[flake8-bandit] Fix truthiness: dict-only ** displays not truthy for shell (S602, S604, S609) (#20177)

## Summary
Fixes #19927

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S602.py

@@ -18,3 +18,18 @@ var_string = "true"
 Popen(var_string, shell=True)
 Popen([var_string], shell=True)
 Popen([var_string, ""], shell=True)
+
+# Check dict display with only double-starred expressions can be falsey.
+Popen("true", shell={**{}})
+Popen("true", shell={**{**{}}})
+
+# Check pattern with merged defaults/configs
+class ShellConfig:
+    def __init__(self):
+        self.shell_defaults = {}
+
+    def fetch_shell_config(self, username):
+        return {}
+
+    def run(self, username):
+        Popen("true", shell={**self.shell_defaults, **self.fetch_shell_config(username)})

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S604.py

@@ -3,3 +3,6 @@ def foo(shell):
 
 
 foo(shell=True)
+
+foo(shell={**{}})
+foo(shell={**{**{}}})

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S609.py

@@ -6,3 +6,6 @@ subprocess.Popen("/bin/chown root: *", shell=True)
 subprocess.Popen(["/usr/local/bin/rsync", "*", "some_where:"], shell=True)
 subprocess.Popen("/usr/local/bin/rsync * no_injection_here:")
 os.system("tar cf foo.tar bar/*")
+
+subprocess.Popen(["chmod", "+w", "*.py"], shell={**{}})
+subprocess.Popen(["chmod", "+w", "*.py"], shell={**{**{}}})

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S602_S602.py.snap

@@ -124,4 +124,6 @@ S602 `subprocess` call with `shell=True` identified, security issue
 19 | Popen([var_string], shell=True)
 20 | Popen([var_string, ""], shell=True)
    | ^^^^^
+21 |
+22 | # Check dict display with only double-starred expressions can be falsey.
    |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S604_S604.py.snap

@@ -6,4 +6,6 @@ S604 Function call with `shell=True` parameter identified, security issue
   |
 5 | foo(shell=True)
   | ^^^
+6 |
+7 | foo(shell={**{}})
   |

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S609_S609.py.snap

@@ -34,10 +34,12 @@ S609 Possible wildcard injection in call due to `*` usage
   |
 
 S609 Possible wildcard injection in call due to `*` usage
- --> S609.py:8:11
+  --> S609.py:8:11
-  |
+   |
-6 | subprocess.Popen(["/usr/local/bin/rsync", "*", "some_where:"], shell=True)
+ 6 | subprocess.Popen(["/usr/local/bin/rsync", "*", "some_where:"], shell=True)
-7 | subprocess.Popen("/usr/local/bin/rsync * no_injection_here:")
+ 7 | subprocess.Popen("/usr/local/bin/rsync * no_injection_here:")
-8 | os.system("tar cf foo.tar bar/*")
+ 8 | os.system("tar cf foo.tar bar/*")
-  |           ^^^^^^^^^^^^^^^^^^^^^^
+   |           ^^^^^^^^^^^^^^^^^^^^^^
-  |
+ 9 |
+10 | subprocess.Popen(["chmod", "+w", "*.py"], shell={**{}})
+   |

crates/ruff_python_ast/src/helpers.rs

@@ -1294,15 +1294,14 @@ impl Truthiness {
                     return Self::Falsey;
                 }
 
-                if dict.items.iter().all(|item| {
+                // If the dict consists only of double-starred items (e.g., {**x, **y}),
-                    matches!(
+                // consider its truthiness unknown. This matches lists/sets/tuples containing
-                        item,
+                // only starred elements, which are also Unknown.
-                        DictItem {
+                if dict
-                            key: None,
+                    .items
-                            value: Expr::Name(..)
+                    .iter()
-                        }
+                    .all(|item| matches!(item, DictItem { key: None, .. }))
-                    )
+                {
-                }) {
                     // {**foo} / {**foo, **bar}
                     Self::Unknown
                 } else {