tmpdir: prevent symlink attacks and TOCTOU races (CVE-2025-71176)

AUTHORS

@@ -264,6 +264,7 @@ Kojo Idrissa
 Kostis Anagnostopoulos
 Kristoffer Nordström
 Kyle Altendorf
+Laura Kaminskiy
 Lawrence Mitchell
 Lee Kamentsky
 Leonardus Chen

changelog/13669.bugfix.rst

@@ -0,0 +1,9 @@
+Fixed a symlink attack vulnerability ([CVE-2025-71176](https://github.com/pytest-dev/pytest/issues/13669)) in
+the [tmp_path](https://github.com/pytest-dev/pytest/blob/295d9da900a0dbe8b4093d6a6bc977cd567aa4b0/src/_pytest/tmpdir.py#L258)
+fixture's base directory handling.
+
+The ``pytest-of-<user>`` directory under the system temp root is now opened
+with [O_NOFOLLOW](https://man7.org/linux/man-pages/man2/open.2.html#:~:text=not%20have%20one.-,O_NOFOLLOW,-If%20the%20trailing)
+and verified using
+file-descriptor-based [fstat](https://linux.die.net/man/2/fstat)/[fchmod](https://linux.die.net/man/2/fchmod),
+preventing symlink attacks and [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) races.

src/_pytest/pathlib.py

@@ -159,9 +159,59 @@ def get_extended_length_path_str(path: str) -> str:
     return long_path_prefix + path
 
 
+def _check_symlink_attack_safety(path: Path) -> None:
+    """Guard against symlink attacks before recursive directory removal.
+
+    If ``shutil.rmtree.avoids_symlink_attacks`` is True the platform's
+    rmtree implementation uses fd-based operations that are inherently
+    resistant to symlink races; we only need to verify *path* itself is
+    not a symlink.
+
+    When the attribute is False the platform cannot guarantee safety.  We
+    still refuse to remove a symlink, but a TOCTOU window remains for
+    contents *inside* the tree, so we emit a one-time warning.
+
+    Raises ``OSError`` if *path* is a symlink.
+    """
+    if path.is_symlink():
+        raise OSError(
+            f"Refusing to recursively remove {path}: "
+            "path is a symlink, not a real directory."
+        )
+    if not shutil.rmtree.avoids_symlink_attacks:
+        warnings.warn(
+            PytestWarning(
+                "shutil.rmtree.avoids_symlink_attacks is False on this platform: "
+                "recursive directory removal may be susceptible to symlink attacks."
+            ),
+            stacklevel=3,
+        )
+
+
+def safe_rmtree(path: Path, *, ignore_errors: bool = False) -> None:
+    """Remove a directory tree with protection against symlink attacks.
+
+    Verifies that ``shutil.rmtree.avoids_symlink_attacks`` is True (the
+    platform provides a symlink-attack-resistant implementation) before
+    proceeding.  On platforms without this guarantee an explicit symlink
+    check is performed and a warning is emitted.
+
+    When *ignore_errors* is True, a symlink at *path* is silently skipped
+    rather than raising.
+    """
+    try:
+        _check_symlink_attack_safety(path)
+    except OSError:
+        if not ignore_errors:
+            raise
+        return
+    shutil.rmtree(str(path), ignore_errors=ignore_errors)
+
+
 def rm_rf(path: Path) -> None:
     """Remove the path contents recursively, even if some elements
     are read-only."""
+    _check_symlink_attack_safety(path)
     path = ensure_extended_length_path(path)
     onerror = partial(on_rm_rf_error, start_path=path)
     if sys.version_info >= (3, 12):

src/_pytest/tmpdir.py

@@ -4,11 +4,11 @@
 from __future__ import annotations
 
 from collections.abc import Generator
+import contextlib
 import dataclasses
 import os
 from pathlib import Path
 import re
-from shutil import rmtree
 import tempfile
 from typing import Any
 from typing import final
@@ -19,6 +19,7 @@
 from .pathlib import make_numbered_dir
 from .pathlib import make_numbered_dir_with_cleanup
 from .pathlib import rm_rf
+from .pathlib import safe_rmtree
 from _pytest.compat import get_user_id
 from _pytest.config import Config
 from _pytest.config import ExitCode
@@ -37,6 +38,70 @@
 RetentionType = Literal["all", "failed", "none"]
 
