flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml · astral-sh/ruff#14901

(3 评论) (0 反应) (0 负责人)Rust (47,527 star) (2,088 fork)batch import

help wanted

描述

The following code triggers S408 ("xml.dom.minidom is vulnerable to XML attacks"):

from typing import TYPE_CHECKING

if TYPE_CHECKING:
    from xml.dom.minidom import Element

As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.

So in order to signal to Ruff that "this is fine"™, I've tried moving the import to TYPE_CHECKING, but still received the same error.

This probably applies to other rules in the S4xx range, too.

贡献者指南

技术栈: python
领域: developer experiencesecurity
议题类型: bug
难度: 3
预计时间: 1-3 hours
活动状态: fresh
清晰度: clear
前置要求: PythonRustRuff internals
新手友好度: 35
研究方向: The issue describes a false positive for rule S408 when importing from xml.dom.minidom inside TYPE CHECKING. The fix likely requires modifying the rule implementation in the flake8 bandit plugin within Ruff's source code (e.g., in `crates/ruff linter/src/rules/flake8 bandit`). Look for the rule that triggers on `xml.dom.minidom` imports and add a condition to skip imports inside TYPE CHECKING blocks. Consider also checking if the imported class is not available in defusedxml. No linked pull requests exist yet, so start by familiarizing with the rule's logic and then implement the skip.