Split into separate rules

astral-sh · Mar 21, 2023 · 5b29182 · 5b29182
1 parent 6c2d430
commit 5b29182
Show file tree

Hide file tree

Showing 14 changed files with 660 additions and 396 deletions.
diff --git a/crates/ruff/resources/test/fixtures/flake8_bandit/S301.py b/crates/ruff/resources/test/fixtures/flake8_bandit/S301.py
@@ -0,0 +1,3 @@
+import pickle
+
+pickle.loads()
diff --git a/...urces/test/fixtures/flake8_bandit/S001.py → ...urces/test/fixtures/flake8_bandit/S312.py b/...urces/test/fixtures/flake8_bandit/S001.py → ...urces/test/fixtures/flake8_bandit/S312.py
@@ -1,6 +1,3 @@
-import pickle
 from telnetlib import Telnet
 
-pickle.loads()
-
 Telnet("localhost", 23)
diff --git a/crates/ruff/src/checkers/ast/mod.rs b/crates/ruff/src/checkers/ast/mod.rs
@@ -2445,8 +2445,29 @@ where
                 }
 
                 // flake8-bandit
-                if self.settings.rules.enabled(Rule::DeniedFunctionCall) {
-                    flake8_bandit::rules::denied_function_call(self, expr);
+                if self.settings.rules.any_enabled(&[
+                    Rule::SuspiciousPickleUsage,
+                    Rule::SuspiciousMarshalUsage,
+                    Rule::SuspiciousInsecureHashUsage,
+                    Rule::SuspiciousInsecureCipherUsage,
+                    Rule::SuspiciousMktempUsage,
+                    Rule::SuspiciousEvalUsage,
+                    Rule::SuspiciousMarkSafeUsage,
+                    Rule::SuspiciousURLOpenUsage,
+                    Rule::SuspiciousNonCryptographicRandomUsage,
+                    Rule::SuspiciousXMLCElementTreeUsage,
+                    Rule::SuspiciousXMLElementTreeUsage,
+                    Rule::SuspiciousXMLExpatReaderUsage,
+                    Rule::SuspiciousXMLExpatBuilderUsage,
+                    Rule::SuspiciousXMLSaxUsage,
+                    Rule::SuspiciousXMLMiniDOMUsage,
+                    Rule::SuspiciousXMLPullDOMUsage,
+                    Rule::SuspiciousXMLETreeUsage,
+                    Rule::SuspiciousUnverifiedContextUsage,
+                    Rule::SuspiciousTelnetUsage,
+                    Rule::SuspiciousFTPLibUsage,
+                ]) {
+                    flake8_bandit::rules::suspicious_function_call(self, expr);
                 }
 
                 // flake8-bugbear

diff --git a/crates/ruff/src/codes.rs b/crates/ruff/src/codes.rs
@@ -463,24 +463,43 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<Rule> {
         (Eradicate, "001") => Rule::CommentedOutCode,
 
         // flake8-bandit
-        (Flake8Bandit, "001") => Rule::DeniedFunctionCall,
         (Flake8Bandit, "101") => Rule::Assert,
         (Flake8Bandit, "102") => Rule::ExecBuiltin,
         (Flake8Bandit, "103") => Rule::BadFilePermissions,
         (Flake8Bandit, "104") => Rule::HardcodedBindAllInterfaces,
         (Flake8Bandit, "105") => Rule::HardcodedPasswordString,
         (Flake8Bandit, "106") => Rule::HardcodedPasswordFuncArg,
         (Flake8Bandit, "107") => Rule::HardcodedPasswordDefault,
-        (Flake8Bandit, "608") => Rule::HardcodedSQLExpression,
         (Flake8Bandit, "108") => Rule::HardcodedTempFile,
         (Flake8Bandit, "110") => Rule::TryExceptPass,
         (Flake8Bandit, "112") => Rule::TryExceptContinue,
         (Flake8Bandit, "113") => Rule::RequestWithoutTimeout,
+        (Flake8Bandit, "301") => Rule::SuspiciousPickleUsage,
+        (Flake8Bandit, "302") => Rule::SuspiciousMarshalUsage,
+        (Flake8Bandit, "303") => Rule::SuspiciousInsecureHashUsage,
+        (Flake8Bandit, "304") => Rule::SuspiciousInsecureCipherUsage,
+        (Flake8Bandit, "306") => Rule::SuspiciousMktempUsage,
+        (Flake8Bandit, "307") => Rule::SuspiciousEvalUsage,
+        (Flake8Bandit, "308") => Rule::SuspiciousMarkSafeUsage,
+        (Flake8Bandit, "310") => Rule::SuspiciousURLOpenUsage,
+        (Flake8Bandit, "311") => Rule::SuspiciousNonCryptographicRandomUsage,
+        (Flake8Bandit, "312") => Rule::SuspiciousTelnetUsage,
+        (Flake8Bandit, "313") => Rule::SuspiciousXMLCElementTreeUsage,
+        (Flake8Bandit, "314") => Rule::SuspiciousXMLElementTreeUsage,
+        (Flake8Bandit, "315") => Rule::SuspiciousXMLExpatReaderUsage,
+        (Flake8Bandit, "316") => Rule::SuspiciousXMLExpatBuilderUsage,
+        (Flake8Bandit, "317") => Rule::SuspiciousXMLSaxUsage,
+        (Flake8Bandit, "318") => Rule::SuspiciousXMLMiniDOMUsage,
+        (Flake8Bandit, "319") => Rule::SuspiciousXMLPullDOMUsage,
+        (Flake8Bandit, "320") => Rule::SuspiciousXMLETreeUsage,
+        (Flake8Bandit, "321") => Rule::SuspiciousFTPLibUsage,
+        (Flake8Bandit, "323") => Rule::SuspiciousUnverifiedContextUsage,
         (Flake8Bandit, "324") => Rule::HashlibInsecureHashFunction,
         (Flake8Bandit, "501") => Rule::RequestWithNoCertValidation,
         (Flake8Bandit, "506") => Rule::UnsafeYAMLLoad,
         (Flake8Bandit, "508") => Rule::SnmpInsecureVersion,
         (Flake8Bandit, "509") => Rule::SnmpWeakCryptography,
+        (Flake8Bandit, "608") => Rule::HardcodedSQLExpression,
         (Flake8Bandit, "612") => Rule::LoggingConfigInsecureListen,
         (Flake8Bandit, "701") => Rule::Jinja2AutoescapeFalse,
 

diff --git a/crates/ruff/src/registry.rs b/crates/ruff/src/registry.rs
@@ -429,25 +429,44 @@ ruff_macros::register_rules!(
     rules::eradicate::rules::CommentedOutCode,
     // flake8-bandit
     rules::flake8_bandit::rules::Assert,
-    rules::flake8_bandit::rules::DeniedFunctionCall,
-    rules::flake8_bandit::rules::ExecBuiltin,
     rules::flake8_bandit::rules::BadFilePermissions,
+    rules::flake8_bandit::rules::ExecBuiltin,
     rules::flake8_bandit::rules::HardcodedBindAllInterfaces,
-    rules::flake8_bandit::rules::HardcodedPasswordString,
-    rules::flake8_bandit::rules::HardcodedPasswordFuncArg,
     rules::flake8_bandit::rules::HardcodedPasswordDefault,
+    rules::flake8_bandit::rules::HardcodedPasswordFuncArg,
+    rules::flake8_bandit::rules::HardcodedPasswordString,
     rules::flake8_bandit::rules::HardcodedSQLExpression,
     rules::flake8_bandit::rules::HardcodedTempFile,
-    rules::flake8_bandit::rules::TryExceptPass,
-    rules::flake8_bandit::rules::TryExceptContinue,
-    rules::flake8_bandit::rules::RequestWithoutTimeout,
     rules::flake8_bandit::rules::HashlibInsecureHashFunction,
+    rules::flake8_bandit::rules::Jinja2AutoescapeFalse,
+    rules::flake8_bandit::rules::LoggingConfigInsecureListen,
     rules::flake8_bandit::rules::RequestWithNoCertValidation,
-    rules::flake8_bandit::rules::UnsafeYAMLLoad,
+    rules::flake8_bandit::rules::RequestWithoutTimeout,
     rules::flake8_bandit::rules::SnmpInsecureVersion,
     rules::flake8_bandit::rules::SnmpWeakCryptography,
-    rules::flake8_bandit::rules::LoggingConfigInsecureListen,
-    rules::flake8_bandit::rules::Jinja2AutoescapeFalse,
+    rules::flake8_bandit::rules::SuspiciousEvalUsage,
+    rules::flake8_bandit::rules::SuspiciousFTPLibUsage,
+    rules::flake8_bandit::rules::SuspiciousInsecureCipherUsage,
+    rules::flake8_bandit::rules::SuspiciousInsecureHashUsage,
+    rules::flake8_bandit::rules::SuspiciousMarkSafeUsage,
+    rules::flake8_bandit::rules::SuspiciousMarshalUsage,
+    rules::flake8_bandit::rules::SuspiciousMktempUsage,
+    rules::flake8_bandit::rules::SuspiciousNonCryptographicRandomUsage,
+    rules::flake8_bandit::rules::SuspiciousPickleUsage,
+    rules::flake8_bandit::rules::SuspiciousTelnetUsage,
+    rules::flake8_bandit::rules::SuspiciousURLOpenUsage,
+    rules::flake8_bandit::rules::SuspiciousUnverifiedContextUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLCElementTreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLETreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLElementTreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLExpatBuilderUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLExpatReaderUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLMiniDOMUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLPullDOMUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLSaxUsage,
+    rules::flake8_bandit::rules::TryExceptContinue,
+    rules::flake8_bandit::rules::TryExceptPass,
+    rules::flake8_bandit::rules::UnsafeYAMLLoad,
     // flake8-boolean-trap
     rules::flake8_boolean_trap::rules::BooleanPositionalArgInFunctionDefinition,
     rules::flake8_boolean_trap::rules::BooleanDefaultValueInFunctionDefinition,

