flake8-bandit import check should not trigger on TYPE_CHECKING imports or classes not in defusedxml #14901
Labels
help wanted
Contributions especially welcome
Comments
|
The following code has a similar problem, triggering S409 on the from xml.dom import pulldom
from defusedxml.pulldom import parseString
doc = parseString("<foo></foo>")
for ev, node in doc:
if ev == pulldom.START_ELEMENT:
print(node)Again, |
scy
added a commit
to AKVorrat/dearmep
that referenced
this issue
Dec 11, 2024
This is a security warning, but I'm only importing types that don't have a defusedxml alternative anyway. Furthermore, there should be no warnings in a `TYPE_CHECKING` block. I've opened <astral-sh/ruff#14901> for this. Signed-off-by: Tim Weber <[email protected]>
scy
added a commit
to AKVorrat/dearmep
that referenced
this issue
Dec 11, 2024
Again, this is a false positive; `defusedxml` doesn't provide the constants we import `pulldom` for. Added to the existing issue report at <astral-sh/ruff#14901 (comment)>. Signed-off-by: Tim Weber <[email protected]>
|
Thanks. This makes sense to me. So what we need to do here is to allow some imports from |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following code triggers S408 ("
xml.dom.minidomis vulnerable to XML attacks"):As far as I know, defusedxml, which this rule suggests as an alternative, does not supply alternative implementations for most of the types, only of some functions. In other words, I have to import types like these for the standard library; there is no defusedxml alternative.
So in order to signal to Ruff that "this is fine"™, I've tried moving the import to
TYPE_CHECKING, but still received the same error.This probably applies to other rules in the S4xx range, too.
The text was updated successfully, but these errors were encountered: