[flake8-bandit] Stabilize more trusted inputs in subprocess-without-shell-equals-true (S603) (#18521)

Author: dylwil3

crates/ruff_linter/src/preview.rs

@@ -18,13 +18,6 @@ pub(crate) const fn is_full_path_match_source_strategy_enabled(settings: &Linter
 
 // Rule-specific behavior
 
-// https://github.com/astral-sh/ruff/pull/17136
-pub(crate) const fn is_shell_injection_only_trusted_input_enabled(
-    settings: &LinterSettings,
-) -> bool {
-    settings.preview.is_enabled()
-}
-
 // https://github.com/astral-sh/ruff/pull/15541
 pub(crate) const fn is_suspicious_function_reference_enabled(settings: &LinterSettings) -> bool {
     settings.preview.is_enabled()

crates/ruff_linter/src/rules/flake8_bandit/mod.rs

@@ -104,7 +104,6 @@ mod tests {
     #[test_case(Rule::SuspiciousURLOpenUsage, Path::new("S310.py"))]
     #[test_case(Rule::SuspiciousNonCryptographicRandomUsage, Path::new("S311.py"))]
     #[test_case(Rule::SuspiciousTelnetUsage, Path::new("S312.py"))]
-    #[test_case(Rule::SubprocessWithoutShellEqualsTrue, Path::new("S603.py"))]
     fn preview_rules(rule_code: Rule, path: &Path) -> Result<()> {
         let snapshot = format!(
             "preview__{}_{}",

crates/ruff_linter/src/rules/flake8_bandit/rules/shell_injection.rs

@@ -7,7 +7,6 @@ use ruff_python_semantic::SemanticModel;
 use ruff_text_size::Ranged;
 
 use crate::Violation;
-use crate::preview::is_shell_injection_only_trusted_input_enabled;
 use crate::{
     checkers::ast::Checker, registry::Rule, rules::flake8_bandit::helpers::string_literal,
 };
@@ -325,9 +324,7 @@ pub(crate) fn shell_injection(checker: &Checker, call: &ast::ExprCall) {
                 }
                 // S603
                 _ => {
-                    if !is_trusted_input(arg)
-                        || !is_shell_injection_only_trusted_input_enabled(checker.settings)
-                    {
+                    if !is_trusted_input(arg) {
                         if checker.enabled(Rule::SubprocessWithoutShellEqualsTrue) {
                             checker.report_diagnostic(
                                 SubprocessWithoutShellEqualsTrue,

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S603_S603.py.snap

@@ -106,74 +106,6 @@ S603.py:21:1: S603 `subprocess` call: check for execution of untrusted input
 23 | # Literals are fine, they're trusted.
    |
 
-S603.py:24:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-23 | # Literals are fine, they're trusted.
-24 | run("true")
-   | ^^^ S603
-25 | Popen(["true"])
-26 | Popen("true", shell=False)
-   |
-
-S603.py:25:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-23 | # Literals are fine, they're trusted.
-24 | run("true")
-25 | Popen(["true"])
-   | ^^^^^ S603
-26 | Popen("true", shell=False)
-27 | call("true", shell=False)
-   |
-
-S603.py:26:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-24 | run("true")
-25 | Popen(["true"])
-26 | Popen("true", shell=False)
-   | ^^^^^ S603
-27 | call("true", shell=False)
-28 | check_call("true", shell=False)
-   |
-
-S603.py:27:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-25 | Popen(["true"])
-26 | Popen("true", shell=False)
-27 | call("true", shell=False)
-   | ^^^^ S603
-28 | check_call("true", shell=False)
-29 | check_output("true", shell=False)
-   |
-
-S603.py:28:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-26 | Popen("true", shell=False)
-27 | call("true", shell=False)
-28 | check_call("true", shell=False)
-   | ^^^^^^^^^^ S603
-29 | check_output("true", shell=False)
-30 | run("true", shell=False)
-   |
-
-S603.py:29:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-27 | call("true", shell=False)
-28 | check_call("true", shell=False)
-29 | check_output("true", shell=False)
-   | ^^^^^^^^^^^^ S603
-30 | run("true", shell=False)
-   |
-
-S603.py:30:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-28 | check_call("true", shell=False)
-29 | check_output("true", shell=False)
-30 | run("true", shell=False)
-   | ^^^ S603
-31 |
-32 | # Not through assignments though.
-   |
-
 S603.py:34:1: S603 `subprocess` call: check for execution of untrusted input
    |
 32 | # Not through assignments though.
@@ -184,36 +116,10 @@ S603.py:34:1: S603 `subprocess` call: check for execution of untrusted input
 36 | # Instant named expressions are fine.
    |
 
-S603.py:37:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-36 | # Instant named expressions are fine.
-37 | run(c := "true")
-   | ^^^ S603
-38 |
-39 | # But non-instant are not.
-   |
-
 S603.py:41:1: S603 `subprocess` call: check for execution of untrusted input
    |
 39 | # But non-instant are not.
 40 | (e := "echo")
 41 | run(e)
    | ^^^ S603
    |
-
-S603.py:46:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-44 | # https://github.com/astral-sh/ruff/issues/17798
-45 | # Tuple literals are trusted
-46 | check_output(("literal", "cmd", "using", "tuple"), text=True)
-   | ^^^^^^^^^^^^ S603
-47 | Popen(("literal", "cmd", "using", "tuple"))
-   |
-
-S603.py:47:1: S603 `subprocess` call: check for execution of untrusted input
-   |
-45 | # Tuple literals are trusted
-46 | check_output(("literal", "cmd", "using", "tuple"), text=True)
-47 | Popen(("literal", "cmd", "using", "tuple"))
-   | ^^^^^ S603
-   |