diff --git a/crates/ruff/src/rules/flake8_bandit/mod.rs b/crates/ruff/src/rules/flake8_bandit/mod.rs
@@ -12,30 +12,30 @@ mod tests {
     use test_case::test_case;
 
     use crate::registry::Rule;
-    use crate::rules::flake8_bandit::settings::Severity;
     use crate::settings::Settings;
     use crate::test::test_path;
 
-    #[test_case(Rule::DeniedFunctionCall, Path::new("S001.py"); "S001")]
     #[test_case(Rule::Assert, Path::new("S101.py"); "S101")]
-    #[test_case(Rule::ExecBuiltin, Path::new("S102.py"); "S102")]
     #[test_case(Rule::BadFilePermissions, Path::new("S103.py"); "S103")]
+    #[test_case(Rule::ExecBuiltin, Path::new("S102.py"); "S102")]
     #[test_case(Rule::HardcodedBindAllInterfaces, Path::new("S104.py"); "S104")]
-    #[test_case(Rule::HardcodedPasswordString, Path::new("S105.py"); "S105")]
-    #[test_case(Rule::HardcodedPasswordFuncArg, Path::new("S106.py"); "S106")]
     #[test_case(Rule::HardcodedPasswordDefault, Path::new("S107.py"); "S107")]
+    #[test_case(Rule::HardcodedPasswordFuncArg, Path::new("S106.py"); "S106")]
+    #[test_case(Rule::HardcodedPasswordString, Path::new("S105.py"); "S105")]
     #[test_case(Rule::HardcodedSQLExpression, Path::new("S608.py"); "S608")]
     #[test_case(Rule::HardcodedTempFile, Path::new("S108.py"); "S108")]
-    #[test_case(Rule::RequestWithoutTimeout, Path::new("S113.py"); "S113")]
     #[test_case(Rule::HashlibInsecureHashFunction, Path::new("S324.py"); "S324")]
+    #[test_case(Rule::Jinja2AutoescapeFalse, Path::new("S701.py"); "S701")]
+    #[test_case(Rule::LoggingConfigInsecureListen, Path::new("S612.py"); "S612")]
     #[test_case(Rule::RequestWithNoCertValidation, Path::new("S501.py"); "S501")]
-    #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"); "S506")]
+    #[test_case(Rule::RequestWithoutTimeout, Path::new("S113.py"); "S113")]
     #[test_case(Rule::SnmpInsecureVersion, Path::new("S508.py"); "S508")]
     #[test_case(Rule::SnmpWeakCryptography, Path::new("S509.py"); "S509")]
-    #[test_case(Rule::LoggingConfigInsecureListen, Path::new("S612.py"); "S612")]
-    #[test_case(Rule::Jinja2AutoescapeFalse, Path::new("S701.py"); "S701")]
-    #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
+    #[test_case(Rule::SuspiciousPickleUsage, Path::new("S301.py"); "S301")]
+    #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"); "S312")]
     #[test_case(Rule::TryExceptContinue, Path::new("S112.py"); "S112")]
+    #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
+    #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"); "S506")]
     fn rules(rule_code: Rule, path: &Path) -> Result<()> {
         let snapshot = format!("{}_{}", rule_code.noqa_code(), path.to_string_lossy());
         let diagnostics = test_path(
@@ -59,7 +59,6 @@ mod tests {
                         "/foo".to_string(),
                     ],
                     check_typed_exception: false,
-                    severity: Severity::Low,
                 },
                 ..Settings::for_rule(Rule::HardcodedTempFile)
             },