From 1a3ee45b236d93632289544ed54001d048064fbf Mon Sep 17 00:00:00 2001
From: Tim Chan
Date: Sat, 13 Jul 2024 13:57:05 -0700
Subject: [PATCH] [`flake8-bandit`] Avoid `S310` violations for HTTP-safe f-strings (#12305)

this resolves https://github.com/astral-sh/ruff/issues/12245
---
 .../test/fixtures/flake8_bandit/S310.py | 16 +-
 .../rules/suspicious_function_call.rs | 57 +++-
 ...s__flake8_bandit__tests__S310_S310.py.snap | 262 +++++++++++-------
 3 files changed, 223 insertions(+), 112 deletions(-)

diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S310.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S310.py
index 14c9ee2690..734ee185a7 100644
--- a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S310.py
+++ b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S310.py
@@ -1,25 +1,37 @@ import urllib.request urllib.request.urlopen(url='http://www.google.com') +urllib.request.urlopen(url=f'http://www.google.com') urllib.request.urlopen(url='http://www.google.com', **kwargs) +urllib.request.urlopen(url=f'http://www.google.com', **kwargs) urllib.request.urlopen('http://www.google.com') +urllib.request.urlopen(f'http://www.google.com') urllib.request.urlopen('file:///foo/bar/baz') urllib.request.urlopen(url) -urllib.request.Request(url='http://www.google.com', **kwargs) urllib.request.Request(url='http://www.google.com') +urllib.request.Request(url=f'http://www.google.com') +urllib.request.Request(url='http://www.google.com', **kwargs) +urllib.request.Request(url=f'http://www.google.com', **kwargs) urllib.request.Request('http://www.google.com') +urllib.request.Request(f'http://www.google.com') urllib.request.Request('file:///foo/bar/baz') urllib.request.Request(url) -urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) urllib.request.URLopener().open(fullurl='http://www.google.com') +urllib.request.URLopener().open(fullurl=f'http://www.google.com') +urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) +urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) urllib.request.URLopener().open('http://www.google.com') +urllib.request.URLopener().open(f'http://www.google.com') urllib.request.URLopener().open('file:///foo/bar/baz') urllib.request.URLopener().open(url) urllib.request.urlopen(url=urllib.request.Request('http://www.google.com')) +urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com')) urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) +urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com'), **kwargs) urllib.request.urlopen(urllib.request.Request('http://www.google.com')) +urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) 
 urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz'))
 urllib.request.urlopen(urllib.request.Request(url))
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_function_call.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_function_call.rs
index 00aa3d1cdf..3221aaf4e3 100644
--- a/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_function_call.rs
+++ b/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_function_call.rs
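Review bot: Every f-string added to this fixture carries a fixed `http://` prefix, so the snapshot only proves the new allow-path and never shows that an f-string whose scheme is interpolated, or whose first element is an expression, still triggers S310. Add a couple of negative cases next to the positive ones, e.g. `urllib.request.urlopen(f'{scheme}://www.google.com')` and `urllib.request.urlopen(f'file:///{path}')`, so a later change to the f-string branch cannot silently widen the exemption. The same pair is worth repeating for `Request(...)` and `URLopener().open(...)` since each has its own copy of the check.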
@@ -850,16 +850,28 @@ pub(crate) fn suspicious_function_call(checker: &mut Checker, call: &ExprCall) {
         // MarkSafe
         ["django", "utils", "safestring" | "html", "mark_safe"] => Some(SuspiciousMarkSafeUsage.into()),
         // URLOpen (`Request`)
-        ["urllib", "request","Request"] |
+        ["urllib", "request", "Request"] |
         ["six", "moves", "urllib", "request","Request"] => {
-            // If the `url` argument is a string literal, allow `http` and `https` schemes.
+            // If the `url` argument is a string literal or an f string, allow `http` and `https` schemes.
             if call.arguments.args.iter().all(|arg| !arg.is_starred_expr()) && call.arguments.keywords.iter().all(|keyword| keyword.arg.is_some()) {
-                if let Some(Expr::StringLiteral(ast::ExprStringLiteral { value, .. })) = &call.arguments.find_argument("url", 0) {
+                match call.arguments.find_argument("url", 0) {
+                    // If the `url` argument is a string literal, allow `http` and `https` schemes.
+                    Some(Expr::StringLiteral(ast::ExprStringLiteral { value, .. })) => {
                         let url = value.to_str().trim_start();
                         if url.starts_with("http://") || url.starts_with("https://") {
                             return None;
                         }
-
+                    },
+                    // If the `url` argument is an f-string literal, allow `http` and `https` schemes.
+                    Some(Expr::FString(ast::ExprFString { value, .. })) => {
+                        if let Some(ast::FStringElement::Literal(ast::FStringLiteralElement { value, .. })) = value.elements().next() {
+                            let url = value.trim_start();
+                            if url.starts_with("http://") || url.starts_with("https://") {
+                                return None;
+                            }
+                        }
+                    },
+                    _ => {}
                 }
             }
             Some(SuspiciousURLOpenUsage.into())
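Review bot: The trimmed-prefix scheme test `url.starts_with("http://") || url.starts_with("https://")` now appears twice in this arm and three more times in the following `urlopen | urlretrieve` hunk, once per literal kind and nesting level, and all five copies have to be kept identical for the rule's exemption to stay consistent. Pulling the literal/f-string prefix extraction and the scheme test into one helper (sketched below) collapses each site to a single `is_some_and` and gives the f-string semantics one place to be documented: only the leading literal segment is inspected, and an f-string that begins with an interpolation is not exempted. While there, the arm comment's `an f string` should read `an f-string` to match the sibling comments. The enclosing `suspicious_function_call` starts before and ends after this hunk.
```rust
/// Whether `expr` is a string literal, or an f-string whose leading literal
/// segment, after trimming leading whitespace, names the `http` or `https`
/// scheme. An f-string that begins with an interpolation is not considered
/// HTTP-safe, since its scheme is only known at runtime.
fn is_http_url_literal(expr: &Expr) -> bool {
    let prefix = match expr {
        Expr::StringLiteral(ast::ExprStringLiteral { value, .. }) => value.to_str(),
        Expr::FString(ast::ExprFString { value, .. }) => match value.elements().next() {
            Some(ast::FStringElement::Literal(ast::FStringLiteralElement { value, .. })) => {
                value.as_ref()
            }
            _ => return false,
        },
        _ => return false,
    };
    let url = prefix.trim_start();
    url.starts_with("http://") || url.starts_with("https://")
}

// … unchanged: arm pattern and the starred-args / keyword guard …
                if call
                    .arguments
                    .find_argument("url", 0)
                    .is_some_and(is_http_url_literal)
                {
                    return None;
                }
// … unchanged: Some(SuspiciousURLOpenUsage.into()) …
```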
@@ -868,27 +880,52 @@ pub(crate) fn suspicious_function_call(checker: &mut Checker, call: &ExprCall) { ["urllib", "request", "urlopen" | "urlretrieve" ] | ["six", "moves", "urllib", "request", "urlopen" | "urlretrieve" ] => { if call.arguments.args.iter().all(|arg| !arg.is_starred_expr()) && call.arguments.keywords.iter().all(|keyword| keyword.arg.is_some()) { - if let Some(arg) = &call.arguments.find_argument("url", 0) { + match call.arguments.find_argument("url", 0) { // If the `url` argument is a string literal, allow `http` and `https` schemes. - if let Expr::StringLiteral(ast::ExprStringLiteral { value, .. }) = arg { + Some(Expr::StringLiteral(ast::ExprStringLiteral { value, .. })) => { let url = value.to_str().trim_start(); if url.starts_with("http://") || url.starts_with("https://") { return None; } - } + }, + + // If the `url` argument is an f-string literal, allow `http` and `https` schemes. + Some(Expr::FString(ast::ExprFString { value, .. })) => { + if let Some(ast::FStringElement::Literal(ast::FStringLiteralElement { value, .. })) = value.elements().next() { + let url = value.trim_start(); + if url.starts_with("http://") || url.starts_with("https://") { + return None; + } + } + }, // If the `url` argument is a `urllib.request.Request` object, allow `http` and `https` schemes. - if let Expr::Call(ExprCall { func, arguments, .. }) = arg { + Some(Expr::Call(ExprCall { func, arguments, .. })) => { if checker.semantic().resolve_qualified_name(func.as_ref()).is_some_and(|name| name.segments() == ["urllib", "request", "Request"]) { - if let Some( Expr::StringLiteral(ast::ExprStringLiteral { value, .. })) = arguments.find_argument("url", 0) { + match arguments.find_argument("url", 0) { + // If the `url` argument is a string literal, allow `http` and `https` schemes. + Some(Expr::StringLiteral(ast::ExprStringLiteral { value, .. 
})) => { let url = value.to_str().trim_start(); if url.starts_with("http://") || url.starts_with("https://") { return None; } + }, + // If the `url` argument is an f-string literal, allow `http` and `https` schemes. + Some(Expr::FString(ast::ExprFString { value, .. })) => { + if let Some(ast::FStringElement::Literal(ast::FStringLiteralElement { value, .. })) = value.elements().next() { + let url = value.trim_start(); + if url.starts_with("http://") || url.starts_with("https://") { + return None; + } + } + }, + _ => {} } } - } + }, + + _ => {} } } Some(SuspiciousURLOpenUsage.into()) diff --git a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S310_S310.py.snap b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S310_S310.py.snap index a58da3774b..7cb003c7ba 100644 --- a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S310_S310.py.snap +++ b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S310_S310.py.snap 
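Review bot: The new match arms are inconsistently formatted: every block-bodied arm ends in `},`, the outer `match` separates its `FString` arm and final `_ => {}` with blank lines while the inner `match` on the `Request` argument does not, and the nested `Request` handling now sits seven levels deep. Running `cargo fmt` on the file would drop the trailing commas and normalize the spacing, and hoisting the per-kind scheme test into a shared helper (as suggested on the previous hunk) would let the `Some(Expr::Call(...))` arm reduce to a single `is_some_and` on `arguments.find_argument("url", 0)`. The enclosing `suspicious_function_call` starts before and ends after this hunk.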
@@ -1,150 +1,212 @@ --- source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs --- -S310.py:4:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. +S310.py:5:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | 3 | urllib.request.urlopen(url='http://www.google.com') -4 | urllib.request.urlopen(url='http://www.google.com', **kwargs) +4 | urllib.request.urlopen(url=f'http://www.google.com') +5 | urllib.request.urlopen(url='http://www.google.com', **kwargs) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -5 | urllib.request.urlopen('http://www.google.com') -6 | urllib.request.urlopen('file:///foo/bar/baz') +6 | urllib.request.urlopen(url=f'http://www.google.com', **kwargs) +7 | urllib.request.urlopen('http://www.google.com') | S310.py:6:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -4 | urllib.request.urlopen(url='http://www.google.com', **kwargs) -5 | urllib.request.urlopen('http://www.google.com') -6 | urllib.request.urlopen('file:///foo/bar/baz') - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -7 | urllib.request.urlopen(url) - | - -S310.py:7:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
- | -5 | urllib.request.urlopen('http://www.google.com') -6 | urllib.request.urlopen('file:///foo/bar/baz') -7 | urllib.request.urlopen(url) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -8 | -9 | urllib.request.Request(url='http://www.google.com', **kwargs) +4 | urllib.request.urlopen(url=f'http://www.google.com') +5 | urllib.request.urlopen(url='http://www.google.com', **kwargs) +6 | urllib.request.urlopen(url=f'http://www.google.com', **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +7 | urllib.request.urlopen('http://www.google.com') +8 | urllib.request.urlopen(f'http://www.google.com') | S310.py:9:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | - 7 | urllib.request.urlopen(url) - 8 | - 9 | urllib.request.Request(url='http://www.google.com', **kwargs) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -10 | urllib.request.Request(url='http://www.google.com') -11 | urllib.request.Request('http://www.google.com') - | - -S310.py:12:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. - | -10 | urllib.request.Request(url='http://www.google.com') -11 | urllib.request.Request('http://www.google.com') -12 | urllib.request.Request('file:///foo/bar/baz') + 7 | urllib.request.urlopen('http://www.google.com') + 8 | urllib.request.urlopen(f'http://www.google.com') + 9 | urllib.request.urlopen('file:///foo/bar/baz') | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -13 | urllib.request.Request(url) +10 | urllib.request.urlopen(url) | -S310.py:13:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. +S310.py:10:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
| -11 | urllib.request.Request('http://www.google.com') -12 | urllib.request.Request('file:///foo/bar/baz') -13 | urllib.request.Request(url) + 8 | urllib.request.urlopen(f'http://www.google.com') + 9 | urllib.request.urlopen('file:///foo/bar/baz') +10 | urllib.request.urlopen(url) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -14 | -15 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) +11 | +12 | urllib.request.Request(url='http://www.google.com') + | + +S310.py:14:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +12 | urllib.request.Request(url='http://www.google.com') +13 | urllib.request.Request(url=f'http://www.google.com') +14 | urllib.request.Request(url='http://www.google.com', **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +15 | urllib.request.Request(url=f'http://www.google.com', **kwargs) +16 | urllib.request.Request('http://www.google.com') | S310.py:15:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -13 | urllib.request.Request(url) -14 | -15 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -16 | urllib.request.URLopener().open(fullurl='http://www.google.com') -17 | urllib.request.URLopener().open('http://www.google.com') - | - -S310.py:16:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. - | -15 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) -16 | urllib.request.URLopener().open(fullurl='http://www.google.com') - | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -17 | urllib.request.URLopener().open('http://www.google.com') -18 | urllib.request.URLopener().open('file:///foo/bar/baz') - | - -S310.py:17:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
- | -15 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) -16 | urllib.request.URLopener().open(fullurl='http://www.google.com') -17 | urllib.request.URLopener().open('http://www.google.com') - | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -18 | urllib.request.URLopener().open('file:///foo/bar/baz') -19 | urllib.request.URLopener().open(url) +13 | urllib.request.Request(url=f'http://www.google.com') +14 | urllib.request.Request(url='http://www.google.com', **kwargs) +15 | urllib.request.Request(url=f'http://www.google.com', **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +16 | urllib.request.Request('http://www.google.com') +17 | urllib.request.Request(f'http://www.google.com') | S310.py:18:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -16 | urllib.request.URLopener().open(fullurl='http://www.google.com') -17 | urllib.request.URLopener().open('http://www.google.com') -18 | urllib.request.URLopener().open('file:///foo/bar/baz') - | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -19 | urllib.request.URLopener().open(url) +16 | urllib.request.Request('http://www.google.com') +17 | urllib.request.Request(f'http://www.google.com') +18 | urllib.request.Request('file:///foo/bar/baz') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +19 | urllib.request.Request(url) | S310.py:19:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
| -17 | urllib.request.URLopener().open('http://www.google.com') -18 | urllib.request.URLopener().open('file:///foo/bar/baz') -19 | urllib.request.URLopener().open(url) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +17 | urllib.request.Request(f'http://www.google.com') +18 | urllib.request.Request('file:///foo/bar/baz') +19 | urllib.request.Request(url) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 20 | -21 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com')) +21 | urllib.request.URLopener().open(fullurl='http://www.google.com') + | + +S310.py:21:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +19 | urllib.request.Request(url) +20 | +21 | urllib.request.URLopener().open(fullurl='http://www.google.com') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +22 | urllib.request.URLopener().open(fullurl=f'http://www.google.com') +23 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) | S310.py:22:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -21 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com')) -22 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -23 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) -24 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) +21 | urllib.request.URLopener().open(fullurl='http://www.google.com') +22 | urllib.request.URLopener().open(fullurl=f'http://www.google.com') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +23 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) +24 | urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) + | + +S310.py:23:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
+ | +21 | urllib.request.URLopener().open(fullurl='http://www.google.com') +22 | urllib.request.URLopener().open(fullurl=f'http://www.google.com') +23 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +24 | urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) +25 | urllib.request.URLopener().open('http://www.google.com') | S310.py:24:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -22 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) -23 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) -24 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -25 | urllib.request.urlopen(urllib.request.Request(url)) - | - -S310.py:24:24: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. - | -22 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) -23 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) -24 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 -25 | urllib.request.urlopen(urllib.request.Request(url)) +22 | urllib.request.URLopener().open(fullurl=f'http://www.google.com') +23 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) +24 | urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +25 | urllib.request.URLopener().open('http://www.google.com') +26 | urllib.request.URLopener().open(f'http://www.google.com') | S310.py:25:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
| -23 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) -24 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) -25 | urllib.request.urlopen(urllib.request.Request(url)) +23 | urllib.request.URLopener().open(fullurl='http://www.google.com', **kwargs) +24 | urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) +25 | urllib.request.URLopener().open('http://www.google.com') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +26 | urllib.request.URLopener().open(f'http://www.google.com') +27 | urllib.request.URLopener().open('file:///foo/bar/baz') + | + +S310.py:26:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +24 | urllib.request.URLopener().open(fullurl=f'http://www.google.com', **kwargs) +25 | urllib.request.URLopener().open('http://www.google.com') +26 | urllib.request.URLopener().open(f'http://www.google.com') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +27 | urllib.request.URLopener().open('file:///foo/bar/baz') +28 | urllib.request.URLopener().open(url) + | + +S310.py:27:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +25 | urllib.request.URLopener().open('http://www.google.com') +26 | urllib.request.URLopener().open(f'http://www.google.com') +27 | urllib.request.URLopener().open('file:///foo/bar/baz') + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +28 | urllib.request.URLopener().open(url) + | + +S310.py:28:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +26 | urllib.request.URLopener().open(f'http://www.google.com') +27 | urllib.request.URLopener().open('file:///foo/bar/baz') +28 | urllib.request.URLopener().open(url) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +29 | +30 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com')) + | + +S310.py:32:1: S310 Audit URL open for permitted schemes. 
Allowing use of `file:` or custom schemes is often unexpected. + | +30 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com')) +31 | urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com')) +32 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +33 | urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com'), **kwargs) +34 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) + | + +S310.py:33:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +31 | urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com')) +32 | urllib.request.urlopen(url=urllib.request.Request('http://www.google.com'), **kwargs) +33 | urllib.request.urlopen(url=urllib.request.Request(f'http://www.google.com'), **kwargs) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +34 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) +35 | urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) + | + +S310.py:36:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +34 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) +35 | urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) +36 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +37 | urllib.request.urlopen(urllib.request.Request(url)) + | + +S310.py:36:24: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. 
+ | +34 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) +35 | urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) +36 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 +37 | urllib.request.urlopen(urllib.request.Request(url)) + | + +S310.py:37:1: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. + | +35 | urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) +36 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) +37 | urllib.request.urlopen(urllib.request.Request(url)) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 | -S310.py:25:24: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. +S310.py:37:24: S310 Audit URL open for permitted schemes. Allowing use of `file:` or custom schemes is often unexpected. | -23 | urllib.request.urlopen(urllib.request.Request('http://www.google.com')) -24 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) -25 | urllib.request.urlopen(urllib.request.Request(url)) +35 | urllib.request.urlopen(urllib.request.Request(f'http://www.google.com')) +36 | urllib.request.urlopen(urllib.request.Request('file:///foo/bar/baz')) +37 | urllib.request.urlopen(urllib.request.Request(url)) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ S310 |