-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modify diagnostic ranges for shell-related bandit
rules
#10667
Conversation
|
code | total | + violation | - violation | + fix | - fix |
---|---|---|---|---|---|
ANN101 | 35382 | 0 | 35382 | 0 | 0 |
ANN102 | 674 | 0 | 674 | 0 | 0 |
S603 | 454 | 227 | 227 | 0 | 0 |
S602 | 21 | 11 | 10 | 0 | 0 |
S604 | 16 | 8 | 8 | 0 | 0 |
S605 | 8 | 4 | 4 | 0 | 0 |
D107 | 2 | 1 | 1 | 0 | 0 |
RUF100 | 1 | 1 | 0 | 0 | 0 |
Linter (preview)
ℹ️ ecosystem check detected linter changes. (+251 -249 violations, +0 -0 fixes in 5 projects; 45 projects unchanged)
apache/airflow (+171 -171 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ airflow/cli/commands/dag_command.py:309:14: S603 `subprocess` call: check for execution of untrusted input - airflow/cli/commands/dag_command.py:309:31: S603 `subprocess` call: check for execution of untrusted input + airflow/cli/commands/info_command.py:199:18: S603 `subprocess` call: check for execution of untrusted input - airflow/cli/commands/info_command.py:199:35: S603 `subprocess` call: check for execution of untrusted input + airflow/cli/commands/internal_api_command.py:166:17: S603 `subprocess` call: check for execution of untrusted input - airflow/cli/commands/internal_api_command.py:166:34: S603 `subprocess` call: check for execution of untrusted input + airflow/cli/commands/internal_api_command.py:179:22: S603 `subprocess` call: check for execution of untrusted input - airflow/cli/commands/internal_api_command.py:179:39: S603 `subprocess` call: check for execution of untrusted input + airflow/cli/commands/standalone_command.py:267:24: S603 `subprocess` call: check for execution of untrusted input ... 294 additional changes omitted for rule S603 + airflow/example_dags/example_kubernetes_executor.py:132:35: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` - airflow/example_dags/example_kubernetes_executor.py:132:45: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` + airflow/example_dags/example_kubernetes_executor.py:94:27: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` - airflow/example_dags/example_kubernetes_executor.py:94:37: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` + airflow/providers/apache/beam/hooks/beam.py:575:25: S604 Function call with `shell=True` parameter identified, security issue - airflow/providers/apache/beam/hooks/beam.py:577:13: S604 Function call with `shell=True` parameter identified, security issue + dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1082:13: S604 Function call with `shell=True` parameter identified, security issue - dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1091:17: S604 Function call with `shell=True` parameter identified, security issue + dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1094:13: S604 Function call with `shell=True` parameter identified, security issue - dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1103:17: S604 Function call with `shell=True` parameter identified, security issue + dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1106:13: S604 Function call with `shell=True` parameter identified, security issue - dev/breeze/src/airflow_breeze/commands/kubernetes_commands.py:1115:17: S604 Function call with `shell=True` parameter identified, security issue - dev/breeze/src/airflow_breeze/commands/release_candidate_command.py:160:87: S604 Function call with `shell=True` parameter identified, security issue ... 8 additional changes omitted for rule S604 + hatch_build.py:660:13: S602 `subprocess` call with `shell=True` identified, security issue - hatch_build.py:660:59: S602 `subprocess` call with `shell=True` identified, security issue + hatch_build.py:673:13: S602 `subprocess` call with `shell=True` identified, security issue - hatch_build.py:673:59: S602 `subprocess` call with `shell=True` identified, security issue + scripts/ci/pre_commit/ruff_format.py:26:1: S602 `subprocess` call with `shell=True` identified, security issue - scripts/ci/pre_commit/ruff_format.py:26:33: S602 `subprocess` call with `shell=True` identified, security issue + tests/dags/test_on_kill.py:44:13: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` - tests/dags/test_on_kill.py:44:23: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` + tests/system/providers/amazon/aws/example_emr_eks.py:102:13: S602 `subprocess` call with `shell=True` identified, security issue - tests/system/providers/amazon/aws/example_emr_eks.py:104:9: S602 `subprocess` call with `shell=True` identified, security issue + tests/system/providers/amazon/aws/example_emr_eks.py:120:13: S602 `subprocess` call with `shell=True` identified, security issue ... 8 additional changes omitted for rule S602 - tests/task/task_runner/test_standard_task_runner.py:340:19: S605 Starting a process with a shell, possible injection detected ... 308 additional changes omitted for project
bokeh/bokeh (+38 -38 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ examples/output/apis/server_document/flask_server.py:45:17: S603 `subprocess` call: check for execution of untrusted input - examples/output/apis/server_document/flask_server.py:46:5: S603 `subprocess` call: check for execution of untrusted input + release/system.py:43:18: S602 `subprocess` call with `shell=True` identified, security issue - release/system.py:43:34: S602 `subprocess` call with `shell=True` identified, security issue - scripts/hooks/install.py:5:20: S603 `subprocess` call: check for execution of untrusted input + scripts/hooks/install.py:5:5: S603 `subprocess` call: check for execution of untrusted input + scripts/hooks/protect_branches.py:10:22: S603 `subprocess` call: check for execution of untrusted input - scripts/hooks/protect_branches.py:10:26: S603 `subprocess` call: check for execution of untrusted input ... 69 additional changes omitted for rule S603 ... 68 additional changes omitted for project
