r2c-best-practices
r2cA collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Run Locally
Rules (134)
returntocorpFunction $F mutates default dict $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new dictionary at that time. For example: `if $D is None: $D = {}`.
returntocorpFunction $F mutates default list $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new list at that time. For example: `if $D is None: $D = []`.
returntocorpIt appears that `$DICT[$KEY]` is a dict with items being deleted while in a for loop. This is usually a bad idea and will likely lead to a RuntimeError: dictionary changed size during iteration
returntocorpThis expression is always True: `$X == $X` or `$X != $X`. If testing for floating point NaN, use `math.isnan($X)`, or `cmath.isnan($X)` if the number is complex.
returntocorpUsing '$F.name' without '.flush()' or '.close()' may cause an error because the file may not exist when '$F.name' is used. Use '.flush()' or close the file before using '$F.name'.
returntocorpif block checks for the same condition on both branches (`$X`)
returntocorpkey `$X` is uselessly assigned twice
returntocorpDetected useless if statement. 'if (True)' and 'if (False)' always result in the same behavior, and therefore is not necessary in the code. Remove the 'if (False)' expression completely or just the 'if (True)' comparison depending on which expression is in the code.
returntocorpFound string comparison using 'is' operator. The 'is' operator is for reference equality, not value equality, and therefore should not be used to compare strings. For more information, see https://github.com/satwikkansal/wtfpython#-how-not-to-use-is-operator"
returntocorpIt appears that `$LIST` is a list that is being modified while in a for loop. This will likely cause a runtime error or an infinite loop.
returntocorpUsing strings as booleans in Python has unexpected results. `"one" and "two"` will return "two". `"one" or "two"` will return "one". In Python, strings are truthy, and strings with a non-zero length evaluate to True.
returntocorpDetected identical statements in the if body and the else body of an if-statement. This will lead to the same code being executed no matter what the if-expression evaluates to. Instead, remove the if statement.
returntocorpDetected an if block that checks for the same condition on both branches (`$X`). The second condition check is useless as it is the same as the first, and therefore can be removed from the code,
returntocorp`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). To test if `$X` is not-a-number, use `Double.isNaN($X)`.
returntocorpIn Python 'X is not ...' is different from 'X is (not ...)'. In the latter the 'not' converts the '...' directly to boolean.
returntocorpStrings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead.
returntocorp`return` should never appear inside a class __init__ function. This will cause a runtime error.
returntocorp`yield` should never appear inside a class __init__ function. This will cause a runtime error.
returntocorpDetected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.
returntocorpThis is not checking the return value of this subprocess call; if it fails no exception will be raised. Consider subprocess.check_call() instead
returntocorpFound identical comparison using is. Ensure this is what you intended.
returntocorpIn Python3, a runtime `TypeError` will be thrown if you attempt to raise an object or class which does not inherit from `BaseException`
returntocorpDetected use of `exit`. Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper for the interactive shell and may not be available on all Python implementations.
returntocorpDetected strings that are implicitly concatenated inside a list. Python will implicitly concatenate strings when not explicitly delimited. Was this supposed to be individual elements of the list?
returntocorpDetected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'.
returntocorpUse tempfile.NamedTemporaryFile instead. From the official Python documentation: THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch.
returntocorpnull=True should be set if blank=True is set on non-text fields.
returntocorpIf a text field declares unique=True and blank=True, null=True must also be set to avoid unique constraint violations when saving multiple objects with blank values.
returntocorpUse JsonResponse instead
returntocorpLooks like you need to determine the number of records. Django provides the count() method which is more efficient than .len(). See https://docs.djangoproject.com/en/3.0/ref/models/querysets/
returntocorpLooks like you are only accessing first element of an ordered QuerySet. Use `latest()` or `earliest()` instead. See https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.latest
returntocorpYou are using environment variables inside django app. Use `django-environ` as it a better alternative for deployment.
returntocorpClass $C inherits from both `$A` and `$B` which both have a method named `$F`; one of these methods will be overwritten.
returntocorpValues returned by thread pool map must be read in order to raise exceptions. Consider using `for _ in $EXECUTOR.map(...): pass`.
returntocorpDetected a file object that is redefined and never closed. This could leak file descriptors and unnecessarily consume system resources.
returntocorppdb is an interactive debugging tool and you may have forgotten to remove it before committing your code
returntocorpThe file object '$FD' was opened in read mode, but is being written to. This will cause a runtime error.
returntocorpAccessing request object inside a route handle for HTTP GET command will throw due to missing request body.
returntocorpflask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes
returntocorpDetected a django model `$MODEL` is not calling super().save() inside of the save method.
returntocorpLooks like `$R` is a flask function handler that registered to two different routes. This will cause a runtime error
returntocorp.delete().where(...) results in a no-op in SQLAlchemy unless the command is executed, use .filter(...).delete() instead.
returntocorpUse `click.secho($X)` instead. It combines click.echo() and click.style().
returntocorpThe host argument to assertRedirects is removed in Django 2.0.
returntocorpThe assignment_tag helper is removed in Django 2.0.
returntocorpdjango.db.backends.base.BaseDatabaseOperations.check_aggregate_support() is removed in Django 2.0.
returntocorpThe django.forms.extras package is removed in Django 2.0.
returntocorpThe weak argument to django.dispatch.signals.Signal.disconnect() is removed in Django 2.0.
returntocorpYou should use ITEM.user_id rather than ITEM.user.id to prevent running an extra query.
returntocorpdeprecated Flask API
returntocorpRather than adding one element at a time, consider batch loading to improve performance.
returntocorpUsing QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.
