[`flake8-bandit`] Check `S105` for annotated assignment by tarasmatsyk · Pull Request #15059 · astral-sh/ruff

tarasmatsyk · 2024-12-19T12:00:45Z

Summary

A follow up PR on #14991
Ruff ignores hardcoded passwords for typed variables. Add a rule to catch passwords in typed code bases

Test Plan

Includes 2 more test typed variables

github-actions · 2024-12-19T12:07:46Z

`ruff-ecosystem` results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+4 -0 violations, +0 -0 fixes in 3 projects; 52 projects unchanged)

latchbio/latch (+2 -0 violations, +0 -0 fixes)

+ src/latch_sdk_config/latch.py:64:23: S105 Possible hardcoded password assigned to: "get_secret"
+ src/latch_sdk_config/latch.py:65:29: S105 Possible hardcoded password assigned to: "get_secret_local"

pandas-dev/pandas (+0 -0 violations, +0 -0 fixes)

zulip/zulip (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ zerver/migrations/0209_user_profile_no_empty_password.py:69:44: S105 Possible hardcoded password assigned to: "USER_PASSWORD_CHANGED"
+ zerver/tests/test_signup.py:934:32: S105 Possible hardcoded password assigned to: "password"

Changes by rule (1 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S105	4	4	0	0	0

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+4 -0 violations, +0 -0 fixes in 2 projects; 53 projects unchanged)

latchbio/latch (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ src/latch_sdk_config/latch.py:64:23: S105 Possible hardcoded password assigned to: "get_secret"
+ src/latch_sdk_config/latch.py:65:29: S105 Possible hardcoded password assigned to: "get_secret_local"

zulip/zulip (+2 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ zerver/migrations/0209_user_profile_no_empty_password.py:69:44: S105 Possible hardcoded password assigned to: "USER_PASSWORD_CHANGED"
+ zerver/tests/test_signup.py:934:32: S105 Possible hardcoded password assigned to: "password"

Changes by rule (1 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S105	4	4	0	0	0

dhruvmanila · 2024-12-19T12:17:11Z

crates/ruff_linter/src/checkers/ast/analyze/statement.rs

+            if let Some(value) = value.as_deref() {
+                if checker.enabled(Rule::HardcodedPasswordString) {
+                    flake8_bandit::rules::assign_hardcoded_password_string(
+                        checker,
+                        value,
+                        std::slice::from_ref(target),
+                    );
+                }
+            }


I think we should switch the condition so that we only check when the rule is enabled

Suggested change

if let Some(value) = value.as_deref() {

if checker.enabled(Rule::HardcodedPasswordString) {

flake8_bandit::rules::assign_hardcoded_password_string(

checker,

value,

std::slice::from_ref(target),

);

}

}

if checker.enabled(Rule::HardcodedPasswordString) {

if let Some(value) = value.as_deref() {

flake8_bandit::rules::assign_hardcoded_password_string(

checker,

value,

std::slice::from_ref(target),

);

}

}

done,

I was using Rule::LambdaAssignment as an example:
https://github.com/astral-sh/ruff/blob/main/crates/ruff_linter/src/checkers/ast/analyze/statement.rs#L1633

[flake8-bandit] Fix false negative S105 for typed variables

902ab83

tarasmatsyk mentioned this pull request Dec 19, 2024

False negative for S105 when variable is typed #14991

Closed

MichaReiser added the rule Implementing or modifying a lint rule label Dec 19, 2024

dhruvmanila approved these changes Dec 19, 2024

View reviewed changes

dhruvmanila changed the title ~~[flake8-bandit] Fix false negative S105 for typed variables~~ [flake8-bandit] Check S105 for annotated assignment Dec 19, 2024

Switch if statements

b12f54f

MichaReiser enabled auto-merge (squash) December 19, 2024 12:22

MichaReiser merged commit 85e71ba into astral-sh:main Dec 19, 2024

tarasmatsyk deleted the fix-S105-false-negative branch December 19, 2024 12:27

BrewTestBot mentioned this pull request Dec 19, 2024

ruff 0.8.4 Homebrew/homebrew-core#201772

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[`flake8-bandit`] Check `S105` for annotated assignment#15059

[`flake8-bandit`] Check `S105` for annotated assignment#15059
MichaReiser merged 2 commits intoastral-sh:mainfrom
tarasmatsyk:fix-S105-false-negative

tarasmatsyk commented Dec 19, 2024 •

edited

Loading

Uh oh!

github-actions bot commented Dec 19, 2024 •

edited

Loading

Uh oh!

dhruvmanila Dec 19, 2024

Uh oh!

tarasmatsyk Dec 19, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

tarasmatsyk commented Dec 19, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test Plan

Uh oh!

github-actions bot commented Dec 19, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ruff-ecosystem results

Linter (stable)

Linter (preview)

Uh oh!

dhruvmanila Dec 19, 2024

Choose a reason for hiding this comment

Uh oh!

tarasmatsyk Dec 19, 2024

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

tarasmatsyk commented Dec 19, 2024 •

edited

Loading

github-actions bot commented Dec 19, 2024 •

edited

Loading

`ruff-ecosystem` results