From c883f6cd3100d7073ee800b7f424e46c0d181c5c Mon Sep 17 00:00:00 2001
From: Mikael Arguedas
Date: Thu, 28 Dec 2023 13:26:55 +0100
Subject: [PATCH 1/3] [bandit/S506] support impoprting loader from yaml or from yaml.loader

Avoid false positives like: S506 Probable use of unsafe loader `SafeLoader` with `yaml.load`. Allows instantiation of arbitrary objects. Consider `yaml.safe_load`.

Signed-off-by: Mikael Arguedas
---
 .../src/rules/flake8_bandit/rules/unsafe_yaml_load.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
index 68b8f59647361..b2b30892dcf94 100644
--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
@@ -71,6 +71,10 @@ pub(crate) fn unsafe_yaml_load(checker: &mut Checker, call: &ast::ExprCall) {
 .resolve_call_path(loader_arg)
 .is_some_and(|call_path| {
 matches!(call_path.as_slice(), ["yaml", "SafeLoader" | "CSafeLoader"])
+ || matches!(
+ call_path.as_slice(),
+ ["yaml", "loader", "SafeLoader" | "CSafeLoader"]
+ )
 })
 {
 let loader = match loader_arg {

From a45c3310773d778e695aebce91b2b924eefc91b0 Mon Sep 17 00:00:00 2001
From: Mikael Arguedas
Date: Thu, 28 Dec 2023 14:45:02 +0100
Subject: [PATCH 2/3] [bandit/S506] extend test to test Loader kwarg and importing from yaml.loader

Signed-off-by: Mikael Arguedas
---
 .../resources/test/fixtures/flake8_bandit/S506.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S506.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S506.py
index b332cbe14314d..9fd87de3e31de 100644
--- a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S506.py
+++ b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S506.py
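Review bot: The new `["yaml", "loader", "SafeLoader" | "CSafeLoader"]` arm accepts `yaml.loader.CSafeLoader`, but as far as I recall PyYAML defines the C-accelerated loaders in `yaml.cyaml`, not `yaml.loader`, so that half of the alternation cannot match real code while `from yaml.cyaml import CSafeLoader` keeps producing exactly the false positive this commit sets out to remove. I would narrow the new arm to `["yaml", "loader", "SafeLoader"]` and add `|| matches!(call_path.as_slice(), ["yaml", "cyaml", "CSafeLoader"])`, pinned by a fixture line such as `from yaml.cyaml import CSafeLoader as NewCSafeLoader`. Worth confirming the module layout against the PyYAML versions ruff targets before relying on it. The enclosing `unsafe_yaml_load` function starts before this hunk, and the `match loader_arg` it feeds continues past it.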
@@ -2,7 +2,7 @@
 import yaml
 from yaml import CSafeLoader
 from yaml import SafeLoader
-from yaml import SafeLoader as NewSafeLoader
+from yaml.loader import SafeLoader as NewSafeLoader


 def test_yaml_load():
@@ -29,3 +29,8 @@ def test_json_load():
 yaml.load("{}", CSafeLoader)
 yaml.load("{}", yaml.CSafeLoader)
 yaml.load("{}", NewSafeLoader)
+yaml.load("{}", Loader=SafeLoader)
+yaml.load("{}", Loader=yaml.SafeLoader)
+yaml.load("{}", Loader=CSafeLoader)
+yaml.load("{}", Loader=yaml.CSafeLoader)
+yaml.load("{}", Loader=NewSafeLoader)

From 85ac5e30bfb94f8a391ac428de3fa50ef6a4a399 Mon Sep 17 00:00:00 2001
From: Charlie Marsh
Date: Thu, 28 Dec 2023 09:24:05 -0500
Subject: [PATCH 3/3] Collapse match

---
 .../src/rules/flake8_bandit/rules/unsafe_yaml_load.rs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
index b2b30892dcf94..22b100c1d844c 100644
--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/unsafe_yaml_load.rs
@@ -70,11 +70,11 @@ pub(crate) fn unsafe_yaml_load(checker: &mut Checker, call: &ast::ExprCall) {
 .semantic()
 .resolve_call_path(loader_arg)
 .is_some_and(|call_path| {
- matches!(call_path.as_slice(), ["yaml", "SafeLoader" | "CSafeLoader"])
- || matches!(
- call_path.as_slice(),
- ["yaml", "loader", "SafeLoader" | "CSafeLoader"]
- )
+ matches!(
+ call_path.as_slice(),
+ ["yaml", "SafeLoader" | "CSafeLoader"]
+ | ["yaml", "loader", "SafeLoader" | "CSafeLoader"]
+ )
 })
 {
 let loader = match loader_arg {
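Review bot: Rewriting `from yaml import SafeLoader as NewSafeLoader` into `from yaml.loader import SafeLoader as NewSafeLoader` swaps coverage instead of adding it: the aliased import taken directly from `yaml`, which the rule already had to resolve through `resolve_call_path`, is no longer exercised by any line of the fixture. Keep the original line and introduce the new path under a second alias, e.g. `from yaml import SafeLoader as NewSafeLoader` followed by `from yaml.loader import SafeLoader as LoaderSafeLoader`, then use `LoaderSafeLoader` in one of the calls appended at the end of the file so both spellings stay pinned.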
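Review bot: The five added calls reach the new `yaml.loader` path only through the `NewSafeLoader` alias, never through attribute access, so a regression in resolving `yaml.loader.SafeLoader` as a dotted expression would pass this fixture unnoticed. Add `yaml.load("{}", yaml.loader.SafeLoader)` and `yaml.load("{}", Loader=yaml.loader.SafeLoader)` beside the existing `yaml.CSafeLoader` cases. Every new line here is a safe call, so the snapshot should stay unchanged; one unsafe keyword-form counterpart such as `yaml.load("{}", Loader=yaml.Loader)` would additionally confirm that the `Loader=` kwarg path still reports when it should, at the cost of a snapshot update.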
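Review bot: The collapsed `matches!` now lists two module paths with nothing explaining why `yaml.loader` is treated as equivalent to `yaml`, so a later reader may drop the second arm as redundant or keep adding paths ad hoc. A one-line why-comment above the `matches!(` would carry the reasoning, e.g. `// PyYAML defines SafeLoader in yaml.loader and re-exports it from yaml; accept both spellings.` — assuming that layout is indeed what motivated the arm, which the commit message does not say. The enclosing `unsafe_yaml_load` function begins before this hunk and its `match loader_arg` body continues after it.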