* [pre-commit.ci] pre-commit autoupdate
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Ran Benita <ran@unusedvar.com>
pytest uses a root temp directory named `/tmp/pytest-of-<username>`. The
name is predictable, and the directory might already exists from a
previous run, so that's allowed.
This makes it possible for my_user to pre-create
`/tmp/pytest-of-another_user`, thus giving my_user control of
another_user's tempdir.
Prevent this scenario by adding a couple of safety checks. I believe
they are sufficient.
Testing the first check requires changing the owner, which requires
root permissions, so can't be unit-tested easily, but I checked it
manually.
(Written for a Unix system, but might be applicable to Windows as well).
pytest creates a root temporary directory under /tmp, named
`pytest-of-<username>`, and creates tmp_path's and other under it.
/tmp is shared between all users of the system.
This root temporary directory was created with 0o777&~umask permissions,
which usually becomes 0o755, meaning any user in the system could list
and read the files, which is undesirable.
Use 0o700 permissions instead. Also for subdirectories, because the root
dir is adjustable.
Calling pkg_resources.fixup_namespace_packages() is only needed for packages
that use pkg_resources.declare_namespace() and hence they already imported
pkg_resources. When pkg_resources is not imported, we don't need to use it.
This avoids an unneeded runtime dependency on setuptools.
The code is tested by test_syspath_prepend_with_namespace_packages,
behavior should remain unchanged, hence no new test was added.
When people drop pkg_resources from sys.modules, they are on their own.
If someone has a actual use case making this valid to support,
they can come in and provide a test, a reference and a fix.
This type is most prominent in `pytest.raises` and we should allow to
refer to it by a public name.
The type is not in a perfectly "exposable" state. In particular:
- The `traceback` property with type `Traceback` which is derived from
the `py.code` API and exposes a bunch more types transitively. This
stuff is *not* exported and probably won't be.
- The `getrepr` method which probably should be private.
But they're already used in the wild so no point in just hiding them
now.
The __init__ API is hidden -- the public API for this are the `from_*`
classmethods.
The prefixes make the API Reference docs (for e.g. `pytest.raises`,
`pytest.fixture`) uglier.
Being under `_pytest` is sufficient from a privacy perspective, so let's
drop them.