diff --git a/Pipfile b/Pipfile index a7a292cc8c..3367bca2db 100644 --- a/Pipfile +++ b/Pipfile @@ -4,7 +4,7 @@ url = "https://pypi.org/simple" verify_ssl = true [dev-packages] -jinja2 = "~=3.1.3" +jinja2 = "~=3.1.4" pytest = "*" semgrep = "*" pyyaml = "*" diff --git a/Pipfile.lock b/Pipfile.lock index e8bb09e9b3..3b4275666c 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "762f3c7cbb0a3ecd999e7b644a02421c6132ab10439b5eb9a2531519c86351b9" + "sha256": "d1c4d570ba8e1837ab876d9ac9bbd71c2463c3ca16501a5bb380c8ead66baa40" }, "pipfile-spec": 6, "requires": { @@ -279,11 +279,12 @@ }, "tqdm": { "hashes": [ - "sha256:d302b3c5b53d47bce91fea46679d9c3c6508cf6332229aa1e7d8653723793386", - "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7" + "sha256:23097a41eba115ba99ecae40d06444c15d1c0c698d527a01c6c8bd1c5d0647e5", + "sha256:4f41d54107ff9a223dca80b53efe4fb654c67efaba7f47bada3ee9d50e05bd53" ], + "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==4.66.1" + "version": "==4.66.3" }, "urllib3": { "hashes": [ @@ -434,12 +435,12 @@ }, "jinja2": { "hashes": [ - "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa", - "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" + "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369", + "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==3.1.3" + "version": "==3.1.4" }, "jsonschema": { "hashes": [ 
@@ -450,69 +451,69 @@ }, "markupsafe": { "hashes": [ - "sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e", - "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e", - "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431", - "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686", - "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c", - "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559", - "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc", - "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb", - "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939", - "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c", - "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0", - "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4", - "sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9", - "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575", - "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba", - "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d", - "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd", - "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3", - "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00", - "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155", - "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac", - "sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52", - "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f", - "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8", - "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b", - 
"sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007", - "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24", - "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea", - "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198", - "sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0", - "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee", - "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be", - "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2", - "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1", - "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707", - "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6", - "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c", - "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58", - "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823", - "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779", - "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636", - "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c", - "sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad", - "sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee", - "sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc", - "sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2", - "sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48", - "sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7", - "sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e", - "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b", - "sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa", 
- "sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5", - "sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e", - "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb", - "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9", - "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57", - "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc", - "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc", - "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2", - "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11" + "sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf", + "sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff", + "sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f", + "sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3", + "sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532", + "sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f", + "sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617", + "sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df", + "sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4", + "sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906", + "sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f", + "sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4", + "sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8", + "sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371", + "sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2", + "sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465", + 
"sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52", + "sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6", + "sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169", + "sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad", + "sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2", + "sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0", + "sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029", + "sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f", + "sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a", + "sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced", + "sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5", + "sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c", + "sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf", + "sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9", + "sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb", + "sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad", + "sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3", + "sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1", + "sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46", + "sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc", + "sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a", + "sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee", + "sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900", + "sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5", + "sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea", + "sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f", 
+ "sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5", + "sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e", + "sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a", + "sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f", + "sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50", + "sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a", + "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b", + "sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4", + "sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff", + "sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2", + "sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46", + "sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b", + "sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf", + "sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5", + "sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5", + "sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab", + "sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd", + "sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68" ], "markers": "python_version >= '3.7'", - "version": "==2.1.3" + "version": "==2.1.5" }, "packaging": { "hashes": [ diff --git a/README.md b/README.md index 2e33554bd7..3500e141b8 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,34 @@ # semgrep-rules -[![powered by semgrep](https://img.shields.io/badge/powered%20by-semgrep-1B2F3D?labelColor=lightgrey&link=https://semgrep.live/&style=flat-square&logo=data%3Aimage%2Fpng%3Bbase64%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)](https://semgrep.dev/) -[![Semgrep community slack](https://img.shields.io/badge/slack-join-green?style=flat-square)](https://go.semgrep.dev/slack) +[![powered by semgrep](https://img.shields.io/badge/powered%20by%20semgrep-2ACFA6)](https://semgrep.dev/) + +Join Semgrep community Slack + -| branch | using semgrep docker image | test status | -| ------------ | ------------------------ | -------------------- | -| `develop` | `returntocorp/semgrep:develop` | [![semgrep-rules-test-develop](https://github.com/returntocorp/semgrep-rules/workflows/semgrep-develop/badge.svg)](https://github.com/returntocorp/semgrep-rules/actions?query=workflow%3Asemgrep-develop+branch%3Adevelop) | +Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules. -Welcome! This repository is the standard library for [Semgrep](https://semgrep.dev/) rules. There are many more rules available in the [Semgrep Registry](https://semgrep.dev/explore) written by [Semgrep, Inc.](https://semgrep.dev/) and other contributors. The [Semgrep Registry](https://semgrep.dev/explore) includes rules from this repository and additional rules that are accessible within [Semgrep Cloud Platform](https://semgrep.dev/pricing). If there is a specific rule you are looking for, see the [Semgrep registry search](https://semgrep.dev/r). To contribute, find details about contributing in the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. 
+In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis. -## Using Semgrep rules repository +- Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). +- Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login) +- Contribute to rules: see [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) for more information. -Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep App. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). +## Using the Semgrep rules repository + +To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://semgrep.dev/learn) and [Writing rules](https://semgrep.dev/docs/writing-rules/overview/). Then, run existing and custom Semgrep rules locally with the [Semgrep command line interface (Semgrep CLI)](https://semgrep.dev/docs/getting-started/) or [continuously with Semgrep in CI while using Semgrep AppSec Platform](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). + +## Writing Semgrep rules + +See [Writing rules](https://semgrep.dev/docs/writing-rules/overview/) for information including: + +- Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables. +- Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. 
The syntax allows the composition of individual patterns with boolean operators. + +You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn). ## Contributing -We welcome Semgrep rule contributions directly to this repository! When you submit your contribution to the `semgrep-rules` repository we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). +We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation. 
@@ -29,8 +42,7 @@ Join [Slack](https://go.semgrep.dev/slack) for the fastest answers to your quest ### GitHub action to run tests -If you fork this repository or create your own, you can add a special [semgrep --rules-test](https://github.com/marketplace/actions/semgrep-rules-test) GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). +If you fork this repository or create your own, you can add a GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test example](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). ### Rulesets diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.go b/go/gorilla/security/audit/session-cookie-samesitenone.go new file mode 100644 index 0000000000..56b52c7906 --- /dev/null +++ b/go/gorilla/security/audit/session-cookie-samesitenone.go 
@@ -0,0 +1,40 @@
+package main
+
+import (
+ "net/http"
+ "github.com/gorilla/sessions"
+)
+
+var store = sessions.NewCookieStore([]byte(""))
+
+func setSessionWithSameSiteNone(w http.ResponseWriter, r *http.Request) {
+ session, _ := store.Get(r, "session-name")
+ // ruleid: session-cookie-samesitenone
+ session.Options = &sessions.Options{
+ Path: "/",
+ MaxAge: 3600,
+ HttpOnly: true,
+ Secure: true,
+ SameSite: http.SameSiteNoneMode,
+ }
+ session.Save(r, w)
+}
+
+func setSessionWithSameSiteStrict(w http.ResponseWriter, r *http.Request) {
+ session, _ := store.Get(r, "session-name")
+ // ok: session-cookie-samesitenone
+ session.Options = &sessions.Options{
+ Path: "/",
+ MaxAge: 3600,
+ HttpOnly: true,
+ Secure: true,
+ SameSite: http.SameSiteStrictMode,
+ }
+ session.Save(r, w)
+}
+
+func main() {
+ http.HandleFunc("/set-none", setSessionWithSameSiteNone)
+ http.HandleFunc("/set-strict", setSessionWithSameSiteStrict)
+ http.ListenAndServe(":8080", nil)
+}
diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.yaml b/go/gorilla/security/audit/session-cookie-samesitenone.yaml
new file mode 100644
index 0000000000..bcec859903
--- /dev/null
+++ b/go/gorilla/security/audit/session-cookie-samesitenone.yaml
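Review bot: The fixture's only negative case is `http.SameSiteStrictMode`, while the rule's message recommends Lax, Strict or Default and its autofix emits `http.SameSiteDefaultMode`; neither of those two values has an `ok:` case, so a regression that starts flagging them would still pass the tests. Adding handlers with `SameSite: http.SameSiteLaxMode,` and `SameSite: http.SameSiteDefaultMode,`, each annotated `// ok: session-cookie-samesitenone`, covers the values the rule itself advertises. The discarded error from `session.Save(r, w)` and the empty key handed to `sessions.NewCookieStore` are acceptable in a fixture but deserve a one-line comment so they are not copied as an example of real usage.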
@@ -0,0 +1,36 @@ +rules: +- id: session-cookie-samesitenone + patterns: + - pattern-inside: | + &sessions.Options{ + ..., + SameSite: http.SameSiteNoneMode, + ..., + } + - pattern: | + &sessions.Options{ + ..., + } + message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting + SameSite to Lax, Strict or Default for enhanced security. + metadata: + cwe: + - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://pkg.go.dev/github.com/gorilla/sessions#Options + category: security + technology: + - gorilla + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + fix-regex: + regex: (SameSite\s*:\s+)http.SameSiteNoneMode + replacement: \1http.SameSiteDefaultMode + severity: WARNING + languages: + - go diff --git a/javascript/express/security/audit/xss/direct-response-write.js b/javascript/express/security/audit/xss/direct-response-write.js index 3898522ff5..f0718cd16f 100644 --- a/javascript/express/security/audit/xss/direct-response-write.js +++ b/javascript/express/security/audit/xss/direct-response-write.js @@ -132,6 +132,15 @@ app.get('/xss', function (req, res) { res.write('Response
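Review bot: The autofix in `fix-regex` rewrites `SameSiteNoneMode` to `http.SameSiteDefaultMode`, but in net/http that value causes the `SameSite` attribute to be omitted from the Set-Cookie header, so the resulting policy is whatever the client browser defaults to rather than an explicit one. `replacement: \1http.SameSiteLaxMode` keeps the attribute explicit and is the least disruptive of the values the message lists. The two patterns also only match the pointer literal `&sessions.Options{ ... }`; a value literal `sessions.Options{ ... }` or a later field assignment such as `session.Options.SameSite = http.SameSiteNoneMode` is not matched, which is worth either covering with an extra `pattern-either` branch or stating in the message.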
' + html); }); +const jsonRouter = express.Router(); +jsonRouter.use(express.json()); +jsonRouter.get('/noxss-json', function (req, res) { + var name = req.query.name; + // ok: direct-response-write + res.write({ name }); +}); +app.use(jsonRouter); + // For https://github.com/returntocorp/semgrep-rules/issues/2872 app.post( "/:id", diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml index 370edab86c..25959b5687 100644 --- a/javascript/express/security/audit/xss/direct-response-write.yaml +++ b/javascript/express/security/audit/xss/direct-response-write.yaml @@ -1,10 +1,9 @@ rules: - id: direct-response-write message: >- - Detected directly writing to a Response object from user-defined input. This bypasses - any HTML escaping and may expose your application to a Cross-Site-scripting - (XSS) vulnerability. Instead, use 'resp.render()' to render - safely escaped HTML. + Detected directly writing to a Response object from user-defined input. + This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting + (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. options: interfile: true metadata: @@ -15,7 +14,8 @@ rules: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' category: security technology: - express @@ -26,6 +26,9 @@ rules: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) languages: - javascript - typescript 
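Review bot: The new `ok:` case calls `res.write({ name })`, but `res.write` is Node's `ServerResponse.write`, which accepts only a string, Buffer or Uint8Array and throws on a plain object, so this is not code that would run and it does not exercise the JSON-serialising sink the new exclusion is attached to. The Express methods that serialise an object and set `application/json` are `res.send({ name })` and `res.json({ name })`; one of those, still annotated `// ok: direct-response-write`, is the realistic negative case. `jsonRouter.use(express.json())` only parses request bodies and has no effect on this handler's response, so it can be dropped or given a comment explaining why it is there.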
@@ -112,6 +115,7 @@ rules: - pattern: $RES.send($ARG) - pattern-not: $RES. ... .set('...'). ... .send($ARG) - pattern-not: $RES. ... .type('...'). ... .send($ARG) + - pattern-not-inside: $RES.$METHOD({ ... }) - focus-metavariable: $ARG pattern-sanitizers: - patterns: @@ -222,7 +226,7 @@ rules: - metavariable-regex: metavariable: $F regex: (?!.*text/html) - - patterns: + - patterns: - pattern-inside: | $X = [...]; ... diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml index e5d078f933..6f16c720ab 100644 --- a/javascript/express/security/injection/tainted-sql-string.yaml +++ b/javascript/express/security/injection/tainted-sql-string.yaml @@ -10,10 +10,10 @@ rules: protect your queries. metadata: owasp: - - A07:2017 - Cross-Site Scripting (XSS) + - A01:2017 - Injection - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" references: - https://owasp.org/www-community/attacks/SQL_Injection category: security diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml index 1d9c19aa9a..93423165d7 100644 --- a/scala/play/security/webservice-ssrf.yaml +++ b/scala/play/security/webservice-ssrf.yaml @@ -27,7 +27,7 @@ rules: A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. + They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host. metadata: 
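Review bot: `pattern-not-inside: $RES.$METHOD({ ... })` leaves `$METHOD` unbound, so it suppresses any `$RES.send($ARG)` finding that sits anywhere inside an object-literal argument to any method on the same object, not just the JSON-serialising call the fixture is meant to cover. Since the intent is that `res.send(obj)` emits `application/json` rather than HTML, `- pattern-not: $RES.send({ ... })` (plus `$RES.json({ ... })` if that sink exists elsewhere in the rule) states that precisely and cannot mask a nested `res.send(html)` inside, for example, a callback passed in an options object. The enclosing `patterns:` list starts outside the hunk, so I cannot see whether the `write` sink needs the same treatment.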
diff --git a/solidity/security/missing-self-transfer-check-ercx.sol b/solidity/security/missing-self-transfer-check-ercx.sol new file mode 100644 index 0000000000..d3d1c50206 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.sol 
@@ -0,0 +1,90 @@ +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + // ruleid: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + // ruleid: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} + + +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + if (from != to) { + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + //ok: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + + // Overflow not possible: balance + value is at most totalSupply, which we know fits into a uint256. 
+ //ok: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + } + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} diff --git a/solidity/security/missing-self-transfer-check-ercx.yaml b/solidity/security/missing-self-transfer-check-ercx.yaml new file mode 100644 index 0000000000..017d499125 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.yaml 
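Review bot: The first `_update` keeps the comment `//No need to adjust balances when transfer is to self, prevent self NFT-grind` above an `unchecked` block that has no `from != to` guard, so a reader cannot tell from the fixture that the omission is deliberate or why it matters. A comment beside the existing `// ruleid:` markers such as `// when from == to, toBalance was read before the subtraction, so the second store leaves _balances[from] at fromBalance + value` documents what the two flagged stores do on a self-transfer. The second `_update` differs from the first not only in the `if (from != to)` wrapper but also in closing `unchecked` before `if(mint)`; keeping the brace layout identical in both variants would make the fixture diff read as just the guard.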
@@ -0,0 +1,43 @@
+rules:
+- id: missing-self-transfer-check-ercx
+ languages:
+ - solidity
+ message: >-
+ Missing check for 'from' and 'to' being the same before updating balances
+ could lead to incorrect balance manipulation on self-transfers.
+ Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.
+ severity: ERROR
+ metadata:
+ category: security
+ technology:
+ - blockchain
+ - solidity
+ cwe: 'CWE-682: Incorrect Calculation'
+ subcategory:
+ - vuln
+ confidence: HIGH
+ likelihood: HIGH
+ impact: HIGH
+ owasp:
+ - A7:2021 Identification and Authentication Failures
+ references:
+ - https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities
+ - https://x.com/shoucccc/status/1757777764646859121
+ patterns:
+ - pattern-either:
+ - pattern: |
+ _balances[$FROM] = $FROM_BALANCE - value;
+ - pattern: |
+ _balances[$TO] = $TO_BALANCE + value;
+ - pattern-not-inside: |
+ if ($FROM != $TO) {
+ ...
+ _balances[$FROM] = $FROM_BALANCE - value;
+ ...
+ _balances[$TO] = $TO_BALANCE + value;
+ ...
+ }
+ - pattern-inside: |
+ function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual {
+ ...
+ }
diff --git a/yaml/openapi/security/api-key-in-query-parameter.test.yaml b/yaml/openapi/security/api-key-in-query-parameter.test.yaml
new file mode 100644
index 0000000000..22c2df921e
--- /dev/null
+++ b/yaml/openapi/security/api-key-in-query-parameter.test.yaml
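Review bot: `- A7:2021 Identification and Authentication Failures` is formatted unlike every other OWASP entry in this change (`A07:2021 - ...`) and names a category that does not describe an arithmetic defect; the `cwe` already says `CWE-682: Incorrect Calculation`, so either drop the `owasp` entry or use a consistently formatted one that fits. The `pattern-not-inside` recognises only a guard of the form `if ($FROM != $TO) { ... }` wrapping both stores; an early-return `if (from == to) { ...; return; }` or a `require(from != to)` before the stores still yields both findings, which is a false positive at `confidence: HIGH`. Adding `pattern-not-inside` branches for those two guard shapes would cover the common idioms; the `pattern-inside` is also pinned to the exact `bool mint` signature, which the `-ercx` suffix suggests is intentional but is worth stating in the message.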
@@ -0,0 +1,37 @@
+openapi: 3.1.0
+info:
+ title: Example API
+ description: Example API
+ version: 1.0.0
+
+servers:
+ - url: https://api.example.com/
+
+paths:
+ /test/{param}:
+ get:
+ operationId: test
+ parameters:
+ - name: param
+ in: path
+ required: true
+ description: test
+ schema:
+ type: string
+
+security:
+ - apiKeyAuthQuery: []
+ - apiKeyAuthHeader: []
+
+components:
+ securitySchemes:
+ # ruleid: api-key-in-query-parameter
+ apiKeyAuthQuery:
+ type: apiKey
+ in: query
+ name: api_key
+ # ok: api-key-in-query-parameter
+ apiKeyAuthHeader:
+ type: apiKey
+ in: header
+ name: X-API-Key
diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml
new file mode 100644
index 0000000000..673c01b8bb
--- /dev/null
+++ b/yaml/openapi/security/api-key-in-query-parameter.yaml
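Review bot: Negative coverage stops at `in: header`; `in: cookie` is the third location OpenAPI permits for `type: apiKey` and is the value the `in: query` match must not bleed into. A third scheme such as `apiKeyAuthCookie:` with `type: apiKey`, `in: cookie`, `name: session_id`, annotated `# ok: api-key-in-query-parameter`, would pin that down.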
@@ -0,0 +1,45 @@
+rules:
+ - id: api-key-in-query-parameter
+ languages: [yaml]
+ message: >-
+ The $SECURITY_SCHEME security scheme passes an API key in a query parameter.
+ API keys should not be passed as query parameters in security schemes.
+ Pass the API key in the header or body.
+ If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived.
+ severity: ERROR
+ patterns:
+ - pattern-inside: |
+ openapi: $VERSION
+ ...
+ components:
+ ...
+ securitySchemes:
+ ...
+ - metavariable-regex:
+ metavariable: $VERSION
+ regex: 3.*
+ - pattern: |
+ $SECURITY_SCHEME:
+ ...
+ type: apiKey
+ ...
+ in: query
+
+ metadata:
+ category: security
+ subcategory:
+ - vuln
+ technology:
+ - openapi
+ likelihood: MEDIUM
+ impact: HIGH
+ confidence: HIGH
+ cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings'
+ owasp:
+ - 'A04:2021 Insecure Design'
+ - 'A07:2021 Identification and Authentication Failures'
+ references:
+ - https://datatracker.ietf.org/doc/html/rfc6749
+ - https://cwe.mitre.org/data/definitions/598.html
+ - https://owasp.org/Top10/A04_2021-Insecure_Design/
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
diff --git a/yaml/openapi/security/use-of-basic-authentication.test.yaml b/yaml/openapi/security/use-of-basic-authentication.test.yaml
new file mode 100644
index 0000000000..63b30365e3
--- /dev/null
+++ b/yaml/openapi/security/use-of-basic-authentication.test.yaml
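Review bot: The message advises `Pass the API key in the header or body.`, but an OpenAPI `apiKey` scheme only supports `in: header`, `in: query` or `in: cookie`; a request body is not a security-scheme location, so `Pass the API key in a header (or a cookie) instead.` is advice the reader can actually apply to the flagged document. The `$VERSION` regex `3.*` leaves the dot unescaped and has no anchors, so it also accepts values such as `30`; `^3\.` is the precise form (I am not certain whether `metavariable-regex` anchors by default, so explicit anchors are the safe choice). Whether Swagger 2.0 `securityDefinitions` with `in: query` is intentionally out of scope is worth a sentence in the message, since the `openapi:` anchor silently skips those documents.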
@@ -0,0 +1,36 @@
+openapi: 3.1.0
+info:
+ title: Example API
+ description: Example API
+ version: 1.0.0
+
+servers:
+ - url: https://api.example.com/
+
+paths:
+ /test/{param}:
+ get:
+ operationId: test
+ parameters:
+ - name: param
+ in: path
+ required: true
+ description: test
+ schema:
+ type: string
+
+security:
+ - basicAuth: []
+ - apiKeyAuth: []
+
+components:
+ securitySchemes:
+ basicAuth:
+ # ruleid: use-of-basic-authentication
+ type: http
+ scheme: basic
+ apiKeyAuth:
+ # ok: use-of-basic-authentication
+ type: apiKey
+ in: header
+ name: X-API-Key
diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml
new file mode 100644
index 0000000000..eb95190a77
--- /dev/null
+++ b/yaml/openapi/security/use-of-basic-authentication.yaml
@@ -0,0 +1,42 @@
+rules:
+ - id: use-of-basic-authentication
+ languages: [yaml]
+ message: >-
+ Basic authentication is considered weak and should be avoided.
+ Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.
+ severity: ERROR
+ patterns:
+ - pattern-inside: |
+ openapi: $VERSION
+ ...
+ components:
+ ...
+ securitySchemes:
+ ...
+ $SCHEME:
+ ...
+ - metavariable-regex:
+ metavariable: $VERSION
+ regex: 3.*
+ - pattern: |
+ type: http
+ ...
+ scheme: basic
+ metadata:
+ category: security
+ subcategory:
+ - vuln
+ technology:
+ - openapi
+ likelihood: MEDIUM
+ impact: HIGH
+ confidence: HIGH
+ cwe: 'CWE-287: Improper Authentication'
+ owasp:
+ - 'A04:2021 Insecure Design'
+ - 'A07:2021 Identification and Authentication Failures'
+ references:
+ - https://cwe.mitre.org/data/definitions/287.html
+ - https://owasp.org/Top10/A04_2021-Insecure_Design/
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
+ 
\ No newline at end of file
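Review bot: The fixture's only `ok:` case is an `apiKey` scheme, which differs from the flagged one in `type`, so the `scheme: basic` discriminator is never tested negatively. A `type: http` scheme with `scheme: bearer`, annotated `# ok: use-of-basic-authentication`, would show that the rule keys on the scheme value rather than on `type: http` alone.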
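Review bot: The message reads `such of OAuth2, OpenID Connect, or mTLS`; `such as` is intended. HTTP authentication scheme names are case-insensitive (RFC 7235 §2.1) and OpenAPI documents are commonly written with `scheme: Basic`, and as far as I can tell the literal `scheme: basic` in the pattern matches the scalar exactly, so that spelling is missed. Binding the value instead — `scheme: $S` in the pattern plus a `metavariable-regex` on `$S` with `regex: (?i)^basic$` — catches both spellings. The whitespace-only last line with no final newline should be removed.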