My Webpage

rules: - id: ajinabraham.njsscan.redirect.open_redirect.express_open_redirect2 patterns: - pattern-inside: | $APP.$METHOD(..., function $FUNC($REQ, $RES) { ... }) - pattern-either: - pattern: | $RES.header(..., "=~/location/i", <... $REQ.$VAR ...>, ...) - pattern: | $RES.header(..., "=~/location/i", <... $REQ.$VAR.$VARR ...>, ...) - pattern: | $RES.writeHead(..., "=~/location/i", <... $REQ.$VAR ...>, ...) - pattern: | $RES.writeHead(..., "=~/location/i", <... $REQ.$VAR.$VARR ...>, ...) - pattern: | $RES.writeHead(..., {"=~/location/i": <... $REQ.$VAR ...> }, ...) - pattern: | $RES.writeHead(..., {"=~/location/i": <... $REQ.$VAR.$VARR ...> }, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $RES.header(..., "=~/location/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$VARR ...>; ... $RES.header(..., "=~/location/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $RES.writeHead(..., "=~/location/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$VARR ...>; ... $RES.writeHead(..., "=~/location/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $RES.writeHead(..., {"=~/location/i": <... $INP ...> }, ...) - pattern: | $INP = <... $REQ.$VAR.$VARR ...>; ... $RES.writeHead(..., {"=~/location/i": <... $INP ...> }, ...) message: Untrusted user input in response header('Location') can result in Open Redirect vulnerability. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-601 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.redirect.open_redirect.express_open_redirect2 shortlink: https://sg.run/36Np semgrep.dev: rule: r_id: 43687 rv_id: 923783 rule_id: qNUrgk version_id: LjTz352 url: https://semgrep.dev/playground/r/LjTz352/ajinabraham.njsscan.redirect.open_redirect.express_open_redirect2 origin: community - id: ajinabraham.njsscan.xss.xss_templates.handlebars_safestring pattern-either: - pattern: $X.SafeString(...) - pattern: new Handlebars.SafeString(...) message: When you use SafeString or triple curly braces ({{{ }}}), Handlebars does not escape the content, allowing raw HTML to be rendered in the browser. This is useful if you want to insert valid HTML content into your template, like bold text () or links (), but it becomes dangerous if you are dealing with untrusted or user-generated content, as it can cause a Cross-site scripting attack (XSS). You should only use SafeString when the content is trusted. For example, if the content is generated by the server and does not come from user input or an untrusted source. If you are dealing with user-generated content, make sure to sanitize it to remove any malicious scripts before marking it as "safe". languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-79 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_templates.handlebars_safestring shortlink: https://sg.run/KzE7 semgrep.dev: rule: r_id: 43711 rv_id: 923784 rule_id: nJUlA0 version_id: 8KTvZzj url: https://semgrep.dev/playground/r/8KTvZzj/ajinabraham.njsscan.xss.xss_templates.handlebars_safestring origin: community - id: gitlab.bar patterns: - pattern: func bar() {...} message: | Function bar detected metadata: cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' license: MIT source: https://semgrep.dev/r/gitlab.bar shortlink: https://sg.run/gB8J semgrep.dev: rule: r_id: 39385 rv_id: 47431 rule_id: WAU68Z version_id: X0TeoB url: https://semgrep.dev/playground/r/X0TeoB/gitlab.bar origin: community severity: ERROR languages: - go - id: gitlab.bandit.B308.B703 patterns: - pattern-not-inside: django.utils.html.format_html(...) - pattern: django.utils.safestring.mark_safe(...) message: | 'mark_safe()' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use 'django.utils.html.format_html()' to build HTML for rendering instead. metadata: cwe: 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: 'A7: Cross-Site Scripting (XSS)' license: MIT source: https://semgrep.dev/r/gitlab.bandit.B308.B703 shortlink: https://sg.run/58xj semgrep.dev: rule: r_id: 11547 rv_id: 13275 rule_id: d8UzRp version_id: JdTQjX url: https://semgrep.dev/playground/r/JdTQjX/gitlab.bandit.B308.B703 origin: community severity: WARNING languages: - python - id: c.lang.security.function-use-after-free.function-use-after-free patterns: - pattern-either: - pattern: $FUNC(..., <... $VAR ...>, ...) - pattern: $FUNC(..., <... $VAR->$ACCESSOR ...>, ...) - pattern: $FUNC(..., <... (*$VAR).$ACCESSOR ...>, ...) - pattern: $FUNC(..., <... $VAR[$NUM] ...>, ...) - metavariable-regex: metavariable: $FUNC regex: (?!^free$) - pattern-inside: free($VAR); ... - pattern-not-inside: free($VAR); ... $VAR = NULL; ... - pattern-not-inside: free($VAR); ... $VAR = malloc(...); ... message: Variable '$VAR' was passed to a function after being freed. This can lead to undefined behavior. metadata: cwe: - 'CWE-416: Use After Free' references: - https://cwe.mitre.org/data/definitions/416.html - https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/ category: security technology: - c confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/c.lang.security.function-use-after-free.function-use-after-free shortlink: https://sg.run/eWyZ semgrep.dev: rule: r_id: 57376 rv_id: 945168 rule_id: WAU9Dz version_id: qkT4jQj url: https://semgrep.dev/playground/r/qkT4jQj/c.lang.security.function-use-after-free.function-use-after-free origin: community languages: - c severity: WARNING - id: c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn message: Avoid using user-controlled format strings passed into 'sprintf', 'printf' and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'. metadata: cwe: - 'CWE-134: Use of Externally-Controlled Format String' references: - https://doc.castsoftware.com/display/SBX/Never+use+sprintf%28%29+or+vsprintf%28%29+functions - https://www.cvedetails.com/cwe-details/134/Uncontrolled-Format-String.html category: security technology: - c confidence: LOW subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn shortlink: https://sg.run/ZvJx semgrep.dev: rule: r_id: 8835 rv_id: 945172 rule_id: ReUgWx version_id: o5TZeB2 url: https://semgrep.dev/playground/r/o5TZeB2/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn origin: community languages: - c severity: WARNING patterns: - pattern-either: - pattern: | $FUNC($BUFFER, argv[$NUM], ...); ... vsprintf(..., $BUFFER, ...); - pattern: vsprintf(..., argv[$NUM], ...) - pattern: | $FUNC($BUFFER, argv[$NUM], ...); ... sprintf(..., $BUFFER, ...); - pattern: sprintf(...,argv[$NUM],...) - pattern: | $FUNC($BUFFER, argv[$NUM], ...); ... printf(..., $BUFFER, ...); - pattern: printf(...,argv[$NUM],...) - metavariable-comparison: metavariable: $NUM comparison: int($NUM) > 0 - id: gitlab.eslint.detect-object-injection patterns: - pattern: $O[$ARG] - pattern-not: $O["..."] - pattern-not: '$O[($ARG : float)]' - pattern-not-inside: | $ARG = [$V]; ... <... $O[$ARG] ...>; - pattern-not-inside: | $ARG = $V; ... <... $O[$ARG] ...>; - metavariable-regex: metavariable: $ARG regex: (?![0-9]+) message: Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution. languages: - javascript - typescript severity: WARNING metadata: cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' primary_identifier: eslint.detect-object-injection secondary_identifiers: - name: ESLint rule ID security/detect-object-injection type: eslint_rule_id value: security/detect-object-injection license: MIT source: https://semgrep.dev/r/gitlab.eslint.detect-object-injection shortlink: https://sg.run/8nbQ semgrep.dev: rule: r_id: 11584 rv_id: 56280 rule_id: NbUAnd version_id: rxTqor url: https://semgrep.dev/playground/r/rxTqor/gitlab.eslint.detect-object-injection origin: community - id: ajinabraham.njsscan.database.nosql_find_injection.node_nosqli_injection patterns: - pattern-not-inside: | $SEQUELIZE = require('sequelize') ... $SEQUELIZE(...) ... - pattern-not-inside: | import $SEQUELIZE from 'sequelize' ... $SEQUELIZE(...) ... - pattern-not-inside: | $SANITIZE = require('mongo-sanitize') ... $SANITIZE(...) ... - pattern-not-inside: | import $SANITIZE from 'mongo-sanitize' ... $SANITIZE(...) ... - pattern-either: - pattern: | $OBJ.findOne({$KEY : <... $REQ.$FOO.$BAR ...> }, ...) - pattern: | $OBJ.findOne({$KEY: <... $REQ.$FOO ...> }, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $OBJ.findOne({$KEY : <... $INP ...> }, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $OBJ.findOne({$KEY: <... $INP ...> }, ...) - pattern: | $QUERY = {$KEY: <... $REQ.$FOO.$BAR ...>}; ... $OBJ.findOne($QUERY, ...) - pattern: | $QUERY = {$KEY: <... $REQ.$FOO ...>}; ... $OBJ.findOne($QUERY, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $QUERY = {$KEY : <... $INP ...> }; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $QUERY = {$KEY : <... $INP ...> }; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $QUERY[$KEY] = <... $REQ.$FOO.$BAR ...>; ... $OBJ.findOne($QUERY, ...) - pattern: | $QUERY[$KEY] = <... $REQ.$FOO ...>; ... $OBJ.findOne($QUERY, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $QUERY[$KEY] = <... $INP ...>; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $QUERY[$KEY] = <... $INP ...>; ... $OBJ.findOne(<... $QUERY ...>, ...) message: Untrusted user input in findOne() function can result in NoSQL Injection. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-943 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.nosql_find_injection.node_nosqli_injection shortlink: https://sg.run/0q35 semgrep.dev: rule: r_id: 43610 rv_id: 833104 rule_id: nJUl5r version_id: YDTl0ZA url: https://semgrep.dev/playground/r/YDTl0ZA/ajinabraham.njsscan.database.nosql_find_injection.node_nosqli_injection origin: community - id: python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 message: Detected RC2 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B304 references: - https://cwe.mitre.org/data/definitions/326.html - https://www.pycryptodome.org/src/cipher/cipher category: security technology: - pycryptodome subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: HIGH functional-categories: - crypto::search::symmetric-algorithm::pycryptodome - crypto::search::symmetric-algorithm::pycryptodomex license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 shortlink: https://sg.run/nAbY semgrep.dev: rule: r_id: 33636 rv_id: 1263547 rule_id: GdUYlW version_id: LjTkgn6 url: https://semgrep.dev/playground/r/LjTkgn6/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2 origin: community options: symbolic_propagation: true severity: WARNING languages: - python pattern-either: - pattern: Cryptodome.Cipher.ARC2.new(...) - pattern: Crypto.Cipher.ARC2.new(...) - id: ajinabraham.njsscan.good.good_anti_csrf.anti_csrf_control patterns: - pattern-inside: | $CSRUF = require('csurf') ... - pattern-either: - pattern: $X = csrf(...) - pattern: $X = csurf(...) - pattern: $APP.use(csrf(...)) - pattern: $APP.use(csurf(...)) message: This application has anti CSRF protection which prevents cross site request forgery attacks. languages: - javascript severity: INFO metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_anti_csrf.anti_csrf_control shortlink: https://sg.run/BDJ2 semgrep.dev: rule: r_id: 43651 rv_id: 833145 rule_id: X5Upew version_id: K3Trqo4 url: https://semgrep.dev/playground/r/K3Trqo4/ajinabraham.njsscan.good.good_anti_csrf.anti_csrf_control origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_csp message: 'Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {contentSecurityPolicy: false}, ...) - pattern-either: - pattern: | helmet({contentSecurityPolicy: {directives: ...}}) - pattern: | helmet.contentSecurityPolicy({directives: ...}) - pattern: | csp({directives: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_csp shortlink: https://sg.run/D0Go semgrep.dev: rule: r_id: 43652 rv_id: 833146 rule_id: j2Upev version_id: qkTQnOb url: https://semgrep.dev/playground/r/qkTQnOb/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_csp origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_expect_ct message: 'Expect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {expectCt: false}, ...) - pattern-either: - pattern: | expectCt({maxAge: ...,}) - pattern: | helmet.expectCt({maxAge: ...,}) - pattern: | expectCt({enforce: ...,}) - pattern: | hemlet.expectCt({enforce: ...,}) - pattern: | helmet({expectCt: { enforce: ... }}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_expect_ct shortlink: https://sg.run/0qx5 semgrep.dev: rule: r_id: 43654 rv_id: 833148 rule_id: 9AULNk version_id: YDTl0EA url: https://semgrep.dev/playground/r/YDTl0EA/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_expect_ct origin: community - id: mobsf.mobsfscan.crypto.rsa_no_oeap.rsa_no_oeap patterns: - pattern-either: - pattern: | Cipher.getInstance($X, ...) - pattern: | javax.crypto.Cipher.getInstance($X, ...) - metavariable-regex: metavariable: $X regex: (?i:^.{0,100}rsa/.{1,23}/nopadding.{0,100}) message: This App uses RSA Crypto without OAEP padding. The purpose of the padding scheme is to prevent a number of attacks on RSA that only work when the encryption is performed without padding. languages: - java severity: ERROR metadata: cwe: cwe-780 owasp-mobile: m5 masvs: crypto-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#mobile-app-cryptography license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.rsa_no_oeap.rsa_no_oeap shortlink: https://sg.run/ZZED semgrep.dev: rule: r_id: 43735 rv_id: 833229 rule_id: 5rUx0n version_id: 7ZTx9Zg url: https://semgrep.dev/playground/r/7ZTx9Zg/mobsf.mobsfscan.crypto.rsa_no_oeap.rsa_no_oeap origin: community - id: go.lang.security.bad_tmp.bad-tmp-file-creation message: File creation in shared tmp directory without using `io.CreateTemp`. languages: - go severity: WARNING metadata: cwe: - 'CWE-377: Insecure Temporary File' source-rule-url: https://github.com/securego/gosec category: security technology: - go confidence: LOW owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control - https://pkg.go.dev/io/ioutil#TempFile - https://pkg.go.dev/os#CreateTemp - https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67 subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation shortlink: https://sg.run/Gejn semgrep.dev: rule: r_id: 9104 rv_id: 1262965 rule_id: 6JUjnL version_id: 2KTv2pJ url: https://semgrep.dev/playground/r/2KTv2pJ/go.lang.security.bad_tmp.bad-tmp-file-creation origin: community pattern-either: - pattern: ioutil.WriteFile("=~//tmp/.*$/", ...) - pattern: os.Create("=~//tmp/.*$/", ...) - pattern: os.WriteFile("=~//tmp/.*$/", ...) - id: gitlab.security_code_scan.SCS0011-1 patterns: - pattern-either: - pattern: new XsltSettings() {EnableScript = true}; - pattern: | var $SETTINGS = new XsltSettings(); ... $SETTINGS.EnableScript = true; message: | By setting `XsltSettings.EnableScript` to true, an adversary who is able to influence the loaded XSL document could directly inject code to compromise the system. It is strongly recommended that an alternative approach is used to work with XML data. For increased security: - Never process user-supplied XSL style sheets - Ensure `XsltSettings.EnableScript` is set to false - Ensure `XsltSettings.EnableDocumentFunction` is set to false If the application must calculate values from XML input, instead of using XSL scripts to execute functions, modify the XML document prior to running the `XslCompiledTransform.Transform` method. Example of modifying the XML prior to running `Transform`: ``` const String filename = "number.xml"; const String stylesheet = "calc.xsl"; // Compile the style sheet. XsltSettings xslt_settings = new XsltSettings(); xslt_settings.EnableScript = false; // disable script xslt_settings.EnableDocumentFunction = false; // disable document() function XslCompiledTransform xslt = new XslCompiledTransform(); XmlResolver resolver = null; // set a null entity resolver xslt.Load(stylesheet, xslt_settings, resolver); // Load the XML source file, using XDocument for safety XDocument doc = XDocument.Load(filename); // do our modifications to the document before the transformation // instead of inside of a script. doc.Element("data").Add(new XElement("circle", new XElement("radius", 12))); // Create an XmlWriter. XmlWriterSettings settings = new XmlWriterSettings(); settings.OmitXmlDeclaration = true; settings.Indent = true; XmlWriter writer = XmlWriter.Create("output.xml", settings); // Finally, execute the transformation. xslt.Transform(doc.CreateReader(), writer); writer.Close(); ``` For more information on security considerations when using XSL see the following URLs: - https://learn.microsoft.com/en-us/dotnet/standard/data/xml/xslt-security-considerations - https://learn.microsoft.com/en-us/dotnet/api/system.xml.xsl.xslcompiledtransform?view=net-7.0#security-considerations languages: - csharp severity: WARNING metadata: shortDescription: Improper restriction of XML external entity reference category: security cwe: CWE-611 primary_identifier: security_code_scan.SCS0011-1 secondary_identifiers: - name: SCS0011 type: security_code_scan_rule_id value: SCS0011 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0011-1 shortlink: https://sg.run/64k1 semgrep.dev: rule: r_id: 31459 rv_id: 835753 rule_id: ReUE21 version_id: ExTrW7v url: https://semgrep.dev/playground/r/ExTrW7v/gitlab.security_code_scan.SCS0011-1 origin: community - id: gitlab.security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1 languages: - csharp patterns: - pattern: | new PasswordValidator { ..., }; - pattern: | new PasswordValidator { ..., RequiredLength = $LEN, ..., }; - pattern-not: | new PasswordValidator { ..., RequireNonLetterOrDigit = true, ..., }; - pattern-not: | new PasswordValidator { ..., RequireDigit = true, ..., }; - pattern-not: | new PasswordValidator { ..., RequireLowercase = true, ..., }; - pattern-not: | new PasswordValidator { ..., RequireUppercase = true, ..., }; - metavariable-comparison: metavariable: $LEN comparison: $LEN < 8 message: | The application's `PasswordValidator.RequiredLength` property allows passwords to be less than 8 characters. Consider requiring a length of at least 8 or more characters to reduce the chance of passwords being brute forced. Example of setting the RequiredLength to 8 in ASP.NET Core Identity: ``` builder.Services.Configure(options => { // Default Password settings. options.Password.RequireDigit = true; options.Password.RequireLowercase = true; options.Password.RequireNonAlphanumeric = true; options.Password.RequireUppercase = true; options.Password.RequiredLength = 8; options.Password.RequiredUniqueChars = 1; }); ``` For more information on configuring ASP.NET Core Identity see: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration severity: WARNING metadata: shortDescription: Weak password requirements category: security cwe: CWE-521 primary_identifier: security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1 secondary_identifiers: - name: SCS0032 type: security_code_scan_rule_id value: SCS0032 - name: SCS0033 type: security_code_scan_rule_id value: SCS0033 - name: SCS0034 type: security_code_scan_rule_id value: SCS0034 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1 shortlink: https://sg.run/o1e0 semgrep.dev: rule: r_id: 31460 rv_id: 835754 rule_id: AbUEJj version_id: 7ZTxR0P url: https://semgrep.dev/playground/r/7ZTxR0P/gitlab.security_code_scan.SCS0032-1.SCS0033-1.SCS0034-1 origin: community - id: gitlab.security_code_scan.SCS0018-1 languages: - csharp mode: taint pattern-sources: - patterns: - pattern-inside: | public class $CLASS : Controller { ... } - pattern: $PARAM - pattern-either: - patterns: - metavariable-regex: metavariable: $HTTP_ANNO regex: ^(Http) - pattern-inside: | [$HTTP_ANNO] public string $METHOD(...,$PARAM,...){...} - pattern-inside: | public IActionResult $METHOD(...,$PARAM,...){...} pattern-sanitizers: - pattern-either: - pattern: (Microsoft.Extensions.FileProviders.PhysicalFileProvider $E).GetFileInfo(...) - pattern: (System.Web.HttpServerUtility $E).MapPath(...) - pattern: (System.Web.HttpServerUtilityBase $E).MapPath(...) - pattern: (System.Web.HttpRequest $E).MapPath(...) pattern-sinks: - pattern-either: - pattern: System.IO.Directory.Delete(...) - pattern: System.IO.Directory.GetFiles(...) - pattern: System.IO.Directory.Move(...) - pattern: System.IO.File.AppendAllLines(...) - pattern: System.IO.File.AppendAllLinesAsync(...) - pattern: System.IO.File.AppendAllText(...) - pattern: System.IO.File.AppendAllTextAsync(...) - pattern: System.IO.File.AppendText(...) - pattern: System.IO.File.Copy(...) - pattern: System.IO.File.Create(...) - pattern: System.IO.File.CreateText(...) - pattern: System.IO.File.Delete(...) - pattern: System.IO.File.Move(...) - pattern: System.IO.File.Open(...) - pattern: System.IO.File.OpenRead(...) - pattern: System.IO.File.OpenText(...) - pattern: System.IO.File.OpenWrite(...) - pattern: System.IO.File.ReadAllBytes(...) - pattern: System.IO.File.ReadAllBytesAsync(...) - pattern: System.IO.File.ReadAllLines(...) - pattern: System.IO.File.ReadAllLinesAsync(...) - pattern: System.IO.File.ReadAllText(...) - pattern: System.IO.File.ReadAllTextAsync(...) - pattern: System.IO.File.ReadLines(...) - pattern: System.IO.File.Replace(...) - pattern: System.IO.File.SetAccessControl(...) - pattern: System.IO.File.WriteAllBytes(...) - pattern: System.IO.File.WriteAllBytesAsync(...) - pattern: System.IO.File.WriteAllLines(...) - pattern: System.IO.File.WriteAllLinesAsync(...) - pattern: System.IO.File.WriteAllText(...) - pattern: System.IO.File.WriteAllTextAsync(...) - pattern: new System.IO.FileInfo(...) - pattern: (System.IO.FileInfo $E).CopyTo(...) - pattern: (System.IO.FileInfo $E).MoveTo(...) - pattern: (System.IO.FileInfo $E).Replace(...) - pattern: System.Reflection.Assembly.LoadFile(...) - pattern: System.Reflection.Assembly.LoadFrom(...) - pattern: System.Reflection.Assembly.ReflectionOnlyLoadFrom(...) - pattern: System.Reflection.Assembly.UnsafeLoadFrom(...) - pattern: System.AppDomain.AppendPrivatePath(...) - pattern: System.Xml.XmlReader.Create(...) - pattern: new System.IO.StreamReader.ctor(...) - pattern: new System.IO.StreamWriter.ctor(...) - pattern: new System.IO.FileStream.ctor(...) - pattern: new System.Web.Mvc.FilePathResult(...) - pattern: new Microsoft.AspNetCore.Mvc.PhysicalFileResult(...) - pattern: (Microsoft.AspNetCore.Mvc.RazorPages.PageModel $E).PhysicalFile(...) - pattern: (System.Web.UI.WebControls.FileUpload $E).SaveAs(...) - pattern: (System.Web.HttpResponse $E).TransmitFile(...) - pattern: (System.Web.HttpResponse $E).WriteFile(...) - pattern: (System.Web.HttpResponseBase $E).TransmitFile(...) - pattern: (System.Web.HttpResponseBase $E).WriteFile(...) - pattern: (System.IO.Compression.ZipFileExtensions $E).CreateEntryFromFile(...) - pattern: (System.IO.Compression.ZipFileExtensions $E).ExtractToFile(...) - pattern: (System.IO.Compression.ZipFileExtensions $E).ExtractToDirectory(...) - pattern: (System.Net.WebClient $E).DownloadFile(...) - pattern: (System.Net.WebClient $E).DownloadFileAsync(...) - pattern: (System.Net.WebClient $E).DownloadFileTaskAsync(...) message: | The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible consider hashing user input or replacing it with unique values and use `System.IO.Path.GetFullPath` to resolve and validate the path information prior to processing any file functionality. Example using `Path.GetFullPath` and not allowing direct user input: ``` // store user input alongside an ID we control struct userData { public string userFilename; public Guid id; } class Program { public static void Main() { userData data = new userData(); // user input, saved only as a reference data.userFilename = "..\\test.txt"; // random id as the filename data.id = Guid.NewGuid(); // restrict all file processing to this directory only string basePath = "C:\\Restricted\\"; // resolve the full path, but only use our random generated id string fullPath = Path.GetFullPath(basePath + data.id); // verify the path is contained within our basePath if (!fullPath.StartsWith(basePath)) { Console.WriteLine("Invalid path specified!"); return; } // process / work with file } } ``` For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 primary_identifier: security_code_scan.SCS0018-1 secondary_identifiers: - name: SCS0018 type: security_code_scan_rule_id value: SCS0018 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0018-1 shortlink: https://sg.run/zrpd semgrep.dev: rule: r_id: 31461 rv_id: 835755 rule_id: BYUy1X version_id: LjTEeZl url: https://semgrep.dev/playground/r/LjTEeZl/gitlab.security_code_scan.SCS0018-1 origin: community severity: WARNING - id: gitlab.security_code_scan.SCS0017-1 languages: - csharp patterns: - pattern: | [ValidateInput(false)] public $RET $FOO(...) { ... } message: | By using the `[ValidateInput(false)]` attribute in a controller class, the application will disable request validation for that method. This disables ASP.NET from examining requests for injection attacks such as Cross-Site-Scripting (XSS). If possible, re-enable validation by using `ValidateInput(true)`. In some cases this may not be possible, in which case ensure how the request data used is validated and this method does not output user input directly into the view. For more information on protecting ASP.NET Core applications from XSS see: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting Example of enabling `ValidateInput` attribute: ``` class ControllerClass { [ValidateInput(true)] public void SomeActionMethod() { } } ``` For more information on ASP.NET request validation see OWASP: https://owasp.org/www-community/ASP-NET_Request_Validation severity: WARNING metadata: shortDescription: ASP.NET input validation disabled category: security cwe: CWE-554 primary_identifier: security_code_scan.SCS0017-1 secondary_identifiers: - name: SCS0017 type: security_code_scan_rule_id value: SCS0017 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0017-1 shortlink: https://sg.run/p16Z semgrep.dev: rule: r_id: 31462 rv_id: 835756 rule_id: DbUwNq version_id: 8KTGlRL url: https://semgrep.dev/playground/r/8KTGlRL/gitlab.security_code_scan.SCS0017-1 origin: community - id: gitlab.security_code_scan.SCS0029-1 mode: taint pattern-sources: - patterns: - pattern: $PARAM - metavariable-regex: metavariable: $HTTP_ANNO regex: ^(Http) - pattern-inside: | public class $CLASS : Controller { ... } - pattern-inside: | [$HTTP_ANNO] public string $METHOD(...,$PARAM,...){...} pattern-sanitizers: - patterns: - metavariable-regex: metavariable: $FUNC regex: (SerializeObject|HtmlAttributeEncode|HtmlEncode|HtmlFormUrlEncode|UrlEncode|UrlPathEncode|XmlAttributeEncode|XmlEncode|Encode) - pattern: $CLASS.$FUNC(...) pattern-sinks: - pattern: (System.Web.Mvc.HtmlHelper $E).Raw(...) - pattern: (Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper $E).Raw(...) - pattern: (System.Web.HttpResponse $E).AddHeader(...) - pattern: (System.Web.HttpResponse $E).AppendHeader(...) - pattern: (System.Web.HttpResponse $E).Write(...) - pattern: (System.Web.HttpResponse $E).BinaryWrite(...) - pattern: (System.Web.HttpResponse $E).TransmitFile(...) - pattern: (System.Web.HttpResponse $E).WriteFile(...) - pattern: (System.Web.HttpResponseBase $E).AddHeader(...) - pattern: (System.Web.HttpResponseBase $E).AppendHeader(...) - pattern: (System.Web.HttpResponseBase $E).Write(...) - pattern: (System.Web.HttpResponseBase $E).BinaryWrite(...) - pattern: (System.Web.HttpResponseBase $E).WriteFile(...) - pattern: (System.Web.UI.HtmlTextWriter $E).AddAttribute(...) - pattern: (System.Web.UI.HtmlTextWriter $E).AddStyleAttribute(...) - pattern: (System.Web.UI.HtmlTextWriter $E).RenderBeginTag(...) - pattern: (System.Web.UI.HtmlTextWriter $E).Write(...) - pattern: (System.Web.UI.HtmlTextWriter $E).WriteAttribute(...) - pattern: (System.Web.UI.HtmlTextWriter $E).WriteBeginTag(...) - pattern: (System.Web.UI.HtmlTextWriter $E).WriteEndTag(...) - pattern: (System.Web.UI.HtmlTextWriter $E).WriteFullBeginTag(...) - pattern: (System.Web.UI.HtmlTextWriter $E).WriteStyleAttribute(...) - pattern: (System.Web.UI.ClientScriptManager $E).RegisterStartupScript(...) - pattern: (System.Web.UI.ClientScriptManager $E).RegisterClientScriptBlock(...) - pattern: (System.Web.UI.Page $E).RegisterStartupScript(...) - pattern: (System.Web.UI.Page $E).RegisterClientScriptBlock(...) - pattern: return ...; languages: - csharp message: | Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Consider using built-in framework capabilities for automatically encoding user input. Depending on output context, consider using the following `System.Text.Encodings.Web` encoders: - [HtmlEncoder](https://learn.microsoft.com/en-us/dotnet/api/system.text.encodings.web.htmlencoder) - [JavaScriptEncoder](https://learn.microsoft.com/en-us/dotnet/api/system.text.encodings.web.javascriptencoder) - [UrlEncoder](https://learn.microsoft.com/en-us/dotnet/api/system.text.encodings.web.urlencoder) For more information on protecting ASP.NET Core applications from XSS see: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting#accessing-encoders-in-code metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 primary_identifier: security_code_scan.SCS0029-1 secondary_identifiers: - name: SCS0029 type: security_code_scan_rule_id value: SCS0029 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0029-1 shortlink: https://sg.run/2e5L semgrep.dev: rule: r_id: 31463 rv_id: 835757 rule_id: WAU7El version_id: gETyXdL url: https://semgrep.dev/playground/r/gETyXdL/gitlab.security_code_scan.SCS0029-1 origin: community severity: WARNING - id: gitlab.bandit.B303-6 patterns: - pattern-either: - pattern: Crypto.Hash.SHA.new(...) - pattern: Cryptodome.Hash.SHA.new (...) message: | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. metadata: cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm owasp: A3:2017-Sensitive Data Exposure primary_identifier: bandit.B303-6 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT source: https://semgrep.dev/r/gitlab.bandit.B303-6 shortlink: https://sg.run/L0KY semgrep.dev: rule: r_id: 11539 rv_id: 73121 rule_id: bwUOkX version_id: qkTy8y url: https://semgrep.dev/playground/r/qkTy8y/gitlab.bandit.B303-6 origin: community severity: WARNING languages: - python - id: ajinabraham.njsscan.crypto.crypto_node.node_sha1 patterns: - pattern: | $X.createHash("sha1") message: SHA1 is a a weak hash which is known to have collision. Use a strong hashing function. languages: - javascript severity: WARNING metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_sha1 shortlink: https://sg.run/JooW semgrep.dev: rule: r_id: 43602 rv_id: 833096 rule_id: kxU99A version_id: A8T37gj url: https://semgrep.dev/playground/r/A8T37gj/ajinabraham.njsscan.crypto.crypto_node.node_sha1 origin: community - id: ajinabraham.njsscan.crypto.crypto_node.node_aes_ecb patterns: - pattern-either: - pattern: | $X.createCipheriv("=~/^aes-([0-9]+)-ecb$/i", ...) - pattern: | $X.createDecipheriv("=~/^aes-([0-9]+)-ecb$/i", ...) message: AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data. languages: - javascript severity: ERROR metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_aes_ecb shortlink: https://sg.run/5zzX semgrep.dev: rule: r_id: 43603 rv_id: 833097 rule_id: wdUvvQ version_id: BjTe0kX url: https://semgrep.dev/playground/r/BjTe0kX/ajinabraham.njsscan.crypto.crypto_node.node_aes_ecb origin: community - id: ajinabraham.njsscan.crypto.crypto_node.node_aes_noiv patterns: - pattern-either: - pattern: | $X.createCipheriv("=~/^aes-/i", $KEY, "", ...) message: AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier. languages: - javascript severity: WARNING metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_aes_noiv shortlink: https://sg.run/G302 semgrep.dev: rule: r_id: 43604 rv_id: 833098 rule_id: x8U1lL version_id: DkTG0Rq url: https://semgrep.dev/playground/r/DkTG0Rq/ajinabraham.njsscan.crypto.crypto_node.node_aes_noiv origin: community - id: ajinabraham.njsscan.crypto.crypto_node.node_weak_crypto patterns: - pattern-either: - pattern: | $X.createCipher('des', ...) message: A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application. languages: - javascript severity: ERROR metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_weak_crypto shortlink: https://sg.run/Rxje semgrep.dev: rule: r_id: 43605 rv_id: 833099 rule_id: OrUrAN version_id: WrTdpql url: https://semgrep.dev/playground/r/WrTdpql/ajinabraham.njsscan.crypto.crypto_node.node_weak_crypto origin: community - id: ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator patterns: - pattern-either: - pattern: | $X.pseudoRandomBytes(...) - pattern: | Math.random(...) message: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. languages: - javascript severity: WARNING metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator shortlink: https://sg.run/ABG8 semgrep.dev: rule: r_id: 43606 rv_id: 833100 rule_id: eqUwYg version_id: 0bTwbK5 url: https://semgrep.dev/playground/r/0bTwbK5/ajinabraham.njsscan.crypto.crypto_node.node_insecure_random_generator origin: community - id: ajinabraham.njsscan.crypto.tls_node.node_curl_ssl_verify_disable patterns: - pattern: | $X(..., {SSL_VERIFYPEER : 0}, ...) message: SSL Certificate verification for node-curl is disabled. