# Insecure Temporary File Creation via tempfile.mktemp

Language: Python
Severity: High
CWE: CWE-377

## Source
5

## Flow
5-13

## Sink
13

## Vulnerable Code
```python
import tempfile
import json
import os

def store_iot_sensor_telemetry(device_id, temperature, humidity, pressure):
    telemetry_cache = tempfile.mktemp(suffix='.json', prefix=f'iot_{device_id}_')
    sensor_data = {
        'device': device_id,
        'temp': temperature,
        'humidity': humidity,
        'pressure': pressure
    }
    with open(telemetry_cache, 'w') as f:
        json.dump(sensor_data, f)
    os.system(f'curl -X POST https://cloud.iot-platform.com/ingest -d @{telemetry_cache}')
    os.remove(telemetry_cache)
    return telemetry_cache
```

## Explanation

The code uses the deprecated tempfile.mktemp() which creates a predictable filename without atomically creating the file, leading to a race condition vulnerability (TOCTOU - Time of Check Time of Use). An attacker can predict the filename and create a malicious file or symlink at that path before the legitimate code opens it. Additionally, the predictable filename is directly interpolated into an os.system() command, enabling command injection if an attacker controls the file path or creates a malicious filename.

## Remediation

The fix replaces tempfile.mktemp() with tempfile.NamedTemporaryFile(delete=False) which atomically creates the file with secure permissions, eliminating the TOCTOU race condition. It also replaces os.system() with subprocess.run() using an argument list to prevent command injection, and adds input validation on device_id to reject malicious characters.

## Secure Code
```python
import tempfile
import json
import os
import subprocess
import re

def store_iot_sensor_telemetry(device_id, temperature, humidity, pressure):
    # Validate device_id to prevent injection attacks
    if not re.match(r'^[a-zA-Z0-9_\-]+$', str(device_id)):
        raise ValueError("Invalid device_id: must contain only alphanumeric characters, hyphens, and underscores")
    
    sensor_data = {
        'device': device_id,
        'temp': temperature,
        'humidity': humidity,
        'pressure': pressure
    }
    
    # Use NamedTemporaryFile to atomically create the file with secure permissions
    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', prefix=f'iot_{device_id}_',
                                      delete=False, dir=None) as f:
        telemetry_cache = f.name
        os.chmod(telemetry_cache, 0o600)
        json.dump(sensor_data, f)
    
    try:
        # Use subprocess with argument list to prevent command injection
        subprocess.run(
            ['curl', '-X', 'POST', 'https://cloud.iot-platform.com/ingest',
             '-d', f'@{telemetry_cache}'],
            check=True,
            timeout=30
        )
    finally:
        # Ensure temp file is always cleaned up
        if os.path.exists(telemetry_cache):
            os.remove(telemetry_cache)
    
    return telemetry_cache
```