SONARPY-2941 Rule S7501: Async functions should not contain input() calls (#257)

GitOrigin-RevId: a7599a3d09c37d4b74b614fc428bb5c019bc7d73

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/InputInAsyncCheck.java

@@ -0,0 +1,103 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.AliasedName;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.ImportName;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.types.v2.TriBool;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+
+@Rule(key = "S7501")
+public class InputInAsyncCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE_TO_THREAD = "Wrap this call to input() with await %s.to_thread(input).";
+  private static final String MESSAGE_TO_THREAD_RUN_SYNC = "Wrap this call to input() with await %s.to_thread.run_sync(input).";
+  private static final String MESSAGE_FALLBACK = "Wrap this call to input() with the appropriate function from the asynchronous library.";
+  private static final String SECONDARY_MESSAGE = "This function is async.";
+
+  private static final String LIB_ASYNCIO = "asyncio";
+  private static final String LIB_TRIO = "trio";
+  private static final String LIB_ANYIO = "anyio";
+
+  private TypeCheckBuilder isInputCall;
+  private final Map<String, String> asyncLibraryAliases = new HashMap<>();
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, ctx -> {
+      isInputCall = ctx.typeChecker().typeCheckBuilder().isTypeWithName("input");
+      asyncLibraryAliases.clear();
+    });
+    context.registerSyntaxNodeConsumer(Tree.Kind.IMPORT_NAME, this::checkImportName);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkInputInAsync);
+  }
+
+  private void checkImportName(SubscriptionContext ctx) {
+    ImportName importName = (ImportName) ctx.syntaxNode();
+    for (AliasedName module : importName.modules()) {
+      List<Name> names = module.dottedName().names();
+      if (names.size() > 1) {
+        continue;
+      }
+      String moduleName = names.get(0).name();
+      Name alias = module.alias();
+      String moduleAlias = alias != null ? alias.name() : moduleName;
+      if (LIB_ASYNCIO.equals(moduleName) || LIB_TRIO.equals(moduleName) || LIB_ANYIO.equals(moduleName)) {
+        asyncLibraryAliases.put(moduleName, moduleAlias);
+      }
+    }
+  }
+
+  private void checkInputInAsync(SubscriptionContext context) {
+    CallExpression callExpression = (CallExpression) context.syntaxNode();
+    Expression callee = callExpression.callee();
+    if (isInputCall.check(callee.typeV2()) != TriBool.TRUE) {
+      return;
+    }
+    TreeUtils.asyncTokenOfEnclosingFunction(callExpression)
+      .ifPresent(asyncKeyword -> {
+        String message = getMessage();
+        context.addIssue(callee, message).secondary(asyncKeyword, SECONDARY_MESSAGE);
+      });
+  }
+
+  private String getMessage() {
+    if (asyncLibraryAliases.size() != 1) {
+      return MESSAGE_FALLBACK;
+    }
+    var library = asyncLibraryAliases.keySet().iterator().next();
+    if (LIB_ASYNCIO.equals(library)) {
+      return String.format(MESSAGE_TO_THREAD, asyncLibraryAliases.get(LIB_ASYNCIO));
+    } else if (LIB_TRIO.equals(library)) {
+      return String.format(MESSAGE_TO_THREAD_RUN_SYNC, asyncLibraryAliases.get(LIB_TRIO));
+    } else {
+      return String.format(MESSAGE_TO_THREAD_RUN_SYNC, asyncLibraryAliases.get(LIB_ANYIO));
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -240,6 +240,7 @@ public Stream<Class<?>> getChecks() {
       InitReturnsValueCheck.class,
       InstanceAndClassMethodsAtLeastOnePositionalCheck.class,
       InstanceMethodSelfAsFirstCheck.class,
+      InputInAsyncCheck.class,
       InvalidOpenModeCheck.class,
       InvalidRegexCheck.class,
       InvariantReturnCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7501.html

