fix(rules): do not check for django import in S610

astral-sh · Mar 11, 2024 · 4e88142 · 4e88142
1 parent 709045a
commit 4e88142
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 17 deletions.
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/django_extra.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/django_extra.rs
@@ -1,7 +1,6 @@
 use ruff_diagnostics::{Diagnostic, Violation};
 use ruff_macros::{derive_message_formats, violation};
 use ruff_python_ast::{self as ast, Expr, ExprAttribute, ExprDict, ExprList};
-use ruff_python_semantic::Modules;
 use ruff_text_size::Ranged;
 
 use crate::checkers::ast::Checker;
@@ -29,16 +28,12 @@ pub struct DjangoExtra;
 impl Violation for DjangoExtra {
     #[derive_message_formats]
     fn message(&self) -> String {
-        format!("Use of `extra` can lead to SQL injection vulnerabilities")
+        format!("Use of Django `extra` can lead to SQL injection vulnerabilities")
     }
 }
 
 /// S610
 pub(crate) fn django_extra(checker: &mut Checker, call: &ast::ExprCall) {
-    if !checker.semantic().seen_module(Modules::DJANGO) {
-        return;
-    }
-
     let Expr::Attribute(ExprAttribute { attr, .. }) = call.func.as_ref() else {
         return;
     };

diff --git a/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S610_S610.py.snap b/...rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S610_S610.py.snap
@@ -1,7 +1,7 @@
 ---
 source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
 ---
-S610.py:4:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:4:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
   |
 3 | # Errors
 4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
@@ -10,7 +10,7 @@ S610.py:4:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
   |
 
-S610.py:5:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:5:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
   |
 3 | # Errors
 4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
@@ -20,7 +20,7 @@ S610.py:5:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
   |
 
-S610.py:6:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:6:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
   |
 4 | User.objects.filter(username='admin').extra(dict(could_be='insecure'))
 5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
@@ -30,7 +30,7 @@ S610.py:6:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
   |
 
-S610.py:7:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:7:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
   |
 5 | User.objects.filter(username='admin').extra(select=dict(could_be='insecure'))
 6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
@@ -40,7 +40,7 @@ S610.py:7:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
   |
 
-S610.py:8:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:8:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
   |
 6 | User.objects.filter(username='admin').extra(select={'test': '%secure' % 'nos'})
 7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
@@ -49,7 +49,7 @@ S610.py:8:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 9 | User.objects.filter(username='admin').extra(where=['{}secure'.format('no')])
   |
 
-S610.py:9:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:9:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
  7 | User.objects.filter(username='admin').extra(select={'test': '{}secure'.format('nos')})
  8 | User.objects.filter(username='admin').extra(where=['%secure' % 'nos'])
@@ -59,7 +59,7 @@ S610.py:9:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --'
    |
 
-S610.py:12:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:12:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
 11 | query = '"username") AS "username", * FROM "auth_user" WHERE 1=1 OR "username"=? --'
 12 | User.objects.filter(username='admin').extra(select={'test': query})
@@ -68,7 +68,7 @@ S610.py:12:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 14 | where_var = ['1=1) OR 1=1 AND (1=1']
    |
 
-S610.py:15:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:15:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
 14 | where_var = ['1=1) OR 1=1 AND (1=1']
 15 | User.objects.filter(username='admin').extra(where=where_var)
@@ -77,7 +77,7 @@ S610.py:15:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 17 | where_str = '1=1) OR 1=1 AND (1=1'
    |
 
-S610.py:18:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:18:44: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
 17 | where_str = '1=1) OR 1=1 AND (1=1'
 18 | User.objects.filter(username='admin').extra(where=[where_str])
@@ -86,7 +86,7 @@ S610.py:18:44: S610 Use of `extra` can lead to SQL injection vulnerabilities
 20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin']
    |
 
-S610.py:21:25: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:21:25: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
 20 | tables_var = ['django_content_type" WHERE "auth_user"."username"="admin']
 21 | User.objects.all().extra(tables=tables_var).distinct()
@@ -95,7 +95,7 @@ S610.py:21:25: S610 Use of `extra` can lead to SQL injection vulnerabilities
 23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
    |
 
-S610.py:24:25: S610 Use of `extra` can lead to SQL injection vulnerabilities
+S610.py:24:25: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
    |
 23 | tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
 24 | User.objects.all().extra(tables=[tables_str]).distinct()