Modify diagnostic ranges for shell-related bandit rules
charliermarsh committed Mar 30, 2024
1 parent 9f56902 commit ef6415c
Showing 6 changed files with 100 additions and 109 deletions.
21 changes: 10 additions & 11 deletions crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs
Expand Up @@ -296,27 +296,27 @@ pub(crate) fn shell_injection(checker: &mut Checker, call: &ast::ExprCall) {
// S602
Some(ShellKeyword {
truthiness: truthiness @ (Truthiness::True | Truthiness::Truthy),
keyword,
keyword: _,
}) => {
if checker.enabled(Rule::SubprocessPopenWithShellEqualsTrue) {
checker.diagnostics.push(Diagnostic::new(
SubprocessPopenWithShellEqualsTrue {
safety: Safety::from(arg),
is_exact: matches!(truthiness, Truthiness::True),
},
keyword.range(),
call.func.range(),
));
}
}
// S603
Some(ShellKeyword {
truthiness: Truthiness::False | Truthiness::Falsey | Truthiness::Unknown,
keyword,
keyword: _,
}) => {
if checker.enabled(Rule::SubprocessWithoutShellEqualsTrue) {
checker.diagnostics.push(Diagnostic::new(
SubprocessWithoutShellEqualsTrue,
keyword.range(),
call.func.range(),
));
}
}
Expand All @@ -325,7 +325,7 @@ pub(crate) fn shell_injection(checker: &mut Checker, call: &ast::ExprCall) {
if checker.enabled(Rule::SubprocessWithoutShellEqualsTrue) {
checker.diagnostics.push(Diagnostic::new(
SubprocessWithoutShellEqualsTrue,
arg.range(),
call.func.range(),
));
}
}
Expand All @@ -342,7 +342,7 @@ pub(crate) fn shell_injection(checker: &mut Checker, call: &ast::ExprCall) {
CallWithShellEqualsTrue {
is_exact: matches!(truthiness, Truthiness::True),
},
keyword.range(),
call.func.range(),
));
}
}
Expand All @@ -355,7 +355,7 @@ pub(crate) fn shell_injection(checker: &mut Checker, call: &ast::ExprCall) {
StartProcessWithAShell {
safety: Safety::from(arg),
},
arg.range(),
call.func.range(),
));
}
}
Expand Down Expand Up @@ -399,10 +399,9 @@ pub(crate) fn shell_injection(checker: &mut Checker, call: &ast::ExprCall) {
{
if let Some(arg) = call.arguments.args.first() {
if is_wildcard_command(arg) {
checker.diagnostics.push(Diagnostic::new(
UnixCommandWildcardInjection,
call.func.range(),
));
checker
.diagnostics
.push(Diagnostic::new(UnixCommandWildcardInjection, arg.range()));
}
}
}
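Review bot: Re-anchoring S602–S605 from `keyword.range()`/`arg.range()` to `call.func.range()` (the new lines after `-296`, `-325`, `-342`, `-355`) changes which physical line a suppression must sit on for multi-line calls, because, if I read the linter correctly, `# noqa` is matched against the diagnostic's start line: a `# noqa: S602` that today sits on the `shell=True,` line of a split `Popen(` call will stop suppressing and that finding will resurface, which is a good default for a security rule but deserves a sentence in the changelog or the rule docs. The S609 arm moves in the opposite direction, from the callee to `arg.range()`, so a short comment at the head of the match would stop the next reader from "fixing" the inconsistency, e.g. `// S602–S605 anchor on the callee; S609 anchors on the argument that carries the wildcard.` The S604 arm at `-342` now uses `call.func.range()` but its pattern binding is outside the hunk; if it still binds `keyword` by name that binding is now unused and should become `keyword: _` like the S602/S603 arms. The enclosing `shell_injection` function starts before the first hunk and continues past the last.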
@@ -1,117 +1,115 @@
---
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
---
S602.py:4:15: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:4:1: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
|
3 | # Check different Popen wrappers are checked.
4 | Popen("true", shell=True)
| ^^^^^^^^^^ S602
| ^^^^^ S602
5 | call("true", shell=True)
6 | check_call("true", shell=True)
|

S602.py:5:14: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:5:1: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
|
3 | # Check different Popen wrappers are checked.
4 | Popen("true", shell=True)
5 | call("true", shell=True)
| ^^^^^^^^^^ S602
| ^^^^ S602
6 | check_call("true", shell=True)
7 | check_output("true", shell=True)
|

S602.py:6:20: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:6:1: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
|
4 | Popen("true", shell=True)
5 | call("true", shell=True)
6 | check_call("true", shell=True)
| ^^^^^^^^^^ S602
| ^^^^^^^^^^ S602
7 | check_output("true", shell=True)
8 | run("true", shell=True)
|

S602.py:7:22: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:7:1: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
|
5 | call("true", shell=True)
6 | check_call("true", shell=True)
7 | check_output("true", shell=True)
| ^^^^^^^^^^ S602
| ^^^^^^^^^^^^ S602
8 | run("true", shell=True)
|

S602.py:8:13: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:8:1: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
|
6 | check_call("true", shell=True)
7 | check_output("true", shell=True)
8 | run("true", shell=True)
| ^^^^^^^^^^ S602
| ^^^ S602
9 |
10 | # Check values that truthy values are treated as true.
|

S602.py:11:15: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:11:1: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
|
10 | # Check values that truthy values are treated as true.
11 | Popen("true", shell=1)
| ^^^^^^^ S602
| ^^^^^ S602
12 | Popen("true", shell=[1])
13 | Popen("true", shell={1: 1})
|

S602.py:12:15: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:12:1: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
|
10 | # Check values that truthy values are treated as true.
11 | Popen("true", shell=1)
12 | Popen("true", shell=[1])
| ^^^^^^^^^ S602
| ^^^^^ S602
13 | Popen("true", shell={1: 1})
14 | Popen("true", shell=(1,))
|

S602.py:13:15: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:13:1: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
|
11 | Popen("true", shell=1)
12 | Popen("true", shell=[1])
13 | Popen("true", shell={1: 1})
| ^^^^^^^^^^^^ S602
| ^^^^^ S602
14 | Popen("true", shell=(1,))
|

S602.py:14:15: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
S602.py:14:1: S602 `subprocess` call with truthy `shell` seems safe, but may be changed in the future; consider rewriting without `shell`
|
12 | Popen("true", shell=[1])
13 | Popen("true", shell={1: 1})
14 | Popen("true", shell=(1,))
| ^^^^^^^^^^ S602
| ^^^^^ S602
15 |
16 | # Check command argument looks unsafe.
|

S602.py:18:19: S602 `subprocess` call with `shell=True` identified, security issue
S602.py:18:1: S602 `subprocess` call with `shell=True` identified, security issue
|
16 | # Check command argument looks unsafe.
17 | var_string = "true"
18 | Popen(var_string, shell=True)
| ^^^^^^^^^^ S602
| ^^^^^ S602
19 | Popen([var_string], shell=True)
20 | Popen([var_string, ""], shell=True)
|

S602.py:19:21: S602 `subprocess` call with `shell=True` identified, security issue
S602.py:19:1: S602 `subprocess` call with `shell=True` identified, security issue
|
17 | var_string = "true"
18 | Popen(var_string, shell=True)
19 | Popen([var_string], shell=True)
| ^^^^^^^^^^ S602
| ^^^^^ S602
20 | Popen([var_string, ""], shell=True)
|

S602.py:20:25: S602 `subprocess` call with `shell=True` identified, security issue
S602.py:20:1: S602 `subprocess` call with `shell=True` identified, security issue
|
18 | Popen(var_string, shell=True)
19 | Popen([var_string], shell=True)
20 | Popen([var_string, ""], shell=True)
| ^^^^^^^^^^ S602
| ^^^^^ S602
|


@@ -1,106 +1,104 @@
---
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
---
S603.py:4:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:4:1: S603 `subprocess` call: check for execution of untrusted input
|
3 | # Different Popen wrappers are checked.
4 | Popen("true", shell=False)
| ^^^^^^^^^^^ S603
| ^^^^^ S603
5 | call("true", shell=False)
6 | check_call("true", shell=False)
|

S603.py:5:14: S603 `subprocess` call: check for execution of untrusted input
S603.py:5:1: S603 `subprocess` call: check for execution of untrusted input
|
3 | # Different Popen wrappers are checked.
4 | Popen("true", shell=False)
5 | call("true", shell=False)
| ^^^^^^^^^^^ S603
| ^^^^ S603
6 | check_call("true", shell=False)
7 | check_output("true", shell=False)
|

S603.py:6:20: S603 `subprocess` call: check for execution of untrusted input
S603.py:6:1: S603 `subprocess` call: check for execution of untrusted input
|
4 | Popen("true", shell=False)
5 | call("true", shell=False)
6 | check_call("true", shell=False)
| ^^^^^^^^^^^ S603
| ^^^^^^^^^^ S603
7 | check_output("true", shell=False)
8 | run("true", shell=False)
|

S603.py:7:22: S603 `subprocess` call: check for execution of untrusted input
S603.py:7:1: S603 `subprocess` call: check for execution of untrusted input
|
5 | call("true", shell=False)
6 | check_call("true", shell=False)
7 | check_output("true", shell=False)
| ^^^^^^^^^^^ S603
| ^^^^^^^^^^^^ S603
8 | run("true", shell=False)
|

S603.py:8:13: S603 `subprocess` call: check for execution of untrusted input
S603.py:8:1: S603 `subprocess` call: check for execution of untrusted input
|
6 | check_call("true", shell=False)
7 | check_output("true", shell=False)
8 | run("true", shell=False)
| ^^^^^^^^^^^ S603
| ^^^ S603
9 |
10 | # Values that falsey values are treated as false.
|

S603.py:11:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:11:1: S603 `subprocess` call: check for execution of untrusted input
|
10 | # Values that falsey values are treated as false.
11 | Popen("true", shell=0)
| ^^^^^^^ S603
| ^^^^^ S603
12 | Popen("true", shell=[])
13 | Popen("true", shell={})
|

S603.py:12:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:12:1: S603 `subprocess` call: check for execution of untrusted input
|
10 | # Values that falsey values are treated as false.
11 | Popen("true", shell=0)
12 | Popen("true", shell=[])
| ^^^^^^^^ S603
| ^^^^^ S603
13 | Popen("true", shell={})
14 | Popen("true", shell=None)
|

S603.py:13:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:13:1: S603 `subprocess` call: check for execution of untrusted input
|
11 | Popen("true", shell=0)
12 | Popen("true", shell=[])
13 | Popen("true", shell={})
| ^^^^^^^^ S603
| ^^^^^ S603
14 | Popen("true", shell=None)
|

S603.py:14:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:14:1: S603 `subprocess` call: check for execution of untrusted input
|
12 | Popen("true", shell=[])
13 | Popen("true", shell={})
14 | Popen("true", shell=None)
| ^^^^^^^^^^ S603
| ^^^^^ S603
15 |
16 | # Unknown values are treated as falsey.
|

S603.py:17:15: S603 `subprocess` call: check for execution of untrusted input
S603.py:17:1: S603 `subprocess` call: check for execution of untrusted input
|
16 | # Unknown values are treated as falsey.
17 | Popen("true", shell=True if True else False)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S603
| ^^^^^ S603
18 |
19 | # No value is also caught.
|

S603.py:20:7: S603 `subprocess` call: check for execution of untrusted input
S603.py:20:1: S603 `subprocess` call: check for execution of untrusted input
|
19 | # No value is also caught.
20 | Popen("true")
| ^^^^^^ S603
| ^^^^^ S603
|


@@ -1,10 +1,8 @@
---
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
---
S604.py:5:5: S604 Function call with `shell=True` parameter identified, security issue
S604.py:5:1: S604 Function call with `shell=True` parameter identified, security issue
|
5 | foo(shell=True)
| ^^^^^^^^^^ S604
| ^^^ S604
|


