Aug. 5, 2021
11:40 a.m.
On Thu, Aug 5, 2021 at 1:50 AM Guido van Rossum <guido@python.org> wrote:
I think you are looking for the concept named “tainting” in other languages.
Guido: No, I wasn't looking for full-fledged taint analysis for finding security vulnerabilities. (We do that with Pysa [1], for example :) ) Format strings, explicit database queries, etc. are places where we simply don't want to allow any non-literals. As Jelle had pointed out, people already write ad hoc tools to check for literalness. I think the concept of arbitrary literal strings gives us a simple, readable way to express our intentions. [1]: https://pyre-check.org/docs/pysa-basics -- S Pradeep Kumar