Avoid S108 if path is inside tempfile.* call (#6416)

crates/ruff/resources/test/fixtures/flake8_bandit/S108.py

@@ -14,3 +14,19 @@ with open("/dev/shm/unit/test", "w") as f:
 # not ok by config
 with open("/foo/bar", "w") as f:
     f.write("def")
+
+# Using `tempfile` module should be ok
+import tempfile
+from tempfile import TemporaryDirectory
+
+with tempfile.NamedTemporaryFile(dir="/tmp") as f:
+    f.write(b"def")
+
+with tempfile.NamedTemporaryFile(dir="/var/tmp") as f:
+    f.write(b"def")
+
+with tempfile.TemporaryDirectory(dir="/dev/shm") as d:
+    pass
+
+with TemporaryDirectory(dir="/tmp") as d:
+    pass

crates/ruff/src/checkers/ast/analyze/expression.rs

@@ -1229,13 +1229,7 @@ pub(crate) fn expression(expr: &Expr, checker: &mut Checker) {
                 }
             }
             if checker.enabled(Rule::HardcodedTempFile) {
-                if let Some(diagnostic) = flake8_bandit::rules::hardcoded_tmp_directory(
+                flake8_bandit::rules::hardcoded_tmp_directory(checker, expr, value);
-                    expr,
-                    value,
-                    &checker.settings.flake8_bandit.hardcoded_tmp_directory,
-                ) {
-                    checker.diagnostics.push(diagnostic);
-                }
             }
             if checker.enabled(Rule::UnicodeKindPrefix) {
                 pyupgrade::rules::unicode_kind_prefix(checker, expr, kind.as_deref());

crates/ruff/src/rules/flake8_bandit/rules/hardcoded_tmp_directory.rs

@@ -1,8 +1,10 @@
-use ruff_python_ast::{Expr, Ranged};
+use ruff_python_ast::{self as ast, Expr, Ranged};
 
 use ruff_diagnostics::{Diagnostic, Violation};
 use ruff_macros::{derive_message_formats, violation};
 
+use crate::checkers::ast::Checker;
+
 /// ## What it does
 /// Checks for the use of hardcoded temporary file or directory paths.
 ///
@@ -49,19 +51,33 @@ impl Violation for HardcodedTempFile {
 }
 
 /// S108
-pub(crate) fn hardcoded_tmp_directory(
+pub(crate) fn hardcoded_tmp_directory(checker: &mut Checker, expr: &Expr, value: &str) {
-    expr: &Expr,
+    if !checker
-    value: &str,
+        .settings
-    prefixes: &[String],
+        .flake8_bandit
-) -> Option<Diagnostic> {
+        .hardcoded_tmp_directory
-    if prefixes.iter().any(|prefix| value.starts_with(prefix)) {
+        .iter()
-        Some(Diagnostic::new(
+        .any(|prefix| value.starts_with(prefix))
-            HardcodedTempFile {
+    {
-                string: value.to_string(),
+        return;
-            },
-            expr.range(),
-        ))
-    } else {
-        None
     }
+
+    if let Some(Expr::Call(ast::ExprCall { func, .. })) =
+        checker.semantic().current_expression_parent()
+    {
+        if checker
+            .semantic()
+            .resolve_call_path(func)
+            .is_some_and(|call_path| matches!(call_path.as_slice(), ["tempfile", ..]))
+        {
+            return;
+        }
+    }
+
+    checker.diagnostics.push(Diagnostic::new(
+        HardcodedTempFile {
+            string: value.to_string(),
+        },
+        expr.range(),
+    ));
 }