False-Positive STR100 inspection on local scope string in class method?
martinpakosch opened this issue · 1 comments
Hi,
today I updated to PyCharm 2020.2.2 with the latest compatible Python-Security plugin. Noticed a new inspection error I did not get with PyCharm 2020.1.3 and the corresponding plugin version (no idea which one).
However, I understand the background of this STR100 inspection. But in my case (see example) I assume it is a false-positive error. It shows up on the `template.format()` call, where `template` is a local scope variable inside the class method. Maybe I do not understand the vulnerability completely, but how can this (constant) format string `template` be a risk/manipulated from outside?
Do I get something wrong with the vulnerability? Or is the inspection just unable to differentiate between scopes/variable context/definition (would be fine to know)? Or is it a bug?
```python
# Assumed stand-ins so the snippet runs (not part of the original post): `fg`
# provides ANSI colour codes and `print` is the class's own output method.
class fg:
    BLUE = "\033[34m"
    NONE = "\033[0m"

class anything(object):
    # ...
    def __init__(self, left, right, equal):
        self.left, self.right, self.equal = left, right, equal
        self.datakeys = sorted(set(left) | set(right))

    def print(self, line):
        print(line)

    def report(self):
        # Constant template defined in the method's local scope; its text is
        # never taken from outside the method.
        template = "{C}{left:37}{N} {EQ} {C}{right:37}{N}"  # Using max. 80 chars.
        if False in self.equal.values():
            for key in self.datakeys:
                self.print(
                    template.format(  # <- the call STR100 flags
                        left=self.left.get(key, 'Unknown'),
                        right=self.right.get(key, 'Unknown'),
                        EQ='>>' if not self.equal.get(key) else '==',
                        C=fg.BLUE if not self.equal.get(key) else '',
                        N=fg.NONE if not self.equal.get(key) else '',
                    )
                )
```
Kind regards, Martin
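The distinction the inspection cannot make on its own is where the template text comes from. An added example (not from the issue or the plugin) that encodes that distinction as a check: it uses `string.Formatter().parse` to accept only templates whose replacement fields are plain names from an allow-list, which the constant template above passes and a caller-supplied template with attribute or index access does not. The allow-list and `render` helper are assumptions for illustration.

```python
import string

# Constructed from the issue: the constant template the inspection flagged.
CONSTANT_TEMPLATE = "{C}{left:37}{N} {EQ} {C}{right:37}{N}"
REPORT_FIELDS = {"C", "N", "EQ", "left", "right"}

def template_is_safe(template: str, allowed_fields: set) -> bool:
    """Return True if every replacement field is a plain, allow-listed name.

    Rejects positional fields ("{}", "{0}"), attribute access ("{x.attr}"),
    indexing ("{x[k]}"), nested fields in the format spec and unknown names:
    these are what make str.format() on a non-constant template a risk.
    """
    for _literal, field_name, format_spec, _conversion in string.Formatter().parse(template):
        if field_name is None:  # chunk without a replacement field
            continue
        if field_name == "" or field_name.isdigit():
            return False  # positional field
        if "." in field_name or "[" in field_name:
            return False  # attribute / index traversal
        if format_spec and "{" in format_spec:
            return False  # nested replacement field inside the spec
        if field_name not in allowed_fields:
            return False
    return True

def render(template: str, values: dict, allowed_fields: set) -> str:
    """Format only after the template has been checked against the allow-list."""
    if not template_is_safe(template, allowed_fields):
        raise ValueError("template references fields outside the allow-list")
    return template.format(**values)
```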
This occurs for any `.format()` it sees. I encounter the same issue with `pendulum.DateTime.format` as well.