[flake8-bandit] Treat sys.executable as trusted input in S603#24106

Merged
MichaReiser merged 1 commit into astral-sh:main from vivekkhimani:vivek/rule-sys-executable
Mar 25, 2026
Conversation

@vivekkhimani
Contributor

@vivekkhimani vivekkhimani commented Mar 22, 2026

Summary

Treat sys.executable as trusted input in S603. sys.executable is the path to the running Python interpreter and is not user-controlled. Subprocess calls like subprocess.run([sys.executable, "-m", "pip"]) should not be flagged as untrusted input.

Closes #24084

Test plan

  • Added sys.executable test cases to S603.py fixture (standalone, in list, in tuple)
  • Verified no S603 diagnostics emitted for sys.executable calls
  • Existing snapshot unchanged
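
To make the distinction the PR draws concrete, here is an added example (written for this page, not ruff's implementation) of a toy S603-style checker: it walks a constructed Python snippet with `ast` and reports `subprocess` calls whose command is not built solely from string literals and `sys.executable`. The names `SUBPROCESS_FUNCS`, `TRUSTED_ATTRIBUTES`, `is_trusted` and `s603_findings` are assumptions of this example, not ruff internals.

```python
import ast

# Constructed sample: trusted and untrusted subprocess invocations.
SAMPLE = '''
import subprocess, sys
subprocess.run([sys.executable, "-m", "pip", "list"])
subprocess.run(["git", "status"])
subprocess.run([user_cmd, "--flag"])
subprocess.run(sys.executable)
subprocess.check_output((sys.executable, "-c", "print(1)"))
subprocess.run([sys.argv[0], "-h"])
'''

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
# The one attribute this PR whitelists; the set itself is an assumption here.
TRUSTED_ATTRIBUTES = {("sys", "executable")}


def is_trusted(node: ast.expr) -> bool:
    """String literals, sys.executable, and lists/tuples of those are trusted."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and (node.value.id, node.attr) in TRUSTED_ATTRIBUTES):
        return True
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(is_trusted(elt) for elt in node.elts)
    return False  # names, subscripts, f-strings, calls: could be user-controlled


def s603_findings(source: str) -> list[int]:
    """Line numbers of subprocess.<func>(cmd, ...) calls whose cmd is not fully trusted."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "subprocess"
                and func.attr in SUBPROCESS_FUNCS and node.args):
            continue
        if not is_trusted(node.args[0]):
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    print(s603_findings(SAMPLE))  # [5, 8]: user_cmd and sys.argv[0] remain flagged
```

Note that `sys.argv[0]` stays flagged: only the interpreter path itself is fixed at process start, while `argv` is caller-controlled.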

@astral-sh-bot

astral-sh-bot bot commented Mar 22, 2026

ruff-ecosystem results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+0 -10 violations, +0 -0 fixes in 2 projects; 54 projects unchanged)

apache/airflow (+0 -9 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --no-fix --output-format concise --no-preview --select ALL

- airflow-core/tests/unit/cli/test_cli_parser.py:648:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/cli/test_cli_parser.py:663:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/cli/test_cli_parser.py:678:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/utils/test_process_utils.py:128:19: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/utils/test_process_utils.py:137:19: S603 `subprocess` call: check for execution of untrusted input
- airflow-ctl-tests/tests/airflowctl_tests/conftest.py:154:18: S603 `subprocess` call: check for execution of untrusted input
- scripts/in_container/run_prepare_airflow_distributions.py:73:23: S603 `subprocess` call: check for execution of untrusted input
- scripts/in_container/verify_providers.py:782:16: S603 `subprocess` call: check for execution of untrusted input
- task-sdk-integration-tests/tests/task_sdk_tests/conftest.py:364:18: S603 `subprocess` call: check for execution of untrusted input

bokeh/bokeh (+0 -1 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --no-fix --output-format concise --no-preview --select ALL

- tests/codebase/test_python_execution_with_OO.py:45:12: S603 `subprocess` call: check for execution of untrusted input

Changes by rule (1 rules affected)

| code | total | + violation | - violation | + fix | - fix |
|------|-------|-------------|-------------|-------|-------|
| S603 | 10    | 0           | 10          | 0     | 0     |

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+0 -10 violations, +0 -0 fixes in 2 projects; 54 projects unchanged)

apache/airflow (+0 -9 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --no-fix --output-format concise --preview --select ALL

- airflow-core/tests/unit/cli/test_cli_parser.py:648:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/cli/test_cli_parser.py:663:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/cli/test_cli_parser.py:678:18: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/utils/test_process_utils.py:128:19: S603 `subprocess` call: check for execution of untrusted input
- airflow-core/tests/unit/utils/test_process_utils.py:137:19: S603 `subprocess` call: check for execution of untrusted input
- airflow-ctl-tests/tests/airflowctl_tests/conftest.py:154:18: S603 `subprocess` call: check for execution of untrusted input
- scripts/in_container/run_prepare_airflow_distributions.py:73:23: S603 `subprocess` call: check for execution of untrusted input
- scripts/in_container/verify_providers.py:782:16: S603 `subprocess` call: check for execution of untrusted input
- task-sdk-integration-tests/tests/task_sdk_tests/conftest.py:364:18: S603 `subprocess` call: check for execution of untrusted input

bokeh/bokeh (+0 -1 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --no-fix --output-format concise --preview --select ALL

- tests/codebase/test_python_execution_with_OO.py:45:12: S603 `subprocess` call: check for execution of untrusted input

Changes by rule (1 rules affected)

| code | total | + violation | - violation | + fix | - fix |
|------|-------|-------------|-------------|-------|-------|
| S603 | 10    | 0           | 10          | 0     | 0     |

@MichaReiser MichaReiser added the `rule` label (Implementing or modifying a lint rule) Mar 25, 2026
Member

@MichaReiser MichaReiser left a comment


Thank you

@MichaReiser MichaReiser merged commit c8dbe46 into astral-sh:main Mar 25, 2026
42 checks passed
carljm added a commit that referenced this pull request Mar 25, 2026
* main:
  [ty] make `test-case` a dev-dependency (#24187)
  [ty] implement cycle normalization for more types to prevent too-many-cycle panics (#24061)
  [ty] Silence all diagnostics in unreachable code (#24179)
  [ty] Intern `InferableTypeVars` (#24161)
  Implement unnecessary-if (RUF050) (#24114)
  Recognize `Self` annotation and `self` assignment in SLF001 (#24144)
  Bump the npm version before publish (#24178)
  [ty] Disallow Self in metaclass and static methods (#23231)
  Use trusted publishing for NPM packages (#24171)
  [ty] Respect non-explicitly defined dataclass params (#24170)
  Add RUF072: warn when using `%` operator on an f-string (#24162)
  [ty] Check return type of generator functions (#24026)
  Implement useless-finally (RUF-072) (#24165)
  [ty] Add test for a dataclass with a default field converter (#24169)
  [ty] Dataclass field converters (#23088)
  [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
  [ty] Add support for `typing.Concatenate` (#23689)
  `ASYNC115`: autofix to use full qualified `anyio.lowlevel` import (#24166)
  [ty] Disallow read-only fields in TypedDict updates (#24128)
  Speed up diagnostic rendering (#24146)
nicopauss pushed a commit to Intersec/lib-common that referenced this pull request Apr 1, 2026
##### [`v0.15.8`](https://github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#0158)

Released on 2026-03-26.

##### Preview features

- [`ruff`] New rule `unnecessary-if` (`RUF050`) ([#24114](astral-sh/ruff#24114))
- [`ruff`] New rule `useless-finally` (`RUF072`) ([#24165](astral-sh/ruff#24165))
- [`ruff`] New rule `f-string-percent-format` (`RUF073`): warn when using `%` operator on an f-string ([#24162](astral-sh/ruff#24162))
- [`pyflakes`] Recognize `frozendict` as a builtin for Python 3.15+ ([#24100](astral-sh/ruff#24100))

##### Bug fixes

- [`flake8-async`] Use fully-qualified `anyio.lowlevel` import in autofix (`ASYNC115`) ([#24166](astral-sh/ruff#24166))
- [`flake8-bandit`] Check tuple arguments for partial paths in `S607` ([#24080](astral-sh/ruff#24080))
- [`pyflakes`] Skip `undefined-name` (`F821`) for conditionally deleted variables ([#24088](astral-sh/ruff#24088))
- `E501`/`W505`/formatter: Exclude nested pragma comments from line width calculation ([#24071](astral-sh/ruff#24071))
- Fix `%foo?` parsing in IPython assignment expressions ([#24152](astral-sh/ruff#24152))
- `analyze graph`: resolve string imports that reference attributes, not just modules ([#24058](astral-sh/ruff#24058))

##### Rule changes

- [`eradicate`] ignore `ty: ignore` comments in `ERA001` ([#24192](astral-sh/ruff#24192))
- [`flake8-bandit`] Treat `sys.executable` as trusted input in `S603` ([#24106](astral-sh/ruff#24106))
- [`flake8-self`] Recognize `Self` annotation and `self` assignment in `SLF001` ([#24144](astral-sh/ruff#24144))
- [`pyflakes`] `F507`: Fix false negative for non-tuple RHS in `%`-formatting ([#24142](astral-sh/ruff#24142))
- [`refurb`] Parenthesize generator arguments in `FURB142` fixer ([#24200](astral-sh/ruff#24200))

##### Performance

- Speed up diagnostic rendering ([#24146](astral-sh/ruff#24146))

##### Server

- Warn when Markdown files are skipped due to preview being disabled ([#24150](astral-sh/ruff#24150))

##### Documentation

- Clarify `extend-ignore` and `extend-select` settings documentation ([#24064](astral-sh/ruff#24064))
- Mention AI policy in PR template ([#24198](astral-sh/ruff#24198))

##### Other changes

- Use trusted publishing for NPM packages ([#24171](astral-sh/ruff#24171))

##### Contributors

- [@bitloi](https://github.com/bitloi)
- [@Sim-hu](https://github.com/Sim-hu)
- [@mvanhorn](https://github.com/mvanhorn)
- [@chinar-amrutkar](https://github.com/chinar-amrutkar)
- [@markjm](https://github.com/markjm)
- [@RenzoMXD](https://github.com/RenzoMXD)
- [@vivekkhimani](https://github.com/vivekkhimani)
- [@seroperson](https://github.com/seroperson)
- [@moktamd](https://github.com/moktamd)
- [@charliermarsh](https://github.com/charliermarsh)
- [@ntBre](https://github.com/ntBre)
- [@zanieb](https://github.com/zanieb)
- [@dylwil3](https://github.com/dylwil3)
- [@MichaReiser](https://github.com/MichaReiser)

Renovate-Branch: renovate/2024.6-ruff-0.15.x
Change-Id: Ifd4216a963962ffb24a4df69802bc60fcc29628d
Priv-Id: 46d2f61be3a5e65a9fdd2fef998ba41ea3388f12
Labels

rule Implementing or modifying a lint rule

Development

Successfully merging this pull request may close these issues.

S603: sys.executable flagged as untrusted input

3 participants