18 if cs.x86.X86_GRP_BRANCH_RELATIVE in instruction.groups:
19 assert len(instruction.operands) > 0
20 destination = instruction.operands[0]
21 assert destination.type == cs.CS_OP_IMM 22 branch_to = destination.imm # capstone resolves addresses
23
24 return { 16 """
17 branch_to = None
18 if cs.x86.X86_GRP_BRANCH_RELATIVE in instruction.groups:
19 assert len(instruction.operands) > 0 20 destination = instruction.operands[0]
21 assert destination.type == cs.CS_OP_IMM
22 branch_to = destination.imm # capstone resolves addresses 97 return offsets
98
99 # all that remain are call/jmp to imm
100 assert len(instruction.operands) > 0101 destination = instruction.operands[0]
102 assert destination.type == cs.CS_OP_IMM
103 99 # all that remain are call/jmp to imm
100 assert len(instruction.operands) > 0
101 destination = instruction.operands[0]
102 assert destination.type == cs.CS_OP_IMM103
104 offsets.append(destination.imm) # capstone resolves addresses
105 18
19class Arch:
20 def __init__(self, dependencies):
21 assert MEM_RESERVED_INDICES > 6 + STACK_PROP 22
23 self.matrix = dependencies
24 self.size, _ = dependencies.shapeUsage of assert statement in application logic is discouraged. assert is removed with compiling to optimized byte code. Consider raising an exception instead. Ideally, assert statement should be used only in tests.
Python has an option to compile the optimized bytecode and create the respective .pyo files by using the options -O and -OO. When used, these basic optimizations are done:
- All the assert statements are removed
- All docstrings are removed (when -OO is selected)
- Value of the
__debug__built-in variable is set toFalse
It is recommended not to use assert in non-test files. A better way for internal self-checks is to check explicitly and raise respective error using an if statement.
Tip: Make sure test_patterns are defined in .deepsource.toml to avoid false-positives. Please check the documentation to know more.
Consider this code snippet:
def read_secret(self):
assert self.is_admin, "You are unauthorized to read this"
return self._secret
If python is run with the -O flag, the check for self.is_admin is
completely ignored, which can cause secrets to be leaked.
This is how you can ensure the code always works:
def read_secret(self):
if not self.is_admin:
raise AssertionError("You are unauthorized to read this")
return self._secret
Here's a more detailed example. Consider the following script foo.py:
import sys
def run():
assert len(sys.argv) == 5 # Insecure, statement will be removed when compiled to optimized byte code
print("Argument variables are: ", sys.argv)
run()
When optimization is disabled:
$ python foo.py 1 2 3 4 5
Traceback (most recent call last):
File "foo.py", line 7, in <module>
run()
File "foo.py", line 4, in run
assert len(sys.argv) == 5 # Insecure, statement will be removed when compiled to optimized byte code
AssertionError
When optimization is enabled:
$ python -O foo.pyo 1 2 3 4 5 6
Argument variables are: ['foo.pyo', '1', '2', '3', '4', '5', '6']
Here, all the internal self-checks using the assert statements are removed, as we can see. Therefore, there's a chance for an application to behave strangely in this case. It is better do raise the Exception explicitly:
import sys
def run():
if not len(sys.argv) == 5:
raise ValueError
print("Argument variables are: ", sys.argv)
run()
Note: During autofix, DeepSource will change the assert statements to if statements raising AssertionError.
This is done to replicate the existing behavior.
References:
- -O flag in python
- -OO flag in python
- Discuss blogpost - Using assert outside tests