astral-sh/ruff

flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml

Open

#14.901 aperta il 10 dic 2024

Vedi su GitHub
 (3 commenti) (0 reazioni) (0 assegnatari)Rust (2088 fork)batch import
help wanted

Metriche repository

Star
 (47.527 star)
Metriche merge PR
 (Merge medio 3g 8h) (573 PR mergiate in 30 g)

Descrizione

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

Guida contributor