[bandit]: Do not treat "passed" as "password" for `S105`/`S106`/`S107` (#3222)

2023-02-25 14:32:53 -06:00 · 2023-02-25 14:32:53 -06:00 · cd9fbeb560
parent 84e96cdcd9
commit cd9fbeb560
2 changed files with 15 additions and 6 deletions
--- a/crates/ruff/resources/test/fixtures/flake8_bandit/S105.py
+++ b/crates/ruff/resources/test/fixtures/flake8_bandit/S105.py
@ -61,3 +61,13 @@ if token == "3\t4":

 if token == "5\r6":
    pass
+
+
+# These should not be flagged
+passed_msg = "You have passed!"
+compassion = "Please don't match!"
+impassable = "You shall not pass!"
+passwords = ""
+passphrases = ""
+tokens = ""
+secrets = ""
--- a/crates/ruff/src/rules/flake8_bandit/helpers.rs
+++ b/crates/ruff/src/rules/flake8_bandit/helpers.rs
@ -1,10 +1,11 @@
+use once_cell::sync::Lazy;
+use regex::Regex;
 use rustpython_parser::ast::{Constant, Expr, ExprKind};

 use crate::checkers::ast::Checker;

-const PASSWORD_NAMES: [&str; 7] = [
-    "password", "pass", "passwd", "pwd", "secret", "token", "secrete",
-];
+static PASSWORD_CANDIDATE_REGEX: Lazy<Regex> =
+    Lazy::new(|| Regex::new(r"(^|_)(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)($|_)").unwrap());

 pub fn string_literal(expr: &Expr) -> Option<&str> {
    match &expr.node {
@ -18,9 +19,7 @@ pub fn string_literal(expr: &Expr) -> Option<&str> {

 // Maybe use regex for this?
 pub fn matches_password_name(string: &str) -> bool {
-    PASSWORD_NAMES
-        .iter()
-        .any(|name| string.to_lowercase().contains(name))
+    PASSWORD_CANDIDATE_REGEX.is_match(string)
 }

 pub fn is_untyped_exception(type_: Option<&Expr>, checker: &Checker) -> bool {