir </> filename
+    fd <- openTempFile_ filepath mode
+    if fd < 0
+    then do
+      errno <- getErrno
+      case errno of
+          _ | errno == eEXIST -> go
+          _ -> do
+            let tmp_dir' = lenientDecode tmp_dir
+            ioError (errnoToIOError loc errno Nothing (Just tmp_dir'))
+    else fmap (filepath,) $ fdToHandle_ ReadWriteMode filepath fd
+
+  openTempFile_ :: PosixPath -> CMode -> IO Fd
+  openTempFile_ fp cmode = openFd fp ReadWrite defaultFileFlags' { creat = Just cmode, nonBlock = True, noctty = True, exclusive = True }
+
+tempCounter :: IORef Int
+tempCounter = unsafePerformIO $ newIORef 0
+{-# NOINLINE tempCounter #-}
+
+-- build large digit-alike number
+rand_string :: IO PosixString
+rand_string = do
+  r1 <- c_getpid
+  (r2, _) <- atomicModifyIORef'_ tempCounter (+1)
+  return $ PS.pack $ fmap (PS.unsafeFromChar) (show r1 ++ "-" ++ show r2)
+
+lenientDecode :: PosixString -> String
+lenientDecode ps = let utf8' = PS.decodeWith utf8 ps
+                       latin1' = PS.decodeWith latin1 ps
+                   in case (utf8', latin1') of
+                        (Right s, ~_) -> s
+                        (_, Right s) -> s
+                        (Left _, Left _) -> error "lenientDecode: failed to decode"
+

tests/Properties.hs

@@ -10,7 +10,7 @@ import Control.Exception
 import qualified System.FilePath as FP
 import Test.Tasty
 import Test.Tasty.HUnit
-import System.OsPath ((</>), osp)
+import System.OsPath ((</>), osp, OsPath, OsString)
 import qualified System.OsPath as OSP
 import qualified System.File.OsPath as OSP
 import GHC.IO.Exception (IOErrorType(..), IOException(..))
@@ -40,6 +40,18 @@ main = defaultMain $ testGroup "All"
        , testCase "openExistingFile yes (Write)" existingFile2'
        , testCase "openExistingFile yes (Append)" existingFile3'
        , testCase "openExistingFile yes (ReadWrite)" existingFile4'
+       , testCase "openTempFile" (openTempFile2 OSP.openTempFile)
+       , testCase "openTempFile (reopen file)" (openTempFile1 OSP.openTempFile)
+       , testCase "openTempFile (filepaths different)" (openTempFile3 OSP.openTempFile)
+       , testCase "openBinaryTempFile" (openTempFile2 OSP.openBinaryTempFile)
+       , testCase "openBinaryTempFile (reopen file)" (openTempFile1 OSP.openBinaryTempFile)
+       , testCase "openBinaryTempFile (filepaths different)" (openTempFile3 OSP.openBinaryTempFile)
+       , testCase "openTempFileWithDefaultPermissions" (openTempFile2 OSP.openTempFileWithDefaultPermissions)
+       , testCase "openTempFileWithDefaultPermissions (reopen file)" (openTempFile1 OSP.openTempFileWithDefaultPermissions)
+       , testCase "openTempFileWithDefaultPermissions (filepaths different)" (openTempFile3 OSP.openTempFileWithDefaultPermissions)
+       , testCase "openBinaryTempFileWithDefaultPermissions" (openTempFile2 OSP.openBinaryTempFileWithDefaultPermissions)
+       , testCase "openBinaryTempFileWithDefaultPermissions (reopen file)" (openTempFile1 OSP.openBinaryTempFileWithDefaultPermissions)
+       , testCase "openBinaryTempFileWithDefaultPermissions (filepaths different)" (openTempFile3 OSP.openBinaryTempFileWithDefaultPermissions)
        ]
     ]
 
@@ -215,6 +227,38 @@ existingFile4' = do
         pure (c, c')
     Right ("tx", "bootx") @=? r
 
+openTempFile1 :: (OsPath -> OsString -> IO (OsPath, Handle)) -> Assertion
+openTempFile1 open = do
+  withSystemTempDirectory "test" $ \baseDir' -> do
+    baseDir <- OSP.encodeFS baseDir'
+    let file = [osp|foo.ext|]
+    (fp, h') <- open baseDir file
+    hClose h'
+    r <- try @IOException $ do
+      OSP.openExistingFile fp ReadWriteMode >>= \h -> BS.hPut h "boo" >> hClose h
+      OSP.readFile fp
+    Right "boo" @=? r
+
+openTempFile2 :: (OsPath -> OsString -> IO (OsPath, Handle)) -> Assertion
+openTempFile2 open = do
+  withSystemTempDirectory "test" $ \baseDir' -> do
+    baseDir <- OSP.encodeFS baseDir'
+    let file = [osp|foo.ext|]
+    (fp, h) <- open baseDir file
+    r <- try @IOException $ do
+      BS.hPut h "boo" >> hClose h
+      OSP.readFile fp
+    Right "boo" @=? r
+
+openTempFile3 :: (OsPath -> OsString -> IO (OsPath, Handle)) -> Assertion
+openTempFile3 open = do
+  withSystemTempDirectory "test" $ \baseDir' -> do
+    baseDir <- OSP.encodeFS baseDir'
+    let file = [osp|foo.ext|]
+    (fp,  _) <- open baseDir file
+    (fp', _) <- open baseDir file
+    (fp /= fp') @? "Filepaths are different"
+
 
 compareIOError :: forall a . (Eq a, Show a, HasCallStack) => IOException -> Either IOException a -> Assertion
 compareIOError el (Left lel)  = lel { ioe_handle = Nothing