add ruff bandit linting

fixes #50
willkg · Mar 1, 2024 · 6b4d3e9 · 6b4d3e9
1 parent d19f45b
commit 6b4d3e9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,14 +4,19 @@ src = ["src", "tests"]
 target-version = "py38"
 
 [tool.ruff.lint]
-# Enable pycodestyle (E), pyflakes (F), and bugbear (B) rules
-select = ["E", "F", "B"]
+# Enable pycodestyle (E), pyflakes (F), bugbear (B), and bandit (S) rules
+select = ["E", "F", "B", "S"]
 
 ignore = ["E501"]
 
 [tool.ruff.lint.flake8-quotes]
 docstring-quotes = "double"
 
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = ["S101"]
+"src/license-check.py" = ["S603", "S607"]
+"src/release.py" = ["S310", "S603", "S607"]
+
 
 [tool.release]
 github_user = "willkg"

diff --git a/src/service-status.py b/src/service-status.py
@@ -88,7 +88,10 @@ def fetch(url, is_json=True):
     errors if it's not valid JSON.
 
     """
-    fp = urlopen(url, timeout=5)
+    if not url.startswith(("http:", "https:")):
+        raise ValueError("URL must start with 'http:' or 'https:'")
+    # NOTE(willkg): ruff S310 can't determine whether we've validated the url or not
+    fp = urlopen(url, timeout=5)  # noqa: S310
     data = fp.read()
     if is_json:
         return json.loads(data)