@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/community-merged/cwe-116/missing-autoescape-disabled.yaml

@@ -0,0 +1,34 @@
+# Source: semgrep-community | Cluster: python-116
+rules:
+- id: missing-autoescape-disabled
+  patterns:
+  - pattern-not: jinja2.Environment(..., autoescape=$VAL, ...)
+  - pattern: jinja2.Environment(...)
+  fix-regex:
+    regex: (.*)\)
+    replacement: \1, autoescape=True)
+  message: >-
+    Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default.
+    This is dangerous if you are rendering to a browser because this allows for cross-site
+    scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting
+    'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable
+    automatic escaping for certain file extensions.
+  metadata:
+    source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://jinja.palletsprojects.com/en/2.11.x/api/#basics
+    category: security
+    technology:
+    - jinja2
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-116/no-scriptlets.yaml

@@ -0,0 +1,32 @@
+# Source: semgrep-community | Cluster: java-116
+rules:
+- id: no-scriptlets
+  message: >-
+    JSP scriptlet detected. Scriptlets are difficult to use securely and
+    are considered bad practice. See https://stackoverflow.com/a/3180202.
+    Instead, consider migrating to JSF or using the Expression Language
+    '${...}' with the escapeXml function in your JSP files.
+  metadata:
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    references:
+    - https://stackoverflow.com/a/3180202
+    - https://stackoverflow.com/a/4948856
+    category: security
+    technology:
+    - jsp
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  pattern-regex: |-
+    \<\%[^\@].*
+  paths:
+    include:
+    - '*.jsp'
+  languages: [regex]
+  severity: WARNING

package/rules/community-merged/cwe-116/use-escapexml.yaml

@@ -0,0 +1,34 @@
+# Source: semgrep-community | Cluster: java-116
+rules:
+- id: use-escapexml
+  message: >-
+    Detected an Expression Language segment that does not escape
+    output. This is dangerous because if any data in this expression
+    can be controlled externally, it is a cross-site scripting
+    vulnerability. Instead, use the 'escapeXml' function from
+    the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm
+    for more information.
+  metadata:
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - 'CWE-116: Improper Encoding or Escaping of Output'
+    references:
+    - https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm
+    - https://stackoverflow.com/a/4948856
+    - https://stackoverflow.com/a/3180202
+    category: security
+    technology:
+    - jsp
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  pattern-regex: \$\{(?!.*escapeXml).*\}
+  paths:
+    include:
+    - '*.jsp'
+  languages: [regex]
+  severity: WARNING

package/rules/community-merged/cwe-119/detect-buffer-noassert.yaml

@@ -0,0 +1,33 @@
+# Source: semgrep-community | Cluster: javascript-119
+rules:
+- id: detect-buffer-noassert
+  message: >-
+    Detected usage of noassert in Buffer API, which allows the offset the be beyond
+    the
+    end of the buffer. This could result in writing or reading beyond the end of the
+    buffer.
+  metadata:
+    cwe:
+    - 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer'
+    source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js
+    category: security
+    technology:
+    - javascript
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+    references:
+    - https://cwe.mitre.org/data/definitions/119.html
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  patterns:
+  - pattern: $OBJ.$API(..., true)
+  - metavariable-regex:
+      metavariable: $API
+      regex: (read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))

package/rules/community-merged/cwe-1204/create-de-cipher-no-iv.yaml

@@ -0,0 +1,32 @@
+# Source: semgrep-community | Cluster: javascript-1204
+rules:
+- id: create-de-cipher-no-iv
+  message: >-
+    The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time.
+    For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once.
+    Other modes are still affected in their strength, though they're not completely broken.
+    Use 'createCipheriv' or 'createDecipheriv' instead.
+  metadata:
+    cwe:
+    - 'CWE-1204: Generation of Weak Initialization Vector (IV)'
+    category: security
+    subcategory:
+    - vuln
+    technology:
+    - node-crypto
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+    references:
+    - https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options
+    - https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options
+  languages:
+  - javascript
+  - typescript
+  severity: ERROR
+  patterns:
+    - pattern-either:
+      - pattern: |
+          $CRYPTO.createCipher(...)
+      - pattern: |
+          $CRYPTO.createDecipher(...)

