flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml · astral-sh/ruff#14901

(3 留言) (0 反應) (0 負責人)Rust (47,527 star) (2,088 fork)batch import

help wanted

描述

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

貢獻者指南

技術棧: python
領域: developer experiencesecurity
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: PythonRustRuff internals
新手友善度: 35
研究方向: The issue describes a false positive for rule S408 when importing from xml.dom.minidom inside TYPE CHECKING. The fix likely requires modifying the rule implementation in the flake8 bandit plugin within Ruff's source code (e.g., in `crates/ruff linter/src/rules/flake8 bandit`). Look for the rule that triggers on `xml.dom.minidom` imports and add a condition to skip imports inside TYPE CHECKING blocks. Consider also checking if the imported class is not available in defusedxml. No linked pull requests exist yet, so start by familiarizing with the rule's logic and then implement the skip.