shell-injection: Give hint about unnecessary parentheses (#605)

This hint was inspired by sipaynehsl who mentioned adding unnecessary parentheses. See: https://forum.linuxfoundation.org/discussion/866580/how-do-i-run-the-lab-exercises Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
ossf · Sep 13, 2024 · d2e8441 · d2e8441
1 parent 24c6f55
commit d2e8441
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/docs/labs/shell-injection.html b/docs/labs/shell-injection.html
@@ -115,6 +115,17 @@
     By convention these strings usually 'raw' strings, so they
     have the form `r'PATTERN'`. You have the "r" but not the following
     single or double quote character.
+- present: |-
+    re \. sub \( r?['"]\(
+  text: >
+    It is syntactically *legal* to use unnecessary parentheses in a
+    regular expression, e.g., `([^a-zA-Z0-9])`. However, it's usually best
+    to make regular expressions as simple as possible. So please don't use
+    unnecessary parentheses.
+  examples:
+  -
+    - "  clean_dir = re.sub(r'([^a-zA-Z0-9])', '', dir_to_list)"
+    - '  subprocess.run(f"ls -l {dir_to_list}", shell=True)'
 - absent: |-
     re \. sub \( r?['"]\[
   text: >