[flake8-bandit]: Implement deny-list rules for suspicious member calls

crates/ruff/resources/test/fixtures/flake8_bandit/S301.py

@@ -0,0 +1,3 @@
+import pickle
+
+pickle.loads()

crates/ruff/resources/test/fixtures/flake8_bandit/S312.py

@@ -0,0 +1,3 @@
+from telnetlib import Telnet
+
+Telnet("localhost", 23)

crates/ruff/src/checkers/ast/mod.rs

@@ -2444,6 +2444,33 @@ where
                     flake8_print::rules::print_call(self, func, keywords);
                 }
 
+                // flake8-bandit
+                if self.settings.rules.any_enabled(&[
+                    Rule::SuspiciousPickleUsage,
+                    Rule::SuspiciousMarshalUsage,
+                    Rule::SuspiciousInsecureHashUsage,
+                    Rule::SuspiciousInsecureCipherUsage,
+                    Rule::SuspiciousInsecureCipherModeUsage,
+                    Rule::SuspiciousMktempUsage,
+                    Rule::SuspiciousEvalUsage,
+                    Rule::SuspiciousMarkSafeUsage,
+                    Rule::SuspiciousURLOpenUsage,
+                    Rule::SuspiciousNonCryptographicRandomUsage,
+                    Rule::SuspiciousXMLCElementTreeUsage,
+                    Rule::SuspiciousXMLElementTreeUsage,
+                    Rule::SuspiciousXMLExpatReaderUsage,
+                    Rule::SuspiciousXMLExpatBuilderUsage,
+                    Rule::SuspiciousXMLSaxUsage,
+                    Rule::SuspiciousXMLMiniDOMUsage,
+                    Rule::SuspiciousXMLPullDOMUsage,
+                    Rule::SuspiciousXMLETreeUsage,
+                    Rule::SuspiciousUnverifiedContextUsage,
+                    Rule::SuspiciousTelnetUsage,
+                    Rule::SuspiciousFTPLibUsage,
+                ]) {
+                    flake8_bandit::rules::suspicious_function_call(self, expr);
+                }
+
                 // flake8-bugbear
                 if self.settings.rules.enabled(Rule::UnreliableCallableCheck) {
                     flake8_bugbear::rules::unreliable_callable_check(self, expr, func, args);

crates/ruff/src/codes.rs

@@ -470,16 +470,37 @@ pub fn code_to_rule(linter: Linter, code: &str) -> Option<Rule> {
         (Flake8Bandit, "105") => Rule::HardcodedPasswordString,
         (Flake8Bandit, "106") => Rule::HardcodedPasswordFuncArg,
         (Flake8Bandit, "107") => Rule::HardcodedPasswordDefault,
-        (Flake8Bandit, "608") => Rule::HardcodedSQLExpression,
         (Flake8Bandit, "108") => Rule::HardcodedTempFile,
         (Flake8Bandit, "110") => Rule::TryExceptPass,
         (Flake8Bandit, "112") => Rule::TryExceptContinue,
         (Flake8Bandit, "113") => Rule::RequestWithoutTimeout,
+        (Flake8Bandit, "301") => Rule::SuspiciousPickleUsage,
+        (Flake8Bandit, "302") => Rule::SuspiciousMarshalUsage,
+        (Flake8Bandit, "303") => Rule::SuspiciousInsecureHashUsage,
+        (Flake8Bandit, "304") => Rule::SuspiciousInsecureCipherUsage,
+        (Flake8Bandit, "305") => Rule::SuspiciousInsecureCipherModeUsage,
+        (Flake8Bandit, "306") => Rule::SuspiciousMktempUsage,
+        (Flake8Bandit, "307") => Rule::SuspiciousEvalUsage,
+        (Flake8Bandit, "308") => Rule::SuspiciousMarkSafeUsage,
+        (Flake8Bandit, "310") => Rule::SuspiciousURLOpenUsage,
+        (Flake8Bandit, "311") => Rule::SuspiciousNonCryptographicRandomUsage,
+        (Flake8Bandit, "312") => Rule::SuspiciousTelnetUsage,
+        (Flake8Bandit, "313") => Rule::SuspiciousXMLCElementTreeUsage,
+        (Flake8Bandit, "314") => Rule::SuspiciousXMLElementTreeUsage,
+        (Flake8Bandit, "315") => Rule::SuspiciousXMLExpatReaderUsage,
+        (Flake8Bandit, "316") => Rule::SuspiciousXMLExpatBuilderUsage,
+        (Flake8Bandit, "317") => Rule::SuspiciousXMLSaxUsage,
+        (Flake8Bandit, "318") => Rule::SuspiciousXMLMiniDOMUsage,
+        (Flake8Bandit, "319") => Rule::SuspiciousXMLPullDOMUsage,
+        (Flake8Bandit, "320") => Rule::SuspiciousXMLETreeUsage,
+        (Flake8Bandit, "321") => Rule::SuspiciousFTPLibUsage,
+        (Flake8Bandit, "323") => Rule::SuspiciousUnverifiedContextUsage,
         (Flake8Bandit, "324") => Rule::HashlibInsecureHashFunction,
         (Flake8Bandit, "501") => Rule::RequestWithNoCertValidation,
         (Flake8Bandit, "506") => Rule::UnsafeYAMLLoad,
         (Flake8Bandit, "508") => Rule::SnmpInsecureVersion,
         (Flake8Bandit, "509") => Rule::SnmpWeakCryptography,
+        (Flake8Bandit, "608") => Rule::HardcodedSQLExpression,
         (Flake8Bandit, "612") => Rule::LoggingConfigInsecureListen,
         (Flake8Bandit, "701") => Rule::Jinja2AutoescapeFalse,
 

