fix: replace insecure /tmp usage with tempfile module in tests

mashu3 · mashu3 · commit 4e190969656c · 2025-09-25T22:15:43.000+09:00
diff --git a/tests/test_messagebox.py b/tests/test_messagebox.py
@@ -1,4 +1,5 @@
 # pylint: disable=import-outside-toplevel,protected-access
+import tempfile
 from unittest.mock import MagicMock, patch
 
 import pytest
@@ -604,22 +605,32 @@ def test_custom_messagebox_icon_file_success(root):
     """Test successful icon file loading path in _get_icon_label."""
     from tkface.dialog.messagebox import CustomMessageBox, MessageBoxConfig
 
-    with (
-        patch("tkinter.Toplevel.wait_window"),
-        patch("tkinter.PhotoImage") as mock_photo,
-        patch("tkinter.Label") as mock_label,
-        patch("tkinter.Button"),
-    ):
-        mock_photo.return_value = MagicMock(name="Image")
-        CustomMessageBox(
-            master=root,
-            config=MessageBoxConfig(message="Test", icon="/tmp/icon.png"),
+    with tempfile.NamedTemporaryFile(suffix=".png", delete=False) as temp_file:
+        temp_icon_path = temp_file.name
+    
+    try:
+        with (
+            patch("tkinter.Toplevel.wait_window"),
+            patch("tkinter.PhotoImage") as mock_photo,
+            patch("tkinter.Label") as mock_label,
+            patch("tkinter.Button"),
+        ):
+            mock_photo.return_value = MagicMock(name="Image")
+            CustomMessageBox(
+                master=root,
+                config=MessageBoxConfig(message="Test", icon=temp_icon_path),
+            )
+        # Ensure a Label was created with the image returned by PhotoImage
+        assert any(
+            ("image" in call.kwargs) and (call.kwargs["image"] is mock_photo.return_value)
+            for call in mock_label.call_args_list
         )
-    # Ensure a Label was created with the image returned by PhotoImage
-    assert any(
-        ("image" in call.kwargs) and (call.kwargs["image"] is mock_photo.return_value)
-        for call in mock_label.call_args_list
-    )
+    finally:
+        import os
+        try:
+            os.unlink(temp_icon_path)
+        except OSError:
+            pass
 
 
 def test_classmethod_show_created_root(root):
diff --git a/tests/test_pathbrowser.py b/tests/test_pathbrowser.py
@@ -650,17 +650,18 @@ def test_pathbrowser_initialization(self, root):
 
     def test_pathbrowser_initialization_with_params(self, root):
         """Test PathBrowser initialization with parameters."""
-        browser = PathBrowser(
-            root,
-            select="dir",
-            multiple=True,
-            initialdir="/tmp",
-            filetypes=[("Text files", "*.txt")]
-        )
-        assert browser.config.select == "dir"
-        assert browser.config.multiple is True
-        assert browser.config.initialdir == "/tmp"
-        assert browser.config.filetypes == [("Text files", "*.txt")]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            browser = PathBrowser(
+                root,
+                select="dir",
+                multiple=True,
+                initialdir=temp_dir,
+                filetypes=[("Text files", "*.txt")]
+            )
+            assert browser.config.select == "dir"
+            assert browser.config.multiple is True
+            assert browser.config.initialdir == temp_dir
+            assert browser.config.filetypes == [("Text files", "*.txt")]
 
     def test_pathbrowser_save_mode(self, root):
         """Test PathBrowser in save mode."""
@@ -669,16 +670,17 @@ def test_pathbrowser_save_mode(self, root):
 
     def test_get_selection_save_mode(self, root, dict_like_mock):
         """Test get_selection in save mode."""
-        browser = PathBrowser(root, save_mode=True)
-        # Mock the selected_var
-        browser.selected_var = dict_like_mock
-        browser.selected_var.get.return_value = "test.txt"
-        browser.state.current_dir = "/tmp"
-        
-        selection = browser.get_selection()
-        # Handle Windows path separators
-        expected_path = os.path.join("/tmp", "test.txt")
-        assert selection == [expected_path]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            browser = PathBrowser(root, save_mode=True)
+            # Mock the selected_var
+            browser.selected_var = dict_like_mock
+            browser.selected_var.get.return_value = "test.txt"
+            browser.state.current_dir = temp_dir
+            
+            selection = browser.get_selection()
+            # Handle Windows path separators
+            expected_path = os.path.join(temp_dir, "test.txt")
+            assert selection == [expected_path]
 
     def test_get_selection_normal_mode(self, root):
         """Test get_selection in normal mode."""
diff --git a/tests/test_pathbrowser_view.py b/tests/test_pathbrowser_view.py
@@ -8,6 +8,7 @@
 - show_context_menu
 """
 