package/rules/community-merged/cwe-1236/csv-writer-injection.yaml

@@ -0,0 +1,56 @@
+# Source: semgrep-community | Cluster: python-1236
+rules:
+- id: csv-writer-injection
+  languages:
+  - python
+  message: Detected user input into a generated CSV file using the built-in `csv` module. If user data
+    is used to generate the data in this file, it is possible that an attacker could inject a formula
+    when the CSV is imported into a spreadsheet application that runs an attacker script, which could
+    steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv`
+    is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts.
+    You can use `defusedcsv` instead of `csv` to safely generate CSVs.
+  metadata:
+    category: security
+    confidence: MEDIUM
+    cwe:
+    - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File'
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://github.com/raphaelm/defusedcsv
+    - https://owasp.org/www-community/attacks/CSV_Injection
+    - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities
+    technology:
+    - django
+    - python
+    subcategory:
+    - vuln
+    impact: MEDIUM
+    likelihood: MEDIUM
+  mode: taint
+  pattern-sinks:
+  - patterns:
+    - pattern-inside: |
+        $WRITER = csv.writer(...)
+
+        ...
+
+        $WRITER.$WRITE(...)
+    - pattern: $WRITER.$WRITE(...)
+    - metavariable-regex:
+        metavariable: $WRITE
+        regex: ^(writerow|writerows|writeheader)$
+  pattern-sources:
+  - patterns:
+    - pattern-inside: |
+        def $FUNC(..., $REQUEST, ...):
+          ...
+    - focus-metavariable: $REQUEST
+    - metavariable-pattern:
+        metavariable: $REQUEST
+        patterns:
+        - pattern: request
+        - pattern-not-inside: request.build_absolute_uri
+  severity: ERROR

package/rules/community-merged/cwe-1236/use-defusedcsv.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: python-1236
+rules:
+- id: use-defusedcsv
+  patterns:
+  - pattern: csv.writer(...)
+  - pattern-not: defusedcsv.writer(...)
+  message: >-
+    Detected the generation of a CSV file using the built-in `csv` module.
+    If user data is used to generate the data in this file, it is possible that
+    an attacker could inject a formula when the CSV is imported into a spreadsheet
+    application that runs an attacker script, which could steal data from the importing
+    user or, at worst, install malware on the user's computer. `defusedcsv` is a
+    drop-in replacement with the same API that will attempt to mitigate formula
+    injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.
+  metadata:
+    cwe:
+    - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File'
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://github.com/raphaelm/defusedcsv
+    - https://owasp.org/www-community/attacks/CSV_Injection
+    - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities
+    category: security
+    technology:
+    - python
+    confidence: LOW
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  fix-regex:
+    regex: csv
+    replacement: defusedcsv
+  languages: [python]
+  severity: INFO

package/rules/community-merged/cwe-1275/authtkt-cookie-samesite.yaml

@@ -0,0 +1,36 @@
+# Source: semgrep-community | Cluster: python-1275
+rules:
+- id: pyramid-authtkt-cookie-samesite
+  patterns:
+  - pattern-either:
+    - pattern: pyramid.authentication.AuthTktCookieHelper(..., samesite=$SAMESITE, ...)
+    - pattern: pyramid.authentication.AuthTktAuthenticationPolicy(..., samesite=$SAMESITE, ...)
+  - pattern: $SAMESITE
+  - metavariable-regex:
+      metavariable: $SAMESITE
+      regex: (?!'Lax')
+  fix: |
+    'Lax'
+  message: >-
+    Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid
+    cookies should be handled securely by setting samesite='Lax'.
+    If this parameter is not properly set, your cookies are not properly protected and
+    are at risk of being stolen by an attacker.
+  metadata:
+    cwe:
+    - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    category: security
+    technology:
+    - pyramid
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-1275/session-cookie-samesitenone.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: go-1275
+rules:
+- id: session-cookie-samesitenone
+  patterns:
+  - pattern-inside: |
+      &sessions.Options{
+        ...,
+        SameSite: http.SameSiteNoneMode,
+        ...,
+      }
+  - pattern: |
+      &sessions.Options{
+        ...,
+      }
+  message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting
+    SameSite to Lax, Strict or Default for enhanced security.
+  metadata:
+    cwe:
+    - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    references:
+    - https://pkg.go.dev/github.com/gorilla/sessions#Options
+    category: security
+    technology:
+    - gorilla
+    confidence: MEDIUM
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  fix-regex:
+    regex: (SameSite\s*:\s+)http.SameSiteNoneMode
+    replacement: \1http.SameSiteDefaultMode
+  severity: WARNING
+  languages:
+  - go

package/rules/community-merged/cwe-1275/set-cookie-samesite-unsafe-default.yaml

@@ -0,0 +1,45 @@
+# Source: semgrep-community | Cluster: python-1275
+rules:
+- id: pyramid-set-cookie-samesite-unsafe-default
+  patterns:
+  - pattern-either:
+    - pattern-inside: |
+        @pyramid.view.view_config(...)
+        def $VIEW($REQUEST):
+            ...
+            $RESPONSE = $REQUEST.response
+            ...
+    - pattern-inside: |
+        def $VIEW(...):
+            ...
+            $RESPONSE = pyramid.httpexceptions.HTTPFound(...)
+            ...
+  - pattern-not: $RESPONSE.set_cookie(..., samesite=$SAMESITE, ...)
+  - pattern-not: $RESPONSE.set_cookie(..., **$PARAMS)
+  - pattern: $RESPONSE.set_cookie(...)
+  fix-regex:
+    regex: (.*)\)
+    replacement: \1, samesite='Lax')
+  message: >-
+    Found a Pyramid cookie using an unsafe value for the samesite option.
+    Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...).
+    If this parameter is not properly set, your cookies are not properly protected and
+    are at risk of being stolen by an attacker.
+  metadata:
+    cwe:
+    - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    category: security
+    technology:
+    - pyramid
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+    confidence: MEDIUM
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-1333/detect-non-literal-regexp.yaml

@@ -0,0 +1,46 @@
+# Source: semgrep-community | Cluster: javascript-1333
+rules:
+- id: detect-non-literal-regexp
+  message: >-
+    RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression
+    Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is
+    recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing
+    input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to
+    verify that the regex does not appear vulnerable to ReDoS.
+  metadata:
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A06:2017 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    cwe:
+    - "CWE-1333: Inefficient Regular Expression Complexity"
+    references:
+    - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+    source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js
+    category: security
+    technology:
+    - javascript
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: LOW
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-inside: |
+        function ... (...,$ARG,...) {...}
+    - focus-metavariable: $ARG
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: new RegExp($ARG, ...)
+      - pattern: RegExp($ARG, ...)
+    - pattern-not: RegExp("...", ...)
+    - pattern-not: new RegExp("...", ...)
+    - pattern-not: RegExp(/.../, ...)
+    - pattern-not: new RegExp(/.../, ...)

package/rules/community-merged/cwe-1333/detect-redos.yaml

@@ -0,0 +1,44 @@
+# Source: semgrep-community | Cluster: javascript-1333
+rules:
+- id: detect-redos
+  message: >-
+    Detected the use of a regular expression `$REDOS` which appears to be vulnerable to a Regular expression Denial-of-Service (ReDoS). For this reason, it is recommended to review the regex and ensure it is not vulnerable to catastrophic backtracking, and if possible use a library which offers default safety against ReDoS vulnerabilities.
+  metadata:
+    owasp:
+    - A05:2021 - Security Misconfiguration
+    - A06:2017 - Security Misconfiguration
+    - A02:2025 - Security Misconfiguration
+    cwe:
+    - "CWE-1333: Inefficient Regular Expression Complexity"
+    references:
+    - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
+    - https://www.regular-expressions.info/redos.html
+    category: security
+    technology:
+    - javascript
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: LOW
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  patterns:
+    - pattern-either:
+        - pattern: |
+            new RegExp(/$REDOS/,...)
+        - pattern: |
+           new RegExp("$REDOS",...)
+        - pattern: |
+            /$REDOS/.test(...)
+        - pattern: |
+            "$REDOS".test(...)
+        - pattern: |
+            $X.match(/$REDOS/)
+        - pattern: |
+            $X.match("$REDOS")
+    - metavariable-analysis:
+        analyzer: redos
+        metavariable: $REDOS

package/rules/community-merged/cwe-1333/java-pattern-from-string-parameter.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: java-1333
+rules:
+  # The rule focus on specific code patterns to prevent as much as possible False Positive detection case
+  - id: java-pattern-from-string-parameter
+    languages:
+      - java
+    severity: INFO
+    message: >-
+      A regular expression is being used directly from a String method parameter.
+      This could be a Regular Expression Denial of Service (ReDoS) vulnerability if the parameter is user-controlled and not properly validated.
+      Ensure that a validation is in place to prevent evaluation using a regular expression prone to ReDoS.
+    patterns:
+      - pattern-inside: |-
+          $TYPE $METHOD(..., String $PARAM, ...) {
+            ...
+          }
+      - pattern-either:
+        - pattern: java.util.regex.Pattern.matches($PARAM, $ANY_STRING_TO_MATCH)
+        - pattern: java.util.regex.Pattern.compile($PARAM,...)
+    paths:
+      include:
+        - "**/*.java"
+    metadata:
+      category: security
+      owasp:
+        - A03:2021 Injection
+      technology:
+        - java
+      references:
+        - https://en.wikipedia.org/wiki/ReDoS
+        - https://learn.snyk.io/lesson/redos
+      cwe:
+        - "CWE-1333: Inefficient Regular Expression Complexity"
+      likelihood: LOW
+      impact: LOW
+      confidence: LOW
+      subcategory:
+        - audit

package/rules/community-merged/cwe-1333/regex-dos.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: python-1333
+rules:
+- id: regex_dos
+  patterns:
+  - pattern: |
+      $A = re.compile("$B", ...)
+      ...
+      $A.$METHOD(...)
+  - metavariable-analysis:
+      analyzer: redos
+      metavariable: $B
+  - metavariable-regex:
+      metavariable: $METHOD
+      regex: (?!(escape)|(purge))
+  message: >-
+    Detected usage of re.compile with an inefficient regular expression.
+    This can lead to regular expression denial of service, which can result
+    in service down time. Instead, check all regexes or use safer alternatives
+    such as pyre2.
+  languages:
+  - python
+  severity: WARNING
+  metadata:
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+    subcategory:
+      - vuln
+    owasp: 'A06:2017 - Security Misconfiguration'
+    cwe: 'CWE-1333: Inefficient Regular Expression Complexity'
+    category: security
+    technology:
+    - python
+    references:
+    - 'https://docs.python.org/3/library/re.html'

package/rules/community-merged/cwe-134/flask-api-method-string-format.yaml

@@ -0,0 +1,37 @@
+# Source: semgrep-community | Cluster: python-134
+rules:
+- id: flask-api-method-string-format
+  patterns:
+  - pattern-either:
+    - pattern: |
+        def $METHOD(...,$ARG,...):
+          ...
+          $STRING = "...".format(...,$ARG,...)
+          ...
+          ... = requests.$REQMETHOD($STRING,...)
+    - pattern: |
+        def $METHOD(...,$ARG,...):
+          ...
+          ... = requests.$REQMETHOD("...".format(...,$ARG,...),...)
+  - pattern-inside: |
+      class $CLASS(...):
+        method_decorators = ...
+        ...
+  message: >-
+    Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD
+  severity: ERROR
+  languages:
+  - python
+  metadata:
+    cwe:
+    - 'CWE-134: Use of Externally-Controlled Format String'
+    category: security
+    technology:
+    - flask
+    references:
+    - https://cwe.mitre.org/data/definitions/134.html
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW

package/rules/community-merged/cwe-134/unsafe-formatstring.yaml

@@ -0,0 +1,52 @@
+# Source: semgrep-community | Cluster: javascript-134
+rules:
+- id: unsafe-formatstring
+  message: >-
+    Detected string concatenation with a non-literal variable in a util.format / console.log function.
+    If an attacker injects
+    a format specifier in the string, it will forge the log message. Try to use constant values for the
+    format string.
+  metadata:
+    cwe:
+    - 'CWE-134: Use of Externally-Controlled Format String'
+    owasp:
+    - "A01:2021 - Broken Access Control"
+    - A01:2025 - Broken Access Control
+    category: security
+    technology:
+    - javascript
+    subcategory:
+    - audit
+    likelihood: MEDIUM
+    impact: LOW
+    confidence: LOW
+    references:
+    - https://cwe.mitre.org/data/definitions/134.html
+  languages:
+  - javascript
+  - typescript
+  severity: INFO
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: $X + $Y
+      - pattern: $X.concat($Y)
+      - pattern: |
+          `...${...}...`
+    - pattern-not: |
+        "..." + "..."
+    - pattern-not: |
+        $X.concat("...")
+  pattern-sinks:
+  - patterns:
+    - focus-metavariable: $STR
+    - pattern-either:
+      - pattern: |
+          console.$LOG($STR,$PARAM,...)
+      - patterns:
+        - pattern-inside: |
+            $UTIL = require('util')
+            ...
+        - pattern: |
+            $UTIL.format($STR,$PARAM,...)

package/rules/community-merged/cwe-150/autoescape-disabled.yaml

@@ -0,0 +1,30 @@
+# Source: semgrep-community | Cluster: java-150
+rules:
+- id: autoescape-disabled
+  message: >-
+    Detected an element with disabled HTML escaping. If external
+    data can reach this, this is a cross-site scripting (XSS)
+    vulnerability. Ensure no external data can reach here, or
+    remove 'escape=false' from this element.
+  metadata:
+    owasp: 'A07:2017 - Cross-Site Scripting (XSS)'
+    cwe:
+    - 'CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences'
+    references:
+    - https://stackoverflow.com/a/7442668
+    category: security
+    technology:
+    - jsf
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+  pattern-regex: |-
+    .*escape.*?=.*?false.*
+  paths:
+    include:
+    - '*.html'
+    - '*.xhtml'
+  languages: [regex]
+  severity: WARNING