From d2e8441664cbcd0087c5cadadf928b3a38e29e7b Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Fri, 13 Sep 2024 13:40:35 -0400 Subject: [PATCH] shell-injection: Give hint about unnecessary parentheses (#605) This hint was inspired by sipaynehsl who mentioned adding unnecessary parentheses. See: https://forum.linuxfoundation.org/discussion/866580/how-do-i-run-the-lab-exercises Signed-off-by: David A. Wheeler --- docs/labs/shell-injection.html | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/labs/shell-injection.html b/docs/labs/shell-injection.html index 360b4980..28a27f49 100644 --- a/docs/labs/shell-injection.html +++ b/docs/labs/shell-injection.html @@ -115,6 +115,17 @@ By convention these strings usually 'raw' strings, so they have the form `r'PATTERN'`. You have the "r" but not the following single or double quote character. +- present: |- + re \. sub \( r?['"]\( + text: > + It is syntactically *legal* to use unnecessary parentheses in a + regular expression, e.g., `([^a-zA-Z0-9])`. However, it's usually best + to make regular expressions as simple as possible. So please don't use + unnecessary parentheses. + examples: + - + - " clean_dir = re.sub(r'([^a-zA-Z0-9])', '', dir_to_list)" + - ' subprocess.run(f"ls -l {dir_to_list}", shell=True)' - absent: |- re \. sub \( r?['"]\[ text: >
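Review bot: the `examples` entry for the new `present` hint still interpolates the raw `dir_to_list` in its second line (`subprocess.run(f"ls -l {dir_to_list}", shell=True)`) instead of `clean_dir`, so the example exercises the parentheses condition and the unsanitized-argument case at once; if an earlier hint in this file matches the unsanitized `dir_to_list` in the `subprocess.run` call, that hint will fire first and this example will not demonstrate the new hint. Consider using `clean_dir` in the second example line, e.g. `' subprocess.run(f"ls -l {clean_dir}", shell=True)'`, so the example isolates the unnecessary-parentheses pattern. Separately, the `present` regex `re \. sub \( r?['"]\(` only matches a parenthesis immediately after the opening quote; that is adequate for the `([^a-zA-Z0-9])` case named in the text, and the hint text could say so to set expectations for learners who wrap only part of the pattern.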