Fix line breaks in codemod descriptions #109

Merged
merged 1 commit into from
Oct 27, 2023
@@ -1,6 +1,4 @@
This codemod separates creating a threading lock instance from calling it as a context manager.
Calling `with threading.Lock()` does not have the effect you would expect. The lock is not acquired.
Instead, to correctly acquire a lock, create the instance separately, before calling it as a context manager.
This codemod separates creating a threading lock instance from calling it as a context manager. Calling `with threading.Lock()` does not have the effect you would expect. The lock is not acquired. Instead, to correctly acquire a lock, create the instance separately, before calling it as a context manager.

The change will apply to any of these `threading` classes: `Lock`, `RLock`, `Condition`, `Semaphore`, and `BoundedSemaphore`.

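Review bot: the merged line keeps the claim "The lock is not acquired", which is not quite what happens with `with threading.Lock():`. The context manager does call `acquire()`, but on a fresh lock created inside the `with` statement that no other thread can reference, so it never contends with anything and provides no mutual exclusion. Suggest rewording to something like "The lock is acquired, but it is a brand-new lock no other thread shares, so it protects nothing." The reflow itself looks fine.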
@@ -1,6 +1,4 @@
This codemod enables autoescaping of HTML content in `jinja2`. Unfortunately, the jinja2
default behavior is to not autoescape when rendering templates, which makes your applications
potentially vulnerable to Cross-Site Scripting (XSS) attacks.
This codemod enables autoescaping of HTML content in `jinja2`. Unfortunately, the jinja2 default behavior is to not autoescape when rendering templates, which makes your applications potentially vulnerable to Cross-Site Scripting (XSS) attacks.

Our codemod checks if you forgot to enable autoescape or if you explicitly disabled it. The change looks as follows:

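Review bot: minor inconsistency in the merged line: `jinja2` is in backticks at the start of the sentence but appears as plain "jinja2" in "the jinja2 default behavior". Pick one form; the other codemod descriptions in this PR consistently backtick library names.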
19 changes: 5 additions & 14 deletions src/core_codemods/docs/pixee_python_fix-mutable-params.md
Expand Up @@ -7,9 +7,7 @@ def foo(x, y=[]):
print(y)
```

The function `foo` doesn't do anything very interesting; it just prints the
result of `x` appended to `y`. Naively we might expect this to simply print an
array containing only `x` every time `foo` is called, like this:
The function `foo` doesn't do anything very interesting; it just prints the result of `x` appended to `y`. Naively we might expect this to simply print an array containing only `x` every time `foo` is called, like this:

```python
>>> foo(1)
Expand All @@ -27,16 +25,11 @@ But that's not what happens!
[1, 2]
```

The value of `y` is preserved between calls! This might seem surprising, and it is.
It's due to the way that scope works for function arguments in Python.
The value of `y` is preserved between calls! This might seem surprising, and it is. It's due to the way that scope works for function arguments in Python.

The result is that any default argument value will be preserved between
function calls. This is problematic for *mutable* types, including things
like `list`, `dict`, and `set`.
The result is that any default argument value will be preserved between function calls. This is problematic for *mutable* types, including things like `list`, `dict`, and `set`.

Relying on this behavior is unpredictable and generally considered to be
unsafe. Most of us who write code like this were not anticipating the
surprising behavior, so it's best to fix it.
Relying on this behavior is unpredictable and generally considered to be unsafe. Most of us who write code like this were not anticipating the surprising behavior, so it's best to fix it.

Our codemod makes an update that looks like this:
```diff
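Review bot: "It's due to the way that scope works for function arguments in Python" is the wrong explanation for `y` being preserved between calls. The cause is that default argument values are evaluated once, when the `def` statement runs, and the same object is reused on every call; scoping has nothing to do with it. This PR only reflows lines, so it may belong in a follow-up, but the sentence is worth correcting, e.g. "It's because default values are evaluated once, at function definition time, and the same object is reused on every call."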
Expand All @@ -47,6 +40,4 @@ Our codemod makes an update that looks like this:
print(y)
```

Using `None` is a much safer default. The new code checks if `None` is passed,
and if so uses an empty `list` for the value of `y`. This will guarantee
consistent and safe behavior between calls.
Using `None` is a much safer default. The new code checks if `None` is passed, and if so uses an empty `list` for the value of `y`. This will guarantee consistent and safe behavior between calls.
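Review bot: "This will guarantee consistent and safe behavior between calls" overstates what the `None` check does: it only covers calls that omit `y`; a caller that passes its own list still has that list mutated across calls. Suggest softening to "consistent behavior whenever the default is used" or similar.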
3 changes: 1 addition & 2 deletions src/core_codemods/docs/pixee_python_jwt-decode-verify.md
@@ -1,5 +1,4 @@
This codemod ensures calls to [jwt.decode](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) do not disable signature validation and other
verifications. It checks that both the `verify` parameter (soon to be deprecated) and any `verify` key in the `options` dict parameter are not assigned to `False`.
This codemod ensures calls to [jwt.decode](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) do not disable signature validation and other verifications. It checks that both the `verify` parameter (soon to be deprecated) and any `verify` key in the `options` dict parameter are not assigned to `False`.

Our change looks as follows:

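Review bot: two details in the merged line are worth checking against the linked PyJWT docs: the `options` key that controls signature checking is `verify_signature`, not `verify`, and the `verify` keyword argument is already deprecated in PyJWT 2.x (it is ignored with a DeprecationWarning) rather than "soon to be deprecated". Suggest "the deprecated `verify` parameter" and "any `verify_signature` key in the `options` dict", assuming that matches what the codemod actually matches on.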
@@ -1,10 +1,6 @@
This codemod configures safe parameter values when initializing `lxml.etree.XMLParser`, `lxml.etree.ETCompatXMLParser`,
`lxml.etree.XMLTreeBuilder`, or `lxml.etree.XMLPullParser`. If parameters `resolve_entities`, `no_network`,
and `dtd_validation` are not set to safe values, your code may be vulnerable to entity expansion
attacks and external entity (XXE) attacks.
This codemod configures safe parameter values when initializing `lxml.etree.XMLParser`, `lxml.etree.ETCompatXMLParser`, `lxml.etree.XMLTreeBuilder`, or `lxml.etree.XMLPullParser`. If parameters `resolve_entities`, `no_network`, and `dtd_validation` are not set to safe values, your code may be vulnerable to entity expansion attacks and external entity (XXE) attacks.

Parameters `no_network` and `dtd_validation` have safe default values of `True` and `False`, respectively, so this
codemod will set each to the default safe value if your code has assigned either to an unsafe value.
Parameters `no_network` and `dtd_validation` have safe default values of `True` and `False`, respectively, so this codemod will set each to the default safe value if your code has assigned either to an unsafe value.

Parameter `resolve_entities` has an unsafe default value of `True`. This codemod will set `resolve_entities=False` if set to `True` or omitted.

5 changes: 1 addition & 4 deletions src/core_codemods/docs/pixee_python_safe-lxml-parsing.md
@@ -1,7 +1,4 @@
This codemod sets the `parser` parameter in calls to `lxml.etree.parse` and `lxml.etree.fromstring`
if omitted or set to `None` (the default value). Unfortunately, the default `parser=None` means `lxml`
will rely on an unsafe parser, making your code potentially vulnerable to entity expansion
attacks and external entity (XXE) attacks.
This codemod sets the `parser` parameter in calls to `lxml.etree.parse` and `lxml.etree.fromstring` if omitted or set to `None` (the default value). Unfortunately, the default `parser=None` means `lxml` will rely on an unsafe parser, making your code potentially vulnerable to entity expansion attacks and external entity (XXE) attacks.

The changes look as follows:

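Review bot: "will rely on an unsafe parser" is vague in the merged line. The sibling description in this PR (safe-lxml-parser-defaults) spells out that the unsafe default is `resolve_entities=True`; saying so here too, e.g. "the default parser resolves entities, making your code potentially vulnerable to ...", would tell the reader which setting is actually the problem. The reflow itself looks correct.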
16 changes: 3 additions & 13 deletions src/core_codemods/docs/pixee_python_use-defusedxml.md
@@ -1,18 +1,8 @@
You might be surprised to learn that Python's built-in XML libraries are
[considered insecure](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)
against various kinds of attacks.
You might be surprised to learn that Python's built-in XML libraries are [considered insecure](https://docs.python.org/3/library/xml.html#xml-vulnerabilities) against various kinds of attacks.

In fact, the [Python documentation
itself](https://docs.python.org/3/library/xml.html#the-defusedxml-package)
recommends the use of [defusedxml](https://pypi.org/project/defusedxml/) for
parsing untrusted XML data. `defusedxml` is an
[open-source](https://github.com/tiran/defusedxml), permissively licensed
project that is intended as a drop-in replacement for Python's standard library
XML parsers.
In fact, the [Python documentation itself](https://docs.python.org/3/library/xml.html#the-defusedxml-package) recommends the use of [defusedxml](https://pypi.org/project/defusedxml/) for parsing untrusted XML data. `defusedxml` is an [open-source](https://github.com/tiran/defusedxml), permissively licensed project that is intended as a drop-in replacement for Python's standard library XML parsers.

This codemod updates all relevant uses of the standard library parsers with
safe versions from `defusedxml`. It also adds the `defusedxml` dependency to
your project where possible.
This codemod updates all relevant uses of the standard library parsers with safe versions from `defusedxml`. It also adds the `defusedxml` dependency to your project where possible.

The changes from this codemod look like this:
```diff
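Review bot: "adds the `defusedxml` dependency to your project where possible" leaves the reader guessing which dependency files are handled. Naming them (for example `requirements.txt`, if that is what the codemod supports) would make the description actionable and tell users when they need to add the dependency themselves.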
8 changes: 2 additions & 6 deletions src/core_codemods/docs/pixee_python_use-walrus-if.md
@@ -1,10 +1,6 @@
This codemod updates places where two separate statements involving an assignment
and conditional can be replaced with a single Assignment Expression (commonly
known as the walrus operator).
This codemod updates places where two separate statements involving an assignment and conditional can be replaced with a single Assignment Expression (commonly known as the walrus operator).

Many developers use this operator in new code that they write but don't have
the time to find and update every place in existing code. So we do it for you!
We believe this leads to more concise and readable code.
Many developers use this operator in new code that they write but don't have the time to find and update every place in existing code. So we do it for you! We believe this leads to more concise and readable code.

The changes from this codemod look like this:

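Review bot: the merged lines never mention that assignment expressions require Python 3.8 or newer (PEP 572). Since this codemod rewrites existing code, the description should state the minimum interpreter version so users on older Pythons know the change would break their code.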