Ignore empty string for S105/S106/S107 #2383

Closed
ngnpope opened this issue Jan 31, 2023 · 4 comments · Fixed by #2421
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@ngnpope
Contributor

ngnpope commented Jan 31, 2023

Using v0.0.237 I get: S105 Possible hardcoded password: ""

This was in some code that was checking whether a password/secret matched the empty string, i.e. if secret == "".

I think we want to ignore any comparisons to "" (or None if that's not already handled) for S105, S106, and S107.

@charliermarsh
Member

I'm tempted to follow bandit here even if it's not totally ideal. (Not sure what their exact behavior is for this.)

@ngnpope
Contributor Author

ngnpope commented Jan 31, 2023

So I checked, see #2384 (comment), and bandit doesn't ignore empty string.

While I was being thorough, I checked what happens if we have a byte string, e.g. password = b"shh, don't tell anyone!", and neither ruff nor bandit complains. Wondering if they should? 🤔

@charliermarsh
Member

Yeah maybe we should ignore "" at least.

@charliermarsh charliermarsh added the bug Something isn't working label Jan 31, 2023
@charliermarsh
Member

I'll call it a "bug", even though it's really a refinement :)
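
The refinement discussed in this thread, as an added illustration that is not part of the issue and is not ruff's or bandit's code: a small S105-style check over Python's `ast` that flags assignments and `==`/`!=` comparisons of password-like names to string literals, with a switch to skip the empty string. The name pattern, function names and sample input are assumptions made for this example.

```python
import ast
import re

# Assumption: simplified name pattern for this example, not ruff's or bandit's list.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

def _is_sensitive(node):
    """True if a Name/Attribute node looks like a password-style identifier."""
    name = getattr(node, "id", None) or getattr(node, "attr", None)
    return isinstance(name, str) and SENSITIVE_NAME.search(name) is not None

def _str_literal(node):
    """Return the value of a str literal; bytes literals and None yield None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def find_hardcoded_passwords(source, ignore_empty=True):
    """Return sorted (line, literal) pairs for S105-style findings in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            pairs = [(target, node.value) for target in node.targets]
        elif (isinstance(node, ast.Compare) and len(node.ops) == 1
              and isinstance(node.ops[0], (ast.Eq, ast.NotEq))):
            left, right = node.left, node.comparators[0]
            pairs = [(left, right), (right, left)]  # handles `"" == secret` too
        else:
            continue
        for name_node, value_node in pairs:
            value = _str_literal(value_node)
            if value is None or not _is_sensitive(name_node):
                continue
            if ignore_empty and value == "":
                continue  # the refinement requested in this issue
            findings.append((node.lineno, value))
    return sorted(findings)

# Constructed sample input.
SAMPLE = '''\
if secret == "":
    raise ValueError("empty secret")
password = "hunter2"
password = b"shh, don't tell anyone!"
if token != "s3cr3t":
    pass
'''
```

With `ignore_empty=False` the emptiness check on line 1 of the sample is reported like a real secret; the bytes literal is skipped in both modes because only `str` constants are considered, matching the behaviour observed in the thread.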
