[flake8-bandit] Mark tuples of string literals as trusted input in S603 #17801
Conversation
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S603 | 1 | 0 | 1 | 0 | 0 |
Might be a nitpick, but technically the python type is
```
44 | # https://github.com/astral-sh/ruff/issues/17798
45 | # Tuple literals are trusted
46 | check_output(("literal", "cmd", "using", "tuple"), text=True)
   |              ^^^^^^^^^^^^ S603
47 | Popen(("literal", "cmd", "using", "tuple"))
   |

S603.py:47:1: S603 `subprocess` call: check for execution of untrusted input
   |
45 | # Tuple literals are trusted
46 | check_output(("literal", "cmd", "using", "tuple"), text=True)
47 | Popen(("literal", "cmd", "using", "tuple"))
   | ^^^^^ S603
```
Aren't these both showing that tuples are still flagged? I thought we should expect not to see a diagnostic here now.
Oh shoot, I forgot to comment about that. So, if I run using the check command in this code, no diagnostics are flagged.

```python
from subprocess import Popen, check_output
check_output(("literal", "cmd", "using", "tuple"), text=True)
Popen(("literal", "cmd", "using", "tuple"))
```

```
$ cargo run -p ruff -- check sample.py --preview --no-cache --select S603
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.19s
     Running `target/debug/ruff check sample2.py --preview --no-cache --select S603`
All checks passed!
```
I don't know why it's only creating the diagnostics for the snapshot test. Do you have any idea?
Ohhh, I see. The same Python file (`S603.py`) is passed to both the `rules` test and the `preview_rules` case. We're not seeing a snapshot for the `preview` version because your change is working properly! This snapshot is for the non-preview version, which correctly shows the diagnostic, my mistake.
Thanks!

I'll update the title to say tuples of string literals in line with @Avasam's suggestion, but I think the inline `tuple[str]` comment is fine :)
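To make the decision the thread is about concrete, here is an added example (not ruff's code, which implements S603 in Rust): a small Python AST walker that approximates the trusted-input check. A `subprocess` call whose command argument is a list or tuple made only of string literals is treated as trusted and skipped; treating a single string literal the same way is an assumption of this example. The set of recognised entry points and the sample source are constructed for the example, and the sample reuses the two tuple calls from the discussion plus three calls whose command expression is not a literal sequence.

```python
"""Added example: approximation of S603's trusted-input decision (not ruff's code)."""
import ast

# subprocess entry points this example recognises (assumed set, not ruff's list)
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _is_trusted_command(node: ast.expr) -> bool:
    """True when the command is a string literal or a list/tuple of string literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(
            isinstance(e, ast.Constant) and isinstance(e.value, str)
            for e in node.elts
        )
    return False


def find_untrusted_subprocess_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, subprocess function name) for calls whose command is not
    built purely from string literals, i.e. where runtime data may shape it."""
    tree = ast.parse(source)

    # Names bound by `from subprocess import X [as Y]`, mapped back to X.
    imported: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            # subprocess.run(...), subprocess.Popen(...)
            if not (isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
                continue
            name = func.attr
        elif isinstance(func, ast.Name) and func.id in imported:
            # Popen(...) after `from subprocess import Popen`
            name = imported[func.id]
        else:
            continue
        if name in SUBPROCESS_FUNCS and not _is_trusted_command(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input: lines 4 and 5 are literal tuples (trusted);
# lines 6, 8 and 9 build the command from something other than literals.
SAMPLE = """\
import subprocess
from subprocess import Popen, check_output

check_output(("literal", "cmd", "using", "tuple"), text=True)
Popen(("literal", "cmd", "using", "tuple"))
subprocess.run(["ls", "-l", user_dir])
cmd = ["ls"]
Popen(cmd)
subprocess.call("ls " + path, shell=True)
"""

if __name__ == "__main__":
    for line, name in find_untrusted_subprocess_calls(SAMPLE):
        print(f"sample.py:{line}: `{name}` command is not a literal sequence")
```

Run as a script it reports lines 6, 8 and 9 of the constructed sample and stays silent on the two tuple calls, which is the behaviour the preview rule now has. The point of "trusted" here is narrow: the command is fixed at authoring time, so no caller-supplied data can alter which program runs or which arguments it receives; anything assembled from variables, concatenation or a name bound elsewhere still deserves the diagnostic and a manual look.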
[flake8-bandit] Mark tuple[str] literal as trusted input in S603
[flake8-bandit] Mark tuples of string literals as trusted input in S603
…`S603` (#17801)

## Summary
Fixes #17798

## Test Plan
Snapshot tests
Summary
Fixes #17798
Test Plan
Snapshot tests