
Metavariable patterns #3257

Closed
kiwiz opened this issue Jun 2, 2021 · 3 comments · Fixed by #3292
Assignees
Labels
enhancement New feature or request user:external requested by someone outside of r2c

Comments

@kiwiz

kiwiz commented Jun 2, 2021

Is your feature request related to a problem? Please describe.

Let's say I'm looking for calls to the following functions:

  • sqlx.Get($_X, $_Y, $QUERY, ...)
  • $OBJ.Get($_X, $QUERY, ...)

I'd like to be able to match cases where $QUERY is an expression like:

  • $X + $Y
  • fmt.Sprintf("...", $X)
  • etc

Describe the solution you'd like

It'd be nice to be able to define patterns that $QUERY must match in a concise way.

Describe alternatives you've considered

It's possible to work around this by just enumerating all the cases - for the example above, we'd have:

  • sqlx.Get($_X, $_Y, $X + $Y, ...)
  • sqlx.Get($_X, $_Y, fmt.Sprintf("...", $X), ...)
  • $OBJ.Get($_X, $X + $Y, ...)
  • $OBJ.Get($_X, fmt.Sprintf("...", $X), ...)

... but this gets unwieldy as more clauses are introduced.

@ievans
Member

ievans commented Jun 2, 2021

@kiwiz thanks for this feedback. We have a different solution in mind for cases like this that I wonder if you found in the experiments section of the docs: taint mode. https://semgrep.dev/docs/experiments/overview/#taint-tracking. Would be curious for your feedback!

@emjin emjin added enhancement New feature or request user:external requested by someone outside of r2c labels Jun 3, 2021
@kiwiz
Author

kiwiz commented Jun 3, 2021

@ievans Oh, good point! I've played around with taint tracing, but I haven't used it for any real rules yet. After some consideration, I think that isn't quite what I'm looking for (in this specific case) as I don't have any specific sources in mind - I just want to discourage this pattern.

@aryx
Collaborator

aryx commented Jun 5, 2021

metavariable-pattern is now supported in semgrep-core! It just remains a little bit of work to make it available in the semgrep python wrapper.
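The rule the request above asks for, written with the metavariable-pattern operator this comment announces. This is an added example, not a rule from the issue or from the semgrep repository: the rule id, message and the Go lines in the trailing comments are constructed, and the nesting (a pattern-either under metavariable-pattern) is assumed from the operator's documented shape. It generalizes the request slightly by allowing extra arguments after the first Sprintf argument.

```yaml
# Added example (not from the issue or the semgrep project).
# The two call shapes from the request stay in the outer patterns; the
# constraint on $QUERY lives in one metavariable-pattern block instead of
# being multiplied into every outer/inner combination.
rules:
  - id: sqlx-get-dynamic-query        # constructed id
    languages: [go]
    severity: WARNING
    message: >-
      Query passed to Get() is assembled at runtime ($QUERY). Prefer a
      constant query string with bound parameters.
    patterns:
      # Outer patterns: the call sites of interest
      - pattern-either:
          - pattern: sqlx.Get($_X, $_Y, $QUERY, ...)
          - pattern: $OBJ.Get($_X, $QUERY, ...)
      # Inner constraint: the expression bound to $QUERY must itself
      # match one of these shapes
      - metavariable-pattern:
          metavariable: $QUERY
          pattern-either:
            - pattern: $X + $Y
            - pattern: fmt.Sprintf("...", $X, ...)

# Constructed Go target to try the rule against (not from the page):
#   sqlx.Get(db, &u, "SELECT * FROM users WHERE name = '" + name + "'") // flagged
#   db.Get(&u, fmt.Sprintf("SELECT * FROM users WHERE id = %d", id))    // flagged
#   db.Get(&u, "SELECT * FROM users WHERE id = $1", id)                 // not flagged
```

Run it as `semgrep --config rule.yaml target.go`; per the commit referenced later in this thread, at the time it was merged the operator was only reachable through semgrep-core with `--optimizations`. Adding a third query shape later means one more line under the inner pattern-either rather than two more outer patterns.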

IagoAbal added a commit that referenced this issue Jun 7, 2021
NOTE: This is only available via semgrep-core (requires --optimizations)!

Closes #3257

test plan:
semgrep --config semgrep-core/tests/OTHER/rules/metavar_pattern_nested.yaml \
    semgrep-core/tests/OTHER/rules/metavar_pattern_nested.py
    #^ works!
@aryx aryx closed this as completed in #3292 Jun 7, 2021
aryx pushed a commit that referenced this issue Jun 7, 2021

5 participants