Skip S608 for expressionless f-strings (#17999)

2025-09-28 12:55:05 +00:00 · 2025-05-10 12:37:58 +02:00 · 2025-05-10 12:37:58 +02:00 · b765dc48e9
commit b765dc48e9
parent cd1d906ffa
3 changed files with 14 additions and 1 deletions
--- a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S608.py
+++ b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S608.py
@ -166,3 +166,6 @@ query60 = f"""
        foo
    FROM ({user_input}) raw
 """
+
+# https://github.com/astral-sh/ruff/issues/17967
+query61 = f"SELECT * FROM table" # skip expressionless f-strings
--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
@ -100,7 +100,15 @@ pub(crate) fn hardcoded_sql_expression(checker: &Checker, expr: &Expr) {
        }

        // f"select * from table where val = {val}"
-        Expr::FString(f_string) => concatenated_f_string(f_string, checker.locator()),
+        Expr::FString(f_string)
+            if f_string
+                .value
+                .f_strings()
+                .any(|fs| fs.elements.iter().any(ast::FStringElement::is_expression)) =>
+        {
+            concatenated_f_string(f_string, checker.locator())
+        }
+
        _ => return,
    };

--- a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linterrulesflake8_bandittestsS608_S608.py.snap
+++ b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linterrulesflake8_bandittestsS608_S608.py.snap
@ -601,4 +601,6 @@ S608.py:164:11: S608 Possible SQL injection vector through string-based query co
 167 | |     FROM ({user_input}) raw
 168 | | """
    | |___^ S608
+169 |
+170 |   # https://github.com/astral-sh/ruff/issues/17967
    |