Implement S601, paramiko_calls

astral-sh · May 18, 2023 · 9d36959 · 9d36959
1 parent fdd8941
commit 9d36959
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 0 deletions.
diff --git a/crates/ruff/resources/test/fixtures/flake8_bandit/S601.py b/crates/ruff/resources/test/fixtures/flake8_bandit/S601.py
@@ -0,0 +1,3 @@
+import paramiko
+
+paramiko.exec_command('something; really; unsafe')
diff --git a/crates/ruff/src/checkers/ast/mod.rs b/crates/ruff/src/checkers/ast/mod.rs
@@ -2846,6 +2846,10 @@ where
                 if self.settings.rules.enabled(Rule::RequestWithoutTimeout) {
                     flake8_bandit::rules::request_without_timeout(self, func, args, keywords);
                 }
+                if self.settings.rules.enabled(Rule::ParamikoCalls)
+                {
+                    flake8_bandit::rules::paramiko_calls(self, func);
+                }
                 if self
                     .settings
                     .rules

diff --git a/crates/ruff/src/codes.rs b/crates/ruff/src/codes.rs
@@ -507,6 +507,7 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<(RuleGroup, Rule)> {
         (Flake8Bandit, "506") => (RuleGroup::Unspecified, Rule::UnsafeYAMLLoad),
         (Flake8Bandit, "508") => (RuleGroup::Unspecified, Rule::SnmpInsecureVersion),
         (Flake8Bandit, "509") => (RuleGroup::Unspecified, Rule::SnmpWeakCryptography),
+        (Flake8Bandit, "601") => (RuleGroup::Unspecified, Rule::ParamikoCalls),
         (Flake8Bandit, "602") => (RuleGroup::Unspecified, Rule::SubprocessPopenWithShellEqualsTrue),
         (Flake8Bandit, "603") => (RuleGroup::Unspecified, Rule::SubprocessWithoutShellEqualsTrue),
         (Flake8Bandit, "604") => (RuleGroup::Unspecified, Rule::CallWithShellEqualsTrue),

diff --git a/crates/ruff/src/registry.rs b/crates/ruff/src/registry.rs
@@ -422,6 +422,7 @@ ruff_macros::register_rules!(
     rules::flake8_bandit::rules::HardcodedTempFile,
     rules::flake8_bandit::rules::HashlibInsecureHashFunction,
     rules::flake8_bandit::rules::Jinja2AutoescapeFalse,
+    rules::flake8_bandit::rules::ParamikoCalls,
     rules::flake8_bandit::rules::LoggingConfigInsecureListen,
     rules::flake8_bandit::rules::RequestWithNoCertValidation,
     rules::flake8_bandit::rules::RequestWithoutTimeout,

diff --git a/crates/ruff/src/rules/flake8_bandit/mod.rs b/crates/ruff/src/rules/flake8_bandit/mod.rs
@@ -43,6 +43,7 @@ mod tests {
     #[test_case(Rule::TryExceptContinue, Path::new("S112.py"); "S112")]
     #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
     #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"); "S506")]
+    #[test_case(Rule::ParamikoCalls, Path::new("S601.py"); "S601")]
     fn rules(rule_code: Rule, path: &Path) -> Result<()> {
         let snapshot = format!("{}_{}", rule_code.noqa_code(), path.to_string_lossy());
         let diagnostics = test_path(

diff --git a/crates/ruff/src/rules/flake8_bandit/rules/mod.rs b/crates/ruff/src/rules/flake8_bandit/rules/mod.rs
@@ -20,6 +20,7 @@ pub(crate) use jinja2_autoescape_false::{jinja2_autoescape_false, Jinja2Autoesca
 pub(crate) use logging_config_insecure_listen::{
     logging_config_insecure_listen, LoggingConfigInsecureListen,
 };
+pub(crate) use paramiko_calls::{paramiko_calls, ParamikoCalls};
 pub(crate) use request_with_no_cert_validation::{
     request_with_no_cert_validation, RequestWithNoCertValidation,
 };
@@ -57,6 +58,7 @@ mod hardcoded_tmp_directory;
 mod hashlib_insecure_hash_functions;
 mod jinja2_autoescape_false;
 mod logging_config_insecure_listen;
+mod paramiko_calls;
 mod request_with_no_cert_validation;
 mod request_without_timeout;
 mod shell_injection;

diff --git a/crates/ruff/src/rules/flake8_bandit/rules/paramiko_calls.rs b/crates/ruff/src/rules/flake8_bandit/rules/paramiko_calls.rs
@@ -0,0 +1,34 @@
+use rustpython_parser::ast::{Expr, Ranged};
+
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+
+use crate::checkers::ast::Checker;
+
+#[violation]
+pub struct ParamikoCalls;
+
+impl Violation for ParamikoCalls {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("Possible shell injection via Paramiko call, check inputs are properly sanitized")
+    }
+}
+
+/// S601
+pub(crate) fn paramiko_calls(
+    checker: &mut Checker,
+    func: &Expr,
+) {
+    if checker
+        .ctx
+        .resolve_call_path(func)
+        .map_or(false, |call_path| {
+            call_path.as_slice() == ["paramiko", "exec_command"]
+        })
+    {
+        checker
+            .diagnostics
+            .push(Diagnostic::new(ParamikoCalls, func.range()));
+    }
+}
diff --git a/...ff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S601_S601.py.snap b/...ff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S601_S601.py.snap
@@ -0,0 +1,12 @@
+---
+source: crates/ruff/src/rules/flake8_bandit/mod.rs
+---
+S601.py:3:1: S601 Possible shell injection via Paramiko call, check inputs are properly sanitized
+  |
+3 | import paramiko
+4 | 
+5 | paramiko.exec_command('something; really; unsafe')
+  | ^^^^^^^^^^^^^^^^^^^^^ S601
+  |
+
+
diff --git a/ruff.schema.json b/ruff.schema.json
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		import paramiko

		paramiko.exec_command('something; really; unsafe')