crates/ruff/src/registry.rs

@@ -429,24 +429,45 @@ ruff_macros::register_rules!(
     rules::eradicate::rules::CommentedOutCode,
     // flake8-bandit
     rules::flake8_bandit::rules::Assert,
-    rules::flake8_bandit::rules::ExecBuiltin,
     rules::flake8_bandit::rules::BadFilePermissions,
+    rules::flake8_bandit::rules::ExecBuiltin,
     rules::flake8_bandit::rules::HardcodedBindAllInterfaces,
-    rules::flake8_bandit::rules::HardcodedPasswordString,
-    rules::flake8_bandit::rules::HardcodedPasswordFuncArg,
     rules::flake8_bandit::rules::HardcodedPasswordDefault,
+    rules::flake8_bandit::rules::HardcodedPasswordFuncArg,
+    rules::flake8_bandit::rules::HardcodedPasswordString,
     rules::flake8_bandit::rules::HardcodedSQLExpression,
     rules::flake8_bandit::rules::HardcodedTempFile,
-    rules::flake8_bandit::rules::TryExceptPass,
-    rules::flake8_bandit::rules::TryExceptContinue,
-    rules::flake8_bandit::rules::RequestWithoutTimeout,
     rules::flake8_bandit::rules::HashlibInsecureHashFunction,
+    rules::flake8_bandit::rules::Jinja2AutoescapeFalse,
+    rules::flake8_bandit::rules::LoggingConfigInsecureListen,
     rules::flake8_bandit::rules::RequestWithNoCertValidation,
-    rules::flake8_bandit::rules::UnsafeYAMLLoad,
+    rules::flake8_bandit::rules::RequestWithoutTimeout,
     rules::flake8_bandit::rules::SnmpInsecureVersion,
     rules::flake8_bandit::rules::SnmpWeakCryptography,
-    rules::flake8_bandit::rules::LoggingConfigInsecureListen,
-    rules::flake8_bandit::rules::Jinja2AutoescapeFalse,
+    rules::flake8_bandit::rules::SuspiciousEvalUsage,
+    rules::flake8_bandit::rules::SuspiciousFTPLibUsage,
+    rules::flake8_bandit::rules::SuspiciousInsecureCipherUsage,
+    rules::flake8_bandit::rules::SuspiciousInsecureCipherModeUsage,
+    rules::flake8_bandit::rules::SuspiciousInsecureHashUsage,
+    rules::flake8_bandit::rules::SuspiciousMarkSafeUsage,
+    rules::flake8_bandit::rules::SuspiciousMarshalUsage,
+    rules::flake8_bandit::rules::SuspiciousMktempUsage,
+    rules::flake8_bandit::rules::SuspiciousNonCryptographicRandomUsage,
+    rules::flake8_bandit::rules::SuspiciousPickleUsage,
+    rules::flake8_bandit::rules::SuspiciousTelnetUsage,
+    rules::flake8_bandit::rules::SuspiciousURLOpenUsage,
+    rules::flake8_bandit::rules::SuspiciousUnverifiedContextUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLCElementTreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLETreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLElementTreeUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLExpatBuilderUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLExpatReaderUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLMiniDOMUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLPullDOMUsage,
+    rules::flake8_bandit::rules::SuspiciousXMLSaxUsage,
+    rules::flake8_bandit::rules::TryExceptContinue,
+    rules::flake8_bandit::rules::TryExceptPass,
+    rules::flake8_bandit::rules::UnsafeYAMLLoad,
     // flake8-boolean-trap
     rules::flake8_boolean_trap::rules::BooleanPositionalArgInFunctionDefinition,
     rules::flake8_boolean_trap::rules::BooleanDefaultValueInFunctionDefinition,

crates/ruff/src/rules/flake8_bandit/mod.rs

@@ -16,24 +16,26 @@ mod tests {
     use crate::test::test_path;
 
