`S604` shows warning for any type, not just `True` #8310

adamhl8 · 2023-10-28T16:54:07Z

Say you have something like this:

def do_stuff(shell):
    pass

Calling this function with any argument for shell will show S604, not just True as the warning/documentation implies.

do_stuff(shell="bash")
# S604 Function call with `shell=True` parameter identified, security issue

do_stuff(shell=123)
# S604 Function call with `shell=True` parameter identified, security issue

The text was updated successfully, but these errors were encountered:

charliermarsh · 2023-10-28T22:36:35Z

I believe this is as intended and matches Bandit's behavior -- I think the documentation is the problem.

…cs (#8359) ## Summary If the value of `shell` wasn't literally `True`, we now show a message describing it as truthy, rather than the (misleading) `shell=True` literal in the diagnostic. Closes #8310.

charliermarsh added the documentation Improvements or additions to documentation label Oct 28, 2023

charliermarsh self-assigned this Oct 30, 2023

charliermarsh mentioned this issue Oct 30, 2023

Avoid including literal shell=True for truthy, non-True diagnostics #8359

Merged

charliermarsh closed this as completed in #8359 Oct 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`S604` shows warning for any type, not just `True` #8310

`S604` shows warning for any type, not just `True` #8310

adamhl8 commented Oct 28, 2023

charliermarsh commented Oct 28, 2023

S604 shows warning for any type, not just True #8310

S604 shows warning for any type, not just True #8310

Comments

adamhl8 commented Oct 28, 2023

charliermarsh commented Oct 28, 2023

`S604` shows warning for any type, not just `True` #8310

`S604` shows warning for any type, not just `True` #8310