Closed
Labels: bug (Something isn't working), rule (Implementing or modifying a lint rule)
Description
Summary
As the value of a shell argument, subprocess-popen-with-shell-equals-true (S602), call-with-shell-equals-true (S604), and unix-command-wildcard-injection (S609) treat a dictionary display as truthy when its elements are all double-starred non-name expressions, but a non-name expression can evaluate to an empty mapping, so the shell value might actually be falsey. These rules should check the truthiness of the double-starred expressions, or they should treat them as having unknown truthiness. Example:
$ cat >s60.py <<'# EOF'
import subprocess
subprocess.Popen(["chmod", "777", "*.py"], shell={**{}})
dict(shell={**{}})
# EOF
$ ruff --isolated check s60.py --select S602,S604,S609 --output-format concise -q
s60.py:2:1: S602 `subprocess` call with truthy `shell` identified, security issue
s60.py:2:18: S609 Possible wildcard injection in call due to `*` usage
s60.py:3:1: S604 Function call with truthy `shell` parameter identified, security issue
Version
ruff 0.12.9 (ef42246 2025-08-14)
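The truthiness analysis the report asks for, as an added example written against Python's `ast` module (this is illustrative code, not ruff's implementation): a dict display is known truthy only if it carries an explicit key or a `**` operand that is itself known truthy, known falsy only if every `**` operand is known falsy, and otherwise of unknown truthiness. `check_source` runs it over a constructed copy of the issue's `s60.py`.

```python
import ast
from typing import Optional

def dict_truthiness(node: ast.expr) -> Optional[bool]:
    """True/False when the value's truthiness is statically known, None when
    it depends on runtime values (e.g. `{**cfg}` with `cfg` a name)."""
    if isinstance(node, ast.Constant):
        return bool(node.value)
    if isinstance(node, ast.Dict):
        unknown = False
        for key, value in zip(node.keys, node.values):
            if key is not None:
                # An explicit `key: value` pair guarantees a non-empty dict.
                return True
            # key is None for a `**value` element: it only adds entries if
            # `value` is non-empty, which we can decide only recursively.
            inner = dict_truthiness(value)
            if inner is True:
                return True
            if inner is None:
                unknown = True
        # All elements were `**` operands: falsy if each is known falsy.
        return None if unknown else False
    # Names, calls, attribute accesses, etc. are not resolved here.
    return None

def truthiness_of(expr_source: str) -> Optional[bool]:
    """Helper: evaluate the analysis on a single expression string."""
    return dict_truthiness(ast.parse(expr_source, mode="eval").body)

def shell_arg_truthiness(call: ast.Call) -> Optional[bool]:
    """Truthiness of the `shell=` keyword; absent means the default False."""
    for kw in call.keywords:
        if kw.arg == "shell":
            return dict_truthiness(kw.value)
    return False

def check_source(source: str) -> list[tuple[int, Optional[bool]]]:
    """(line, shell truthiness) for every call in `source`, in source order."""
    tree = ast.parse(source)
    return [(n.lineno, shell_arg_truthiness(n))
            for n in ast.walk(tree) if isinstance(n, ast.Call)]

# Constructed sample mirroring the s60.py from the report.
SAMPLE = (
    "import subprocess\n"
    'subprocess.Popen(["chmod", "777", "*.py"], shell={**{}})\n'
    "dict(shell={**{}})\n"
)
```

With this analysis both calls in the sample resolve to a falsy `shell` value, so S602/S604 would not fire; a `{**cfg}` argument resolves to unknown, where a rule has to decide whether to report.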