freedomofpress/securedrop (+2 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview
+ devops/scripts/verify-mo.py:116:16: S602 `subprocess` call with `shell=True` identified, security issue + devops/scripts/verify-mo.py:120:26: RUF100 [*] Unused `noqa` directive (unused: `S602`)
rotki/rotki (+3 -3 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview
+ packaging/docker/entrypoint.py:144:11: S603 `subprocess` call: check for execution of untrusted input - packaging/docker/entrypoint.py:144:28: S603 `subprocess` call: check for execution of untrusted input - packaging/docker/entrypoint.py:166:26: S603 `subprocess` call: check for execution of untrusted input + packaging/docker/entrypoint.py:166:9: S603 `subprocess` call: check for execution of untrusted input - packaging/docker/entrypoint.py:174:52: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell` + packaging/docker/entrypoint.py:174:9: S602 `subprocess` call with `shell=True` seems safe, but may be changed in the future; consider rewriting without `shell`
zulip/zulip (+37 -37 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ scripts/lib/check_rabbitmq_queue.py:143:26: S603 `subprocess` call: check for execution of untrusted input - scripts/lib/check_rabbitmq_queue.py:144:9: S603 `subprocess` call: check for execution of untrusted input + scripts/lib/check_rabbitmq_queue.py:160:23: S603 `subprocess` call: check for execution of untrusted input - scripts/lib/check_rabbitmq_queue.py:161:9: S603 `subprocess` call: check for execution of untrusted input + scripts/lib/hash_reqs.py:38:12: S603 `subprocess` call: check for execution of untrusted input - scripts/lib/hash_reqs.py:38:36: S603 `subprocess` call: check for execution of untrusted input + scripts/lib/puppet_cache.py:25:30: S603 `subprocess` call: check for execution of untrusted input - scripts/lib/puppet_cache.py:27:9: S603 `subprocess` call: check for execution of untrusted input + scripts/lib/setup_venv.py:179:31: S603 `subprocess` call: check for execution of untrusted input - scripts/lib/setup_venv.py:179:55: S603 `subprocess` call: check for execution of untrusted input ... 64 additional changes omitted for project
Changes by rule (5 rules affected)
code | total | + violation | - violation | + fix | - fix |
---|---|---|---|---|---|
S603 | 454 | 227 | 227 | 0 | 0 |
S602 | 21 | 11 | 10 | 0 | 0 |
S604 | 16 | 8 | 8 | 0 | 0 |
S605 | 8 | 4 | 4 | 0 | 0 |
RUF100 | 1 | 1 | 0 | 0 | 0 |
Formatter (stable)
✅ ecosystem check detected no format changes.
Formatter (preview)
✅ ecosystem check detected no format changes.
ef6415c
to
1de2e90
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has the side effect that some of the noqa
comments would need to be moved like in the case highlighted by the ecosystem checks: https://github.com/freedomofpress/securedrop/blob/da8ac79a2017001e017b2a742fcb8c81b2f3e7b0/devops/scripts/verify-mo.py#L120:
return subprocess.run( # <- The below `noqa` comment should be here now
cmd,
capture_output=True,
env=os.environ,
shell=True, # noqa: S602 # <- This `noqa` command needs to be moved up
)
This now raises RUF100 [*] Unused noqa directive (unused: S602)
.
I think this change should go either under preview or in the next minor release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code looks good to me. I'm not sure if the incompatibility with another tool warrants a breaking change
arguments: &'a Arguments, | ||
semantic: &SemanticModel, | ||
) -> Option<ShellKeyword<'a>> { | ||
fn find_shell_keyword(arguments: &Arguments, semantic: &SemanticModel) -> Option<ShellKeyword> { | ||
arguments.find_keyword("shell").map(|keyword| ShellKeyword { | ||
truthiness: Truthiness::from_expr(&keyword.value, |id| semantic.is_builtin(id)), | ||
keyword, | ||
}) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Rename to evaluate_shell_keywrod
and return a Option<Truthiness>
directly. The ShellKeyword
type seems superfluous now that it only stores Truthiness
20 | subprocess.getoutput("true") | ||
21 | subprocess.getstatusoutput("true") | ||
| | ||
|
||
S605.py:20:22: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` | ||
S605.py:20:1: S605 Starting a process with a shell: seems safe, but may be changed in the future; consider rewriting without `shell` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To me it's now unclear what shell
is referring to. What I assumed from before is that the first argument ("true") is the shell
argument. Now, that context is lost. I'm not saying that we shouldn't make this change but it might require fine-tuning the diagnostic message as well.
To be clear, the motivation here isn't achieving complete compatibility with another tool. Some of our ranges are still different. The motivation is that the current ranges don't really make sense (why highlight (We definitely can't ship these without a minor bump though.) |
1de2e90
to
d701d1c
Compare
This makes sense to me. I'll pick this for 0.5 |
Summary
The rules that flag shell calls now center on the function name, rather than the shell argument (which isn't really relevant -- especially it it's falsy). The rules that center on specific arguments (e.g., a wildcard in a string) now highlight the argument.
Closes #9994.