rspec/rules/S2317/python/rule.adoc

This rule raises an issue when the exec statement is used.

== Why is this an issue?

Use of the ``++exec++`` statement could be dangerous, and should be avoided. Moreover, the ``++exec++`` statement was removed in Python 3.0. Instead, the built-in ``++exec()++`` function can be used.

Use of the ``++exec++`` statement is strongly discouraged for several reasons such as:

* *Security Risks:* Executing code from a string opens up the possibility of code injection attacks.
* *Readability and Maintainability:* Code executed with ``++exec++`` statement is often harder to read and understand since it is not explicitly written in the source code.
* *Performance Implications:* The use of ``++exec++`` statement can have performance implications since the code is compiled and executed at runtime.
* *Limited Static Analysis:* Since the code executed with ``++exec++`` statement is only known at runtime, static code analysis tools may not be able to catch certain errors or issues, leading to potential bugs.

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
exec 'print 1' # Noncompliant
----


==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
exec('print 1')
----


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use the "exec()" function instead.


'''
== Comments And Links
(visible only on this page)

=== on 25 Feb 2019, 17:14:43 Tibor Blenessy wrote:
Changing this to code smell, as this rule is mostly about migration towards Python 3. The security aspect of this rule is covered in hotspot RSPEC-1523

endif::env-github,rspecator-view[]
Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			`This rule raises an issue when the exec statement is used.`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Use of the ``++exec++`` statement could be dangerous, and should be avoided. Moreover, the ``++exec++`` statement was removed in Python 3.0. Instead, the built-in ``++exec()++`` function can be used.

Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			Use of the ``++exec++`` statement is strongly discouraged for several reasons such as:

			`* Security Risks: Executing code from a string opens up the possibility of code injection attacks.`
			* Readability and Maintainability: Code executed with ``++exec++`` statement is often harder to read and understand since it is not explicitly written in the source code.
			* Performance Implications: The use of ``++exec++`` statement can have performance implications since the code is compiled and executed at runtime.
			* Limited Static Analysis: Since the code executed with ``++exec++`` statement is only known at runtime, static code analysis tools may not be able to catch certain errors or issues, leading to potential bugs.

			`=== Code examples`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			`==== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			`[source,python,diff-id=1,diff-type=noncompliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`exec 'print 1' # Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			`==== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify rule S2317: LaYC format (#2677) 2023-08-08 11:11:03 +02:00			`[source,python,diff-id=1,diff-type=compliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`exec('print 1')`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Use the "exec()" function instead.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 25 Feb 2019, 17:14:43 Tibor Blenessy wrote:`
			`Changing this to code smell, as this rule is mostly about migration towards Python 3. The security aspect of this rule is covered in hotspot RSPEC-1523`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`