+import tempfile
 import tkinter as tk
 from pathlib import Path
 from types import SimpleNamespace
@@ -97,50 +98,56 @@ def test_update_selected_display_no_selection(self, browser_with_state):
             assert mock_status.called
 
     def test_update_selected_display_single_file(self, browser_with_state):
-        browser_with_state.state.selected_items = ["/tmp/a.txt"]
-        browser_with_state.selected_var = Mock()
-        browser_with_state.selected_var.set = Mock()
-        with patch.object(browser_with_state, "_update_status"):
-            with patch.object(
-                browser_with_state.file_info_manager,
-                "get_cached_file_info",
-                return_value=SimpleNamespace(is_dir=False, name="a.txt"),
-            ):
-                view.update_selected_display(browser_with_state)
-        browser_with_state.selected_var.set.assert_called_with("a.txt")
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_file_path = f"{temp_dir}/a.txt"
+            browser_with_state.state.selected_items = [temp_file_path]
+            browser_with_state.selected_var = Mock()
+            browser_with_state.selected_var.set = Mock()
+            with patch.object(browser_with_state, "_update_status"):
+                with patch.object(
+                    browser_with_state.file_info_manager,
+                    "get_cached_file_info",
+                    return_value=SimpleNamespace(is_dir=False, name="a.txt"),
+                ):
+                    view.update_selected_display(browser_with_state)
+            browser_with_state.selected_var.set.assert_called_with("a.txt")
 
     def test_update_selected_display_multiple_files_compact(self, browser_with_state):
-        browser_with_state.state.selected_items = ["/tmp/a.txt", "/tmp/b.txt", "/tmp/c.txt", "/tmp/d.txt"]
-        browser_with_state.selected_var = Mock()
-        browser_with_state.selected_var.set = Mock()
-        # Return non-dir with distinct names
-        def _get_info(path):
-            name = Path(path).name
-            m = Mock()
-            m.is_dir = False
-            m.name = name
-            return m
-        with patch.object(browser_with_state, "_update_status"):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_files = [f"{temp_dir}/a.txt", f"{temp_dir}/b.txt", f"{temp_dir}/c.txt", f"{temp_dir}/d.txt"]
+            browser_with_state.state.selected_items = temp_files
+            browser_with_state.selected_var = Mock()
+            browser_with_state.selected_var.set = Mock()
+            # Return non-dir with distinct names
+            def _get_info(path):
+                name = Path(path).name
+                m = Mock()
+                m.is_dir = False
+                m.name = name
+                return m
+            with patch.object(browser_with_state, "_update_status"):
+                with patch.object(
+                    browser_with_state.file_info_manager,
+                    "get_cached_file_info",
+                    side_effect=_get_info,
+                ):
+                    view.update_selected_display(browser_with_state)
+            # Should show first with +n more
+            browser_with_state.selected_var.set.assert_called_with("a.txt (+3 more)")
+
+    def test_update_selected_display_dirs_only(self, browser_with_state):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_dirs = [f"{temp_dir}/dirA", f"{temp_dir}/dirB"]
+            browser_with_state.state.selected_items = temp_dirs
+            browser_with_state.selected_var = Mock()
+            browser_with_state.selected_var.set = Mock()
             with patch.object(
                 browser_with_state.file_info_manager,
                 "get_cached_file_info",
-                side_effect=_get_info,
+                return_value=Mock(is_dir=True, name="dirA"),
             ):
                 view.update_selected_display(browser_with_state)
-        # Should show first with +n more
-        browser_with_state.selected_var.set.assert_called_with("a.txt (+3 more)")
-
-    def test_update_selected_display_dirs_only(self, browser_with_state):
-        browser_with_state.state.selected_items = ["/tmp/dirA", "/tmp/dirB"]
-        browser_with_state.selected_var = Mock()
-        browser_with_state.selected_var.set = Mock()
-        with patch.object(
-            browser_with_state.file_info_manager,
-            "get_cached_file_info",
-            return_value=Mock(is_dir=True, name="dirA"),
-        ):
-            view.update_selected_display(browser_with_state)
-        browser_with_state.selected_var.set.assert_called_with("")
+            browser_with_state.selected_var.set.assert_called_with("")
 
