tmpdir: prevent symlink attacks and TOCTOU races (CVE-2025-71176)

AUTHORS

@@ -264,6 +264,7 @@ Kojo Idrissa
 Kostis Anagnostopoulos
 Kristoffer Nordström
 Kyle Altendorf
+Laura Kaminskiy
 Lawrence Mitchell
 Lee Kamentsky
 Leonardus Chen

changelog/13669.bugfix.rst

@@ -0,0 +1,9 @@
+Fixed a symlink attack vulnerability ([CVE-2025-71176](https://github.com/pytest-dev/pytest/issues/13669)) in
+the [tmp_path](https://github.com/pytest-dev/pytest/blob/295d9da900a0dbe8b4093d6a6bc977cd567aa4b0/src/_pytest/tmpdir.py#L258)
+fixture's base directory handling.
+
+The ``pytest-of-<user>`` directory under the system temp root is now opened
+with [O_NOFOLLOW](https://man7.org/linux/man-pages/man2/open.2.html#:~:text=not%20have%20one.-,O_NOFOLLOW,-If%20the%20trailing)
+and verified using
+file-descriptor-based [fstat](https://linux.die.net/man/2/fstat)/[fchmod](https://linux.die.net/man/2/fchmod),
+preventing symlink attacks and [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) races.

src/_pytest/tmpdir.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 from collections.abc import Generator
+import contextlib
 import dataclasses
 import os
 from pathlib import Path
@@ -37,6 +38,64 @@
 RetentionType = Literal["all", "failed", "none"]
 
 
+@contextlib.contextmanager
+def _safe_open_dir(path: Path) -> Generator[int]:
+    """Open a directory without following symlinks and yield its file descriptor.
+
+    Uses O_NOFOLLOW and O_DIRECTORY (when available) to prevent symlink
+    attacks (CVE-2025-71176).  The fd-based operations (fstat, fchmod)
+    also eliminate TOCTOU races.
+
+    Args:
+        path: Directory to open.
+
+    Yields:
+        An open file descriptor for the directory.
+
+    Raises:
+        OSError: If the path cannot be safely opened (e.g. it is a symlink).
+    """
+    open_flags = os.O_RDONLY
+    for _flag in ("O_NOFOLLOW", "O_DIRECTORY"):
+        open_flags |= getattr(os, _flag, 0)
+    try:
+        dir_fd = os.open(str(path), open_flags)
+    except OSError as e:
+        raise OSError(
+            f"The temporary directory {path} could not be "
+            "safely opened (it may be a symlink). "
+            "Remove the symlink or directory and try again."
+        ) from e
+    try:
+        yield dir_fd
+    finally:
+        os.close(dir_fd)
+
+
+def _cleanup_old_rootdirs(
+    temproot: Path, prefix: str, keep: int, current: Path
+) -> None:
+    """Remove old randomly-named rootdirs, keeping the *keep* most recent.
+
+    *current* is excluded so the running session's rootdir is never removed.
+    Errors are silently ignored (other sessions may hold locks, etc.).
+    """
+    try:
+        candidates = sorted(
+            (
+                p
+                for p in temproot.iterdir()
+                if p.is_dir() and p.name.startswith(prefix) and p != current
+            ),
+            key=lambda p: p.stat().st_mtime,
+            reverse=True,
+        )
+    except OSError:
+        return
+    for old in candidates[keep:]:
+        rmtree(old, ignore_errors=True)
+
+
 @final
 @dataclasses.dataclass
 class TempPathFactory:
@@ -157,29 +216,32 @@ def getbasetemp(self) -> Path:
             user = get_user() or "unknown"
             # use a sub-directory in the temproot to speed-up
             # make_numbered_dir() call
-            rootdir = temproot.joinpath(f"pytest-of-{user}")
+            # Use a randomly-named rootdir created via mkdtemp to avoid
+            # the entire class of predictable-name attacks (symlink races,
+            # DoS via pre-created files/dirs, etc.).  See #13669.
+            rootdir_prefix = f"pytest-of-{user}-"
             try:
-                rootdir.mkdir(mode=0o700, exist_ok=True)
+                rootdir = Path(tempfile.mkdtemp(prefix=rootdir_prefix, dir=temproot))
             except OSError:
-                # getuser() likely returned illegal characters for the platform, use unknown back off mechanism
-                rootdir = temproot.joinpath("pytest-of-unknown")
-                rootdir.mkdir(mode=0o700, exist_ok=True)
-            # Because we use exist_ok=True with a predictable name, make sure
-            # we are the owners, to prevent any funny business (on unix, where
-            # temproot is usually shared).
-            # Also, to keep things private, fixup any world-readable temp
-            # rootdir's permissions. Historically 0o755 was used, so we can't
-            # just error out on this, at least for a while.
+                # getuser() likely returned illegal characters for the
+                # platform, fall back to a safe prefix.
+                rootdir_prefix = "pytest-of-unknown-"
+                rootdir = Path(tempfile.mkdtemp(prefix=rootdir_prefix, dir=temproot))
+            # mkdtemp applies the umask; ensure 0o700 unconditionally.
+            os.chmod(rootdir, 0o700)
+            # Defense-in-depth: verify ownership and tighten permissions
+            # via fd-based ops to eliminate TOCTOU races (CVE-2025-71176).
             uid = get_user_id()
             if uid is not None:
-                rootdir_stat = rootdir.stat()
-                if rootdir_stat.st_uid != uid:
-                    raise OSError(
-                        f"The temporary directory {rootdir} is not owned by the current user. "
-                        "Fix this and try again."
-                    )
-                if (rootdir_stat.st_mode & 0o077) != 0:
-                    os.chmod(rootdir, rootdir_stat.st_mode & ~0o077)
+                with _safe_open_dir(rootdir) as dir_fd:
+                    rootdir_stat = os.fstat(dir_fd)
+                    if rootdir_stat.st_uid != uid:
+                        raise OSError(
+                            f"The temporary directory {rootdir} is not owned by the current user. "
+                            "Fix this and try again."
+                        )
+                    if (rootdir_stat.st_mode & 0o077) != 0:
+                        os.fchmod(dir_fd, rootdir_stat.st_mode & ~0o077)
             keep = self._retention_count
             if self._retention_policy == "none":
                 keep = 0
@@ -190,6 +252,8 @@ def getbasetemp(self) -> Path:
                 lock_timeout=LOCK_TIMEOUT,
                 mode=0o700,
             )
+            # Clean up old rootdirs from previous sessions.
+            _cleanup_old_rootdirs(temproot, rootdir_prefix, keep, current=rootdir)
         assert basetemp is not None, basetemp
         self._basetemp = basetemp
         self._trace("new basetemp", basetemp)