returntocorpmanually creating a counter - use collections.Counter
returntocorpmanually creating a defaultdict - use collections.defaultdict(dict)
returntocorpmanually creating a defaultdict - use collections.defaultdict(list)
returntocorpmanually creating a defaultdict - use collections.defaultdict(set)
returntocorpClass `$A` has defined `__eq__` which means it should also have defined `__hash__`;
returntocorpfile object opened without corresponding close
returntocorp`pass` is the body of function $X. Consider removing this or raise NotImplementedError() if this is a TODO
returntocorp`pass` is the body of for $X in $Y. Consider removing this or raise NotImplementedError() if this is a TODO
returntocorpImporting the python debugger; did you mean to leave this in?
returntocorptime.sleep() call; did you mean to leave this in?
returntocorpthe `errors` argument to Popen is only available on Python 3.6+
returntocorpthe `encoding` argument to Popen is only available on Python 3.6+
returntocorpthis function is only available on Python 3.6+
returntocorpthis function is only available on Python 3.7+
returntocorpFound usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.
returntocorpFound usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.
returntocorpsource_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.
returntocorpFound 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.
returntocorpFound usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.
returntocorpIPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.
returntocorpIPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'.
returntocorpIPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.
returntocorpIPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'.
returntocorpFound usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument.
returntocorpmath.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.
returntocorpmultiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join().
returntocorpmultiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().
returntocorpos.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().
returntocorpos.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().
returntocorppdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.
returntocorpFound usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.
returntocorpcode after return statement will not be executed
returntocorp`return` only makes sense inside a function
returntocorpkey `$Y` in `$X` is assigned twice; the first assignment is useless
returntocorpUseless if statement; both blocks have the same body
returntocorpfunction `$FF` is defined inside a function but never used
returntocorp`$X` is uselessly assigned twice inside the creation of the set
returntocorpAvoid using null on string-based fields such as CharField and TextField. If a string-based field has null=True, that means it has two possible values for "no data": NULL, and the empty string. In most cases, it's redundant to have two possible values for "no data;" the Django convention is to use the empty string, not NULL.
returntocorpUse 'django.db.models.OneToOneField' instead of 'ForeignKey' with unique=True. 'OneToOneField' is used to create one-to-one relationships.
returntocorpDetected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead.
returntocorpYou probably want the structural inequality operator =
returntocorpYou probably want the structural inequality operator <>
returntocorpThis is always true. If testing for floating point NaN, use `Float.is_nan` instead.
returntocorpUseless if. Both branches are equal.
returntocorpUseless let
returntocorpYou should probably use Filename.get_temp_dirname().
returntocorpThere's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.
returntocorpDetected conversion of the result of a strconv.Atoi command to an int16. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`.
returntocorpDetected conversion of the result of a strconv.Atoi command to an int32. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`.
returntocorpDetected file permissions that are set to more than `0600` (user/owner can read and write). Setting file permissions to higher than `0600` is most likely unnecessary and violates the principle of least privilege. Instead, set permissions to be `0600` or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile
returntocorpDetected useless comparison operation `$X == $X` or `$X != $X`. This will always return 'True' or 'False' and therefore is not necessary. Instead, remove this comparison operation or use another comparison expression that is not deterministic.
returntocorpThe value of `$X` is being ignored and will be used in the conditional test
returntocorpThis if statement will always have the same behavior and is therefore unnecessary.
returntocorpFound a FloatField used for variable $F. Use DecimalField for currency fields to avoid float-rounding errors.
returntocorpComparison to boolean. Just use `not $X`
returntocorpComparison to boolean. Just use `$X`
returntocorpYou should not use Hashtbl.find outside of a try, or you should use Hashtbl.find_opt
returntocorpBackwards if. Rewrite the code as 'if not $E then $E2'.
returntocorpUseless else. Just remove the else branch;
returntocorpYou should not use List.find outside of a try, or you should use List.find_opt
returntocorpYou should use `decr`
returntocorpYou should use `incr`
returntocorpUse instead `Str.first_chars`
returntocorpUse instead `Str.last_chars`
returntocorpUse instead `Str.string_after`
returntocorpUseless sprintf
returntocorpPervasives is deprecated and will not be available after 4.10. Use Stdlib.
returntocorpYou probably want $X = [], which is faster.
returntocorpYou probably want $X <> [], which is faster.
returntocorp`$X` is assigned twice; the first assignment is useless
returntocorpUnsafe usage of mutable initializer with attr.s decorator. Multiple instances of this class will re-use the same data structure, which is likely not the desired behavior. Consider instead: replace assignment to mutable initializer (ex. dict() or {}) with attr.ib(factory=type) where type is dict, set, or list
returntocorpOnly comparison operators should be used inside SQLAlchemy filter expressions. Use `==` instead of `is`, `!=` instead of `is not`, `sqlalchemy.and_` instead of `and`, `sqlalchemy.or_` instead of `or`, `sqlalchemy.not_` instead of `not`, and `sqlalchemy.in_` instead of `in_`.
returntocorp`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.
returntocorpfound alert() call; should this be in production code?
returntocorpfound confirm() call; should this be in production code?
returntocorpfound debugger call; should this be in production code?
returntocorpfound prompt() call; should this be in production code?
returntocorpThese APIs are deprecated in Bokeh see https://docs.bokeh.org/en/latest/docs/releases.html#api-deprecations
returntocorpFlask class method GET with side effects
returntocorpThe string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)
returntocorpDetected a channel guarded with a mutex. Channels already have an internal mutex, so this is unnecessary. Remove the mutex. See https://hackmongo.com/page/golang-antipatterns/#guarded-channel for more information.
returntocorpDetected a hidden goroutine. Function invocations are expected to synchronous, and this function will execute asynchronously because all it does is call a goroutine. Instead, remove the internal goroutine and call the function using 'go'.