[`flake8-bandit`]: try-except-continue (#2674)

2023-02-08 21:44:01 -05:00 · 2023-02-08 21:44:01 -05:00 · 31027497c6
parent dabfdf718e
commit 31027497c6
9 changed files with 101 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -631,17 +631,17 @@ for more.

 By default, Ruff exits with the following status codes:

- `0` if no violations were found, or if all present violations were fixed automatically.
- `1` if violations were found.
- `2` if Ruff terminates abnormally due to invalid configuration, invalid CLI options, or an internal error.
+* `0` if no violations were found, or if all present violations were fixed automatically.
+* `1` if violations were found.
+* `2` if Ruff terminates abnormally due to invalid configuration, invalid CLI options, or an internal error.

 This convention mirrors that of tools like ESLint, Prettier, and RuboCop.

 Ruff supports two command-line flags that alter its exit code behavior:

- `--exit-zero` will cause Ruff to exit with a status code of `0` even if violations were found.
+* `--exit-zero` will cause Ruff to exit with a status code of `0` even if violations were found.
  Note that Ruff will still exit with a status code of `2` if it terminates abnormally.
- `--exit-non-zero-on-fix` will cause Ruff to exit with a status code of `1` if violations were
+* `--exit-non-zero-on-fix` will cause Ruff to exit with a status code of `1` if violations were
  found, _even if_ all such violations were fixed automatically. Note that the use of
  `--exit-non-zero-on-fix` can result in a non-zero exit code even if no violations remain after
  autofixing.
@ -930,6 +930,7 @@ For more, see [flake8-bandit](https://pypi.org/project/flake8-bandit/) on PyPI.
 | S107 | hardcoded-password-default | Possible hardcoded password: "{}" |  |
 | S108 | hardcoded-temp-file | Probable insecure usage of temporary file or directory: "{}" |  |
 | S110 | try-except-pass | `try`-`except`-`pass` detected, consider logging the exception |  |
+| S112 | try-except-continue | `try`-`except`-`continue` detected, consider logging the exception |  |
 | S113 | request-without-timeout | Probable use of requests call with timeout set to `{value}` |  |
 | S324 | hashlib-insecure-hash-function | Probable use of insecure hash functions in `hashlib`: "{}" |  |
 | S501 | request-with-no-cert-validation | Probable use of `{string}` call with `verify=False` disabling SSL certificate checks |  |
--- a/crates/ruff/resources/test/fixtures/flake8_bandit/S112.py
+++ b/crates/ruff/resources/test/fixtures/flake8_bandit/S112.py
@ -0,0 +1,14 @@
+try:
+    pass
+except Exception:
+    continue
+
+try:
+    pass
+except:
+    continue
+
+try:
+    pass
+except ValueError:
+    continue
--- a/crates/ruff/src/checkers/ast.rs
+++ b/crates/ruff/src/checkers/ast.rs
@ -3555,6 +3555,15 @@ where
                        self.settings.flake8_bandit.check_typed_exception,
                    );
                }
+                if self.settings.rules.enabled(&Rule::TryExceptContinue) {
+                    flake8_bandit::rules::try_except_continue(
+                        self,
+                        type_.as_deref(),
+                        name.as_deref(),
+                        body,
+                        self.settings.flake8_bandit.check_typed_exception,
+                    );
+                }
                if self.settings.rules.enabled(&Rule::ReraiseNoCause) {
                    tryceratops::rules::reraise_no_cause(self, body);
                }
--- a/crates/ruff/src/registry.rs
+++ b/crates/ruff/src/registry.rs
@ -385,6 +385,7 @@ ruff_macros::define_rule_mapping!(
    S107 => rules::flake8_bandit::rules::HardcodedPasswordDefault,
    S108 => rules::flake8_bandit::rules::HardcodedTempFile,
    S110 => rules::flake8_bandit::rules::TryExceptPass,
+    S112 => rules::flake8_bandit::rules::TryExceptContinue,
    S113 => rules::flake8_bandit::rules::RequestWithoutTimeout,
    S324 => rules::flake8_bandit::rules::HashlibInsecureHashFunction,
    S501 => rules::flake8_bandit::rules::RequestWithNoCertValidation,
--- a/crates/ruff/src/rules/flake8_bandit/mod.rs
+++ b/crates/ruff/src/rules/flake8_bandit/mod.rs
@ -32,6 +32,7 @@ mod tests {
    #[test_case(Rule::LoggingConfigInsecureListen, Path::new("S612.py"); "S612")]
    #[test_case(Rule::Jinja2AutoescapeFalse, Path::new("S701.py"); "S701")]
    #[test_case(Rule::TryExceptPass, Path::new("S110.py"); "S110")]
+    #[test_case(Rule::TryExceptContinue, Path::new("S112.py"); "S112")]
    fn rules(rule_code: Rule, path: &Path) -> Result<()> {
        let snapshot = format!("{}_{}", rule_code.code(), path.to_string_lossy());
        let diagnostics = test_path(
--- a/crates/ruff/src/rules/flake8_bandit/rules/mod.rs
+++ b/crates/ruff/src/rules/flake8_bandit/rules/mod.rs
@ -23,6 +23,7 @@ pub use request_with_no_cert_validation::{
 pub use request_without_timeout::{request_without_timeout, RequestWithoutTimeout};
 pub use snmp_insecure_version::{snmp_insecure_version, SnmpInsecureVersion};
 pub use snmp_weak_cryptography::{snmp_weak_cryptography, SnmpWeakCryptography};
+pub use try_except_continue::{try_except_continue, TryExceptContinue};
 pub use try_except_pass::{try_except_pass, TryExceptPass};
 pub use unsafe_yaml_load::{unsafe_yaml_load, UnsafeYAMLLoad};

