flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml · astral-sh/ruff#14901

(3 comments) (0 reactions) (0 assignees)Rust (47,527 stars) (2,088 forks)batch import

help wanted

説明

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

コントリビューターガイド

技術スタック: python
領域: developer experiencesecurity
Issue 種別: bug
難度: 3
推定時間: 1-3 hours
活動状況: fresh
明確さ: clear
前提条件: PythonRustRuff internals
初心者向け度: 35
調査方針: The issue describes a false positive for rule S408 when importing from xml.dom.minidom inside TYPE CHECKING. The fix likely requires modifying the rule implementation in the flake8 bandit plugin within Ruff's source code (e.g., in `crates/ruff linter/src/rules/flake8 bandit`). Look for the rule that triggers on `xml.dom.minidom` imports and add a condition to skip imports inside TYPE CHECKING blocks. Consider also checking if the imported class is not available in defusedxml. No linked pull requests exist yet, so start by familiarizing with the rule's logic and then implement the skip.