…7503) Part of #1646. ## Summary Implement `S201` ([`flask_debug_true`](https://bandit.readthedocs.io/en/latest/plugins/b201_flask_debug_true.html)) rule from `bandit`. I am fairly new to Rust and Ruff's codebase, so there might be better ways to implement the rule or write the code. ## Test Plan Snapshot test from https://github.com/PyCQA/bandit/blob/1.7.5/examples/flask_debug.py, with a few additions in the "unrelated" part to test a few more cases.
1 parent
40f6456
commit c6ba7df
Showing
8 changed files
with
137 additions
and
0 deletions.
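--- a/S201.py
+++ b/S201.py
@@ -0,0 +1,22 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/')
+def main():
+    raise
+
+# OK
+app.run(debug=True)
+
+# Errors
+app.run()
+app.run(debug=False)
+
+# Unrelated
+run()
+run(debug=True)
+run(debug)
+foo.run(debug=True)
+app = 1
+app.run(debug=True)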
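--- a/crates/ruff/src/rules/flake8_bandit/rules/flask_debug_true.rs
+++ b/crates/ruff/src/rules/flake8_bandit/rules/flask_debug_true.rs
@@ -0,0 +1,92 @@
+use ruff_diagnostics::{Diagnostic, Violation};
+use ruff_macros::{derive_message_formats, violation};
+use ruff_python_ast::helpers::is_const_true;
+use ruff_python_ast::{Expr, ExprAttribute, ExprCall, Stmt, StmtAssign};
+use ruff_text_size::Ranged;
+
+use crate::checkers::ast::Checker;
+
+/// ## What it does
+/// Checks for uses of `debug=True` in Flask.
+///
+/// ## Why is this bad?
+/// Enabling debug mode shows an interactive debugger in the browser if an
+/// error occurs, and allows running arbitrary Python code from the browser.
+/// This could leak sensitive information, or allow an attacker to run
+/// arbitrary code.
+///
+/// ## Example
+/// ```python
+/// import flask
+///
+/// app = Flask()
+///
+/// app.run(debug=True)
+/// ```
+///
+/// Use instead:
+/// ```python
+/// import flask
+///
+/// app = Flask()
+///
+/// app.run(debug=os.environ["ENV"] == "dev")
+/// ```
+///
+/// ## References
+/// - [Flask documentation: Debug Mode](https://flask.palletsprojects.com/en/latest/quickstart/#debug-mode)
+#[violation]
+pub struct FlaskDebugTrue;
+
+impl Violation for FlaskDebugTrue {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("Use of `debug=True` in Flask app detected")
+    }
+}
+
+/// S201
+pub(crate) fn flask_debug_true(checker: &mut Checker, call: &ExprCall) {
+    let Expr::Attribute(ExprAttribute { attr, value, .. }) = call.func.as_ref() else {
+        return;
+    };
+
+    if attr.as_str() != "run" {
+        return;
+    }
+
+    let Some(debug_argument) = call.arguments.find_keyword("debug") else {
+        return;
+    };
+
+    if !is_const_true(&debug_argument.value) {
+        return;
+    }
+
+    let Expr::Name(name) = value.as_ref() else {
+        return;
+    };
+
+    checker
+        .semantic()
+        .resolve_name(name)
+        .map_or((), |binding_id| {
+            if let Some(Stmt::Assign(StmtAssign { value, .. })) = checker
+                .semantic()
+                .binding(binding_id)
+                .statement(checker.semantic())
+            {
+                if let Expr::Call(ExprCall { func, .. }) = value.as_ref() {
+                    if checker
+                        .semantic()
+                        .resolve_call_path(func)
+                        .is_some_and(|call_path| matches!(call_path.as_slice(), ["flask", "Flask"]))
+                    {
+                        checker
+                            .diagnostics
+                            .push(Diagnostic::new(FlaskDebugTrue, debug_argument.range()));
+                    }
+                }
+            }
+        });
+}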
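Review bot: The rule's doc-comment examples in this hunk do not run as written: both snippets `import flask` and then call a bare `Flask()`, and the recommended form reads `os.environ` without importing `os`, so the documentation shows code that would raise `NameError` instead of the `flask.Flask` binding the rule actually resolves via `["flask", "Flask"]`. Change the import line in both snippets to `/// from flask import Flask` and add `/// import os` above it in the "Use instead" snippet. Separately, the check only consults `find_keyword("debug")`, so a positional debug argument (Flask's `run` accepts `debug` positionally after `host` and `port`, if I recall its signature correctly) is never inspected; if that is intended, a one-line `// Only the keyword form is checked; a positional debug argument is not inspected.` next to the `find_keyword` call would keep the limitation visible to the next maintainer. The `.map_or((), |binding_id| { ... })` at the end is a closure used purely for its side effect; `if let Some(binding_id) = checker.semantic().resolve_name(name) { ... }` reads more plainly and is the shape clippy's `option_map_unit_fn` lint suggests.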
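--- a/crates/ruff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S201_S201.py.snap
+++ b/crates/ruff/src/rules/flake8_bandit/snapshots/ruff__rules__flake8_bandit__tests__S201_S201.py.snap
@@ -0,0 +1,13 @@
+---
+source: crates/ruff/src/rules/flake8_bandit/mod.rs
+---
+S201.py:10:9: S201 Use of `debug=True` in Flask app detected
+   |
+ 9 | # OK
+10 | app.run(debug=True)
+   |         ^^^^^^^^^^ S201
+11 |
+12 | # Errors
+   |
+
+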