mirror of https://github.com/astral-sh/ruff.git synced 2025-09-27 20:42:10 +00:00

Implement bandit's 'hardcoded-sql-expressions' S608 (#2698 )

This is an attempt to implement `bandit` rule `B608` (renamed here `S608`).
- https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html

The rule inspects strings constructed via `+`, `%`, `.format`, and `f""`.

- `+` and `%` via `BinOp`
- `.format` via `Call`
- `f""` via `JoinedString`

Any SQL-ish strings that use Python string formatting are flagged.

The expressions and targeted expression types for the rule come from here:
- 7104b336d3/bandit/plugins/injection_sql.py

> Related Issue: https://github.com/charliermarsh/ruff/issues/1646

2023-02-09 19:28:17 -05:00

498 B

Raw Blame History

hardcoded-sql-expression (S608)

Derived from the flake8-bandit linter.

What it does

Checks for strings that resemble SQL statements involved in some form string building operation.

Why is this bad?

SQL injection is a common attack vector for web applications. Unless care is taken to sanitize and control the input data when building such SQL statement strings, an injection attack becomes possible.

Example

query = "DELETE FROM foo WHERE id = '%s'" % identifier

498 B Raw Blame History

hardcoded-sql-expression (S608)

What it does

Why is this bad?

Example

498 B

Raw Blame History