diff --git a/crates/ruff_linter/src/preview.rs b/crates/ruff_linter/src/preview.rs index c7d0fed7fa..3bc09c0ea2 100644 --- a/crates/ruff_linter/src/preview.rs +++ b/crates/ruff_linter/src/preview.rs @@ -18,13 +18,6 @@ pub(crate) const fn is_full_path_match_source_strategy_enabled(settings: &Linter // Rule-specific behavior -// https://github.com/astral-sh/ruff/pull/17136 -pub(crate) const fn is_shell_injection_only_trusted_input_enabled( - settings: &LinterSettings, -) -> bool { - settings.preview.is_enabled() -} - // https://github.com/astral-sh/ruff/pull/15541 pub(crate) const fn is_suspicious_function_reference_enabled(settings: &LinterSettings) -> bool { settings.preview.is_enabled() diff --git a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs index 868367d6f7..48f3fe251f 100644 --- a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs +++ b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs @@ -104,7 +104,6 @@ mod tests { #[test_case(Rule::SuspiciousURLOpenUsage, Path::new("S310.py"))] #[test_case(Rule::SuspiciousNonCryptographicRandomUsage, Path::new("S311.py"))] #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"))] - #[test_case(Rule::SubprocessWithoutShellEqualsTrue, Path::new("S603.py"))] fn preview_rules(rule_code: Rule, path: &Path) -> Result<()> { let snapshot = format!( "preview__{}_{}", diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs index e8bc2204f1..6a423ea5b8 100644 --- a/crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs +++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs @@ -7,7 +7,6 @@ use ruff_python_semantic::SemanticModel; use ruff_text_size::Ranged; use crate::Violation; -use crate::preview::is_shell_injection_only_trusted_input_enabled; use crate::{ checkers::ast::Checker, registry::Rule, rules::flake8_bandit::helpers::string_literal, }; @@ -325,9 +324,7 @@ pub(crate) fn shell_injection(checker: &Checker, call: &ast::ExprCall) { } // S603 _ => { - if !is_trusted_input(arg) - || !is_shell_injection_only_trusted_input_enabled(checker.settings) - { + if !is_trusted_input(arg) { if checker.enabled(Rule::SubprocessWithoutShellEqualsTrue) { checker.report_diagnostic( SubprocessWithoutShellEqualsTrue, diff --git a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S603_S603.py.snap b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S603_S603.py.snap index 13003f8def..2b8d7c974f 100644 --- a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S603_S603.py.snap +++ b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S603_S603.py.snap @@ -106,74 +106,6 @@ S603.py:21:1: S603 `subprocess` call: check for execution of untrusted input 23 | # Literals are fine, they're trusted. | -S603.py:24:1: S603 `subprocess` call: check for execution of untrusted input - | -23 | # Literals are fine, they're trusted. -24 | run("true") - | ^^^ S603 -25 | Popen(["true"]) -26 | Popen("true", shell=False) - | - -S603.py:25:1: S603 `subprocess` call: check for execution of untrusted input - | -23 | # Literals are fine, they're trusted. -24 | run("true") -25 | Popen(["true"]) - | ^^^^^ S603 -26 | Popen("true", shell=False) -27 | call("true", shell=False) - | - -S603.py:26:1: S603 `subprocess` call: check for execution of untrusted input - | -24 | run("true") -25 | Popen(["true"]) -26 | Popen("true", shell=False) - | ^^^^^ S603 -27 | call("true", shell=False) -28 | check_call("true", shell=False) - | - -S603.py:27:1: S603 `subprocess` call: check for execution of untrusted input - | -25 | Popen(["true"]) -26 | Popen("true", shell=False) -27 | call("true", shell=False) - | ^^^^ S603 -28 | check_call("true", shell=False) -29 | check_output("true", shell=False) - | - -S603.py:28:1: S603 `subprocess` call: check for execution of untrusted input - | -26 | Popen("true", shell=False) -27 | call("true", shell=False) -28 | check_call("true", shell=False) - | ^^^^^^^^^^ S603 -29 | check_output("true", shell=False) -30 | run("true", shell=False) - | - -S603.py:29:1: S603 `subprocess` call: check for execution of untrusted input - | -27 | call("true", shell=False) -28 | check_call("true", shell=False) -29 | check_output("true", shell=False) - | ^^^^^^^^^^^^ S603 -30 | run("true", shell=False) - | - -S603.py:30:1: S603 `subprocess` call: check for execution of untrusted input - | -28 | check_call("true", shell=False) -29 | check_output("true", shell=False) -30 | run("true", shell=False) - | ^^^ S603 -31 | -32 | # Not through assignments though. - | - S603.py:34:1: S603 `subprocess` call: check for execution of untrusted input | 32 | # Not