[flake8-bandit] Detect patterns from multi line SQL statements (S608)

[DataEnggNerd]

Summary

The regex written for identifying possible sql injections was not identifying some patterns, mostly multiple lined queries.

Fixes include:

• updated regex with the pattern from https://github.com/PyCQA/bandit/blob/4ac55dfaaacf2083497831294b2dcd7e679f8428/bandit/plugins/injection_sql.py
• removed concatenated_f_string function, which was escaping \n

Fixes #12044

Test Plan

• Added reported patterns from [FALSE NEGATIVE] "S608 Possible SQL injection" #12044 to S608.py test fixtures.

[github-actions]

ruff-ecosystem results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+5 -1 violations, +0 -0 fixes in 3 projects; 51 projects unchanged)

apache/airflow (+1 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

+ providers/tests/system/google/cloud/dataproc_metastore/example_dataproc_metastore_hive_partition_sensor.py:105:35: S608 Possible SQL injection vector through string-based query construction

apache/superset (+4 -1 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --no-preview --select ALL

- superset/migrations/versions/2022-04-01_14-38_a9422eeaae74_new_dataset_models_take_2.py:871:9: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/databases/filters_test.py:125:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:477:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:485:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:493:12: S608 Possible SQL injection vector through string-based query construction

pandas-dev/pandas (+0 -0 violations, +0 -0 fixes)

Changes by rule (1 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S608	6	5	1	0	0

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+5 -1 violations, +0 -0 fixes in 2 projects; 52 projects unchanged)

apache/airflow (+1 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

+ providers/tests/system/google/cloud/dataproc_metastore/example_dataproc_metastore_hive_partition_sensor.py:105:35: S608 Possible SQL injection vector through string-based query construction

apache/superset (+4 -1 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

- superset/migrations/versions/2022-04-01_14-38_a9422eeaae74_new_dataset_models_take_2.py:871:9: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/databases/filters_test.py:125:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:477:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:485:12: S608 Possible SQL injection vector through string-based query construction
+ tests/unit_tests/jinja_context_test.py:493:12: S608 Possible SQL injection vector through string-based query construction

Changes by rule (1 rules affected)

code	total	+ violation	- violation	+ fix	- fix
S608	6	5	1	0	0

[DataEnggNerd]

@MichaReiser Can you review the changes please?

[DataEnggNerd]

⚠️ Do not consider previous commit for review. Something messed up and I have accepted wrong snap.

[MichaReiser]

@DataEnggNerd is the PR now ready for review again or are there still issues with the snapshots?

[DataEnggNerd]

@DataEnggNerd is the PR now ready for review again or are there still issues with the snapshots?

@MichaReiser I am facing trouble in terms of test cases. When I revert to last version in which @dhruvmanila has given reviews, only 37 out of 58 patterns are detected. Not able to understand why such changes are happening.

Additionally, with the changes recommended, 52 test patterns are identified.

[MichaReiser]

@DataEnggNerd I suggest reverting the regex changes. Reverting them makes most diagnostic reappear. Could you let me know which diagnostics are missing when using the existing regex? It would help me helping you :)

[DataEnggNerd]

@MichaReiser
Below are the few of the patterns not being identified

query10 = f"DELETE FROM table WHERE var = {var}"
query18 = f"UPDATE {table} SET var = {var}"
query23 = f"select * from table where var = {var}"
query28 = f"delete from table where var = {var}"
query32 = f"insert into {table} values var = {var}"
query36 = f"update {table} set var = {var}"
query43 = cursor.execute(f"SELECT * FROM table WHERE var = {var}")

[MichaReiser]

@DataEnggNerd would you mind pushing your latest changes? The PR still shows changes to the Regex and it comments out f-string handling.

I did copy paste the examples into Regex101 and it at least matches the first example (I didnt' test th other examples)

[DataEnggNerd]

@MichaReiser I have pushed the changes.
This version of code is able to identify 48 patterns only.
Unidentified patterns

def query40():
    return f"""
    SELECT *
    FROM table
    WHERE var = {var}
    """

query46 = "INSERT table VALUES (%s)" % (var,)

# # REPLACE (e.g. MySQL and derivatives, SQLite)
query47 = "REPLACE INTO table VALUES (%s)" % (var,)
query48 = "REPLACE table VALUES (%s)" % (var,)

def query52():
    return f"""
SELECT {var}
    FROM bar
    """

def query53():
    return f"""
    SELECT
        {var}
    FROM bar
    """

def query54():
    return f"""
    SELECT {var}
    FROM
        bar
    """

query56 = f"""SELECT *
FROM {var}.table
"""

query57 = f"""
SELECT *
FROM {var}.table
"""

query58 = f"SELECT\
 * FROM {var}.table"

[DataEnggNerd]

@MichaReiser @dhruvmanila Sorry to bug you again.
Tests are failing related to salsa crate 😓 . Not able to figure out how to handle this

error[E0463]: can't find crate for `salsa`
 --> crates/ruff_db/src/files.rs:6:5
  |
6 | use salsa::{Durability, Setter};
  |     ^^^^^ can't find crate

[DataEnggNerd]

@MichaReiser @dhruvmanila Sorry to bug you again. Tests are failing related to salsa crate 😓 . Not able to figure out how to handle this

error[E0463]: can't find crate for `salsa`
 --> crates/ruff_db/src/files.rs:6:5
  |
6 | use salsa::{Durability, Setter};
  |     ^^^^^ can't find crate

This issue is resolved. Seems to be something irrelevant to the changes in this PR.

[dhruvmanila]

Thanks for your patience. There are only a few minor changes required but otherwise this looks good to go.

[MichaReiser]

Thanks for your persistent work on this.
I went ahead and addressed @dhruvmanila's feedback. Let's merge this PR :)

[DataEnggNerd]

@MichaReiser @dhruvmanila
Thank for the detailed guidance throughout this issue.
Looking forward to contribute more, with lesser noob questions 😅.