
[flake8-bandit] S601 does not account for calls through clients #19006

@MeGaGiGaGon

Description


Summary

I found this while working on #18972

paramiko-call (S601) only checks for a paramiko.exec_command, as seen in the test case:

import paramiko
paramiko.exec_command('something; really; unsafe')

And the given example code does not raise: https://play.ruff.rs/6b4aa322-f3b1-49cd-997d-f14b5c1bac41

However, as both the example in S601's docs and paramiko's own docs show, this call can also be made through an intermediary client object:

from paramiko import SSHClient

client = SSHClient()
client.load_system_host_keys()
client.connect('ssh.example.com')
stdin, stdout, stderr = client.exec_command('ls -l')

The rule needs to either be more general, like how suspicious-subprocess-import (S404) is a blanket search for importing subprocess, or have additional cases added, since reading through the paramiko docs it looks like exec_command is just a convenience wrapper around functionality provided in the Client object, which would share the same security concerns. I'm also not certain paramiko.exec_command is even valid code using paramiko, as a GitHub search for "paramiko.exec_command" only returned it in flake8-bandit/ruff test cases.

Version

playground
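To illustrate the detection gap, here is an added example (not Ruff's or flake8-bandit's code) of a minimal AST check that flags `exec_command` both on the `paramiko` module and on an `SSHClient` instance, whether bound to a name or called inline. It assumes any class named `SSHClient` is paramiko's; the sample sources are constructed from the two snippets in the issue.

```python
import ast

# Assumption: a class named SSHClient is paramiko's client, whether used as
# `SSHClient(...)` after `from paramiko import SSHClient` or as `paramiko.SSHClient(...)`.
CLIENT_CLASSES = {"SSHClient"}


def _is_client_constructor(node: ast.AST) -> bool:
    """True for `SSHClient(...)` or `paramiko.SSHClient(...)`."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Name):
        return func.id in CLIENT_CLASSES
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id == "paramiko" and func.attr in CLIENT_CLASSES
    return False


def find_exec_command_calls(source: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for each exec_command call reachable via paramiko."""
    tree = ast.parse(source)
    # Pass 1: names bound to a client instance, e.g. `client = SSHClient()`.
    client_names = {
        target.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Assign) and _is_client_constructor(node.value)
        for target in node.targets
        if isinstance(target, ast.Name)
    }
    findings: list[tuple[int, str]] = []
    # Pass 2: every `<receiver>.exec_command(...)` call, classified by receiver.
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "exec_command":
            continue
        receiver = node.func.value
        if isinstance(receiver, ast.Name) and receiver.id == "paramiko":
            findings.append((node.lineno, "module-level paramiko.exec_command"))
        elif isinstance(receiver, ast.Name) and receiver.id in client_names:
            findings.append((node.lineno, f"exec_command via client {receiver.id!r}"))
        elif _is_client_constructor(receiver):
            findings.append((node.lineno, "exec_command on inline SSHClient()"))
    return sorted(findings)


# Constructed samples mirroring the issue: the existing S601 test case and the docs example.
SAMPLE_MODULE_CALL = "import paramiko\nparamiko.exec_command('something; really; unsafe')\n"
SAMPLE_CLIENT_CALL = ("from paramiko import SSHClient\nclient = SSHClient()\n"
                      "client.load_system_host_keys()\nclient.connect('ssh.example.com')\n"
                      "stdin, stdout, stderr = client.exec_command('ls -l')\n")
```

Running `find_exec_command_calls` on both samples reports a finding for each, whereas the current rule only matches the first.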
