Flag str.replace as possible sql injection #1044
Merged
Commits on Dec 15, 2023
-
Flag str.replace as possible sql injection
This extends the existing implementation for detecting possible cases of SQL injection to account for `str.replace` used in the string construction. Use of `str.replace` can lead to SQL injection in much the same way as `str.format` can, and that is already considered in the pre-existing implementation, along with other common string constructions. Resolves PyCQA#878
-
-
-
Reduce str.replace to LOW confidence in all cases
Since the rate of false positives may be higher for str.replace over other string constructions like str.format, we should reduce to LOW confidence to compensate for this.
-
Update bandit/plugins/injection_sql.py
Correct version in versionchanged directive Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.