[FALSE POSITIVE] "S608 Possible SQL injection" when not applicable #8717

amotl · 2023-11-16T11:45:53Z

Hi there,

thank you for your continued efforts in conceiving Ruff.

While working on crate/cratedb-toolkit#81, we just observed a funny case of S608 Possible SQL injection vector through string-based query construction we would like to share with you. It is easy to reproduce using the most recent ruff 0.1.5.

variants = ["foo", "bar"]
raise ValueError(f"Please select a value from the list of possible variants: {variants}.")

It looks like S608 is tripping because the f-string includes the keywords select and from. If you remove any of it, it will not trip. I don't know if there will be any solution for this worth to follow up on. It is easy for me to slap a # noqa: S608 into the code, so you may want to close this issue right away.

With kind regards,
Andreas.

The text was updated successfully, but these errors were encountered:

zanieb · 2023-11-16T15:49:40Z

Thanks for the report!

zanieb added the bug Something isn't working label Nov 16, 2023

zanieb mentioned this issue Nov 16, 2023

Fix false positive for S608 where SQL-like expression follows other text #8723

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FALSE POSITIVE] "S608 Possible SQL injection" when not applicable #8717

[FALSE POSITIVE] "S608 Possible SQL injection" when not applicable #8717

amotl commented Nov 16, 2023

zanieb commented Nov 16, 2023

[FALSE POSITIVE] "S608 Possible SQL injection" when not applicable #8717

[FALSE POSITIVE] "S608 Possible SQL injection" when not applicable #8717

Comments

amotl commented Nov 16, 2023

zanieb commented Nov 16, 2023