pi-lens 3.8.21 → 3.8.23

package/rules/tree-sitter-queries/go/go-log-fatal.yml

@@ -0,0 +1,49 @@
+# Go Reliability
+# Detects process-terminating log calls in non-boundary code.
+id: go-log-fatal
+name: log.Fatal / log.Panic Call
+severity: warning
+category: reliability
+defect_class: safety
+inline_tier: warning
+language: go
+
+message: "log.Fatal/log.Panic terminates execution — prefer returning errors from core logic"
+
+description: |
+  `log.Fatal*` exits the process and `log.Panic*` panics. In shared/internal logic,
+  this makes control flow hard to test and recover.
+
+  ✅ FIX: return errors upward and let program entrypoints decide termination policy.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @METHOD)
+    arguments: (argument_list) @ARGS)
+  (#eq? @PKG "log")
+  (#match? @METHOD "^(Fatal|Fatalf|Fatalln|Panic|Panicf|Panicln)$")
+
+metavars:
+  - PKG
+  - METHOD
+  - ARGS
+
+has_fix: false
+
+tags:
+  - go
+  - reliability
+  - testability
+
+examples:
+  bad: |
+    if err != nil {
+        log.Fatal(err)
+    }
+
+  good: |
+    if err != nil {
+        return err
+    }

package/rules/tree-sitter-queries/go/go-path-traversal.yml

@@ -0,0 +1,51 @@
+# Go Security
+# Detects file-system sink calls with dynamic path expressions.
+id: go-path-traversal
+name: Path Traversal Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Potential path traversal sink — sanitize and constrain file paths"
+
+description: |
+  File operations with user-controlled paths can access unintended files.
+
+  ✅ FIX: clean/canonicalize paths and enforce a fixed base directory.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @FN)
+    arguments: (argument_list
+      [(identifier) (binary_expression) (call_expression)] @PATH
+      (_)*))
+  (#match? @PKG "^(os|ioutil)$")
+  (#match? @FN "^(Open|OpenFile|ReadFile|WriteFile|Create|Remove|RemoveAll)$")
+
+metavars:
+  - PKG
+  - FN
+  - PATH
+
+post_filter: go_path_traversal_sink
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - path-traversal
+  - cwe-22
+  - owasp-a01
+
+examples:
+  bad: |
+    os.ReadFile(base + userPath)
+
+  good: |
+    p := filepath.Clean(userPath)
+    os.ReadFile(filepath.Join(baseDir, p))

package/rules/tree-sitter-queries/go/go-shared-map-write-goroutine.yml

@@ -0,0 +1,54 @@
+# Go Concurrency
+# Detects map writes inside goroutines, often indicating unsafe shared mutation.
+id: go-shared-map-write-goroutine
+name: Shared Map Write in Goroutine
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: go
+
+message: "Map write inside goroutine may race — guard with synchronization or ownership boundaries"
+
+description: |
+  Native Go maps are not safe for concurrent writes without synchronization.
+
+  ✅ FIX: use sync.Mutex/RWMutex, channels, or sync.Map based on access patterns.
+
+query: |
+  (go_statement
+    expression: (call_expression
+      function: (func_literal
+        body: (block
+          (assignment_statement
+            left: (index_expression) @MAPWRITE
+            right: (_) @VALUE)))
+      arguments: (argument_list) @ARGS))
+
+metavars:
+  - MAPWRITE
+  - VALUE
+  - ARGS
+
+cwe:
+  - CWE-362
+owasp:
+  - A09
+confidence: medium
+
+has_fix: false
+
+tags:
+  - go
+  - concurrency
+  - map
+  - race
+
+examples:
+  bad: |
+    go func() { m[key] = value }()
+
+  good: |
+    mu.Lock()
+    m[key] = value
+    mu.Unlock()

package/rules/tree-sitter-queries/go/go-sql-injection.yml

@@ -0,0 +1,55 @@
+# Go Security
+# Detects SQL query APIs fed by fmt.Sprintf/format-composed strings.
+id: go-sql-injection
+name: SQL Injection Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Potential SQL injection sink — use parameterized queries"
+
+description: |
+  Building SQL with string formatting before Query/Exec can enable injection.
+
+  ✅ FIX: use placeholders and bind parameters in Query/Exec methods.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      field: (field_identifier) @DBFN)
+    arguments: (argument_list
+      (call_expression
+        function: (selector_expression
+          operand: (identifier) @FMTPKG
+          field: (field_identifier) @FMTFN)
+        arguments: (argument_list) @FMTARGS)
+      (_)*))
+  (#match? @DBFN "^(Query|QueryContext|QueryRow|QueryRowContext|Exec|ExecContext)$")
+  (#eq? @FMTPKG "fmt")
+  (#eq? @FMTFN "Sprintf")
+
+metavars:
+  - DBFN
+  - FMTPKG
+  - FMTFN
+  - FMTARGS
+
+post_filter: go_sql_injection_sink
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - sql-injection
+  - cwe-89
+  - owasp-a03
+
+examples:
+  bad: |
+    db.Query(fmt.Sprintf("SELECT * FROM users WHERE id=%s", userID))
+
+  good: |
+    db.Query("SELECT * FROM users WHERE id=$1", userID)

package/rules/tree-sitter-queries/go/go-weak-hash.yml

@@ -0,0 +1,51 @@
+# Go Security
+# Detects weak cryptographic hash package usage.
+id: go-weak-hash
+name: Weak Hash Primitive
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: go
+
+message: "Weak hash primitive detected (md5/sha1) — use sha256+ for security-sensitive contexts"
+
+description: |
+  md5/sha1 are not suitable for security-sensitive hashing.
+
+  ✅ FIX: use crypto/sha256 or stronger alternatives.
+
+query: |
+  (call_expression
+    function: (selector_expression
+      operand: (identifier) @PKG
+      field: (field_identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#match? @PKG "^(md5|sha1)$")
+  (#match? @FN "^(New|Sum)$")
+
+metavars:
+  - PKG
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-327
+owasp:
+  - A02
+confidence: high
+
+has_fix: false
+
+tags:
+  - go
+  - security
+  - crypto
+  - weak-hash
+
+examples:
+  bad: |
+    sum := md5.Sum(data)
+
+  good: |
+    sum := sha256.Sum256(data)

package/rules/tree-sitter-queries/python/python-command-injection.yml

@@ -0,0 +1,63 @@
+# Python Security
+# Detects shell command execution sinks that commonly lead to command injection.
+id: python-command-injection
+name: Command Injection Sink
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Potential command injection sink — avoid shell execution with dynamic input"
+
+description: |
+  Calling shell execution APIs with user-controlled data can lead to command injection.
+
+  ✅ FIX: avoid shell execution; prefer argument arrays and strict input allowlists.
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#eq? @MOD "os")
+  (#match? @FN "^(system|popen)$")
+
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list
+      (keyword_argument
+        name: (identifier) @KW
+        value: (true))))
+  (#eq? @MOD "subprocess")
+  (#match? @FN "^(run|Popen|call|check_output|check_call)$")
+  (#eq? @KW "shell")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+  - KW
+
+post_filter: py_command_injection_sink
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - command-injection
+  - cwe-78
+  - owasp-a03
+
+examples:
+  bad: |
+    import os
+    os.system(user_input)
+
+  good: |
+    import subprocess
+    subprocess.run(["git", "status"], check=True)

package/rules/tree-sitter-queries/python/python-insecure-deserialization.yml

@@ -0,0 +1,48 @@
+# Python Security
+# Detects unsafe deserialization APIs.
+id: python-insecure-deserialization
+name: Insecure Deserialization
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Potential insecure deserialization sink — avoid unsafe loaders"
+
+description: |
+  Deserializing untrusted input with pickle/yaml unsafe loaders can lead to code execution.
+
+  ✅ FIX: use safe parsing formats or safe loaders and strict schema validation.
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list (_) @DATA))
+  (#match? @MOD "^(pickle|yaml)$")
+  (#match? @FN "^(load|loads|unsafe_load)$")
+
+metavars:
+  - MOD
+  - FN
+  - DATA
+
+post_filter: py_insecure_deserialization_sink
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - deserialization
+  - cwe-502
+  - owasp-a08
+
+examples:
+  bad: |
+    obj = pickle.loads(request_body)
+
+  good: |
+    obj = json.loads(request_body)

package/rules/tree-sitter-queries/python/python-insecure-random.yml

@@ -0,0 +1,51 @@
+# Python Security
+# Detects non-cryptographic randomness API usage in security-sensitive code paths.
+id: python-insecure-random
+name: Insecure Randomness
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Insecure randomness source detected — use secrets or os.urandom for security-sensitive values"
+
+description: |
+  random.* is deterministic and unsuitable for security-sensitive tokens or secrets.
+
+  ✅ FIX: use secrets.token_urlsafe, secrets.randbelow, or os.urandom.
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#eq? @MOD "random")
+  (#match? @FN "^(random|randint|randrange|choice|choices)$")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-330
+owasp:
+  - A02
+confidence: medium
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - randomness
+  - weak-prng
+
+examples:
+  bad: |
+    token = random.randint(100000, 999999)
+
+  good: |
+    token = secrets.randbelow(900000) + 100000

package/rules/tree-sitter-queries/python/python-path-traversal.yml

@@ -0,0 +1,55 @@
+# Python Security
+# Detects file access APIs used with dynamic path expressions.
+id: python-path-traversal
+name: Path Traversal Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Potential path traversal sink — sanitize and constrain file paths"
+
+description: |
+  File operations with user-controlled paths can access unintended files.
+
+  ✅ FIX: normalize paths and enforce a fixed base directory allowlist.
+
+query: |
+  [
+    (call
+      function: (identifier) @FN
+      arguments: (argument_list
+        [(identifier) (binary_operator) (call)] @PATH))
+    (call
+      function: (attribute
+        object: (identifier) @MOD
+        attribute: (identifier) @FN)
+      arguments: (argument_list
+        [(identifier) (binary_operator) (call)] @PATH))
+  ]
+  (#match? @FN "^(open|read_text|read_bytes|write_text|write_bytes|remove|unlink|rmdir)$")
+
+metavars:
+  - MOD
+  - FN
+  - PATH
+
+post_filter: py_path_traversal_sink
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - path-traversal
+  - cwe-22
+  - owasp-a01
+
+examples:
+  bad: |
+    open(base + user_path)
+
+  good: |
+    safe = os.path.normpath(user_path)
+    open(os.path.join(BASE_DIR, safe))

package/rules/tree-sitter-queries/python/python-sql-injection.yml

@@ -0,0 +1,47 @@
+# Python Security
+# Detects dynamic SQL passed into execute-like APIs.
+id: python-sql-injection
+name: SQL Injection Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Potential SQL injection sink — use parameterized queries"
+
+description: |
+  Dynamic SQL strings passed to execute-style APIs can enable SQL injection.
+
+  ✅ FIX: use placeholders and parameter binding instead of string composition.
+
+query: |
+  (call
+    function: (attribute
+      attribute: (identifier) @FN)
+    arguments: (argument_list
+      [(binary_operator) (identifier) (call)] @SQL
+      (_)*))
+  (#match? @FN "^(execute|executemany|query|raw)$")
+
+metavars:
+  - FN
+  - SQL
+
+post_filter: py_sql_injection_sink
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - sql-injection
+  - cwe-89
+  - owasp-a03
+
+examples:
+  bad: |
+    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
+
+  good: |
+    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

package/rules/tree-sitter-queries/python/python-ssrf.yml

@@ -0,0 +1,50 @@
+# Python Security
+# Detects user-controlled URL usage in outbound HTTP request sinks.
+id: python-ssrf
+name: SSRF Risk
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Potential SSRF sink — validate/allowlist outbound URLs"
+
+description: |
+  Outbound HTTP calls with untrusted URLs can allow server-side request forgery.
+
+  ✅ FIX: enforce allowlisted hosts/schemes and reject private/internal targets.
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list
+      [(identifier) (subscript) (call)] @URL))
+  (#eq? @MOD "requests")
+  (#match? @FN "^(get|post|put|patch|delete|request|head|options)$")
+
+metavars:
+  - MOD
+  - FN
+  - URL
+
+post_filter: py_ssrf_sink
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - ssrf
+  - cwe-918
+  - owasp-a10
+
+examples:
+  bad: |
+    requests.get(user_url)
+
+  good: |
+    if host in ALLOWLIST:
+        requests.get(url)

package/rules/tree-sitter-queries/python/python-thread-global-write.yml

@@ -0,0 +1,58 @@
+# Python Concurrency
+# Detects thread creation sites where shared state safety should be reviewed.
+id: python-thread-global-write
+name: Threaded Shared State Risk
+severity: warning
+category: concurrency
+defect_class: async-misuse
+inline_tier: warning
+language: python
+
+message: "Thread creation detected — ensure shared state mutations are synchronized"
+
+description: |
+  Creating threads in code paths that touch shared mutable state can introduce races.
+
+  ✅ FIX: guard shared state with Lock/RLock or redesign ownership boundaries.
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#eq? @MOD "threading")
+  (#eq? @FN "Thread")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-362
+owasp:
+  - A09
+confidence: medium
+
+has_fix: false
+
+tags:
+  - python
+  - concurrency
+  - shared-state
+  - threading
+
+examples:
+  bad: |
+    counter = 0
+    def worker():
+        global counter
+        counter += 1
+    threading.Thread(target=worker).start()
+
+  good: |
+    lock = threading.Lock()
+    def worker():
+        with lock:
+            update_state()

package/rules/tree-sitter-queries/python/python-weak-hash.yml

@@ -0,0 +1,51 @@
+# Python Security
+# Detects weak cryptographic hash primitives.
+id: python-weak-hash
+name: Weak Hash Primitive
+severity: warning
+category: security
+defect_class: injection
+inline_tier: warning
+language: python
+
+message: "Weak hash primitive detected (MD5/SHA1) — use SHA-256+ for security-sensitive contexts"
+
+description: |
+  MD5 and SHA1 are collision-prone and not suitable for security-sensitive hashing.
+
+  ✅ FIX: prefer hashlib.sha256/sha512 (or stronger, context-appropriate algorithms).
+
+query: |
+  (call
+    function: (attribute
+      object: (identifier) @MOD
+      attribute: (identifier) @FN)
+    arguments: (argument_list) @ARGS)
+  (#eq? @MOD "hashlib")
+  (#match? @FN "^(md5|sha1)$")
+
+metavars:
+  - MOD
+  - FN
+  - ARGS
+
+cwe:
+  - CWE-327
+owasp:
+  - A02
+confidence: high
+
+has_fix: false
+
+tags:
+  - python
+  - security
+  - crypto
+  - weak-hash
+
+examples:
+  bad: |
+    digest = hashlib.md5(data).hexdigest()
+
+  good: |
+    digest = hashlib.sha256(data).hexdigest()