mirrors/ruff
1
0
Fork 0
mirror of https://github.com/astral-sh/ruff.git synced 2025-08-04 18:58:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

[flake8-bandit] Move unsafe-markup-use from RUF035 to S704 (#15957)

Browse source 
## Summary

`RUF035` has been backported into bandit as `S704` in this
[PR](https://github.com/PyCQA/bandit/pull/1225)

This moves the rule and its corresponding setting to the `flake8-bandit`
category

## Test Plan

`cargo nextest run`

---------

Co-authored-by: Micha Reiser <micha@reiser.io>
This commit is contained in:
David Salvisberg 2025-03-11 13:19:18 +01:00 committed by Micha Reiser
parent 798fa47c2e
commit c0b1413ecd
26 changed files with 436 additions and 261 deletions
Download patch file Download diff file Expand all files Collapse all files

12
crates/ruff_linter/resources/test/fixtures/ruff/RUF035.py → crates/ruff_linter/resources/test/fixtures/flake8_bandit/S704.py vendored
View file

@ -2,17 +2,17 @@ import flask
from markupsafe import Markup, escape
content = "<script>alert('Hello, world!')</script>"
Markup(f"unsafe {content}") # RUF035
flask.Markup("unsafe {}".format(content)) # RUF035
Markup(f"unsafe {content}") # S704
flask.Markup("unsafe {}".format(content)) # S704
Markup("safe {}").format(content)
flask.Markup(b"safe {}", encoding='utf-8').format(content)
escape(content)
Markup(content) # RUF035
flask.Markup("unsafe %s" % content) # RUF035
Markup(content) # S704
flask.Markup("unsafe %s" % content) # S704
Markup(object="safe")
Markup(object="unsafe {}".format(content)) # Not currently detected
# NOTE: We may be able to get rid of these false positives with red-knot
# if it includes comprehensive constant expression detection/evaluation.
Markup("*" * 8) # RUF035 (false positive)
flask.Markup("hello {}".format("world")) # RUF035 (false positive)
Markup("*" * 8) # S704 (false positive)
flask.Markup("hello {}".format("world")) # S704 (false positive)

4
crates/ruff_linter/resources/test/fixtures/ruff/RUF035_extend_markup_names.py → crates/ruff_linter/resources/test/fixtures/flake8_bandit/S704_extend_markup_names.py vendored
View file

@ -2,5 +2,5 @@ from markupsafe import Markup
from webhelpers.html import literal
content = "<script>alert('Hello, world!')</script>"
Markup(f"unsafe {content}") # RUF035
literal(f"unsafe {content}") # RUF035
Markup(f"unsafe {content}") # S704
literal(f"unsafe {content}") # S704

2
crates/ruff_linter/resources/test/fixtures/ruff/RUF035_skip_early_out.py → crates/ruff_linter/resources/test/fixtures/flake8_bandit/S704_skip_early_out.py vendored
View file

@ -4,4 +4,4 @@ from webhelpers.html import literal
# additional markup names to be skipped if we don't import either
# markupsafe or flask first.
content = "<script>alert('Hello, world!')</script>"
literal(f"unsafe {content}") # RUF035
literal(f"unsafe {content}") # S704

2
crates/ruff_linter/resources/test/fixtures/ruff/RUF035_whitelisted_markup_calls.py → crates/ruff_linter/resources/test/fixtures/flake8_bandit/S704_whitelisted_markup_calls.py vendored
View file

@ -6,4 +6,4 @@ Markup(clean(content))
# indirect assignments are currently not supported
cleaned = clean(content)
Markup(cleaned) # RUF035
Markup(cleaned) # S704