Remove raw string from hardcoded-sql-expression (#2780)

astral-sh · Feb 11, 2023 · 19fc410 · 19fc410
1 parent 5a70a57
commit 19fc410
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 100 deletions.
diff --git a/README.md b/README.md
@@ -933,7 +933,7 @@ For more, see [flake8-bandit](https://pypi.org/project/flake8-bandit/) on PyPI.
 | S506 | unsafe-yaml-load | Probable use of unsafe loader `{name}` with `yaml.load`. Allows instantiation of arbitrary objects. Consider `yaml.safe_load`. |  |
 | S508 | snmp-insecure-version | The use of SNMPv1 and SNMPv2 is insecure. Use SNMPv3 if able. |  |
 | S509 | snmp-weak-cryptography | You should not use SNMPv3 without encryption. `noAuthNoPriv` & `authNoPriv` is insecure. |  |
-| S608 | [hardcoded-sql-expression](https://github.com/charliermarsh/ruff/blob/main/docs/rules/hardcoded-sql-expression.md) | Possible SQL injection vector through string-based query construction: "{}" |  |
+| S608 | [hardcoded-sql-expression](https://github.com/charliermarsh/ruff/blob/main/docs/rules/hardcoded-sql-expression.md) | Possible SQL injection vector through string-based query construction |  |
 | S612 | logging-config-insecure-listen | Use of insecure `logging.config.listen` detected |  |
 | S701 | jinja2-autoescape-false | Using jinja2 templates with `autoescape=False` is dangerous and can lead to XSS. Ensure `autoescape=True` or use the `select_autoescape` function. |  |
 

diff --git a/crates/ruff/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs b/crates/ruff/src/rules/flake8_bandit/rules/hardcoded_sql_expression.rs
@@ -35,18 +35,12 @@ define_violation!(
     /// ## References
     /// * [B608: Test for SQL injection](https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html)
     /// * [psycopg3: Server-side binding](https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html#server-side-binding)
-    pub struct HardcodedSQLExpression {
-        pub string: String,
-    }
+    pub struct HardcodedSQLExpression;
 );
 impl Violation for HardcodedSQLExpression {
     #[derive_message_formats]
     fn message(&self) -> String {
-        let HardcodedSQLExpression { string } = self;
-        format!(
-            "Possible SQL injection vector through string-based query construction: \"{}\"",
-            string.escape_debug()
-        )
+        format!("Possible SQL injection vector through string-based query construction")
     }
 }
 
@@ -102,7 +96,7 @@ pub fn hardcoded_sql_expression(checker: &mut Checker, expr: &Expr) {
     match unparse_string_format_expression(checker, expr) {
         Some(string) if matches_sql_statement(&string) => {
             checker.diagnostics.push(Diagnostic::new(
-                HardcodedSQLExpression { string },
+                HardcodedSQLExpression,
                 Range::from_located(expr),
             ));
         }