
[flake8-bandit] Don't flag BaseLoader/CBaseLoader as unsafe in preview (S506)#23510

Merged
ntBre merged 2 commits into astral-sh:main from o1x3:s506-baseloader-safe on Feb 23, 2026

Conversation


@o1x3 o1x3 commented Feb 23, 2026

Summary

yaml.BaseLoader and yaml.CBaseLoader use BaseConstructor + BaseResolver, which do not resolve tags or construct arbitrary Python objects — they only produce basic types (lists, dicts, strings). They are strictly less capable than SafeLoader, not less safe.

Currently, S506 flags yaml.load(..., Loader=yaml.BaseLoader) as unsafe. This is a false positive.

This PR adds BaseLoader and CBaseLoader (the C-accelerated variant from yaml.cyaml) to the list of recognized safe loaders, gated behind preview mode per maintainer guidance.

Closes #13604

Test Plan

  • Added test fixtures covering BaseLoader/CBaseLoader via all import paths (yaml.*, yaml.loader.*, yaml.cyaml.*, aliased imports)
  • Added preview diff test case using assert_diagnostics_diff! to verify BaseLoader diagnostics are suppressed only in preview mode
  • Verified with cargo test -p ruff_linter, cargo clippy, and uvx prek run -a

…preview (`S506`)

`yaml.BaseLoader` and `yaml.CBaseLoader` use `BaseConstructor` +
`BaseResolver`, which do not resolve tags or construct arbitrary Python
objects. They are strictly less capable than `SafeLoader`, not less safe.

Gate the change behind preview mode to avoid breaking existing `noqa`
comments.

Closes astral-sh#13604
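A quick check of the claim above, written as an added example (it is not part of the PR or of ruff): it loads one untagged and one explicitly tagged document with `BaseLoader`, `SafeLoader` and `UnsafeLoader` and shows that `BaseLoader` yields only strings, lists and dicts whatever tag the document carries. It assumes PyYAML is installed; the two sample documents are constructed for the demonstration.

```python
"""Compare what PyYAML's loaders construct from the same input.

Added example, not code from the PR. Assumes PyYAML (import yaml) is available.
"""
import yaml

# Constructed sample documents. UNTAGGED exercises implicit tag resolution
# (int/bool); TAGGED carries an explicit python/* tag that only the
# full/unsafe loaders turn into a Python object.
UNTAGGED = "port: 8080\ndebug: true\n"
TAGGED = "value: !!python/tuple [1, 2]\n"


def load_with(loader, text):
    """Return the loaded document, or the exception class name if the loader refuses it."""
    try:
        return yaml.load(text, Loader=loader)
    except yaml.YAMLError as exc:
        return type(exc).__name__


def compare_loaders():
    """Map loader name -> (result for UNTAGGED, result for TAGGED)."""
    loaders = {
        "BaseLoader": yaml.BaseLoader,      # BaseConstructor + BaseResolver
        "SafeLoader": yaml.SafeLoader,      # resolves scalars, rejects unknown tags
        "UnsafeLoader": yaml.UnsafeLoader,  # constructs arbitrary Python objects
    }
    return {
        name: (load_with(loader, UNTAGGED), load_with(loader, TAGGED))
        for name, loader in loaders.items()
    }


if __name__ == "__main__":
    for name, (untagged, tagged) in compare_loaders().items():
        print(f"{name:13} untagged={untagged!r} tagged={tagged!r}")
```

`BaseLoader` returns `{'port': '8080', 'debug': 'true'}` and `{'value': ['1', '2']}`: no implicit resolution and no object construction, which is why flagging it under S506 is a false positive.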

@ntBre ntBre left a comment


Thank you!

@ntBre ntBre added the labels rule (Implementing or modifying a lint rule) and preview (Related to preview mode features) on Feb 23, 2026
@ntBre ntBre enabled auto-merge (squash) February 23, 2026 15:56
@ntBre ntBre merged commit fe09504 into astral-sh:main Feb 23, 2026
43 checks passed
@o1x3 o1x3 deleted the s506-baseloader-safe branch February 24, 2026 06:59

Development

Successfully merging this pull request may close these issues.

[flake8-bandit/S506] Don't report violation when using BaseLoader