     #[test_case(Rule::Assert, Path::new("S101.py"); "S101")]
-    #[test_case(Rule::ExecBuiltin, Path::new("S102.py"); "S102")]
     #[test_case(Rule::BadFilePermissions, Path::new("S103.py"); "S103")]
+    #[test_case(Rule::ExecBuiltin, Path::new("S102.py"); "S102")]
     #[test_case(Rule::HardcodedBindAllInterfaces, Path::new("S104.py"); "S104")]
-    #[test_case(Rule::HardcodedPasswordString, Path::new("S105.py"); "S105")]
-    #[test_case(Rule::HardcodedPasswordFuncArg, Path::new("S106.py"); "S106")]
     #[test_case(Rule::HardcodedPasswordDefault, Path::new("S107.py"); "S107")]
+    #[test_case(Rule::HardcodedPasswordFuncArg, Path::new("S106.py"); "S106")]
+    #[test_case(Rule::HardcodedPasswordString, Path::new("S105.py"); "S105")]
     #[test_case(Rule::HardcodedSQLExpression, Path::new("S608.py"); "S608")]
     #[test_case(Rule::HardcodedTempFile, Path::new("S108.py"); "S108")]
-    #[test_case(Rule::RequestWithoutTimeout, Path::new("S113.py"); "S113")]
     #[test_case(Rule::HashlibInsecureHashFunction, Path::new("S324.py"); "S324")]
+    #[test_case(Rule::Jinja2AutoescapeFalse, Path::new("S701.py"); "S701")]
+    #[test_case(Rule::LoggingConfigInsecureListen, Path::new("S612.py"); "S612")]
     #[test_case(Rule::RequestWithNoCertValidation, Path::new("S501.py"); "S501")]
-    #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"); "S506")]
+    #[test_case(Rule::RequestWithoutTimeout, Path::new("S113.py"); "S113")]
     #[test_case(Rule::SnmpInsecureVersion, Path::new("S508.py"); "S508")]
     #[test_case(Rule::SnmpWeakCryptography, Path::new("S509.py"); "S509")]
-    #[test_case(Rule::LoggingConfigInsecureListen, Path::new("S612.py"); "S612")]
-    #[test_case(Rule::Jinja2AutoescapeFalse, Path::new("S701.py"); "S701")]
-    #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
+    #[test_case(Rule::SuspiciousPickleUsage, Path::new("S301.py"); "S301")]
+    #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"); "S312")]
     #[test_case(Rule::TryExceptContinue, Path::new("S112.py"); "S112")]
+    #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
+    #[test_case(Rule::UnsafeYAMLLoad, Path::new("S506.py"); "S506")]
     fn rules(rule_code: Rule, path: &Path) -> Result<()> {
         let snapshot = format!("{}_{}", rule_code.noqa_code(), path.to_string_lossy());
         let diagnostics = test_path(

crates/ruff/src/rules/flake8_bandit/rules/mod.rs

@@ -24,6 +24,16 @@ pub use request_with_no_cert_validation::{
 pub use request_without_timeout::{request_without_timeout, RequestWithoutTimeout};
 pub use snmp_insecure_version::{snmp_insecure_version, SnmpInsecureVersion};
 pub use snmp_weak_cryptography::{snmp_weak_cryptography, SnmpWeakCryptography};
+pub use suspicious_function_call::{
+    suspicious_function_call, SuspiciousEvalUsage, SuspiciousFTPLibUsage,
+    SuspiciousInsecureCipherModeUsage, SuspiciousInsecureCipherUsage, SuspiciousInsecureHashUsage,
+    SuspiciousMarkSafeUsage, SuspiciousMarshalUsage, SuspiciousMktempUsage,
+    SuspiciousNonCryptographicRandomUsage, SuspiciousPickleUsage, SuspiciousTelnetUsage,
+    SuspiciousURLOpenUsage, SuspiciousUnverifiedContextUsage, SuspiciousXMLCElementTreeUsage,
+    SuspiciousXMLETreeUsage, SuspiciousXMLElementTreeUsage, SuspiciousXMLExpatBuilderUsage,
+    SuspiciousXMLExpatReaderUsage, SuspiciousXMLMiniDOMUsage, SuspiciousXMLPullDOMUsage,
+    SuspiciousXMLSaxUsage,
+};
 pub use try_except_continue::{try_except_continue, TryExceptContinue};
 pub use try_except_pass::{try_except_pass, TryExceptPass};
 pub use unsafe_yaml_load::{unsafe_yaml_load, UnsafeYAMLLoad};
@@ -44,6 +54,7 @@ mod request_with_no_cert_validation;
 mod request_without_timeout;
 mod snmp_insecure_version;
 mod snmp_weak_cryptography;
+mod suspicious_function_call;
 mod try_except_continue;
 mod try_except_pass;
 mod unsafe_yaml_load;