Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upAdd functions susceptible to AST stack overflow to calls blacklist #423
Conversation
|
I think you must create first the Issue. |
I'm not sure what you mean by this.
I think it's a fair addition to the list of rules. I don't think it will cause too much pain for existing consumers (beyond other PyCQA projects). I do wonder, however, if this is project is starting to be treated less as a list of security vulnerabilities and more as a "Well this could be used in a highly specialized case" stick to hit people with. |
@sigmavirus24, thanks for feedback. I can't comment on the intended scope of the project. I can see how this rule can introduce potential false positives, but that can be said about most other rules as well. My biggest issue is with |
|
I see. So what's confusing here is the differences between
So it's not so much that one is going to be doing ast.literal_eval('log.warning(f"{GLOBAL_SECRET}")')But more ast.literal_eval('{"foo": "bar", "biz": "baz"}')If we document " I think what's necessary here is this rule as you've written it, with the other functions included. I think we also need to update the documentation for the existing I think the tool should be consistent though. Along similar lines, I think the severity of our |
| @@ -574,4 +595,18 @@ def gen_blacklist(): | |||
| 'attacks. Consider using tmpfile() instead.' | |||
| )) | |||
|
|
|||
| # omitted eval() and exec() as they are already covered by B307 and B102 | |||
This comment has been minimized.
This comment has been minimized.
@sigmavirus24 I mean that maybe is not importat add rule for denial of services caused by known bug on python |
@ehooo then should we remove the checks for other standard libraries too? I think we do our best to warn folks about things in the language/standard library enough that this makes sense to add. That's just my 2 pence though. I think I definitely want to hear @ericwb's opinion on this as well at least. |
|
updated PR to lower rule severity to low, added both
Should this be covered in this PR? |
| @@ -0,0 +1,45 @@ | |||
| # -*- coding:utf-8 -*- | |||
| # | |||
| # Copyright 2018 Hewlett-Packard Development Company, L.P. | |||
This comment has been minimized.
This comment has been minimized.
lukehinds
Jan 10, 2019
Member
Don't need HP in the copyright (unless you work there and did this under HP's time and salary).
naglis commentedNov 9, 2018
This adds the following calls to the blacklist:
ast.literal_evalast.parsecompiledbm.dumb.openI did not add
evalandexecas they are already covered by B307 and B102, respectively, and I'm not sure if duplicating them would make sense.References: