Closed JeffAbrahamson closed 1 year ago
Nothing jumped out at me, except that I find it weird that the linter prefers the old %s notation compared to f-strings. LGTM
I believe there are two reasons. One is efficiency: f-strings are interpolated before the log function is called (and the log function may decide not to log), whereas % arguments are interpolated only once the log function decides to log. (Why? I'm not 100% sure.)
That said, perhaps `.format()` would be better, but I was just doing what lint asked.
I also read somewhere, but can't find today, that f-strings permit arbitrary computation and so are potentially dangerous when formatting user-supplied data. Little Bobby Tables territory. I can't find that reference, aside from this issue.
ChatGPT to the rescue (sort of, because I can't duplicate, but it's the essence of something I read about this).
Consider this code block:

```python
import logging


def process_user_input(user_input):
    # Arbitrary computation or validation
    result = user_input.upper()
    return result


user_input = input("Enter your name: ")
# Logging statement with interpolated user input
logging.warning(f"User {process_user_input(user_input)} logged in.")
```

Now suppose the user provides the name `{__import__('os').system('rm -rf /')}`.
I tested this with `user_input = "__import__('os').system('touch foo')"`, however, and I can't repeat. So perhaps this was once a bug and it's been fixed. Or the blog I read before holiday was simply incorrect.
This all seems pretty straightforward, fixing formatting and mail presentation, mostly.
Creating a PR to make sure lint runs (tests pass locally). Comments welcome. I'll self-approve and merge Monday afternoon barring feedback.