 
+@contextlib.contextmanager
+def _safe_open_dir(path: Path) -> Generator[int]:
+    """Open a directory without following symlinks and yield its file descriptor.
+
+    Uses O_NOFOLLOW and O_DIRECTORY (when available) to prevent symlink
+    attacks (CVE-2025-71176).  The fd-based operations (fstat, fchmod)
+    also eliminate TOCTOU races.
+
+    Args:
+        path: Directory to open.
+
+    Yields:
+        An open file descriptor for the directory.
+
+    Raises:
+        OSError: If the path cannot be safely opened (e.g. it is a symlink).
+    """
+    open_flags = os.O_RDONLY
+    for _flag in ("O_NOFOLLOW", "O_DIRECTORY"):
+        open_flags |= getattr(os, _flag, 0)
+    try:
+        dir_fd = os.open(str(path), open_flags)
+    except OSError as e:
+        raise OSError(
+            f"The temporary directory {path} could not be "
+            "safely opened (it may be a symlink). "
+            "Remove the symlink or directory and try again."
+        ) from e
+    try:
+        yield dir_fd
+    finally:
+        os.close(dir_fd)
+
+
+def _cleanup_old_rootdirs(
+    temproot: Path, prefix: str, keep: int, current: Path
+) -> None:
+    """Remove old randomly-named rootdirs, keeping the *keep* most recent.
+
+    *current* is excluded so the running session's rootdir is never removed.
+    Errors are silently ignored (other sessions may hold locks, etc.).
+
+    Uses ``os.scandir`` with ``follow_symlinks=False`` so that symlinks
+    planted under *temproot* are never followed during enumeration —
+    defense-in-depth against symlink attacks (CVE-2025-71176).
+    """
+    try:
+        candidates = sorted(
+            (
+                Path(entry.path)
+                for entry in os.scandir(temproot)
+                if entry.is_dir(follow_symlinks=False)
+                and entry.name.startswith(prefix)
+                and Path(entry.path) != current
+            ),
+            key=lambda p: p.lstat().st_mtime,
+            reverse=True,
+        )
+    except OSError:
+        return
+    for old in candidates[keep:]:
+        safe_rmtree(old, ignore_errors=True)
+
+
 @final
 @dataclasses.dataclass
 class TempPathFactory:
@@ -157,29 +222,32 @@ def getbasetemp(self) -> Path:
             user = get_user() or "unknown"
             # use a sub-directory in the temproot to speed-up
             # make_numbered_dir() call
-            rootdir = temproot.joinpath(f"pytest-of-{user}")
+            # Use a randomly-named rootdir created via mkdtemp to avoid
+            # the entire class of predictable-name attacks (symlink races,
+            # DoS via pre-created files/dirs, etc.).  See #13669.
+            rootdir_prefix = f"pytest-of-{user}-"
             try:
-                rootdir.mkdir(mode=0o700, exist_ok=True)
+                rootdir = Path(tempfile.mkdtemp(prefix=rootdir_prefix, dir=temproot))
             except OSError:
-                # getuser() likely returned illegal characters for the platform, use unknown back off mechanism
-                rootdir = temproot.joinpath("pytest-of-unknown")
-                rootdir.mkdir(mode=0o700, exist_ok=True)
-            # Because we use exist_ok=True with a predictable name, make sure
-            # we are the owners, to prevent any funny business (on unix, where
-            # temproot is usually shared).
-            # Also, to keep things private, fixup any world-readable temp
-            # rootdir's permissions. Historically 0o755 was used, so we can't
-            # just error out on this, at least for a while.
+                # getuser() likely returned illegal characters for the
+                # platform, fall back to a safe prefix.
+                rootdir_prefix = "pytest-of-unknown-"
+                rootdir = Path(tempfile.mkdtemp(prefix=rootdir_prefix, dir=temproot))
+            # mkdtemp applies the umask; ensure 0o700 unconditionally.
+            os.chmod(rootdir, 0o700)
+            # Defense-in-depth: verify ownership and tighten permissions
+            # via fd-based ops to eliminate TOCTOU races (CVE-2025-71176).
             uid = get_user_id()
             if uid is not None:
-                rootdir_stat = rootdir.stat()
-                if rootdir_stat.st_uid != uid:
-                    raise OSError(
-                        f"The temporary directory {rootdir} is not owned by the current user. "
-                        "Fix this and try again."
-                    )
-                if (rootdir_stat.st_mode & 0o077) != 0:
-                    os.chmod(rootdir, rootdir_stat.st_mode & ~0o077)
+                with _safe_open_dir(rootdir) as dir_fd:
+                    rootdir_stat = os.fstat(dir_fd)
+                    if rootdir_stat.st_uid != uid:
+                        raise OSError(
+                            f"The temporary directory {rootdir} is not owned by the current user. "
+                            "Fix this and try again."
+                        )
+                    if (rootdir_stat.st_mode & 0o077) != 0:
+                        os.fchmod(dir_fd, rootdir_stat.st_mode & ~0o077)
             keep = self._retention_count
             if self._retention_policy == "none":
                 keep = 0
@@ -190,6 +258,8 @@ def getbasetemp(self) -> Path:
                 lock_timeout=LOCK_TIMEOUT,
                 mode=0o700,
             )
+            # Clean up old rootdirs from previous sessions.
+            _cleanup_old_rootdirs(temproot, rootdir_prefix, keep, current=rootdir)
         assert basetemp is not None, basetemp
         self._basetemp = basetemp
         self._trace("new basetemp", basetemp)
@@ -274,7 +344,7 @@ def tmp_path(
     if policy == "failed" and result_dict.get("call", True):
         # We do a "best effort" to remove files, but it might not be possible due to some leaked resource,
         # permissions, etc, in which case we ignore it.
-        rmtree(path, ignore_errors=True)
+        safe_rmtree(path, ignore_errors=True)
 
     del request.node.stash[tmppath_result_key]
 
@@ -297,7 +367,7 @@ def pytest_sessionfinish(session, exitstatus: int | ExitCode):
         if basetemp.is_dir():
             # We do a "best effort" to remove files, but it might not be possible due to some leaked resource,
             # permissions, etc, in which case we ignore it.
-            rmtree(basetemp, ignore_errors=True)
+            safe_rmtree(basetemp, ignore_errors=True)
 
     # Remove dead symlinks.
     if basetemp.is_dir():