flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml · astral-sh/ruff#14901

(3 comments) (0 reactions) (0 assignees)Rust (47,527 stars) (2,088 forks)batch import

help wanted

Description

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

Contributor guide

Tech stack: python
Domain: developer experiencesecurity
Issue type: bug
Difficulty: 3
Estimated time: 1-3 hours
Activity status: fresh
Clarity: clear
Prerequisites: PythonRustRuff internals
Newbie friendliness: 35
Research direction: The issue describes a false positive for rule S408 when importing from xml.dom.minidom inside TYPE CHECKING. The fix likely requires modifying the rule implementation in the flake8 bandit plugin within Ruff's source code (e.g., in `crates/ruff linter/src/rules/flake8 bandit`). Look for the rule that triggers on `xml.dom.minidom` imports and add a condition to skip imports inside TYPE CHECKING blocks. Consider also checking if the imported class is not available in defusedxml. No linked pull requests exist yet, so start by familiarizing with the rule's logic and then implement the skip.