add java tests #53

Merged
merged 7 commits into develop from ie/javadeadcode Feb 10, 2020
Conversation

@ievans ievans (Member) commented Feb 7, 2020

No description provided.

@ievans ievans merged commit 8461ded into develop Feb 10, 2020
@ievans ievans deleted the ie/javadeadcode branch February 10, 2020 21:44
ievans added a commit that referenced this pull request Feb 14, 2020
* add java tests
DrewDennison added a commit that referenced this pull request May 19, 2020
* improve test suite output (#39)

* use the new decorator support to pass more tests (#29)

* use the new decorator support to pass more tests

* Revert "Disable bad rules with return pattern" (#37)

* Revert "Disable bad rules with return pattern"
* enable tests with todo ruleids

* mark rule as working (#40)

* mark return-in-init as working

* javascript tests (#25)

* add javascript tests

* improve test suite output (#42)

* Update useless-assign.yaml (#41)

* enable more tests (#43)

* enable more tests

* better sleepiness (#46)

* initial test case for golang (#47)

* check for pass in for loop or body of a function (#48)

* check for pass in for loop or body of a function

* fix syntax

* update messages

* update message

* Update README.md (#49)

* Create template.yaml (#50)

* Update test.py (#51)

* use the new decorator support to pass more tests (#58)

use the new decorator support to pass more tests

* better test output for debugging (#56)

* test case for echo style (#55)

* Add rule for detecting file objects opened without corresponding close (#52)

Add rule for detecting file objects opened without corresponding close

* many rules are no longer TODOs thanks to sgrep improvements

* more JS tests; python tests should be passing, but are not (#44)

* more JS tests

* tweak false positives found in python rules (#57)

* correct a few false positives
* pass in init is ok

* more go tests (#54)

* more go tests

* add java tests (#53)

* add java tests

* unchecked subprocess call (#59)

* unchecked subprocess call with test case

* Update README.md (#62)

* Update template.yaml (#63)

* fix parse error in one python test (#65)

* Add wtf-python string comparison using 'is' (#36)

* Add wtf-python string comparison using 'is'

Co-authored-by: minusworld <locrian.vii@gmail.com>
Co-authored-by: Isaac Evans <409041+ievans@users.noreply.github.com>

* improve precision issues noted with platform runs (#67)

* improve precision issues noted with platform runs

* fix invalid rule key

* update assert filters

* ignore useless-assign for now

* add but not ready for primetime yet

* unchecked return logic

* add useless comparison check (#69)

* test case (#70)

* remove greeting and add pre-commit to format our yaml (#73)

* remove greeting and add pre-commit to format our yaml

* remove exclude

* add pre-commit GH action

* add rule to detect modification of lists while editing (#72)

* add rule to detect modification of lists while editing

* change hooks on block

* catch elements being deleted from python dictionary during iteration (#144)

* cleaner test cases using new sgrep functionality (#173)

* cleaner test cases using new sgrep functionality

* django: add model save missing super call rule (#177)

* django: add model save missing super call rule

Fixes #109

* fix pattern; thx Isaac!

* update test comments

* change tests to run different versions of sgrep on develop and master (#178)

* Add flask duplicate handler name check (#180)

Fixes #156

* fix on: block in gh action to include pull_requests too :) (#182)

* Use jsonify upsell check (#181)

* Add JsonResponse Upsell check (#176)

* Use JsonResponse

* fix broken test

* Revert "fix broken test"

This reverts commit d5b28adede1deba12dc4c6d3c796a01fca6378c0.

Co-authored-by: Drew Dennison <dennison@mit.edu>

* Clean up smells/list-modify-iterating check (#184)

The existing implementation of this check had to use a large number of
patterns, as matching class inclusion in a pattern means only
a statement can be matched.

Instead, use the pattern-inside helper to determine class inclusion, in
which case a pattern can match any expression.

As a bonus, the check now reports the smell line, as opposed to the line
at which the enclosing class is defined.

* add simple csrf_exempt example (#186)

* fixup: csrf_exempt for full-qualified import names (#187)

* add simple csrf_exempt example

* support fully qualified decorator

* Initial set of django 2.0 compatibility rules (#183)

This commit implements five Django 2.0 compatibility rules for sgrep.
I'm pushing these as an initial set to see what our fire frequency is on
Django projects. If the enterprise seems worthwhile, I'll continue
implementing compatibility checks.

These checks are sourced from
https://docs.djangoproject.com/en/3.0/internals/deprecation/.

* Flask/secure cookies (#193)

* [wip] Flask secure cookies checks. One for session cookies and one for response.set_cookie

* [wip] Secure session cookie for flask check. Currently fires too many times.

* Adding Flask secure cookie checks. Introduces two checks: 1) a check for setting secure session cookies in the application config, and 2) a check for setting secure user cookies (different from session cookies) in response.set_cookie(). (2) is an sgrep version of https://checks.bento.dev/en/latest/flake8-flask/secure-set-cookie/.

* Django Field setting null=True checks (#179)

* Added rules for
- https://github.com/returntocorp/sgrep-rules/issues/107 -- null=True when blank and unique are True
- https://github.com/returntocorp/sgrep-rules/issues/108 -- null=True when blank=True on nontext fields

* Utilize sgrep's python import resolution

* Take advantage of sgrep import resolution

* Add test case for TextField

* Add TextField condition

* Add check to discourage null in string fields

* Renamed charfield-must-set-null-true to string-field-null-checks

* fmt

* Added ruleid annotations for test files for nontext-field-must-set-null-true.py and string-field-null-checks*.py

* Addressed comments.
- added pattern-inside to no-null-string-field
- added assignment pattern to no-null-string-field
- added a test for no-null-string-field
- added a test for TextField for string-field-must-set-null-true

Co-authored-by: Drew Dennison <dennison@mit.edu>

* Upsell count() method (#192)

Addresses https://github.com/returntocorp/sgrep-rules/issues/97
Test with:
```
docker run --rm -v $(pwd):/home/repo returntocorp/sgrep:develop --config python/django/db/upsell_count.yaml python/django/db/upsell_count.py
```

* Non type-aware django .extra() detection (#190)

Addresses https://github.com/returntocorp/sgrep-rules/issues/80

To test:
```
docker run --rm -v $(pwd):/home/repo returntocorp/sgrep:develop --config python/django/db/query/query_set_extra.yaml python/django/db/query/query_set_extra.py
```

* Avoid raw()/RawSQL() APIs (#194)

Addresses https://github.com/returntocorp/sgrep-rules/issues/81
Test with
```
docker run --rm -v $(pwd):/home/repo returntocorp/sgrep:develop --config python/django/security/raw_query.yaml python/django/security/raw_query.py
```

* use sgrep instead of yaml syntax (#188)

* use strict parsing flag from https://github.com/returntocorp/sgrep/pull/194 (#189)

* Upsell latest/earliest (#197)

Addresses https://github.com/returntocorp/sgrep-rules/issues/92

Test with:

```
docker run --rm -v $(pwd):/home/repo returntocorp/sgrep:develop --config python/django/performance/upsell_earliest_latest.yaml python/django/performance
```

Co-Authored-By: Nathaniel Brahms <nbrahms@users.noreply.github.com>

Co-authored-by: Nathaniel Brahms <nbrahms@users.noreply.github.com>

* Update README.md (#198)

* remove strict parsing flag (#201)

* baseclass override working (#205)

* Update README.md (#206)

* Open Redirects in Flask (#202)

* Added checks for open redirects.

* Updated check to include assignment cases

* Add ruleid comment to test

* Formatting

* Update message for open redirect in Flask

* check for connections over HTTP or disabling certs with HTTPS (superset of DUO132) (#196)

* use python-where for cert validation

* Upsell environ (#208)

* New Check for Flask: Rendering string-formatted templates (#203)

* Added check for rendering template strings that have been string formatted or appended to

* Removed test case for test #3

* Add rule for detecting manual reimplementation of 'collections' functionality (#200)

* Add rule for detecting manual reimplementation of 'collections' functionality

* Add negative test cases and search for dict.items instead of dict

* Flask secure cookies checks (#195)

* [wip] Flask secure cookies checks. One for session cookies and one for response.set_cookie

* [wip] Secure session cookie for flask check. Currently fires too many times.

* Adding Flask secure cookie checks. Introduces two checks: 1) a check for setting secure session cookies in the application config, and 2) a check for setting secure user cookies (different from session cookies) in response.set_cookie(). (2) is an sgrep version of https://checks.bento.dev/en/latest/flake8-flask/secure-set-cookie/.

* Remove *-2.py tests which are not supported yet

* Update secure-session-cookies to use metavars instead of constants to account for the case when these are set using variables

* Removed backup file

* Added checks for setting secure session cookies in the case where the dev uses dictionary assignment to app.config instead of app.config.update(...). Was running into issues trying to make the pattern elegant, so I did the brute-force method.  Added two checks, *dict-set.py and *dict-some-set.py for testing.

* Removed backup file

* Formatting

* Added more tests

* Flask/open redirect (#213)

* Added checks for open redirects.

* Updated check to include assignment cases

* Add ruleid comment to test

* Formatting

* Updated flask/open-redirect to include ... in redirect calls

* Django/open redirect (#212)

* Added rule for open redirects in Django

* Fixed a bug where I had forgotten to remove flask. from request. Added in cases for HttpResponseRedirect. Added test for HttpResponseRedirect

* New check for https://github.com/returntocorp/sgrep-rules/issues/106: use OneToOneField instead of ForeignKey(..., unique=True, ...) (#204)

* python is-not-is-not check (#191)

* python is-not-is-not check

In python `X is not ...` is different from `X is (not ...)`
in the latter the not converts the ... to boolean.

* Update message for is-not-is-not

Co-authored-by: minusworld <locrian.vii@gmail.com>

* Copy secure-set-cookie to django (#217)

This was a relatively successful check in our flask corpus. I've ported
it to Django here.

Interestingly, there's not a good way to identify that the set_cookie
method is being called on an HttpResponse object without some
rudimentary typing or dataflow. So I just use the common identifier
"response" as the invocation target. Note that this means that this
check fires on Flask projects.

In order to have this not fire on random Django middleware vendored
code, I excluded expressions from common Django middlewares.

After doing this, the fire frequency on non-test, non-vendored code is
1 finding in the entire Django-500 corpus. It's a true positive.

For details, see:
https://dev.massive.ret2.co/jobs/618?page=1&sort_on=repo_url&sort_by=asc

* Use decimalfield for money (#185)

* Potential check for use-decimalfield-for-money. Dependent on where-python completion

* [wip] Prototype check for 'use-decimalfield-for-money'.

* use sgrep support for where-python to pass checks

* Switch to 'currency' from 'money' in description

Co-Authored-By: Nathaniel Brahms <nbrahms@users.noreply.github.com>

* Added additional words for use-decimalfield-for-money

* Added in a list of words that could potentially be money/currency fields

Co-authored-by: minusworld <locrian.vii@gmail.com>
Co-authored-by: Nathaniel Brahms <nbrahms@users.noreply.github.com>

* ci: Add bento check for pull requests (#64)

* Avoid calling people out over their bugs (#219)

* Avoid calling people out over their bugs

* Better yet, let's use sgrep's default generate-config

* mark rule as regression (#226)

* move test.py (#225)

* move test.py

* Update Makefile

Co-authored-by: Drew Dennison <dennison@mit.edu>

* two simple checks for golang (#142)

* two simple checks for golang JWT tokens

* detect different route names in flask (#228)

* Fix #159, add rule for deprecated Flask APIs (#218)

* Update README.md (#229)

* Added an issue template for new checks. (#220)

This includes instructions for information to include in the ticket before closing the ticket.

* fix tests (#238)

Fix failing tests using todook

Move java/hardcoded-conditional tests and rules to their own file so they
do not interfere with the other tests and cause tests to fail.

* Add python mutable default datastructure checks (#209)

* Add python mutable default datastructure checks

In python, function definitions with parameters set to have a default
value of `[]` or `{}` actually have this datastructure instantiated at
start up time and all calls to the function with the default value used
all point to the same location in memory as the startup instantiated object.

This usually results in unintuitive behavior of changes to the default
object persisting over multiple calls to the function. i.e.:

```
def f(x=[]):
	x.append(1)
	print(x)

f()  # [1]
f()  # [1, 1]
```

This adds test cases of this phenomenon and instances when the mutable
structure is appropriately handled/copied. Also does a first pass effort
to include some patterns for sgrep to find instances of default datastructures
being mutated.

* fixup! Add python mutable default datastructure checks

* fixup! Add python mutable default datastructure checks

* Fix tests in CI for default-mutable checks (#242)

* Attempt to fix tests in CI

* Fix tests for default-mutable-dict

* add jwt-hardcode rule for javascript (#243)

* Added a new check for Apache Airflow BashOperator class. This check looks for formatted strings passed as the Bash command to BashOperator objects. (#247)

* Django/empty string password (#245)

* Moved open-redirect under security

* Added new check to see if the empty string is being set on Django models using the set_password method.

* Updated the check message with actionable responses

* Added new check for detecting formatted strings into SQL queries (#244)

* Added new check for detecting formatted strings into SQL queries

* Fix tests

* Delete vim swp file that snuck in there

* Some ruleid comments were on the wrong line. Fixed up

* Some test annotations were written as 'ruleid : name-of-rule'. The space after ruleid was throwing it off

* Go/assignment from multiple sources AND attribute retrieved from multiple sources (#241)

* Added two checks for Go http handlers, which originated from ideas in the gorilla framework. The checks check for reassignment of a variable in a handler function and for reading of the same attribute in a handler function.

* Renamed to handler- to showcase that this happens inside handler functions. Added filtering to handler-assignment-from-multiple-sources based on FPs found. Added a test FP case from real code

* Deleted old files

* Added more filters based on FPs found

* Updated test files to reflect proper check id names

* Fix tests

* Attempt to fix tests in CI

* Fix tests for default-mutable-dict

* Added two checks for Go http handlers, which originated from ideas in the gorilla framework. The checks check for reassignment of a variable in a handler function and for reading of the same attribute in a handler function.

* Renamed to handler- to showcase that this happens inside handler functions. Added filtering to handler-assignment-from-multiple-sources based on FPs found. Added a test FP case from real code

* Deleted old files

* Added more filters based on FPs found

* Updated test files to reflect proper check id names

* Fix tests

* Fix whitespace

* Fix whitespace again

* Added cases for . || . and its cousins. Added tests for these as well.

* Add semicolons in to two patterns that were missing them (#250)

* Add semicolons in to two patterns that were missing them

* Added ruleid comments to examples. Renamed example5.js to jwt-hardcode.js to minimally test the branch in CI.

* Added todo for test case in jwt-hardcode.js

* fix fp in js useless assignment (#251)

* Fix two false positives in flask-view-func-match-route-params (#254)

1. Using single instead of double quotes in string literals (IMO sgrep
   should deal with this for you)
2. Defining converters in the route (see
   https://flask.palletsprojects.com/en/1.1.x/quickstart/#variable-rules)

* Add new golang check for guarded channels based on https://hackmongo.com/page/golang-antipatterns/#guarded-channel. The check makes sure that channels are not guarded by mutexes, since channels already have their own mutexes. (#249)

* Go/hidden goroutine (#248)

* Add check based on https://hackmongo.com/page/golang-antipatterns/#hidden-goroutine that looks for hidden goroutines.

* Added a test case where the goroutine is called first, then other things are done, and then updated the patterns to exclude this case because it was caught by the original pattern even though it wasn't supposed to be.

* Improve java.eqeq-is-bad message (#252)

x != x is often used to test if x is a numeric value. Since Java
1.early, one can just use Double.isNaN, so recommend this.

Co-Authored-By: Isaac Evans <409041+ievans@users.noreply.github.com>

* Fix FP in python/smells/open-never-closed (#253)

In many cases, this pattern is a true positive:

  fd = open(...)
  do_something()
  fd.close()

As do_something() can raise an exception.

However, this pattern is correct:

  fd = open(...)
  try:
      do_something()
  finally:
      fd.close()

In this commit I merely remove the false positive, rather than
broadening the scope of the check to include these true positives.

* Added golang check for ListenAndServe without TLS. (#255)

* Remove FP in python/smells/list-modify-iterating (#257)

Leverages deep-expression matching to remove a false positive where this
would fire on _any_ list modification in a for loop, even if it was not
the list under iteration.

A downside of this change is that the rule now fires on the enclosing
iteration, instead of the offending list modification.

* Added a new check for formatted/concatenated strings into template.HTML (#256)

* Added a new check for formatted/concatenated strings into template.HTML which does not escape input.

* Fixup tests

* Updated tests and added a filter case to filter out concatenating static strings

* Fixed spelling error in 'salary' (#258)

* update test suite (#276)

* update test suite for https://github.com/returntocorp/sgrep/pull/339

* Django: scope secure cookie check to Django (#262)

Previously, this check fired on Flask as well.

To validate, just run on
python/flask/secure-cookies/response-set-cookie.py.

* SQLi for raw/rawSQL sinks using const propagation (#277)

Adds SQLi checks for raw() and RawSQL() using const propagation.
Addresses: https://github.com/returntocorp/sgrep-rules/issues/263

* SQLi check for extra() (#281)

Adds SQLi checks for extra() using const propagation.
Addresses last piece of https://github.com/returntocorp/sgrep-rules/issues/263

* Update Check issue template to include a "Check Description"

* Check for unsanitized reflection into flask.make_response (#261)

Looks for calls to make_response using unsanitized request parameters.

* Add SQLi detection for execute() sink (#285)

Add SQLi detection for execute() sink

* * python/deadcode/baseclass-attribute-override.py: should now pass (#286)

* * python/deadcode/baseclass-attribute-override.py: should now pass

* * python/deadcode/baseclass-attribute-override.py: no change, just to rerun
CI

* * python/deadcode/baseclass-attribute-override.py: empty change just to rerun CI
with latest sgrep-develop

* F-string detection in sqli examples (#284)

F-string detection in sqli examples

* Django/unvalidated passwords (#271)

* New check for using the empty string as the default when using .get(var, default), promoting the use of None instead.

* New check for calling model.set_password without calling validate_password first.

* Formatting for password-empty-string

* Fixed check_id for unvalidated-password. Also added a pattern-not clause to filter out a special case in vendored code which runs the set_password routine once, discarding the result, in order to prevent timing attacks.

* Added a test case for the previous commit

* Placate flake8

* Added a new pattern which detects the empty string as a default keyword argument. Added a test case based on real-world finding.

* Added check for user data going into open() (#273)

* Added check for user data going into open()

* Added a test-case based on real-world code

* Update user-open.yaml

* Updated test for no-csrf-exempt now that https://github.com/returntocorp/sgrep/issues/294 is working. Renamed check_id to 'no-csrf-exempt' and renamed files to 'csrf-exempt'.

* Updated test for no-csrf-exempt now that https://github.com/returntocorp/sgrep/issues/294 is working. Renamed check_id to 'no-csrf-exempt' and renamed files to 'csrf-exempt'. (#288)

* Added checks for user data going into eval and exec. (#272)

* Updated test for no-csrf-exempt now that https://github.com/returntocorp/sgrep/issues/294 is working. Renamed check_id to 'no-csrf-exempt' and renamed files to 'csrf-exempt'.

* Added checks for user data going into eval and exec.

* Added new checks to account for format string cases of user data flowing into exec and eval.

* Fix tests

* Updated check message for user-eval* and user-exec checks. Added f-string cases to user-eval-format-string and user-exec-format-string. Added test cases for these.

* Add python/django/security/ssrf-injection-requests (#290)

* Add python/django/security/ssrf-injection-requests

Detects SSRF injection attacks into the requests API.

Neither of these checks actually fire on anything in platform, so
they're pretty speculative.

For completeness, I had to write 48 different patterns for each sink. :(

This cardinality is the product space of
- URL APIs (requests and urllib)
- Django import identification (import HttpResponse and import render)
- Request-object data extraction (request[], request.get,
  request.body[], request.body.get)
- Possible ways of embedding the injection expression (bare, assignment, return) -- note that this is incomplete, as there is also call site
- Injection methods (method call, e.g. by string format, and f-string)

In order to streamline this generation in the future, I add jinja
templating.

For instance, to generate ssrf-injection-requests.yaml, I ran:

./generate-injection.py --id ssrf-injection-requests --sink 'requests.$METHOD' --message 'Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against a whitelist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.' > ssrf-injection-requests.yaml

* Path traversal detection (#291)

* Path traversal detection

* more patterns

* fix test

* message

* precommit

* address feedback

* Django/command injection os system (#294)

* New check for request data going into os.system, which is a command injection.

* Formatting

* Formatting

* new line is expected

Co-authored-by: Ulzii Otgonbaatar <ulzii@returntocorp.com>

* Django/reflected httpresponse (#296)

* New check for reflected data into HttpResponse

* Added HttpResponseBadRequest

* Fixed FP finding. Added test for it

* Fixed FP in HttpResponseBadRequest

* New check for data going from request -> open -> FileResponse.

* Fix test

* Django/email (#295)

* Add new check for detecting request data as the contents of an HTML email. This is dangerous because HTML emails are susceptible to XSS depending on the email client.

* Updated injection template script and template. Now utilized for loops in the template to make it easy to enumerate new sources, sinks, and 'format trajectories.'

* Formatting

* More formatting

* Template now trims whitespace

* Really fixed whitespace this time.

* new line is expected

* Added whitespace at the end of injection template

Co-authored-by: Ulzii Otgonbaatar <ulzii@returntocorp.com>

* Injection to file name (#297)

* Injection to file name

* New check for request data going into .write (#293)

* New check for request data going into .write

* Add test annotation

* Formatting

* Get rid of newlines in request-data-write.yaml

* Add a true negative case

* Fixed the true negative test just added

* New check for mass assignment. (#298)

* New check for mass assignment.

* Added a reference link for mass assignment

* Added reference comment for test cases

* Fixed trailing whitespace

* New check for send_mail, which is slightly different than EmailMessage. (#299)

* Reduce FP rate of generated injection checks by limiting to .format instead of any combination of functions.

* Add new check for html content injected into django.core.mail.send_mail(...)

* Added a message to the check -_-

* Removed try blocks to allow tests to work

* Added new check for globals misuse, which uses request data as an index to globals(). This is inspired by https://github.com/mpirnat/lets-be-bad-guys/blob/master/badguys/vulnerable/views.py#L182. Also added a new template for this use-case. (#300)

* Use new operator <... ...> for deep expression matching and fix (#303)

current regression

Test plan:
 ~/github/sgrep/sgrep_lint/sgrep.py --test --strict --test-ignore-todo --dangerously-allow-arbitrary-code-execution-from-rules .

All tests passed.

* Add pprof check (G108) to sgrep (#304)

This is a one of 4 high severity checks in gosec.

The check detects import "_ net/http/pprof" with non-local http server. Blank imports assume the side-effect of the package which in this case opens a /debug route.
This furthers [the check G108](https://github.com/securego/gosec/blob/master/rules/pprof.go) by adding a filter for localhost.

More on the problem in https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
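The side effect this commit message describes can be observed from inside the process: importing net/http/pprof registers its handlers on http.DefaultServeMux whether or not the program ever refers to them. The Go program below is an added example, not code from sgrep-rules or gosec; it shows that registration, a loopback-address filter of the kind the check adds, and the usual mitigation of serving the profiler from its own mux bound to localhost. Function names and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // the import itself is the side effect: pprof's init() registers /debug/pprof/* on http.DefaultServeMux
)

// pprofOnDefaultMux reports whether http.DefaultServeMux would route a GET for
// path to a registered handler. After importing net/http/pprof this is true for
// "/debug/pprof/" even though this file never calls http.Handle for that path.
func pprofOnDefaultMux(path string) bool {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	_, pattern := http.DefaultServeMux.Handler(req)
	return pattern != "" // ServeMux.Handler returns "" for the not-found fallback
}

// listensOnLoopbackOnly is the localhost filter: "127.0.0.1:6060", "[::1]:6060"
// and "localhost:6060" count as local; ":8080", "0.0.0.0:8080" or a public
// address do not. (Constructed helper, not gosec's implementation.)
func listensOnLoopbackOnly(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// riskyServer has the shape the check flags: the application listens on all
// interfaces using the default mux, so the profiler routes are exposed too.
func riskyServer() *http.Server {
	http.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return &http.Server{Addr: ":8080", Handler: nil} // nil Handler means http.DefaultServeMux
}

// hardenedServers separates the two concerns: the public API gets its own mux
// with no profiler routes, and pprof is wired explicitly onto a second mux that
// is only served on a loopback address.
func hardenedServers() (public, debug *http.Server) {
	api := http.NewServeMux()
	api.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "ok")
	})

	prof := http.NewServeMux()
	prof.HandleFunc("/debug/pprof/", pprof.Index)
	prof.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	prof.HandleFunc("/debug/pprof/profile", pprof.Profile)
	prof.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	prof.HandleFunc("/debug/pprof/trace", pprof.Trace)

	return &http.Server{Addr: ":8080", Handler: api},
		&http.Server{Addr: "127.0.0.1:6060", Handler: prof}
}

// muxRoutes reports whether srv's mux (DefaultServeMux when Handler is nil)
// routes a GET for path to something other than the not-found fallback.
func muxRoutes(srv *http.Server, path string) bool {
	mux, ok := srv.Handler.(*http.ServeMux)
	if !ok {
		mux = http.DefaultServeMux
	}
	_, pattern := mux.Handler(httptest.NewRequest(http.MethodGet, path, nil))
	return pattern != ""
}

func main() {
	fmt.Println("pprof registered on DefaultServeMux:", pprofOnDefaultMux("/debug/pprof/"))
	risky := riskyServer()
	fmt.Println("risky server routes /debug/pprof/:", muxRoutes(risky, "/debug/pprof/"),
		"listens on loopback only:", listensOnLoopbackOnly(risky.Addr))
	public, debug := hardenedServers()
	fmt.Println("hardened public mux routes /debug/pprof/:", muxRoutes(public, "/debug/pprof/"))
	fmt.Println("debug server listens on loopback only:", listensOnLoopbackOnly(debug.Addr))
}
```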

* Add G109 check for overflow (#305)

Adds integer overflow detection for int16/int32 calls with
data flowing from strconv.Atoi.
It furthers [G109](https://github.com/securego/gosec/blob/master/rules/integer_overflow.go) by actually validating the data flow and validating the string literal against https://golang.org/pkg/builtin/#int32
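The truncation this check looks for is easy to reproduce. The Go program below is an added example rather than code from sgrep-rules or gosec; it contrasts the flagged pattern (strconv.Atoi followed by an unchecked int32 conversion) with two safe forms: letting strconv.ParseInt enforce the bit size, and the explicit range validation against the int32 bounds that the commit message describes. Function names are constructed, and the wrap-around values assume a 64-bit int as on amd64/arm64.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// atoiThenInt32 has the shape G109 flags: Atoi returns a platform-sized int
// (64 bits on amd64/arm64) and the conversion keeps only the low 32 bits, so
// "2147483648" comes back as -2147483648 with no error at all.
func atoiThenInt32(s string) (int32, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return int32(n), nil // silent wrap-around on out-of-range input
}

// parseInt32 lets the parser enforce the width: ParseInt with bitSize 32
// returns a *strconv.NumError wrapping strconv.ErrRange for out-of-range input
// instead of a truncated value. The int16 case is the same call with bitSize 16.
func parseInt32(s string) (int32, error) {
	n, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, err
	}
	return int32(n), nil
}

// checkedInt32 is the explicit validation for code that already holds an int
// (for example from Atoi): compare against the int32 bounds before converting.
func checkedInt32(n int) (int32, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, fmt.Errorf("value %d outside int32 range", n)
	}
	return int32(n), nil
}

// isRangeError distinguishes "too large for the type" from "not a number".
func isRangeError(err error) bool {
	return errors.Is(err, strconv.ErrRange)
}

func main() {
	for _, s := range []string{"2147483647", "2147483648", "4294967297", "-2147483649", "abc"} {
		v1, err1 := atoiThenInt32(s)
		v2, err2 := parseInt32(s)
		fmt.Printf("%-12s unchecked=%d err=%v | checked=%d err=%v\n", s, v1, err1, v2, err2)
	}
}
```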

* add bokeh

* add missing keys

* fix typo

* fix tests

* Fix regression of https://github.com/returntocorp/sgrep/pull/432 (#329)

* Fix regression of https://github.com/returntocorp/sgrep/pull/432

Thx to https://github.com/returntocorp/sgrep/pull/432 a few new errors
can be detected!

Test plan:
with a build of sgrep after pull/432:

~/github/sgrep/sgrep_lint/sgrep.py --dangerously-allow-arbitrary-code-execution-from-rules --strict --test --test-ignore-todo .

pass now all tests

* retrigger CI

* * javascript/jwt-hardcode/jwt-hardcode.js: Fix todoruleid (#330)

* * javascript/jwt-hardcode/jwt-hardcode.js: Fix todoruleid

Really deep stmt matching probably allows to report this new error

test plan:
~/github/sgrep/sgrep_lint/sgrep.py --dangerously-allow-arbitrary-code-execution-from-rules --strict --test --test-ignore-todo .

* * javascript/jwt-hardcode/jwt-hardcode.js: trigger CI

* space

* Add math.rand (G404) checks (#306)

* Add math.random (G404) checks

* New Published Rules - javascript.smells.assigned-undefined (#340)

* add javascript/smells/assigned-undefined.js

* add javascript/smells/assigned-undefined.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* remove number from metavar (#339)

* remove number from metavar

* remove todo

* New Published Rules - python.logging.listeneval (#319)

* add python/logging/listeneval.py
* add python/logging/listeneval.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - python.multiprocessing.conn_recv (#322)

* add python/multiprocessing/conn_recv.py
* add python/multiprocessing/conn_recv.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - python.marshal (#327)

* add python/marshal.py
* add python/marshal.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - javascript.jwt.jwt-exposed-credentials (#341)

* add javascript/jwt/jwt-exposed-credentials.js

* add javascript/jwt/jwt-exposed-credentials.yaml

Co-authored-by: Vasilii Ermilov <inkz@xakep.ru>

* New Published Rules - python.django.db.audit.extends-custom-expression (#331)

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - python.django.db.audit.custom-expression-as-sql (#332)

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* Remove Bento Action (#342)

This project is nothing but test code that fails Bento by design. We
shouldn't run Bento on it.

* New Published Rules - python.smells.exit (#343)

* add python/smells/exit.py

* add python/smells/exit.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* javascript.jwt-none-alg (#328)

* Add jwt-none-alg rule

* Update jwt-none-alg examples

* Update jwt-none-alg rule

* Update jwt-none-alg.yaml

* Update jwt-none-alg.yaml

* Run pre-commit hooks

Co-authored-by: grayson <grayson@returntocorp.com>

* remove some aggressive pre-commit hooks

* New Published Rules - wip-xss-using-responsewriter-and-printf (#345)

* add wip-xss-using-responsewriter-and-printf.go

* add wip-xss-using-responsewriter-and-printf.yaml

authored-by: Isaac Evans <ine@mit.edu>

* Update jwt-none-alg.yaml

JWT pipe operator captures things that look like YAML comments :/

* rename to use semgrep instead of sgrep (#348)

* Fix/update injection checks (#324)

* Reorganized python.django.security checks into audit/ injection/ and passwords/.

* Moved query-set-extra check from db/query to security/audit

* Renamed user-open to path-traversal-open.

* Changed check id of path-traversal-join to match filename

* Changed check id of path-traversal-file-name to match filename

* Updated template with inline format patterns

* Updated open-redirect pattern with more patterns, including inline formatting and intermediate patterns.

* Updated command-injection-os-system with inline format patterns

* Updated path-traversal-join with inline patterns

* Removed left_pattern from inline format patterns. This should help remove a few patterns and add a small performance boost.

* Updated reflected-data-httpresponse with inline patterns. Added a test case for it.

* Add inline patterns to reflected-data-httpresponsebadrequest. Added test case too

* Added extra patterns to sql-injection-extra. Added intermediate patterns and inline formatting patterns.

* Removed todo from one of the tests

* Added intermediate and inline patterns to sql-injection-rawsql.

* Added intermediate patterns to sql-injection-using-db-cursor-execute

* Added intermediate and inline patterns for sql-injection-using-raw

* Added intermediate and inline format patterns to ssrf-injection-requests

* Added intermediate and inline format patterns to ssrf-injection-urllib

* Add intermediate and inline formatting patterns.

* Updated path-traversal-join with new patterns based on a real-world false negative. Added a test case for this.

* Add new patterns for when decoding base64 data. This is to catch a real-world example. Example added to test cases.

* Added tuple % formatting pattern

* Added todoruleid test for tuple % format case

* Added tuple % format case to all sql-injection checks

* Moved sql-injection checks into sql folder

* Added FN case for path-traversal-open

* Added FN cases: one deep in an if statement (can't find this one yet) and one inline.

* Updated open-redirect to filter out inline is_safe_url case. Deep if is still being detected even though it shouldn't.

* Add test case for filtering out is_safe_url

* Add todo annotation for FP in open-redirect

* Changed todo from previous commit to regular ruleid to satisfy tests.

Co-authored-by: Drew Dennison <drew@returntocorp.com>

* Moved python/django/db/audit to python/django/security/audit to be alongside SQL extra and parameterized SQL query checks that were already present in security/audit. (#349)

* Inkz/hardcoded jwt secret (#356)

* Move hardcoded-jwt-secret files

* Update hardcoded-jwt-secret rule

* clean up badly formatted yaml (#357)

* clean up badly formatted yaml

* replace '' with "

* fix tests

* Update README.md

* Update README.md

* Add hardcoded-passport-secret rule (#361)

* move rules under namespace

* Port gosec G401 (#368)

* Port G401

* address @mschwager's comments

* rename to use -

Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G403 (#369)

Co-authored-by: minusworld <grayson@returntocorp.com>

* TLS blacklist rule (#374)

* tls stuff

* rejigger lines

* Fix/django path traversal filename (#375)

* Added false positive case for path-traversal-file-name.

* Fixed bug in path-traversal-file-name

* SSLv3 blacklist rule (#370)

* SSLv3 blacklist rule

* New Published Rules - java.security.audit.command-injection-formatted-runtime-call (#373)

* add java/security/audit/command-injection-formatted-runtime-call.java

* add java/security/audit/command-injection-formatted-runtime-call.yaml

Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.crypto.no-null-cipher (#376)

* add java/security/crypto/no-null-cipher.java

* add java/security/crypto/no-null-cipher.yaml

* Add an OWASP reference to check message.

Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G203 (#379)

* New Published Rules - java.security.audit.spring-csrf-disabled (#380)

* add java/security/audit/spring-csrf-disabled.java

* add java/security/audit/spring-csrf-disabled.yaml

* Update rule message based on feedback.

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G201, G202 (#378)

* Port over G201, G202

* precommit

* WIP: jwt-decode-without-verify rule (#350)

* add jwt-decode-without-verify rule

* Update jwt-decode-without-verify rule

* Add example for jwt-decode-without-verify

* Add missing keys for jwt-decode-without-verify

Co-authored-by: minusworld <grayson@returntocorp.com>
Co-authored-by: Ulzii <ulzii@returntocorp.com>

* New Published Rules - python.smells.unchecked-returns.unchecked-subprocess.call (#351)

* add python/smells/unchecked-returns/unchecked-subprocess/call.py

* add python/smells/unchecked-returns/unchecked-subprocess/call.yaml

* fix test

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: Ulzii Otgonbaatar <ulzii@returntocorp.com>

* consolidate rules (#396)

* Update unchecked-returns.yaml

Co-authored-by: Isaac Evans <ine@mit.edu>

* New Published Rules - java.security.audit.insecure-trust-manager (#403)

* add java/security/audit/insecure-trust-manager.java

* add java/security/audit/insecure-trust-manager.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* Add spawn-git-clone rule (#404)

* New Published Rules - java.security.audit.spring-cookie-missing-secure-flag (#383)

* add java/security/audit/spring-cookie-missing-secure-flag.java

* add java/security/audit/spring-cookie-missing-secure-flag.yaml

* Add metadata. Add better message.

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.audit.spring-cookie-missing-httponly (#386)

* add java/security/audit/spring-cookie-missing-httponly.java

* add java/security/audit/spring-cookie-missing-httponly.yaml

* Add metadata. Add better check message.

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - python.requests.best-practice.use-timeout (#408)

* add python/requests/best-practice/use-timeout.py

* add python/requests/best-practice/use-timeout.yaml

* Update rule message

* Added false positive patterns to filter out based on platform run.

* Switch approaches to specify methods to catch, rather than filtering methods

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - python.requests.security.no-auth-over-http (#410)

* add python/requests/security/no-auth-over-http.py

* add python/requests/security/no-auth-over-http.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - python.flask.security.audit.secure-set-cookie (#412)

* add python/flask/security/audit/secure-set-cookie.py

* add python/flask/security/audit/secure-set-cookie.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - python.boto3.security.hardcoded-token (#414)

* add python/boto3/security/hardcoded-token.py

* add python/boto3/security/hardcoded-token.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.audit.insecure-hostname-verifier (#406)

* add java/security/audit/insecure-hostname-verifier.java

* add java/security/audit/insecure-hostname-verifier.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.crypto.no-static-initialization-vector (#382)

* add java/security/crypto/no-static-initialization-vector.java

* add java/security/crypto/no-static-initialization-vector.yaml

* Add True Negative test case

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G102 (#411)

* Port over G102

* Added True Negative test

* Added bind_default test case to bind_all.go to run test in CI

Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G106 (#417)

* Port over G106

* Added True Negative test case

Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - go.gosec.unsafe (#418)

* add go/gosec/unsafe.go

* add go/gosec/unsafe.yaml

* use hyphen and add inline ruleid for CI test

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: Ulzii Otgonbaatar <ulzii@returntocorp.com>

* Port over bad imports check G501-G505 (#377)

* Port over bad imports check G501-G505

* inline for des.go

* rename test go file

* Port G301, G302, G306 (#381)

* Port over G305 (#407)

* Port over G305

* add ruleid

* add true negative

* Port over G303 (#409)

* Port over G303

* adding tempfile tn

* New check for Java: DefaultHttpClient is deprecated (#398)

* add java/security/audit/defaulthttpclient-is-deprecated.java

* add java/security/audit/defaulthttpclient-is-deprecated.yaml

* Added test annotations; updated check message

* Add metadata

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - java.sql.security.audit.formatted-sql-string (#426)

* add java/sql/security/audit/formatted-sql-string.java

* add java/sql/security/audit/formatted-sql-string.yaml

* Updated owasp metadata field

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.audit.avoid-implementing-custom-digests (#395)

* add java/security/audit/avoid-implementing-custom-digests.java

* add java/security/audit/avoid-implementing-custom-digests.yaml

* Add metadata.

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Port over G110 (#415)

* New Published Rules - python.flask.wtf-csrf-disabled (#432)

* add python/flask/wtf-csrf-disabled.py

* add python/flask/wtf-csrf-disabled.yaml

Co-authored-by: Drew Dennison <drew@drewdennison.com>

* add path-join-resolve-traversal rule (#427)

Co-authored-by: minusworld <grayson@returntocorp.com>

* Catalog and label everything (#468)

* - Begin process of cataloging and labeling everything.
- Moved Go jwt checks to go/jwt-go/security/.
- Moved Go overflow checks to go/correctness/overflow/.
- Moved gosec crypto checks to go/crypto/security/audit/.
- Moved gosec html-template checks to go/net/security/audit/.
- Moved Go net/ checks to go/net/security/audit/.
- Fixed Go integer overflow check, which was not being tested in CI and was hitting FPs due to an indentation error.

* - Moved C goto-fail to c/correctness/.
- Moved Go gorilla checks to gorilla/security/audit/.

* - Moved Go gosec/tls_ssl_blacklist/* to crypto/security/audit/.
- Moved Go gosec/socket to net/security/audit/.

* Renamed pprof tests so that at least one of them gets picked up by CI

* - Moved gosec bad_imports to crypto/security/audit/.
- Moved gosec sql to database/security/audit.
- Moved gosec pprof to net/security/audit.

* - Broke out basic-rules into 'eqeq' and 'assignment-comparison'.
- Moved the above to correctness/.
- Switched security/crypto/ to be crypto/security/.
- Moved Spring-specific checks into spring/.

* - Added tests for hardcoded-config.
- Categorized all framework checks into one of security, correctness, or best-practice.
- Moved smells/ checks into correctness or best-practice.
- Moved wtf-python checks into correctness.
- Moved top-level Python checks into appropriate categories or domains.
- Moved top-level Flask checks into categories.
- Created flask/experimental/ which contains WIP checks.

* - Properly added java/correctness/eqeq

* Added secure-session-cookies check for Flask back in, which probably got dropped amidst the shuffle.

* - Added test for flask/security/audit/app-run-param-config

* - Renamed python eqeq-is-bad to useless-eqeq
- Moved some python/deadcode checks into correctness
- Reorganized python/django into categories.
- Further specified types of injection in django/security/finding/injection
- "Vulnerability" category is now called "finding". Checks will show up as 'python.django.security.finding.open-redirect'

* - Moved smells/ to best-practice/.
- Moved deadcode/ to correctness/.
- Moved JWT token checks into folders that represent the library they are checking: jose, jsonwebtoken, and passport-jwt
- Moved git check to security/finding/

* - Moved python/sqlalchemy checks into categories

* - Renamed go/antipatterns to go/best-practice.
- Moved deprecated/ into maintainability/deprecated/ for all languages and frameworks.
- Moved deadcode into maintainability.

* - Moved language and 'stdlib' type checks into lang/[category].

* - Moved c/correctness/ to c/lang/correctness/

* - Moved all checks in anything under security/finding/ to just security/.

* Merged with develop and moved checks into appropriate places

* Fix conn_recv

* Updated test annotations for go pprof check

* Updated test annotations for flask hardcoded configs

Co-authored-by: grayson <grayson@starnomaddigital.com>

* Standardize file extensions and other terms (#479)

* - Standardized on 'yaml' file extension instead of 'yml'.

* - Standardized on 'javascript' as the language for JavaScript checks instead of 'js'.

* add url-rewriting rule (#477)

Co-authored-by: minusworld <grayson@returntocorp.com>

* add xml-decoder rule (#476)

* New Published Rules - java.security.audit.weak-ssl-context (#402)

* add java/security/audit/weak-ssl-context.java

* add java/security/audit/weak-ssl-context.yaml

* Add test case for TLS1.3

* Filter out TLS1.3

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* add bad-hexa-conversion rule (#475)

* add unvalidated-redirect rule (#474)

* add unencrypted-socket rule (#473)

* - Moved weak-ssl-context to java/lang/security/audit/ (#480)

* add crlf-injection-logs rule (#471)

* New Published Rules - python.flask.security.unescaped-template-extension (#413)

* add python/flask/security/unescaped-template-extension.py

* add python/flask/security/unescaped-template-extension.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Pulled out metadata. Got rid of left-hand-side of check to detect more cases.

* New Published Rules - java.lang.security.audit.jdbc-sql-formatted-string (#483)

* add java/lang/security/audit/jdbc-sql-formatted-string.java

* add java/lang/security/audit/jdbc-sql-formatted-string.yaml

* Update jdbc-sql-formatted-string.yaml

* Update jdbc-sql-formatted-string.java

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: Vasilii Ermilov <inkz@xakep.ru>

* Create update-semgrep-live.yml

* Label Security Rules (#488)

* - Added CWEs, OWASPs, and sometimes references to all security rules for Java, JavaScript, and Go.

* - Added CWEs, OWASPs, and references to Python security rules.

* - Updated go/lang/security/audit/net/bind_all.yaml

* Updated python/django/security/injection/code/user-exec-format-string.yaml with CWE and OWASP

* Add a script for calculating OWASP and CWE stats

* Add OWASP and CWE to rules that were missing one.

* After merge with develop, add CWEs and OWASPs for rules without them.

* Fix per_framework layout

* Fixed tests failing due to underscore instead of hyphen

* Update OWASP to A7

* Updated OWASP to A2

* Updated CWE798 to OWASP A2

* nodejsscan rules 2020-05-12 (#481)

* nodejsscan rules 2020-05-12

* move rules and tests to same directory

* fixed test

* Moved nodejsscan to contrib/ folder to match testing plan. (#490)

* add script-engine-injection rule (#485)

* add script-engine-injection rule

* Added metadata and moved message link to metadata

Co-authored-by: minusworld <grayson@returntocorp.com>

* Add FindSec Java weak hash func checks (#487)

* Add FindSec Java weak hash func checks

* Underscores to hyphens

Co-authored-by: minusworld <grayson@returntocorp.com>

* add ldap-injection rule (#489)

* add ldap-injection rule

* Added metadata and moved message link to metadata

Co-authored-by: minusworld <grayson@returntocorp.com>

* add el-injection rule (#491)

Co-authored-by: minusworld <grayson@returntocorp.com>

* Add owasp

* add spel-injection rule (#492)

* add spel-injection rule

* Add owasp. Change underscores to hyphens

Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.audit.anonymous-ldap-bind (#464)

* add java/security/audit/anonymous-ldap-bind.java

* add java/security/audit/anonymous-ldap-bind.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* Java LDAP poisoning check (#494)

* Java LDAP poisoning check

* address CWE

* New Published Rules - java.security.servletresponse-writer-xss (#496)

* add java/security/servletresponse-writer-xss.java

* add java/security/servletresponse-writer-xss.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* Cipher in ECB mode check (#501)

* Cipher in ECB mode check

* Typo

Co-authored-by: minusworld <grayson@returntocorp.com>

* RSA weak key check (#497)

* RSA no padding check (#499)

* RSA no padding check

* Add owasp

Co-authored-by: minusworld <grayson@returntocorp.com>

* Update message to include bit about not including integrity check.

* New Published Rules - java.security.audit.desede-is-deprecated (#498)

* add java/security/audit/desede-is-deprecated.java

* add java/security/audit/desede-is-deprecated.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Moved some stray Java checks to lang/ (#502)

* New Published Rules - java.security.finding.jax-rs-path-traversal (#430)

* add java/security/finding/jax-rs-path-traversal.java

* add java/security/finding/jax-rs-path-traversal.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - java.security.audit.object-deserialization (#431)

* add java/security/audit/object-deserialization.java

* add java/security/audit/object-deserialization.yaml

* Add check message

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* New Published Rules - java.security.finding.httpservlet-path-traversal (#429)

* add java/security/finding/httpservlet-path-traversal.java

* add java/security/finding/httpservlet-path-traversal.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - java.security.audit.xssrequestwrapper-is-insecure (#466)

* add java/security/audit/xssrequestwrapper-is-insecure.java

* add java/security/audit/xssrequestwrapper-is-insecure.yaml

* Add reference in check message.

* Add test annotations

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Add check for java: blowfish-insufficient-key-size. (#467)

* Add check for java: blowfish-insufficient-key-size.

* Add test annotations

Co-authored-by: grayson <grayson@starnomaddigital.com>

* New Published Rules - java.security.audit.insecure-smtp-connection (#465)

* add java/security/audit/insecure-smtp-connection.java

* add java/security/audit/insecure-smtp-connection.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* New Published Rules - java.security.audit.http-response-splitting (#463)

* add java/security/audit/http-response-splitting.java

* add java/security/audit/http-response-splitting.yaml

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>

* Shuffled Java checks around to match new registry layout. These were merged in by PRs that were ~2 weeks old, so they missed the reshuffle last week. (#506)

* (Linter assisted) Prune equivalent rules from httpresponse.yaml (#504)

* New Published Rules - java.security.audit.cbc-padding-oracle (#500)

* add java/security/audit/cbc-padding-oracle.java

* add java/security/audit/cbc-padding-oracle.yaml

* Update check message about CBC mode not including integrity check

* Pulled out cipher getInstance mode and now analyze for CBC mode in pattern-where-python

Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Add check for des-is-deprecated (#515)

* Add check for des-is-deprecated. https://github.com/returntocorp/semgrep-rules/issues/444

* Fix des-is-deprecated

* add ognl-injection rule (#505)

* add ognl-injection rule

* Add owasp. Underscores to hyphens.

Co-authored-by: minusworld <grayson@returntocorp.com>

* semgrep --lint is clean now (#522)

* New Published Rules - python.lang.correctness.common-mistakes (#521)

* add python/lang/correctness/common-mistakes.py

* add python/lang/correctness/common-mistakes.yaml

* Move file to correct directory

* Placate test suite by using new hyphenated names

Co-authored-by: Russell Cohen <Russell Cohen>
Co-authored-by: Russell Cohen <russell.r.cohen@gmail.com>
Co-authored-by: minusworld <grayson@returntocorp.com>

* Add Pickle related deserialization checks (#516)

* Add Pickle related deserialization checks

* add CWE

* fix test

Co-authored-by: Isaac Evans <409041+ievans@users.noreply.github.com>
Co-authored-by: mschwager <mschwager@users.noreply.github.com>
Co-authored-by: minusworld <locrian.vii@gmail.com>
Co-authored-by: Ulzii <ulzii@returntocorp.com>
Co-authored-by: Nathaniel Brahms <nbrahms@users.noreply.github.com>
Co-authored-by: minusworld <grayson@returntocorp.com>
Co-authored-by: Brendon Go <brendon.go@gmail.com>
Co-authored-by: Vasilii Ermilov <inkz@xakep.ru>
Co-authored-by: Yoann Padioleau <pad@returntocorp.com>
Co-authored-by: sgrep-live-pr-bot[bot] <63393893+sgrep-live-pr-bot[bot]@users.noreply.github.com>
Co-authored-by: sgrep.live-bot <sgrep@r2c.dev>
Co-authored-by: Isaac Evans <ine@mit.edu>
Co-authored-by: grayson <grayson@starnomaddigital.com>
Co-authored-by: semgrep-live-pr-bot[bot] <63393893+semgrep-live-pr-bot[bot]@users.noreply.github.com>
Co-authored-by: Ajin Abraham <ajin25@gmail.com>
Co-authored-by: Russell Cohen <russell.r.cohen@gmail.com>