src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py

branch
eric7
changeset 10638
12558008c269
parent 10507
d1c6608155ef
child 10683
779cda568acb
--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py	Mon Mar 11 15:35:12 2024 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py	Mon Mar 11 16:13:14 2024 +0100
@@ -63,24 +63,26 @@
 
     @param node ast node to be analyzed
     @type ast.Constant
-    @return tuple containing a flag indicating an execute call and
-        the resulting statement
-    @rtype tuple of (bool, str)
+    @return tuple containing a flag indicating an execute call, the resulting
+        statement and a flag indicating a string replace call
+    @rtype tuple of (bool, str, bool)
     """
     wrapper = None
     statement = ""
+    strReplace = False
 
     if isinstance(node._securityParent, ast.BinOp):
         out = SecurityUtils.concatString(node, node._securityParent)
         wrapper = out[0]._securityParent
         statement = out[1]
-    elif (
-        isinstance(node._securityParent, ast.Attribute)
-        and node._securityParent.attr == "format"
-    ):
+    elif isinstance(
+        node._securityParent, ast.Attribute
+    ) and node._securityParent.attr in ("format", "replace"):
         statement = node.value
         # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str
         wrapper = node._securityParent._securityParent._securityParent
+        if node._securityParent.attr == "replace":
+            strReplace = True
     elif hasattr(ast, "JoinedStr") and isinstance(node._securityParent, ast.JoinedStr):
         substrings = [
             child
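Review bot: The comment `# Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str` is now stale, because the branch above it also accepts `attr in ("format", "replace")` and walks the same three `_securityParent` levels for both; update it to `# Hierarchy for "".format() / "".replace() is Wrapper -> Call -> Attribute -> Str`. The `strReplace` flag is only set in this branch, so a `.replace()` applied to the result of the `ast.BinOp` concatenation handled just above would presumably not be flagged — worth a short note next to `strReplace = False` stating that it covers only the direct attribute case. The signature and docstring head of `_evaluateAst` lie before this hunk.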
@@ -98,9 +100,9 @@
     if isinstance(wrapper, ast.Call):  # wrapped in "execute" call?
         names = ["execute", "executemany"]
         name = SecurityUtils.getCalledName(wrapper)
-        return (name in names, statement)
+        return (name in names, statement, strReplace)
     else:
-        return (False, statement)
+        return (False, statement, strReplace)
 
 
 def checkHardcodedSqlExpressions(reportError, context, config):  # noqa: U100
@@ -114,12 +116,12 @@
     @param config dictionary with configuration data
     @type dict
     """
-    val = _evaluateAst(context.node)
-    if _checkString(val[1]):
+    executeCall, statement, strReplace = _evaluateAst(context.node)
+    if _checkString(statement):
         reportError(
             context.node.lineno - 1,
             context.node.col_offset,
             "S608",
             "M",
-            "M" if val[0] else "L",
+            "M" if executeCall and not strReplace else "L",
         )
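Review bot: The confidence rule `"M" if executeCall and not strReplace else "L"` drops every `.replace()` case to low confidence even when the statement is handed straight to execute()/executemany(), and nothing in the hunk records why; since substituting untrusted input via replace() is as injectable as format(), the rationale should be written down, e.g. `# a .replace() call lowers the confidence to "L" even inside execute()/executemany()` above the reportError call, and the same rule belongs in the function docstring. Whether the downgrade is meant to reduce false positives from constant substitutions is an inference; confirm with the author before wording the comment that way. The docstring of checkHardcodedSqlExpressions starts before this hunk.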
