astral-sh / ruff

An extremely fast Python linter and code formatter, written in Rust.
https://docs.astral.sh/ruff
MIT License

[FALSE NEGATIVE] "S608 Possible SQL injection" #12044

Open mpolyakov-plutoflume opened 1 week ago

mpolyakov-plutoflume commented 1 week ago

Hello. I'm very excited to migrate our codebase to ruff. However, while doing so I've noticed that rule S608 works differently from the corresponding B608. It only triggers if SELECT is on the same line. So SELECT * FROM {foo}.table is an error and

SELECT *
FROM {foo}.table

is not.

Kind regards, Mikhail

MichaReiser commented 1 week ago

I just tried and the rule works as expected for triple-quoted f-strings. Any chance that you're using a line continuation token?

https://play.ruff.rs/1c1c9715-2f69-48e1-9e31-f2edcef405ac

mpolyakov-plutoflume commented 1 week ago

Thank you for a quick reply. I've added a couple of examples to https://play.ruff.rs/d3adeb3f-9657-4314-8d99-a45d426d6674

Basically, it does not work when SELECT is on a new line or SELECT and FROM are on different lines.
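As an added illustration (not ruff's S608 implementation, and not code from either commenter), the checker below walks a module's AST and flags f-strings with interpolations whose literal text looks like a SQL statement, matching across line breaks so that the multi-line shapes from this issue are caught as well as the single-line one. The sample module, the `SQL_RE` pattern and the `{...}` placeholder for interpolated parts are constructed here for the demonstration.

```python
import ast
import re

# Constructed sample module containing the shapes discussed in the issue:
# a one-line f-string, SELECT and FROM on different lines, and SELECT on a
# new line inside a triple-quoted f-string. The last f-string is not SQL.
SAMPLE = '''
foo = "schema"
q1 = f"SELECT * FROM {foo}.table"
q2 = f"""SELECT *
FROM {foo}.table"""
q3 = f"""
SELECT *
FROM {foo}.table
"""
greeting = f"hello {foo}"
'''

# re.DOTALL lets ".*" span newlines, so keyword pairs split across lines
# still match; a line-oriented check would miss q2 and q3 above.
SQL_RE = re.compile(
    r"\b(SELECT\b.*\bFROM|INSERT\b.*\bINTO|UPDATE\b.*\bSET|DELETE\b.*\bFROM)\b",
    re.IGNORECASE | re.DOTALL,
)


def fstring_literal_text(node: ast.JoinedStr) -> str:
    """Join the constant parts of an f-string, replacing each interpolation
    with a '{...}' placeholder so the SQL structure is visible as one text."""
    parts = []
    for value in node.values:
        if isinstance(value, ast.Constant):
            parts.append(str(value.value))
        else:
            parts.append("{...}")
    return "".join(parts)


def find_sql_fstrings(source: str) -> list[tuple[int, str]]:
    """Return (line number, joined text) for every f-string that has at least
    one interpolation and whose literal text matches SQL_RE."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr) and any(
            isinstance(v, ast.FormattedValue) for v in node.values
        ):
            text = fstring_literal_text(node)
            if SQL_RE.search(text):
                findings.append((node.lineno, text))
    return findings


if __name__ == "__main__":
    for lineno, text in find_sql_fstrings(SAMPLE):
        print(f"line {lineno}: {text!r}")
```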