Python Forum
Continuous improvement for Python security
#1
Hi all,

At SonarSource we're pushing hard this year on Code Quality and Security for Python. Most recently, we've been working on detection of Cross-Site Scripting (XSS) in DLT and Jinja2 templates. That plus a number of other OWASP Top 10-related rules were recently added to SonarCloud, and will be available in the next release of SonarQube (E.T.A. end of June).

For more details, check out the blog post I just published.

Ann
#2
I like this one: https://rules.sonarsource.com/python/RSPEC-2201
It's not multiline, it's string concatenation.

I would format it like this:
myvar = (
    "this is a multiline"
    "message from {}".format(sender)
)
But black thinks it fits on one line:
myvar = "this is a multiline" "message from {}".format(sender)
which could be written as:
myvar = "this is not a multiline message from {}".format(sender)
A multi-line string literal is this one:
multiline = """
Sit consectetur aliquam tempora quiquia dolorem eius. Eius dolorem
consectetur eius. Neque quisquam quaerat porro. Voluptatem etincidunt
dolor aliquam voluptatem dolor. Dolore modi quaerat non. Est labore
adipisci est adipisci.  Etincidunt voluptatem labore adipisci est sit.
Amet numquam eius porro. Adipisci non ut numquam amet. Numquam ut
velit neque ipsum non. Ipsum quaerat est eius labore dolore ipsum
etincidunt. Etincidunt dolorem magnam quiquia neque numquam modi.
Quisquam aliquam sed labore numquam tempora.  Dolorem quaerat
voluptatem quiquia eius eius amet dolor. Dolore est est eius amet
dolor velit quisquam. Est aliquam dolorem non eius. Quiquia dolore
eius neque dolor amet etincidunt. Quaerat tempora sed quaerat
consectetur tempora. Aliquam voluptatem ut quaerat. Labore ipsum
dolorem adipisci. Sit quiquia dolor ut voluptatem non aliquam.
"""
The difference here is that a newline in the string literal is also a newline in the final str.
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
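Added example, not code from the thread or from SonarSource's rule implementation: a tokenizer-based checker that reports runs of adjacent string literals (the implicit concatenation the reply above is talking about), plus the post's own snippet evaluated so the joined value is visible. The function names, the seam check and the SAMPLE source are my own constructions.

```python
import io
import ast
import tokenize

# Constructed sample: the confusing concatenation from the post, one genuine
# multi-line literal that must NOT be reported, and a list missing a comma.
SAMPLE = '''
myvar = (
    "this is a multiline"
    "message from {}".format(sender)
)
multiline = """line one
line two"""
items = ["alpha", "beta" "gamma", "delta"]
'''

def find_implicit_concatenations(source):
    """Return (line, pieces, joined) for every run of adjacent string literals.
    The tokenizer is used because by the time the AST exists the parser has
    already folded adjacent literals into a single Constant node."""
    findings, run = [], []
    skip = {tokenize.NL, tokenize.COMMENT}   # these don't break a run
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.STRING:
            run.append(tok)
        elif tok.type in skip:
            continue
        else:
            if len(run) > 1:
                pieces = [ast.literal_eval(t.string) for t in run]
                findings.append((run[0].start[0], pieces, "".join(pieces)))
            run = []                          # any other token ends the run
    return findings

def seam_lacks_separator(pieces):
    """True when two adjacent pieces meet with no whitespace on either side,
    the usual sign that a space (or a comma in a list) was forgotten."""
    return any(not a[-1:].isspace() and not b[:1].isspace()
               for a, b in zip(pieces, pieces[1:]))

def build_message(sender):
    """The shape from the post: both literals form ONE atom, so .format()
    is applied to the already-joined string, and no space is inserted."""
    return ("this is a multiline"
            "message from {}".format(sender))

if __name__ == "__main__":
    for line, pieces, joined in find_implicit_concatenations(SAMPLE):
        print(line, pieces, "->", repr(joined), "seam?", seam_lacks_separator(pieces))
```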