Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[flake8-bandit] Implement S502 SslInsecureVersion rule #9390

Merged
merged 5 commits into from
Jan 5, 2024

Conversation

qdegraaf
Copy link
Contributor

@qdegraaf qdegraaf commented Jan 4, 2024

Summary

Adds S502 rule for the flake8-bandit plugin port.

Checks for calls to any function with keywords arguments ssl_version or method or for kwargs method in calls to OpenSSL.SSL.Context and ssl_version in calls to ssl.wrap_socket which have an insecure ssl_version valu. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_version

Test Plan

Fixture added

Issue Link

Refers: #1646

Comment on lines 65 to 68
_ => vec!["ssl_version", "method"],
}
},
None => vec!["ssl_version", "method"]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upstream implementations checks for all calls at MEDIUM severity and the the specific functions at HIGH severity. Unsure if we want to replicate this, as it might be a bit heavy performance wise and Ruff/flake8-bandit has no way of separating the severity levels right now. Just copied upstream implementation for now

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I decided to reduce the rule scope for the same reason.

Copy link
Contributor

github-actions bot commented Jan 4, 2024

ruff-ecosystem results

Linter (stable)

✅ ecosystem check detected no linter changes.

Linter (preview)

✅ ecosystem check detected no linter changes.

@charliermarsh charliermarsh added rule Implementing or modifying a lint rule preview Related to preview mode features labels Jan 4, 2024
Copy link
Member

@charliermarsh charliermarsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks.

@charliermarsh charliermarsh enabled auto-merge (squash) January 5, 2024 01:20
@charliermarsh charliermarsh merged commit 6dfc1cc into astral-sh:main Jan 5, 2024
16 checks passed
charliermarsh pushed a commit that referenced this pull request Jan 5, 2024
## Summary

Adds S503 rule for the
[flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin
port.

Checks for function defs argument defaults which have an insecure
ssl_version value. See also
https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults

Some logic and the `const` can be shared with
#9390. When one of the two is
merged.

## Test Plan

Fixture added

## Issue Link

Refers: #1646
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
preview Related to preview mode features rule Implementing or modifying a lint rule
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants