Metavariable patterns #3257
Comments
@kiwiz thanks for this feedback. We have a different solution in mind for cases like this that I wonder if you found in the experiments section of the docs: taint mode. https://semgrep.dev/docs/experiments/overview/#taint-tracking. Would be curious for your feedback!
@ievans Oh, good point! I've played around with taint tracing, but I haven't used it for any real rules yet. After some consideration, I think that isn't quite what I'm looking for (in this specific case) as I don't have any specific sources in mind - I just want to discourage this pattern.
metavariable-pattern is now supported in semgrep-core! It just remains a little bit of work
NOTE: This is only available via semgrep-core (requires --optimizations)! Closes #3257
test plan:
semgrep --config semgrep-core/tests/OTHER/rules/metavar_pattern_nested.yaml \
semgrep-core/tests/OTHER/rules/metavar_pattern_nested.py
#^ works!
Is your feature request related to a problem? Please describe.
Let's say I'm looking for calls to the following functions:
sqlx.Get($_X, $_Y, $QUERY, ...)
$OBJ.Get($_X, $QUERY, ...)
I'd like to be able to match cases where $QUERY is an expression like:
$X + $Y
fmt.Sprintf("...", $X)
Describe the solution you'd like
It'd be nice to be able to define patterns that $QUERY must match in a concise way.
Describe alternatives you've considered
It's possible to work around this by just enumerating all the cases - for the example above, we'd have:
sqlx.Get($_X, $_Y, $X + $Y, ...)
sqlx.Get($_X, $_Y, fmt.Sprintf("...", $X), ...)
$OBJ.Get($_X, $X + $Y, ...)
$OBJ.Get($_X, fmt.Sprintf("...", $X), ...)
... but this gets unwieldy as more clauses are introduced.
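The operator this thread converges on, written out as a complete rule for the Go case described above. This is an added example, not a rule posted in the issue or taken from Semgrep's test suite; the rule id, message and the sample Go lines in the comments are my own assumptions.

```yaml
rules:
  - id: get-with-dynamic-query   # assumed id, not from the issue
    languages: [go]
    severity: WARNING
    message: >-
      Query argument to Get() is built at runtime (string concatenation or
      fmt.Sprintf). Prefer a fixed query with bound parameters.
    patterns:
      # Outer shape: the two call forms from the issue, matched once each
      # instead of once per query shape.
      - pattern-either:
          - pattern: sqlx.Get($_X, $_Y, $QUERY, ...)
          - pattern: $OBJ.Get($_X, $QUERY, ...)
      # Inner constraint on what $QUERY was bound to. This is the
      # metavariable-pattern operator; it replaces the enumerated
      # cross-product of patterns listed under "alternatives".
      - metavariable-pattern:
          metavariable: $QUERY
          patterns:
            - pattern-either:
                - pattern: $X + $Y
                - pattern: fmt.Sprintf("...", $X)

# Constructed Go input the rule was checked against (not from the issue):
#   db.Get(&u, "SELECT * FROM users WHERE id = " + id)             // flagged
#   sqlx.Get(db, &u, fmt.Sprintf("SELECT * FROM t WHERE id = %s", id)) // flagged
#   db.Get(&u, "SELECT * FROM users WHERE id = $1", id)             // not flagged
```

Two limits worth knowing: `$X + $Y` is any binary plus, so numeric arithmetic in the query position is flagged too, and a query assembled earlier and passed in as a plain variable is not matched at all, which is the gap the taint-mode suggestion above is aimed at.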