New check: .format() over translated string _()

[yajo]

Today I noticed in https://github.com/OCA/server-tools/pull/1941#discussion_r537426404 that our friend @legalsylvain didn't know about the implicit dangers of using format string syntax for translated content. Certainly it's not something very obvious, but it's quite dangerous, as it lets a translator to inject malicious translations that execute server-side code in the odoo server. Translated content must always use printf style formatting, which is dumber but secure.

Until today, I have never noticed any such usage in our code base, but I think a linter would be very helpful here.

[pedrobaeza]

Not only dangerous, but can't be possible to be used with translatable fields, as the symbol replacement is done on linking time, and thus, with that, you won't have any translation.

[yajo]

I think you're talking about f-strings, which is a different thing (that indeed could also be linted)

AFAIK yes you could have a translation with _("My name is {}").format("Jairo")

[legalsylvain]

@Yajo thanks a lot !

[pedrobaeza]

Yes, I'm taking about f-strings

[moylop260]

@Yajo So, Should we do a dance to kukulcan to resurrect the following old proposal?

• https://github.com/OCA/pylint-odoo/pull/65

[moylop260]

Could you check the following PR, please?

• https://github.com/OCA/pylint-odoo/pull/304

[moylop260]

@Yajo Could you make a PR to change the following section:

• Prefer % over .format(), prefer %(varname) instead of positional. This is better for translation and clarity.

In order to warn a security risk instead of a translation matter

Please

[yajo]

So, Should we do a dance to kukulcan to resurrect the following old proposal?

No, that one's fixed by python 3 which is the norm these days (finally). The problem we're talking here is just about translations.

[yajo]

Could you make a PR to change the following section:

* [Prefer % over .format(), prefer %(varname) instead of positional. This is better for translation and clarity.](https://github.com/OCA/odoo-community.org/blob/master/website/Contribution/CONTRIBUTING.rst#33idioms)

In order to warn a security risk instead of a translation matter

Done in https://github.com/OCA/odoo-community.org/pull/58

[StefanRijnhart]

I just found out that pyupgrade from the OCA's pre-commit replaces printf formatting by str.format() when it's safe to do so (https://github.com/asottile/pyupgrade#printf-style-string-formatting). That to me looks like a huge encouragement for contributors to use str.format() without giving consideration whether it's safe to do so. We may not be able to rely on pylint-odoo to catch all cases when it's not safe. Would it be a good idea to disable this feature from pyupgrade?

[yajo]

Would it be a good idea to disable this feature from pyupgrade?

Yes, maybe it would be less confusing.