From 3c6c86727268e59d50d6438673e846c85eaadaa2 Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:28:12 +0100 Subject: [PATCH 1/8] add prettier linter, fix job ids --- .github/workflows/semgrep-rules-format.yml | 21 +++++++++++++++++++ .github/workflows/semgrep-rules-test.yml | 2 +- .github/workflows/update-semgrep-registry.yml | 2 +- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/semgrep-rules-format.yml diff --git a/.github/workflows/semgrep-rules-format.yml b/.github/workflows/semgrep-rules-format.yml new file mode 100644 index 0000000..a110f0d --- /dev/null +++ b/.github/workflows/semgrep-rules-format.yml @@ -0,0 +1,21 @@ +name: semgrep-rules-format +on: + pull_request: + push: + branches: + - main +jobs: + semgrep-rules-format: + name: run semgrep rules format + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: "npm" + # Use this file as the cache-dependency-path because the dependencies + # are manually specified below, and not in a package-lock.json + cache-dependency-path: .github/workflows/semgrep-rules-format.yml + - run: npm install --global prettier + - run: prettier --check './**/*.{yaml,yml}' diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index 3e7482d..2df7b4c 100644 --- a/.github/workflows/semgrep-rules-test.yml +++ b/.github/workflows/semgrep-rules-test.yml @@ -5,7 +5,7 @@ on: branches: - main jobs: - build: + semgrep-rules-test: name: run semgrep rules tests runs-on: ubuntu-latest steps: diff --git a/.github/workflows/update-semgrep-registry.yml b/.github/workflows/update-semgrep-registry.yml index b10be5d..a6b4d92 100644 --- a/.github/workflows/update-semgrep-registry.yml +++ b/.github/workflows/update-semgrep-registry.yml @@ -4,7 +4,7 @@ on: branches: - main jobs: - build: + update-semgrep-registry: name: Update semgrep.dev runs-on: ubuntu-latest steps: 
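Review bot: `npm install --global prettier` in the new semgrep-rules-format workflow is unpinned, so every run — including runs triggered by external pull requests via the `pull_request` event — executes whatever prettier release and transitive dependencies the npm registry serves at that moment, and the `cache: "npm"` keyed on this workflow file cannot make that reproducible. Pin an exact version, `- run: npm install --global prettier@<X.Y.Z>`, matching the release used to format the rules, and consider pinning `actions/checkout@v4` and `actions/setup-node@v4` to full commit SHAs, since version tags are mutable. The workflow also declares no `permissions:` block; a read-only format check should set `permissions: { contents: read }` at the top so the default GITHUB_TOKEN is least-privilege rather than inheriting the repository default. The job-id renames in the other two hunks are cosmetic and need no change.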
From c12bb5b7bf893466c24bdad5b234dcd3ad3b42df Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:30:27 +0100 Subject: [PATCH 2/8] prettify all rules, add git-blame exception --- .git-blame-ignore-revs | 1 + go/anonymous-race-condition.yaml | 166 +++++------ go/hanging-goroutine.yaml | 250 ++++++++--------- go/invalid-usage-of-modified-variable.yaml | 81 +++--- go/iterate-over-empty-map.yaml | 92 +++--- go/missing-runlock-on-rwmutex.yaml | 68 ++--- go/missing-unlock-before-return.yaml | 72 ++--- go/nil-check-after-call.yaml | 148 +++++----- go/racy-append-to-slice.yaml | 86 +++--- go/racy-write-to-map.yaml | 58 ++-- ...ercodec-readrequestbody-unhandled-nil.yaml | 68 ++--- go/string-to-int-signedness-cast.yaml | 263 +++++++++--------- go/sync-mutex-value-copied.yaml | 67 +++-- go/unsafe-dll-loading.yaml | 81 +++--- go/waitgroup-add-called-inside-goroutine.yaml | 85 +++--- go/waitgroup-wait-inside-loop.yaml | 140 +++++----- .../apollo-graphql/schema-directives.yaml | 6 +- python/automatic-memory-pinning.yaml | 42 +-- python/lxml-in-pandas.yaml | 74 ++--- python/numpy-distutils.yaml | 37 ++- python/numpy-f2py-compile.yaml | 37 ++- python/numpy-in-pytorch-datasets.yaml | 48 ++-- python/numpy-in-pytorch-modules.yaml | 40 +-- python/numpy-load-library.yaml | 39 ++- python/onnx-session-options.yaml | 43 ++- python/pickles-in-numpy.yaml | 64 ++--- python/pickles-in-pandas.yaml | 58 ++-- python/pickles-in-pytorch-distributed.yaml | 44 +-- python/pickles-in-pytorch.yaml | 50 ++-- python/pytorch-classes-load-library.yaml | 36 +-- python/pytorch-package.yaml | 34 +-- python/pytorch-tensor.yaml | 26 +- python/scikit-joblib-load.yaml | 40 +-- python/tarfile-extractall-traversal.yaml | 70 ++--- python/tensorflow-load-library.yaml | 45 ++- python/waiting-with-pytorch-distributed.yaml | 45 ++- rs/panic-in-function-returning-result.yaml | 88 +++--- 37 files changed, 1340 insertions(+), 1352 deletions(-) create mode 100644 .git-blame-ignore-revs 
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 0000000..8a9c6a9 --- /dev/null +++ b/.git-blame-ignore-revs @@ -0,0 +1 @@ +# Formatted Semgrep YAML files using prettier diff --git a/go/anonymous-race-condition.yaml b/go/anonymous-race-condition.yaml index e644679..3bcf075 100644 --- a/go/anonymous-race-condition.yaml +++ b/go/anonymous-race-condition.yaml 
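Review bot: The new `.git-blame-ignore-revs` holds only the comment `# Formatted Semgrep YAML files using prettier` and no commit hash, so as committed it ignores nothing; the SHA of the formatting commit has to be appended afterwards, presumably in a later patch of this series since a commit cannot reference its own hash. A one-line note in the file, e.g. `# Enable locally with: git config blame.ignoreRevsFile .git-blame-ignore-revs`, would help contributors, as plain `git blame` does not read this file by default while GitHub's blame view does. The remaining hunks of this patch are whitespace-only reindentation of the rule files, as expected from prettier.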
@@ -1,25 +1,77 @@ rules: -- id: anonymous-race-condition - message: >- - Possible race condition due to memory aliasing of variable `$X` - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" - subcategory: [vuln] - confidence: MEDIUM - likelihood: HIGH - impact: MEDIUM - technology: [--no-technology--] - description: "Race conditions within anonymous goroutines" - references: - - https://github.com/golang/go/wiki/CommonMistakes#using-goroutines-on-loop-iterator-variables + - id: anonymous-race-condition + message: >- + Possible race condition due to memory aliasing of variable `$X` + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" + subcategory: [vuln] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: [--no-technology--] + description: "Race conditions within anonymous goroutines" + references: + - https://github.com/golang/go/wiki/CommonMistakes#using-goroutines-on-loop-iterator-variables - patterns: - - pattern-either: - - pattern: | - for $Y, $X := range ... { + patterns: + - pattern-either: + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $FOO(..., $X, ...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $FOO(..., $Y, ...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $X(...) + ... + }(...) + ... + } + - pattern: | + for $X:=...;$Y;$Z { + ... + go func(...) { + ... + $FOO(..., $X,...) + ... + }(...) + ... + } + - pattern: | + for $Y, $X := range ... { + ... + go func(...){ + ... + $X. ... .$M(...) + ... + }(...) + ... + } + - pattern-not: | + for ..., $X := range ... { + ... + ..., $X := ..., $X ... go func(...){ ... 
@@ -28,77 +80,25 @@ rules: }(...) ... } - - pattern: | - for $Y, $X := range ... { - ... - go func(...){ - ... - $FOO(..., $Y, ...) - ... - }(...) - ... - } - - pattern: | - for $Y, $X := range ... { - ... - go func(...){ + - pattern-not: | + for ..., $X := range ... { ... - $X(...) - ... - }(...) - ... - } - - pattern: | - for $X:=...;$Y;$Z { - ... - go func(...) { + $X, ... := $X, ... ... - $FOO(..., $X,...) + go func(...){ + ... + $FOO(..., $X, ...) + ... + }(...) ... - }(...) - ... } - - pattern: | + - pattern-not: | for $Y, $X := range ... { ... - go func(...){ - ... - $X. ... .$M(...) - ... - }(...) - ... - } - - pattern-not: | - for ..., $X := range ... { - ... - ..., $X := ..., $X - ... - go func(...){ - ... - $FOO(..., $X, ...) - ... - }(...) - ... - } - - pattern-not: | - for ..., $X := range ... { - ... - $X, ... := $X, ... + $Y, $X := $Y, $X ... go func(...){ ... - $FOO(..., $X, ...) - ... }(...) ... - } - - pattern-not: | - for $Y, $X := range ... { - ... - $Y, $X := $Y, $X - ... - go func(...){ - ... - }(...) - ... - } + } diff --git a/go/hanging-goroutine.yaml b/go/hanging-goroutine.yaml index 05b7e45..a0a5bd5 100644 --- a/go/hanging-goroutine.yaml +++ b/go/hanging-goroutine.yaml 
@@ -1,155 +1,155 @@ rules: -- id: hanging-goroutine - message: >- - Potential goroutine leak due to unbuffered channel send inside loop or unbuffered channel receive in select block - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-833: Deadlock" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: LOW - technology: [--no-technology--] - description: "Goroutine leaks" - references: - - https://blog.trailofbits.com/2021/11/08/discovering-goroutine-leaks-with-semgrep + - id: hanging-goroutine + message: >- + Potential goroutine leak due to unbuffered channel send inside loop or unbuffered channel receive in select block + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-833: Deadlock" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: LOW + technology: [--no-technology--] + description: "Goroutine leaks" + references: + - https://blog.trailofbits.com/2021/11/08/discovering-goroutine-leaks-with-semgrep - patterns: - - pattern-either: - - pattern: | - for ... { - ... - go func(...) { + patterns: + - pattern-either: + - pattern: | + for ... { + ... + go func(...) { + ... + $CHANNEL <- $VAL + ... + }(...) + } ... - $CHANNEL <- $VAL + $Y = <- $CHANNEL ... - }(...) - } - ... - $Y = <- $CHANNEL - ... - - pattern: | - for ... { - ... - go func(...) { + - pattern: | + for ... { + ... + go func(...) { + ... + $CHANNEL <- $VAL + ... + }(...) + } ... - $CHANNEL <- $VAL + $Y := <- $CHANNEL ... - }(...) - } - ... - $Y := <- $CHANNEL - ... - - pattern: | - for ... { - ... - go func(...) { + - pattern: | + for ... { + ... + go func(...) { + ... + $CHANNEL <- $VAL + ... + }(...) + } ... - $CHANNEL <- $VAL + return <- $CHANNEL + - pattern: | + for ... { + ... + go func(...) { + ... + select { + case ... + case $CHANNEL <- $VAL: ... + case ... + } + ... + }(...) ... - }(...) - } - ... - return <- $CHANNEL - - pattern: | + } + ... 
+ return <- $CHANNEL + - pattern: | + go func(...){ + ... + $CHANNEL <- $X + ... + }(...) + ... + select { + case ... + case $Y = <- $CHANNEL: + ... + } + - pattern: | + go func(...){ + ... + $CHANNEL <- $X + ... + }(...) + ... + select { + case ... + case $Y := <- $CHANNEL: + ... + } + - pattern: | + go func(...){ + ... + $CHANNEL <- $X + ... + }(...) + ... + select { + case ... + case <- $CHANNEL: + ... + } + - pattern: | + go func(...){ + ... + $CHANNEL <- $X + ... + }(...) + ... + select { + case ... + case $Y <- $CHANNEL: + ... + } + - pattern-not: | for ... { ... go func(...) { ... - select { - case ... - case $CHANNEL <- $VAL: ... - case ... - } + $CHANNEL <- $VAL ... }(...) - ... } ... - return <- $CHANNEL - - pattern: | - go func(...){ - ... - $CHANNEL <- $X - ... - }(...) + $Y = <- $CHANNEL ... - select { - case ... - case $Y = <- $CHANNEL: + - pattern-inside: | + $CHANNEL := make(...) ... - } - - pattern: | - go func(...){ - ... - $CHANNEL <- $X - ... - }(...) + - pattern-not-inside: | ... select { case ... - case $Y := <- $CHANNEL: - ... - } - - pattern: | - go func(...){ + case ...: ... - $CHANNEL <- $X + ... =<- $CHANNEL ... - }(...) - ... - select { - case ... - case <- $CHANNEL: - ... } - - pattern: | - go func(...){ - ... - $CHANNEL <- $X - ... - }(...) + - pattern-not-inside: | ... select { case ... - case $Y <- $CHANNEL: - ... - } - - pattern-not: | - for ... { - ... - go func(...) { + case ...: ... - $CHANNEL <- $VAL + <-$CHANNEL ... - }(...) - } - ... - $Y = <- $CHANNEL - ... - - pattern-inside: | - $CHANNEL := make(...) - ... - - pattern-not-inside: | - ... - select { - case ... - case ...: - ... - ... =<- $CHANNEL - ... - } - - pattern-not-inside: | - ... - select { - case ... - case ...: - ... - <-$CHANNEL + } + - pattern-not-inside: | + $CHANNEL := make(..., $T) ... - } - - pattern-not-inside: | - $CHANNEL := make(..., $T) - ... 
diff --git a/go/invalid-usage-of-modified-variable.yaml b/go/invalid-usage-of-modified-variable.yaml index 7f631e8..6db447f 100644 --- a/go/invalid-usage-of-modified-variable.yaml +++ b/go/invalid-usage-of-modified-variable.yaml 
@@ -1,44 +1,43 @@ rules: -- id: invalid-usage-of-modified-variable - message: >- - Variable `$X` is likely modified and later used on error. In some cases this could result - in panics due to a nil dereference - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-665: Improper Initialization" - subcategory: [audit] - confidence: HIGH - likelihood: MEDIUM - impact: MEDIUM - technology: [--no-technology--] - description: "Possible unintentional assignment when an error occurs" - references: - - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ + - id: invalid-usage-of-modified-variable + message: >- + Variable `$X` is likely modified and later used on error. In some cases this could result + in panics due to a nil dereference + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-665: Improper Initialization" + subcategory: [audit] + confidence: HIGH + likelihood: MEDIUM + impact: MEDIUM + technology: [--no-technology--] + description: "Possible unintentional assignment when an error occurs" + references: + - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ - patterns: - - pattern: | - ..., $X, ..., $ERR = ... - if $ERR != nil { - ... - <... $X.$Y ...> - } + patterns: + - pattern: | + ..., $X, ..., $ERR = ... + if $ERR != nil { + ... + <... $X.$Y ...> + } - - pattern-not: | - ..., $X, ..., $ERR = ... - if $ERR != nil { - ... - $X, ... = ... - ... - <... $X.$Y ...> - } - - pattern-not: | - ..., $X, ..., $ERR = ... - if $ERR != nil { - ... - $X = ... - ... - <... $X.$Y ...> - } - \ No newline at end of file + - pattern-not: | + ..., $X, ..., $ERR = ... + if $ERR != nil { + ... + $X, ... = ... + ... + <... $X.$Y ...> + } + - pattern-not: | + ..., $X, ..., $ERR = ... + if $ERR != nil { + ... + $X = ... + ... + <... $X.$Y ...> + } diff --git a/go/iterate-over-empty-map.yaml b/go/iterate-over-empty-map.yaml index ded1426..8086e72 100644 --- a/go/iterate-over-empty-map.yaml 
+++ b/go/iterate-over-empty-map.yaml 
@@ -1,49 +1,47 @@ rules: -- id: iterate-over-empty-map - message: >- - Iteration over a possibly empty map `$C`. This is likely a bug or redundant code - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-665: Improper Initialization" - subcategory: [audit] - confidence: MEDIUM - likelihood: LOW - impact: LOW - technology: [--no-technology--] - description: "Probably redundant iteration over an empty map" - references: - - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ - - patterns: - - pattern: | - $C = make(map[$T1] $T2, ...) - ... - for $K := range $C { ... } - - pattern-not: | - $C = make(map[$T1] $T2, ...) - ... - $C[$X] = $V - ... - for $K := range $C { ... } - - pattern-not: | - $C = make(map[$T1] $T2, ...) - ... - $C[$X]++ - ... - for $K := range $C { ... } - - pattern-not: | - $C = make(map[$T1] $T2, ...) - ... - $C[$X]-- - ... - for $K := range $C { ... } - - pattern-not: | - $C = make(map[$T1] $T2, ...) - ... - $CODEC.Unmarshal($BYTES, &$C) - ... - for $K := range $C { ... } + - id: iterate-over-empty-map + message: >- + Iteration over a possibly empty map `$C`. This is likely a bug or redundant code + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-665: Improper Initialization" + subcategory: [audit] + confidence: MEDIUM + likelihood: LOW + impact: LOW + technology: [--no-technology--] + description: "Probably redundant iteration over an empty map" + references: + - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ - \ No newline at end of file + patterns: + - pattern: | + $C = make(map[$T1] $T2, ...) + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X] = $V + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X]++ + ... + for $K := range $C { ... } + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $C[$X]-- + ... + for $K := range $C { ... 
} + - pattern-not: | + $C = make(map[$T1] $T2, ...) + ... + $CODEC.Unmarshal($BYTES, &$C) + ... + for $K := range $C { ... } diff --git a/go/missing-runlock-on-rwmutex.yaml b/go/missing-runlock-on-rwmutex.yaml index 170bbf8..d076278 100644 --- a/go/missing-runlock-on-rwmutex.yaml +++ b/go/missing-runlock-on-rwmutex.yaml 
@@ -1,36 +1,36 @@ rules: -- id: missing-runlock-on-rwmutex - message: >- - Missing `RUnlock` on an `RWMutex` lock before returning from a function - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-667: Improper Locking" - subcategory: [vuln] - confidence: MEDIUM - likelihood: HIGH - impact: MEDIUM - technology: [--no-technology--] - description: "Missing `RUnlock` on an `RWMutex` lock before returning from a function" - references: - - https://pkg.go.dev/sync#RWMutex - - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ + - id: missing-runlock-on-rwmutex + message: >- + Missing `RUnlock` on an `RWMutex` lock before returning from a function + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-667: Improper Locking" + subcategory: [vuln] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: [--no-technology--] + description: "Missing `RUnlock` on an `RWMutex` lock before returning from a function" + references: + - https://pkg.go.dev/sync#RWMutex + - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ - patterns: - - pattern-either: - - pattern: panic(...) - - pattern: return ... - - pattern-inside: | - $T.RLock() - ... - - pattern-not-inside: | - $T.RUnlock() - ... - - pattern-not-inside: | - defer $T.RUnlock() - ... - - pattern-not-inside: | - $FOO(..., ..., func(...) { - ... - }) + patterns: + - pattern-either: + - pattern: panic(...) + - pattern: return ... + - pattern-inside: | + $T.RLock() + ... + - pattern-not-inside: | + $T.RUnlock() + ... + - pattern-not-inside: | + defer $T.RUnlock() + ... + - pattern-not-inside: | + $FOO(..., ..., func(...) { + ... + }) diff --git a/go/missing-unlock-before-return.yaml b/go/missing-unlock-before-return.yaml index 5a70f45..4d45b6a 100644 --- a/go/missing-unlock-before-return.yaml +++ b/go/missing-unlock-before-return.yaml 
@@ -1,37 +1,37 @@ rules: -- id: missing-unlock-before-return - message: >- - Missing mutex unlock before returning from a function. - This could result in panics resulting from double lock operations - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-667: Improper Locking" - subcategory: [vuln] - confidence: MEDIUM - likelihood: HIGH - impact: MEDIUM - technology: [--no-technology--] - description: "Missing `mutex` unlock before returning from a function" - references: - - https://pkg.go.dev/sync#Mutex - - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ - - patterns: - - pattern-either: - - pattern: panic(...) - - pattern: return ... - - pattern-inside: | - $T.Lock() - ... - - pattern-not-inside: | - $T.Unlock() - ... - - pattern-not-inside: | - defer $T.Unlock() - ... - - pattern-not-inside: | - $FOO(..., ..., func(...) { - ... - }) + - id: missing-unlock-before-return + message: >- + Missing mutex unlock before returning from a function. + This could result in panics resulting from double lock operations + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-667: Improper Locking" + subcategory: [vuln] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: [--no-technology--] + description: "Missing `mutex` unlock before returning from a function" + references: + - https://pkg.go.dev/sync#Mutex + - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ + + patterns: + - pattern-either: + - pattern: panic(...) + - pattern: return ... + - pattern-inside: | + $T.Lock() + ... + - pattern-not-inside: | + $T.Unlock() + ... + - pattern-not-inside: | + defer $T.Unlock() + ... + - pattern-not-inside: | + $FOO(..., ..., func(...) { + ... + }) diff --git a/go/nil-check-after-call.yaml b/go/nil-check-after-call.yaml index 374ed9b..5da649c 100644 --- a/go/nil-check-after-call.yaml +++ b/go/nil-check-after-call.yaml 
@@ -1,75 +1,75 @@ rules: -- id: nil-check-after-call - message: Potential `$FOO` nil dereference when `$BAR` is called - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-253: Incorrect Check of Function Return Value" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: MEDIUM - technology: [--no-technology--] - description: "Possible nil dereferences" - references: - - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ - - patterns: - - pattern-either: - - pattern: | - $FOO.$BAR(...) - ... - if $FOO != nil { ... } - - pattern: | - $FOO.$BAR(...) - ... - if $FOO == nil { ... } - - pattern: | - $FUNC(..., $FOO.$BAR(...), ...) - ... - if $FOO != nil { ... } - - pattern: | - $FUNC(..., $FOO.$BAR(...), ...) - ... - if $FOO == nil { ... } - - pattern-not: | - $FOO.$BAR(...) - ... - $FOO = ... - ... - if $FOO != nil { ... } - - pattern-not: | - $FOO.$BAR(...) - ... - ..., $FOO, ... = ... - ... - if $FOO == nil { ... } - - pattern-not: | - $FOO.$BAR(...) - ... - ..., $FOO, ... = ... - ... - if $FOO != nil { ... } - - pattern-not: | - $FOO.$BAR(...) - ... - $FOO = ... - ... - if $FOO == nil { ... } - - pattern-not: | - ..., $FOO = $FOO.$BAR(...) - ... - if $FOO == nil { ... } - - pattern-not: | - ..., $FOO = $FOO.$BAR(...) - ... - if $FOO != nil { ... } - - pattern-not: | - $FOO = $FOO.$BAR(...) - ... - if $FOO == nil { ... } - - pattern-not: | - $FOO = $FOO.$BAR(...) - ... - if $FOO != nil { ... 
} + - id: nil-check-after-call + message: Potential `$FOO` nil dereference when `$BAR` is called + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-253: Incorrect Check of Function Return Value" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: [--no-technology--] + description: "Possible nil dereferences" + references: + - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ + + patterns: + - pattern-either: + - pattern: | + $FOO.$BAR(...) + ... + if $FOO != nil { ... } + - pattern: | + $FOO.$BAR(...) + ... + if $FOO == nil { ... } + - pattern: | + $FUNC(..., $FOO.$BAR(...), ...) + ... + if $FOO != nil { ... } + - pattern: | + $FUNC(..., $FOO.$BAR(...), ...) + ... + if $FOO == nil { ... } + - pattern-not: | + $FOO.$BAR(...) + ... + $FOO = ... + ... + if $FOO != nil { ... } + - pattern-not: | + $FOO.$BAR(...) + ... + ..., $FOO, ... = ... + ... + if $FOO == nil { ... } + - pattern-not: | + $FOO.$BAR(...) + ... + ..., $FOO, ... = ... + ... + if $FOO != nil { ... } + - pattern-not: | + $FOO.$BAR(...) + ... + $FOO = ... + ... + if $FOO == nil { ... } + - pattern-not: | + ..., $FOO = $FOO.$BAR(...) + ... + if $FOO == nil { ... } + - pattern-not: | + ..., $FOO = $FOO.$BAR(...) + ... + if $FOO != nil { ... } + - pattern-not: | + $FOO = $FOO.$BAR(...) + ... + if $FOO == nil { ... } + - pattern-not: | + $FOO = $FOO.$BAR(...) + ... + if $FOO != nil { ... } diff --git a/go/racy-append-to-slice.yaml b/go/racy-append-to-slice.yaml index 6249756..ba1f379 100644 --- a/go/racy-append-to-slice.yaml +++ b/go/racy-append-to-slice.yaml 
@@ -1,54 +1,54 @@ rules: -- id: racy-append-to-slice - message: >- - Appending `$SLICE` from multiple goroutines is not concurrency safe - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" - subcategory: [vuln] - confidence: MEDIUM - likelihood: HIGH - impact: MEDIUM - technology: [--no-technology--] - description: "Concurrent calls to `append` from multiple goroutines" - references: - - https://go.dev/blog/maps#concurrency + - id: racy-append-to-slice + message: >- + Appending `$SLICE` from multiple goroutines is not concurrency safe + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" + subcategory: [vuln] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: [--no-technology--] + description: "Concurrent calls to `append` from multiple goroutines" + references: + - https://go.dev/blog/maps#concurrency - patterns: - - pattern: | + patterns: + - pattern: | $SLICE = append($SLICE, $ITEM) - - pattern-either: - - pattern-inside: | - var $SLICE []$TYPE - ... - for ... { - ... - go func(...) { - ... - $SLICE = append($SLICE, ...) - ... - }(...) - ... - } - - pattern-inside: | - $SLICE := make([]$TYPE, ...) - ... - for ... { - ... - go func(...) { + - pattern-either: + - pattern-inside: | + var $SLICE []$TYPE ... - $SLICE = append($SLICE, ...) + for ... { + ... + go func(...) { + ... + $SLICE = append($SLICE, ...) + ... + }(...) + ... + } + - pattern-inside: | + $SLICE := make([]$TYPE, ...) ... - }(...) - ... - } - - pattern-not-inside: | + for ... { + ... + go func(...) { + ... + $SLICE = append($SLICE, ...) + ... + }(...) + ... + } + - pattern-not-inside: | $MUTEX.Lock() ... $MUTEX.Unlock() - - pattern-not-inside: | + - pattern-not-inside: | $MUTEX.Lock() ... defer $MUTEX.Unlock() 
diff --git a/go/racy-write-to-map.yaml b/go/racy-write-to-map.yaml index c3bfe86..e5aeaed 100644 --- a/go/racy-write-to-map.yaml +++ b/go/racy-write-to-map.yaml @@ -1,41 +1,41 @@ rules: -- id: racy-write-to-map - message: >- - Writing `$MAP` from multiple goroutines is not concurrency safe - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" - subcategory: [vuln] - confidence: MEDIUM - likelihood: HIGH - impact: MEDIUM - technology: [--no-technology--] - description: "Concurrent writes to the same map in multiple goroutines" - references: - - https://go.dev/blog/maps#concurrency + - id: racy-write-to-map + message: >- + Writing `$MAP` from multiple goroutines is not concurrency safe + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" + subcategory: [vuln] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + technology: [--no-technology--] + description: "Concurrent writes to the same map in multiple goroutines" + references: + - https://go.dev/blog/maps#concurrency - patterns: - - pattern: | + patterns: + - pattern: | $MAP[$KEY] = $VALUE - - pattern-inside: | - $MAP = make(map[$KTYPE]$VTYPE) - ... - for ... { + - pattern-inside: | + $MAP = make(map[$KTYPE]$VTYPE) ... - go func(...) { + for ... { ... - $MAP[$KEY] = $VALUE + go func(...) { + ... + $MAP[$KEY] = $VALUE + ... + }(...) ... - }(...) - ... - } - - pattern-not-inside: | + } + - pattern-not-inside: | $MUTEX.Lock() ... $MUTEX.Unlock() - - pattern-not-inside: | + - pattern-not-inside: | $MUTEX.Lock() ... defer $MUTEX.Unlock() diff --git a/go/servercodec-readrequestbody-unhandled-nil.yaml b/go/servercodec-readrequestbody-unhandled-nil.yaml index a65f2c1..e7cc67d 100644 --- a/go/servercodec-readrequestbody-unhandled-nil.yaml 
+++ b/go/servercodec-readrequestbody-unhandled-nil.yaml 
@@ -1,36 +1,36 @@ rules: -- id: servercodec-readrequestbody-unhandled-nil - message: >- - The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. - An incorrect implementation could lead to denial of service - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-476: NULL Pointer Dereference" - subcategory: [vuln] - confidence: HIGH - likelihood: MEDIUM - impact: LOW - technology: [--no-technology--] - description: "Possible incorrect `ServerCodec` interface implementation" - references: - - https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658 + - id: servercodec-readrequestbody-unhandled-nil + message: >- + The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. + An incorrect implementation could lead to denial of service + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-476: NULL Pointer Dereference" + subcategory: [vuln] + confidence: HIGH + likelihood: MEDIUM + impact: LOW + technology: [--no-technology--] + description: "Possible incorrect `ServerCodec` interface implementation" + references: + - https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658 - patterns: - - pattern: | - func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { - ... - } - - pattern-not: | - func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { - ... - if $ARG == nil { ... } - ... - } - - pattern-not: | - func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { - ... - if $ARG != nil { ... } - ... - } + patterns: + - pattern: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + } + - pattern-not: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + if $ARG == nil { ... } + ... + } + - pattern-not: | + func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { + ... + if $ARG != nil { ... } + ... + } 
diff --git a/go/string-to-int-signedness-cast.yaml b/go/string-to-int-signedness-cast.yaml index 4689e4d..0f1a307 100644 --- a/go/string-to-int-signedness-cast.yaml +++ b/go/string-to-int-signedness-cast.yaml 
@@ -1,133 +1,132 @@ rules: -- id: string-to-int-signedness-cast - message: Downcasting or changing sign of an integer with `$CAST_METHOD` method - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-681: Incorrect Conversion between Numeric Types" - subcategory: [audit] - confidence: HIGH - likelihood: LOW - impact: MEDIUM - technology: [--no-technology--] - description: "Integer underflows" - references: - - https://github.com/golang/go/issues/30209 - - pattern-either: - # 64 -> lower or sign - - patterns: - - metavariable-pattern: - metavariable: $CAST_METHOD - pattern-either: - - pattern: uint8 - - pattern: uint16 - - pattern: uint32 - - pattern: int8 - - pattern: int16 - - pattern: int32 - - - pattern-either: - - pattern: | - $X, ... = strconv.Atoi(...) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 64) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 64) - ... - $CAST_METHOD($X) - - # assume int has 64 bits - - pattern: | - $X, ... = strconv.Atoi(...) - ... - uint64($X) - - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 64) - ... - uint64($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 64) - ... - int64($X) - - # 32 -> lower or sign - - patterns: - - metavariable-pattern: - metavariable: $CAST_METHOD - pattern-either: - - pattern: uint8 - - pattern: uint16 - - pattern: int8 - - pattern: int16 - - - pattern-either: - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 32) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 32) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 32) - ... - uint32($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 32) - ... - int32($X) - - # 16 -> lower or sign - - patterns: - - metavariable-pattern: - metavariable: $CAST_METHOD - pattern-either: - - pattern: uint8 - - pattern: int8 - - - pattern-either: - - pattern: | - $X, ... 
= strconv.ParseInt(..., ..., 16) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 16) - ... - $CAST_METHOD($X) - - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 16) - ... - uint16($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 16) - ... - int16($X) - - - # 8 -> sign - - pattern: | - $X, ... = strconv.ParseInt(..., ..., 8) - ... - uint8($X) - - - pattern: | - $X, ... = strconv.ParseUint(..., ..., 8) - ... - int8($X) + - id: string-to-int-signedness-cast + message: Downcasting or changing sign of an integer with `$CAST_METHOD` method + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-681: Incorrect Conversion between Numeric Types" + subcategory: [audit] + confidence: HIGH + likelihood: LOW + impact: MEDIUM + technology: [--no-technology--] + description: "Integer underflows" + references: + - https://github.com/golang/go/issues/30209 + + pattern-either: + # 64 -> lower or sign + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: uint16 + - pattern: uint32 + - pattern: int8 + - pattern: int16 + - pattern: int32 + + - pattern-either: + - pattern: | + $X, ... = strconv.Atoi(...) + ... + $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 64) + ... + $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 64) + ... + $CAST_METHOD($X) + + # assume int has 64 bits + - pattern: | + $X, ... = strconv.Atoi(...) + ... + uint64($X) + + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 64) + ... + uint64($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 64) + ... + int64($X) + + # 32 -> lower or sign + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: uint16 + - pattern: int8 + - pattern: int16 + + - pattern-either: + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 32) + ... 
+ $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 32) + ... + $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 32) + ... + uint32($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 32) + ... + int32($X) + + # 16 -> lower or sign + - patterns: + - metavariable-pattern: + metavariable: $CAST_METHOD + pattern-either: + - pattern: uint8 + - pattern: int8 + + - pattern-either: + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 16) + ... + $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 16) + ... + $CAST_METHOD($X) + + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 16) + ... + uint16($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 16) + ... + int16($X) + + # 8 -> sign + - pattern: | + $X, ... = strconv.ParseInt(..., ..., 8) + ... + uint8($X) + + - pattern: | + $X, ... = strconv.ParseUint(..., ..., 8) + ... + int8($X) diff --git a/go/sync-mutex-value-copied.yaml b/go/sync-mutex-value-copied.yaml index 5e2d928..e35bba3 100644 --- a/go/sync-mutex-value-copied.yaml +++ b/go/sync-mutex-value-copied.yaml 
@@ -1,38 +1,37 @@ rules: -- id: sync-mutex-value-copied - message: >- - A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. - As a result, the struct `$T` may not be locked as intended - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-688: Function Call With Incorrect Variable or Reference as Argument" - subcategory: [vuln] - confidence: HIGH - likelihood: HIGH - impact: LOW - technology: [--no-technology--] - description: "Copying of `sync.Mutex` via value receivers" - references: - - https://go101.org/article/concurrent-common-mistakes.html + - id: sync-mutex-value-copied + message: >- + A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. + As a result, the struct `$T` may not be locked as intended + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-688: Function Call With Incorrect Variable or Reference as Argument" + subcategory: [vuln] + confidence: HIGH + likelihood: HIGH + impact: LOW + technology: [--no-technology--] + description: "Copying of `sync.Mutex` via value receivers" + references: + - https://go101.org/article/concurrent-common-mistakes.html - patterns: - - pattern-either: - - pattern: | - func ($T $TYPE) $FUNC(...){ - ... - $T.Lock() - ... - } - - pattern: | - func ($T $TYPE) $FUNC(...){ - ... - $T.RLock() + patterns: + - pattern-either: + - pattern: | + func ($T $TYPE) $FUNC(...){ + ... + $T.Lock() + ... + } + - pattern: | + func ($T $TYPE) $FUNC(...){ + ... + $T.RLock() + ... + } + - pattern-not: | + func ($T2 *$TYPE2) $FUNC(...){ ... } - - pattern-not: | - func ($T2 *$TYPE2) $FUNC(...){ - ... - } - \ No newline at end of file diff --git a/go/unsafe-dll-loading.yaml b/go/unsafe-dll-loading.yaml index 3cfad88..495b685 100644 --- a/go/unsafe-dll-loading.yaml +++ b/go/unsafe-dll-loading.yaml 
@@ -1,43 +1,42 @@ rules: -- id: unsafe-dll-loading - message: >- - The function is vulnerable to DLL hijacking attacks. - Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-427: Uncontrolled Search Path Element" - subcategory: [vuln] - confidence: HIGH - likelihood: MEDIUM - impact: HIGH - technology: [--no-technology--] - description: "Use of function vulnerable to DLL hijacking attacks" - references: - - https://pkg.go.dev/golang.org/x/sys/windows#LazyDLL + - id: unsafe-dll-loading + message: >- + The function is vulnerable to DLL hijacking attacks. + Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-427: Uncontrolled Search Path Element" + subcategory: [vuln] + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + technology: [--no-technology--] + description: "Use of function vulnerable to DLL hijacking attacks" + references: + - https://pkg.go.dev/golang.org/x/sys/windows#LazyDLL - patterns: - - pattern-either: - - pattern: syscall.LoadDLL(...) - - pattern: syscall.LoadLibrary(...) - - pattern: windows.LoadDLL(...) - - pattern: windows.MustLoadDLL(...) - - pattern: syscall.NewLazyDLL(...) - - pattern: | - $X = windows.NewLazyDLL(...) - ... - $X.$Y() - ... - $X.System = true - - pattern: | - $X = windows.NewLazyDLL(...) - ... - $X.$Y() - - pattern-not: | - $X = windows.NewLazyDLL(...) - ... - $X.System = true - ... - $X.$Y() - \ No newline at end of file + patterns: + - pattern-either: + - pattern: syscall.LoadDLL(...) + - pattern: syscall.LoadLibrary(...) + - pattern: windows.LoadDLL(...) + - pattern: windows.MustLoadDLL(...) + - pattern: syscall.NewLazyDLL(...) + - pattern: | + $X = windows.NewLazyDLL(...) + ... + $X.$Y() + ... + $X.System = true + - pattern: | + $X = windows.NewLazyDLL(...) + ... 
+ $X.$Y() + - pattern-not: | + $X = windows.NewLazyDLL(...) + ... + $X.System = true + ... + $X.$Y() diff --git a/go/waitgroup-add-called-inside-goroutine.yaml b/go/waitgroup-add-called-inside-goroutine.yaml index 5ba575e..a22f80b 100644 --- a/go/waitgroup-add-called-inside-goroutine.yaml +++ b/go/waitgroup-add-called-inside-goroutine.yaml 
@@ -1,48 +1,47 @@ rules: -- id: waitgroup-add-called-inside-goroutine - message: | - Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` - waiting for more or less calls to `$WG.Done()` than expected - languages: [go] - severity: ERROR - metadata: - category: security - cwe: "CWE-667: Improper Locking" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: MEDIUM - technology: [--no-technology--] - description: "Calls to `sync.WaitGroup.Add` inside of anonymous goroutines" - references: - - https://go101.org/article/concurrent-common-mistakes.html + - id: waitgroup-add-called-inside-goroutine + message: | + Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` + waiting for more or less calls to `$WG.Done()` than expected + languages: [go] + severity: ERROR + metadata: + category: security + cwe: "CWE-667: Improper Locking" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: [--no-technology--] + description: "Calls to `sync.WaitGroup.Add` inside of anonymous goroutines" + references: + - https://go101.org/article/concurrent-common-mistakes.html - patterns: - - pattern-either: - - pattern: | - $WG := &sync.WaitGroup{} - ... - go func(...) { + patterns: + - pattern-either: + - pattern: | + $WG := &sync.WaitGroup{} + ... + go func(...) { + ... + $WG.Add(...) + ... + }(...) + ... + $WG.Wait() + - pattern: | + var $WG sync.WaitGroup + ... + go func(...) { + ... + $WG.Add(...) + ... + }(...) + ... + $WG.Wait() + - pattern-not-inside: | + for ... { ... $WG.Add(...) ... - }(...) - ... - $WG.Wait() - - pattern: | - var $WG sync.WaitGroup - ... - go func(...) { - ... - $WG.Add(...) - ... - }(...) - ... - $WG.Wait() - - pattern-not-inside: | - for ... { - ... - $WG.Add(...) - ... - } - \ No newline at end of file + } diff --git a/go/waitgroup-wait-inside-loop.yaml b/go/waitgroup-wait-inside-loop.yaml index 416410e..e87e3b1 100644 
--- a/go/waitgroup-wait-inside-loop.yaml +++ b/go/waitgroup-wait-inside-loop.yaml 
@@ -1,76 +1,76 @@ rules: -- id: waitgroup-wait-inside-loop - message: >- - Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()` - languages: [go] - severity: WARNING - metadata: - category: security - cwe: "CWE-667: Improper Locking" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: MEDIUM - technology: [--no-technology--] - description: "Calls to `sync.WaitGroup.Wait` inside a loop" - references: - - https://go101.org/article/concurrent-common-mistakes.html + - id: waitgroup-wait-inside-loop + message: >- + Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()` + languages: [go] + severity: WARNING + metadata: + category: security + cwe: "CWE-667: Improper Locking" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: [--no-technology--] + description: "Calls to `sync.WaitGroup.Wait` inside a loop" + references: + - https://go101.org/article/concurrent-common-mistakes.html - patterns: - - pattern-either: - - pattern: | - var $WG sync.WaitGroup - ... - for ... { - ... - go func(...){ + patterns: + - pattern-either: + - pattern: | + var $WG sync.WaitGroup ... - defer $WG.Done() + for ... { + ... + go func(...){ + ... + defer $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + $WG := &sync.WaitGroup{} ... - }() - ... - $WG.Wait() - ... - } - - pattern: | - $WG := &sync.WaitGroup{} - ... - for ... { - ... - go func(...){ + for ... { + ... + go func(...){ + ... + defer $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + var $WG sync.WaitGroup ... - defer $WG.Done() + for ... { + ... + go func(...){ + ... + $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } + - pattern: | + $WG := &sync.WaitGroup{} ... - }() - ... - $WG.Wait() - ... - } - - pattern: | - var $WG sync.WaitGroup - ... - for ... { - ... - go func(...){ - ... - $WG.Done() - ... - }() - ... - $WG.Wait() - ... - } - - pattern: | - $WG := &sync.WaitGroup{} - ... - for ... { - ... 
- go func(...){ - ... - $WG.Done() - ... - }() - ... - $WG.Wait() - ... - } + for ... { + ... + go func(...){ + ... + $WG.Done() + ... + }() + ... + $WG.Wait() + ... + } diff --git a/javascript/apollo-graphql/schema-directives.yaml b/javascript/apollo-graphql/schema-directives.yaml index a7b5066..fbafffd 100644 --- a/javascript/apollo-graphql/schema-directives.yaml +++ b/javascript/apollo-graphql/schema-directives.yaml @@ -1,7 +1,7 @@ rules: - id: schema-directives message: >- - The Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4. + The Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4. languages: [js, ts] severity: ERROR metadata: @@ -18,6 +18,6 @@ rules: references: - https://www.apollographql.com/docs/apollo-server/schema/directives/#custom-directives - pattern-either: + pattern-either: - pattern: | - new ApolloServer({..., schemaDirectives: ..., ...}) \ No newline at end of file + new ApolloServer({..., schemaDirectives: ..., ...}) diff --git a/python/automatic-memory-pinning.yaml b/python/automatic-memory-pinning.yaml index d5d1c75..5284d1b 100644 --- a/python/automatic-memory-pinning.yaml +++ b/python/automatic-memory-pinning.yaml 
@@ -1,23 +1,23 @@ rules: -- id: automatic-memory-pinning - message: >- - If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency - languages: [python] - severity: WARNING - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: HIGH - likelihood: LOW - impact: LOW - technology: [pytorch] - description: "`PyTorch` memory not automatically pinned" - references: - - https://pytorch.org/docs/stable/data.html#memory-pinning + - id: automatic-memory-pinning + message: >- + If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency + languages: [python] + severity: WARNING + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: HIGH + likelihood: LOW + impact: LOW + technology: [pytorch] + description: "`PyTorch` memory not automatically pinned" + references: + - https://pytorch.org/docs/stable/data.html#memory-pinning - pattern-either: - - patterns: - - pattern: torch.utils.data.DataLoader(...) - - pattern-not: torch.utils.data.DataLoader(..., pin_memory=$VALUE, ...) - - pattern: torch.utils.data.DataLoader(..., pin_memory=False, ...) \ No newline at end of file + pattern-either: + - patterns: + - pattern: torch.utils.data.DataLoader(...) + - pattern-not: torch.utils.data.DataLoader(..., pin_memory=$VALUE, ...) + - pattern: torch.utils.data.DataLoader(..., pin_memory=False, ...) diff --git a/python/lxml-in-pandas.yaml b/python/lxml-in-pandas.yaml index 66a96d3..78172da 100644 --- a/python/lxml-in-pandas.yaml +++ b/python/lxml-in-pandas.yaml 
@@ -1,42 +1,42 @@ rules: -- id: lxml-in-pandas - message: >- - Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-611: Improper Restriction of XML External Entity Reference" - subcategory: [vuln] - confidence: HIGH - likelihood: MEDIUM - impact: MEDIUM - technology: [pandas] - description: "Potential XXE attacks from loading `lxml` in pandas" - references: - - https://lxml.de/FAQ.html + - id: lxml-in-pandas + message: >- + Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-611: Improper Restriction of XML External Entity Reference" + subcategory: [vuln] + confidence: HIGH + likelihood: MEDIUM + impact: MEDIUM + technology: [pandas] + description: "Potential XXE attacks from loading `lxml` in pandas" + references: + - https://lxml.de/FAQ.html - pattern-either: - - patterns: - - pattern: pandas.read_html($IO) - - pattern-not: pandas.read_html(**$KWARGS) + pattern-either: + - patterns: + - pattern: pandas.read_html($IO) + - pattern-not: pandas.read_html(**$KWARGS) - - patterns: - - metavariable-pattern: - metavariable: $FLAVOR - patterns: - - pattern: "..." - - pattern-not: | - "bs4" - - pattern-not: | - "html5lib" + - patterns: + - metavariable-pattern: + metavariable: $FLAVOR + patterns: + - pattern: "..." + - pattern-not: | + "bs4" + - pattern-not: | + "html5lib" - - pattern-either: - - pattern: pandas.read_html(..., flavor=$FLAVOR, ...) - - patterns: - - pattern-inside: | - $KWARGS = {..., "flavor": $FLAVOR, ...} - ... + - pattern-either: + - pattern: pandas.read_html(..., flavor=$FLAVOR, ...) + - patterns: + - pattern-inside: | + $KWARGS = {..., "flavor": $FLAVOR, ...} + ... - - pattern: | - pandas.read_html(**$KWARGS) + - pattern: | + pandas.read_html(**$KWARGS) 
diff --git a/python/numpy-distutils.yaml b/python/numpy-distutils.yaml index 7c8baee..e34e760 100644 --- a/python/numpy-distutils.yaml +++ b/python/numpy-distutils.yaml @@ -1,21 +1,20 @@ rules: -- id: numpy-distutils - message: NumPy distutils is deprecated, and will be removed in the future - languages: [python] - severity: WARNING - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: HIGH - likelihood: MEDIUM - impact: LOW - technology: [numpy] - description: "Use of deprecated `numpy.distutils`" - references: - - https://numpy.org/doc/stable/reference/distutils.html + - id: numpy-distutils + message: NumPy distutils is deprecated, and will be removed in the future + languages: [python] + severity: WARNING + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: HIGH + likelihood: MEDIUM + impact: LOW + technology: [numpy] + description: "Use of deprecated `numpy.distutils`" + references: + - https://numpy.org/doc/stable/reference/distutils.html - patterns: - - pattern: | - import numpy.distutils - + patterns: + - pattern: | + import numpy.distutils diff --git a/python/numpy-f2py-compile.yaml b/python/numpy-f2py-compile.yaml index 0d65ba3..69932f9 100644 --- a/python/numpy-f2py-compile.yaml +++ b/python/numpy-f2py-compile.yaml 
@@ -1,21 +1,20 @@ rules: -- id: numpy-f2py-compile - message: Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [numpy] - description: "Potential arbitrary code execution from `NumPy` `f2py` compilation" - references: - - https://numpy.org/doc/stable/f2py/usage.html + - id: numpy-f2py-compile + message: Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [numpy] + description: "Potential arbitrary code execution from `NumPy` `f2py` compilation" + references: + - https://numpy.org/doc/stable/f2py/usage.html - patterns: - - pattern: numpy.f2py.compile(...) - - pattern-not: numpy.f2py.compile("...", ...) - + patterns: + - pattern: numpy.f2py.compile(...) + - pattern-not: numpy.f2py.compile("...", ...) diff --git a/python/numpy-in-pytorch-datasets.yaml b/python/numpy-in-pytorch-datasets.yaml index cd78142..99f106f 100644 --- a/python/numpy-in-pytorch-datasets.yaml +++ b/python/numpy-in-pytorch-datasets.yaml 
@@ -1,27 +1,27 @@ rules: -- id: numpy-in-pytorch-datasets - message: >- - Using the NumPy RNG inside of a PyTorch dataset can lead to a number of issues with loading data, including identical augmentations. - Instead, use the random number generators built into Python and PyTorch - languages: [python] - severity: WARNING - metadata: - category: security - cwe: "CWE-330: Use of Insufficiently Random Values" - subcategory: [audit] - confidence: HIGH - likelihood: MEDIUM - impact: LOW - technology: [pytorch, numpy] - description: "Calls to the `NumPy` RNG inside of a `Torch` dataset" - references: - - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects + - id: numpy-in-pytorch-datasets + message: >- + Using the NumPy RNG inside of a PyTorch dataset can lead to a number of issues with loading data, including identical augmentations. + Instead, use the random number generators built into Python and PyTorch + languages: [python] + severity: WARNING + metadata: + category: security + cwe: "CWE-330: Use of Insufficiently Random Values" + subcategory: [audit] + confidence: HIGH + likelihood: MEDIUM + impact: LOW + technology: [pytorch, numpy] + description: "Calls to the `NumPy` RNG inside of a `Torch` dataset" + references: + - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects - patterns: - - pattern: | - class $X(torch.utils.data.Dataset): - ... - def __getitem__(...): - ... - numpy.random.randint(...) + patterns: + - pattern: | + class $X(torch.utils.data.Dataset): ... + def __getitem__(...): + ... + numpy.random.randint(...) + ... diff --git a/python/numpy-in-pytorch-modules.yaml b/python/numpy-in-pytorch-modules.yaml index d7710ee..eba7341 100644 --- a/python/numpy-in-pytorch-modules.yaml +++ b/python/numpy-in-pytorch-modules.yaml 
@@ -1,21 +1,21 @@ rules: -- id: numpy-in-pytorch-modules - message: >- - Usage of NumPy library inside PyTorch `$MODULE` module was found. - Avoid mixing these libraries for efficiency and proper ONNX loading - languages: [python] - severity: WARNING - metadata: - category: performance - subcategory: [audit] - confidence: MEDIUM - technology: [pytorch, numpy] - description: "Uses of `NumPy` functions inside `PyTorch` modules" - references: - - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects - - patterns: - - pattern: $RESULT = numpy.$FUNCTION(...) - - pattern-inside: | - class $MODULE(torch.nn.Module): - ... + - id: numpy-in-pytorch-modules + message: >- + Usage of NumPy library inside PyTorch `$MODULE` module was found. + Avoid mixing these libraries for efficiency and proper ONNX loading + languages: [python] + severity: WARNING + metadata: + category: performance + subcategory: [audit] + confidence: MEDIUM + technology: [pytorch, numpy] + description: "Uses of `NumPy` functions inside `PyTorch` modules" + references: + - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects + + patterns: + - pattern: $RESULT = numpy.$FUNCTION(...) + - pattern-inside: | + class $MODULE(torch.nn.Module): + ... diff --git a/python/numpy-load-library.yaml b/python/numpy-load-library.yaml index f9c9748..476b322 100644 --- a/python/numpy-load-library.yaml +++ b/python/numpy-load-library.yaml 
@@ -1,21 +1,20 @@ rules: -- id: numpy-load-library - message: Loading custom operator libraries can result in arbitrary code execution - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [numpy] - description: "Potential arbitrary code execution from `NumPy` library loading" - references: - - https://numpy.org/doc/stable/reference/routines.ctypeslib.html#numpy.ctypeslib.load_library - - patterns: - - pattern: numpy.ctypeslib.load_library(...) - - pattern-not: numpy.ctypeslib.load_library("...", "...") - + - id: numpy-load-library + message: Loading custom operator libraries can result in arbitrary code execution + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [numpy] + description: "Potential arbitrary code execution from `NumPy` library loading" + references: + - https://numpy.org/doc/stable/reference/routines.ctypeslib.html#numpy.ctypeslib.load_library + + patterns: + - pattern: numpy.ctypeslib.load_library(...) + - pattern-not: numpy.ctypeslib.load_library("...", "...") diff --git a/python/onnx-session-options.yaml b/python/onnx-session-options.yaml index 0e022e6..7839838 100644 --- a/python/onnx-session-options.yaml +++ b/python/onnx-session-options.yaml 
@@ -1,24 +1,23 @@ rules: -- id: onnx-session-options - message: Loading custom operator libraries can result in arbitrary code execution - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [onnx] - description: "Potential arbitrary code execution from `ONNX` library loading" - references: - - https://onnxruntime.ai/docs/reference/operators/add-custom-op.html + - id: onnx-session-options + message: Loading custom operator libraries can result in arbitrary code execution + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [onnx] + description: "Potential arbitrary code execution from `ONNX` library loading" + references: + - https://onnxruntime.ai/docs/reference/operators/add-custom-op.html - patterns: - - pattern-inside: | - $SESSION = onnxruntime.SessionOptions(...) - ... - - pattern: $SESSION.register_custom_ops_library(...) - - pattern-not: $SESSION.register_custom_ops_library("...") - \ No newline at end of file + patterns: + - pattern-inside: | + $SESSION = onnxruntime.SessionOptions(...) + ... + - pattern: $SESSION.register_custom_ops_library(...) + - pattern-not: $SESSION.register_custom_ops_library("...") diff --git a/python/pickles-in-numpy.yaml b/python/pickles-in-numpy.yaml index 49d9eb2..91366b0 100644 --- a/python/pickles-in-numpy.yaml +++ b/python/pickles-in-numpy.yaml 
@@ -1,34 +1,34 @@ rules: -- id: pickles-in-numpy - message: >- - Functions reliant on pickle can result in arbitrary code execution. - Consider using fickling or switching to a safer serialization method - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-502: Deserialization of Untrusted Data" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [numpy] - description: "Potential arbitrary code execution from `NumPy` functions reliant on pickling" - references: - - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + - id: pickles-in-numpy + message: >- + Functions reliant on pickle can result in arbitrary code execution. + Consider using fickling or switching to a safer serialization method + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-502: Deserialization of Untrusted Data" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [numpy] + description: "Potential arbitrary code execution from `NumPy` functions reliant on pickling" + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ - patterns: - - pattern: numpy.load(..., allow_pickle=$VALUE, ...) - - pattern-not: numpy.load("...", ...) - - pattern-not: numpy.load(..., file="...", ...) - - metavariable-pattern: - metavariable: $VALUE - patterns: - - pattern-not: | - False - - pattern-not: | - [] - - pattern-not: | - None - - pattern-not: | - "" \ No newline at end of file + patterns: + - pattern: numpy.load(..., allow_pickle=$VALUE, ...) + - pattern-not: numpy.load("...", ...) + - pattern-not: numpy.load(..., file="...", ...) + - metavariable-pattern: + metavariable: $VALUE + patterns: + - pattern-not: | + False + - pattern-not: | + [] + - pattern-not: | + None + - pattern-not: | + "" 
diff --git a/python/pickles-in-pandas.yaml b/python/pickles-in-pandas.yaml index 40df088..9c97361 100644 --- a/python/pickles-in-pandas.yaml +++ b/python/pickles-in-pandas.yaml 
@@ -1,32 +1,32 @@ rules: -- id: pickles-in-pandas - message: >- - Functions reliant on pickle can result in arbitrary code execution. - Consider using fickling or switching to a safer serialization method - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-502: Deserialization of Untrusted Data" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [pandas] - description: "Potential arbitrary code execution from `Pandas` functions reliant on pickling" - references: - - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + - id: pickles-in-pandas + message: >- + Functions reliant on pickle can result in arbitrary code execution. + Consider using fickling or switching to a safer serialization method + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-502: Deserialization of Untrusted Data" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [pandas] + description: "Potential arbitrary code execution from `Pandas` functions reliant on pickling" + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ - patterns: - - pattern-either: - - pattern: pandas.read_pickle(...) - - pattern: pandas.to_pickle(...) - - patterns: - - pattern-inside: | - import pandas - ... - - pattern: $SMTH.to_pickle(...) + patterns: + - pattern-either: + - pattern: pandas.read_pickle(...) + - pattern: pandas.to_pickle(...) + - patterns: + - pattern-inside: | + import pandas + ... + - pattern: $SMTH.to_pickle(...) - - pattern-not: pandas.read_pickle("...") - - pattern-not: pandas.to_pickle(..., "...") - - pattern-not: $SMTH.to_pickle("...") + - pattern-not: pandas.read_pickle("...") + - pattern-not: pandas.to_pickle(..., "...") + - pattern-not: $SMTH.to_pickle("...") 
diff --git a/python/pickles-in-pytorch-distributed.yaml b/python/pickles-in-pytorch-distributed.yaml index d20a5fe..69ace2b 100644 --- a/python/pickles-in-pytorch-distributed.yaml +++ b/python/pickles-in-pytorch-distributed.yaml @@ -1,24 +1,24 @@ rules: -- id: pickles-in-pytorch-distributed - message: >- - Functions reliant on pickle can result in arbitrary code execution - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-502: Deserialization of Untrusted Data" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [pytorch] - description: "Potential arbitrary code execution from `PyTorch.Distributed` functions reliant on pickling" - references: - - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + - id: pickles-in-pytorch-distributed + message: >- + Functions reliant on pickle can result in arbitrary code execution + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-502: Deserialization of Untrusted Data" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [pytorch] + description: "Potential arbitrary code execution from `PyTorch.Distributed` functions reliant on pickling" + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ - patterns: - - pattern-either: - - pattern: torch.distributed.broadcast_object_list(...) - - pattern: torch.distributed.all_gather_object(...) - - pattern: torch.distributed.gather_object(...) - - pattern: torch.distributed.scatter_object_list(...) + patterns: + - pattern-either: + - pattern: torch.distributed.broadcast_object_list(...) + - pattern: torch.distributed.all_gather_object(...) + - pattern: torch.distributed.gather_object(...) + - pattern: torch.distributed.scatter_object_list(...) 
diff --git a/python/pickles-in-pytorch.yaml b/python/pickles-in-pytorch.yaml index a12af33..cce6ac6 100644 --- a/python/pickles-in-pytorch.yaml +++ b/python/pickles-in-pytorch.yaml 
@@ -1,27 +1,27 @@ rules: -- id: pickles-in-pytorch - message: >- - Functions reliant on pickle can result in arbitrary code execution. - Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-502: Deserialization of Untrusted Data" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [pytorch] - description: "Potential arbitrary code execution from `PyTorch` functions reliant on pickling" - references: - - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ + - id: pickles-in-pytorch + message: >- + Functions reliant on pickle can result in arbitrary code execution. + Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-502: Deserialization of Untrusted Data" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [pytorch] + description: "Potential arbitrary code execution from `PyTorch` functions reliant on pickling" + references: + - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ - patterns: - - pattern-either: - - pattern: torch.save(...) - - pattern: torch.load(...) - - pattern-not: torch.load("...") - - pattern-not: torch.save(..., "...") - - pattern-not: torch.save($M.state_dict(), ...) - - pattern-not-inside: $M.load_state_dict(torch.load(...)) \ No newline at end of file + patterns: + - pattern-either: + - pattern: torch.save(...) + - pattern: torch.load(...) + - pattern-not: torch.load("...") + - pattern-not: torch.save(..., "...") + - pattern-not: torch.save($M.state_dict(), ...) + - pattern-not-inside: $M.load_state_dict(torch.load(...)) 
diff --git a/python/pytorch-classes-load-library.yaml b/python/pytorch-classes-load-library.yaml index b98e78f..3a6ea60 100644 --- a/python/pytorch-classes-load-library.yaml +++ b/python/pytorch-classes-load-library.yaml @@ -1,20 +1,20 @@ rules: -- id: pytorch-classes-load-library - message: Loading custom operator libraries can result in arbitrary code execution - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-676: Use of Potentially Dangerous Function" - subcategory: [audit] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [pytorch] - description: "Potential arbitrary code execution from `PyTorch` library loading" - references: - - https://pytorch.org/tutorials/advanced/torch_script_custom_classes.html + - id: pytorch-classes-load-library + message: Loading custom operator libraries can result in arbitrary code execution + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-676: Use of Potentially Dangerous Function" + subcategory: [audit] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [pytorch] + description: "Potential arbitrary code execution from `PyTorch` library loading" + references: + - https://pytorch.org/tutorials/advanced/torch_script_custom_classes.html - patterns: - - pattern: torch.classes.load_library(...) - - pattern-not: torch.classes.load_library("...") + patterns: + - pattern: torch.classes.load_library(...) + - pattern-not: torch.classes.load_library("...") diff --git a/python/pytorch-package.yaml b/python/pytorch-package.yaml index f347eca..d1e307d 100644 --- a/python/pytorch-package.yaml +++ b/python/pytorch-package.yaml 
@@ -1,19 +1,19 @@
 rules:
-- id: pytorch-package
- message: Avoid importing torch.package - it can result in arbitrary code execution via pickle
- languages: [python]
- severity: WARNING
- metadata:
- category: security
- cwe: "CWE-502: Deserialization of Untrusted Data"
- subcategory: [audit]
- confidence: LOW
- likelihood: MEDIUM
- impact: HIGH
- technology: [pytorch]
- description: "Potential arbitrary code execution from `torch.package`"
- references:
- - https://pytorch.org/docs/1.13/package.html#torch-package
- - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/
+ - id: pytorch-package
+ message: Avoid importing torch.package - it can result in arbitrary code execution via pickle
+ languages: [python]
+ severity: WARNING
+ metadata:
+ category: security
+ cwe: "CWE-502: Deserialization of Untrusted Data"
+ subcategory: [audit]
+ confidence: LOW
+ likelihood: MEDIUM
+ impact: HIGH
+ technology: [pytorch]
+ description: "Potential arbitrary code execution from `torch.package`"
+ references:
+ - https://pytorch.org/docs/1.13/package.html#torch-package
+ - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/
 
- pattern: import torch.package
\ No newline at end of file
+ pattern: import torch.package
diff --git a/python/pytorch-tensor.yaml b/python/pytorch-tensor.yaml
index e8b1d60..c384ffc 100644
--- a/python/pytorch-tensor.yaml
+++ b/python/pytorch-tensor.yaml
@@ -1,15 +1,15 @@
 rules:
-- id: pytorch-tensor
- message: Avoid using `torch.Tensor()` to directly create a tensor for efficiency and proper parsing
- languages: [python]
- severity: WARNING
- metadata:
- category: performance
- subcategory: [audit]
- confidence: HIGH
- technology: [pytorch]
- description: "Possible parsing issues and inefficiency from improper tensor creation"
- references:
- - https://pytorch.org/docs/stable/tensors.html
+ - id: pytorch-tensor
+ message: Avoid using `torch.Tensor()` to directly create a tensor for efficiency and proper parsing
+ languages: [python]
+ severity: WARNING
+ metadata:
+ category: performance
+ subcategory: [audit]
+ confidence: HIGH
+ technology: [pytorch]
+ description: "Possible parsing issues and inefficiency from improper tensor creation"
+ references:
+ - https://pytorch.org/docs/stable/tensors.html
 
- pattern: torch.Tensor(...)
\ No newline at end of file
+ pattern: torch.Tensor(...)
diff --git a/python/scikit-joblib-load.yaml b/python/scikit-joblib-load.yaml
index 574c50f..4207ba3 100644
--- a/python/scikit-joblib-load.yaml
+++ b/python/scikit-joblib-load.yaml
@@ -1,22 +1,22 @@ rules: -- id: scikit-joblib-load - message: >- - Scikit `joblib` uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. - Consider using `skops` instead. - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-502: Deserialization of Untrusted Data" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: HIGH - technology: [scikit] - description: "Potential arbitrary code execution from `SciKit.Joblib` functions reliant on pickling" - references: - - https://scikit-learn.org/stable/model_persistence.html + - id: scikit-joblib-load + message: >- + Scikit `joblib` uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. + Consider using `skops` instead. + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-502: Deserialization of Untrusted Data" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + technology: [scikit] + description: "Potential arbitrary code execution from `SciKit.Joblib` functions reliant on pickling" + references: + - https://scikit-learn.org/stable/model_persistence.html - patterns: - - pattern: joblib.load(...) - - pattern-not: joblib.load("...") + patterns: + - pattern: joblib.load(...) + - pattern-not: joblib.load("...") diff --git a/python/tarfile-extractall-traversal.yaml b/python/tarfile-extractall-traversal.yaml index eb617c7..206ae17 100644 --- a/python/tarfile-extractall-traversal.yaml +++ b/python/tarfile-extractall-traversal.yaml 
@@ -1,41 +1,41 @@ rules: -- id: tarfile-extractall-traversal - message: >- - Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker - languages: [python] - severity: ERROR - metadata: - category: security - cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" - subcategory: [vuln] - confidence: MEDIUM - likelihood: MEDIUM - impact: MEDIUM - technology: [--no-technology--] - description: "Potential path traversal in call to `extractall` for a `tarfile`" - references: - - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall + - id: tarfile-extractall-traversal + message: >- + Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker + languages: [python] + severity: ERROR + metadata: + category: security + cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + subcategory: [vuln] + confidence: MEDIUM + likelihood: MEDIUM + impact: MEDIUM + technology: [--no-technology--] + description: "Potential path traversal in call to `extractall` for a `tarfile`" + references: + - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall - patterns: - - pattern-either: - - pattern: | - with tarfile.open(...) as $TAR: + patterns: + - pattern-either: + - pattern: | + with tarfile.open(...) as $TAR: + ... + $TAR.extractall(...) + - pattern: | + tarfile.open(...).extractall(...) + - pattern: | + $TAR = tarfile.open(...) ... $TAR.extractall(...) - - pattern: | - tarfile.open(...).extractall(...) - - pattern: | + + - pattern-not: | + with tarfile.open(...) as $TAR: + ... + $TAR.extractall(..., members=$MEMBERS, ...) + - pattern-not: | + tarfile.open(...).extractall(..., members=$MEMBERS, ...) + - pattern-not: | $TAR = tarfile.open(...) ... - $TAR.extractall(...) - - - pattern-not: | - with tarfile.open(...) as $TAR: - ... 
- $TAR.extractall(..., members=$MEMBERS, ...) - - pattern-not: | - tarfile.open(...).extractall(..., members=$MEMBERS, ...) - - pattern-not: | - $TAR = tarfile.open(...) - ... - $TAR.extractall(..., members=$MEMBERS, ...) + $TAR.extractall(..., members=$MEMBERS, ...) diff --git a/python/tensorflow-load-library.yaml b/python/tensorflow-load-library.yaml index 6bdd814..4db4d60 100644 --- a/python/tensorflow-load-library.yaml +++ b/python/tensorflow-load-library.yaml 
@@ -1,25 +1,24 @@
 rules:
-- id: tensorflow-load-library
- message: Loading custom operator libraries can result in arbitrary code execution
- languages: [python]
- severity: ERROR
- metadata:
- category: security
- cwe: "CWE-676: Use of Potentially Dangerous Function"
- subcategory: [audit]
- confidence: MEDIUM
- likelihood: MEDIUM
- impact: HIGH
- technology: [tensorflow]
- description: "Potential arbitrary code execution from `TensorFlow` library loading"
- references:
- - https://www.tensorflow.org/api_docs/python/tf/load_library
- - https://www.tensorflow.org/api_docs/python/tf/load_op_library
+ - id: tensorflow-load-library
+ message: Loading custom operator libraries can result in arbitrary code execution
+ languages: [python]
+ severity: ERROR
+ metadata:
+ category: security
+ cwe: "CWE-676: Use of Potentially Dangerous Function"
+ subcategory: [audit]
+ confidence: MEDIUM
+ likelihood: MEDIUM
+ impact: HIGH
+ technology: [tensorflow]
+ description: "Potential arbitrary code execution from `TensorFlow` library loading"
+ references:
+ - https://www.tensorflow.org/api_docs/python/tf/load_library
+ - https://www.tensorflow.org/api_docs/python/tf/load_op_library
 
- patterns:
- - pattern-either:
- - pattern: tensorflow.load_library(...)
- - pattern: tensorflow.load_op_library(...)
- - pattern-not: tensorflow.load_library("...")
- - pattern-not: tensorflow.load_op_library("...")
-
+ patterns:
+ - pattern-either:
+ - pattern: tensorflow.load_library(...)
+ - pattern: tensorflow.load_op_library(...)
+ - pattern-not: tensorflow.load_library("...")
+ - pattern-not: tensorflow.load_op_library("...")
diff --git a/python/waiting-with-pytorch-distributed.yaml b/python/waiting-with-pytorch-distributed.yaml
index 0e5f1ff..c57ea1b 100644
--- a/python/waiting-with-pytorch-distributed.yaml
+++ b/python/waiting-with-pytorch-distributed.yaml
@@ -1,26 +1,25 @@ rules: -- id: waiting-with-pytorch-distributed - message: Not waiting for requests is a source of undefined behavior - languages: [python] - severity: WARNING - metadata: - category: security - cwe: "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior" - subcategory: [vuln] - confidence: MEDIUM - likelihood: LOW - impact: LOW - technology: [pytorch] - description: "Possible `PyTorch` undefined behavior when not waiting for requests" - references: - - https://pytorch.org/docs/stable/distributed.html#torch.distributed.isend + - id: waiting-with-pytorch-distributed + message: Not waiting for requests is a source of undefined behavior + languages: [python] + severity: WARNING + metadata: + category: security + cwe: "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior" + subcategory: [vuln] + confidence: MEDIUM + likelihood: LOW + impact: LOW + technology: [pytorch] + description: "Possible `PyTorch` undefined behavior when not waiting for requests" + references: + - https://pytorch.org/docs/stable/distributed.html#torch.distributed.isend - patterns: - - pattern-either: - - pattern: $REQ = torch.distributed.irecv(...) - - pattern: $REQ = torch.distributed.isend(...) + patterns: + - pattern-either: + - pattern: $REQ = torch.distributed.irecv(...) + - pattern: $REQ = torch.distributed.isend(...) - - pattern-not-inside: | - ... - $REQ.wait() - \ No newline at end of file + - pattern-not-inside: | + ... + $REQ.wait() diff --git a/rs/panic-in-function-returning-result.yaml b/rs/panic-in-function-returning-result.yaml index 8fedd5e..a93e231 100644 --- a/rs/panic-in-function-returning-result.yaml +++ b/rs/panic-in-function-returning-result.yaml 
@@ -1,53 +1,53 @@ rules: -- id: panic-in-function-returning-result - message: >- - `expect` or `unwrap` called in function returning a `Result` - languages: [rust] - severity: WARNING - metadata: - category: security - cwe: "CWE-755: Improper Handling of Exceptional Conditions" - subcategory: [audit] - confidence: HIGH - likelihood: MEDIUM - impact: LOW - technology: [--no-technology--] - description: "Calling `unwrap` or `expect` in a function returning a `Result`" - references: - - https://doc.rust-lang.org/std/result/ - - patterns: - - pattern-either: - - pattern: $EXPR.unwrap() - - pattern: $EXPR.expect(...) + - id: panic-in-function-returning-result + message: >- + `expect` or `unwrap` called in function returning a `Result` + languages: [rust] + severity: WARNING + metadata: + category: security + cwe: "CWE-755: Improper Handling of Exceptional Conditions" + subcategory: [audit] + confidence: HIGH + likelihood: MEDIUM + impact: LOW + technology: [--no-technology--] + description: "Calling `unwrap` or `expect` in a function returning a `Result`" + references: + - https://doc.rust-lang.org/std/result/ - - pattern-either: - - pattern-inside: | - fn $FUNC(...) -> Result<$T1, $T2> { - ... - } + patterns: + - pattern-either: + - pattern: $EXPR.unwrap() + - pattern: $EXPR.expect(...) - - pattern-inside: | - fn $FUNC(...) -> Result<$T> { - ... - } - - - patterns: - - pattern-inside: | - fn $FUNC(...) -> $RETTYPE { - ... - } - - - pattern-either: + - pattern-either: - pattern-inside: | - type $RETTYPE = Result<$T>; - ... - fn $FUNC(...) -> $RETTYPE { + fn $FUNC(...) -> Result<$T1, $T2> { ... } + - pattern-inside: | - type $RETTYPE = Result<$T1, $T2>; - ... - fn $FUNC(...) -> $RETTYPE { + fn $FUNC(...) -> Result<$T> { ... } + + - patterns: + - pattern-inside: | + fn $FUNC(...) -> $RETTYPE { + ... + } + + - pattern-either: + - pattern-inside: | + type $RETTYPE = Result<$T>; + ... + fn $FUNC(...) -> $RETTYPE { + ... 
+ } + - pattern-inside: | + type $RETTYPE = Result<$T1, $T2>; + ... + fn $FUNC(...) -> $RETTYPE { + ... + } From 85218e141db6b2ebfe8c955db1b4b1c0ee6418da Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:31:25 +0100 Subject: [PATCH 3/8] git blame - provide commit --- .git-blame-ignore-revs | 1 + 1 file changed, 1 insertion(+) diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index 8a9c6a9..63ccc09 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -1 +1,2 @@ # Formatted Semgrep YAML files using prettier +c12bb5b7bf893466c24bdad5b234dcd3ad3b42df \ No newline at end of file From ab5507fb225c2f1dc2133794d2c0381235bc79c6 Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:38:06 +0100 Subject: [PATCH 4/8] auto-validate schema --- .github/workflows/semgrep-rules-test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index 2df7b4c..249ac74 100644 --- a/.github/workflows/semgrep-rules-test.yml +++ b/.github/workflows/semgrep-rules-test.yml @@ -22,3 +22,8 @@ jobs: run: semgrep --validate --config . - name: tests run: semgrep --test --test-ignore-todo + - name: metadata-tests + run: | + wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/c5ad4bb0f4c7ee5b8cd47276b582e8bb57bd0a4d/.github/scripts/validate-metadata.py + wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/develop/metadata-schema.yaml.schm + python ./validate-metadata.py -s ./metadata-schema.yaml.schm -f . From 4a5d2f11807326c27f8c04eae9241c428af5a0da Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:42:07 +0100 Subject: [PATCH 5/8] fix py deps --- .github/workflows/semgrep-rules-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index 249ac74..d88066f 100644 --- a/.github/workflows/semgrep-rules-test.yml 
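Review bot: In the new `metadata-tests` step the schema is fetched from the mutable `develop` branch while `validate-metadata.py` is pinned to commit `c5ad4bb0…`, so the two can drift apart and the job's outcome can change on any upstream push without a commit in this repo; pin the schema to the same SHA: `wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/c5ad4bb0f4c7ee5b8cd47276b582e8bb57bd0a4d/metadata-schema.yaml.schm`. Pinning both to a commit also makes the script that CI executes immutable content rather than whatever the branch head serves at run time. If the upstream script or schema is ever expected to change, bump the SHA deliberately in a reviewed commit rather than tracking a branch. The `run:` block is complete within this hunk; the surrounding job definition is outside it.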
+++ b/.github/workflows/semgrep-rules-test.yml @@ -18,6 +18,7 @@ jobs: run: | python -m pip install --upgrade pip python3 -m pip install semgrep + python3 -m pip install jsonschema pyyaml - name: validations run: semgrep --validate --config . - name: tests From 9be0a0a7628b77376598c3231cefda2b6be1ff34 Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:51:06 +0100 Subject: [PATCH 6/8] use semgrep to test rules --- .github/workflows/semgrep-rules-test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index d88066f..b2c4859 100644 --- a/.github/workflows/semgrep-rules-test.yml +++ b/.github/workflows/semgrep-rules-test.yml @@ -28,3 +28,5 @@ jobs: wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/c5ad4bb0f4c7ee5b8cd47276b582e8bb57bd0a4d/.github/scripts/validate-metadata.py wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/develop/metadata-schema.yaml.schm python ./validate-metadata.py -s ./metadata-schema.yaml.schm -f . + - name: x + run: semgrep --config="r/yaml.semgrep" --severity ERROR . \ No newline at end of file From 8c9844fcb2db65b90ca248e5df284b93cb7730ae Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 13:52:41 +0100 Subject: [PATCH 7/8] fix from lints --- .github/workflows/semgrep-rules-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index b2c4859..f66007a 100644 --- a/.github/workflows/semgrep-rules-test.yml +++ b/.github/workflows/semgrep-rules-test.yml @@ -29,4 +29,4 @@ jobs: wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/develop/metadata-schema.yaml.schm python ./validate-metadata.py -s ./metadata-schema.yaml.schm -f . - name: x - run: semgrep --config="r/yaml.semgrep" --severity ERROR . \ No newline at end of file + run: semgrep --config="r/yaml.semgrep" --severity ERROR . 
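Review bot: The added `python3 -m pip install jsonschema pyyaml` installs unpinned versions, as does the `semgrep` line just above it, so every run resolves fresh releases and a broken or compromised upload reaches CI immediately. Pin at least the two new packages to exact versions, e.g. `python3 -m pip install "jsonschema==<ver>" "pyyaml==<ver>"`, or move the three packages into a `requirements.txt` with hashes and install with `--require-hashes`. The `run:` block starts outside this hunk.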
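Review bot: The new `semgrep --config="r/yaml.semgrep" --severity ERROR .` step will, as far as I recall semgrep's CLI, exit 0 even when it reports findings, because a plain `semgrep scan` only fails on findings when `--error` is passed, so this lint step cannot break the build; change it to `run: semgrep --error --config="r/yaml.semgrep" --severity ERROR .`. Note also that `r/yaml.semgrep` is pulled from the registry at run time, so results may change with no commit here, which is consistent with the rest of the workflow but worth keeping in mind when a run fails unexpectedly.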
From 250c4b174520d02c85ab8033bd14cc8a65ea8fc8 Mon Sep 17 00:00:00 2001 From: GrosQuildu Date: Tue, 2 Jan 2024 15:33:59 +0100 Subject: [PATCH 8/8] fix job name --- .github/workflows/semgrep-rules-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml index f66007a..69981ef 100644 --- a/.github/workflows/semgrep-rules-test.yml +++ b/.github/workflows/semgrep-rules-test.yml @@ -28,5 +28,5 @@ jobs: wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/c5ad4bb0f4c7ee5b8cd47276b582e8bb57bd0a4d/.github/scripts/validate-metadata.py wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/develop/metadata-schema.yaml.schm python ./validate-metadata.py -s ./metadata-schema.yaml.schm -f . - - name: x + - name: rules-tests run: semgrep --config="r/yaml.semgrep" --severity ERROR .