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-599 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.tls_node.node_curl_ssl_verify_disable shortlink: https://sg.run/Wx5g semgrep.dev: rule: r_id: 43609 rv_id: 833103 rule_id: ZqUJkq version_id: l4TyOJ8 url: https://semgrep.dev/playground/r/l4TyOJ8/ajinabraham.njsscan.crypto.tls_node.node_curl_ssl_verify_disable origin: community - id: ajinabraham.njsscan.database.nosql_injection.node_nosqli_js_injection patterns: - pattern-either: - pattern: | $OBJ.$FUNC({$where: <... $REQ.$FOO.$BAR ...>}, ...) - pattern: | $OBJ.$FUNC({$where: <... $REQ.$QUERY ...>}, ...) - pattern: | $NSQL = <... $REQ.$QUERY.$...>; ... $OBJ.$FUNC({$where: <... $NSQL ...>}, ...) - pattern: | $NSQL = <... $REQ.$QUERY ...>; ... $OBJ.$FUNC({$where: <... $NSQL ...>}, ...) - pattern: | $INP = $REQ.$FOO.$BAR; ... $QRY = {$where: <... $INP ...>}; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO; ... $QRY = {$where: <... $INP ...>}; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $QRY["$where"] = <... $REQ.$FOO ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $QRY["$where"] = <... $REQ.$FOO.$BAR ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO; ... $QRY["$where"] = <... $INP ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO.$BAR; ... $QRY["$where"] = <... $INP ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) message: Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-943 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.nosql_injection.node_nosqli_js_injection shortlink: https://sg.run/KzYX semgrep.dev: rule: r_id: 43611 rv_id: 833105 rule_id: EwUbyK version_id: 6xTDg2D url: https://semgrep.dev/playground/r/6xTDg2D/ajinabraham.njsscan.database.nosql_injection.node_nosqli_js_injection origin: community - id: ajinabraham.njsscan.database.sequelize_tls_validation.sequelize_tls_cert_validation message: | The Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database. severity: ERROR languages: - javascript metadata: owasp-web: a6 cwe: cwe-295 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.sequelize_tls_validation.sequelize_tls_cert_validation shortlink: https://sg.run/lAQ9 semgrep.dev: rule: r_id: 43613 rv_id: 833107 rule_id: L1UJLE version_id: zyTWJbl url: https://semgrep.dev/playground/r/zyTWJbl/ajinabraham.njsscan.database.sequelize_tls_validation.sequelize_tls_cert_validation origin: community patterns: - pattern: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: { rejectUnauthorized: false } } } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres)[''"]' - id: ajinabraham.njsscan.database.sequelize_weak_tls.sequelize_weak_tls message: | The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database. metadata: owasp-web: a6 cwe: cwe-757 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.sequelize_weak_tls.sequelize_weak_tls shortlink: https://sg.run/YeR4 semgrep.dev: rule: r_id: 43614 rv_id: 833108 rule_id: 8GU0Pv version_id: pZTXj0y url: https://semgrep.dev/playground/r/pZTXj0y/ajinabraham.njsscan.database.sequelize_weak_tls.sequelize_weak_tls origin: community severity: ERROR languages: - javascript patterns: - pattern-inside: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: ... } } - pattern-either: - pattern: | { minVersion: 'TLSv1' } - pattern: | { minVersion: 'TLSv1.1' } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres)[''"]' - id: ajinabraham.njsscan.database.sql_injection.node_sqli_injection patterns: - pattern-either: - pattern-inside: | require('sql-client') ... - pattern-inside: | require('mysql') ... - pattern-inside: | require('pg') ... - pattern-inside: | require('mssql') ... - pattern-inside: | require('oracledb') ... - pattern-either: - pattern: | $CON.query(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $CON.query(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY.$VAR ...>; ... $CON.query(<... $SQL ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $CON.query(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $SQL = <... $INP ...>; ... $CON.query(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $CON.query(<... $SQL ...>, ...) message: Untrusted input concatinated with raw SQL query can result in SQL Injection. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-89 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.sql_injection.node_sqli_injection shortlink: https://sg.run/6poB semgrep.dev: rule: r_id: 43615 rv_id: 833109 rule_id: gxUpve version_id: 2KT7xv3 url: https://semgrep.dev/playground/r/2KT7xv3/ajinabraham.njsscan.database.sql_injection.node_sqli_injection origin: community - id: ajinabraham.njsscan.database.sql_injection_knex.node_knex_sqli_injection patterns: - pattern-either: - pattern-inside: | $KNEX = require('knex') ... - pattern-inside: | $KNEX = require('knex')(...) ... - pattern-either: - pattern: | $K.raw(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $K.raw(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY.$VAR ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $SQL = <... $INP ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $K.whereRaw(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $K.whereRaw(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY.$VAR ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $SQL = <... $INP ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $K.whereRaw(<... $SQL ...>, ...) message: Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-89 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.sql_injection_knex.node_knex_sqli_injection shortlink: https://sg.run/oWQR semgrep.dev: rule: r_id: 43616 rv_id: 833110 rule_id: QrULR0 version_id: X0T5Nzz url: https://semgrep.dev/playground/r/X0T5Nzz/ajinabraham.njsscan.database.sql_injection_knex.node_knex_sqli_injection origin: community - id: ajinabraham.njsscan.dos.express_bodyparser_dos.express_bodyparser patterns: - pattern-inside: | $APP = express() ... - pattern-inside: | $APP.use(...) - pattern: $X.bodyParser(...) message: POST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space. languages: - javascript severity: ERROR metadata: owasp-web: a9 cwe: cwe-400 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.dos.express_bodyparser_dos.express_bodyparser shortlink: https://sg.run/zXQW semgrep.dev: rule: r_id: 43617 rv_id: 833111 rule_id: 3qUg5r version_id: jQTrXnB url: https://semgrep.dev/playground/r/jQTrXnB/ajinabraham.njsscan.dos.express_bodyparser_dos.express_bodyparser origin: community - id: ajinabraham.njsscan.dos.layer7_object_dos.layer7_object_dos patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern-inside: | $OBJ = $REQ.body; ... - pattern-inside: | $OBJ = $REQ.body.$FOO; ... - pattern-inside: | for(...){...} - pattern: | $OBJ.length message: Layer7 Denial of Service. Looping over user controlled objects can result in DoS. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-400 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.dos.layer7_object_dos.layer7_object_dos shortlink: https://sg.run/p0QL semgrep.dev: rule: r_id: 43618 rv_id: 833112 rule_id: 4bUJKE version_id: 1QTPLyE url: https://semgrep.dev/playground/r/1QTPLyE/ajinabraham.njsscan.dos.layer7_object_dos.layer7_object_dos origin: community - id: ajinabraham.njsscan.dos.regex_dos.regex_dos patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $REGEX.test(<... $REQ ...>) - pattern: | $REGEX.test(<... $REQ.$QUERY ...>) - pattern: | $REGEX.test(<... $REQ.$BODY.$PARAM ...>) - pattern: | $INP = <... $REQ ...>; ... $REGEX.test(<... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $REGEX.test(<... $INP ...>) - pattern: | $INP = <... $REQ.$BODY.$PARAM ...>; ... $REGEX.test(<... $INP ...>) - pattern: | /.../g.exec(<... $REQ ...>) - pattern: | /.../g.exec(<... $REQ.$QUERY ...>) - pattern: | /.../.exec(<... $REQ.$BODY.$PARAM ...>) - pattern: | $INP = <... $REQ ...>; ... /.../.exec(<... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY ...>; ... /.../.exec(<... $INP ...>) - pattern: | $INP = <... $REQ.$BODY.$PARAM ...>; ... /.../.exec(<... $INP ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ.$QUERY ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ.$BODY.$PARAM ...>) message: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-185 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.dos.regex_dos.regex_dos shortlink: https://sg.run/23qD semgrep.dev: rule: r_id: 43619 rv_id: 833113 rule_id: PeUK7z version_id: 9lTJ04q url: https://semgrep.dev/playground/r/9lTJ04q/ajinabraham.njsscan.dos.regex_dos.regex_dos origin: community - id: ajinabraham.njsscan.electronjs.security_electron.electron_disable_websecurity patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {webSecurity: false}}) - pattern: | var $X = {webPreferences: {webSecurity: false}}; message: Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-346 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_disable_websecurity shortlink: https://sg.run/jG1J semgrep.dev: rule: r_id: 43621 rv_id: 833115 rule_id: 5rUxKr version_id: rxTDzAG url: https://semgrep.dev/playground/r/rxTDzAG/ajinabraham.njsscan.electronjs.security_electron.electron_disable_websecurity origin: community - id: ajinabraham.njsscan.electronjs.security_electron.electron_allow_http patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {allowRunningInsecureContent: true}}) - pattern: | var $X = {webPreferences: {allowRunningInsecureContent: true}}; message: Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-319 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_allow_http shortlink: https://sg.run/1lKv semgrep.dev: rule: r_id: 43622 rv_id: 833116 rule_id: GdUgbB version_id: bZTBe54 url: https://semgrep.dev/playground/r/bZTBe54/ajinabraham.njsscan.electronjs.security_electron.electron_allow_http origin: community - id: ajinabraham.njsscan.eval.eval_vm2_injection.vm2_code_injection patterns: - pattern-inside: | require('vm2') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... $VM.run(<... $CODE ...>,...) - pattern: | new VM(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | new NodeVM(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new NodeVM(...).run(<... $CODE ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new VMScript(<... $CODE ...>,...) - pattern: | $VM.run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... $VM.run(<... $CODE ...>,...) - pattern: | new VM(...).run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new VM(...).run($CODE,...) - pattern: | new NodeVM(...).run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new NodeVM(...).run(<... $CODE ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new VMScript(<... $CODE ...>,...) message: Untrusted user input reaching `vm2` can result in code injection. severity: WARNING languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm2_injection.vm2_code_injection shortlink: https://sg.run/voQb semgrep.dev: rule: r_id: 43633 rv_id: 833127 rule_id: JDU4Ob version_id: ExTrDEZ url: https://semgrep.dev/playground/r/ExTrDEZ/ajinabraham.njsscan.eval.eval_vm2_injection.vm2_code_injection origin: community - id: ajinabraham.njsscan.eval.eval_vm2_injection.vm2_context_injection patterns: - pattern-inside: | require('vm2') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | new VM({sandbox: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$QUERY.$FOO ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | new NodeVM({sandbox: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$QUERY.$FOO ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | new VM({sandbox: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$BODY ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | new NodeVM({sandbox: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$BODY ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: |- $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) message: Untrusted user input reaching `vm2` sandbox can result in context injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm2_injection.vm2_context_injection shortlink: https://sg.run/dnod semgrep.dev: rule: r_id: 43634 rv_id: 833128 rule_id: 5rUxKW version_id: 7ZTx9Ek url: https://semgrep.dev/playground/r/7ZTx9Ek/ajinabraham.njsscan.eval.eval_vm2_injection.vm2_context_injection origin: community - id: ajinabraham.njsscan.eval.eval_vm_injection.vm_runincontext_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) message: Untrusted user input in `vm.runInContext()` can result in code injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm_injection.vm_runincontext_injection shortlink: https://sg.run/ZZAo semgrep.dev: rule: r_id: 43635 rv_id: 833129 rule_id: GdUgb1 version_id: LjTEbk8 url: https://semgrep.dev/playground/r/LjTEbk8/ajinabraham.njsscan.eval.eval_vm_injection.vm_runincontext_injection origin: community - id: ajinabraham.njsscan.eval.eval_vm_injection.vm_runinnewcontext_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.runInNewContext($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VM.runInNewContext($CODE,<... $REQ.$BODY ...>,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) message: Untrusted user input in `vm.runInNewContext()` can result in code injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm_injection.vm_runinnewcontext_injection shortlink: https://sg.run/nDQ2 semgrep.dev: rule: r_id: 43636 rv_id: 833130 rule_id: ReUdNj version_id: 8KTGk5k url: https://semgrep.dev/playground/r/8KTGk5k/ajinabraham.njsscan.eval.eval_vm_injection.vm_runinnewcontext_injection origin: community - id: ajinabraham.njsscan.eval.eval_vm_injection.vm_compilefunction_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $OPTS = {parsingContext: <... $REQ.$QUERY.$FOO ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $OPTS = {parsingContext: <... $REQ.$BODY ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) message: Untrusted user input in `vm.compileFunction()` can result in code injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm_injection.vm_compilefunction_injection shortlink: https://sg.run/EKDe semgrep.dev: rule: r_id: 43637 rv_id: 833131 rule_id: AbUxvo version_id: gETy2BX url: https://semgrep.dev/playground/r/gETy2BX/ajinabraham.njsscan.eval.eval_vm_injection.vm_compilefunction_injection origin: community - id: ajinabraham.njsscan.eval.eval_vm_injection.vm_code_injection patterns: - pattern-inside: | $VM = require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $VM.runInContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInContext($INPUT,...) - pattern: $VM.runInNewContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInNewContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInNewContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInNewContext($INPUT,...) - pattern: $VM.runInThisContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInThisContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInThisContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInThisContext($INPUT,...) - pattern: $VM.compileFunction(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.compileFunction(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.compileFunction($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.compileFunction($INPUT,...) - pattern: new $VM.Script(<... $REQ.$QUERY.$FOO ...>,...) - pattern: new $VM.Script(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... new $VM.Script($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... new $VM.Script($INPUT,...) message: Untrusted user input reaching `vm` can result in code injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_vm_injection.vm_code_injection shortlink: https://sg.run/72zW semgrep.dev: rule: r_id: 43638 rv_id: 833132 rule_id: BYUo40 version_id: QkTkrGq url: https://semgrep.dev/playground/r/QkTkrGq/ajinabraham.njsscan.eval.eval_vm_injection.vm_code_injection origin: community - id: ajinabraham.njsscan.eval.eval_yaml_deserialize.yaml_deserialize patterns: - pattern-inside: | require('js-yaml') ... - pattern: | $X.load(...) message: User controlled data in 'yaml.load()' function can result in Remote Code Injection. languages: - javascript severity: ERROR metadata: owasp-web: a8 cwe: cwe-502 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_yaml_deserialize.yaml_deserialize shortlink: https://sg.run/Lp6o semgrep.dev: rule: r_id: 43639 rv_id: 833133 rule_id: DbULBy version_id: 3ZT3A41 url: https://semgrep.dev/playground/r/3ZT3A41/ajinabraham.njsscan.eval.eval_yaml_deserialize.yaml_deserialize origin: community - id: ajinabraham.njsscan.eval.server_side_template_injection.server_side_template_injection patterns: - pattern-either: - pattern-inside: | require('handlebars') ... - pattern-inside: | require('pug') ... - pattern-inside: | require('hamljs') ... - pattern-inside: | require('ejs') ... - pattern-inside: | require('squirrelly') ... - pattern-inside: | require('eta') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $HB.compile(..., <... $REQ.$FOO ...>, ...) - pattern: | $HB.compile(..., <... $REQ.$FOO.$BAR ...>, ...) - pattern: | $X = <... $REQ.$FOO ...>; ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = <... $REQ.$FOO.$BAR ...>; ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...) ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...) ... $HB.compile(..., <... $X ...>, ...) - pattern: | $HB.Compile(..., <... $REQ.$FOO ...>, ...) - pattern: | $HB.Compile(..., <... $REQ.$FOO.$BAR ...>, ...) - pattern: | $X = <... $REQ.$FOO ...>; ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = <... $REQ.$FOO.$BAR ...>; ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...) ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...) ... $HB.Compile(..., <... $X ...>, ...) message: Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.server_side_template_injection.server_side_template_injection shortlink: https://sg.run/8XpE semgrep.dev: rule: r_id: 43640 rv_id: 833134 rule_id: WAUgeK version_id: 44TQPEO url: https://semgrep.dev/playground/r/44TQPEO/ajinabraham.njsscan.eval.server_side_template_injection.server_side_template_injection origin: community - id: ajinabraham.njsscan.exec.exec_os_command.generic_os_command_exec patterns: - pattern-inside: | require('child_process') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $EXEC.exec(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $EXEC.exec(..., <... $REQ.$QUERY ...>, ...) - pattern: | $EXEC.execSync(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $EXEC.execSync(..., <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $EXEC.exec(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $EXEC.exec(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $EXEC.execSync(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $EXEC.execSync(..., <... $INP ...>, ...) message: User controlled data in 'child_process.exec()' can result in Remote OS Command Execution. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-78 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.exec.exec_os_command.generic_os_command_exec shortlink: https://sg.run/gP2Z semgrep.dev: rule: r_id: 43641 rv_id: 833135 rule_id: 0oUZ0X version_id: PkTxrRg url: https://semgrep.dev/playground/r/PkTxrRg/ajinabraham.njsscan.exec.exec_os_command.generic_os_command_exec origin: community - id: ajinabraham.njsscan.exec.exec_shelljs.shelljs_os_command_exec patterns: - pattern-inside: | require('shelljs') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $EXEC.exec(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $EXEC.exec( <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $EXEC.exec(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $EXEC.exec(<... $INP ...>, ...) message: User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-78 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.exec.exec_shelljs.shelljs_os_command_exec shortlink: https://sg.run/QxXQ semgrep.dev: rule: r_id: 43642 rv_id: 833136 rule_id: KxURA0 version_id: JdTlrzJ url: https://semgrep.dev/playground/r/JdTlrzJ/ajinabraham.njsscan.exec.exec_shelljs.shelljs_os_command_exec origin: community - id: ajinabraham.njsscan.generic.error_disclosure.node_error_disclosure patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $ERR = $ERROR.stack; ... $RES.end($ERR) - pattern: | $ERR = $ERROR.stack; ... $RES.send($ERR) - pattern: | $RES.end($ERR.stack) - pattern: | $RES.send($ERR.stack) message: Error messages with stack traces can expose sensitive information about the application. languages: - javascript severity: ERROR metadata: owasp-web: a3 cwe: cwe-209 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.error_disclosure.node_error_disclosure shortlink: https://sg.run/36lp semgrep.dev: rule: r_id: 43643 rv_id: 833137 rule_id: qNUrAk version_id: 5PTyDo6 url: https://semgrep.dev/playground/r/5PTyDo6/ajinabraham.njsscan.generic.error_disclosure.node_error_disclosure origin: community - id: ajinabraham.njsscan.generic.error_disclosure.generic_error_disclosure patterns: - pattern-either: - pattern: | console.trace(...) - pattern: | try { ... } catch($ERR){ console.error(<... $ERR ...>, ...) } message: Error messages with stack traces may expose sensitive information about the application. languages: - javascript severity: WARNING metadata: owasp-web: a3 cwe: cwe-209 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.error_disclosure.generic_error_disclosure shortlink: https://sg.run/4oYz semgrep.dev: rule: r_id: 43644 rv_id: 833138 rule_id: lBUY3L version_id: GxTDEkw url: https://semgrep.dev/playground/r/GxTDEkw/ajinabraham.njsscan.generic.error_disclosure.generic_error_disclosure origin: community - id: ajinabraham.njsscan.generic.hardcoded_passport.hardcoded_passport_secret pattern-either: - pattern: | $F = require("passport-auth0").Strategy; ... new $F({clientSecret: "..."}, ...) - pattern: | $F = require("passport-auth0").Strategy; ... var $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... var $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-auth0").Strategy; ... var $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... var $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $P.clientSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-auth0").Strategy; ... $S = "..."; ... $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... new $F({clientSecret: "..."}, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... var $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... var $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... var $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... var $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $P.clientSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth2").Strategy; ... $S = "..."; ... $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... new $F({secretOrKey: "..."}, ...) - pattern: | $F = require("passport-jwt").Strategy; ... var $P = {secretOrKey: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... var $S = "..."; ... new $F({secretOrKey: $S}, ...) - pattern: | $F = require("passport-jwt").Strategy; ... var $S = "..."; ... $P.secretOrKey = $S; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... var $S = "..."; ... var $P = {secretOrKey: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $P.secretOrKey = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $P = {secretOrKey: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $S = "..."; ... new $F({secretOrKey: $S}, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $S = "..."; ... var $P = {secretOrKey: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $S = "..."; ... $P.secretOrKey = $S; ... new $F($P, ...) - pattern: | $F = require("passport-jwt").Strategy; ... $S = "..."; ... $P = {secretOrKey: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... new $F({consumerSecret: "..."}, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... var $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... var $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... var $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... var $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $P.consumerSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-google-oauth1").Strategy; ... $S = "..."; ... $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... new $F({clientSecret: "..."}, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... var $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... var $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... var $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... var $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $P.clientSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-oauth2").Strategy; ... $S = "..."; ... $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... new $F({clientSecret: "..."}, ...) - pattern: | $F = require("passport-facebook").Strategy; ... var $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... var $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-facebook").Strategy; ... var $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... var $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $P.clientSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $P = {clientSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $S = "..."; ... new $F({clientSecret: $S}, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $S = "..."; ... var $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $S = "..."; ... $P.clientSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-facebook").Strategy; ... $S = "..."; ... $P = {clientSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... new $F({consumerSecret: "..."}, ...) - pattern: | $F = require("passport-twitter").Strategy; ... var $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... var $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-twitter").Strategy; ... var $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... var $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $P.consumerSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-twitter").Strategy; ... $S = "..."; ... $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... new $F({consumerSecret: "..."}, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... var $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... var $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... var $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... var $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... $P.consumerSecret = "..."; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... $P = {consumerSecret: "..."}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... $S = "..."; ... new $F({consumerSecret: $S}, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... $S = "..."; ... var $P = {consumerSecret: $S}; ... new $F($P, ...) - pattern: | $F = require("passport-oauth1").Strategy; ... $S = "..."; ... $P.consumerSecret = $S; ... new $F($P, ...) - pattern: |- $F = require("passport-oauth1").Strategy; ... $S = "..."; ... $P = {consumerSecret: $S}; ... new $F($P, ...) message: Hardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable. metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.hardcoded_passport.hardcoded_passport_secret shortlink: https://sg.run/Px2W semgrep.dev: rule: r_id: 43645 rv_id: 833139 rule_id: YGUxgo version_id: RGTKG01 url: https://semgrep.dev/playground/r/RGTKG01/ajinabraham.njsscan.generic.hardcoded_passport.hardcoded_passport_secret origin: community languages: - javascript severity: ERROR - id: ajinabraham.njsscan.generic.hardcoded_secrets.node_password patterns: - pattern-not: $X = '' - pattern-not: $OBJ[$X] = '' - pattern-not: $OBJ.$X = '' - pattern-either: - pattern: | $X = '...' - metavariable-regex: metavariable: $X regex: (?i:.*pass.*) message: A hardcoded password in plain text is identified. Store it properly in an environment variable. languages: - javascript severity: ERROR metadata: owasp-web: a3 cwe: cwe-798 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.hardcoded_secrets.node_password shortlink: https://sg.run/JolW semgrep.dev: rule: r_id: 43646 rv_id: 833140 rule_id: 6JUk4K version_id: A8T37qj url: https://semgrep.dev/playground/r/A8T37qj/ajinabraham.njsscan.generic.hardcoded_secrets.node_password origin: community - id: ajinabraham.njsscan.generic.hardcoded_secrets.node_username patterns: - pattern-not: $X = '' - pattern-not: $OBJ[$X] = '' - pattern-not: $OBJ.$X = '' - pattern-either: - pattern: | $X = '...' - metavariable-regex: metavariable: $X regex: (?i:.*user.*) message: A hardcoded username in plain text is identified. Store it properly in an environment variable. languages: - javascript severity: WARNING metadata: owasp-web: a3 cwe: cwe-798 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.hardcoded_secrets.node_username shortlink: https://sg.run/5z6X semgrep.dev: rule: r_id: 43647 rv_id: 833141 rule_id: oqUPGY version_id: BjTe0bX url: https://semgrep.dev/playground/r/BjTe0bX/ajinabraham.njsscan.generic.hardcoded_secrets.node_username origin: community - id: ajinabraham.njsscan.generic.hardcoded_secrets.node_api_key patterns: - pattern-not: $X = '' - pattern-not: $OBJ[$X] = '' - pattern-not: $OBJ.$X = '' - pattern-not: $OBJ($X, '') - pattern-either: - pattern: | $X = '...' - pattern: | $Y($X, '...') - metavariable-regex: metavariable: $X regex: (?i).*(api_key|apikey) message: A hardcoded API Key is identified. Store it properly in an environment variable. languages: - javascript severity: ERROR metadata: owasp-web: a3 cwe: cwe-798 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.hardcoded_secrets.node_api_key shortlink: https://sg.run/G3B2 semgrep.dev: rule: r_id: 43648 rv_id: 833142 rule_id: zdU9gq version_id: DkTG0kq url: https://semgrep.dev/playground/r/DkTG0kq/ajinabraham.njsscan.generic.hardcoded_secrets.node_api_key origin: community - id: ajinabraham.njsscan.generic.hardcoded_secrets.node_secret patterns: - pattern-not: $X = '' - pattern-not: $OBJ[$X] = '' - pattern-not: $OBJ.$X = '' - pattern-not: $OBJ($X, '') - pattern-either: - pattern: | $X = '...' - pattern: | $Y($X, '...') - metavariable-regex: metavariable: $X regex: (?i:.*secret) message: A hardcoded secret is identified. Store it properly in an environment variable. languages: - javascript severity: ERROR metadata: owasp-web: a3 cwe: cwe-798 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.hardcoded_secrets.node_secret shortlink: https://sg.run/Rxpe semgrep.dev: rule: r_id: 43649 rv_id: 833143 rule_id: pKUJg1 version_id: WrTdp8l url: https://semgrep.dev/playground/r/WrTdp8l/ajinabraham.njsscan.generic.hardcoded_secrets.node_secret origin: community - id: ajinabraham.njsscan.generic.logic_bypass.node_logic_bypass patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $REQ.$FOO.$BAR !== $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO.$BAR === $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO.$BAR >= $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO.$BAR <= $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO.$BAR < $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO.$BAR > $REQ.$ZOO.$ZAR - pattern: | $REQ.$FOO['...'] !== $REQ.$ZOO['...'] - pattern: | $REQ.$FOO['...'] === $REQ.$ZOO['...'] - pattern: | $REQ.$FOO['...'] >= $REQ.$ZOO['...'] - pattern: | $REQ.$FOO['...'] <= $REQ.$ZOO['...'] - pattern: | $REQ.$FOO['...'] < $REQ.$ZOO['...'] - pattern: | $REQ.$FOO['...'] > $REQ.$ZOO['...'] - pattern: | $REQ.$FOO('...') !== $REQ.$ZOO('...') - pattern: | $REQ.$FOO('...') === $REQ.$ZOO('...') - pattern: | $REQ.$FOO('...') >= $REQ.$ZOO('...') - pattern: | $REQ.$FOO('...') <= $REQ.$ZOO('...') - pattern: | $REQ.$FOO('...') < $REQ.$ZOO('...') - pattern: | $REQ.$FOO('...') > $REQ.$ZOO('...') message: User controlled data is used for application business logic decision making. This expose protected data or functionality. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-807 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.generic.logic_bypass.node_logic_bypass shortlink: https://sg.run/AB38 semgrep.dev: rule: r_id: 43650 rv_id: 833144 rule_id: 2ZUXNG version_id: 0bTwbo5 url: https://semgrep.dev/playground/r/0bTwbo5/ajinabraham.njsscan.generic.logic_bypass.node_logic_bypass origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_crossdomain message: 'X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {permittedCrossDomainPolicies: false}, ...) - pattern-either: - pattern: | permittedCrossDomainPolicies() - pattern: | permittedCrossDomainPolicies({ permittedPolicies: ... }) - pattern: | helmet.permittedCrossDomainPolicies({ permittedPolicies: ... }) - pattern: | helmet({permittedCrossDomainPolicies: { permittedPolicies: ... }}) - pattern: | helmet.permittedCrossDomainPolicies() metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_crossdomain shortlink: https://sg.run/Wx9g semgrep.dev: rule: r_id: 43653 rv_id: 833147 rule_id: 10UnWZ version_id: l4TyOZ8 url: https://semgrep.dev/playground/r/l4TyOZ8/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_check_crossdomain origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_feature_policy message: 'Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {featurePolicy: false}, ...) - pattern-either: - pattern: | featurePolicy(..., {features: ...}, ...) - pattern: | helmet.featurePolicy(..., {features: ...}, ...) - pattern: | helmet({featurePolicy: {features: ...}}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_feature_policy shortlink: https://sg.run/KzKX semgrep.dev: rule: r_id: 43655 rv_id: 833149 rule_id: yyUzbP version_id: JdTlrkl url: https://semgrep.dev/playground/r/JdTlrkl/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_feature_policy origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_frame_guard message: 'X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {frameguard: false}, ...) - pattern-either: - pattern: | $APP.use(hemlet()) - pattern: | helmet.frameguard(...) - pattern: | frameguard(...) - pattern: | helmet({frameguard: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_frame_guard shortlink: https://sg.run/q3by semgrep.dev: rule: r_id: 43656 rv_id: 833150 rule_id: r6UXg2 version_id: 5PTyDqN url: https://semgrep.dev/playground/r/5PTyDqN/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_frame_guard origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_dns_prefetch message: 'X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {dnsPrefetchControl: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | helmet.dnsPrefetchControl() - pattern: | dnsPrefetchControl() - pattern: | helmet.dnsPrefetchControl({ allow: false }) - pattern: | helmet({dnsPrefetchControl: {allow: false}}) - pattern: | dnsPrefetchControl({ allow: false }) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_dns_prefetch shortlink: https://sg.run/lAX9 semgrep.dev: rule: r_id: 43657 rv_id: 833151 rule_id: bwUJWB version_id: GxTDEqP url: https://semgrep.dev/playground/r/GxTDEqP/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_dns_prefetch origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_x_powered_by message: 'Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {hidePoweredBy: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | app.disable('x-powered-by') - pattern: | helmet.hidePoweredBy(...) - pattern: | hidePoweredBy(...) - pattern: | helmet({hidePoweredBy: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_x_powered_by shortlink: https://sg.run/YeP4 semgrep.dev: rule: r_id: 43658 rv_id: 833152 rule_id: NbUEWe version_id: RGTKGpk url: https://semgrep.dev/playground/r/RGTKGpk/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_x_powered_by origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_hsts message: 'HSTS header is present. More information: https://helmetjs.github.io/docs/hsts/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {hsts: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | helmet.hsts(...) - pattern: | hsts({ maxAge: ...}) - pattern: | helmet({hsts: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_hsts shortlink: https://sg.run/6peB semgrep.dev: rule: r_id: 43659 rv_id: 833153 rule_id: kxU9vY version_id: A8T37qX url: https://semgrep.dev/playground/r/A8T37qX/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_hsts origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_ienoopen message: 'X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {ieNoOpen: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | helmet.ieNoOpen() - pattern: | ieNoOpen() - pattern: "helmet({ieNoOpen: ...}) \n" metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_ienoopen shortlink: https://sg.run/oW9R semgrep.dev: rule: r_id: 43660 rv_id: 833154 rule_id: wdUvgn version_id: BjTe0bk url: https://semgrep.dev/playground/r/BjTe0bk/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_ienoopen origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_nosniff message: 'Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {noSniff: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | helmet.noSniff() - pattern: | noSniff() - pattern: | helmet({noSniff: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_nosniff shortlink: https://sg.run/zXbW semgrep.dev: rule: r_id: 43661 rv_id: 833155 rule_id: x8U1bp version_id: DkTG0kk url: https://semgrep.dev/playground/r/DkTG0kk/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_nosniff origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_referrer_policy message: 'Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {referrerPolicy: false}, ...) - pattern-either: - pattern: | helmet.referrerPolicy(...) - pattern: | referrerPolicy(...) - pattern: | helmet({referrerPolicy: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_referrer_policy shortlink: https://sg.run/p0bL semgrep.dev: rule: r_id: 43662 rv_id: 833156 rule_id: OrUrLp version_id: WrTdp87 url: https://semgrep.dev/playground/r/WrTdp87/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_referrer_policy origin: community - id: ajinabraham.njsscan.good.good_helmet_checks.helmet_header_xss_filter message: 'X-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/' languages: - javascript severity: INFO patterns: - pattern-not: | $HELMET(..., {xssFilter: false}, ...) - pattern-either: - pattern: | $APP.use(helmet()) - pattern: | helmet.xssFilter(...) - pattern: | xssFilter(...) - pattern: | helmet({xssFilter: ...}) metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_xss_filter shortlink: https://sg.run/23QD semgrep.dev: rule: r_id: 43663 rv_id: 833157 rule_id: eqUwPe version_id: 0bTwbog url: https://semgrep.dev/playground/r/0bTwbog/ajinabraham.njsscan.good.good_helmet_checks.helmet_header_xss_filter origin: community - id: ajinabraham.njsscan.good.good_ratelimiting.rate_limit_control patterns: - pattern-either: - pattern: require("express-rate-limit") - pattern: require("express-limiter") - pattern: require("@authentication/rate-limit") message: This application has API rate limiting controls. languages: - javascript severity: INFO metadata: license: LGPL-3.0-or-later source: https://semgrep.dev/r/ajinabraham.njsscan.good.good_ratelimiting.rate_limit_control shortlink: https://sg.run/Xx4b semgrep.dev: rule: r_id: 43664 rv_id: 833158 rule_id: v8UJbL version_id: K3Trqo3 url: https://semgrep.dev/playground/r/K3Trqo3/ajinabraham.njsscan.good.good_ratelimiting.rate_limit_control origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_default patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {name:...} ...>,...) - pattern-not-inside: | $OPTS = <... {name:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.name = ...; ... $SESSION($OPTS,...) message: Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly. severity: INFO languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_default shortlink: https://sg.run/jGpJ semgrep.dev: rule: r_id: 43665 rv_id: 833159 rule_id: d8UEN7 version_id: qkTQnOe url: https://semgrep.dev/playground/r/qkTQnOe/ajinabraham.njsscan.headers.header_cookie.cookie_session_default origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_secure patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{secure:true}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{secure:true}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {secure:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {secure:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.secure = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.secure = true; ... $SESSION($OPTS,...) message: 'Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.' severity: WARNING languages: - javascript metadata: cwe: cwe-614 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_secure shortlink: https://sg.run/1lNv semgrep.dev: rule: r_id: 43666 rv_id: 833160 rule_id: ZqUJRW version_id: l4TyOZN url: https://semgrep.dev/playground/r/l4TyOZN/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_secure origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_samesite patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:true}} ...>,...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'lax'}} ...>,...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'strict'}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{sameSite:true}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {sameSite:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {sameSite:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.sameSite = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.sameSite = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = <... {cookie:{sameSite:'strict'}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {sameSite:'strict'} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {sameSite:'strict'} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.sameSite = 'strict'; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.sameSite = 'strict'; ... $SESSION($OPTS,...) message: 'Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.' severity: WARNING languages: - javascript metadata: cwe: cwe-1275 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_samesite shortlink: https://sg.run/9jg8 semgrep.dev: rule: r_id: 43667 rv_id: 833161 rule_id: nJUlD0 version_id: YDTl0Ez url: https://semgrep.dev/playground/r/YDTl0Ez/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_samesite origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_httponly patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern-either: - pattern-inside: $SESSION(<... {cookie:{httpOnly:false}} ...>,...) - pattern-inside: | $OPTS = <... {cookie:{httpOnly:false}} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $COOKIE = <... {httpOnly:false} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $OPTS.cookie = <... {httpOnly:false} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $COOKIE.httpOnly = false; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $OPTS.cookie.httpOnly = false; ... $SESSION($OPTS,...) message: 'Session middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.' severity: WARNING languages: - javascript metadata: cwe: cwe-1004 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_httponly shortlink: https://sg.run/y2ZR semgrep.dev: rule: r_id: 43668 rv_id: 833162 rule_id: EwUb5Y version_id: 6xTDg8k url: https://semgrep.dev/playground/r/6xTDg8k/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_httponly origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_domain patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{domain:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {domain:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {domain:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.domain = ...; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.domain = ...; ... $SESSION($OPTS,...) message: 'Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.' severity: INFO languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_domain shortlink: https://sg.run/rqbR semgrep.dev: rule: r_id: 43669 rv_id: 833163 rule_id: 7KUw65 version_id: o5TBEdG url: https://semgrep.dev/playground/r/o5TBEdG/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_domain origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_path patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{path:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {path:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {path:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.path = ...; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.path = ...; ... $SESSION($OPTS,...) message: 'Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.' severity: INFO languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_path shortlink: https://sg.run/bE0E semgrep.dev: rule: r_id: 43670 rv_id: 833164 rule_id: L1UJdJ version_id: zyTWJLg url: https://semgrep.dev/playground/r/zyTWJLg/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_path origin: community - id: ajinabraham.njsscan.headers.header_cookie.cookie_session_no_maxage patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{maxAge:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{maxAge:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {maxAge:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {maxAge:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.maxAge = ...; ... $SESSION($OPTS,...) - pattern-not-inside: |- $OPTS = ...; ... $OPTS.cookie.maxAge = ...; ... $SESSION($OPTS,...) message: 'Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.' severity: INFO languages: - javascript metadata: cwe: cwe-613 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_maxage shortlink: https://sg.run/NXYz semgrep.dev: rule: r_id: 43671 rv_id: 833165 rule_id: 8GU0oP version_id: pZTXjnv url: https://semgrep.dev/playground/r/pZTXjnv/ajinabraham.njsscan.headers.header_cookie.cookie_session_no_maxage origin: community - id: ajinabraham.njsscan.headers.header_cors_star.generic_cors patterns: - pattern: | $APP.options('*', cors(...)) message: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-346 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cors_star.generic_cors shortlink: https://sg.run/kR22 semgrep.dev: rule: r_id: 43672 rv_id: 833166 rule_id: gxUp88 version_id: 2KT7xpo url: https://semgrep.dev/playground/r/2KT7xpo/ajinabraham.njsscan.headers.header_cors_star.generic_cors origin: community - id: ajinabraham.njsscan.headers.header_cors_star.express_cors patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $APP.options('*', cors(...)) - pattern: | $RES.set("=~/access-control-allow-origin/i", '*', ...) - pattern: | $RES.set(..., { "=~/access-control-allow-origin/i" : '*' }, ...) - pattern: | $RES.header("=~/access-control-allow-origin/i", '*', ...) - pattern: | $RES.writeHead(..., {"=~/access-control-allow-origin/i": '*' }, ...) message: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-346 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_cors_star.express_cors shortlink: https://sg.run/wzbP semgrep.dev: rule: r_id: 43673 rv_id: 833167 rule_id: QrUL3l version_id: X0T5N4j url: https://semgrep.dev/playground/r/X0T5N4j/ajinabraham.njsscan.headers.header_cors_star.express_cors origin: community - id: ajinabraham.njsscan.redirect.open_redirect.express_open_redirect patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $X.redirect(..., <... $REQ.$QUERY ...>, ...) - pattern: | $X.redirect(..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $X.redirect(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$FOO ...>; ... $X.redirect(..., <... $INP ...>, ...) message: Untrusted user input in redirect() can result in Open Redirect vulnerability. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-601 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.redirect.open_redirect.express_open_redirect shortlink: https://sg.run/QxzQ semgrep.dev: rule: r_id: 43686 rv_id: 923782 rule_id: KxUR90 version_id: 7ZTbyvD url: https://semgrep.dev/playground/r/7ZTbyvD/ajinabraham.njsscan.redirect.open_redirect.express_open_redirect origin: community - id: ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr_warning patterns: - pattern-not-inside: | require('hbs') ... - pattern-inside: | require('express') ... - pattern-either: - pattern: | $INP = <... $REQ.$QUERY ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY.$FOO ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: $RES.render($VIEW, <... $REQ.$QUERY.$FOO ...>) - pattern: $RES.render($VIEW, <... $REQ.$BODY ...>) message: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used. languages: - javascript severity: WARNING metadata: owasp-web: a5 cwe: cwe-23 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr_warning shortlink: https://sg.run/KzEX semgrep.dev: rule: r_id: 43699 rv_id: 833193 rule_id: yyUz9P version_id: JdTlrnl url: https://semgrep.dev/playground/r/JdTlrnl/ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr_warning origin: community - id: ajinabraham.njsscan.headers.header_helmet_disabled.helmet_feature_disabled patterns: - pattern-either: - pattern: | $HELMET(..., {frameguard: false}, ...) - pattern: | $HELMET(..., {contentSecurityPolicy: false}, ...) - pattern: | $HELMET(..., {permittedCrossDomainPolicies: false}, ...) - pattern: | $HELMET(..., {dnsPrefetchControl: false}, ...) - pattern: | $HELMET(..., {expectCt: false}, ...) - pattern: | $HELMET(..., {featurePolicy: false}, ...) - pattern: | $HELMET(..., {hsts: false}, ...) - pattern: | $HELMET(..., {ieNoOpen: false}, ...) - pattern: | $HELMET(..., {noSniff: false}, ...) - pattern: | $HELMET(..., {hidePoweredBy: false}, ...) - pattern: | $HELMET(..., {referrerPolicy: false}, ...) - pattern: | $HELMET(..., {xssFilter: false}, ...) message: One or more Security Response header is explicitly disabled in Helmet. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-693 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_helmet_disabled.helmet_feature_disabled shortlink: https://sg.run/xpNg semgrep.dev: rule: r_id: 43674 rv_id: 833168 rule_id: 3qUgKz version_id: jQTrXB8 url: https://semgrep.dev/playground/r/jQTrXB8/ajinabraham.njsscan.headers.header_helmet_disabled.helmet_feature_disabled origin: community - id: ajinabraham.njsscan.headers.header_xss_protection.header_xss_lusca patterns: - pattern-inside: | $X = require('lusca') ... - pattern-not: | $X.use(helmet()) - pattern-either: - pattern: | $X.xssProtection(false) - pattern: | $X({ xssProtection: false}) message: X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-693 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_xss_protection.header_xss_lusca shortlink: https://sg.run/egly semgrep.dev: rule: r_id: 43676 rv_id: 833170 rule_id: PeUKw9 version_id: 9lTJ0lr url: https://semgrep.dev/playground/r/9lTJ0lr/ajinabraham.njsscan.headers.header_xss_protection.header_xss_lusca origin: community - id: ajinabraham.njsscan.headers.header_xss_protection.header_xss_generic patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $RES.header("=~/x-xss-protection/i", 0, ...) - pattern: | $RES.set("=~/x-xss-protection/i", 0, ...) - pattern: | $RES.set(..., { "=~/x-xss-protection/i" : 0 }, ...) - pattern: | $RES.writeHead(..., {"=~/x-xss-protection/i": 0 }, ...) message: X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-693 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_xss_protection.header_xss_generic shortlink: https://sg.run/vowb semgrep.dev: rule: r_id: 43677 rv_id: 833171 rule_id: JDU4wb version_id: yeTN1Oo url: https://semgrep.dev/playground/r/yeTN1Oo/ajinabraham.njsscan.headers.header_xss_protection.header_xss_generic origin: community - id: ajinabraham.njsscan.headers.host_header_injection.host_header_injection patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ.host ...>; - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ["host"] ...>; - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ("host") ...>; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ.host ...>}; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ["host"] ...>}; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ("host") ...>}; - pattern: | $Z = $REQ.host; ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ["host"]; ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ("host") ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ.host; ... $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ.host ...>}; - pattern: | $Z = $REQ["host"]; ... $X = { $Y: <... "=~/.*http[s]*:///i" + $Z ...>}; - pattern: | $Z = $REQ("host") ... $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ("host") ...>}; message: Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-20 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.host_header_injection.host_header_injection shortlink: https://sg.run/dnqd semgrep.dev: rule: r_id: 43678 rv_id: 833172 rule_id: 5rUxlW version_id: rxTDz1Q url: https://semgrep.dev/playground/r/rxTDz1Q/ajinabraham.njsscan.headers.host_header_injection.host_header_injection origin: community - id: ajinabraham.njsscan.jwt.jwt_exposed_credentials.jwt_exposed_credentials patterns: - pattern-either: - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $T = JWT.sign({password:...},...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = {password:...}; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = {password:...}; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = {password:...}; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = {password:...}; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P.password = ...; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P.password = ...; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = Object.assign(...,{password:...},...) ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = Object.assign(...,{password:...},...) ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = Object.assign(...,{password:...},...) ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = Object.assign(...,{password:...},...) ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $T = JWT.sign(Object.assign(...,{password:...},...),...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $T = JWT.sign(Object.assign(...,{password:...},...),...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $T = JWT.sign({$U:{password:...}},...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $T = JWT.sign({$U:{password:...}},...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = {$U:{password:...}}; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = {$U:{password:...}}; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = {$U:{password:...}}; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = {$U:{password:...}}; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P.$U.password = ...; ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P.$U.password = ...; ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = Object.assign(...,{$U:{password:...}},...) ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $P = Object.assign(...,{$U:{password:...}},...) ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = Object.assign(...,{$U:{password:...}},...) ... var $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $P = Object.assign(...,{$U:{password:...}},...) ... $T = JWT.sign($P,...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... var $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...) - pattern: | $JOSE = require("jose") ... var { JWT } = $JOSE; ... $T = JWT.sign(Object.assign(...,{$U:{password:...}},...),...) severity: ERROR languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_exposed_credentials.jwt_exposed_credentials shortlink: https://sg.run/ZZJo semgrep.dev: rule: r_id: 43679 rv_id: 833173 rule_id: GdUgO1 version_id: bZTBeZj url: https://semgrep.dev/playground/r/bZTBeZj/ajinabraham.njsscan.jwt.jwt_exposed_credentials.jwt_exposed_credentials origin: community message: Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens. - id: ajinabraham.njsscan.jwt.jwt_hardcoded.hardcoded_jwt_secret patterns: - pattern-either: - pattern: | $JWT = require("jsonwebtoken") ... $JWT.sign($P, "...", ...) - pattern: | $JWT = require("jsonwebtoken") ... $JWT.verify($P, "...", ...) - pattern: | $JWT = require("jsonwebtoken") ... $SECRET = "..."; ... $JWT.sign($P, $SECRET, ...) - pattern: | $JWT = require("jsonwebtoken") ... $SECRET = "..."; ... $JWT.verify($P, $SECRET, ...) - pattern: | $JOSE = require("jose") ... $JOSE.JWT.sign($P, "...", ...) - pattern: | $JOSE = require("jose") ... $JOSE.JWT.verify($P, "...", ...) - pattern: | $JOSE = require("jose") ... $JOSE.JWT.sign($P, $JOSE.JWK.asKey("..."), ...) - pattern: | $JOSE = require("jose") ... $JOSE.JWT.verify($P, $JOSE.JWK.asKey("..."), ...) - pattern: | $JOSE = require("jose") ... $SECRET = "..."; ... $JOSE.JWT.sign($P, $SECRET, ...) - pattern: | $JOSE = require("jose") ... $SECRET = "..."; ... $JOSE.JWT.verify($P, $SECRET, ...) - pattern: | $JOSE = require("jose") ... $SECRET = "..."; ... $JOSE.JWT.sign($P, $JOSE.JWK.asKey($SECRET), ...) - pattern: | $JOSE = require("jose") ... $SECRET = "..."; ... $JOSE.JWT.verify($P, $JOSE.JWK.asKey($SECRET), ...) message: Hardcoded JWT secret was found. Store it properly in an environment variable. languages: - javascript severity: ERROR metadata: owasp-web: a3 cwe: cwe-798 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_hardcoded.hardcoded_jwt_secret shortlink: https://sg.run/72NW semgrep.dev: rule: r_id: 43682 rv_id: 833176 rule_id: BYUoj0 version_id: w8TAxpo url: https://semgrep.dev/playground/r/w8TAxpo/ajinabraham.njsscan.jwt.jwt_hardcoded.hardcoded_jwt_secret origin: community - id: ajinabraham.njsscan.jwt.jwt_none_algorithm.node_jwt_none_algorithm patterns: - pattern-either: - pattern: | $JWT = require("jsonwebtoken") ... $T = $JWT.verify($P, $X, {algorithms:[...,'none',...]},...) - pattern: | $JWT = require("jsonwebtoken") ... $JWT.verify($P, $X, {algorithms:[...,'none',...]},...) - pattern: | $JOSE = require("jose") ... var { JWK, JWT } = $JOSE; ... $T = JWT.verify($P, JWK.None,...) - pattern: | $JOSE = require("jose") ... var { JWK, JWT } = $JOSE; ... JWT.verify($P, JWK.None,...) message: Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature. languages: - javascript severity: ERROR metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_none_algorithm.node_jwt_none_algorithm shortlink: https://sg.run/Lpqo semgrep.dev: rule: r_id: 43683 rv_id: 833177 rule_id: DbULoy version_id: xyTNe85 url: https://semgrep.dev/playground/r/xyTNe85/ajinabraham.njsscan.jwt.jwt_none_algorithm.node_jwt_none_algorithm origin: community - id: ajinabraham.njsscan.jwt.jwt_not_revoked.jwt_not_revoked patterns: - pattern-inside: | $JWT = require('express-jwt') ... - pattern: $JWT(...) - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...) - pattern-not-inside: |- $OPTS = <... {isRevoked:...} ...>; ... $JWT($OPTS,...) message: No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option. severity: WARNING languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_not_revoked.jwt_not_revoked shortlink: https://sg.run/8XNE semgrep.dev: rule: r_id: 43684 rv_id: 833178 rule_id: WAUg5K version_id: O9TJW8Y url: https://semgrep.dev/playground/r/O9TJW8Y/ajinabraham.njsscan.jwt.jwt_not_revoked.jwt_not_revoked origin: community - id: ajinabraham.njsscan.memory.buffer_noassert.buffer_noassert pattern-either: - pattern: $OBJ.readUInt8(..., true) - pattern: $OBJ.readUInt16LE(..., true) - pattern: $OBJ.readUInt16BE(..., true) - pattern: $OBJ.readUInt32LE(..., true) - pattern: $OBJ.readUInt32BE(..., true) - pattern: $OBJ.readInt8(..., true) - pattern: $OBJ.readInt16LE(..., true) - pattern: $OBJ.readInt16BE(..., true) - pattern: $OBJ.readInt32LE(..., true) - pattern: $OBJ.readInt32BE(..., true) - pattern: $OBJ.readFloatLE(..., true) - pattern: $OBJ.readFloatBE(..., true) - pattern: $OBJ.readDoubleLE(..., true) - pattern: $OBJ.readDoubleBE(..., true) - pattern: $OBJ.writeUInt8(..., true) - pattern: $OBJ.writeUInt16LE(..., true) - pattern: $OBJ.writeUInt16BE(..., true) - pattern: $OBJ.writeUInt32LE(..., true) - pattern: $OBJ.writeUInt32BE(..., true) - pattern: $OBJ.writeInt8(..., true) - pattern: $OBJ.writeInt16LE(..., true) - pattern: $OBJ.writeInt16BE(..., true) - pattern: $OBJ.writeInt32LE(..., true) - pattern: $OBJ.writeInt32BE(..., true) - pattern: $OBJ.writeFloatLE(..., true) - pattern: $OBJ.writeFloatBE(..., true) - pattern: $OBJ.writeDoubleLE(..., true) - pattern: $OBJ.writeDoubleBE(..., true) severity: WARNING languages: - javascript metadata: owasp-web: a6 cwe: cwe-119 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.memory.buffer_noassert.buffer_noassert shortlink: https://sg.run/gP6Z semgrep.dev: rule: r_id: 43685 rv_id: 833179 rule_id: 0oUZkX version_id: e1TDkeW url: https://semgrep.dev/playground/r/e1TDkeW/ajinabraham.njsscan.memory.buffer_noassert.buffer_noassert origin: community message: Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer. - id: ajinabraham.njsscan.headers.header_injection.generic_header_injection patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = $REQ.$QUERY; ... $RES.set(..., <... $INP ...>, ...) - pattern: | $INP = $REQ.$QUERY.$VAR; ... $RES.set(..., <... $INP ...>, ...) - pattern: | $INP = $REQ.$VAR; ... $RES.set(..., { $X: <... $INP ...>}, ...) - pattern: | $INP = $REQ.$QUERY.$FOO; ... $RES.set(..., { $X: <... $INP ...>}, ...) - pattern: | $INP = $REQ.$VAR; ... $RES.writeHead(..., { $X: <... $INP ...> }, ...) - pattern: | $INP = $REQ.$QUERY.$FOO; ... $RES.writeHead(..., { $X: <... $INP ...> }, ...) - pattern: | $RES.set(..., <... $REQ.$QUERY ...>, ...) - pattern: | $RES.set(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $RES.set(..., { $X: <... $REQ.$VAR ...>}, ...) - pattern: | $RES.set(..., { $X: <... $REQ.$QUERY.$FOO ...>}, ...) - pattern: | $RES.writeHead(..., { $X: <... $REQ.$VAR ...> }, ...) - pattern: | $RES.writeHead(..., { $X: <... $REQ.$QUERY.$FOO ...> }, ...) message: If user input is not properly sanitized, an attacker can insert malicious data into response headers. This can lead to HTTP response splitting, where an attacker injects additional headers or even full HTTP responses, potentially altering how clients or intermediaries (e.g., proxies) handle the request. This can lead to vulnerabilities like Cross-Site Scripting (XSS) and cache poisoning. Always sanitize and validate user inputs to ensure they do not contain characters or data that could alter the header structure (e.g., newline characters, control characters). Another good option is to leverage well-established libraries or frameworks that handle headers securely. Many frameworks offer built-in methods for setting headers that ensure they are correctly formatted and safe. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-644 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.headers.header_injection.generic_header_injection shortlink: https://sg.run/Oj6n semgrep.dev: rule: r_id: 43675 rv_id: 930058 rule_id: 4bUJNL version_id: DkT2OXl url: https://semgrep.dev/playground/r/DkT2OXl/ajinabraham.njsscan.headers.header_injection.generic_header_injection origin: community - id: ajinabraham.njsscan.ssrf.ssrf_node.node_ssrf patterns: - pattern-either: - pattern-inside: | require('request') ... - pattern-inside: | require('axios') ... - pattern-inside: | require('needle') ... - pattern-inside: | require('bent') ... - pattern-inside: | require('urllib') ... - pattern-inside: | require('net') ... - pattern-inside: | require('https') ... - pattern-inside: | require('superagent') ... - pattern-inside: | require('got') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $PKG.get(<... $REQ.$VAR ...>, ...) - pattern: | $PKG.get(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | $PKG.post(<... $REQ.$VAR ...>, ...) - pattern: | $PKG.post(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | $PKG.put(<... $REQ.$VAR ...>, ...) - pattern: | $PKG.put(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | needle("=~/^[get|post|put]+$/i", <... $REQ.$VAR.$FOO ...>, ...) - pattern: | needle("=~/^[get|post|put]+$/i", <... $REQ.$VAR ...>, ...) - pattern: | request(<... $REQ.$VAR ...>, ...) - pattern: | request(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | $PKG.request(<... $REQ.$VAR ...>, ...) - pattern: | $PKG.request(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | getJSON(<... $REQ.$VAR ...>, ...) - pattern: | getJSON(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | getBuffer(<... $REQ.$VAR ...>, ...) - pattern: | getBuffer(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | fetch(<... $REQ.$VAR ...>, ...) - pattern: | fetch(<... $REQ.$VAR.$FOO ...>, ...) - pattern: | $SOCKET.connect($PORT, <... $REQ.$VAR ...>, ...) - pattern: | $SOCKET.connect($PORT, <... $REQ.$VAR.$FOO ...>, ...) - pattern: | $PKG.get(..., {host: <... $REQ.$VAR ...>}, ...) - pattern: | $PKG.get(..., {host: <... $REQ.$VAR.$FOO ...>}, ...) - pattern: | $PKG.get(..., {hostname: <... $REQ.$VAR ...>}, ...) - pattern: | $PKG.get(..., {hostname: <... $REQ.$VAR.$FOO ...>}, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.get(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.get(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.post(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.post(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.put(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.put(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... needle("=~/^[get|post|put]+$/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... needle("=~/^[get|post|put]+$/i", <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... request(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... request(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.request(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.request(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... getJSON(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... getJSON(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... getBuffer(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... getBuffer(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... fetch(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... fetch(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $SOCKET.connect($PORT, <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $SOCKET.connect($PORT, <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.get(..., {host: <... $INP ...>}, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.get(..., {host: <... $INP ...>}, ...) - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.get(..., {hostname: <... $INP ...>}, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.get(..., {hostname: <... $INP ...>}, ...) message: User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF). languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_node.node_ssrf shortlink: https://sg.run/4oZz semgrep.dev: rule: r_id: 43688 rv_id: 833182 rule_id: lBUYqL version_id: ZRTlP2E url: https://semgrep.dev/playground/r/ZRTlP2E/ajinabraham.njsscan.ssrf.ssrf_node.node_ssrf origin: community - id: ajinabraham.njsscan.ssrf.ssrf_phantomjs.phantom_ssrf patterns: - pattern-inside: | require('phantom') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.open(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.open(<... $REQ.$BODY ...>,...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>,...) - pattern: $PAGE.openUrl(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.openUrl(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateJavaScript(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateJavaScript(<... $REQ.$BODY ...>,...) - pattern: $PAGE.property("content",<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.property("content",<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.open(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.open(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.openUrl(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.openUrl(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateJavaScript(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateJavaScript(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.property("content",<... $INPUT ...>,...) - pattern: |- $INPUT = <... $REQ.$BODY ...>; ... $PAGE.property("content",<... $INPUT ...>,...) message: | If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities. metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_phantomjs.phantom_ssrf shortlink: https://sg.run/PxoW semgrep.dev: rule: r_id: 43689 rv_id: 833183 rule_id: YGUxGo version_id: nWTy49q url: https://semgrep.dev/playground/r/nWTy49q/ajinabraham.njsscan.ssrf.ssrf_phantomjs.phantom_ssrf origin: community severity: ERROR languages: - javascript - id: ajinabraham.njsscan.ssrf.ssrf_playwright.playwright_ssrf patterns: - pattern-inside: | require('playwright') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.goto(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.goto(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluate(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluate(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluate($CODE,..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluate($CODE,..., <... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateHandle(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluateHandle(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateHandle($CODE,..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluateHandle($CODE,..., <... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY.$FOO ...>, ...) - pattern: $CONTEXT.addInitScript(<... $REQ.$BODY ...>,...) - pattern: $CONTEXT.addInitScript(<... $REQ.$BODY.$FOO ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $CONTEXT.addInitScript($INPUT,...) message: If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_playwright.playwright_ssrf shortlink: https://sg.run/Jo0W semgrep.dev: rule: r_id: 43690 rv_id: 833184 rule_id: 6JUk7K version_id: ExTrDe8 url: https://semgrep.dev/playground/r/ExTrDe8/ajinabraham.njsscan.ssrf.ssrf_playwright.playwright_ssrf origin: community severity: ERROR languages: - javascript - id: ajinabraham.njsscan.ssrf.ssrf_puppeteer.puppeteer_ssrf patterns: - pattern-inside: | require('puppeteer') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.goto(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.goto(<... $REQ.$BODY ...>,...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluate(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluate(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateHandle(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateHandle(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluate($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluate($CODE,<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateHandle($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateHandle($CODE,<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateOnNewDocument($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateOnNewDocument($CODE,<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument($CODE,<... $INPUT ...>,...) message: If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_puppeteer.puppeteer_ssrf shortlink: https://sg.run/5zNX semgrep.dev: rule: r_id: 43691 rv_id: 833185 rule_id: oqUPQY version_id: 7ZTx9Kg url: https://semgrep.dev/playground/r/7ZTx9Kg/ajinabraham.njsscan.ssrf.ssrf_puppeteer.puppeteer_ssrf origin: community severity: ERROR languages: - javascript - id: ajinabraham.njsscan.ssrf.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf patterns: - pattern-inside: | require('wkhtmltoimage') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = <... $REQ.$VAR ...>; ... $PKG.generate(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... $PKG.generate(<... $INP ...>, ...) - pattern: | $PKG.generate(<... $REQ.$VAR ...>, ...) - pattern: | $PKG.generate(<... $REQ.$VAR.$FOO ...>, ...) message: User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF). languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf shortlink: https://sg.run/G3E2 semgrep.dev: rule: r_id: 43692 rv_id: 833186 rule_id: zdU9vq version_id: LjTEbR7 url: https://semgrep.dev/playground/r/LjTEbR7/ajinabraham.njsscan.ssrf.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf origin: community - id: ajinabraham.njsscan.ssrf.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf patterns: - pattern-inside: | require('wkhtmltopdf') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = <... $REQ.$VAR ...>; ... wkhtmltopdf(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... wkhtmltopdf(<... $INP ...>, ...) - pattern: | wkhtmltopdf(<... $REQ.$VAR ...>, ...) - pattern: | wkhtmltopdf(<... $REQ.$VAR.$FOO ...>, ...) message: User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF). languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-918 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.ssrf.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf shortlink: https://sg.run/RxEe semgrep.dev: rule: r_id: 43693 rv_id: 833187 rule_id: pKUJv1 version_id: 8KTGk3q url: https://semgrep.dev/playground/r/8KTGk3q/ajinabraham.njsscan.ssrf.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf origin: community - id: ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite patterns: - pattern-either: - pattern-inside: | $X = require('unzip') ... - pattern-inside: | $X = require('unzipper') ... - pattern-inside: | $Y.pipe($UNZIP.Parse(...)).on('entry', function $FUNC(...) { ... }, ...) - pattern-not: | $X = $FILENAME.indexOf(...) - pattern-not: | $FUNC.pipe($FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...)))) - pattern-not: | $FUNC.pipe($FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...)))) - pattern-not: | $FUNC.pipe($FS.writeFileSync($PATH.join(..., $PATH.basename($FILENAME, ...)))) - pattern-either: - pattern: | $FUNC.pipe($FS.createWriteStream($FIL, ...)) - pattern: | $FUNC.pipe($FS.writeFile($FIL, ...)) - pattern: | $FUNC.pipe($FS.writeFileSync($FIL, ...)) message: Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-22 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite shortlink: https://sg.run/ABO8 semgrep.dev: rule: r_id: 43694 rv_id: 833188 rule_id: 2ZUXBG version_id: gETy2r1 url: https://semgrep.dev/playground/r/gETy2r1/ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite origin: community - id: ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite2 patterns: - pattern-either: - pattern-inside: | $X = require('unzip') ... - pattern-inside: | $X = require('unzipper') ... - pattern-inside: | $UNZIP.Parse(...).on('entry', function $FUNC($ENTRY) { ... }, ...) - pattern-not: | if ($FILENAME.indexOf('..')) - pattern-not: | $FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFileSync($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-either: - pattern: | $FS.createWriteStream($FIL, ...) - pattern: | $FS.writeFile($FIL, ...) - pattern: | $FS.writeFileSync($FIL, ...) message: Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-22 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite2 shortlink: https://sg.run/BD82 semgrep.dev: rule: r_id: 43695 rv_id: 833189 rule_id: X5UpXw version_id: QkTkrE6 url: https://semgrep.dev/playground/r/QkTkrE6/ajinabraham.njsscan.traversal.archive_path_overwrite.zip_path_overwrite2 origin: community - id: ajinabraham.njsscan.traversal.archive_path_overwrite.admzip_path_overwrite patterns: - pattern-inside: | $X = require('adm-zip') ... - pattern-not: | if ($FILENAME.indexOf('..')) - pattern-not: | $FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFileSync($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-either: - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.createWriteStream(...) }, ...) - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.writeFile(...) }, ...) - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.writeFileSync(...) }, ...) message: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-22 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.archive_path_overwrite.admzip_path_overwrite shortlink: https://sg.run/D0Eo semgrep.dev: rule: r_id: 43696 rv_id: 833190 rule_id: j2UpAv version_id: 3ZT3A2E url: https://semgrep.dev/playground/r/3ZT3A2E/ajinabraham.njsscan.traversal.archive_path_overwrite.admzip_path_overwrite origin: community - id: ajinabraham.njsscan.traversal.archive_path_overwrite.tar_path_overwrite patterns: - pattern-inside: | $X = require('tar-stream') ... - pattern-not-inside: | $Y.pipe($UNZIP.Parse(...)).on('entry', function $FUNC(...) { ... }, ...) - pattern-inside: | $EXTRACT.on('entry', function $FUNC(...) { ... }, ...) - pattern-not: | if ($FILENAME.indexOf('..')) - pattern-not: | $FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFileSync($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-either: - pattern: | $FS.createWriteStream($FIL, ...) - pattern: | $FS.writeFile($FIL, ...) - pattern: | $FS.writeFileSync($FIL, ...) message: Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-22 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.archive_path_overwrite.tar_path_overwrite shortlink: https://sg.run/WxEg semgrep.dev: rule: r_id: 43697 rv_id: 833191 rule_id: 10UnAZ version_id: 44TQPb1 url: https://semgrep.dev/playground/r/44TQPb1/ajinabraham.njsscan.traversal.archive_path_overwrite.tar_path_overwrite origin: community - id: ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr patterns: - pattern-inside: | require('hbs') ... - pattern-inside: | require('express') ... - pattern-either: - pattern: | $INP = <... $REQ.$QUERY ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY.$FOO ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: $RES.render($VIEW, <... $REQ.$QUERY.$FOO ...>) - pattern: $RES.render($VIEW, <... $REQ.$BODY ...>) message: Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-23 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr shortlink: https://sg.run/0qO5 semgrep.dev: rule: r_id: 43698 rv_id: 833192 rule_id: 9AULYk version_id: PkTxre0 url: https://semgrep.dev/playground/r/PkTxre0/ajinabraham.njsscan.traversal.express_hbs_lfr.express_lfr origin: community - id: ajinabraham.njsscan.xml.xxe_xml2json.xxe_xml2json patterns: - pattern-inside: | require('xml2json') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $EXPAT.toJson(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $EXPAT.toJson(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $EXPAT.toJson(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $EXPAT.toJson(<... $INPUT ...>,...) message: Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities. metadata: owasp-web: a4 cwe: cwe-611 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xxe_xml2json.xxe_xml2json shortlink: https://sg.run/BD8W semgrep.dev: rule: r_id: 43707 rv_id: 833201 rule_id: eqUwXe version_id: 0bTwbGg url: https://semgrep.dev/playground/r/0bTwbGg/ajinabraham.njsscan.xml.xxe_xml2json.xxe_xml2json origin: community severity: ERROR languages: - javascript - id: ajinabraham.njsscan.xss.xss_mustache_escape.xss_disable_mustache_escape pattern: $OBJ.escapeMarkup = false severity: WARNING languages: - javascript metadata: cwe: cwe-116 owasp-web: a7 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_mustache_escape.xss_disable_mustache_escape shortlink: https://sg.run/D0EY semgrep.dev: rule: r_id: 43708 rv_id: 833202 rule_id: v8UJxL version_id: K3Trqg3 url: https://semgrep.dev/playground/r/K3Trqg3/ajinabraham.njsscan.xss.xss_mustache_escape.xss_disable_mustache_escape origin: community message: Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. - id: ajinabraham.njsscan.xss.xss_node.express_xss patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $RES.write(..., <... $REQ.$QUERY ...>, ...) - pattern: | $RES.write(..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: | $RES.send(..., <... $REQ.$QUERY ...>, ...) - pattern: | $RES.send(..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$FOO ...>; ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$VAR ...>; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | var {$LOCALVAR} = <... $REQ.$QUERY.$FOO ...>; ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | var {$LOCALVAR} = <... $REQ.$QUERY.$VAR ...>; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | var {$LOCALVAR} = <... $REQ.$QUERY ...>; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = {$KEY: <... $REQ.$QUERY ...>}; ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = {$KEY: <... $REQ.$QUERY.$FOO ...>}; ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = {$KEY: <... $REQ.$QUERY.$VAR ...>}; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = {$KEY: <... $REQ.$QUERY ...>}; ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR.push(<... $REQ.$QUERY ...>) ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR.push(<... $REQ.$QUERY.$FOO ...>) ... $RES.write(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR.push(<... $REQ.$QUERY.$VAR ...>) ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR.push(<... $REQ.$QUERY ...>) ... $RES.send(..., <... $LOCALVAR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $ARR.push(<... $LOCALVAR ...>) ... $RES.write(..., <... $ARR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$FOO ...>; ... $ARR.push(<... $LOCALVAR ...>) ... $RES.write(..., <... $ARR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$VAR ...>; ... $ARR.push(<... $LOCALVAR ...>) ... $RES.send(..., <... $ARR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $ARR.push(<... $LOCALVAR ...>) ... $RES.send(..., <... $ARR ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $OUT = <... $LOCALVAR ...>; ... $RES.write(..., <... $OUT ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$FOO ...>; ... $OUT = <... $LOCALVAR ...>; ... $RES.write(..., <... $OUT ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY.$VAR ...>; ... $OUT = <... $LOCALVAR ...>; ... $RES.send(..., <... $OUT ...>, ...) - pattern: | $LOCALVAR = <... $REQ.$QUERY ...>; ... $OUT = <... $LOCALVAR ...>; ... $RES.send(..., <... $OUT ...>, ...) message: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-79 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_node.express_xss shortlink: https://sg.run/WxE4 semgrep.dev: rule: r_id: 43709 rv_id: 833203 rule_id: d8UE27 version_id: qkTQnve url: https://semgrep.dev/playground/r/qkTQnve/ajinabraham.njsscan.xss.xss_node.express_xss origin: community - id: ajinabraham.njsscan.xss.xss_serialize_js.xss_serialize_javascript patterns: - pattern-inside: | $S = require('serialize-javascript') ... - pattern-not-inside: escape(...) - pattern-not-inside: encodeURI(...) - pattern: | $S(..., {unsafe: true}) message: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS). severity: WARNING languages: - javascript metadata: owasp-web: a1 cwe: cwe-80 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_serialize_js.xss_serialize_javascript shortlink: https://sg.run/0qOv semgrep.dev: rule: r_id: 43710 rv_id: 833204 rule_id: ZqUJ1W version_id: l4TyOpN url: https://semgrep.dev/playground/r/l4TyOpN/ajinabraham.njsscan.xss.xss_serialize_js.xss_serialize_javascript origin: community - id: ajinabraham.njsscan.xss.xss_templates.handlebars_noescape patterns: - pattern: | $X.compile(..., {noEscape: true}, ...) message: Disabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-80 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_templates.handlebars_noescape shortlink: https://sg.run/q3Xz semgrep.dev: rule: r_id: 43712 rv_id: 833206 rule_id: EwUbPY version_id: 6xTDgRk url: https://semgrep.dev/playground/r/6xTDgRk/ajinabraham.njsscan.xss.xss_templates.handlebars_noescape origin: community - id: ajinabraham.njsscan.xss.xss_templates.squirrelly_autoescape pattern: $X.autoEscaping(false) message: Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-79 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xss.xss_templates.squirrelly_autoescape shortlink: https://sg.run/lA6y semgrep.dev: rule: r_id: 43713 rv_id: 833207 rule_id: 7KUwq5 version_id: o5TBELG url: https://semgrep.dev/playground/r/o5TBELG/ajinabraham.njsscan.xss.xss_templates.squirrelly_autoescape origin: community - id: mobsf.mobsfscan.android.hidden_ui.android_hidden_ui patterns: - pattern-either: - pattern: | $X.setVisibility(View.GONE); - pattern: | $V = View.GONE; ... $X.setVisibility($V); - pattern: | $X.setVisibility(View.INVISIBLE); - pattern: | $V = View.INVISIBLE; ... $X.setVisibility($V); message: Hidden elements in view can be used to hide data from user. But this data can be leaked. If the view contains sensitive data, it might still be accessible through memory inspection. A good practice is to clear sensitive data before hiding it. languages: - java severity: ERROR metadata: cwe: cwe-919 owasp-mobile: m1 masvs: storage-7 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-for-sensitive-data-disclosure-through-the-user-interface-mstg-storage-7 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.hidden_ui.android_hidden_ui shortlink: https://sg.run/YeEe semgrep.dev: rule: r_id: 43714 rv_id: 833208 rule_id: L1UJDJ version_id: zyTWJBg url: https://semgrep.dev/playground/r/zyTWJBg/mobsf.mobsfscan.android.hidden_ui.android_hidden_ui origin: community - id: mobsf.mobsfscan.android.logging.android_logging patterns: - pattern-not: System.out.print(); - pattern-not: System.out.println(); - pattern-not: System.err.print(); - pattern-not: System.err.println(); - pattern-not: Log.$D("...", "...", ...); - pattern-not: Log.$D($T, "...", ...); - pattern-not: System.out.print("..."); - pattern-not: System.out.println("..."); - pattern-not: System.err.print("..."); - pattern-not: System.err.println("..."); - pattern-either: - pattern: | Log.$D($T, $X + "...", ...); - pattern: | Log.$D($T, "..." + $X + "...", ...); - pattern: | Log.$D($T, "..." + $X, ...); - pattern: | $Y = $Z; ... Log.$D($T,<... $Y ...>, ...); - pattern: | System.out.print(...); - pattern: | System.err.print(...); - pattern: | System.out.println(...); - pattern: | System.err.println(...); message: The App logs information. Please ensure that sensitive information is never logged. languages: - java severity: INFO metadata: cwe: cwe-532 owasp-mobile: m1 masvs: storage-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.logging.android_logging shortlink: https://sg.run/6pQo semgrep.dev: rule: r_id: 43715 rv_id: 833209 rule_id: 8GU0OP version_id: pZTXj2v url: https://semgrep.dev/playground/r/pZTXj2v/mobsf.mobsfscan.android.logging.android_logging origin: community - id: mobsf.mobsfscan.android.secrets.hardcoded_password patterns: - pattern-not: $X = ""; - pattern-not: $M($X, "", ...); - pattern-either: - pattern: | $X = "..."; - pattern: | $M($X, "...", ...); - metavariable-regex: metavariable: $X regex: (?i:^.{0,100}pass.{0,100}) message: A hardcoded password in plain text is identified. languages: - java severity: WARNING metadata: cwe: cwe-798 owasp-mobile: m9 masvs: storage-14 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_password shortlink: https://sg.run/oWp9 semgrep.dev: rule: r_id: 43716 rv_id: 833210 rule_id: gxUpG8 version_id: 2KT7xRo url: https://semgrep.dev/playground/r/2KT7xRo/mobsf.mobsfscan.android.secrets.hardcoded_password origin: community - id: mobsf.mobsfscan.android.secrets.hardcoded_username patterns: - pattern-not: $X = ""; - pattern-not: $M($X, "", ...); - pattern-either: - pattern: | $X = "..."; - pattern: | $M($X, "...", ...); - metavariable-regex: metavariable: $X regex: (?i:^.{0,100}user.{0,100}) message: A hardcoded username in plain text is identified. languages: - java severity: WARNING metadata: cwe: cwe-798 owasp-mobile: m9 masvs: storage-14 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_username shortlink: https://sg.run/zXGG semgrep.dev: rule: r_id: 43717 rv_id: 833211 rule_id: QrULll version_id: X0T5NYj url: https://semgrep.dev/playground/r/X0T5NYj/mobsf.mobsfscan.android.secrets.hardcoded_username origin: community - id: mobsf.mobsfscan.android.secrets.hardcoded_api_key patterns: - pattern-not: $X = ""; - pattern-not: $M($X, "", ...); - pattern-either: - pattern: | $X = "..."; - pattern: | $M($X, "...", ...); - metavariable-regex: metavariable: $X regex: (?i:^.{0,100}key.{0,100}) message: A hardcoded Key is identified. languages: - java severity: WARNING metadata: cwe: cwe-798 owasp-mobile: m9 masvs: storage-14 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_api_key shortlink: https://sg.run/p02g semgrep.dev: rule: r_id: 43718 rv_id: 833212 rule_id: 3qUgDz version_id: jQTrX18 url: https://semgrep.dev/playground/r/jQTrX18/mobsf.mobsfscan.android.secrets.hardcoded_api_key origin: community - id: mobsf.mobsfscan.android.secrets.hardcoded_secret patterns: - pattern-not: $X = ""; - pattern-not: $M($X, "", ...); - pattern-either: - pattern: | $X = "..."; - pattern: | $M($X, "...", ...); - metavariable-regex: metavariable: $X regex: (?i:^.{0,100}secret.{0,100}) message: A hardcoded secret is identified. languages: - java severity: WARNING metadata: cwe: cwe-798 owasp-mobile: m9 masvs: storage-14 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#storing-a-key---example license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_secret shortlink: https://sg.run/23O0 semgrep.dev: rule: r_id: 43719 rv_id: 833213 rule_id: 4bUJWL version_id: 1QTPLEB url: https://semgrep.dev/playground/r/1QTPLEB/mobsf.mobsfscan.android.secrets.hardcoded_secret origin: community - id: mobsf.mobsfscan.android.word_readable_writable.world_writeable patterns: - pattern-either: - pattern: | Context.MODE_WORLD_WRITEABLE message: The file is World Readable and Writable. Any App can read/write to the file. languages: - java severity: WARNING metadata: cwe: cwe-276 owasp-mobile: m2 masvs: storage-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_writeable shortlink: https://sg.run/jGlY semgrep.dev: rule: r_id: 43721 rv_id: 833215 rule_id: JDU4Ab version_id: yeTN1qo url: https://semgrep.dev/playground/r/yeTN1qo/mobsf.mobsfscan.android.word_readable_writable.world_writeable origin: community - id: mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api patterns: - pattern-either: - pattern: | import com.google.android.gms.safetynet.SafetyNetApi; - pattern: | $S = SafetyNet.getClient(...); ... $T = $S.attest(...); - pattern: | new RNGoogleSafetyNetPackage(...) message: 'This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device''s integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ' languages: - java severity: INFO metadata: cwe: cwe-353 owasp-mobile: m8 masvs: resilience-1 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api shortlink: https://sg.run/1lOw semgrep.dev: rule: r_id: 43722 rv_id: 833216 rule_id: 5rUx0W version_id: rxTDznQ url: https://semgrep.dev/playground/r/rxTDznQ/mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api origin: community - id: mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot patterns: - pattern-either: - pattern: | getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, ...); - pattern: | $V = WindowManager.LayoutParams.FLAG_SECURE; ... getWindow().setFlags($V); - pattern: | getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE, ...); - pattern: | $V = WindowManager.LayoutParams.FLAG_SECURE; ... getWindow().addFlags($V); - pattern: | $A.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, ...); - pattern: | $V = WindowManager.LayoutParams.FLAG_SECURE; ... $A.getWindow().setFlags($V); - pattern: | $A.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE, ...); - pattern: | $V = WindowManager.LayoutParams.FLAG_SECURE; ... $A.getWindow().addFlags($V); message: This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc. languages: - java severity: INFO metadata: cwe: cwe-200 owasp-mobile: m2 masvs: storage-9 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot shortlink: https://sg.run/9jOY semgrep.dev: rule: r_id: 43723 rv_id: 833217 rule_id: GdUg51 version_id: bZTBeEj url: https://semgrep.dev/playground/r/bZTBeEj/mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot origin: community - id: mobsf.mobsfscan.best_practices.root_detection.android_root_detection patterns: - pattern-either: - pattern: | $J.isJailBroken(...) - pattern: | $R.isDeviceRooted(...) - pattern: | $R.isRooted(...) - pattern: | RootTools.isAccessGiven(...) - pattern: | $MTD.contains("test-keys") message: This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data. languages: - java severity: INFO metadata: cwe: cwe-919 owasp-mobile: m8 masvs: resilience-1 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.root_detection.android_root_detection shortlink: https://sg.run/y25x semgrep.dev: rule: r_id: 43724 rv_id: 833218 rule_id: ReUdYj version_id: NdTB262 url: https://semgrep.dev/playground/r/NdTB262/mobsf.mobsfscan.best_practices.root_detection.android_root_detection origin: community - id: mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking patterns: - pattern-either: - pattern: | $F.setFilterTouchesWhenObscured(true); message: This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to. languages: - java severity: INFO metadata: cwe: cwe-200 owasp-mobile: m1 masvs: platform-9 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking shortlink: https://sg.run/rqjn semgrep.dev: rule: r_id: 43725 rv_id: 833219 rule_id: AbUx1o version_id: kbT2lWP url: https://semgrep.dev/playground/r/kbT2lWP/mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking origin: community - id: mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency patterns: - pattern-either: - pattern: | import com.babylon.certificatetransparency; - pattern: | new CTInterceptorBuilder(...) - pattern: | new CTHostnameVerifierBuilder(...) message: This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. languages: - java severity: INFO metadata: cwe: cwe-295 owasp-mobile: m3 masvs: network-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency shortlink: https://sg.run/bERp semgrep.dev: rule: r_id: 43726 rv_id: 833220 rule_id: BYUoO0 version_id: w8TAxWo url: https://semgrep.dev/playground/r/w8TAxWo/mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency origin: community - id: mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning patterns: - pattern-either: - pattern: | import com.toyberman.RNSslPinningPackage; - pattern: | import org.thoughtcrime.ssl.pinning; - pattern: | new PinningValidationReportTestBroadcastReceiver() - pattern: | new CertificatePinner.Builder() - pattern: | CertificatePinner.Builder() - pattern: | TrustKit.getInstance().getSSLSocketFactory(...) - pattern: | $X = $R.openRawResource(...); ... $KS = KeyStore.getInstance(...); ... $KS.load($X, ...); ... $T.init($KS); - pattern: | TrustKit.initializeWithNetworkSecurityConfiguration(...); - pattern: | OkHttp2Helper.getPinningInterceptor() - pattern: | OkHttp3Helper.getPinningInterceptor() - pattern: | new PinningHostnameVerifier(...) - pattern: | PinningHelper.getPinnedHttpsURLConnection - pattern: | $F.openRawResource(...); ... $X = new Picasso.Builder(...); message: This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`. languages: - java severity: INFO metadata: cwe: cwe-295 owasp-mobile: m3 masvs: network-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning shortlink: https://sg.run/NXEp semgrep.dev: rule: r_id: 43727 rv_id: 833221 rule_id: DbUL4y version_id: xyTNeR5 url: https://semgrep.dev/playground/r/xyTNeR5/mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning origin: community - id: mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode patterns: - pattern-either: - pattern: | Cipher.getInstance("=~/AES\/ECB.*/i") message: The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext. severity: ERROR languages: - java metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode shortlink: https://sg.run/kRY7 semgrep.dev: rule: r_id: 43728 rv_id: 833222 rule_id: WAUg2K version_id: O9TJWQY url: https://semgrep.dev/playground/r/O9TJWQY/mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode origin: community - id: mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode_default patterns: - pattern-either: - pattern: | Cipher.getInstance("AES") message: Calling Cipher.getInstance("AES") will return AES ECB mode by default. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext. severity: ERROR languages: - java metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode_default shortlink: https://sg.run/wzPY semgrep.dev: rule: r_id: 43729 rv_id: 833223 rule_id: 0oUZRX version_id: e1TDk4W url: https://semgrep.dev/playground/r/e1TDk4W/mobsf.mobsfscan.crypto.aes_ecb.aes_ecb_mode_default origin: community - id: mobsf.mobsfscan.crypto.aes_encryption_keys.aes_hardcoded_key patterns: - pattern-either: - pattern: "$S = new SecretKeySpec(\"...\".getBytes(), \"AES\");\n...\n$C.init(..., $S); \n" - pattern: | $P = "..."; ... $S = new SecretKeySpec($P.getBytes(), "AES"); ... $C.init(..., $S); message: Hardcoded encryption key makes AES symmetric encryption useless. An attacker can easily reverse engineer the application and recover the keys. languages: - java severity: ERROR metadata: cwe: cwe-321 owasp-mobile: m5 masvs: crypto-1 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#common-configuration-issues-mstg-crypto-1-mstg-crypto-2-and-mstg-crypto-3 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.aes_encryption_keys.aes_hardcoded_key shortlink: https://sg.run/xpJz semgrep.dev: rule: r_id: 43730 rv_id: 833224 rule_id: KxURB0 version_id: vdTOzLZ url: https://semgrep.dev/playground/r/vdTOzLZ/mobsf.mobsfscan.crypto.aes_encryption_keys.aes_hardcoded_key origin: community - id: mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle patterns: - pattern-either: - pattern: | Cipher.getInstance("AES/CBC/PKCS5Padding") - pattern: | Cipher.getInstance("Blowfish/CBC/PKCS5Padding") - pattern: | Cipher.getInstance("DES/CBC/PKCS5Padding") - pattern: | Cipher.getInstance("AES/CBC/PKCS7Padding") - pattern: | Cipher.getInstance("Blowfish/CBC/PKCS7Padding") - pattern: | Cipher.getInstance("DES/CBC/PKCS7Padding") message: The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. languages: - java severity: ERROR metadata: cwe: cwe-649 owasp-mobile: m5 masvs: crypto-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle shortlink: https://sg.run/OjEB semgrep.dev: rule: r_id: 43731 rv_id: 833225 rule_id: qNUrzk version_id: d6TKG8D url: https://semgrep.dev/playground/r/d6TKG8D/mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle origin: community - id: mobsf.mobsfscan.crypto.cbc_static_iv.cbc_static_iv patterns: - pattern-either: - pattern: | byte[] $X = {...}; ... $Y = new IvParameterSpec($X, ...); ... $C.getInstance("=~/AES/CBC.*/i"); - pattern: | byte[] $X = "...".$FUNC(...); ... $Y = new IvParameterSpec($X, ...); ... $C.getInstance("=~/AES/CBC.*/i"); message: The IV for AES CBC mode should be random. A static IV makes the ciphertext vulnerable to Chosen Plaintext Attack. languages: - java severity: ERROR metadata: cwe: cwe-329 owasp-mobile: m5 masvs: crypto-5 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#predictable-initialization-vector license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.cbc_static_iv.cbc_static_iv shortlink: https://sg.run/egDb semgrep.dev: rule: r_id: 43732 rv_id: 833226 rule_id: lBUYwL version_id: ZRTlPDE url: https://semgrep.dev/playground/r/ZRTlPDE/mobsf.mobsfscan.crypto.cbc_static_iv.cbc_static_iv origin: community - id: mobsf.mobsfscan.crypto.insecure_random.java_insecure_random patterns: - pattern-either: - pattern: | import java.util.Random; - pattern: | import java.util.concurrent.ThreadLocalRandom; message: The App uses an insecure Random Number Generator. languages: - java severity: WARNING metadata: cwe: cwe-330 owasp-mobile: m5 masvs: crypto-6 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_random.java_insecure_random shortlink: https://sg.run/vo4A semgrep.dev: rule: r_id: 43733 rv_id: 833227 rule_id: PeUKqY version_id: nWTy4Qq url: https://semgrep.dev/playground/r/nWTy4Qq/mobsf.mobsfscan.crypto.insecure_random.java_insecure_random origin: community - id: mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3 patterns: - pattern-either: - pattern: | $S.getInstance("SSLv3"); message: SSLv3 is insecure and has multiple known vulnerabilities. languages: - java severity: ERROR metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3 shortlink: https://sg.run/dnBZ semgrep.dev: rule: r_id: 43734 rv_id: 833228 rule_id: JDU4Ag version_id: ExTrDv8 url: https://semgrep.dev/playground/r/ExTrDv8/mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3 origin: community - id: mobsf.mobsfscan.crypto.sha1_hash.sha1_hash patterns: - pattern-either: - pattern: | $C.getInstance("=~/sha-1|sha1/i", ...); - pattern: | DigestUtils.sha1Hex(...); - pattern: | DigestUtils.sha1(...); - pattern: | DigestUtils.sha(...); message: SHA1 Hash algorithm used. The SHA1 hash is known to have hash collisions. languages: - java severity: WARNING metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.sha1_hash.sha1_hash shortlink: https://sg.run/nDyX semgrep.dev: rule: r_id: 43736 rv_id: 833230 rule_id: GdUgKL version_id: LjTEb97 url: https://semgrep.dev/playground/r/LjTEb97/mobsf.mobsfscan.crypto.sha1_hash.sha1_hash origin: community - id: mobsf.mobsfscan.crypto.weak_ciphers.weak_cipher patterns: - pattern-either: - pattern: | $C.getInstance("=~/des|desede|rc2|rc4|blowfish/i", ...); - pattern: | $C = new NullCipher(); message: Weak encryption algorithm identified. This algorithm is vulnerable to cryptographic attacks. severity: ERROR languages: - java metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_ciphers.weak_cipher shortlink: https://sg.run/EKZw semgrep.dev: rule: r_id: 43737 rv_id: 833231 rule_id: ReUdZD version_id: 8KTGkgq url: https://semgrep.dev/playground/r/8KTGkgq/mobsf.mobsfscan.crypto.weak_ciphers.weak_cipher origin: community - id: mobsf.mobsfscan.crypto.weak_hashes.weak_hash patterns: - pattern-either: - pattern: | $C.getInstance("=~/md5|md4/i", ...); - pattern: | $C.Files.hash(..., Hashing.md5()); - pattern: | Files.hash(..., Hashing.md5()); - pattern: | DigestUtils.md5Hex(...); - pattern: | DigestUtils.md5(...); message: Weak Hash algorithm used. The hash algorithm is known to have hash collisions. severity: WARNING languages: - java metadata: cwe: cwe-327 owasp-mobile: m5 masvs: crypto-4 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_hashes.weak_hash shortlink: https://sg.run/72wZ semgrep.dev: rule: r_id: 43738 rv_id: 833232 rule_id: AbUxZk version_id: gETy2E1 url: https://semgrep.dev/playground/r/gETy2E1/mobsf.mobsfscan.crypto.weak_hashes.weak_hash origin: community - id: mobsf.mobsfscan.crypto.weak_iv.weak_iv patterns: - pattern-either: - pattern: | byte[] $X = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; ... $Y = new IvParameterSpec($X, ...); - pattern: | byte[] $X = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07 }; ... $Y = new IvParameterSpec($X, ...); message: The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack. languages: - java severity: WARNING metadata: cwe: cwe-1204 owasp-mobile: m5 masvs: crypto-5 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#mobile-app-cryptography license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_iv.weak_iv shortlink: https://sg.run/LpZr semgrep.dev: rule: r_id: 43739 rv_id: 833233 rule_id: BYUonD version_id: QkTkrA6 url: https://semgrep.dev/playground/r/QkTkrA6/mobsf.mobsfscan.crypto.weak_iv.weak_iv origin: community - id: mobsf.mobsfscan.deserialization.object_deserialization.object_deserialization patterns: - pattern: new ObjectInputStream(...); severity: WARNING languages: - java message: | Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object. metadata: cwe: cwe-502 owasp-mobile: m1 masvs: platform-8 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-object-persistence-mstg-platform-8 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.deserialization.object_deserialization.object_deserialization shortlink: https://sg.run/QxZ4 semgrep.dev: rule: r_id: 43742 rv_id: 833236 rule_id: 0oUZYJ version_id: PkTxr20 url: https://semgrep.dev/playground/r/PkTxr20/mobsf.mobsfscan.deserialization.object_deserialization.object_deserialization origin: community - id: mobsf.mobsfscan.injection.sqlite_injection.sqlite_injection patterns: - pattern-not: $DB.execSQL("..." , ...); - pattern-not: $DB.rawQuery("..." , ...); - pattern-either: - pattern: | $DB.rawQuery("..." + $INP + "..." , ...); - pattern: | $DB.rawQuery($INP + "..." , ... ); - pattern: | $DB.rawQuery($INP + "..." + $INP2, ...); - pattern: | $DB.rawQuery($INP + "..." + $INP2 + "...", ...); - pattern: | $DB.execSQL($INP + "..." , ...); - pattern: | $DB.execSQL("..." + $INP + "..." , ...); - pattern: | $DB.execSQL($INP + "..." + $INP2, ...); - pattern: | $DB.execSQL($INP + "..." + $INP2 + "...", ...); message: App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. languages: - java severity: WARNING metadata: cwe: cwe-78 owasp-mobile: m7 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.injection.sqlite_injection.sqlite_injection shortlink: https://sg.run/PxZY semgrep.dev: rule: r_id: 43745 rv_id: 833239 rule_id: lBUYAy version_id: GxTDEYP url: https://semgrep.dev/playground/r/GxTDEYP/mobsf.mobsfscan.injection.sqlite_injection.sqlite_injection origin: community - id: mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate patterns: - pattern-either: - pattern: | $X.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER - pattern: | $X.setHostnameVerifier($Z.ALLOW_ALL_HOSTNAME_VERIFIER); - pattern: | $X.setHostnameVerifier(new AllowAllHostnameVerifier()); - pattern: | $X.setDefaultHostnameVerifier(new NullHostnameVerifier()); - pattern: | $X.setDefaultHostnameVerifier((HostnameVerifier) new NullHostnameVerifier()); - pattern: | $RET verify(..., SSLSession $X) { ... return true; } - pattern: | $Y = SSLContext.getInstance(...); ... $Y.init(null, ...); - pattern: | $Y = $S.SSLContext.getInstance(...); ... $Y.init(null, ...); - pattern: | $Z = new TLSClientParameters(...); ... $Z.setDisableCNCheck(true); - pattern: "X509Certificate[] getAcceptedIssuers() { \n ...\n return new X509Certificate[]{};\n}\n" - pattern: | X509Certificate[] getAcceptedIssuers() { ... return new java.security.cert.X509Certificate[]{}; } - pattern: "X509Certificate[] getAcceptedIssuers() { \n ...\n $Y = new X509Certificate[]{};\n \ ...\n return $Y;\n}\n" - pattern: | X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } - pattern: | X509Certificate[] getAcceptedIssuers() { ... $X = new X509Certificate[0]; ... return $X; } - pattern: | X509Certificate[] getAcceptedIssuers() { return null; } - pattern: | sslContext.init(null, ...); - pattern: | setSslSocketFactory(new NonValidatingSSLSocketFactory()); message: Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks. languages: - java severity: ERROR metadata: cwe: cwe-295 owasp-mobile: m3 masvs: network-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-endpoint-identify-verification-mstg-network-3 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate shortlink: https://sg.run/JoZw semgrep.dev: rule: r_id: 43746 rv_id: 833240 rule_id: YGUxKY version_id: RGTKGnk url: https://semgrep.dev/playground/r/RGTKGnk/mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate origin: community - id: mobsf.mobsfscan.network.default_http_client_tls.default_http_client_tls patterns: - pattern-either: - pattern: | new DefaultHttpClient() message: DefaultHTTPClient() with default constructor is not compatible with TLS 1.2. languages: - java severity: WARNING metadata: cwe: cwe-757 owasp-mobile: m3 masvs: network-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md#verifying-data-encryption-on-the-network-mstg-network-1-and-mstg-network-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.network.default_http_client_tls.default_http_client_tls shortlink: https://sg.run/5zwA semgrep.dev: rule: r_id: 43747 rv_id: 833241 rule_id: 6JUkwx version_id: A8T370X url: https://semgrep.dev/playground/r/A8T370X/mobsf.mobsfscan.network.default_http_client_tls.default_http_client_tls origin: community - id: mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url patterns: - pattern-either: - pattern: | setAllowFileAccessFromFileURLs(true) - pattern: | $W.setAllowFileAccessFromFileURLs(true) - pattern: | $X = true; ... $W.setAllowFileAccessFromFileURLs($X); - pattern: | setAllowUniversalAccessFromFileURLs(true) - pattern: | $W.setAllowUniversalAccessFromFileURLs(true) - pattern: | $X = true; ... $W.setAllowUniversalAccessFromFileURLs($X); message: Ensure that user controlled URLs never reaches the Webview. Enabling file access from URLs in WebView can leak sensitive information from the file system. languages: - java severity: WARNING metadata: cwe: cwe-200 owasp-mobile: m1 masvs: platform-7 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url shortlink: https://sg.run/wdPz0 semgrep.dev: rule: r_id: 134573 rv_id: 833242 rule_id: QrUWlLB version_id: BjTe0Jk url: https://semgrep.dev/playground/r/BjTe0Jk/mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url origin: community - id: mobsf.mobsfscan.webview.webview_debugging.webview_debugging patterns: - pattern-either: - pattern: | $WB.setWebContentsDebuggingEnabled(true); - pattern: | $X = true; ... $WB.setWebContentsDebuggingEnabled($X); message: Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data. languages: - java severity: ERROR metadata: cwe: cwe-489 owasp-mobile: m1 masvs: resilience-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-anti-debugging-detection-mstg-resilience-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_debugging.webview_debugging shortlink: https://sg.run/G3Zp semgrep.dev: rule: r_id: 43748 rv_id: 833243 rule_id: oqUPpl version_id: DkTG0Xk url: https://semgrep.dev/playground/r/DkTG0Xk/mobsf.mobsfscan.webview.webview_debugging.webview_debugging origin: community - id: mobsf.mobsfscan.webview.webview_external_storage.webview_external_storage patterns: - pattern-either: - pattern: | $X = <... $E.getExternalStorageDirectory() ...>; ... $WV.loadUrl(<... $X ...>); - pattern: | $WV.loadUrl(<... $E.getExternalStorageDirectory().$F() ...>); - pattern: | $X = <... Environment.getExternalStorageDirectory().$F() ...>; ... $WV.loadUrl(<... $X ...>); - pattern: | $X = <... $E.getExternalFilesDir(...) ...>; ... $WV.loadUrl(<... $X ...>); message: WebView load files from external storage. Files in external storage can be modified by any application. languages: - java severity: ERROR metadata: cwe: cwe-749 owasp-mobile: m1 masvs: platform-6 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-webview-protocol-handlers-mstg-platform-6 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_external_storage.webview_external_storage shortlink: https://sg.run/Rx3O semgrep.dev: rule: r_id: 43749 rv_id: 833244 rule_id: zdU90D version_id: WrTdpG7 url: https://semgrep.dev/playground/r/WrTdpG7/mobsf.mobsfscan.webview.webview_external_storage.webview_external_storage origin: community - id: mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access patterns: - pattern-either: - pattern: | $WB.setAllowFileAccess(true); message: WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources. languages: - java severity: WARNING metadata: cwe: cwe-73 owasp-mobile: m7 masvs: platform-6 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md/#testing-webview-protocol-handlers-mstg-platform-6 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access shortlink: https://sg.run/ABgp semgrep.dev: rule: r_id: 43750 rv_id: 833245 rule_id: pKUJ40 version_id: 0bTwbgg url: https://semgrep.dev/playground/r/0bTwbgg/mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access origin: community - id: mobsf.mobsfscan.webview.webview_ignore_ssl_errors.ignore_ssl_certificate_errors patterns: - pattern-either: - pattern: | $RET onReceivedSslError(WebView $W, SslErrorHandler $H, SslError $E) { ... $H.proceed(); } message: Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks. languages: - java severity: ERROR metadata: cwe: cwe-295 owasp-mobile: m3 masvs: network-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_ignore_ssl_errors.ignore_ssl_certificate_errors shortlink: https://sg.run/BDgW semgrep.dev: rule: r_id: 43751 rv_id: 833246 rule_id: 2ZUXop version_id: K3Trq83 url: https://semgrep.dev/playground/r/K3Trq83/mobsf.mobsfscan.webview.webview_ignore_ssl_errors.ignore_ssl_certificate_errors origin: community - id: mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", true); message: | XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false. languages: - java severity: ERROR metadata: cwe: cwe-611 owasp-mobile: m8 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled shortlink: https://sg.run/0qwv semgrep.dev: rule: r_id: 43754 rv_id: 833249 rule_id: 10UnwQ version_id: YDTl0kz url: https://semgrep.dev/playground/r/YDTl0kz/mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled origin: community - id: mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe patterns: - pattern-not-inside: | $RETURNTYPE $METHOD(...) { ... $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); ... } - pattern-not-inside: | $RETURNTYPE $METHOD(...) { ... $XMLFACTORY.setProperty(java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ... } - pattern-either: - pattern: $XMLFACTORY = $W.newFactory(...); - pattern: $XMLFACTORY = new XMLInputFactory(...); message: | XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false. severity: ERROR languages: - java metadata: cwe: cwe-611 owasp-mobile: m8 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe shortlink: https://sg.run/KzZ7 semgrep.dev: rule: r_id: 43755 rv_id: 833250 rule_id: 9AUL9X version_id: JdTlrG4 url: https://semgrep.dev/playground/r/JdTlrG4/mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe origin: community - id: trailofbits.yaml.ansible.get-url-validate-certs-disabled.get-url-validate-certs-disabled message: Found file download with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-validate_certs - https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_get_url_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.get-url-validate-certs-disabled.get-url-validate-certs-disabled shortlink: https://sg.run/Or0N7 semgrep.dev: rule: r_id: 113231 rv_id: 833320 rule_id: KxUvKPQ version_id: kbT2lek url: https://semgrep.dev/playground/r/kbT2lek/trailofbits.yaml.ansible.get-url-validate-certs-disabled.get-url-validate-certs-disabled origin: community patterns: - pattern-inside: | $GETURL: ... url: ... ... - pattern-not-inside: | $GETURL: ... checksum: ... ... - metavariable-pattern: metavariable: $GETURL pattern-either: - pattern: get_url - pattern: win_get_url - pattern: ansible.builtin.get_url - pattern: ansible.windows.win_get_url - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: trailofbits.yaml.ansible.rpm-key-unencrypted-url.rpm-key-unencrypted-url message: Found RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - rpm confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/rpm_key_module.html#parameter-key license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.rpm-key-unencrypted-url.rpm-key-unencrypted-url shortlink: https://sg.run/eqGkR semgrep.dev: rule: r_id: 113232 rv_id: 833321 rule_id: qNU2R9K version_id: w8TAxy8 url: https://semgrep.dev/playground/r/w8TAxy8/trailofbits.yaml.ansible.rpm-key-unencrypted-url.rpm-key-unencrypted-url origin: community patterns: - pattern-inside: | $RPMKEY: ... - metavariable-pattern: metavariable: $RPMKEY pattern-either: - pattern: rpm_key - pattern: ansible.builtin.rpm_key - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: key - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.yaml.ansible.rpm-key-validate-certs-disabled.rpm-key-validate-certs-disabled message: Found RPM key with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible - rpm confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/rpm_key_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.rpm-key-validate-certs-disabled.rpm-key-validate-certs-disabled shortlink: https://sg.run/v8LWW semgrep.dev: rule: r_id: 113233 rv_id: 833322 rule_id: lBU4Jee version_id: xyTNeQ2 url: https://semgrep.dev/playground/r/xyTNeQ2/trailofbits.yaml.ansible.rpm-key-validate-certs-disabled.rpm-key-validate-certs-disabled origin: community patterns: - pattern-inside: | $RPMKEY: ... key: ... ... - metavariable-pattern: metavariable: $RPMKEY pattern-either: - pattern: rpm_key - pattern: ansible.builtin.rpm_key - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: trailofbits.python.scikit-joblib-load.scikit-joblib-load message: Scikit `joblib` uses pickle under the hood. Functions reliant on pickle can result in arbitrary code execution. Consider using `skops` instead. languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - scikit description: Potential arbitrary code execution from `SciKit.Joblib` functions reliant on pickling references: - https://scikit-learn.org/stable/model_persistence.html license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.scikit-joblib-load.scikit-joblib-load shortlink: https://sg.run/wzW6 semgrep.dev: rule: r_id: 43929 rv_id: 833309 rule_id: DbULlX version_id: zyTWJrZ url: https://semgrep.dev/playground/r/zyTWJrZ/trailofbits.python.scikit-joblib-load.scikit-joblib-load origin: community patterns: - pattern: joblib.load(...) - pattern-not: joblib.load("...") - id: trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces message: Service port is exposed on all interfaces languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-1327: Binding to an Unrestricted IP Address' subcategory: - audit technology: - docker - compose confidence: LOW likelihood: LOW impact: LOW references: - https://docs.docker.com/compose/compose-file/compose-file-v3/#ports license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces shortlink: https://sg.run/gxAyK semgrep.dev: rule: r_id: 113241 rv_id: 833330 rule_id: j2UgnLW version_id: 7ZTx9XE url: https://semgrep.dev/playground/r/7ZTx9XE/trailofbits.yaml.docker-compose.port-all-interfaces.port-all-interfaces origin: community patterns: - pattern-inside: | services: ... - pattern: | ports: - ... - "$PORT" - ... - focus-metavariable: $PORT - metavariable-regex: metavariable: $PORT regex: ^(?!127.\d{1,3}.\d{1,3}.\d{1,3}:).+ - id: apex.lang.performance.ncino.operationsinloops.avoidoperationswithlimitsinloops.avoid-operations-with-limits-in-loops min-version: 1.44.0 severity: ERROR languages: - generic metadata: category: performance references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidoperationswithlimitsinloops.avoid-operations-with-limits-in-loops shortlink: https://sg.run/D462 semgrep.dev: rule: r_id: 72408 rv_id: 945142 rule_id: ReUln8 version_id: 3ZTOP6g url: https://semgrep.dev/playground/r/3ZTOP6g/apex.lang.performance.ncino.operationsinloops.avoidoperationswithlimitsinloops.avoid-operations-with-limits-in-loops origin: community message: Database class methods, DML operations, SOQL queries, SOSL queries, Approval class methods, Email sending, async scheduling or queueing within loops can cause governor limit exceptions. Instead, try to batch up the data into a list and invoke the operation once on that list of data outside the loop. patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-inside: | do { ... } while (...); - pattern-either: - pattern: | Messaging.sendEmail(...); - pattern: | Approval.ProcessSubmitRequest $REQUEST = new Approval.ProcessSubmitRequest(); - pattern: | System.enqueueJob(...); - pattern: | System.schedule(...); - pattern: | System.scheduleBatch(...); - id: dockerfile.best-practice.missing-apk-no-cache.missing-apk-no-cache patterns: - pattern: | RUN apk $COMMAND ... - pattern-not-inside: | RUN apk ... --no-cache ... languages: - dockerfile message: This apk command is missing '--no-cache'. This forces apk to use a package index instead of a local package cache, removing the need for '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to your apk command. severity: INFO metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3019 references: - https://github.com/hadolint/hadolint/wiki/DL3019 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-apk-no-cache.missing-apk-no-cache shortlink: https://sg.run/Njv7 semgrep.dev: rule: r_id: 20127 rv_id: 945245 rule_id: wdUkNy version_id: PkTQZjy url: https://semgrep.dev/playground/r/PkTQZjy/dockerfile.best-practice.missing-apk-no-cache.missing-apk-no-cache origin: community - id: elixir.lang.best-practice.deprecated-bxor-operator.deprecated_bxor_operator message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bxor($LEFT, $RIGHT)` instead. severity: WARNING languages: - elixir pattern: $LEFT ^^^ $RIGHT fix: Bitwise.bxor($LEFT, $RIGHT) metadata: references: - https://github.com/elixir-lang/elixir/commit/c9a171da5b25e0eb5d1da3b04c622f8b79a8aff4 category: best-practice technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.best-practice.deprecated-bxor-operator.deprecated_bxor_operator shortlink: https://sg.run/yB7r semgrep.dev: rule: r_id: 67424 rv_id: 945273 rule_id: YGU0ew version_id: o5TZeZW url: https://semgrep.dev/playground/r/o5TZeZW/elixir.lang.best-practice.deprecated-bxor-operator.deprecated_bxor_operator origin: community - id: generic.ci.audit.changed-semgrepignore.changed-semgrepignore paths: include: - .semgrepignore patterns: - pattern-regex: | ^(.*)$ - pattern-not-regex: | ^\n.*$ - pattern-not-regex: | ^#.*$ message: '`$1` has been added to the .semgrepignore list of ignored paths. Someone from app-sec may want to audit these changes.' languages: - generic severity: WARNING metadata: technology: - semgrep references: - https://semgrep.dev/docs/ignoring-files-folders-code/ category: best-practice license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.ci.audit.changed-semgrepignore.changed-semgrepignore shortlink: https://sg.run/rywn semgrep.dev: rule: r_id: 16225 rv_id: 945280 rule_id: 10U5Eq version_id: 9lTy1yv url: https://semgrep.dev/playground/r/9lTy1yv/generic.ci.audit.changed-semgrepignore.changed-semgrepignore origin: community - id: generic.dockerfile.best-practice.missing-yum-clean-all.missing-yum-clean-all severity: WARNING languages: - generic patterns: - pattern: yum $COMMAND - pattern-not-inside: RUN ... && yum clean all - pattern-not-inside: RUN ... && \ yum clean all message: This yum command does not end with '&& yum clean all'. Running 'yum clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.) metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3032 references: - https://github.com/hadolint/hadolint/wiki/DL3032 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.best-practice.missing-yum-clean-all.missing-yum-clean-all shortlink: https://sg.run/Do2W semgrep.dev: rule: r_id: 9008 rv_id: 945282 rule_id: X5U81r version_id: rxT6r6d url: https://semgrep.dev/playground/r/rxT6r6d/generic.dockerfile.best-practice.missing-yum-clean-all.missing-yum-clean-all origin: community paths: include: - '*dockerfile*' - '*Dockerfile*' - id: generic.dockerfile.best-practice.use-absolute-workdir.use-absolute-workdir pattern-either: - patterns: - pattern: WORKDIR $VALUE - metavariable-pattern: metavariable: $VALUE patterns: - pattern-not-regex: (\/.*) - patterns: - pattern: ENV $VAR=$VALUE ... $CMD ${$VAR} - metavariable-pattern: metavariable: $VALUE patterns: - pattern-not-regex: (\/.*) - metavariable-pattern: metavariable: $CMD pattern: WORKDIR - focus-metavariable: $CMD message: Detected a relative WORKDIR. Use absolute paths. This prevents issues based on assumptions about the WORKDIR of previous containers. severity: WARNING languages: - generic metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3000 references: - https://github.com/hadolint/hadolint/wiki/DL3000 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.best-practice.use-absolute-workdir.use-absolute-workdir shortlink: https://sg.run/zve0 semgrep.dev: rule: r_id: 9017 rv_id: 945283 rule_id: wdUJE3 version_id: bZTXwXy url: https://semgrep.dev/playground/r/bZTXwXy/generic.dockerfile.best-practice.use-absolute-workdir.use-absolute-workdir origin: community paths: include: - '*dockerfile*' - '*Dockerfile*' - id: go.lang.maintainability.useless-ifelse.useless-if-body pattern: | if ($X) { $S } else { $S } message: Detected identical statements in the if body and the else body of an if-statement. This will lead to the same code being executed no matter what the if-expression evaluates to. Instead, remove the if statement. languages: - go severity: WARNING metadata: category: maintainability technology: - go license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/go.lang.maintainability.useless-ifelse.useless-if-body shortlink: https://sg.run/5Q53 semgrep.dev: rule: r_id: 9103 rv_id: 945559 rule_id: YGURWJ version_id: qkT4jLl url: https://semgrep.dev/playground/r/qkT4jLl/go.lang.maintainability.useless-ifelse.useless-if-body origin: community - id: java.lang.correctness.eqeq.eqeq patterns: - pattern-not-inside: assert $X; - pattern-not-inside: | assert $X : $Y; - pattern-either: - pattern: $X == $X - pattern: $X != $X - pattern-not: 1 == 1 message: '`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). To test if `$X` is not-a-number, use `Double.isNaN($X)`.' languages: - java severity: ERROR metadata: category: correctness technology: - java license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.lang.correctness.eqeq.eqeq shortlink: https://sg.run/qx1x semgrep.dev: rule: r_id: 9156 rv_id: 945642 rule_id: 9AU1x1 version_id: 7ZTrQXA url: https://semgrep.dev/playground/r/7ZTrQXA/java.lang.correctness.eqeq.eqeq origin: community - id: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled message: Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element. metadata: owasp: A07:2017 - Cross-Site Scripting (XSS) cwe: - 'CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences' references: - https://stackoverflow.com/a/7442668 category: security technology: - jsf subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled shortlink: https://sg.run/qxne semgrep.dev: rule: r_id: 9212 rv_id: 945709 rule_id: 10UKqE version_id: GxTP74Y url: https://semgrep.dev/playground/r/GxTP74Y/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled origin: community pattern-regex: .*escape.*?=.*?false.* paths: include: - '*.html' - '*.xhtml' languages: - regex severity: WARNING - id: javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true message: 'By setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.' metadata: cwe: - 'CWE-400: Uncontrolled Resource Consumption' category: security technology: - ajv references: - https://ajv.js.org/options.html#allerrors cwe2022-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true shortlink: https://sg.run/d2jY semgrep.dev: rule: r_id: 13578 rv_id: 945749 rule_id: PeUo5X version_id: 44TZkJ6 url: https://semgrep.dev/playground/r/44TZkJ6/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true origin: community languages: - javascript - typescript severity: WARNING pattern-either: - pattern: | new Ajv({...,allErrors: true,...},...) - patterns: - pattern: | new Ajv($SETTINGS,...) - pattern-inside: | $SETTINGS = {...,allErrors: true,...} ... - id: csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation severity: WARNING languages: - csharp metadata: cwe: - 'CWE-295: Improper Certificate Validation' owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8 category: security technology: - .net confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation shortlink: https://sg.run/XZ6B semgrep.dev: rule: r_id: 18220 rv_id: 1262629 rule_id: gxUy01 version_id: xyTjzGW url: https://semgrep.dev/playground/r/xyTjzGW/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation origin: community message: Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead. patterns: - pattern-inside: | using System.IdentityModel.Tokens; ... - pattern-either: - patterns: - pattern-either: - pattern-inside: | X509SecurityToken $TOK = $RHS; ... - pattern-inside: | $T $M(..., X509SecurityToken $TOK, ...) { ... } - metavariable-pattern: metavariable: $RHS pattern-either: - pattern: $T as X509SecurityToken - pattern: new X509SecurityToken(...) - patterns: - pattern-either: - pattern-inside: | X509Certificate2 $CERT = new X509Certificate2(...); ... - pattern-inside: | $T $M(..., X509Certificate2 $CERT, ...) { ... } - pattern-inside: | foreach (X509Certificate2 $CERT in $COLLECTION) { ... } - patterns: - pattern-either: - pattern: String.Equals($NAME, "...") - pattern: String.Equals("...", $NAME) - pattern: $NAME.Equals("...") - pattern: $NAME == "..." - pattern: $NAME != "..." - pattern: | "..." == $NAME - pattern: | "..." != $NAME - metavariable-pattern: metavariable: $NAME pattern-either: - pattern: $TOK.Certificate.SubjectName.Name - pattern: $CERT.SubjectName.Name - pattern: $CERT.GetNameInfo(...) - id: javascript.lang.best-practice.assigned-undefined.assigned-undefined languages: - javascript - typescript message: '`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.' pattern-either: - pattern: undefined = $X; - pattern: var undefined = $X; - pattern: let undefined = $X; - pattern: const undefined = $X; severity: WARNING metadata: category: best-practice technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.assigned-undefined.assigned-undefined shortlink: https://sg.run/GeK6 semgrep.dev: rule: r_id: 9304 rv_id: 945854 rule_id: lBU9DN version_id: GxTP7ON url: https://semgrep.dev/playground/r/GxTP7ON/javascript.lang.best-practice.assigned-undefined.assigned-undefined origin: community - id: javascript.lang.best-practice.lazy-load-module.lazy-load-module patterns: - pattern: require(...) - pattern-inside: | function $NAME(...) { ... } message: Lazy loading can complicate code bundling if care is not taken, also `require`s are run synchronously by Node.js. If they are called from within a function, it may block other requests from being handled at a more critical time. The best practice is to `require` modules at the beginning of each file, before and outside of any functions. languages: - javascript - typescript severity: WARNING metadata: category: best-practice technology: - javascript references: - https://nodesecroadmap.fyi/chapter-2/dynamism.html - https://github.com/goldbergyoni/nodebestpractices#-38-require-modules-first-not-inside-functions license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.lazy-load-module.lazy-load-module shortlink: https://sg.run/1GAb semgrep.dev: rule: r_id: 13022 rv_id: 945855 rule_id: BYU7RY version_id: RGTAgWy url: https://semgrep.dev/playground/r/RGTAgWy/javascript.lang.best-practice.lazy-load-module.lazy-load-module origin: community - id: javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state patterns: - pattern: $Y($X); - pattern-inside: | const [$X, $Y] = useState(...); ... message: Calling setState on the current state is always a no-op. Did you mean to change the state like $Y(!$X) instead? languages: - javascript severity: ERROR metadata: technology: - react category: correctness license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state shortlink: https://sg.run/Y8BW semgrep.dev: rule: r_id: 14114 rv_id: 945914 rule_id: eqUz1k version_id: BjT1Nnx url: https://semgrep.dev/playground/r/BjT1Nnx/javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state origin: community - id: ocaml.lang.best-practice.hashtbl.hashtbl-find-outside-try patterns: - pattern: | Hashtbl.find ... - pattern-not-inside: | try ... with Not_found -> ... message: '''Hashtbl.find'' raises the ''Not_found'' exception. Handle the exception or use ''Hashtbl.find_opt'' instead. If you have proof that the key exists in the table, use ''assert false'' as the exception handler to demonstrate awareness of the issue. If your code uses the syntax ''match Hashtbl.find ... with exception Not_found -> ...'', it''s fine and we apologize for not detecting it. Consider using ''Hashtbl.find_opt'' to please Semgrep and stay safe.' languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.hashtbl.hashtbl-find-outside-try shortlink: https://sg.run/yd7A semgrep.dev: rule: r_id: 9368 rv_id: 1197444 rule_id: v8Un6Z version_id: 5PTokxQ url: https://semgrep.dev/playground/r/5PTokxQ/ocaml.lang.best-practice.hashtbl.hashtbl-find-outside-try origin: community - id: ocaml.lang.best-practice.bool.ocamllint-bool-true pattern-either: - pattern: $X = true - pattern: $X == true - pattern: $X != false message: Comparison to boolean. Just use `$X` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.bool.ocamllint-bool-true shortlink: https://sg.run/1ZE1 semgrep.dev: rule: r_id: 9366 rv_id: 945949 rule_id: OrU3xY version_id: QkTZzjO url: https://semgrep.dev/playground/r/QkTZzjO/ocaml.lang.best-practice.bool.ocamllint-bool-true origin: community - id: ocaml.lang.best-practice.bool.ocamllint-bool-false pattern-either: - pattern: $X = false - pattern: $X == false - pattern: $X <> true message: Comparison to boolean. Just use `not $X` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.bool.ocamllint-bool-false shortlink: https://sg.run/9oEy semgrep.dev: rule: r_id: 9367 rv_id: 945950 rule_id: eqU8jW version_id: 3ZTOPzN url: https://semgrep.dev/playground/r/3ZTOPzN/ocaml.lang.best-practice.bool.ocamllint-bool-false origin: community - id: ocaml.lang.best-practice.exception.bad-reraise patterns: - pattern: | raise $EXN - metavariable-regex: metavariable: $EXN regex: \A[a-z_][a-z_A-Z0-9']*\z message: You should not re-raise exceptions using 'raise' because it loses track of where the exception was raised originally, leading to a useless and possibly confusing stack trace. Instead, you should obtain a stack backtrace as soon as the exception is caught using 'try ... with exn -> let trace = Printexc.get_raw_backtrace () in ...', and keep it around until you re-raise the exception using 'Printexc.raise_with_backtrace exn trace'. You must collect the stack backtrace before calling another function which might internally raise and catch exceptions. To avoid false positives from Semgrep, write 'raise (Foo args)' instead of 'let e = Foo args in raise e'. languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml references: - https://v2.ocaml.org/api/Printexc.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.exception.bad-reraise shortlink: https://sg.run/5ewK semgrep.dev: rule: r_id: 24391 rv_id: 945951 rule_id: BYUrnb version_id: 44TZkwn url: https://semgrep.dev/playground/r/44TZkwn/ocaml.lang.best-practice.exception.bad-reraise origin: community - id: ocaml.lang.best-practice.ifs.ocamllint-useless-else pattern: if $E then $E1 else () message: Useless else. Just remove the else branch; languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.ifs.ocamllint-useless-else shortlink: https://sg.run/rd7J semgrep.dev: rule: r_id: 9369 rv_id: 945953 rule_id: d8UjxD version_id: JdTDyYq url: https://semgrep.dev/playground/r/JdTDyYq/ocaml.lang.best-practice.ifs.ocamllint-useless-else origin: community - id: ocaml.lang.best-practice.ifs.ocamllint-backwards-if pattern: if $E then () else $E2 message: Backwards if. Rewrite the code as 'if not $E then $E2'. languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.ifs.ocamllint-backwards-if shortlink: https://sg.run/b7Ov semgrep.dev: rule: r_id: 9370 rv_id: 945954 rule_id: ZqU5AE version_id: 5PT9O25 url: https://semgrep.dev/playground/r/5PT9O25/ocaml.lang.best-practice.ifs.ocamllint-backwards-if origin: community - id: ocaml.lang.best-practice.list.list-find-outside-try patterns: - pattern: | List.find ... - pattern-not-inside: | try ... with ... -> ... message: You should not use List.find outside of a try, or you should use List.find_opt languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.list.list-find-outside-try shortlink: https://sg.run/N4KN semgrep.dev: rule: r_id: 9371 rv_id: 945955 rule_id: nJUzLq version_id: GxTP7K9 url: https://semgrep.dev/playground/r/GxTP7K9/ocaml.lang.best-practice.list.list-find-outside-try origin: community - id: ocaml.lang.best-practice.ref.ocamllint-ref-incr pattern: $X := ! $X + 1 message: You should use `incr` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml references: - https://v2.ocaml.org/api/Stdlib.html#VALincr - https://v2.ocaml.org/api/Atomic.html#VALincr license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.ref.ocamllint-ref-incr shortlink: https://sg.run/kXJA semgrep.dev: rule: r_id: 9372 rv_id: 945956 rule_id: EwU2w8 version_id: RGTAg6O url: https://semgrep.dev/playground/r/RGTAg6O/ocaml.lang.best-practice.ref.ocamllint-ref-incr origin: community - id: ocaml.lang.best-practice.ref.ocamllint-ref-decr pattern: $X := ! $X - 1 message: You should use `decr` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml references: - https://v2.ocaml.org/api/Stdlib.html#VALdecr - https://v2.ocaml.org/api/Atomic.html#VALdecr license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.ref.ocamllint-ref-decr shortlink: https://sg.run/weYd semgrep.dev: rule: r_id: 9373 rv_id: 945957 rule_id: 7KUQyg version_id: A8TJzO9 url: https://semgrep.dev/playground/r/A8TJzO9/ocaml.lang.best-practice.ref.ocamllint-ref-decr origin: community - id: ocaml.lang.best-practice.string.ocamllint-str-first-chars pattern: String.sub $S 0 $N message: Use instead `Str.first_chars` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.string.ocamllint-str-first-chars shortlink: https://sg.run/x16y semgrep.dev: rule: r_id: 9374 rv_id: 945958 rule_id: L1Uy37 version_id: BjT1Ngx url: https://semgrep.dev/playground/r/BjT1Ngx/ocaml.lang.best-practice.string.ocamllint-str-first-chars origin: community - id: ocaml.lang.best-practice.string.ocamllint-str-string-after pattern: String.sub $S $N (String.length $S - $N) message: Use instead `Str.string_after` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.string.ocamllint-str-string-after shortlink: https://sg.run/OPKk semgrep.dev: rule: r_id: 9375 rv_id: 945959 rule_id: 8GUjZq version_id: DkTNpP9 url: https://semgrep.dev/playground/r/DkTNpP9/ocaml.lang.best-practice.string.ocamllint-str-string-after origin: community - id: ocaml.lang.best-practice.string.ocamllint-str-last-chars pattern: String.sub $S (String.length $S - $N) $N message: Use instead `Str.last_chars` languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.string.ocamllint-str-last-chars shortlink: https://sg.run/eLvL semgrep.dev: rule: r_id: 9376 rv_id: 945960 rule_id: gxU1D1 version_id: WrTEoXo url: https://semgrep.dev/playground/r/WrTEoXo/ocaml.lang.best-practice.string.ocamllint-str-last-chars origin: community - id: ocaml.lang.best-practice.string.ocamllint-useless-sprintf pattern-either: - pattern: Printf.sprintf "..." - pattern: Printf.sprintf "%s" $S message: Useless sprintf languages: - ocaml severity: WARNING metadata: category: best-practice technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.best-practice.string.ocamllint-useless-sprintf shortlink: https://sg.run/vzl0 semgrep.dev: rule: r_id: 9377 rv_id: 945961 rule_id: QrUzO6 version_id: 0bT158E url: https://semgrep.dev/playground/r/0bT158E/ocaml.lang.best-practice.string.ocamllint-useless-sprintf origin: community - id: ocaml.lang.compatibility.deprecated.deprecated-pervasives pattern: Pervasives.$X message: Pervasives is deprecated and will not be available after 4.10. Use Stdlib. languages: - ocaml severity: ERROR metadata: category: compatibility technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives shortlink: https://sg.run/dKe0 semgrep.dev: rule: r_id: 9378 rv_id: 945962 rule_id: 3qUP1E version_id: K3TJbDY url: https://semgrep.dev/playground/r/K3TJbDY/ocaml.lang.compatibility.deprecated.deprecated-pervasives origin: community - id: ocaml.lang.correctness.physical-vs-structural.physical-equal pattern: $X == $Y message: You probably want the structural equality operator = languages: - ocaml severity: WARNING metadata: category: correctness technology: - ocaml references: - https://v2.ocaml.org/api/Stdlib.html#1_Comparisons license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.correctness.physical-vs-structural.physical-equal shortlink: https://sg.run/EOZN semgrep.dev: rule: r_id: 12781 rv_id: 945963 rule_id: qNUbP9 version_id: qkT4jdX url: https://semgrep.dev/playground/r/qkT4jdX/ocaml.lang.correctness.physical-vs-structural.physical-equal origin: community - id: ocaml.lang.correctness.physical-vs-structural.physical-not-equal pattern: $X != $Y message: You probably want the structural inequality operator <> languages: - ocaml severity: WARNING metadata: category: correctness technology: - ocaml references: - https://v2.ocaml.org/api/Stdlib.html#1_Comparisons license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.correctness.physical-vs-structural.physical-not-equal shortlink: https://sg.run/7Gw2 semgrep.dev: rule: r_id: 12782 rv_id: 945964 rule_id: lBUzAY version_id: l4Tx9KW url: https://semgrep.dev/playground/r/l4Tx9KW/ocaml.lang.correctness.physical-vs-structural.physical-not-equal origin: community - id: ocaml.lang.correctness.useless-compare.useless-compare patterns: - pattern-either: - pattern: compare $X $X - pattern: $MODULE.compare $X $X message: This comparison is useless because the expressions being compared are identical. This is expected to always return the same result, 0, unless your code is really strange. languages: - ocaml severity: ERROR metadata: category: correctness technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.correctness.useless-compare.useless-compare shortlink: https://sg.run/RyvO semgrep.dev: rule: r_id: 16249 rv_id: 945965 rule_id: JDU6Gv version_id: YDTvR1l url: https://semgrep.dev/playground/r/YDTvR1l/ocaml.lang.correctness.useless-compare.useless-compare origin: community - id: ocaml.lang.correctness.useless-eq.useless-equal pattern: $X = $X message: This is always true. If testing for floating point NaN, use `Float.is_nan` instead. languages: - ocaml severity: ERROR metadata: category: correctness technology: - ocaml license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ocaml.lang.correctness.useless-eq.useless-equal shortlink: https://sg.run/L8Z6 semgrep.dev: rule: r_id: 12783 rv_id: 945966 rule_id: YGUQKg version_id: JdTDyBo url: https://semgrep.dev/playground/r/JdTDyBo/ocaml.lang.correctness.useless-eq.useless-equal origin: community - id: generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key message: A gitleaks hubspot-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key shortlink: https://sg.run/7zoW semgrep.dev: rule: r_id: 44738 rv_id: 1262760 rule_id: WAUeop version_id: o5TbDZe url: https://semgrep.dev/playground/r/o5TbDZe/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key origin: community patterns: - pattern-regex: (?i)(?:hubspot)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions message: Detects creations of tls configuration objects with an insecure MinVersion of TLS. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities. severity: WARNING metadata: likelihood: HIGH impact: MEDIUM confidence: HIGH category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://stackoverflow.com/questions/26429751/java-http-clients-and-poodle subcategory: - vuln technology: - go vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions shortlink: https://sg.run/PJqz semgrep.dev: rule: r_id: 9401 rv_id: 946044 rule_id: WAUow9 version_id: nWTpzjW url: https://semgrep.dev/playground/r/nWTpzjW/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions origin: community languages: - go patterns: - pattern-either: - pattern: | tls.Config{..., MinVersion: $TLS.$VERSION, ...} - pattern: | $CONFIG = &tls.Config{...} ... $CONFIG.MinVersion = $TLS.$VERSION - metavariable-regex: metavariable: $VERSION regex: (VersionTLS10|VersionTLS11|VersionSSL30) - id: problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request message: Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://godoc.org/github.com/jlaffaye/ftp#Dial - https://github.com/jlaffaye/ftp subcategory: - vuln technology: - ftp vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request shortlink: https://sg.run/J9Ay semgrep.dev: rule: r_id: 9402 rv_id: 946045 rule_id: 0oU5XN version_id: ExTg2Oj url: https://semgrep.dev/playground/r/ExTg2Oj/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request origin: community languages: - go fix-regex: regex: '[fF][tT][pP]://' replacement: sftp:// count: 1 pattern-either: - pattern: | ftp.Dial("=~/^[fF][tT][pP]://.*/", ...) - pattern: | ftp.DialTimeout("=~/^[fF][tT][pP]://.*/", ...) - pattern: | ftp.Connect("=~/^[fF][tT][pP]://.*/") - pattern: | $URL = "=~/^[fF][tT][pP]://.*/" ... ftp.Dial($URL, ...) - pattern: | $URL = "=~/^[fF][tT][pP]://.*/" ... ftp.DialTimeout($URL, ...) - pattern: | $URL = "=~/^[fF][tT][pP]://.*/" ... ftp.Connect($URL) - id: python.django.compatibility.django-2_0-compat.django-compat-2_0-assignment-tag message: The assignment_tag helper is removed in Django 2.0. languages: - python severity: WARNING pattern-either: - pattern: $X.assignment_tag(...) - pattern: assignment_tag(...) metadata: category: compatibility technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-assignment-tag shortlink: https://sg.run/l2RE semgrep.dev: rule: r_id: 9457 rv_id: 946123 rule_id: j2UvxK version_id: YDTvRWb url: https://semgrep.dev/playground/r/YDTvRWb/python.django.compatibility.django-2_0-compat.django-compat-2_0-assignment-tag origin: community - id: python.flask.best-practice.use-jsonify.use-jsonify patterns: - pattern: $JSONDUMPS - pattern-either: - pattern-inside: | return json.dumps($...VAR) - pattern-inside: | $DATA = json.dumps($...VAR) ... return $DATA - pattern-inside: | @app.route(...) def $X(): ... - metavariable-pattern: metavariable: $JSONDUMPS pattern: json.dumps($...VAR) - focus-metavariable: $JSONDUMPS fix: | flask.jsonify($...VAR) message: flask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes languages: - python severity: ERROR metadata: category: best-practice technology: - flask references: - https://flask.palletsprojects.com/en/2.2.x/api/#flask.json.jsonify license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.best-practice.use-jsonify.use-jsonify shortlink: https://sg.run/XBlb semgrep.dev: rule: r_id: 9520 rv_id: 946199 rule_id: NbUkx6 version_id: vdTGnyK url: https://semgrep.dev/playground/r/vdTGnyK/python.flask.best-practice.use-jsonify.use-jsonify origin: community - id: python.flask.caching.query-string.flask-cache-query-string patterns: - pattern-either: - pattern: | @app.route("...") @cache.cached(...) def $HANDLER(...): ... request.args.get(...) - pattern: | @app.route("...", methods=[..., "POST", ...]) @cache.cached(...) def $HANDLER(...): ... - pattern: | @app.route("...", methods=[..., "PUT", ...]) @cache.cached(...) def $HANDLER(...): ... - pattern: | @app.route("...", methods=[..., "DELETE", ...]) @cache.cached(...) def $HANDLER(...): ... - pattern: | @app.route("...", methods=[..., "PATCH", ...]) @cache.cached(...) def $HANDLER(...): ... - pattern-not: | @app.route("...") @cache.cached(..., query_string=True) def $HANDLER(...): ... request.args.get(...) message: Flask-caching doesn't cache query strings by default. You have to use `query_string=True`. Also you shouldn't cache verbs that can mutate state. severity: WARNING languages: - python metadata: category: caching technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.caching.query-string.flask-cache-query-string shortlink: https://sg.run/jROJ semgrep.dev: rule: r_id: 9521 rv_id: 946200 rule_id: kxUko3 version_id: d6TPjJN url: https://semgrep.dev/playground/r/d6TPjJN/python.flask.caching.query-string.flask-cache-query-string origin: community - id: python.flask.correctness.same-handler-name.flask-duplicate-handler-name pattern: | @app.route("...", ...) def $R(...): ... ... @app.route("...", ...) def $R(...): ... message: Looks like `$R` is a flask function handler that registered to two different routes. This will cause a runtime error languages: - python severity: WARNING metadata: category: correctness technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.correctness.same-handler-name.flask-duplicate-handler-name shortlink: https://sg.run/9o18 semgrep.dev: rule: r_id: 9523 rv_id: 946202 rule_id: x8UnYQ version_id: nWTpzv1 url: https://semgrep.dev/playground/r/nWTpzv1/python.flask.correctness.same-handler-name.flask-duplicate-handler-name origin: community - id: python.lang.correctness.return-in-init.return-in-init patterns: - pattern-inside: | class $A(...): ... - pattern-inside: | def __init__(...): ... - pattern-not-inside: | def __init__(...): ... def $F(...): ... - patterns: - pattern: return ... - pattern-not: return - pattern-not: return None message: '`return` should never appear inside a class __init__ function. This will cause a runtime error.' languages: - python severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.return-in-init.return-in-init shortlink: https://sg.run/4xwl semgrep.dev: rule: r_id: 9600 rv_id: 946298 rule_id: AbUzYe version_id: O9TX3WW url: https://semgrep.dev/playground/r/O9TX3WW/python.lang.correctness.return-in-init.return-in-init origin: community - id: generic.secrets.gitleaks.huggingface-access-token.huggingface-access-token message: A gitleaks huggingface-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.huggingface-access-token.huggingface-access-token shortlink: https://sg.run/n6dX semgrep.dev: rule: r_id: 67936 rv_id: 1262761 rule_id: j2Ujvk version_id: zyTb2ly url: https://semgrep.dev/playground/r/zyTb2ly/generic.secrets.gitleaks.huggingface-access-token.huggingface-access-token origin: community patterns: - pattern-regex: (?:^|[\\'"` >=:])(hf_[a-zA-Z]{34})(?:$|[\\'"` <]) - id: python.lang.maintainability.useless-ifelse.useless-if-body pattern: | if $X: $S else: $S message: Useless if statement; both blocks have the same body languages: - python severity: WARNING metadata: references: - https://docs.python.org/3/tutorial/controlflow.html category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-ifelse.useless-if-body shortlink: https://sg.run/2xN0 semgrep.dev: rule: r_id: 9619 rv_id: 946314 rule_id: r6UrYp version_id: 5PT9OG8 url: https://semgrep.dev/playground/r/5PT9OG8/python.lang.maintainability.useless-ifelse.useless-if-body origin: community - id: python.lang.maintainability.useless-innerfunction.useless-inner-function patterns: - pattern-not-inside: | def $F(...): ... def $FF(...): ... ... <... $FF ...> - pattern-not-inside: | def $F(...): ... class $CLAZZ(...): ... - pattern-inside: | def $F(...): ... def $FF(...): ... ... - pattern: | def $FF(...): ... - pattern-not: | @$DECORATOR def $FF(...): ... message: function `$FF` is defined inside a function but never used languages: - python severity: ERROR metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-innerfunction.useless-inner-function shortlink: https://sg.run/XB9K semgrep.dev: rule: r_id: 9620 rv_id: 946315 rule_id: bwUwkn version_id: GxTP7Xr url: https://semgrep.dev/playground/r/GxTP7Xr/python.lang.maintainability.useless-innerfunction.useless-inner-function origin: community - id: ruby.rails.correctness.rails-no-render-after-save.rails-no-render-after-save mode: taint pattern-sources: - patterns: - pattern: $T - pattern-inside: | $T.save ... pattern-sinks: - patterns: - pattern-inside: | render $T message: Found a call to `render $T` after calling `$T.save`. Do not call `render` after calling `save` on an ActiveRecord object. Reloading the page will cause the state-changing operation to be repeated which may cause undesirable side effects. Use `redirect_to` instead. languages: - ruby severity: WARNING fix: redirect_to $T metadata: references: - https://guides.rubyonrails.org/getting_started.html#creating-a-new-article category: correctness technology: - rails - ruby - activerecord license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ruby.rails.correctness.rails-no-render-after-save.rails-no-render-after-save shortlink: https://sg.run/QJLx semgrep.dev: rule: r_id: 20042 rv_id: 946495 rule_id: PeUjzK version_id: bZTXwqX url: https://semgrep.dev/playground/r/bZTXwqX/ruby.rails.correctness.rails-no-render-after-save.rails-no-render-after-save origin: community - id: ruby.rails.performance.ruby-rails-performance-indexes-are-really-beneficial.ruby-rails-performance-indexes-are-beneficial patterns: - pattern-not-inside: | add_column $TABLE, $COLUMN, $TYPE, ... ... add_index $TABLE, $COLUMN, ... - pattern: | add_column $TABLE, $COLUMN, $TYPE, ... - metavariable-regex: metavariable: $COLUMN regex: (.*_id$) - metavariable-regex: metavariable: $TYPE regex: :integer|:bigint message: The $COLUMN column appears to be a foreign key. Would it benefit from an index? Having an index can improve performance. languages: - ruby severity: INFO metadata: category: performance technology: - rails references: - https://archive.is/i7SLO license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ruby.rails.performance.ruby-rails-performance-indexes-are-really-beneficial.ruby-rails-performance-indexes-are-beneficial shortlink: https://sg.run/Y505 semgrep.dev: rule: r_id: 50758 rv_id: 946496 rule_id: lBUAyA version_id: NdTqk8d url: https://semgrep.dev/playground/r/NdTqk8d/ruby.rails.performance.ruby-rails-performance-indexes-are-really-beneficial.ruby-rails-performance-indexes-are-beneficial origin: community - id: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf patterns: - pattern: url($URL) - pattern-inside: | import dispatch._ ... - pattern-either: - pattern-inside: | def $FUNC(..., $URL: $T, ...) = $A { ... } - pattern-inside: | def $FUNC(..., $URL: $T, ...) = { ... } message: A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - https://dispatchhttp.org/Dispatch.html category: security technology: - scala - dispatch confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf shortlink: https://sg.run/gR6J semgrep.dev: rule: r_id: 18485 rv_id: 1263672 rule_id: 5rUyl4 version_id: 2KTv282 url: https://semgrep.dev/playground/r/2KTv282/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf origin: community languages: - scala severity: WARNING - id: rust.lang.security.ssl-verify-none.ssl-verify-none message: SSL verification disabled, this allows for MitM attacks pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE) metadata: references: - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify technology: - openssl category: security cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: LOW impact: MEDIUM subcategory: vuln license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none shortlink: https://sg.run/K2Pn semgrep.dev: rule: r_id: 40111 rv_id: 946554 rule_id: 6JU0Bl version_id: gETe1bo url: https://semgrep.dev/playground/r/gETe1bo/rust.lang.security.ssl-verify-none.ssl-verify-none origin: community languages: - rust severity: WARNING - id: rust.lang.security.temp-dir.temp-dir message: "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in \u201Cinsecure temporary file\u201D security vulnerabilities.'" pattern: std::env::temp_dir() metadata: references: - https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html technology: - rust category: security cwe: 'CWE-807: Reliance on Untrusted Inputs in a Security Decision' confidence: HIGH likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/rust.lang.security.temp-dir.temp-dir shortlink: https://sg.run/qzEO semgrep.dev: rule: r_id: 40112 rv_id: 946555 rule_id: oqU5AO version_id: QkTZz4Y url: https://semgrep.dev/playground/r/QkTZz4Y/rust.lang.security.temp-dir.temp-dir origin: community languages: - rust severity: INFO - id: rust.lang.security.unsafe-usage.unsafe-usage message: Detected 'unsafe' usage, please audit for secure usage pattern: unsafe { ... } metadata: references: - https://doc.rust-lang.org/std/keyword.unsafe.html technology: - rust category: security cwe: 'CWE-242: Use of Inherently Dangerous Function' confidence: HIGH likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/rust.lang.security.unsafe-usage.unsafe-usage shortlink: https://sg.run/lqgo semgrep.dev: rule: r_id: 40113 rv_id: 946556 rule_id: zdUezd version_id: 3ZTOPoZ url: https://semgrep.dev/playground/r/3ZTOPoZ/rust.lang.security.unsafe-usage.unsafe-usage origin: community languages: - rust severity: INFO - id: scala.lang.security.audit.scalac-debug.scalac-debug patterns: - pattern-either: - pattern: scalacOptions ... "-Vdebug" - pattern: scalacOptions ... "-Ydebug" message: Scala applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration. languages: - generic severity: WARNING paths: include: - '*.sbt*' metadata: category: security cwe: - 'CWE-489: Active Debug Code' owasp: A05:2021 - Security Misconfiguration technology: - scala - sbt references: - https://docs.scala-lang.org/overviews/compiler-options/index.html confidence: MEDIUM subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/scala.lang.security.audit.scalac-debug.scalac-debug shortlink: https://sg.run/QbGd semgrep.dev: rule: r_id: 18686 rv_id: 946569 rule_id: JDUlE0 version_id: qkT4j0N url: https://semgrep.dev/playground/r/qkT4j0N/scala.lang.security.audit.scalac-debug.scalac-debug origin: community - id: solidity.performance.array-length-outside-loop.array-length-outside-loop message: Caching the array length outside a loop saves reading it on each iteration, as long as the array's length is not changed during the loop. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g002---cache-array-length-outside-of-loop category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.array-length-outside-loop.array-length-outside-loop shortlink: https://sg.run/r4LJ semgrep.dev: rule: r_id: 67625 rv_id: 946586 rule_id: lBUOL5 version_id: o5TZenb url: https://semgrep.dev/playground/r/o5TZenb/solidity.performance.array-length-outside-loop.array-length-outside-loop origin: community patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-not-inside: | function $F(..., $TYPE calldata $VAR, ...) { ... } - pattern-not-inside: | function $F(...) { ... $TYPE[...] storage $VAR; ... } - pattern-not-inside: | function $F(...) { ... $TYPE[...] storage $VAR = ...; ... } - pattern: | $VAR.length languages: - solidity severity: INFO - id: solidity.performance.inefficient-state-variable-increment.inefficient-state-variable-increment message: += costs more gas than = + for state variables. metadata: references: - https://gist.github.com/IllIllI000/cbbfb267425b898e5be734d4008d4fe8 category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.inefficient-state-variable-increment.inefficient-state-variable-increment shortlink: https://sg.run/bp9v semgrep.dev: rule: r_id: 67626 rv_id: 946587 rule_id: YGU03P version_id: zyTlk5L url: https://semgrep.dev/playground/r/zyTlk5L/solidity.performance.inefficient-state-variable-increment.inefficient-state-variable-increment origin: community patterns: - pattern-either: - pattern: | $X += $Y - pattern: | $X[...] += $Y - pattern-either: - pattern-inside: | contract $C { ... $TYPE $X; ... } - pattern-inside: | contract $C { ... $TYPE $X = ...; ... } - metavariable-regex: metavariable: $TYPE regex: uint languages: - solidity severity: INFO - id: solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens message: $VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy. metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376 - https://hackmd.io/@sentimentxyz/SJCySo1z2 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens shortlink: https://sg.run/803Q semgrep.dev: rule: r_id: 67640 rv_id: 946602 rule_id: kxUl7x version_id: e1T98xQ url: https://semgrep.dev/playground/r/e1T98xQ/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens origin: community patterns: - pattern-either: - pattern: | function $F(...) { ... $RETURN = $VAULT.getPoolTokens(...); ... } - metavariable-pattern: metavariable: $RETURN pattern-regex: .*uint256\[].* - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } ... function $F(...) { ... $CHECKFUNC(...); ... $RETURN = $VAULT.getPoolTokens(...); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } ... function $F(...) { ... $RETURN = $VAULT.getPoolTokens(...); ... $CHECKFUNC(...); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAULT.manageUserBalance(...); ... } ... function $F(...) { ... $RETURN = $VAULT.getPoolTokens(...); ... $CHECKFUNC(...); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAULT.manageUserBalance(...); ... } ... function $F(...) { ... $CHECKFUNC(...); ... $RETURN = $VAULT.getPoolTokens(...); ... } ... } - pattern-not: | function $F(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } - pattern-not: | function $F(...) { ... $VAULT.manageUserBalance(...); ... } - pattern-not-inside: | contract LinearPool { ... } - pattern-not-inside: | contract ComposableStablePool { ... } - pattern-not-inside: "contract BalancerQueries {\n ...\n} \n" - pattern-not-inside: | contract ManagedPool { ... } - pattern-not-inside: "contract BaseWeightedPool {\n ...\n} \n" - pattern-not-inside: | contract ComposableStablePoolStorage { ... } - pattern-not-inside: | contract RecoveryModeHelper { ... } - focus-metavariable: - $VAULT languages: - solidity severity: ERROR - id: solidity.security.no-bidi-characters.no-bidi-characters message: The code must not contain any of Unicode Direction Control Characters metadata: category: security technology: - solidity cwe: 'CWE-837: Improper Enforcement of a Single, Unique Action' confidence: HIGH likelihood: LOW impact: LOW subcategory: - audit references: - https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters shortlink: https://sg.run/6DyK semgrep.dev: rule: r_id: 67659 rv_id: 946622 rule_id: 5rUD6Z version_id: DkTNp8K url: https://semgrep.dev/playground/r/DkTNp8K/solidity.security.no-bidi-characters.no-bidi-characters origin: community patterns: - pattern-either: - pattern-regex: "\u202A" - pattern-regex: "\u202B" - pattern-regex: "\u202D" - pattern-regex: "\u202E" - pattern-regex: "\u2066" - pattern-regex: "\u2067" - pattern-regex: "\u2068" - pattern-regex: "\u202C" - pattern-regex: "\u2069" languages: - solidity severity: WARNING - id: solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash message: blockhash(block.number) and blockhash(block.number + N) always returns 0. metadata: category: security technology: - solidity cwe: 'CWE-341: Predictable from Observable State' confidence: HIGH likelihood: LOW impact: MEDIUM subcategory: - vuln references: - https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash shortlink: https://sg.run/qvPO semgrep.dev: rule: r_id: 67656 rv_id: 946618 rule_id: 4bUPoB version_id: GxTP7wj url: https://semgrep.dev/playground/r/GxTP7wj/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash origin: community patterns: - pattern-either: - pattern: blockhash(block.number) - pattern: blockhash(block.number + $N) - pattern: blockhash(block.number * $N) - pattern: block.blockhash(block.number) - pattern: block.blockhash(block.number + $N) - pattern: block.blockhash(block.number * $N) severity: ERROR languages: - solidity - id: solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation message: Keep3rV2.current() call has high data freshness, but it has low security, an exploiter simply needs to manipulate 2 data points to be able to impact the feed. metadata: category: security technology: - solidity cwe: 'CWE-682: Incorrect Calculation' confidence: HIGH likelihood: LOW impact: HIGH subcategory: - vuln references: - https://twitter.com/peckshield/status/1510232640338608131 - https://twitter.com/FrankResearcher/status/1510239094777032713 - https://twitter.com/larry0x/status/1510263618180464644 - https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9 - https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation shortlink: https://sg.run/lkEo semgrep.dev: rule: r_id: 67657 rv_id: 946619 rule_id: PeUrYv version_id: RGTAgvQ url: https://semgrep.dev/playground/r/RGTAgvQ/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation origin: community patterns: - pattern: $KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT); languages: - solidity severity: WARNING - id: solidity.security.no-slippage-check.no-slippage-check message: No slippage check in a Uniswap v2/v3 trade metadata: category: security technology: - solidity cwe: 'CWE-682: Incorrect Calculation' confidence: MEDIUM likelihood: HIGH impact: MEDIUM subcategory: - vuln references: - https://uniswapv3book.com/docs/milestone_3/slippage-protection/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check shortlink: https://sg.run/oO8X semgrep.dev: rule: r_id: 67660 rv_id: 946623 rule_id: GdUE2p version_id: WrTEoxy url: https://semgrep.dev/playground/r/WrTEoxy/solidity.security.no-slippage-check.no-slippage-check origin: community patterns: - pattern-either: - pattern: $X.swapExactTokensForTokens($A, $LIMIT, $B, $C, $D) - pattern: $X.swapExactTokensForTokensSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D) - pattern: $X.swapExactTokensForETH($A, $LIMIT, $B, $C, $D) - pattern: $X.swapExactTokensForETHSupportingFeeOnTransferTokens($A, $LIMIT, $B, $C, $D) - pattern: $X.swapExactETHForTokens{$VALUE:...