[flake8-bandit] Treat sys.executable as trusted input in S603#24106
Merged
MichaReiser merged 1 commit intoastral-sh:mainfrom Mar 25, 2026
Merged
[flake8-bandit] Treat sys.executable as trusted input in S603#24106MichaReiser merged 1 commit intoastral-sh:mainfrom
MichaReiser merged 1 commit intoastral-sh:mainfrom
Conversation
|
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S603 | 10 | 0 | 10 | 0 | 0 |
Linter (preview)
ℹ️ ecosystem check detected linter changes. (+0 -10 violations, +0 -0 fixes in 2 projects; 54 projects unchanged)
apache/airflow (+0 -9 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --no-fix --output-format concise --preview --select ALL
- airflow-core/tests/unit/cli/test_cli_parser.py:648:18: S603 `subprocess` call: check for execution of untrusted input - airflow-core/tests/unit/cli/test_cli_parser.py:663:18: S603 `subprocess` call: check for execution of untrusted input - airflow-core/tests/unit/cli/test_cli_parser.py:678:18: S603 `subprocess` call: check for execution of untrusted input - airflow-core/tests/unit/utils/test_process_utils.py:128:19: S603 `subprocess` call: check for execution of untrusted input - airflow-core/tests/unit/utils/test_process_utils.py:137:19: S603 `subprocess` call: check for execution of untrusted input - airflow-ctl-tests/tests/airflowctl_tests/conftest.py:154:18: S603 `subprocess` call: check for execution of untrusted input - scripts/in_container/run_prepare_airflow_distributions.py:73:23: S603 `subprocess` call: check for execution of untrusted input - scripts/in_container/verify_providers.py:782:16: S603 `subprocess` call: check for execution of untrusted input - task-sdk-integration-tests/tests/task_sdk_tests/conftest.py:364:18: S603 `subprocess` call: check for execution of untrusted input
bokeh/bokeh (+0 -1 violations, +0 -0 fixes)
ruff check --no-cache --exit-zero --no-fix --output-format concise --preview --select ALL
- tests/codebase/test_python_execution_with_OO.py:45:12: S603 `subprocess` call: check for execution of untrusted input
Changes by rule (1 rules affected)
| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| S603 | 10 | 0 | 10 | 0 | 0 |
carljm
added a commit
that referenced
this pull request
Mar 25, 2026
* main: [ty] make `test-case` a dev-dependency (#24187) [ty] implement cycle normalization for more types to prevent too-many-cycle panics (#24061) [ty] Silence all diagnostics in unreachable code (#24179) [ty] Intern `InferableTypeVars` (#24161) Implement unnecessary-if (RUF050) (#24114) Recognize `Self` annotation and `self` assignment in SLF001 (#24144) Bump the npm version before publish (#24178) [ty] Disallow Self in metaclass and static methods (#23231) Use trusted publishing for NPM packages (#24171) [ty] Respect non-explicitly defined dataclass params (#24170) Add RUF072: warn when using operator on an f-string (#24162) [ty] Check return type of generator functions (#24026) Implement useless-finally (RUF-072) (#24165) [ty] Add test for a dataclass with a default field converter (#24169) [ty] Dataclass field converters (#23088) [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106) [ty] Add support for `typing.Concatenate` (#23689) `ASYNC115`: autofix to use full qualified `anyio.lowlevel` import (#24166) [ty] Disallow read-only fields in TypedDict updates (#24128) Speed up diagnostic rendering (#24146)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Treat
sys.executableas trusted input inS603.sys.executableis the path to the running Python interpreter and is not user-controlled. Subprocess calls likesubprocess.run([sys.executable, "-m", "pip"])should not be flagged as untrusted input.Closes #24084
Test plan
sys.executabletest cases toS603.pyfixture (standalone, in list, in tuple)sys.executablecalls