flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml

[scy]

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

[scy]

The following code has a similar problem, triggering S409 on the pulldom import, but this time I can't even move the import into a TYPE_CHECKING block:

from xml.dom import pulldom

from defusedxml.pulldom import parseString


doc = parseString("<foo></foo>")

for ev, node in doc:
    if ev == pulldom.START_ELEMENT:
        print(node)

Again, defusedxml does not provide everything required for parsing XML; here it's the event constant to compare against. Nevertheless I'm using defusedxml for the actual parsing, which means I'm not vulnerable.

[MichaReiser]

Thanks. This makes sense to me. So what we need to do here is to allow some imports from xml.dom or at least when under the TYPE_CHECKING

[ntBre]

The TYPE_CHECKING part of this issue will be resolved by #23441, but I think allowing some specific imports will be a bit more involved.