metavariable-regex not working with pattern-inside? #2548
Comments
|
@xmo-odoo thanks for the bug report. Just checking what the priority of this fix is for you and if there are any timelines you're looking for a fix by? |
|
@DrewDennison this is a low priority thing, I'm looking into semgrep and trying to use it personally (in part in order to better understand the quirks of pattern combinations, I don't think my mental model is correct yet) but that's about it. This I decided to report because I spent a while trying to find out what I was doing wrong and a reduced test case showed it didn't seem to be supported (sometimes I can't get a rule to work properly in situ but I can't get the mismatch to trigger in a reduced test case, in those cases I rather assume I am doing something wrong somehow, even if I don't know what). Maybe accessing a metavariable which doesn't exist should trigger an error or something? At least optionally? Or is there a tracing / debugging mode through which it'd be possible to see the flow of an item through a rule? |
It does look like the same issue (just revealing itself in a different context). Should I close this one? Maybe edit the title of #1699 so there's more chance people will find it when searching? Given #2154 it looks like I'm not the only one which missed the original. |
|
Hey @xmo-odoo, After looking into this I understand what's going on. The The bad news is I don't see any code improvements we can make to get around this, the good news is we can create a rule that meets your needs, we just have to be crafty with our More on why we can't make any code improvements: as mentioned above, metavariables are only propagated when they're present in all sub-operators. If this was not the case then Hope this is helpful! Let me know if this solves your problem and/or if there's anything else I can help with. |
|
@mschwager thanks for the example, I'll take a look at it.
I understand the reasoning for |
Hmm, after thinking about it a bit more, I think you're correct that it makes sense to propagate metavariables in some situations. My initial thought is that this propagation makes sense when using I'm trying to think through any obvious bugs that might occur with this change, but, again, I think we're okay due to the conjunctive nature of I think the general flow would be something like:
Thoughts? |
|
Yeah propagating metavariables in patterns and pattern-inside but not in pattern-either makes sense. |
|
Subscribe |
|
@mschwager awesome
That I've not used negative-filtering patterns much yet and thus didn't really think of them when I answered is probably why I had a much more optimistic view than you did. But glad to know it seems to work out in the end. It'd make sense that only "positive" assertions "export" metavariables and negative ones don't, though from what you're writing it feels like semgrep uses metavariables more like unified terms so a negative assertion could theoretically bind a metavar if it was not bound by an other pattern? |
You first need to create a token to access github API. Then you can create a "base" board with ./curl.shell $GITHUB_TOKEN > yesterday.json test plan: ``` $ ./curl.sh $GITHUB_TOKEN > today.json $ ./_build/default/oncall.exe -base yesterday.json today.json To Discuss (UNASSIGNED) - [story] Figma can run `nginx` rules on their codebase and report that the performance was good <semgrep/semgrep-app#1736> () - read timeout on downloading the semgrep config !PRIORITY:HIGH! <#2620> () Unassigned To do Assigned To do - Analyzing the entire Figma codebase with Figma's policies takes less than 5 minutes !PRIORITY:HIGH! <semgrep/semgrep-app#1727> (DrewDennison colleend) - Parser error when parsing obfuscated JavaScript (CLI and Online Rules Editor) !PRIORITY:HIGH! <semgrep/enterprise#572> (underyx) - Negation not working with subexpressions <#2457> (aryx) - Clearly document that metavariables match all expressions, and how to exclude array assignment <#2305> (brendongo) - metavariable-regex not working with pattern-inside? <#2548> (mschwager) - Prevent users from naming two notifications the same thing _without_ sending a Sentry error <semgrep/semgrep-app#1724> (chmccreery) - Make deployment id and org name more visible in UI <semgrep/semgrep-app#1739> (chmccreery) Closed since last email (good job guys!) - [Php] Add ellipsis nested statement feature support <#2622> (aryx) - Go parsed with pfff does not do nested statement matching <#2636> (aryx) - [MacOS] semgrep-core now uses libpcre but is not linked statically in macOS !PRIORITY:HIGH! <#2624> (mjambon brendongo) - [Python] Constant tracking do not follow assignment operators <#2616> (IagoAbal) ```
Yeah the problem with negative assertion is there could be many things to "match" against. E.g. If we're looking for Generally I think it makes sense to propagate metavariables as outlined in my comment above, so I'll go ahead with the implementation 👍 |
* Script to automate the oncall email You first need to create a token to access github API. Then you can create a "base" board with ./curl.shell $GITHUB_TOKEN > yesterday.json test plan: ``` $ ./curl.sh $GITHUB_TOKEN > today.json $ ./_build/default/oncall.exe -base yesterday.json today.json To Discuss (UNASSIGNED) - [story] Figma can run `nginx` rules on their codebase and report that the performance was good <semgrep/semgrep-app#1736> () - read timeout on downloading the semgrep config !PRIORITY:HIGH! <#2620> () Unassigned To do Assigned To do - Analyzing the entire Figma codebase with Figma's policies takes less than 5 minutes !PRIORITY:HIGH! <semgrep/semgrep-app#1727> (DrewDennison colleend) - Parser error when parsing obfuscated JavaScript (CLI and Online Rules Editor) !PRIORITY:HIGH! <semgrep/enterprise#572> (underyx) - Negation not working with subexpressions <#2457> (aryx) - Clearly document that metavariables match all expressions, and how to exclude array assignment <#2305> (brendongo) - metavariable-regex not working with pattern-inside? <#2548> (mschwager) - Prevent users from naming two notifications the same thing _without_ sending a Sentry error <semgrep/semgrep-app#1724> (chmccreery) - Make deployment id and org name more visible in UI <semgrep/semgrep-app#1739> (chmccreery) Closed since last email (good job guys!) - [Php] Add ellipsis nested statement feature support <#2622> (aryx) - Go parsed with pfff does not do nested statement matching <#2636> (aryx) - [MacOS] semgrep-core now uses libpcre but is not linked statically in macOS !PRIORITY:HIGH! <#2624> (mjambon brendongo) - [Python] Constant tracking do not follow assignment operators <#2616> (IagoAbal) ``` * Report new semgrep issues not in the customer board Report also issues not updated since last time * Fix CI, follow semgrep recommendations or skip file * Adding more documentation
nbrahms
added
bug
* Add metavariable propagation within 'patterns' Fixes #2548. * Fix snapshot tests * Stabilize evaluation ordering
|
Hey @xmo-odoo, you're rule matches now! https://semgrep.dev/s/8ykq?version=0.42.0 |
|
@mschwager awesome! Thanks ❤️ |
|
I think there is no need to propagate metavariables during the match; we just need to AND the metavariable-regexp with the relevant patterns; |
|
I think this was a simple solution that didn't need any change to the engine: https://semgrep.dev/s/Doq2/ just group the metavariable-regexp with a nested patterns: |
Not entirely sure why, but that rule errors out in |
When using
pattern-insideandmetavariable-regexwhich tries to filter one of thepattern-inside's metavariables, the match seems to never happen https://semgrep.dev/s/8ykqThe intent is to match all methods which are "public" (not starting with
_) and use a barereturnor areturn None. Commenting themetavariable-regex, all methods with the return are matched (including those we want to exclude).Duplicating the
pattern-insideso the metavariables are extracted from apattern, things work as expected: https://semgrep.dev/s/gLGxThe problem with the workaround is that I also want to match functions which don't return (and thus have an implicit
return None), but I don't see how I could match apattern-not: return $Xinside a method with the proper name.The text was updated successfully, but these errors were encountered: