astral-sh/ruff

flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml

Open

#14,901 opened on 2024年12月10日

GitHub で見る
 (3 comments) (0 reactions) (0 assignees)Rust (2,088 forks)batch import
help wanted

Repository metrics

Stars
 (47,527 stars)
PR merge metrics
 (平均マージ 3d 8h) (30d で 573 merged PRs)

説明

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

コントリビューターガイド