through assignments though. @@ -184,15 +116,6 @@ S603.py:34:1: S603 `subprocess` call: check for execution of untrusted input 36 | # Instant named expressions are fine. | -S603.py:37:1: S603 `subprocess` call: check for execution of untrusted input - | -36 | # Instant named expressions are fine. -37 | run(c := "true") - | ^^^ S603 -38 | -39 | # But non-instant are not. - | - S603.py:41:1: S603 `subprocess` call: check for execution of untrusted input | 39 | # But non-instant are not. @@ -200,20 +123,3 @@ S603.py:41:1: S603 `subprocess` call: check for execution of untrusted input 41 | run(e) | ^^^ S603 | - -S603.py:46:1: S603 `subprocess` call: check for execution of untrusted input - | -44 | # https://github.com/astral-sh/ruff/issues/17798 -45 | # Tuple literals are trusted -46 | check_output(("literal", "cmd", "using", "tuple"), text=True) - | ^^^^^^^^^^^^ S603 -47 | Popen(("literal", "cmd", "using", "tuple")) - | - -S603.py:47:1: S603 `subprocess` call: check for execution of untrusted input - | -45 | # Tuple literals are trusted -46 | check_output(("literal", "cmd", "using", "tuple"), text=True) -47 | Popen(("literal", "cmd", "using", "tuple")) - | ^^^^^ S603 - | diff --git a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__preview__S603_S603.py.snap b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__preview__S603_S603.py.snap deleted file mode 100644 index 2b8d7c974f..0000000000 --- a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__preview__S603_S603.py.snap +++ /dev/null @@ -1,125 +0,0 @@ ---- -source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs ---- -S603.py:5:1: S603 `subprocess` call: check for execution of untrusted input - | -3 | # Different Popen wrappers are checked. -4 | a = input() -5 | Popen(a, shell=False) - | ^^^^^ S603 -6 | call(a, shell=False) -7 | check_call(a, shell=False) - | - -S603.py:6:1: S603 `subprocess` call: check for execution of untrusted input - | -4 | a = input() -5 | Popen(a, shell=False) -6 | call(a, shell=False) - | ^^^^ S603 -7 | check_call(a, shell=False) -8 | check_output(a, shell=False) - | - -S603.py:7:1: S603 `subprocess` call: check for execution of untrusted input - | -5 | Popen(a, shell=False) -6 | call(a, shell=False) -7 | check_call(a, shell=False) - | ^^^^^^^^^^ S603 -8 | check_output(a, shell=False) -9 | run(a, shell=False) - | - -S603.py:8:1: S603 `subprocess` call: check for execution of untrusted input - | -6 | call(a, shell=False) -7 | check_call(a, shell=False) -8 | check_output(a, shell=False) - | ^^^^^^^^^^^^ S603 -9 | run(a, shell=False) - | - -S603.py:9:1: S603 `subprocess` call: check for execution of untrusted input - | - 7 | check_call(a, shell=False) - 8 | check_output(a, shell=False) - 9 | run(a, shell=False) - | ^^^ S603 -10 | -11 | # Falsey values are treated as false. - | - -S603.py:12:1: S603 `subprocess` call: check for execution of untrusted input - | -11 | # Falsey values are treated as false. -12 | Popen(a, shell=0) - | ^^^^^ S603 -13 | Popen(a, shell=[]) -14 | Popen(a, shell={}) - | - -S603.py:13:1: S603 `subprocess` call: check for execution of untrusted input - | -11 | # Falsey values are treated as false. -12 | Popen(a, shell=0) -13 | Popen(a, shell=[]) - | ^^^^^ S603 -14 | Popen(a, shell={}) -15 | Popen(a, shell=None) - | - -S603.py:14:1: S603 `subprocess` call: check for execution of untrusted input - | -12 | Popen(a, shell=0) -13 | Popen(a, shell=[]) -14 | Popen(a, shell={}) - | ^^^^^ S603 -15 | Popen(a, shell=None) - | - -S603.py:15:1: S603 `subprocess` call: check for execution of untrusted input - | -13 | Popen(a, shell=[]) -14 | Popen(a, shell={}) -15 | Popen(a, shell=None) - | ^^^^^ S603 -16 | -17 | # Unknown values are treated as falsey. - | - -S603.py:18:1: S603 `subprocess` call: check for execution of untrusted input - | -17 | # Unknown values are treated as falsey. -18 | Popen(a, shell=True if True else False) - | ^^^^^ S603 -19 | -20 | # No value is also caught. - | - -S603.py:21:1: S603 `subprocess` call: check for execution of untrusted input - | -20 | # No value is also caught. -21 | Popen(a) - | ^^^^^ S603 -22 | -23 | # Literals are fine, they're trusted. - | - -S603.py:34:1: S603 `subprocess` call: check for execution of untrusted input - | -32 | # Not through assignments though. -33 | cmd = ["true"] -34 | run(cmd) - | ^^^ S603 -35 | -36 | # Instant named expressions are fine. - | - -S603.py:41:1: S603 `subprocess` call: check for execution of untrusted input - | -39 | # But non-instant are not. -40 | (e := "echo") -41 | run(e) - | ^^^ S603 - |