@@ -0,0 +1,84 @@
+<p>This rule raises an issue when the built-in <code>input()</code> function is called in an asynchronous function.</p>
+<h2>Why is this an issue?</h2>
+<p>In Python’s asynchronous programming (using <code>asyncio</code>, <code>Trio</code>, or <code>AnyIO</code>), an event loop manages concurrent tasks
+by having them yield control during time-consuming operations, enabling other tasks to run.</p>
+<p>However, the synchronous <code>input()</code> function blocks the current thread until user input is received, and when called from a coroutine, it
+blocks the entire event loop, preventing other tasks from executing and making the application unresponsive - effectively defeating the purpose of
+asynchronous programming for applications requiring concurrent operations or user interaction.</p>
+<h2>How to fix it in Asyncio</h2>
+<p>You can use <code>asyncio.to_thread()</code> to run the <code>input()</code> function in a separate thread.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import asyncio
+
+async def get_name():
+    print("Please enter your name:")
+    name = input() # Noncompliant
+    return name
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import asyncio
+
+async def get_name():
+    print("Please enter your name:")
+    name = await asyncio.to_thread(input) # Compliant
+    return name
+</pre>
+<h2>How to fix it in Trio</h2>
+<p>You can use <code>trio.to_thread.run_sync()</code> to run the <code>input()</code> function in a separate thread.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+import trio
+
+async def get_name():
+    print("Please enter your name:")
+    name = input() # Noncompliant
+    return name
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import trio
+
+async def get_name():
+    print("Please enter your name:")
+    name = await trio.to_thread.run_sync(input) # Compliant
+    return name
+</pre>
+<h2>How to fix it in AnyIO</h2>
+<p>You can use <code>anyio.to_thread.run_sync()</code> to run the <code>input()</code> function in a separate thread.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+import anyio
+
+async def get_name():
+    print("Please enter your name:")
+    name = input() # Noncompliant
+    return name
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+import anyio
+
+async def get_name():
+    print("Please enter your name:")
+    name = await anyio.to_thread.run_sync(input) # Compliant
+    return name
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> Python asyncio - <a href="https://docs.python.org/3/library/asyncio-task.html#asyncio.to_thread">Running in threads</a> </li>
+  <li> Trio - <a href="https://trio.readthedocs.io/en/stable/reference-core.html#trio.to_thread.run_sync">Putting blocking I/O into worker threads</a>
+  </li>
+  <li> AnyIO - <a href="https://anyio.readthedocs.io/en/stable/threads.html#calling-synchronous-code-from-a-worker-thread">Calling synchronous code
+  from a worker thread</a> </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> Python - <a href="https://realpython.com/python-concurrency/">Concurrency and Parallelism in Python</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7501.json

@@ -0,0 +1,26 @@
+{
+  "title": "Async functions should not contain input() calls",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "async",
+    "asyncio",
+    "trio",
+    "anyio"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7501",
+  "sqKey": "S7501",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "LOGICAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -257,6 +257,7 @@
     "S7488",
     "S7491",
     "S7483",
-    "S7488"
+    "S7488",
+    "S7501"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/InputInAsyncCheckTest.java

@@ -0,0 +1,44 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class InputInAsyncCheckTest {
+
+  @Test
+  void testAsyncIO() {
+    PythonCheckVerifier.verify("src/test/resources/checks/inputInAsyncAsyncIO.py", new InputInAsyncCheck());
+  }
+
+  @Test
+  void testTrio() {
+    PythonCheckVerifier.verify("src/test/resources/checks/inputInAsyncTrio.py", new InputInAsyncCheck());
+  }
+
+  @Test
+  void testAnyIO() {
+    PythonCheckVerifier.verify("src/test/resources/checks/inputInAsyncAnyIO.py", new InputInAsyncCheck());
+  }
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/inputInAsync.py", new InputInAsyncCheck());
+  }
+
+}

python-checks/src/test/resources/checks/inputInAsync.py

@@ -0,0 +1,14 @@
+import asyncio, trio, anyio as aio  # noqa: E401
+import asyncio.tasks
+import something_else
+
+
+async def foo():
+    input()  # Noncompliant {{Wrap this call to input() with the appropriate function from the asynchronous library.}}
+
+
+def prevent_optimization():
+    asyncio.run(foo)
+    trio.run(foo())
+    aio.run(foo())
+    something_else.run(foo())