[flake8-bandit] Fix S103 false positives and negatives in mask analysis#24424
Merged
MichaReiser merged 6 commits intoastral-sh:mainfrom Apr 10, 2026
Linter (preview)

ℹ️ ecosystem check detected linter changes. (+1 -0 violations, +0 -0 fixes in 1 projects; 55 projects unchanged)

apache/airflow (+1 -0 violations, +0 -0 fixes)

```
ruff check --no-cache --exit-zero --no-fix --output-format concise --preview --select ALL
+ airflow-e2e-tests/tests/airflow_e2e_tests/conftest.py:59:39: S103 `os.chmod` setting a permissive mask `0o111` on file or directory
```
Changes by rule (1 rules affected)
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S103 | 1 | 1 | 0 | 0 | 0 |
MichaReiser (Member) requested changes on Apr 8, 2026:

This is clever. There's one false positive that we should look into.
Author (Contributor):

@MichaReiser Thank you so much for the review. Addressed all three comments:

I would like to request another look whenever you get a chance. Thank you.
MichaReiser approved these changes on Apr 9, 2026.
Author (Contributor):

@MichaReiser Thank you so much for the re-review. Addressed both comments; I would appreciate another look whenever you get a chance. Thank you.
MichaReiser (Member):

Perfect, thank you.
MichaReiser reviewed on Apr 10, 2026.
carljm added a commit that referenced this pull request on Apr 10, 2026:
* main: [ty] Fix bad diagnostic range for incorrect implicit `__init_subclass__` calls (#24541) [ty] Add a `SupportedPythonVersion` enum (#24412) [ty] Ignore unsupported editor-selected Python versions (#24498) [ty] Add snapshots for `__init_subclass__` diagnostics (#24539) [ty] Minor fix in tests (#24538) [ty] Allow `Final` variable assignments in `__post_init__` (#24529) [ty] Expand test suite for assignment errors (#24537) [ty] Use `map`, not `__map`, as the name of the mapping parameter in `TypedDict` `__init__` methods (#24535) [ty] Rework logic for synthesizing `TypedDict` methods (#24534) [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424) [ty] mdtest.py: update dependencies (#24533) Rename patterns and arguments source order iterator method (#24532) [ty] Omit invalid keyword arguments from `TypedDict` signature (#24522) [ty] support super() in metaclass methods (#24483) [ty] Synthesize `__init__` for `TypedDict` (#24476)
carljm added a commit that referenced this pull request on Apr 10, 2026:
* main: Bump typing conformance suite commit to latest upstream (#24553) [ty] Reject deleting`Final` attributes (#24508) [ty] Respect property deleters in attribute deletion checks (#24500) [ty] stop unioning Unknown into types of un-annotated attributes (#24531) [ty] Fix bad diagnostic range for incorrect implicit `__init_subclass__` calls (#24541) [ty] Add a `SupportedPythonVersion` enum (#24412) [ty] Ignore unsupported editor-selected Python versions (#24498) [ty] Add snapshots for `__init_subclass__` diagnostics (#24539) [ty] Minor fix in tests (#24538) [ty] Allow `Final` variable assignments in `__post_init__` (#24529) [ty] Expand test suite for assignment errors (#24537) [ty] Use `map`, not `__map`, as the name of the mapping parameter in `TypedDict` `__init__` methods (#24535) [ty] Rework logic for synthesizing `TypedDict` methods (#24534) [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424) [ty] mdtest.py: update dependencies (#24533) Rename patterns and arguments source order iterator method (#24532) [ty] Omit invalid keyword arguments from `TypedDict` signature (#24522) [ty] support super() in metaclass methods (#24483) [ty] Synthesize `__init__` for `TypedDict` (#24476)
Summary

Fixes #18863

Rewrites `parse_mask` as a known-bits abstract domain over `u64`, so partial bitwise expressions (`|`, `&`, `^`) are tracked through unknown operands. This fixes:

- `mode | 0o777`: previously unflagged, now reports the statically-known dangerous bits.
- `0o777777 & 0o700`: previously a false positive (`u16` overflow), now correctly silent.
- `0o777777 & 0o777`: now flagged as permissive, not "invalid mask".

"Invalid mask" now triggers when a bit outside `0o7777` is statically set, keeping `0o1000` (sticky) valid per the RUF064 note.

Under preview, the dangerous-bit set matches upstream Bandit (`0o33`) instead of the current `0o12`.

Test Plan

`|`/`&` edges; stable snapshot updated, preview diff snapshot added. `cargo nextest run -p ruff_linter -- flake8_bandit`.
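The known-bits domain the summary describes, worked through as an added example: this is illustrative code written for this page, not ruff's `parse_mask` or any part of the ruff code base. The names `KnownBits`, `MaskExpr`, `classify` and `Verdict` are my own; the only values taken from the page are the dangerous-bit sets `0o12` (stable) and `0o33` (preview/Bandit), the valid-bit range `0o7777`, and the three expressions listed above. One ordering is assumed here and not stated on the page: when an expression would be both permissive and invalid, the permissive verdict is reported.

```rust
// Added example (not ruff's own parse_mask): a known-bits abstract domain
// over u64 for chmod-mask analysis, tracking partial |, &, ^ expressions
// through unknown operands such as a `mode` variable.

/// Which bits of a u64 are statically known to be 1 and which to be 0.
/// Invariant: known_ones & known_zeros == 0; every other bit is unknown.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct KnownBits {
    pub known_ones: u64,
    pub known_zeros: u64,
}

impl KnownBits {
    /// Nothing is known (e.g. a variable like `mode`).
    pub const UNKNOWN: KnownBits = KnownBits { known_ones: 0, known_zeros: 0 };

    /// An integer literal: every bit is known.
    pub fn constant(value: u64) -> Self {
        KnownBits { known_ones: value, known_zeros: !value }
    }

    /// `a | b`: a bit is 1 if either side has it 1; 0 only if both are 0.
    pub fn or(self, other: Self) -> Self {
        KnownBits {
            known_ones: self.known_ones | other.known_ones,
            known_zeros: self.known_zeros & other.known_zeros,
        }
    }

    /// `a & b`: a bit is 1 only if both are 1; 0 if either side is 0.
    pub fn and(self, other: Self) -> Self {
        KnownBits {
            known_ones: self.known_ones & other.known_ones,
            known_zeros: self.known_zeros | other.known_zeros,
        }
    }

    /// `a ^ b`: a bit is known only when it is known on both sides.
    pub fn xor(self, other: Self) -> Self {
        let known = (self.known_ones | self.known_zeros)
            & (other.known_ones | other.known_zeros);
        let ones = (self.known_ones ^ other.known_ones) & known;
        KnownBits { known_ones: ones, known_zeros: known & !ones }
    }
}

/// Minimal stand-in (assumed shape) for the Python expressions the rule inspects.
pub enum MaskExpr {
    Int(u64),
    Unknown,
    Or(Box<MaskExpr>, Box<MaskExpr>),
    And(Box<MaskExpr>, Box<MaskExpr>),
    Xor(Box<MaskExpr>, Box<MaskExpr>),
}

/// Evaluate an expression into the known-bits domain.
pub fn eval(expr: &MaskExpr) -> KnownBits {
    match expr {
        MaskExpr::Int(v) => KnownBits::constant(*v),
        MaskExpr::Unknown => KnownBits::UNKNOWN,
        MaskExpr::Or(a, b) => eval(a).or(eval(b)),
        MaskExpr::And(a, b) => eval(a).and(eval(b)),
        MaskExpr::Xor(a, b) => eval(a).xor(eval(b)),
    }
}

/// Dangerous-bit sets named on the page: current (stable) and preview/Bandit.
pub const STABLE_DANGEROUS: u64 = 0o12;
pub const PREVIEW_DANGEROUS: u64 = 0o33;
/// Bits a valid mode mask may set (permission bits plus setuid/setgid/sticky).
pub const VALID_MASK_BITS: u64 = 0o7777;

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Statically-known dangerous bits to report.
    Permissive(u64),
    /// Bits outside 0o7777 that are statically set.
    InvalidMask(u64),
    /// Nothing provably wrong: either safe, or too little is known.
    Silent,
}

/// Classify a mask expression. Assumed ordering: permissive wins over invalid.
pub fn classify(expr: &MaskExpr, dangerous: u64) -> Verdict {
    let bits = eval(expr);
    let bad = bits.known_ones & dangerous;
    if bad != 0 {
        return Verdict::Permissive(bad);
    }
    let invalid = bits.known_ones & !VALID_MASK_BITS;
    if invalid != 0 {
        return Verdict::InvalidMask(invalid);
    }
    Verdict::Silent
}

fn main() {
    // Constructed cases mirroring the expressions discussed on the page.
    let cases = [
        ("mode | 0o777", MaskExpr::Or(Box::new(MaskExpr::Unknown), Box::new(MaskExpr::Int(0o777)))),
        ("0o777777 & 0o700", MaskExpr::And(Box::new(MaskExpr::Int(0o777777)), Box::new(MaskExpr::Int(0o700)))),
        ("0o777777 & 0o777", MaskExpr::And(Box::new(MaskExpr::Int(0o777777)), Box::new(MaskExpr::Int(0o777)))),
        ("0o10000", MaskExpr::Int(0o10000)),
    ];
    for (src, expr) in &cases {
        println!("{src:<18} stable={:?} preview={:?}",
            classify(expr, STABLE_DANGEROUS), classify(expr, PREVIEW_DANGEROUS));
    }
}
```

Because the domain works on `u64` and only reports bits that are known to be set, `0o777777 & 0o700` narrows to exactly `0o700` and stays silent, while `mode | 0o777` reports the dangerous bits regardless of what `mode` holds; an unknown operand on the dangerous side (`mode & 0o700`, `mode ^ 0o2`) yields no known ones and is likewise silent rather than guessed at.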