Return values of methods and functions should always be checked to ensure operations have been performed correctly.
When immutable objects are used, methods that aim to modify them have to create a new object with the desired change and return it. For the result of such a method to take effect, the developer must remember to assign the returned value to a variable; otherwise it is not accessible. Return values can also be used to signal unexpected behaviour by returning specific values (such as `None` or other default values) that require additional safety checks.
This non-compliant code example shows a common mistake when trying to update an immutable object. Since `str` is an immutable type, `str.replace()` creates a new `str` object with the desired change [Python Docs - str.replace]. This object must then be assigned, typically in place of the original string. If it is not, the new value remains unused.
```python
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
""" Non-compliant Code Example """


def silly_string(user_input):
    """Function that changes the content of a string"""
    user_input.replace("un", "very ")
    return user_input


#####################
# exploiting above code example
#####################
print(silly_string("unsafe string"))
```
Despite calling `silly_string()`, “unsafe string” is printed instead of the expected “very safe string”, as the return value of `str.replace()` has been ignored.
This compliant solution correctly returns the value from `str.replace()` and then prints it:
```python
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
""" Compliant Code Example """


def silly_string(user_input):
    """Function that changes the content of a string"""
    return user_input.replace("un", "very ")


#####################
# exploiting above code example
#####################
print(silly_string("unsafe string"))
```
Return values are also important when they are used as an alternative to raising exceptions. `str.find()`, unlike `str.index()`, returns -1 [Python Docs - str.find] instead of raising a `ValueError` [Python Docs - str.index] when it cannot find the given sub-string.
This non-compliant code example shows that using the unchecked -1 as an index points at the last element of the string, whatever that element is, because negative indices are valid in Python.
```python
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
""" Non-compliant Code Example """


def find_in_string(full_string, sub_string):
    """Function that searches for a sub-string in a given string"""
    index = full_string.find(sub_string)
    print(f"Sub-string '{sub_string}' appears in '{full_string}' at index {index}")


#####################
# exploiting above code example
#####################
my_string = "Secure Python coding"
find_in_string(my_string, "Python")
find_in_string(my_string, "I'm evil")
```
Even though `I'm evil` is clearly not a part of “Secure Python coding”, the `find_in_string()` function will suggest otherwise.
Since `str.find()` indicates that the sub-string could not be found with a negative index, a simple `if` check is enough to tackle the issue from the previous code example.
```python
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
""" Compliant Code Example """


def find_in_string(full_string, sub_string):
    """Function that searches for a sub-string in a given string"""
    index = full_string.find(sub_string)
    if index >= 0:
        print(f"Sub-string '{sub_string}' appears in '{full_string}' at index {index}")
    else:
        print(f"There is no '{sub_string}' in '{full_string}'")


#####################
# exploiting above code example
#####################
my_string = "Secure Python coding"
find_in_string(my_string, "Python")
find_in_string(my_string, "I'm evil")
```
Now, the latter print will correctly indicate the absence of `I'm evil` in `Secure Python coding`.
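As an added example (not part of the OpenSSF guide), the two mistakes above applied to a small, constructed header parser and sanitizer: an unchecked `str.find()` result silently mis-parses a line with no separator, and a `str.replace()` sanitizer whose result is discarded changes nothing. The function names and sample inputs are assumptions for illustration.

```python
"""Added example (not from the OpenSSF guide): consequences of ignoring the
return values of str.find() and str.replace() in a tiny header parser."""
from typing import Optional, Tuple


def parse_header_unchecked(line: str) -> Tuple[str, str]:
    """Non-compliant: the -1 that str.find() returns for a missing ':'
    is used as a slice index without being checked."""
    sep = line.find(":")
    # With sep == -1 this evaluates line[:-1] and line[0:], so a line with
    # no separator is quietly mis-parsed instead of being rejected.
    return line[:sep].strip(), line[sep + 1:].strip()


def parse_header_checked(line: str) -> Optional[Tuple[str, str]]:
    """Compliant: the return value of str.find() is checked before use."""
    sep = line.find(":")
    if sep < 0:
        return None  # caller must handle the "not found" case explicitly
    return line[:sep].strip(), line[sep + 1:].strip()


def sanitize_unchecked(value: str) -> str:
    """Non-compliant: str is immutable, so the object replace() creates is
    dropped and the original (still containing CR/LF) is returned."""
    value.replace("\r", "").replace("\n", "")
    return value


def sanitize_checked(value: str) -> str:
    """Compliant: return the new object that replace() creates."""
    return value.replace("\r", "").replace("\n", "")


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed header line, one without ':'
    for line in ("Content-Type: text/html", "no separator here"):
        print(parse_header_unchecked(line), parse_header_checked(line))
    print(repr(sanitize_unchecked("a\r\nb")), repr(sanitize_checked("a\r\nb")))
```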
Tool | Version | Checker | Description |
---|---|---|---|
Bandit | 1.7.4 on Python 3.10.4 | Not Available | |
Flake8 | 8-4.0.1 on Python 3.10.4 | Not Available | |

Source | Related guideline |
---|---|
MITRE CWE | Pillar: CWE-703: Improper Check or Handling of Exceptional Conditions (4.13) (mitre.org) |
MITRE CWE | Base: CWE-252: Unchecked Return Value |
SEI CERT Coding Standard for Java | EXP00-J. Do not ignore values returned by methods |
SEI CERT C Coding Standard | EXP12-C. Do not ignore values returned by functions |
ISO/IEC TR 24772:2019 | Passing Parameters and Return Values [CSJ] |

Reference | Bibliography |
---|---|
[Python Docs - str.replace], [Python Docs - str.find], [Python Docs - str.index] | Python Software Foundation. (2025). Built-in Types [online]. Available from: https://docs.python.org/3.9/library/stdtypes.html [accessed 17 June 2025] |