Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
flake8-string-format
Advanced tools
.. image:: https://travis-ci.org/xZise/flake8-string-format.svg?branch=0.3.0 :alt: Build Status :target: https://travis-ci.org/xZise/flake8-string-format
.. image:: http://codecov.io/github/xZise/flake8-string-format/coverage.svg?branch=master :alt: Coverage Status :target: http://codecov.io/github/xZise/flake8-string-format?branch=master
.. image:: https://badge.fury.io/py/flake8-string-format.svg :alt: Pypi Entry :target: https://pypi.python.org/pypi/flake8-string-format
An extension for Flake8 <https://pypi.python.org/pypi/flake8>
_ to check the
strings and parameters using str.format
. It checks all strings whether they
use numbered parameters with an implicit index which isn't support in
Python 2.6.
In all instances of '…'.format(…)
it will also check whether there are
enough parameters given. If the format call uses variable arguments, it'll just
check whether the right types of arguments are present.
When both Flake8 and flake8-string-format
are installed, the plugin
is available in flake8
::
$ flake8 --version 3.0.2 (flake8-string-format: 0.2.3, […]
This plugin supports Flake8 2.6 as well as Flake8 3.0. Older or newer versions may be supported too but they weren't tested.
Via --ignore
it's possible to ignore unindexed parameters::
$ flake8 some_file.py ... some_file.py:1:1: P101 format string does contain unindexed parameters
$ flake8 --ignore P101 some_file.py ...
This module doesn't add any additional parameters to Flake8.
This plugin is using the following error codes:
+--------------------------------------------------------------------+ | Presence of implicit parameters | +------+-------------------------------------------------------------+ | P101 | format string does contain unindexed parameters | +------+-------------------------------------------------------------+ | P102 | docstring does contain unindexed parameters | +------+-------------------------------------------------------------+ | P103 | other string does contain unindexed parameters | +------+-------------------------------------------------------------+ | Missing values in the parameters | +------+-------------------------------------------------------------+ | P201 | format call uses too large index (INDEX) | +------+-------------------------------------------------------------+ | P202 | format call uses missing keyword (KEYWORD) | +------+-------------------------------------------------------------+ | P203 | format call uses keyword arguments but no named entries | +------+-------------------------------------------------------------+ | P204 | format call uses variable arguments but no numbered entries | +------+-------------------------------------------------------------+ | P205 | format call uses implicit and explicit indexes together | +------+-------------------------------------------------------------+ | Unused values in the parameters | +------+-------------------------------------------------------------+ | P301 | format call provides unused index (INDEX) | +------+-------------------------------------------------------------+ | P302 | format call provides unused keyword (KEYWORD) | +------+-------------------------------------------------------------+
The plugin will go through all bytes
, str
and unicode
instances. If
it encounters bytes
instances on Python 3, it'll decode them using ASCII and
if that fails it'll skip that entry.
The strings are basically sorted into three types corresponding to the P1XX range. Only the format string can cause all errors while any other string can only cause the corresponding P1XX error.
For this plugin all strings which are the first expression of the module or after a function or class definition are considered docstrings.
If the format
method is used on a string or str.format
with the string
as the first parameter, it will consider this a format string and will analyze
the parameters of that call. If that call uses variable arguments, it cannot
issue P201 and P202 as missing entries might be hidden in those variable
arguments. P301 and P302 can still be checked for any argument which is defined
statically.
Python 2.6 support
Python 2.6 is only partially supported as it's using Python's capability to
format a string. So if a string contains implicit parameters, it won't be
detected as a parameter on Python 2.6 and thus it won't cause any P1XX errors.
But it might still cause an error P301 when variable arguments aren't used.
So if Python 2.6 compatibility is wished and thus implicit parameters aren't
allowed, this plugin won't cause false positives.
Changes
-------
0.3.0 - 2020-02-16
0.2.3 - 2016-07-27
* Properly register with Flake8 so it will be selected on Flake8 3.x by default
and it can be selected on Flake8 2.x.
0.2.2 - 2016-05-29
0.2.1 - 2015-09-20
* Support ``str.format("…", …)`` calls and handle them like ``"…".format(…)``
0.2.0 - 2015-09-12
0.1.0 - 2015-09-10
* Detect unindexed parameters in all strings
* Separate error code for docstrings
FAQs
string format checker, plugin for flake8
We found that flake8-string-format demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.