[flake8-bandit] Detect patterns from multi line SQL statements (S608)#13574
[flake8-bandit] Detect patterns from multi line SQL statements (S608)#13574MichaReiser merged 21 commits intoastral-sh:mainfrom DataEnggNerd:main
flake8-bandit] Detect patterns from multi line SQL statements (S608)#13574Conversation
|
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S608 | 6 | 5 | 1 | 0 | 0 |
Linter (preview)
ℹ️ ecosystem check detected linter changes. (+5 -1 violations, +0 -0 fixes in 2 projects; 52 projects unchanged)
apache/airflow (+1 -0 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
+ providers/tests/system/google/cloud/dataproc_metastore/example_dataproc_metastore_hive_partition_sensor.py:105:35: S608 Possible SQL injection vector through string-based query construction
apache/superset (+4 -1 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL
- superset/migrations/versions/2022-04-01_14-38_a9422eeaae74_new_dataset_models_take_2.py:871:9: S608 Possible SQL injection vector through string-based query construction + tests/unit_tests/databases/filters_test.py:125:12: S608 Possible SQL injection vector through string-based query construction + tests/unit_tests/jinja_context_test.py:477:12: S608 Possible SQL injection vector through string-based query construction + tests/unit_tests/jinja_context_test.py:485:12: S608 Possible SQL injection vector through string-based query construction + tests/unit_tests/jinja_context_test.py:493:12: S608 Possible SQL injection vector through string-based query construction
Changes by rule (1 rules affected)
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S608 | 6 | 5 | 1 | 0 | 0 |
|
@MichaReiser Can you review the changes please? |
crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
Outdated
Show resolved
Hide resolved
crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
Show resolved
Hide resolved
|
|
|
@DataEnggNerd is the PR now ready for review again or are there still issues with the snapshots? |
@MichaReiser I am facing trouble in terms of test cases. When I revert to last version in which @dhruvmanila has given reviews, only 37 out of 58 patterns are detected. Not able to understand why such changes are happening. Additionally, with the changes recommended, 52 test patterns are identified. |
|
@DataEnggNerd I suggest reverting the regex changes. Reverting them makes most diagnostic reappear. Could you let me know which diagnostics are missing when using the existing regex? It would help me helping you :) |
|
@MichaReiser query10 = f"DELETE FROM table WHERE var = {var}"
query18 = f"UPDATE {table} SET var = {var}"
query23 = f"select * from table where var = {var}"
query28 = f"delete from table where var = {var}"
query32 = f"insert into {table} values var = {var}"
query36 = f"update {table} set var = {var}"
query43 = cursor.execute(f"SELECT * FROM table WHERE var = {var}") |
|
@DataEnggNerd would you mind pushing your latest changes? The PR still shows changes to the Regex and it comments out f-string handling. I did copy paste the examples into Regex101 and it at least matches the first example (I didnt' test th other examples) |
|
@MichaReiser I have pushed the changes. def query40():
return f"""
SELECT *
FROM table
WHERE var = {var}
"""
query46 = "INSERT table VALUES (%s)" % (var,)
# # REPLACE (e.g. MySQL and derivatives, SQLite)
query47 = "REPLACE INTO table VALUES (%s)" % (var,)
query48 = "REPLACE table VALUES (%s)" % (var,)
def query52():
return f"""
SELECT {var}
FROM bar
"""
def query53():
return f"""
SELECT
{var}
FROM bar
"""
def query54():
return f"""
SELECT {var}
FROM
bar
"""
query56 = f"""SELECT *
FROM {var}.table
"""
query57 = f"""
SELECT *
FROM {var}.table
"""
query58 = f"SELECT\
* FROM {var}.table" |
crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
Show resolved
Hide resolved
flake8-bandit] Detect patterns from multi line SQL statements (S608)
|
@MichaReiser @dhruvmanila Sorry to bug you again. error[E0463]: can't find crate for `salsa`
--> crates/ruff_db/src/files.rs:6:5
|
6 | use salsa::{Durability, Setter};
| ^^^^^ can't find crate |
This issue is resolved. Seems to be something irrelevant to the changes in this PR. |
dhruvmanila
left a comment
There was a problem hiding this comment.
Thanks for your patience. There are only a few minor changes required but otherwise this looks good to go.
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S608.py
Outdated
Show resolved
Hide resolved
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S608.py
Outdated
Show resolved
Hide resolved
crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
Show resolved
Hide resolved
crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
Show resolved
Hide resolved
MichaReiser
left a comment
There was a problem hiding this comment.
Thanks for your persistent work on this.
I went ahead and addressed @dhruvmanila's feedback. Let's merge this PR :)
|
@MichaReiser @dhruvmanila |
Summary
The regex written for identifying possible sql injections was not identifying some patterns, mostly multiple lined queries.
Fixes include:
concatenated_f_stringfunction, which was escaping\nFixes #12044
Test Plan
S608.pytest fixtures.