Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid raising S310 if user explicitly checks for URL scheme #7918

Open
q0w opened this issue Oct 11, 2023 · 9 comments
Open

Avoid raising S310 if user explicitly checks for URL scheme #7918

q0w opened this issue Oct 11, 2023 · 9 comments
Assignees
@charliermarsh
Labels
wish Not on the current roadmap; maybe in the future

Comments

@q0w
Copy link

q0w commented Oct 11, 2023

  • A minimal code snippet that reproduces the bug.
import urllib.request


def foo(url: str) -> None:
    if not url.startswith(("https://", "http://")):
        raise ValueError
    req = urllib.request.Request(
        url,
        headers=headers,
        data=data,
        method=method,
    )
    resp = urllib.request.urlopen(req)

Also it would be great if ruff could recognize asserts (like assert url.startswith(("https://", "http://")))

  • The command you invoked (e.g., ruff /path/to/file.py --fix), ideally including the --isolated flag.

ruff --isolated --select S t.py

  • The current Ruff settings (any relevant sections from your pyproject.toml).

No pyproject.toml

  • The current Ruff version (ruff --version).

ruff 0.0.292
@qdegraaf
Copy link
Contributor

qdegraaf commented Oct 12, 2023
edited

Could you clarify why urllib.request.Request should be flagged under S310? Bandit's blacklist for the relevant rule does not include it as an issue.

@q0w
Copy link
Author

q0w commented Oct 12, 2023

I think s310 should not be triggered because I check the URL in the first lines.

@qdegraaf
Copy link
Contributor

Ah I misunderstood. I thought from your description that the rule was not triggering and it should. But if I understand you correctly now, it is being flagged, and you want to change rule S310 to not flag if the URL passed to it has been checked to start with https:// or http:// and not say file://. This would not be specific to just urllib.request.Request I take it but all urlopen calls flagged by S310.

@charliermarsh is that something that is desirable to implement or is this something that should be manually marked as a check skip by the dev in question. Docs just suggest:

/// To mitigate this risk, audit all uses of URL open functions and ensure that
/// only permitted schemes are used (e.g., allowing `http:` and `https:` and
/// disallowing `file:` and `ftp:`).

@charliermarsh
Copy link
Member

I think this will be hard to get right with absolute certainty and so I'm somewhat hesitant to invest in it given that it's a security-related rule. If someone wants to try, though, I am happy to review it.

@charliermarsh charliermarsh added the wish Not on the current roadmap; maybe in the future label Oct 13, 2023
@charliermarsh charliermarsh changed the title S310 does not handle urllib.request.Request Avoid raising S310 if user explicitly checks for URL scheme Oct 13, 2023
@charliermarsh
Copy link
Member

We now no longer flag this if you use a string literal, which is at least an improvement.

@henryiii
Copy link
Contributor

What about string literal but not in place? This is currently triggering the warning:

url = "https://pypi.org/pypi?:action=list_classifiers"
context = ssl.create_default_context()
with urlopen(url, context=context) as response:

@PieterCK PieterCK mentioned this issue Apr 2, 2024
Open
@Hawk777
Copy link

Hawk777 commented Apr 15, 2024

A string literal passed through Request is also flagged when it ideally shouldn’t be:

import urllib

urllib.request.urlopen(urllib.request.Request("https://example.com/"))

(obviously in this case I could just pass the string literal directly; in reality, I’m constructing the Request because I have extra headers to add)

@charliermarsh
Copy link
Member

I can fix a few of these.

@charliermarsh charliermarsh self-assigned this Apr 16, 2024
@charliermarsh charliermarsh mentioned this issue Apr 16, 2024
Merged
charliermarsh added a commit that referenced this issue Apr 16, 2024
@charliermarsh
[flake8-bandit] Allow urllib.request.urlopen calls with static `R…
effd518 
…equest` argument (#10964)

## Summary

Allows, e.g.:

```python
import urllib

urllib.request.urlopen(urllib.request.Request("https://example.com/"))
```

...in
[`suspicious-url-open-usage`](https://docs.astral.sh/ruff/rules/suspicious-url-open-usage/).

See:
#7918 (comment)
@retu2libc
Copy link

It would be cool if stuff like

url = f"https://{self.target_url}{self.path}"

didn't trigger this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@charliermarsh charliermarsh

Labels
wish Not on the current roadmap; maybe in the future
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Hawk777 @charliermarsh @henryiii @qdegraaf @retu2libc @q0w