ID: py/implicit-string-concatenation-in-list
Kind: problem
Security severity:
Severity: warning
Precision: high
Tags:
- quality
- maintainability
- readability
- external/cwe/cwe-665
Query suites:
- python-code-quality.qls
- python-security-and-quality.qls
When two string literals abut each other, the Python interpreter implicitly concatenates them into a single string. On occasion this can be useful, but it is more commonly misleading or incorrect.
Recommendation
If the concatenation is deliberate, then use + to join the strings. This has no runtime overhead, and makes the intention clear.
Example
In the first function below, unclear, implicit string concatenation is used twice: once deliberately and once by accident. In the second function, clarified, the first concatenation is made explicit and the second is removed.
def unclear():
    # Returns [ "first part of long string and the second part", "/usr/local/usr/bin" ]
    return [
        "first part of long string"
        " and the second part",
        "/usr/local" "/usr/bin"
    ]

def clarified():
    # Returns [ "first part of long string and the second part", "/usr/local", "/usr/bin" ]
    return [
        "first part of long string" + " and the second part",
        "/usr/local",
        "/usr/bin"
    ]
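The following is an added example, not code from the CodeQL repository or from this query: a simplified, stand-alone check that finds the same pattern in a Python source file. Because the parser has already merged adjacent literals by the time an AST exists, the check walks the token stream instead, looking for two STRING tokens with nothing but line breaks or comments between them, and uses a stack of open brackets to tell whether the junction sits directly inside a list display. The sample sources are constructed from the page's own unclear and clarified functions; the function names, the handling of f-strings (not covered) and the output format are this example's assumptions, not the query's.

```python
import io
import tokenize

# Constructed sample inputs, modelled on the page's unclear() and clarified().
UNCLEAR_SOURCE = '''\
def unclear():
    return [
        "first part of long string"
        " and the second part",
        "/usr/local" "/usr/bin"
    ]
'''

CLARIFIED_SOURCE = '''\
def clarified():
    return [
        "first part of long string" + " and the second part",
        "/usr/local",
        "/usr/bin"
    ]
'''

OPENERS = {"[", "(", "{"}
CLOSERS = {"]": "[", ")": "(", "}": "{"}


def find_implicit_concatenations(source):
    """Return (line, column, inside_list) for every junction where one string
    literal directly follows another.

    Two STRING tokens separated only by NL/COMMENT tokens form one implicit
    concatenation; a NEWLINE token ends the logical line and so breaks the
    pair. The bracket stack records whether the junction is directly inside
    a list display, the case this query targets. Assumption/limitation:
    f-strings (tokenized as FSTRING_* tokens on Python 3.12+) are not covered.
    """
    findings = []
    open_brackets = []
    prev = None  # last token that was neither a line break nor a comment
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in (tokenize.NL, tokenize.COMMENT):
            continue  # a line break inside brackets does not end the expression
        if tok.type == tokenize.OP:
            if tok.string in OPENERS:
                open_brackets.append(tok.string)
            elif tok.string in CLOSERS and open_brackets:
                open_brackets.pop()
        if (tok.type == tokenize.STRING and prev is not None
                and prev.type == tokenize.STRING):
            inside_list = bool(open_brackets) and open_brackets[-1] == "["
            findings.append((tok.start[0], tok.start[1], inside_list))
        prev = tok
    return findings


def report(source, name):
    """Print findings for one snippet in a linter-style format; return the count."""
    findings = find_implicit_concatenations(source)
    for line, col, inside_list in findings:
        where = "inside a list" if inside_list else "outside a list"
        print(f"{name}:{line}:{col}: implicit string concatenation {where}")
    return len(findings)


if __name__ == "__main__":
    report(UNCLEAR_SOURCE, "unclear.py")      # two findings, both inside the list
    report(CLARIFIED_SOURCE, "clarified.py")  # no findings: '+' separates the literals
```

Replacing the accidental junction with a comma, or the deliberate one with +, puts an OP token between the two literals, so the check goes quiet for exactly the same reason the interpreter stops merging them.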
References
Python language reference: String literal concatenation.
Common Weakness Enumeration: CWE-665.