-
Notifications
You must be signed in to change notification settings - Fork 974
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into dhruv/custom-methods
- Loading branch information
Showing
21 changed files
with
456 additions
and
19 deletions.
There are no files selected for viewing
65 changes: 65 additions & 0 deletions
65
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S202.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
import sys | ||
import tarfile | ||
import tempfile | ||
|
||
|
||
def unsafe_archive_handler(filename): | ||
tar = tarfile.open(filename) | ||
tar.extractall(path=tempfile.mkdtemp()) | ||
tar.close() | ||
|
||
|
||
def managed_members_archive_handler(filename): | ||
tar = tarfile.open(filename) | ||
tar.extractall(path=tempfile.mkdtemp(), members=members_filter(tar)) | ||
tar.close() | ||
|
||
|
||
def list_members_archive_handler(filename): | ||
tar = tarfile.open(filename) | ||
tar.extractall(path=tempfile.mkdtemp(), members=[]) | ||
tar.close() | ||
|
||
|
||
def provided_members_archive_handler(filename): | ||
tar = tarfile.open(filename) | ||
tarfile.extractall(path=tempfile.mkdtemp(), members=tar) | ||
tar.close() | ||
|
||
|
||
def filter_data(filename): | ||
tar = tarfile.open(filename) | ||
tarfile.extractall(path=tempfile.mkdtemp(), filter="data") | ||
tar.close() | ||
|
||
|
||
def filter_fully_trusted(filename): | ||
tar = tarfile.open(filename) | ||
tarfile.extractall(path=tempfile.mkdtemp(), filter="fully_trusted") | ||
tar.close() | ||
|
||
|
||
def filter_tar(filename): | ||
tar = tarfile.open(filename) | ||
tarfile.extractall(path=tempfile.mkdtemp(), filter="tar") | ||
tar.close() | ||
|
||
|
||
def members_filter(tarfile): | ||
result = [] | ||
for member in tarfile.getmembers(): | ||
if '../' in member.name: | ||
print('Member name container directory traversal sequence') | ||
continue | ||
elif (member.issym() or member.islnk()) and ('../' in member.linkname): | ||
print('Symlink to external resource') | ||
continue | ||
result.append(member) | ||
return result | ||
|
||
|
||
if __name__ == "__main__": | ||
if len(sys.argv) > 1: | ||
filename = sys.argv[1] | ||
unsafe_archive_handler(filename) | ||
managed_members_archive_handler(filename) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7 changes: 7 additions & 0 deletions
7
crates/ruff_linter/resources/test/fixtures/flake8_pie/PIE796.pyi
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
import enum | ||
|
||
|
||
class FakeEnum1(enum.Enum): | ||
A = ... | ||
B = ... | ||
C = ... |
94 changes: 94 additions & 0 deletions
94
crates/ruff_linter/resources/test/fixtures/pycodestyle/E703.ipynb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
{ | ||
"cells": [ | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 1, | ||
"id": "33faf7ad-a3fd-4ac4-a0c3-52e507ed49df", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"x = 1" | ||
] | ||
}, | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 2, | ||
"id": "481fb4bf-c1b9-47da-927f-3cfdfe4b49ec", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"# Simple case\n", | ||
"x;" | ||
] | ||
}, | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 3, | ||
"id": "2f0c65a5-0a0e-4080-afce-5a8ed0d706df", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"# Only skip the last expression\n", | ||
"x; # E703\n", | ||
"x;" | ||
] | ||
}, | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 4, | ||
"id": "5a3fd75d-26d9-44f7-b013-1684aabfd0ae", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"# Nested expressions isn't relevant\n", | ||
"if True:\n", | ||
" x;" | ||
] | ||
}, | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 5, | ||
"id": "05eab5b9-e2ba-4954-8ef3-b035a79573fe", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"# Semicolons with multiple expressions\n", | ||
