Commit
## Summary

Adds `S504` rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for calls to `ssl.wrap_socket` which have no `ssl_version` argument set. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_no_version

## Test Plan

Fixture added

## Issue Link

Refers: #1646
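The check the commit describes, written as an added example against Python's own `ast` module (not ruff's code and not part of this commit), run over a constructed sample that mirrors the fixture. It goes slightly beyond the rule as committed by also accepting `ssl_version` passed positionally; the parameter position is assumed from the stdlib `ssl.wrap_socket` signature.

```python
import ast

# Constructed sample mirroring the S504 fixture, plus a positional ssl_version case.
SAMPLE = """\
import ssl
from ssl import wrap_socket

ssl.wrap_socket()  # flagged
wrap_socket()  # flagged
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)  # ok
ssl.wrap_socket(sock, None, None, False, ssl.CERT_NONE, ssl.PROTOCOL_TLSv1_2)  # ok
obj.wrap_socket()  # ok: some other object's wrap_socket
"""

# Assumed from wrap_socket(sock, keyfile, certfile, server_side, cert_reqs, ssl_version, ...).
SSL_VERSION_INDEX = 5

def _collect_aliases(tree):
    """Map local names to their import origin, e.g. 'wrap_socket' -> ('ssl', 'wrap_socket')."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl":
            for alias in node.names:
                aliases[alias.asname or alias.name] = ("ssl", alias.name)
    return aliases

def _resolve(func, aliases):
    """Resolve a callee to (module, name), much as the rule's resolve_call_path does."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (aliases.get(func.value.id), func.attr)  # ssl.wrap_socket, s.wrap_socket
    if isinstance(func, ast.Name):
        return aliases.get(func.id)  # bare wrap_socket after a from-import
    return None

def find_ssl_with_no_version(source):
    """Line numbers of ssl.wrap_socket calls that set no ssl_version, keyword or positional."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _resolve(node.func, aliases) == ("ssl", "wrap_socket"):
            by_keyword = any(kw.arg == "ssl_version" for kw in node.keywords)
            by_position = len(node.args) > SSL_VERSION_INDEX
            if not (by_keyword or by_position):
                hits.append(node.lineno)
    return sorted(hits)
```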
Showing 10 changed files with 98 additions and 2 deletions.
crates/ruff_linter/resources/test/fixtures/flake8_bandit/S504.py (15 additions & 0 deletions)
@@ -0,0 +1,15 @@ | ||
import ssl | ||
from ssl import wrap_socket | ||
|
||
ssl.wrap_socket() # S504 | ||
wrap_socket() # S504 | ||
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) # OK | ||
|
||
|
||
class Class: | ||
def wrap_socket(self): | ||
pass | ||
|
||
|
||
obj = Class() | ||
obj.wrap_socket() # OK |
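Review bot: the fixture has no case where `ssl_version` is supplied positionally, so it cannot show how the rule treats one. `ssl_version` is a positional-or-keyword parameter of `ssl.wrap_socket` (the sixth), so a call such as `ssl.wrap_socket(sock, None, None, False, ssl.CERT_NONE, ssl.PROTOCOL_TLSv1_2)` sets a version but would be reported by a keyword-only lookup. Consider adding that line with an `# OK` marker (or a comment stating that positional arguments are intentionally not handled), plus an aliased import such as `import ssl as s` followed by `s.wrap_socket()  # S504` to exercise call-path resolution.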
crates/ruff_linter/src/rules/flake8_bandit/rules/ssl_with_no_version.rs (51 additions & 0 deletions)
@@ -0,0 +1,51 @@ | ||
use ruff_diagnostics::{Diagnostic, Violation}; | ||
use ruff_macros::{derive_message_formats, violation}; | ||
use ruff_python_ast::ExprCall; | ||
use ruff_text_size::Ranged; | ||
|
||
use crate::checkers::ast::Checker; | ||
|
||
/// ## What it does | ||
/// Checks for calls to `ssl.wrap_socket()` without an `ssl_version`. | ||
/// | ||
/// ## Why is this bad? | ||
/// This method is known to provide a default value that maximizes | ||
/// compatibility, but permits use of insecure protocols. | ||
/// | ||
/// ## Example | ||
/// ```python | ||
/// import ssl | ||
/// | ||
/// ssl.wrap_socket() | ||
/// ``` | ||
/// | ||
/// Use instead: | ||
/// ```python | ||
/// import ssl | ||
/// | ||
/// ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) | ||
/// ``` | ||
#[violation] | ||
pub struct SslWithNoVersion; | ||
|
||
impl Violation for SslWithNoVersion { | ||
#[derive_message_formats] | ||
fn message(&self) -> String { | ||
format!("`ssl.wrap_socket` called without an `ssl_version``") | ||
} | ||
} | ||
|
||
/// S504 | ||
pub(crate) fn ssl_with_no_version(checker: &mut Checker, call: &ExprCall) { | ||
if checker | ||
.semantic() | ||
.resolve_call_path(call.func.as_ref()) | ||
.is_some_and(|call_path| matches!(call_path.as_slice(), ["ssl", "wrap_socket"])) | ||
{ | ||
if call.arguments.find_keyword("ssl_version").is_none() { | ||
checker | ||
.diagnostics | ||
.push(Diagnostic::new(SslWithNoVersion, call.range())); | ||
} | ||
} | ||
} |
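Review bot: the `format!` string in `message()` ends with a doubled backtick, `` `ssl_version`` ``, so every diagnostic renders with a stray backtick; it should read `format!("`ssl.wrap_socket` called without an `ssl_version`")`. Second, `call.arguments.find_keyword("ssl_version")` only sees keyword arguments, while `ssl_version` is also accepted positionally (sixth parameter of `ssl.wrap_socket`), so a call that passes it positionally is reported as a false positive; either also accept the sixth positional argument or state the limitation in the rule docs. Finally, the `## Why is this bad?` section could note that `ssl.wrap_socket` itself has been deprecated since Python 3.7 in favour of `SSLContext.wrap_socket`, which is the fix users should actually reach for rather than pinning a protocol constant.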
...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S504_S504.py.snap (22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
--- | ||
source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs | ||
--- | ||
S504.py:4:1: S504 `ssl.wrap_socket` called without an `ssl_version`` | ||
| | ||
2 | from ssl import wrap_socket | ||
3 | | ||
4 | ssl.wrap_socket() # S504 | ||
| ^^^^^^^^^^^^^^^^^ S504 | ||
5 | wrap_socket() # S504 | ||
6 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) # OK | ||
| | ||
S504.py:5:1: S504 `ssl.wrap_socket` called without an `ssl_version`` | ||
| | ||
4 | ssl.wrap_socket() # S504 | ||
5 | wrap_socket() # S504 | ||
| ^^^^^^^^^^^^^ S504 | ||
6 | ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2) # OK | ||
| | ||
|
||
|
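Review bot: both expected messages carry the doubled backtick (`` `ssl_version`` ``) from the `format!` string in `ssl_with_no_version.rs`; once that string is corrected this snapshot has to be regenerated or the S504 test will fail on the message text. The two reported locations, `S504.py:4:1` and `S504.py:5:1`, match the fixture, and the `# OK` lines are correctly absent.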