Fix B615 false positive when revision is set via variable (#1358)

Fridayai700 · claude · web-flow · commit 8f2f9284fca8 · 2026-02-22T16:30:37.000-08:00
Fix B615 false positive when revision is a variable or expression When `revision` or `commit_id` is passed as a variable, attribute, subscript, or other non-literal expression, `get_call_arg_value()` cannot resolve the actual value. This caused false positives because the check treated unresolvable values as missing. Inspect the raw AST keywords before calling `get_call_arg_value()`. If a `revision` or `commit_id` keyword has a non-Constant value (Name, Attribute, Subscript, Call, etc.), give the user the benefit of the doubt and suppress the warning. Fixes #1345 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/bandit/plugins/huggingface_unsafe_download.py b/bandit/plugins/huggingface_unsafe_download.py
@@ -59,6 +59,7 @@
 .. versionadded:: 1.8.6
 
 """
+import ast
 import string
 
 import bandit
@@ -113,7 +114,19 @@ def huggingface_unsafe_download(context):
     if not any(module in qualname_parts for module in required_modules):
         return
 
-    # Check for revision parameter (the key security control)
+    # Check for revision parameter (the key security control).
+    # First, check the raw AST to see if a revision/commit_id keyword was
+    # passed as a non-literal expression (variable, attribute, subscript,
+    # function call, etc.).  In those cases we cannot statically determine
+    # the value, so we give the user the benefit of the doubt.
+    call_node = context._context.get("call")
+    if call_node is not None:
+        for kw in getattr(call_node, "keywords", []):
+            if kw.arg in ("revision", "commit_id") and not isinstance(
+                kw.value, ast.Constant
+            ):
+                return
+
     revision_value = context.get_call_arg_value("revision")
     commit_id_value = context.get_call_arg_value("commit_id")
 
diff --git a/examples/huggingface_unsafe_download.py b/examples/huggingface_unsafe_download.py
@@ -147,3 +147,18 @@
     repo_id="org/model_name",
     revision="5d0f2e8a7f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
 )
+
+
+# Example #24: Revision passed as a variable (can't be statically checked)
+MODEL_REVISION = "548fc3543a"
+safe_model_variable = AutoModel.from_pretrained(
+    "org/model_name",
+    revision=MODEL_REVISION
+)
+
+# Example #25: Revision from a dict/subscript access
+config = {"revision": "abc1234567"}
+safe_model_subscript = AutoModel.from_pretrained(
+    "org/model_name",
+    revision=config["revision"]
+)
