[flake8-bandit] Permit suspicious imports within stub files (S4) (#…

…15822) ## Summary Permits suspicious imports (the `S4` namespaced diagnostics) from stub files. Closes #15207. ## Test Plan Added tests and ran `cargo nextest run`. The test files are copied from the `.py` variants.
astral-sh · Jan 30, 2025 · 7a10a40 · 7a10a40
1 parent 3125332
commit 7a10a40
Show file tree

Hide file tree

Showing 30 changed files with 128 additions and 0 deletions.
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S401.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S401.pyi
@@ -0,0 +1,2 @@
+import telnetlib
+from telnetlib import Telnet
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S402.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S402.pyi
@@ -0,0 +1,2 @@
+import ftplib
+from ftplib import FTP
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S403.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S403.pyi
@@ -0,0 +1,8 @@
+import dill
+from dill import objects
+import shelve
+from shelve import open
+import cPickle
+from cPickle import load
+import pickle
+from pickle import load
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S404.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S404.pyi
@@ -0,0 +1,3 @@
+import subprocess
+from subprocess import Popen
+from subprocess import Popen as pop
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S405.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S405.pyi
@@ -0,0 +1,4 @@
+import xml.etree.cElementTree
+from xml.etree import cElementTree
+import xml.etree.ElementTree
+from xml.etree import ElementTree
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S406.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S406.pyi
@@ -0,0 +1,3 @@
+from xml import sax
+import xml.sax as xmls
+import xml.sax
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S407.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S407.pyi
@@ -0,0 +1,2 @@
+from xml.dom import expatbuilder
+import xml.dom.expatbuilder
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S408.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S408.pyi
@@ -0,0 +1,2 @@
+from xml.dom.minidom import parseString
+import xml.dom.minidom
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S409.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S409.pyi
@@ -0,0 +1,2 @@
+from xml.dom.pulldom import parseString
+import xml.dom.pulldom
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S410.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S410.pyi
@@ -0,0 +1,2 @@
+import lxml
+from lxml import etree
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S411.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S411.pyi
@@ -0,0 +1,2 @@
+import xmlrpc
+from xmlrpc import server
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S412.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S412.pyi
@@ -0,0 +1 @@
+from twisted.web.twcgi import CGIScript
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S413.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S413.pyi
@@ -0,0 +1,4 @@
+import Crypto.Hash
+from Crypto.Hash import MD2
+import Crypto.PublicKey
+from Crypto.PublicKey import RSA
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S415.pyi b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S415.pyi
@@ -0,0 +1,2 @@
+import pyghmi
+from pyghmi import foo
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs
@@ -52,19 +52,33 @@ mod tests {
     #[test_case(Rule::SuspiciousNonCryptographicRandomUsage, Path::new("S311.py"))]
     #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"))]
     #[test_case(Rule::SuspiciousTelnetlibImport, Path::new("S401.py"))]
+    #[test_case(Rule::SuspiciousTelnetlibImport, Path::new("S401.pyi"))]
     #[test_case(Rule::SuspiciousFtplibImport, Path::new("S402.py"))]
+    #[test_case(Rule::SuspiciousFtplibImport, Path::new("S402.pyi"))]
     #[test_case(Rule::SuspiciousPickleImport, Path::new("S403.py"))]
+    #[test_case(Rule::SuspiciousPickleImport, Path::new("S403.pyi"))]
     #[test_case(Rule::SuspiciousSubprocessImport, Path::new("S404.py"))]
+    #[test_case(Rule::SuspiciousSubprocessImport, Path::new("S404.pyi"))]
     #[test_case(Rule::SuspiciousXmlEtreeImport, Path::new("S405.py"))]
+    #[test_case(Rule::SuspiciousXmlEtreeImport, Path::new("S405.pyi"))]
     #[test_case(Rule::SuspiciousXmlSaxImport, Path::new("S406.py"))]
+    #[test_case(Rule::SuspiciousXmlSaxImport, Path::new("S406.pyi"))]
     #[test_case(Rule::SuspiciousXmlExpatImport, Path::new("S407.py"))]
+    #[test_case(Rule::SuspiciousXmlExpatImport, Path::new("S407.pyi"))]
     #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.py"))]
+    #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.pyi"))]
     #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.py"))]
+    #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.pyi"))]
     #[test_case(Rule::SuspiciousLxmlImport, Path::new("S410.py"))]
+    #[test_case(Rule::SuspiciousLxmlImport, Path::new("S410.pyi"))]
     #[test_case(Rule::SuspiciousXmlrpcImport, Path::new("S411.py"))]
+    #[test_case(Rule::SuspiciousXmlrpcImport, Path::new("S411.pyi"))]
     #[test_case(Rule::SuspiciousHttpoxyImport, Path::new("S412.py"))]
+    #[test_case(Rule::SuspiciousHttpoxyImport, Path::new("S412.pyi"))]
     #[test_case(Rule::SuspiciousPycryptoImport, Path::new("S413.py"))]
+    #[test_case(Rule::SuspiciousPycryptoImport, Path::new("S413.pyi"))]
     #[test_case(Rule::SuspiciousPyghmiImport, Path::new("S415.py"))]
+    #[test_case(Rule::SuspiciousPyghmiImport, Path::new("S415.pyi"))]
     #[test_case(Rule::TryExceptContinue, Path::new("S112.py"))]
     #[test_case(Rule::TryExceptPass, Path::new("S110.py"))]
     #[test_case(Rule::UnixCommandWildcardInjection, Path::new("S609.py"))]

diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs
@@ -352,6 +352,11 @@ impl Violation for SuspiciousPyghmiImport {
 
 /// S401, S402, S403, S404, S405, S406, S407, S408, S409, S410, S411, S412, S413, S415
 pub(crate) fn suspicious_imports(checker: &mut Checker, stmt: &Stmt) {
+    // Skip stub files.
+    if checker.source_type.is_stub() {
+        return;
+    }
+
     match stmt {
         Stmt::Import(ast::StmtImport { names, .. }) => {
             for name in names {

diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S401_S401.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S401_S401.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S402_S402.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S402_S402.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S403_S403.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S403_S403.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S404_S404.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S404_S404.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S405_S405.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S405_S405.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S406_S406.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S406_S406.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S407_S407.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S407_S407.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S408_S408.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S408_S408.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S409_S409.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S409_S409.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S410_S410.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S410_S410.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S411_S411.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S411_S411.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S412_S412.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S412_S412.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S413_S413.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S413_S413.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
diff --git a/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S415_S415.pyi.snap b/...ules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S415_S415.pyi.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+snapshot_kind: text
+---
+
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from xml.dom import expatbuilder
		import xml.dom.expatbuilder
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from xml.dom.minidom import parseString
		import xml.dom.minidom
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from xml.dom.pulldom import parseString
		import xml.dom.pulldom