S608 improvements (#4499)

astral-sh · May 18, 2023 · fdd8941 · fdd8941
1 parent 85f67b2
commit fdd8941
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 7 deletions.
diff --git a/crates/ruff/resources/test/fixtures/flake8_bandit/S608.py b/crates/ruff/resources/test/fixtures/flake8_bandit/S608.py
@@ -74,8 +74,8 @@ def query40():
 
 def query41():
     return (
-        "SELECT *"
-        "FROM table"
+        "SELECT * "
+        "FROM table "
         f"WHERE var = {var}"
     )
 
@@ -84,7 +84,7 @@ def query41():
 query43 = cursor.execute(f"SELECT * FROM table WHERE var = {var}")
 query44 = cursor.execute("SELECT * FROM table WHERE var = {}".format(var))
 query45 = cursor.executemany("SELECT * FROM table WHERE var = %s" % var, [])
- 
+
 # # pass
 query = "SELECT * FROM table WHERE id = 1"
 query = "DELETE FROM table WHERE id = 1"
@@ -93,3 +93,12 @@ def query41():
 cursor.execute('SELECT * FROM table WHERE id = %s', var)
 cursor.execute('SELECT * FROM table WHERE id = 1')
 cursor.executemany('SELECT * FROM table WHERE id = %s', [var, var2])
+
+# # INSERT without INTO (e.g. MySQL and derivatives)
+query = "INSERT table VALUES (%s)" % (var,)
+
+# # REPLACE (e.g. MySQL and derivatives, SQLite)
+query = "REPLACE INTO table VALUES (%s)" % (var,)
+query = "REPLACE table VALUES (%s)" % (var,)
+
+query = "Deselect something that is not SQL even though it has a ' from ' somewhere in %s." % "there"
diff --git a/crates/ruff/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs b/crates/ruff/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
@@ -11,7 +11,7 @@ use crate::checkers::ast::Checker;
 use super::super::helpers::string_literal;
 
 static SQL_REGEX: Lazy<Regex> = Lazy::new(|| {
-    Regex::new(r"(?i)(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)")
+    Regex::new(r"(?i)\b(select\s.+\sfrom\s|delete\s+from\s|(insert|replace)\s.+\svalues\s|update\s.+\sset\s)")
         .unwrap()
 });
 

diff --git a/...ff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S608_S608.py.snap b/...ff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S608_S608.py.snap
@@ -406,9 +406,9 @@ S608.py:77:9: S608 Possible SQL injection vector through string-based query cons
    |
 77 |   def query41():
 78 |       return (
-79 |           "SELECT *"
+79 |           "SELECT * "
    |  _________^
-80 | |         "FROM table"
+80 | |         "FROM table "
 81 | |         f"WHERE var = {var}"
    | |____________________________^ S608
 82 |       )
@@ -448,8 +448,35 @@ S608.py:86:30: S608 Possible SQL injection vector through string-based query con
 87 | query44 = cursor.execute("SELECT * FROM table WHERE var = {}".format(var))
 88 | query45 = cursor.executemany("SELECT * FROM table WHERE var = %s" % var, [])
    |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S608
-89 |  
+89 | 
 90 | # # pass
    |
 
+S608.py:98:9: S608 Possible SQL injection vector through string-based query construction
+    |
+ 98 | # # INSERT without INTO (e.g. MySQL and derivatives)
+ 99 | query = "INSERT table VALUES (%s)" % (var,)
+    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S608
+100 | 
+101 | # # REPLACE (e.g. MySQL and derivatives, SQLite)
+    |
+
+S608.py:101:9: S608 Possible SQL injection vector through string-based query construction
+    |
+101 | # # REPLACE (e.g. MySQL and derivatives, SQLite)
+102 | query = "REPLACE INTO table VALUES (%s)" % (var,)
+    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S608
+103 | query = "REPLACE table VALUES (%s)" % (var,)
+    |
+
+S608.py:102:9: S608 Possible SQL injection vector through string-based query construction
+    |
+102 | # # REPLACE (e.g. MySQL and derivatives, SQLite)
+103 | query = "REPLACE INTO table VALUES (%s)" % (var,)
+104 | query = "REPLACE table VALUES (%s)" % (var,)
+    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S608
+105 | 
+106 | query = "Deselect something that is not SQL even though it has a ' from ' somewhere in %s." % "there"
+    |
+