astral-sh / ruff

An extremely fast Python linter and code formatter, written in Rust.
https://docs.astral.sh/ruff
MIT License

False positive for `S608` when a string contains "delete from" #13103

Open dhruvmanila opened 3 weeks ago

dhruvmanila commented 3 weeks ago

i have this problem :(

```
S608 Possible SQL injection vector through string-based query construction
```

```python
logger.warning(f'The linked role <{1}> has been delete from the guild {2}')
```

Originally posted by @Arexils in https://github.com/astral-sh/ruff/issues/8723#issuecomment-2308555876

dhruvmanila commented 3 weeks ago

I think this is because the string contains "delete from" in the middle. The regex isn't anchored to the start:

https://github.com/astral-sh/ruff/blob/39ad6b9472869337ff47dcd2a52e078b7246f2a3/crates/ruff_linter/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs#L13-L16
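To make the unanchored-regex explanation concrete, here is an added Python illustration (not ruff's code; the pattern is an assumed approximation of the flake8-bandit S608 keyword regex) that runs the reported log message and two real query templates through both the unanchored pattern and a start-anchored variant:

```python
import re

# Assumed approximation of the S608 keyword pattern (not ruff's exact regex):
# it accepts a SQL statement shape anywhere inside the string.
UNANCHORED_SQL_RE = re.compile(
    r"(select\s+.*\s+from\s|delete\s+from\s|insert\s+into\s+.*\s+values\s|update\s+.*\s+set\s)",
    re.IGNORECASE,
)

# Same alternatives, but the statement keyword must be the first token of the
# string (leading whitespace allowed), which is what the comment above suggests.
ANCHORED_SQL_RE = re.compile(
    r"^\s*(select\s+.*\s+from\s|delete\s+from\s|insert\s+into\s+.*\s+values\s|update\s+.*\s+set\s)",
    re.IGNORECASE,
)


def looks_like_sql(template: str, anchored: bool) -> bool:
    """Return True if the string template would be flagged by the chosen pattern."""
    pattern = ANCHORED_SQL_RE if anchored else UNANCHORED_SQL_RE
    return pattern.search(template) is not None


# Constructed samples: the log message from the report plus two genuine query
# templates that the rule should keep flagging.
SAMPLES = {
    "log_message": "The linked role <{1}> has been delete from the guild {2}",
    "delete_query": "DELETE FROM roles WHERE guild_id = {guild_id}",
    "select_query": "  select name from users where id = {user_id}",
}


def classify(anchored: bool) -> dict[str, bool]:
    """Map each sample name to whether it is flagged under the given anchoring."""
    return {name: looks_like_sql(t, anchored) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for anchored in (False, True):
        print("anchored" if anchored else "unanchored", classify(anchored))
```

Anchoring removes the log-message false positive while still flagging the two query templates; the trade-off is that a template whose statement keyword is not its first token (a fragment spliced into the middle of a larger query, for example) would no longer be reported.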