}($LIMIT, $A, $B, $C) - pattern: $X.swapExactETHForTokensSupportingFeeOnTransferTokens{$VALUE:...}($LIMIT, $A, $B, $C) - pattern: $X.swapTokensForExactTokens($A, $LIMIT, $B, $C, $D) - pattern: $X.swapTokensForExactETH($A, $LIMIT, $B, $C, $D) - pattern: "function $FUNC(...) {\n ...\n $Y = $SWAPROUTER.ExactInputSingleParams({\n \ tokenIn: $A, \n tokenOut: $B, \n fee: $C, \n recipient: $D, \n \ deadline: $E, \n amountIn: $F, \n amountOutMinimum: $LIMIT, \n sqrtPriceLimitX96: 0\n });\n ...\n $X.exactInputSingle($Y);\n ...\n}\n" - pattern: | $X.exactInputSingle($SWAPROUTER.ExactInputSingleParams({ tokenIn: $A, tokenOut: $B, fee: $C, recipient: $D, deadline: $E, amountIn: $F, amountOutMinimum: $LIMIT, sqrtPriceLimitX96: 0 })); - pattern: | function $FUNC(...) { ... $Y = $SWAPROUTER.ExactOutputSingleParams({ tokenIn: $A, tokenOut: $B, fee: $C, recipient: $D, deadline: $E, amountOut: $F, amountInMaximum: $LIMIT, sqrtPriceLimitX96: 0 }); ... $X.exactOutputSingle($Y); ... } - pattern: | $X.exactOutputSingle($SWAPROUTER.ExactOutputSingleParams({ tokenIn: $A, tokenOut: $B, fee: $C, recipient: $D, deadline: $E, amountOut: $F, amountInMaximum: $LIMIT, sqrtPriceLimitX96: 0 })); - pattern: $X.swap($RECIPIENT, $ZEROFORONE, $AMOUNTIN, $LIMIT, $DATA) - metavariable-regex: metavariable: $LIMIT regex: ^(0)|(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)|(type$uint(256)?$\.max)|(uint(256)?\(-1)|(115792089237316195423570985008687907853269984665640564039457584007913129639935)|(2\s?\*\*\s?256\s?-\s?1)$ languages: - solidity severity: ERROR - id: solidity.security.openzeppelin-ecdsa-recover-malleable.openzeppelin-ecdsa-recover-malleable message: Potential signature malleability in $F metadata: category: security technology: - solidity cwe: 'CWE-347: Improper Verification of Cryptographic Signature' confidence: LOW likelihood: MEDIUM impact: MEDIUM subcategory: - vuln references: - https://github.com/advisories/GHSA-4h98-2769-gh6h license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/solidity.security.openzeppelin-ecdsa-recover-malleable.openzeppelin-ecdsa-recover-malleable shortlink: https://sg.run/zD0n semgrep.dev: rule: r_id: 67661 rv_id: 946624 rule_id: ReUGb4 version_id: 0bT15Or url: https://semgrep.dev/playground/r/0bT15Or/solidity.security.openzeppelin-ecdsa-recover-malleable.openzeppelin-ecdsa-recover-malleable origin: community pattern-either: - pattern: | function $F(..., bytes $Y, ...) { ... $Z = ECDSA.recover(..., $Y); ... $A[$Y] = ...; ... } - pattern: | function $F(..., bytes $Y, ...) { ... $Z = ECDSA.recover(..., $Y); ... $A[$B][$Y] = ...; ... } languages: - solidity severity: WARNING - id: solidity.security.oracle-price-update-not-restricted.oracle-price-update-not-restricted message: Oracle price data can be submitted by anyone metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/BlockSecTeam/status/1514815673800663045 - https://twitter.com/CertiKAlert/status/1514831117169405953 - https://medium.com/@hacxyk/aave-v3s-price-oracle-manipulation-vulnerability-168e44e9e374 - https://bscscan.com/address/0xd55f01b4b51b7f48912cd8ca3cdd8070a1a9dba5 - https://polygonscan.com/address/0xaA5890362f36FeaAe91aF248e84e287cE6eCD1A9 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.oracle-price-update-not-restricted.oracle-price-update-not-restricted shortlink: https://sg.run/pe4e semgrep.dev: rule: r_id: 67662 rv_id: 946625 rule_id: AbU7R7 version_id: K3TJbyr url: https://semgrep.dev/playground/r/K3TJbyr/solidity.security.oracle-price-update-not-restricted.oracle-price-update-not-restricted origin: community patterns: - pattern-either: - pattern: function $F(...) public {...} - pattern: function $F(...) external {...} - metavariable-pattern: metavariable: $F pattern-either: - pattern: setOracleData - pattern: setAssetPrice - pattern-not: function $F(...) onlyOwner { ... } - pattern-not: function $F(...) onlySybil { ... } languages: - solidity severity: ERROR - id: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection message: A specially crafted calldata may be used to impersonate other accounts metadata: category: security technology: - solidity cwe: 'CWE-20: Improper Input Validation' confidence: HIGH likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://rekt.news/superfluid-rekt/ - https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd - https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection shortlink: https://sg.run/9KNy semgrep.dev: rule: r_id: 67667 rv_id: 946630 rule_id: KxUqld version_id: o5TZexb url: https://semgrep.dev/playground/r/o5TZexb/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection origin: community patterns: - pattern: $T.decodeCtx(ctx); - pattern-not-inside: | require($T.isCtxValid(...), "..."); ... languages: - solidity severity: ERROR - id: solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug message: Parameter "from" is checked at incorrect position in "_allowances" mapping metadata: category: security technology: - solidity cwe: 'CWE-688: Function Call With Incorrect Variable or Reference as Argument' confidence: MEDIUM likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/Mauricio_0218/status/1490082073096462340 - https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug shortlink: https://sg.run/yBWA semgrep.dev: rule: r_id: 67668 rv_id: 946631 rule_id: qNUnN0 version_id: zyTlkRL url: https://semgrep.dev/playground/r/zyTlkRL/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug origin: community patterns: - pattern-inside: | function $BURN(..., address $FROM, ...) { ... _burn($FROM, ...); ... } - pattern-either: - pattern: require(_allowances[$S][$FROM] >= $X, ...) - pattern: require(allowance($S, $FROM) >= $X, ...) languages: - solidity severity: ERROR - id: solidity.security.uniswap-callback-not-protected.uniswap-callback-not-protected message: Uniswap callback is not protected metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://docs.uniswap.org/contracts/v3/guides/flash-integrations/flash-callback license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.uniswap-callback-not-protected.uniswap-callback-not-protected shortlink: https://sg.run/r4JJ semgrep.dev: rule: r_id: 67669 rv_id: 946632 rule_id: lBUO55 version_id: pZTNOl2 url: https://semgrep.dev/playground/r/pZTNOl2/solidity.security.uniswap-callback-not-protected.uniswap-callback-not-protected origin: community patterns: - pattern: | function $CALLBACK(...) { ... } - pattern-not: | function $CALLBACK(...) { ... $VALIDATION.verifyCallback(...); ... } - pattern-not: | function $CALLBACK(...) { ... $CHECK(msg.sender == $U.$PAIR(...), ...); ... } - pattern-not: | function $CALLBACK(...) { ... $CHECK(_msgSender() == $U.$PAIR(...), ...); ... } - pattern-not: | function $CALLBACK(...) { ... require(msg.sender == $POOL, ...); ... } - pattern-not: | function $CALLBACK(...) { ... require(_msgSender() == $POOL, ...); ... } - pattern-not: | function $CALLBACK(...) { ... require($POOL == msg.sender, ...); ... } - pattern-not: | function $CALLBACK(...) { ... require($POOL == _msgSender(), ...); ... } - pattern-not: | function $CALLBACK(...) { ... if (msg.sender != $POOL) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... if (_msgSender() != $POOL) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... if (msg.sender == $POOL) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... if (_msgSender() == $POOL) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... if(!$POOLS[msg.sender]) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... if(!$POOLS[_msgSender()]) { ... } ... } - pattern-not: | function $CALLBACK(...) { ... _verifyCallback(...); ... } - pattern-not: | function $CALLBACK(...) isCallback { ... } - pattern-not: | function $CALLBACK(...) { ... require($POOLS[msg.sender], ...); ... } - pattern-not: | function $CALLBACK(...) { ... require($POOLS[_msgSender()], ...); ... } - metavariable-regex: metavariable: $CALLBACK regex: (uniswapV2Call|uniswapV3SwapCallback|uniswapV3FlashCallback|uniswapV3MintCallback) languages: - solidity severity: WARNING - id: solidity.security.unrestricted-transferownership.unrestricted-transferownership message: Unrestricted transferOwnership metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://medium.com/quillhash/decoding-ragnarok-online-invasion-44k-exploit-quillaudits-261b7e23b55 - https://www.bscscan.com/address/0xe48b75dc1b131fd3a8364b0580f76efd04cf6e9c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.unrestricted-transferownership.unrestricted-transferownership shortlink: https://sg.run/bpNv semgrep.dev: rule: r_id: 67670 rv_id: 946633 rule_id: PeUrYL version_id: 2KTYb05 url: https://semgrep.dev/playground/r/2KTYb05/solidity.security.unrestricted-transferownership.unrestricted-transferownership origin: community patterns: - pattern-either: - pattern: function transferOwnership(address $X) public {...} - pattern: function transferOwnership(address $X) external {...} - pattern-not: | function transferOwnership(address $X) $M {...} - pattern-not: | function transferOwnership(address $X) $M(...) {...} - pattern-not: | function transferOwnership(address $X) { ... require(<... msg.sender ...>, ...); ... } - pattern-not: | function transferOwnership(address $X) { ... require(<... _msgSender ...>, ...); ... } - pattern-not: | function transferOwnership(address $X) { ... if (<... msg.sender ...>) { ... } ... } - pattern-not: | function transferOwnership(address $X) { ... if (<... _msgSender ...>) { ... } ... } - pattern-not: | function transferOwnership(address $X) { ... onlyOwner(...); ... } - pattern-not: | function transferOwnership(address $X) { ... requireOwner(...); ... } - pattern-not: | function transferOwnership(address $X) { ... _requireOwnership(...); ... } - pattern-not: | function transferOwnership(address $X) { ... $C._enforceIsContractOwner(...); ... } - pattern-not: | function transferOwnership(address $X) { ... $C._enforceOwner(...); ... } - pattern-not: | function transferOwnership(address $X) { ... $C.enforceIsContractOwner(...); ... } - pattern-not: | function transferOwnership(address $X) {} languages: - solidity severity: ERROR - id: swift.sqllite.sqllite-injection-audit.swift-potential-sqlite-injection message: Potential Client-side SQL injection which has different impacts depending on the SQL use-case. The impact may include the circumvention of local authentication mechanisms, obtaining of sensitive data from the app, or manipulation of client-side behavior. It wasn't possible to make certain that the source is untrusted, but the application should avoid concatenating dynamic data into SQL queries and should instead leverage parameterized queries. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' masvs: - 'MASVS-CODE-4: The app validates and sanitizes all untrusted inputs.' references: - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html subcategory: - vuln technology: - ios - macos license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/swift.sqllite.sqllite-injection-audit.swift-potential-sqlite-injection shortlink: https://sg.run/lkwo semgrep.dev: rule: r_id: 66513 rv_id: 946636 rule_id: qNUnOG version_id: 1QToKxX url: https://semgrep.dev/playground/r/1QToKxX/swift.sqllite.sqllite-injection-audit.swift-potential-sqlite-injection origin: community languages: - swift mode: taint pattern-sources: - pattern-either: - pattern: | "...\($X)..." - pattern: | $SQL = "..." + $X - pattern: | $SQL = $X + "..." pattern-sinks: - patterns: - pattern-either: - pattern: sqlite3_exec($DB, $SQL, ...) - pattern: sqlite3_prepare_v2($DB, $SQL, ...) - focus-metavariable: - $SQL - id: swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows message: Webviews were observed that explictly allow JavaScript in an WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privelege. severity: WARNING metadata: likelihood: LOW impact: LOW confidence: HIGH category: security cwe: - 'CWE-272: Least Privilege Violation' masvs: - 'MASVS-PLATFORM-2: The app uses WebViews securely' references: - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ - https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati subcategory: - audit technology: - ios - macos license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows shortlink: https://sg.run/YWLd semgrep.dev: rule: r_id: 66514 rv_id: 946637 rule_id: lBUOZk version_id: 9lTy1KE url: https://semgrep.dev/playground/r/9lTy1KE/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows origin: community languages: - swift patterns: - pattern: | $P = WKPreferences() ... - pattern-either: - patterns: - pattern-inside: | $P.JavaScriptCanOpenWindowsAutomatically = $FALSE ... $P.JavaScriptCanOpenWindowsAutomatically = $TRUE - pattern-not-inside: | ... $P.JavaScriptCanOpenWindowsAutomatically = $TRUE ... $P.JavaScriptCanOpenWindowsAutomatically = $FALSE - pattern: | $P.JavaScriptCanOpenWindowsAutomatically = true - metavariable-regex: metavariable: $TRUE regex: ^(true)$ - metavariable-regex: metavariable: $TRUE regex: (.*(?!true)) - patterns: - pattern: | $P.JavaScriptCanOpenWindowsAutomatically = true - pattern-not-inside: | ... $P.JavaScriptCanOpenWindowsAutomatically = ... ... $P.JavaScriptCanOpenWindowsAutomatically = ... - id: template.eqeq-is-bad pattern: $X == $X message: $X == $X is a useless equality check languages: - python severity: ERROR metadata: license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/template.eqeq-is-bad shortlink: https://sg.run/q3gz semgrep.dev: rule: r_id: 43756 rv_id: 946638 rule_id: yyUzWd version_id: yeT0nLz url: https://semgrep.dev/playground/r/yeT0nLz/template.eqeq-is-bad origin: community - id: terraform.aws.best-practice.aws-elasticache-automatic-backup-not-enabled.aws-elasticache-automatic-backup-not-enabled patterns: - pattern-either: - patterns: - pattern: | resource "aws_elasticache_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "aws_elasticache_cluster" $ANYTHING { ... engine = "memcached" ... } - pattern-not-inside: | resource "aws_elasticache_cluster" $ANYTHING { ... snapshot_retention_limit = ... ... } - patterns: - pattern: | resource "aws_elasticache_cluster" $ANYTHING { ... snapshot_retention_limit = $LIMIT ... } - metavariable-comparison: metavariable: $LIMIT comparison: $LIMIT == 0 message: Ensure that Amazon ElastiCache clusters have automatic backup turned on. To fix this, set a `snapshot_retention_limit`. metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-elasticache-automatic-backup-not-enabled.aws-elasticache-automatic-backup-not-enabled shortlink: https://sg.run/x4Dz semgrep.dev: rule: r_id: 17330 rv_id: 946639 rule_id: oqU2nN version_id: rxT6rYB url: https://semgrep.dev/playground/r/rxT6rYB/terraform.aws.best-practice.aws-elasticache-automatic-backup-not-enabled.aws-elasticache-automatic-backup-not-enabled origin: community languages: - hcl severity: WARNING - id: terraform.aws.best-practice.aws-qldb-inadequate-ledger-permissions-mode.aws-qldb-inadequate-ledger-permissions-mode patterns: - pattern: | resource "aws_qldb_ledger" $ANYTHING { ... permissions_mode = "ALLOW_ALL" ... } message: The AWS QLDB ledger permissions are too permissive. Consider using "'STANDARD'" permissions mode if possible. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-qldb-inadequate-ledger-permissions-mode.aws-qldb-inadequate-ledger-permissions-mode shortlink: https://sg.run/OyDB semgrep.dev: rule: r_id: 17331 rv_id: 946640 rule_id: zdUn5p version_id: bZTXwkW url: https://semgrep.dev/playground/r/bZTXwkW/terraform.aws.best-practice.aws-qldb-inadequate-ledger-permissions-mode.aws-qldb-inadequate-ledger-permissions-mode origin: community - id: terraform.aws.best-practice.aws-rds-multiaz-not-enabled.aws-rds-multiaz-not-enabled patterns: - pattern: | resource "aws_db_instance" $ANYTHING { ... } - pattern-not-inside: | resource "aws_db_instance" $ANYTHING { ... multi_az = true ... } message: The AWS RDS is not configured to use multi-az. Consider using it if possible. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-rds-multiaz-not-enabled.aws-rds-multiaz-not-enabled shortlink: https://sg.run/d1wZ semgrep.dev: rule: r_id: 17334 rv_id: 946643 rule_id: X5UgP3 version_id: w8TKJ2P url: https://semgrep.dev/playground/r/w8TKJ2P/terraform.aws.best-practice.aws-rds-multiaz-not-enabled.aws-rds-multiaz-not-enabled origin: community - id: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted patterns: - pattern: | resource "aws_ebs_encryption_by_default" $ANYTHING { ... enabled = false ... } message: The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted shortlink: https://sg.run/Dy5Y semgrep.dev: rule: r_id: 17352 rv_id: 946678 rule_id: 7KUW7K version_id: BjT1N2v url: https://semgrep.dev/playground/r/BjT1N2v/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted origin: community - id: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk patterns: - pattern: | resource "aws_ebs_volume" $ANYTHING { ... encrypted = true ... } - pattern-not-inside: | resource "aws_ebs_volume" $ANYTHING { ... encrypted = true kms_key_id = ... ... } message: Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk shortlink: https://sg.run/WW14 semgrep.dev: rule: r_id: 17353 rv_id: 946679 rule_id: L1UPY9 version_id: DkTNpzv url: https://semgrep.dev/playground/r/DkTNpzv/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-opensearchserverless-encrypted-with-cmk.aws-opensearchserverless-encrypted-with-cmk patterns: - pattern-inside: | resource "aws_opensearchserverless_security_policy" $ANYTHING { ... type = "encryption" ... } - pattern-either: - patterns: - pattern: policy = "$JSONPOLICY" - metavariable-pattern: metavariable: $JSONPOLICY language: json pattern: | {..., "AWSOwnedKey":true, ... } - patterns: - pattern-inside: policy = jsonencode(...) - pattern: | {..., AWSOwnedKey = true, ...} message: Ensure opensearch serverless is encrypted at rest using AWS KMS (Key Management Service) CMK (Customer Managed Keys). CMKs give you control over the encryption key in terms of access and rotation. languages: - terraform severity: WARNING metadata: category: security subcategory: - vuln cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' confidence: LOW likelihood: MEDIUM impact: LOW source_rule_url: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html#serverless-encryption-policies references: - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html#serverless-encryption-policies technology: - terraform - aws owasp: - A2:2021 Cryptographic Failures - A5:2021 Security Misconfiguration license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-opensearchserverless-encrypted-with-cmk.aws-opensearchserverless-encrypted-with-cmk shortlink: https://sg.run/NeBN semgrep.dev: rule: r_id: 67671 rv_id: 946716 rule_id: JDUrq7 version_id: PkTQk51 url: https://semgrep.dev/playground/r/PkTQk51/terraform.aws.security.aws-opensearchserverless-encrypted-with-cmk.aws-opensearchserverless-encrypted-with-cmk origin: community - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention patterns: - pattern-either: - pattern: | resource "aws_rds_cluster" $ANYTHING { ... backup_retention_period = 0 ... } - pattern: | resource "aws_db_instance" $ANYTHING { ... backup_retention_period = 0 ... } message: The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention shortlink: https://sg.run/OyYB semgrep.dev: rule: r_id: 17375 rv_id: 946719 rule_id: GdUzwQ version_id: GxTP0Lq url: https://semgrep.dev/playground/r/GxTP0Lq/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention origin: community - id: terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk patterns: - pattern: | resource "aws_s3_bucket_object" $ANYTHING { ... } - pattern-not-inside: | resource "aws_s3_bucket_object" $ANYTHING { ... kms_key_id = ... ... } message: Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk shortlink: https://sg.run/veKA semgrep.dev: rule: r_id: 17377 rv_id: 946721 rule_id: AbUeYR version_id: A8TJWj0 url: https://semgrep.dev/playground/r/A8TJWj0/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk patterns: - pattern: | resource "aws_s3_object_copy" $ANYTHING { ... } - pattern-not-inside: | resource "aws_s3_object_copy" $ANYTHING { ... kms_key_id = ... ... } message: Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk shortlink: https://sg.run/d1ZZ semgrep.dev: rule: r_id: 17378 rv_id: 946722 rule_id: BYUzYY version_id: BjT1BWv url: https://semgrep.dev/playground/r/BjT1BWv/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-appservice-dotnet-framework-version.azure-appservice-dotnet-framework-version message: Ensure that Net Framework version is the latest, if used as a part of the web app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ... dotnet_framework_version = "v6.0" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-dotnet-framework-version.azure-appservice-dotnet-framework-version shortlink: https://sg.run/GpYp semgrep.dev: rule: r_id: 23904 rv_id: 946742 rule_id: r6UL1L version_id: NdTqADl url: https://semgrep.dev/playground/r/NdTqADl/terraform.azure.best-practice.azure-appservice-dotnet-framework-version.azure-appservice-dotnet-framework-version origin: community languages: - hcl severity: INFO - id: terraform.azure.best-practice.azure-appservice-ftps-state.azure-appservice-ftps-state message: Ensure FTP deployments are disabled patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ftps_state = "FtpsOnly" } ... } - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ftps_state = "Disabled" } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-ftps-state.azure-appservice-ftps-state shortlink: https://sg.run/R4LO semgrep.dev: rule: r_id: 23905 rv_id: 946743 rule_id: bwU1Z9 version_id: kbTYRKq url: https://semgrep.dev/playground/r/kbTYRKq/terraform.azure.best-practice.azure-appservice-ftps-state.azure-appservice-ftps-state origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-appservice-https-20-enabled.azure-appservice-https-20-enabled message: Ensure that HTTP Version is the latest if used to run the web app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { http2_enabled = true } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-https-20-enabled.azure-appservice-https-20-enabled shortlink: https://sg.run/ANDp semgrep.dev: rule: r_id: 23906 rv_id: 946744 rule_id: NbUdZz version_id: w8TK81e url: https://semgrep.dev/playground/r/w8TK81e/terraform.azure.best-practice.azure-appservice-https-20-enabled.azure-appservice-https-20-enabled origin: community languages: - hcl severity: WARNING - id: ajinabraham.njsscan.crypto.timing_attack_node.node_timing_attack patterns: - pattern-not: if ($Z == null) { ... }; - pattern-not: if ($Z === null) { ... }; - pattern-not: if ($Z != null) { ... }; - pattern-not: if ($Z !== null) { ... }; - pattern-not: if ($Q != undefined) { ... }; - pattern-not: if ($Q !== undefined) { ... }; - pattern-not: if ($Q == undefined) { ... }; - pattern-not: if ($Q === undefined) { ... }; - pattern-not: return $Y == null; - pattern-not: return $Y === null; - pattern-not: return $Y != null; - pattern-not: return $Y !== null; - pattern-not: return $Y == undefined; - pattern-not: return $Y === undefined; - pattern-not: return $Y != undefined; - pattern-not: return $Y !== undefined; - pattern-either: - pattern: | if (password == $X) { ... } - pattern: | if ($X == password) { ... } - pattern: | if (password === $X) { ... } - pattern: | if ($X === password) { ... } - pattern: | if (pass == $X) { ... } - pattern: | if ($X == pass) { ... } - pattern: | if (pass === $X) { ... } - pattern: | if ($X === pass) { ... } - pattern: | if (secret == $X) { ... } - pattern: | if ($X == secret) { ... } - pattern: | if (secret === $X) { ... } - pattern: | if ($X === secret) { ... } - pattern: | if (api == $X) { ... } - pattern: | if ($X == api) { ... } - pattern: | if (api === $X) { ... } - pattern: | if ($X === api) { ... } - pattern: | if (apiKey == $X) { ... } - pattern: | if ($X == apiKey) { ... } - pattern: | if (apiKey === $X) { ... } - pattern: | if ($X === apiKey) { ... } - pattern: | if (apiSecret == $X) { ... } - pattern: | if ($X == apiSecret) { ... } - pattern: | if (apiSecret === $X) { ... } - pattern: | if ($X === apiSecret) { ... } - pattern: | if (token == $X) { ... } - pattern: | if ($X == token) { ... } - pattern: | if (token === $X) { ... } - pattern: | if ($X === token) { ... } - pattern: | if (hash == $X) { ... } - pattern: | if ($X == hash) { ... } - pattern: | if (hash === $X) { ... } - pattern: | if ($X === hash) { ... } - pattern: | if (auth_token == $X) { ... } - pattern: | if ($X == auth_token) { ... } - pattern: | if (auth_token === $X) { ... } - pattern: | if ($X === auth_token) { ... } - pattern: | if (password != $X) { ... } - pattern: | if ($X != password) { ... } - pattern: | if (password !== $X) { ... } - pattern: | if ($X !== password) { ... } - pattern: | if (pass != $X) { ... } - pattern: | if ($X != pass) { ... } - pattern: | if (pass !== $X) { ... } - pattern: | if ($X !== pass) { ... } - pattern: | if (secret != $X) { ... } - pattern: | if ($X != secret) { ... } - pattern: | if (secret !== $X) { ... } - pattern: | if ($X !== secret) { ... } - pattern: | if (api != $X) { ... } - pattern: | if ($X != api) { ... } - pattern: | if (api !== $X) { ... } - pattern: | if ($X !== api) { ... } - pattern: | if (apiKey != $X) { ... } - pattern: | if ($X != apiKey) { ... } - pattern: | if (apiKey !== $X) { ... } - pattern: | if ($X !== apiKey) { ... } - pattern: | if (apiSecret != $X) { ... } - pattern: | if ($X != apiSecret) { ... } - pattern: | if (apiSecret !== $X) { ... } - pattern: | if ($X !== apiSecret) { ... } - pattern: | if (token != $X) { ... } - pattern: | if ($X != token) { ... } - pattern: | if (token !== $X) { ... } - pattern: | if ($X !== token) { ... } - pattern: | if (hash != $X) { ... } - pattern: | if ($X != hash) { ... } - pattern: | if (hash !== $X) { ... } - pattern: | if ($X !== hash) { ... } - pattern: | if (auth_token != $X) { ... } - pattern: | if ($X != auth_token) { ... } - pattern: | if (auth_token !== $X) { ... } - pattern: | if ($X !== auth_token) { ... } - pattern: | return $X === auth_token; - pattern: | return auth_token === $X; - pattern: | return $X === token; - pattern: | return token === $X; - pattern: | return $X === hash; - pattern: | return hash === $X; - pattern: | return $X === password; - pattern: | return password === $X; - pattern: | return $X === pass; - pattern: | return pass === $X; - pattern: | return $X === apiKey; - pattern: | return apiKey === $X; - pattern: | return $X === apiSecret; - pattern: | return apiSecret === $X; - pattern: | return $X === api_key; - pattern: | return api_key === $X; - pattern: | return $X === api_secret; - pattern: | return api_secret === $X; - pattern: | return $X === secret; - pattern: | return secret === $X; - pattern: | return $X === api; - pattern: | return api === $X; - pattern: | return $X == auth_token; - pattern: | return auth_token == $X; - pattern: | return $X == token; - pattern: | return token == $X; - pattern: | return $X == hash; - pattern: | return hash == $X; - pattern: | return $X == password; - pattern: | return password == $X; - pattern: | return $X == pass; - pattern: | return pass == $X; - pattern: | return $X == apiKey; - pattern: | return apiKey == $X; - pattern: | return $X == apiSecret; - pattern: | return apiSecret == $X; - pattern: | return $X == api_key; - pattern: | return api_key == $X; - pattern: | return $X == api_secret; - pattern: | return api_secret == $X; - pattern: | return $X == secret; - pattern: | return secret == $X; - pattern: | return $X == api; - pattern: | return api == $X; - pattern: | return $X !== auth_token; - pattern: | return auth_token !== $X; - pattern: | return $X !== token; - pattern: | return token !== $X; - pattern: | return $X !== hash; - pattern: | return hash !== $X; - pattern: | return $X !== password; - pattern: | return password !== $X; - pattern: | return $X !== pass; - pattern: | return pass !== $X; - pattern: | return $X !== apiKey; - pattern: | return apiKey !== $X; - pattern: | return $X !== apiSecret; - pattern: | return apiSecret !== $X; - pattern: | return $X !== api_key; - pattern: | return api_key !== $X; - pattern: | return $X !== api_secret; - pattern: | return api_secret !== $X; - pattern: | return $X !== secret; - pattern: | return secret !== $X; - pattern: | return $X !== api; - pattern: | return api !== $X; - pattern: | return $X != auth_token; - pattern: | return auth_token != $X; - pattern: | return $X != token; - pattern: | return token != $X; - pattern: | return $X != hash; - pattern: | return hash != $X; - pattern: | return $X != password; - pattern: | return password != $X; - pattern: | return $X != pass; - pattern: | return pass != $X; - pattern: | return $X != apiKey; - pattern: | return apiKey != $X; - pattern: | return $X != apiSecret; - pattern: | return apiSecret != $X; - pattern: | return $X != api_key; - pattern: | return api_key != $X; - pattern: | return $X != api_secret; - pattern: | return api_secret != $X; - pattern: | return $X != secret; - pattern: | return secret != $X; - pattern: | return $X != api; - pattern: | return api != $X; message: 'String comparisons using ''==='', ''!=='', ''!='' and ''=='' is vulnerable to timing attacks. A timing attack allows the attacker to learn potentially sensitive information by, for example, measuring how long it takes for the application to respond to a request. More info: https://nodejs.org/en/learn/getting-started/security-best-practices#information-exposure-through-timing-attacks-cwe-208' languages: - javascript severity: WARNING metadata: owasp-web: a9 cwe: cwe-208 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.timing_attack_node.node_timing_attack shortlink: https://sg.run/BDR2 semgrep.dev: rule: r_id: 43607 rv_id: 833101 rule_id: v8UJKp version_id: K3TrqK4 url: https://semgrep.dev/playground/r/K3TrqK4/ajinabraham.njsscan.crypto.timing_attack_node.node_timing_attack origin: community - id: terraform.azure.best-practice.azure-mysql-geo-backup-enabled.azure-mysql-geo-backup-enabled message: Ensure that MySQL server enables geo-redundant backups patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mysql_server" "..." { ... geo_redundant_backup_enabled = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-mysql-geo-backup-enabled.azure-mysql-geo-backup-enabled shortlink: https://sg.run/OxLB semgrep.dev: rule: r_id: 23931 rv_id: 946769 rule_id: DbUnkD version_id: 0bT1ELQ url: https://semgrep.dev/playground/r/0bT1ELQ/terraform.azure.best-practice.azure-mysql-geo-backup-enabled.azure-mysql-geo-backup-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-mysql-server-tlsenforcement-enabled.azure-mysql-server-tlsenforcement-enabled message: Ensure Enforce SSL connection is set to Enabled for MySQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mysql_server" "..." { ... ssl_enforcement_enabled = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-mysql-server-tlsenforcement-enabled.azure-mysql-server-tlsenforcement-enabled shortlink: https://sg.run/eE2b semgrep.dev: rule: r_id: 23932 rv_id: 946770 rule_id: WAUQ8R version_id: K3TJ4vR url: https://semgrep.dev/playground/r/K3TJ4vR/terraform.azure.best-practice.azure-mysql-server-tlsenforcement-enabled.azure-mysql-server-tlsenforcement-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-mysql-threat-detection-enabled.azure-mysql-threat-detection-enabled message: Ensure that MySQL server enables Threat detection policy patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mysql_server" "..." { ... threat_detection_policy { ... enabled = true ... } ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-mysql-threat-detection-enabled.azure-mysql-threat-detection-enabled shortlink: https://sg.run/v1PA semgrep.dev: rule: r_id: 23933 rv_id: 946771 rule_id: 0oUlov version_id: qkT4o2A url: https://semgrep.dev/playground/r/qkT4o2A/terraform.azure.best-practice.azure-mysql-threat-detection-enabled.azure-mysql-threat-detection-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-flexi-server-geo-backup-enabled.azure-postgresql-flexi-server-geo-backup-enabled message: Ensure that PostgreSQL Flexible server enables geo-redundant backups patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_postgresql_flexible_server" "..." { ... geo_redundant_backup_enabled = true ... } - pattern-inside: | resource "azurerm_postgresql_flexible_server" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-flexi-server-geo-backup-enabled.azure-postgresql-flexi-server-geo-backup-enabled shortlink: https://sg.run/Z3LD semgrep.dev: rule: r_id: 23935 rv_id: 946773 rule_id: qNUxOl version_id: YDTvrpj url: https://semgrep.dev/playground/r/YDTvrpj/terraform.azure.best-practice.azure-postgresql-flexi-server-geo-backup-enabled.azure-postgresql-flexi-server-geo-backup-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-geo-backup-enabled.azure-postgresql-geo-backup-enabled message: Ensure that PostgreSQL server enables geo-redundant backups patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_postgresql_server" "..." { ... geo_redundant_backup_enabled = true ... } - pattern-inside: | resource "azurerm_postgresql_server" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-geo-backup-enabled.azure-postgresql-geo-backup-enabled shortlink: https://sg.run/nGbX semgrep.dev: rule: r_id: 23936 rv_id: 946774 rule_id: lBUvpQ version_id: JdTDPNY url: https://semgrep.dev/playground/r/JdTDPNY/terraform.azure.best-practice.azure-postgresql-geo-backup-enabled.azure-postgresql-geo-backup-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-server-connection-throttling-enabled.azure-postgresql-server-connection-throttling-enabled message: Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_configuration" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_configuration" "..." { ... name = "connection_throttling" value = "on" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-server-connection-throttling-enabled.azure-postgresql-server-connection-throttling-enabled shortlink: https://sg.run/E16w semgrep.dev: rule: r_id: 23937 rv_id: 946775 rule_id: PeU1eJ version_id: 5PT94dR url: https://semgrep.dev/playground/r/5PT94dR/terraform.azure.best-practice.azure-postgresql-server-connection-throttling-enabled.azure-postgresql-server-connection-throttling-enabled origin: community languages: - hcl severity: WARNING - id: ajinabraham.njsscan.electronjs.security_electron.electron_blink_integration patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {enableBlinkFeatures: '...'