"x; x;" | ||
] | ||
}, | ||
{ | ||
"cell_type": "code", | ||
"execution_count": 6, | ||
"id": "9cbbddc5-83fc-4fdb-81ab-53a3912ae898", | ||
"metadata": {}, | ||
"outputs": [], | ||
"source": [ | ||
"# Comments, newlines and whitespace\n", | ||
"x; # comment\n", | ||
"\n", | ||
"# another comment" | ||
] | ||
} | ||
], | ||
"metadata": { | ||
"kernelspec": { | ||
"display_name": "Python (ruff-playground)", | ||
"language": "python", | ||
"name": "ruff-playground" | ||
}, | ||
"language_info": { | ||
"codemirror_mode": { | ||
"name": "ipython", | ||
"version": 3 | ||
}, | ||
"file_extension": ".py", | ||
"mimetype": "text/x-python", | ||
"name": "python", | ||
"nbconvert_exporter": "python", | ||
"pygments_lexer": "ipython3", | ||
"version": "3.11.3" | ||
} | ||
}, | ||
"nbformat": 4, | ||
"nbformat_minor": 5 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
75 changes: 75 additions & 0 deletions
75
crates/ruff_linter/src/rules/flake8_bandit/rules/tarfile_unsafe_members.rs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
use crate::checkers::ast::Checker; | ||
use ruff_diagnostics::Diagnostic; | ||
use ruff_diagnostics::Violation; | ||
use ruff_macros::{derive_message_formats, violation}; | ||
use ruff_python_ast::{self as ast}; | ||
use ruff_text_size::Ranged; | ||
|
||
/// ## What it does | ||
/// Checks for uses of `tarfile.extractall`. | ||
/// | ||
/// ## Why is this bad? | ||
/// | ||
/// Extracting archives from untrusted sources without prior inspection is | ||
/// a security risk, as maliciously crafted archives may contain files that | ||
/// will be written outside of the target directory. For example, the archive | ||
/// could include files with absolute paths (e.g., `/etc/passwd`), or relative | ||
/// paths with parent directory references (e.g., `../etc/passwd`). | ||
/// | ||
/// On Python 3.12 and later, use `filter='data'` to prevent the most dangerous | ||
/// security issues (see: [PEP 706]). On earlier versions, set the `members` | ||
/// argument to a trusted subset of the archive's members. | ||
/// | ||
/// ## Example | ||
/// ```python | ||
/// import tarfile | ||
/// import tempfile | ||
/// | ||
/// tar = tarfile.open(filename) | ||
/// tar.extractall(path=tempfile.mkdtemp()) | ||
/// tar.close() | ||
/// ``` | ||
/// | ||
/// ## References | ||
/// - [Common Weakness Enumeration: CWE-22](https://cwe.mitre.org/data/definitions/22.html) | ||
/// - [Python Documentation: `TarFile.extractall`](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall) | ||
/// - [Python Documentation: Extraction filters](https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter) | ||
/// | ||
/// [PEP 706]: https://peps.python.org/pep-0706/#backporting-forward-compatibility | ||
#[violation] | ||
pub struct TarfileUnsafeMembers; | ||
|
||
impl Violation for TarfileUnsafeMembers { | ||
#[derive_message_formats] | ||
fn message(&self) -> String { | ||
format!("Uses of `tarfile.extractall()`") | ||
} | ||
} | ||
|
||
/// S202 | ||
pub(crate) fn tarfile_unsafe_members(checker: &mut Checker, call: &ast::ExprCall) { | ||
if !call | ||
.func | ||
.as_attribute_expr() | ||
.is_some_and(|attr| attr.attr.as_str() == "extractall") | ||
{ | ||
return; | ||
} | ||
|
||
if call | ||
.arguments | ||
.find_keyword("filter") | ||
.and_then(|keyword| keyword.value.as_string_literal_expr()) | ||
.is_some_and(|value| matches!(value.value.as_str(), "data" | "tar")) | ||
{ | ||
return; | ||
} | ||
|
||
if !checker.semantic().seen(&["tarfile"]) { | ||
return; | ||
} | ||
|
||
checker | ||
.diagnostics | ||
.push(Diagnostic::new(TarfileUnsafeMembers, call.func.range())); | ||
} |
Oops, something went wrong.