@ -41,5 +42,6 @@ mod request_with_no_cert_validation;
 mod request_without_timeout;
 mod snmp_insecure_version;
 mod snmp_weak_cryptography;
+mod try_except_continue;
 mod try_except_pass;
 mod unsafe_yaml_load;
--- a/crates/ruff/src/rules/flake8_bandit/rules/try_except_continue.rs
+++ b/crates/ruff/src/rules/flake8_bandit/rules/try_except_continue.rs
@ -0,0 +1,42 @@
+use ruff_macros::{define_violation, derive_message_formats};
+use rustpython_parser::ast::{Expr, Stmt, StmtKind};
+
+use crate::ast::types::Range;
+use crate::checkers::ast::Checker;
+use crate::registry::Diagnostic;
+use crate::violation::Violation;
+
+define_violation!(
+    pub struct TryExceptContinue;
+);
+impl Violation for TryExceptContinue {
+    #[derive_message_formats]
+    fn message(&self) -> String {
+        format!("`try`-`except`-`continue` detected, consider logging the exception")
+    }
+}
+
+/// S112
+pub fn try_except_continue(
+    checker: &mut Checker,
+    type_: Option<&Expr>,
+    _name: Option<&str>,
+    body: &[Stmt],
+    check_typed_exception: bool,
+) {
+    if body.len() == 1
+        && body[0].node == StmtKind::Continue
+        && (check_typed_exception
+            || type_.map_or(true, |type_| {
+                checker.resolve_call_path(type_).map_or(true, |call_path| {
+                    call_path.as_slice() == ["", "Exception"]
+                        || call_path.as_slice() == ["", "BaseException"]
+                })
+            }))
+    {
+        checker.diagnostics.push(Diagnostic::new(
+            TryExceptContinue,
+            Range::from_located(&body[0]),
+        ));
+    }
+}
--- a/crates/ruff/src/rules/flake8_bandit/snapshots/ruffrulesflake8_bandittestsS112_S112.py.snap
+++ b/crates/ruff/src/rules/flake8_bandit/snapshots/ruffrulesflake8_bandittestsS112_S112.py.snap
@ -0,0 +1,25 @@
+---
+source: crates/ruff/src/rules/flake8_bandit/mod.rs
+expression: diagnostics
+---
+- kind:
+    TryExceptContinue: ~
+  location:
+    row: 4
+    column: 4
+  end_location:
+    row: 4
+    column: 12
+  fix: ~
+  parent: ~
+- kind:
+    TryExceptContinue: ~
+  location:
+    row: 9
+    column: 4
+  end_location:
+    row: 9
+    column: 12
+  fix: ~
+  parent: ~
+
--- a/ruff.schema.json
+++ b/ruff.schema.json
@ -1831,6 +1831,7 @@
        "S108",
        "S11",
        "S110",
+        "S112",
        "S113",
        "S3",
        "S32",