 
 class TestUpdateDirectoryStatus:
@@ -182,9 +189,11 @@ def name(self):  # for formatting in error branch
 class TestShowContextMenu:
     def test_show_context_menu_tree_expand_collapse(self, browser_with_state):
         # Prepare tree selection with a directory node
-        browser_with_state.tree = Mock()
-        browser_with_state.tree.selection.return_value = ["/tmp/dir"]
-        browser_with_state.tree.item.return_value = True
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_dir_path = f"{temp_dir}/dir"
+            browser_with_state.tree = Mock()
+            browser_with_state.tree.selection.return_value = [temp_dir_path]
+            browser_with_state.tree.item.return_value = True
         with patch.object(
             browser_with_state.file_info_manager,
             "get_file_info",
@@ -204,11 +213,13 @@ def test_show_context_menu_tree_expand_collapse(self, browser_with_state):
                 mock_menu.post.assert_called_once()
 
     def test_show_context_menu_file_menu(self, browser_with_state):
-        browser_with_state.file_tree = Mock()
-        browser_with_state.file_tree.selection.return_value = ["/tmp/a.txt"]
-        event = Mock()
-        event.x_root = 0
-        event.y_root = 0
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_file_path = f"{temp_dir}/a.txt"
+            browser_with_state.file_tree = Mock()
+            browser_with_state.file_tree.selection.return_value = [temp_file_path]
+            event = Mock()
+            event.x_root = 0
+            event.y_root = 0
         with patch("tkinter.Menu") as mock_menu_cls:
             mock_menu = Mock()
             mock_menu_cls.return_value = mock_menu
@@ -465,7 +476,9 @@ def test_load_files_large_directory_progress(self, browser_with_state, tmp_path)
 class TestUpdateSelectionStatus:
     def test_update_selection_status_single_folder(self, browser_with_state):
         """Test status update for single folder selection."""
-        browser_with_state.state.selected_items = ["/tmp/dir"]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_dir_path = f"{temp_dir}/dir"
+            browser_with_state.state.selected_items = [temp_dir_path]
         browser_with_state.status_var = Mock()
         
         mock_file_info = Mock()
@@ -485,7 +498,9 @@ def test_update_selection_status_single_folder(self, browser_with_state):
 
     def test_update_selection_status_multiple_folders(self, browser_with_state):
         """Test status update for multiple folder selection."""
-        browser_with_state.state.selected_items = ["/tmp/dir1", "/tmp/dir2"]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_dirs = [f"{temp_dir}/dir1", f"{temp_dir}/dir2"]
+            browser_with_state.state.selected_items = temp_dirs
         browser_with_state.status_var = Mock()
         
         mock_file_info = Mock()
@@ -729,7 +744,9 @@ def test_load_files_permission_error_dialog(self, browser_with_state):
 class TestUpdateSelectionStatusAdditional:
     def test_update_selection_status_single_file_with_size(self, browser_with_state):
         """Test status update for single file with size."""
-        browser_with_state.state.selected_items = ["/tmp/file.txt"]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_file_path = f"{temp_dir}/file.txt"
+            browser_with_state.state.selected_items = [temp_file_path]
         browser_with_state.status_var = Mock()
         
         mock_file_info = Mock()
@@ -750,7 +767,9 @@ def test_update_selection_status_single_file_with_size(self, browser_with_state)
 
     def test_update_selection_status_multiple_files_with_size(self, browser_with_state):
         """Test status update for multiple files with size."""
-        browser_with_state.state.selected_items = ["/tmp/file1.txt", "/tmp/file2.txt"]
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_files = [f"{temp_dir}/file1.txt", f"{temp_dir}/file2.txt"]
+            browser_with_state.state.selected_items = temp_files
         browser_with_state.status_var = Mock()
         
         mock_file_info = Mock()
