mirror of
https://github.com/astral-sh/ruff.git
synced 2025-09-28 04:45:01 +00:00
Implement bandit's 'hardcoded-sql-expressions' S608 (#2698)
This is an attempt to implement `bandit` rule `B608` (renamed here `S608`).
- https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
The rule inspects strings constructed via `+`, `%`, `.format`, and `f""`.
- `+` and `%` via `BinOp`
- `.format` via `Call`
- `f""` via `JoinedString`
Any SQL-ish strings that use Python string formatting are flagged.
The expressions and targeted expression types for the rule come from here:
- 7104b336d3/bandit/plugins/injection_sql.py
> Related Issue: https://github.com/charliermarsh/ruff/issues/1646
parent
9e2418097c
commit
fc628de667
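The commit message above says which expression shapes the rule inspects: `BinOp` for `+` and `%`, `Call` for `.format`, and f-strings. As an added illustration that is not ruff's or bandit's code, the following Python script applies the same idea with the standard `ast` module: it walks a parsed module, gathers the literal fragments of every string-building expression, and reports those whose text matches a SQL-statement pattern. The `SQL_RE` pattern is an approximation of bandit's keyword check rather than a copy of it, the choice to report only the outermost build of a nested concatenation once is this example's own, and the `SAMPLE` source is constructed for the demonstration; all of these are assumptions.

```python
"""Standalone illustration (not ruff's or bandit's code) of the S608 idea:
find SQL-looking strings that are assembled with Python string formatting."""
import ast
import re

# Assumption: an approximation of the statement shapes bandit keys on.
SQL_RE = re.compile(
    r"(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)",
    re.IGNORECASE,
)


def looks_like_sql(text):
    """True when the literal text carries a SQL statement shape."""
    return SQL_RE.search(text) is not None


def is_string_building(node):
    """The expression shapes the rule inspects: BinOp for `+` and `%`,
    Call for `.format`, and an f-string with at least one placeholder."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        return isinstance(node.op, (ast.Add, ast.Mod))
    if isinstance(node, ast.Call):
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    return False


def literal_parts(node):
    """Yield the constant string fragments of a built string, skipping the
    interpolated values (names, calls, the right-hand side of `%`)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield node.value
    elif isinstance(node, ast.JoinedStr):
        for value in node.values:  # FormattedValue nodes yield nothing
            yield from literal_parts(value)
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        yield from literal_parts(node.left)
        yield from literal_parts(node.right)
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        yield from literal_parts(node.left)  # the template sits left of `%`
    elif isinstance(node, ast.Call) and is_string_building(node):
        yield from literal_parts(node.func.value)  # the receiver of .format()


class HardcodedSqlFinder(ast.NodeVisitor):
    """Collects (line number, literal text) for each flagged expression."""

    def __init__(self):
        self.findings = []

    def visit(self, node):
        if is_string_building(node):
            text = "".join(literal_parts(node))
            if looks_like_sql(text):
                self.findings.append((node.lineno, text))
                return  # report the outermost build once, not each nested piece
        self.generic_visit(node)


def find_hardcoded_sql(source):
    """Parse `source` and return the flagged expressions in source order."""
    finder = HardcodedSqlFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample input for the demonstration (not taken from the page).
SAMPLE = '''
identifier = "42"
q1 = "DELETE FROM foo WHERE id = '%s'" % identifier
q2 = "SELECT * FROM foo WHERE id = " + identifier + " AND active = 1"
q3 = "UPDATE foo SET name = '{}' WHERE id = {}".format("x", identifier)
q4 = f"INSERT INTO foo (id) VALUES ({identifier})"
safe = "DELETE FROM foo WHERE id = %s"   # plain literal: value bound by the driver
greeting = "hello " + identifier          # string building, but not SQL
'''

if __name__ == "__main__":
    for lineno, text in find_hardcoded_sql(SAMPLE):
        print(f"line {lineno}: S608 hardcoded SQL expression: {text!r}")
```

Running the script reports lines 3 to 6 of `SAMPLE` and leaves the plain literal on line 7 alone: a query string that never passes through `+`, `%`, `.format` or an f-string is exactly the form in which the placeholder is left for the database driver to bind, which is why the rule keys on the building operation rather than on the SQL keywords alone.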
10 changed files with 736 additions and 0 deletions
17
docs/rules/hardcoded-sql-expression.md
Normal file
@ -0,0 +1,17 @@
# hardcoded-sql-expression (S608)

Derived from the **flake8-bandit** linter.

### What it does
Checks for strings that resemble SQL statements involved in some form
string building operation.

### Why is this bad?
SQL injection is a common attack vector for web applications. Unless care
is taken to sanitize and control the input data when building such
SQL statement strings, an injection attack becomes possible.

### Example
```python
query = "DELETE FROM foo WHERE id = '%s'" % identifier
```
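Review bot: the "What it does" sentence in this hunk is missing a word: "involved in some form string building operation" should read "involved in some form of string building operation". The Example section also shows only the flagged pattern; since the "Why is this bad?" text says care must be taken when building such strings but never shows the safe form, a short counterpart that keeps the literal `"DELETE FROM foo WHERE id = %s"` unformatted and passes `identifier` to the database driver as a query parameter would make the remediation concrete and explain why a plain literal with no `%`, `+`, `.format` or f-string applied is not flagged.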