Use a linter to ban certain Python imports

Question

Use a linter to ban certain Python imports

rntz opened this issue a year ago · 4 comments

@lunixbochs thinks that for security reasons we should lint for/ban certain Python imports. From slack:

I submit this list (and any imports under them, e.g. both http and http.server should be blocked, or from http import server etc):

aiohttp
asynchat
asyncio
asyncore
cffi
ctypes
ftplib
http
idlelib
mailbox
multiprocessing
nntplib
pip
poplib
requests
smtplib
socket
socketserver
ssl
telnetlib
threading
urllib.request
urllib3

I haven't done this in python before, but import-linter doesn't seem to be the worst

cc @wenkokke

Answer 1 · 2023-07-13T13:14:51.000Z

Using import-linter isn't tenable in the current form of the community repository, because it relies on the repository to be a Python package, i.e., we'd have to add __init__.py files to each directory. There are options for namespace packages, but they'd require us to exhaustively list all files—or at least directories, I'm unsure, haven't gotten that to work—in the package, which is untenable and incredibly error prone.

Answer 2 · 2023-07-13T13:15:42.000Z

@lunixbochs Would there be an problems with Talon if we were to add __init__.py files to the community repository?

Answer 3 · 2023-07-13T13:23:09.000Z

We could consider using bandit, but it does not seem to be able to work with allowlists:
https://bandit.readthedocs.io/en/latest/blacklists/index.html

The import-linter package also doesn't support allowlists, but it does support blocklists with wildcards and ignore statements, which is... less than ideal, but workable.

Answer 4 · 2023-07-17T12:13:57.000Z

There's also flake8-tidy-imports, which is also partially implemented by ruff - I think the rule we'd want is there: https://beta.ruff.rs/docs/settings/#flake8-tidy-imports-banned-api

I think it'd also be worth running bandit.