}}) - pattern: | var $X = {webPreferences: {enableBlinkFeatures: '...'}}; message: Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-272 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_blink_integration shortlink: https://sg.run/9j28 semgrep.dev: rule: r_id: 43623 rv_id: 833117 rule_id: ReUdNr version_id: NdTB2z5 url: https://semgrep.dev/playground/r/NdTB2z5/ajinabraham.njsscan.electronjs.security_electron.electron_blink_integration origin: community - id: ajinabraham.njsscan.electronjs.security_electron.electron_nodejs_integration patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {nodeIntegration: true}}) - pattern: | var $X = {webPreferences: {nodeIntegration: true}}; message: Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS). languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-272 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_nodejs_integration shortlink: https://sg.run/y2QR semgrep.dev: rule: r_id: 43624 rv_id: 833118 rule_id: AbUxvn version_id: kbT2lz9 url: https://semgrep.dev/playground/r/kbT2lz9/ajinabraham.njsscan.electronjs.security_electron.electron_nodejs_integration origin: community - id: ajinabraham.njsscan.electronjs.security_electron.electron_context_isolation patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {contextIsolation: false}}) - pattern: | var $X = {webPreferences: {contextIsolation: false}}; message: Disabling context isolation can introduce Prototype Pollution vulnerabilities. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-693 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_context_isolation shortlink: https://sg.run/rqQR semgrep.dev: rule: r_id: 43625 rv_id: 833119 rule_id: BYUo4Q version_id: w8TAxRq url: https://semgrep.dev/playground/r/w8TAxRq/ajinabraham.njsscan.electronjs.security_electron.electron_context_isolation origin: community - id: ajinabraham.njsscan.electronjs.security_electron.electron_experimental_features patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {experimentalFeatures: true}}) - pattern: | var $X = {webPreferences: {experimentalFeatures: true}}; message: Experimental features are not expected to be in production ready applications. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-272 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.electronjs.security_electron.electron_experimental_features shortlink: https://sg.run/bEYE semgrep.dev: rule: r_id: 43626 rv_id: 833120 rule_id: DbULBL version_id: xyTNejb url: https://semgrep.dev/playground/r/xyTNejb/ajinabraham.njsscan.electronjs.security_electron.electron_experimental_features origin: community - id: ajinabraham.njsscan.eval.eval_deserialize.serializetojs_deserialize patterns: - pattern-inside: | require('serialize-to-js') ... - pattern: | $X.deserialize(...) message: User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. languages: - javascript severity: ERROR metadata: owasp-web: a8 cwe: cwe-502 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_deserialize.serializetojs_deserialize shortlink: https://sg.run/NXzz semgrep.dev: rule: r_id: 43627 rv_id: 833121 rule_id: WAUgee version_id: O9TJWpK url: https://semgrep.dev/playground/r/O9TJWpK/ajinabraham.njsscan.eval.eval_deserialize.serializetojs_deserialize origin: community - id: ajinabraham.njsscan.eval.eval_deserialize.node_deserialize patterns: - pattern-inside: | require('node-serialize') ... - pattern: | $X.unserialize(...) message: User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. languages: - javascript severity: ERROR metadata: owasp-web: a8 cwe: cwe-502 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_deserialize.node_deserialize shortlink: https://sg.run/kR32 semgrep.dev: rule: r_id: 43628 rv_id: 833122 rule_id: 0oUZ0k version_id: e1TDky2 url: https://semgrep.dev/playground/r/e1TDky2/ajinabraham.njsscan.eval.eval_deserialize.node_deserialize origin: community - id: ajinabraham.njsscan.eval.eval_grpc_deserialize.grpc_insecure_connection patterns: - pattern-inside: | require('grpc') ... - pattern: $CREDENTIALS.createInsecure() message: Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. metadata: owasp-web: a8 cwe: cwe-502 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_grpc_deserialize.grpc_insecure_connection shortlink: https://sg.run/wzQP semgrep.dev: rule: r_id: 43629 rv_id: 833123 rule_id: KxURAB version_id: vdTOz0w url: https://semgrep.dev/playground/r/vdTOz0w/ajinabraham.njsscan.eval.eval_grpc_deserialize.grpc_insecure_connection origin: community severity: ERROR languages: - javascript - id: ajinabraham.njsscan.eval.eval_node.eval_nodejs patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | new Function(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | new Function(..., <... $REQ.$QUERY ...>, ...) - pattern: | eval(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | eval(..., <... $REQ.$QUERY ...>, ...) - pattern: | setTimeout(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | setTimeout(..., <... $REQ.$QUERY ...>, ...) - pattern: | setInterval(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | setInterval(..., <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... new Function(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... new Function(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... eval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... eval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... setTimeout(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... setTimeout(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... setInterval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... setInterval(..., <... $INP ...>, ...) message: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-95 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_node.eval_nodejs shortlink: https://sg.run/xpQg semgrep.dev: rule: r_id: 43630 rv_id: 833124 rule_id: qNUrAP version_id: d6TKGyo url: https://semgrep.dev/playground/r/d6TKGyo/ajinabraham.njsscan.eval.eval_node.eval_nodejs origin: community - id: ajinabraham.njsscan.eval.eval_require.eval_require patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = <... $REQ.$QUERY ...>; ... require(<... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY.$FOO ...>; ... require(<... $INP ...>) - pattern: require(<... $REQ.$QUERY.$FOO ...>) - pattern: require(<... $REQ.$BODY ...>) message: Untrusted user input in `require()` function allows an attacker to load arbitrary code. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-706 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_require.eval_require shortlink: https://sg.run/Ojpn semgrep.dev: rule: r_id: 43631 rv_id: 833125 rule_id: lBUY3K version_id: ZRTlPKn url: https://semgrep.dev/playground/r/ZRTlPKn/ajinabraham.njsscan.eval.eval_require.eval_require origin: community - id: ajinabraham.njsscan.eval.eval_sandbox.sandbox_code_injection patterns: - pattern-inside: | require('sandbox') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $S.run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... $S.run(<... $CODE ...>,...) - pattern: | new $SANDBOX(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new $SANDBOX(...).run(<... $CODE ...>,...) - pattern: | $S.run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... $S.run(<... $CODE ...>,...) - pattern: | new $SANDBOX(...).run(<... $REQ.$BODY ...>,...) - pattern: |- $CODE = <... $REQ.$BODY ...>; ... new $SANDBOX(...).run(<... $CODE ...>,...) message: Unrusted data in `sandbox` can result in code injection. severity: ERROR languages: - javascript metadata: owasp-web: a1 cwe: cwe-94 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.eval.eval_sandbox.sandbox_code_injection shortlink: https://sg.run/egzy semgrep.dev: rule: r_id: 43632 rv_id: 833126 rule_id: PeUK79 version_id: nWTy42X url: https://semgrep.dev/playground/r/nWTy42X/ajinabraham.njsscan.eval.eval_sandbox.sandbox_code_injection origin: community - id: ajinabraham.njsscan.traversal.resolve_path_traversal.join_resolve_path_traversal patterns: - pattern-inside: | require('path') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PATH.join(...,<... $REQ.$BODY ...>,...) - pattern: $PATH.join(...,<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $PATH.join(...,<... $VAR ...>,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $PATH.join(...,<... $VAR ...>,...) - pattern: $PATH.resolve(...,<... $REQ.$BODY ...>,...) - pattern: $PATH.resolve(...,<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $PATH.resolve(...,<... $VAR ...>,...) - pattern: |- $VAR = <... $REQ.$QUERY.$FOO ...>; ... $PATH.resolve(...,<... $VAR ...>,...) message: 'Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`. ' languages: - javascript metadata: owasp-web: a5 cwe: cwe-22 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.resolve_path_traversal.join_resolve_path_traversal shortlink: https://sg.run/PxEY semgrep.dev: rule: r_id: 43701 rv_id: 833195 rule_id: bwUJDB version_id: GxTDElP url: https://semgrep.dev/playground/r/GxTDElP/ajinabraham.njsscan.traversal.resolve_path_traversal.join_resolve_path_traversal origin: community severity: WARNING - id: ajinabraham.njsscan.xml.xml_entity_expansion_dos.node_entity_expansion patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $PARSER = new expat.Parser() ... $PARSER.write(..., <... $REQ.$QUERY ...>, ...) - pattern: | $PARSER = new expat.Parser() ... $PARSER.write(..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: | $PARSER = new expat.Parser() ... $PARSER.write(..., <... $REQ.$QUERY.$FOO.$FILE ...>, ...) message: User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS. languages: - javascript severity: ERROR metadata: owasp-web: a4 cwe: cwe-776 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xml_entity_expansion_dos.node_entity_expansion shortlink: https://sg.run/JoEw semgrep.dev: rule: r_id: 43702 rv_id: 833196 rule_id: NbUE0e version_id: RGTKGEk url: https://semgrep.dev/playground/r/RGTKGEk/ajinabraham.njsscan.xml.xml_entity_expansion_dos.node_entity_expansion origin: community - id: ajinabraham.njsscan.xml.xpathi_node.node_xpath_injection patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ.$QUERY.$VAR ...>, ...) - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ.$PARAM ...>, ...) - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ.$PARAM["..."] ...>, ...) - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ.$PARAM("...") ...>, ...) - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ["..."] ...>, ...) - pattern: | $XPATH.parse(<... "=~/^[\/\/].+/" + $REQ("...") ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) - pattern: | $INP = <... $REQ.$PARAM ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) - pattern: | $INP = <... $REQ.$PARAM["..."] ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) - pattern: | $INP = <... $REQ.$PARAM("...") ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) - pattern: | $INP = <... $REQ["..."] ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) - pattern: | $INP = <... $REQ("...") ...>; ... $XPATH.parse(<... "=~/^[\/\/].+/" + $INP ...>, ...) message: User controlled data in xpath.parse() can result in XPATH injection vulnerability. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-643 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xpathi_node.node_xpath_injection shortlink: https://sg.run/5zOA semgrep.dev: rule: r_id: 43703 rv_id: 833197 rule_id: kxU90Y version_id: A8T37EX url: https://semgrep.dev/playground/r/A8T37EX/ajinabraham.njsscan.xml.xpathi_node.node_xpath_injection origin: community - id: ajinabraham.njsscan.xml.xxe_expat.xxe_expat patterns: - pattern-inside: | require('node-expat') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern-inside: | $PARSER = new $EXPAT.Parser(...) ... - pattern-inside: | $PARSER = new Parser(...) ... - pattern-either: - pattern: $PARSER.parse(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PARSER.parse(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PARSER.parse(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PARSER.parse(<... $INPUT ...>,...) - pattern: $PARSER.write(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PARSER.write(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PARSER.write(<... $INPUT ...>,...) - pattern: |- $INPUT = <... $REQ.$BODY ...>; ... $PARSER.write(<... $INPUT ...>,...) message: Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities. metadata: owasp-web: a4 cwe: cwe-611 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xxe_expat.xxe_expat shortlink: https://sg.run/G3Ep semgrep.dev: rule: r_id: 43704 rv_id: 833198 rule_id: wdUvdn version_id: BjTe0yk url: https://semgrep.dev/playground/r/BjTe0yk/ajinabraham.njsscan.xml.xxe_expat.xxe_expat origin: community severity: ERROR languages: - javascript - id: mobsf.mobsfscan.crypto.weak_key_size.weak_key_size patterns: - pattern-either: - pattern: | $K = $G.getInstance("RSA"); ... $K.initialize(1024); - pattern: | $K = $G.getInstance("RSA"); ... $K.initialize(512); - pattern: | $K = $G.getInstance("EC"); ... $K.initialize(new ECGenParameterSpec("secp112r1")); - pattern: | $K = $G.getInstance("EC"); ... $S = new ECGenParameterSpec("secp112r1"); ... $K.initialize($S); - pattern: | $K = $G.getInstance("EC"); ... $K.initialize(new ECGenParameterSpec("secp224r1")); - pattern: | $K = $G.getInstance("EC"); ... $S = new ECGenParameterSpec("secp224r1"); ... $K.initialize($S); - pattern: | $K = $G.getInstance("Blowfish"); ... $K.init(64); - pattern: | $K = $G.getInstance("AES"); ... $K.init(64); message: Cryptographic implementations with insufficient key length is susceptible to bruteforce attacks. languages: - java severity: ERROR metadata: cwe: cwe-326 owasp-mobile: m5 masvs: crypto-3 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#common-configuration-issues-mstg-crypto-1-mstg-crypto-2-and-mstg-crypto-3 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_key_size.weak_key_size shortlink: https://sg.run/8Xey semgrep.dev: rule: r_id: 43740 rv_id: 833234 rule_id: DbULZp version_id: 3ZT3AWE url: https://semgrep.dev/playground/r/3ZT3AWE/mobsf.mobsfscan.crypto.weak_key_size.weak_key_size origin: community - id: mobsf.mobsfscan.deserialization.jackson_deserialization.jackson_deserialization patterns: - pattern-either: - pattern: | import com.fasterxml.jackson.databind.ObjectMapper; ... $Z.enableDefaultTyping(); message: The app uses jackson deserialization library. Deserialization of untrusted input can result in arbitrary code execution. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object. languages: - java severity: ERROR metadata: cwe: cwe-502 owasp-mobile: m1 masvs: platform-8 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-object-persistence-mstg-platform-8 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.deserialization.jackson_deserialization.jackson_deserialization shortlink: https://sg.run/gPzJ semgrep.dev: rule: r_id: 43741 rv_id: 833235 rule_id: WAUgAZ version_id: 44TQP51 url: https://semgrep.dev/playground/r/44TQP51/mobsf.mobsfscan.deserialization.jackson_deserialization.jackson_deserialization origin: community - id: mobsf.mobsfscan.injection.command_injection.command_injection patterns: - pattern-not: Runtime.getRuntime().exec("...", ...); - pattern-not: Runtime.getRuntime().exec(new String[] {"...", ...}, ...); - pattern-either: - pattern: | Runtime.getRuntime().exec(...); message: User controlled strings in exec() will result in command execution. languages: - java severity: ERROR metadata: cwe: cwe-78 owasp-mobile: m7 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.injection.command_injection.command_injection shortlink: https://sg.run/36wr semgrep.dev: rule: r_id: 43743 rv_id: 833237 rule_id: KxUR67 version_id: JdTlrGl url: https://semgrep.dev/playground/r/JdTlrGl/mobsf.mobsfscan.injection.command_injection.command_injection origin: community - id: mobsf.mobsfscan.injection.command_injection_formated.command_injection_warning patterns: - pattern-either: - pattern: $RUNTIME.exec($X + $Y); - pattern: $RUNTIME.exec(String.format(...)); - pattern: $RUNTIME.loadLibrary($X + $Y); - pattern: $RUNTIME.loadLibrary(String.format(...)); - patterns: - pattern-either: - pattern: | $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) - pattern: | $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) - pattern: | $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) - patterns: - pattern-either: - pattern: | $RUNTIME.exec($CMD,"-c",$ARG,...) - pattern: | $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...) - pattern: | $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | $RUNTIME.exec("...","...","...",...) - pattern-not: | $RUNTIME.exec(new String[]{"...","...","...",...},...) - pattern-not: | $RUNTIME.exec(Arrays.asList("...","...","...",...),...) - pattern-inside: | $TYPE $RUNTIME = Runtime.getRuntime(...); ... message: | A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. severity: WARNING languages: - java metadata: cwe: cwe-78 owasp-mobile: m7 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.injection.command_injection_formated.command_injection_warning shortlink: https://sg.run/4oQl semgrep.dev: rule: r_id: 43744 rv_id: 833238 rule_id: qNUrPW version_id: 5PTyDrN url: https://semgrep.dev/playground/r/5PTyDrN/mobsf.mobsfscan.injection.command_injection_formated.command_injection_warning origin: community - id: terraform.gcp.best-practice.gcp-gke-nodepool-metadata-server-enabled.gcp-gke-nodepool-metadata-server-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_node_pool" "..." { ... } - pattern-not-inside: | resource "google_container_node_pool" "..." { ... node_config { ... workload_metadata_config { ... node_metadata = "GKE_METADATA_SERVER" ... } ... } ... } - pattern-not-inside: | resource "google_container_node_pool" "..." { ... node_config { ... workload_metadata_config { ... mode = "GKE_METADATA" ... } ... } ... } message: "Ensure the GKE Metadata Server is Enabled\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-nodepool-metadata-server-enabled.gcp-gke-nodepool-metadata-server-enabled shortlink: https://sg.run/Rvwq semgrep.dev: rule: r_id: 33649 rv_id: 946882 rule_id: zdUNB7 version_id: WrTEZoO url: https://semgrep.dev/playground/r/WrTEZoO/terraform.gcp.best-practice.gcp-gke-nodepool-metadata-server-enabled.gcp-gke-nodepool-metadata-server-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-securitycenter-contact-phone.azure-securitycenter-contact-phone message: Ensure that Security contact Phone number is set patterns: - pattern: resource - pattern-inside: | resource "azurerm_security_center_contact" "..." { ... } - pattern-not-inside: | resource "azurerm_security_center_contact" "..." { ... phone = "..." ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-securitycenter-contact-phone.azure-securitycenter-contact-phone shortlink: https://sg.run/J1zw semgrep.dev: rule: r_id: 23946 rv_id: 946784 rule_id: 0oUlGp version_id: qkT4o27 url: https://semgrep.dev/playground/r/qkT4o27/terraform.azure.best-practice.azure-securitycenter-contact-phone.azure-securitycenter-contact-phone origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-securitycenter-email-alert-admins.azure-securitycenter-email-alert-admins message: Ensure that Send email notification for high severity alerts is set to On patterns: - pattern: resource - pattern-inside: | resource "azurerm_security_center_contact" "..." { ... } - pattern-not-inside: | resource "azurerm_security_center_contact" "..." { ... alerts_to_admins = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-securitycenter-email-alert-admins.azure-securitycenter-email-alert-admins shortlink: https://sg.run/5egA semgrep.dev: rule: r_id: 23947 rv_id: 946785 rule_id: KxUjgJ version_id: l4Txd40 url: https://semgrep.dev/playground/r/l4Txd40/terraform.azure.best-practice.azure-securitycenter-email-alert-admins.azure-securitycenter-email-alert-admins origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-sqlserver-email-alerts-enabled.azure-sqlserver-email-alerts-enabled message: Ensure that Send Alerts To is enabled for MSSQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... } - pattern-not-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... state = "Enabled" email_addresses = ["...", ...] ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-sqlserver-email-alerts-enabled.azure-sqlserver-email-alerts-enabled shortlink: https://sg.run/R4wO semgrep.dev: rule: r_id: 23949 rv_id: 946787 rule_id: lBUvp6 version_id: 6xTxqvd url: https://semgrep.dev/playground/r/6xTxqvd/terraform.azure.best-practice.azure-sqlserver-email-alerts-enabled.azure-sqlserver-email-alerts-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-key-backedby-hsm.azure-key-backedby-hsm message: Ensure that key vault key is backed by HSM patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault_key" "..." { ... key_type = "EC-HSM" ... } - pattern-not-inside: | resource "azurerm_key_vault_key" "..." { ... key_type = "RSA-HSM" ... } - pattern-inside: | resource "azurerm_key_vault_key" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-key-backedby-hsm.azure-key-backedby-hsm shortlink: https://sg.run/PyvY semgrep.dev: rule: r_id: 23989 rv_id: 946833 rule_id: WAUQGd version_id: zyTlyj5 url: https://semgrep.dev/playground/r/zyTlyj5/terraform.azure.security.azure-key-backedby-hsm.azure-key-backedby-hsm origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date message: Ensure that the expiration date is set on all keys patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault_key" "..." { ... expiration_date = "..." ... } - pattern-inside: | resource "azurerm_key_vault_key" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date shortlink: https://sg.run/J1vw semgrep.dev: rule: r_id: 23990 rv_id: 946834 rule_id: 0oUlgp version_id: pZTNGkl url: https://semgrep.dev/playground/r/pZTNGkl/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-managed-disk-encryption-set.azure-managed-disk-encryption-set message: Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_managed_disk" "..." { ... disk_encryption_set_id = ... ... } - pattern-inside: | resource "azurerm_managed_disk" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-managed-disk-encryption-set.azure-managed-disk-encryption-set shortlink: https://sg.run/5e4A semgrep.dev: rule: r_id: 23991 rv_id: 946835 rule_id: KxUj8J version_id: 2KTY4GW url: https://semgrep.dev/playground/r/2KTY4GW/terraform.azure.security.azure-managed-disk-encryption-set.azure-managed-disk-encryption-set origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-managed-disk-encryption.azure-managed-disk-encryption message: Ensure Azure managed disk has encryption enabled patterns: - pattern: resource - pattern-inside: | resource "azurerm_managed_disk" "..." { ... encryption_settings { ... enabled = false ... } ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-managed-disk-encryption.azure-managed-disk-encryption shortlink: https://sg.run/Gpvp semgrep.dev: rule: r_id: 23992 rv_id: 946836 rule_id: qNUxLx version_id: X0TLZwW url: https://semgrep.dev/playground/r/X0TLZwW/terraform.azure.security.azure-managed-disk-encryption.azure-managed-disk-encryption origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days message: Ensure that Activity Log Retention is set 365 days or greater patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "azurerm_monitor_log_profile" "..." { ... retention_policy { ... enabled = true days = $DAYS ... } ... } - pattern-not-inside: | resource "azurerm_monitor_log_profile" "..." { ... retention_policy { ... enabled = false days = 0 ... } ... } - metavariable-comparison: metavariable: $DAYS comparison: $DAYS < 365 metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.security.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days shortlink: https://sg.run/ANqp semgrep.dev: rule: r_id: 23994 rv_id: 946838 rule_id: YGU2kZ version_id: 1QToZbz url: https://semgrep.dev/playground/r/1QToZbz/terraform.azure.security.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled message: Ensure that MySQL server enables infrastructure encryption patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mysql_server" "..." { ... infrastructure_encryption_enabled = true ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled shortlink: https://sg.run/Dd6Y semgrep.dev: rule: r_id: 23996 rv_id: 946840 rule_id: oqUloL version_id: yeT0vBn url: https://semgrep.dev/playground/r/yeT0vBn/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-network-watcher-flowlog-period.azure-network-watcher-flowlog-period message: Ensure that Network Security Group Flow Log retention period is 90 days or greater patterns: - pattern: resource - pattern-inside: | resource "azurerm_network_watcher_flow_log" "..." { ... retention_policy { ... enabled = true days = $DAYS ... } ... } - pattern-not-inside: | resource "azurerm_network_watcher_flow_log" "..." { ... retention_policy { ... enabled = true days = 0 ... } ... } - metavariable-comparison: metavariable: $DAYS comparison: $DAYS < 90 metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.security.azure-network-watcher-flowlog-period.azure-network-watcher-flowlog-period shortlink: https://sg.run/Kev7 semgrep.dev: rule: r_id: 23999 rv_id: 946843 rule_id: 2ZUr5w version_id: NdTqA9N url: https://semgrep.dev/playground/r/NdTqA9N/terraform.azure.security.azure-network-watcher-flowlog-period.azure-network-watcher-flowlog-period origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-postgresql-encryption-enabled.azure-postgresql-encryption-enabled message: Ensure that PostgreSQL server enables infrastructure encryption patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_server" "..." { ... infrastructure_encryption_enabled = true ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-postgresql-encryption-enabled.azure-postgresql-encryption-enabled shortlink: https://sg.run/4LXg semgrep.dev: rule: r_id: 24000 rv_id: 946844 rule_id: X5UxkJ version_id: kbTYRj6 url: https://semgrep.dev/playground/r/kbTYRj6/terraform.azure.security.azure-postgresql-encryption-enabled.azure-postgresql-encryption-enabled origin: community languages: - hcl severity: WARNING - id: ajinabraham.njsscan.crypto.crypto_node.node_md5 patterns: - pattern: | $X.createHash("md5") message: MD5 is a a weak hash which is known to have collision. Use a strong hashing function. languages: - javascript severity: WARNING metadata: owasp-web: a9 cwe: cwe-327 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.crypto_node.node_md5 shortlink: https://sg.run/PxxW semgrep.dev: rule: r_id: 43601 rv_id: 833095 rule_id: NbUEE1 version_id: RGTKGR1 url: https://semgrep.dev/playground/r/RGTKGR1/ajinabraham.njsscan.crypto.crypto_node.node_md5 origin: community - id: ajinabraham.njsscan.jwt.jwt_exposed_data.jwt_exposed_data patterns: - pattern-inside: | require('jose') ... - pattern-either: - patterns: - pattern-inside: function (...,$INPUT,...) {...} - pattern-either: - pattern: $JOSE.JWT.sign($INPUT,...) - pattern: $JWT.sign($INPUT,...) - patterns: - pattern-inside: function $F(...,$INPUT,...) {...} - pattern-either: - pattern: $JOSE.JWT.sign($INPUT,...) - pattern: $JWT.sign($INPUT,...) message: The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload. severity: WARNING metadata: owasp-web: a3 cwe: cwe-522 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_exposed_data.jwt_exposed_data shortlink: https://sg.run/nD12 semgrep.dev: rule: r_id: 43680 rv_id: 833174 rule_id: ReUdWj version_id: NdTB2Z2 url: https://semgrep.dev/playground/r/NdTB2Z2/ajinabraham.njsscan.jwt.jwt_exposed_data.jwt_exposed_data origin: community languages: - javascript - id: ajinabraham.njsscan.jwt.jwt_express_hardcoded.jwt_express_hardcoded patterns: - pattern-inside: | $JWT = require('express-jwt') ... - pattern-either: - pattern: | $JWT(<... {secret: "..."} ...>,...) - pattern: | $SECRET = "..."; ... $JWT(<... {secret: $SECRET} ...>,...) - pattern: | $OPTS = <... {secret: "..."} ...>; ... $JWT($OPTS,...) - pattern: |- $SECRET = "..."; ... $OPTS = <... {secret: $SECRET} ...>; ... $JWT($OPTS,...) message: Hardcoded JWT secret or private key was found. Store it properly in an environment variable. severity: ERROR languages: - javascript metadata: cwe: cwe-522 owasp-web: a2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.jwt.jwt_express_hardcoded.jwt_express_hardcoded shortlink: https://sg.run/EKRe semgrep.dev: rule: r_id: 43681 rv_id: 833175 rule_id: AbUxPo version_id: kbT2lDP url: https://semgrep.dev/playground/r/kbT2lDP/ajinabraham.njsscan.jwt.jwt_express_hardcoded.jwt_express_hardcoded origin: community - id: ajinabraham.njsscan.xml.xxe_node.node_xxe patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $LIBXML.parseXmlString(..., <... $REQ.$QUERY.$VAR.$FILE ...>, ...) - pattern: | $LIBXML.parseXmlString(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $LIBXML.parseXmlString(..., <... $REQ.$QUERY ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY.$VAR.$FILE ...>; ... $LIBXML.parseXmlString(..., <... $FOO ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY.$VAR ...>; ... $LIBXML.parseXmlString(..., <... $FOO ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY ...>; ... $LIBXML.parseXmlString(..., <... $FOO ...>, ...) - pattern: | $LIBXML.parseXml(..., <... $REQ.$QUERY.$VAR.$FILE ...>, ...) - pattern: | $LIBXML.parseXml(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $LIBXML.parseXml(..., <... $REQ.$QUERY ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY.$VAR.$FILE ...>; ... $LIBXML.parseXml(..., <... $FOO ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY.$VAR ...>; ... $LIBXML.parseXml(..., <... $FOO ...>, ...) - pattern: | $FOO = <... $REQ.$QUERY ...>; ... $LIBXML.parseXml(..., <... $FOO ...>, ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $PARSER.parseString(..., <... $REQ.$QUERY ...>, ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $PARSER.parseString(..., <... $REQ.$QUERY.$BAR ...>, ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $PARSER.parseString(..., <... $REQ.$QUERY.$BAR.$FILE ...>, ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $PARSER.push(..., <... $REQ.$QUERY ...>, ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $PARSER.push(..., <... $REQ.$QUERY.$FOO ...> , ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $PARSER.push(..., <... $REQ.$QUERY.$FOO.$FILE ...> , ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $FOO = <... $REQ.$QUERY ...>; ... $PARSER.parseString(..., <... $FOO ...>, ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $FOO = <... $REQ.$QUERY.$BAR ...>; ... $PARSER.parseString(..., <... $FOO ...>, ...) - pattern: | $PARSER = new libxmljs.SaxParser() ... $FOO = <... $REQ.$QUERY.$BAR.$FILE ...>; ... $PARSER.parseString(..., <... $FOO ...>, ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $FOO = <... $REQ.$QUERY ...>; ... $PARSER.push(..., <... $FOO ...>, ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $FOO = <... $REQ.$QUERY.$BAR ...>; ... $PARSER.push(..., <... $FOO ...> , ...) - pattern: | $PARSER = new libxmljs.SaxPushParser() ... $FOO = <... $REQ.$QUERY.$BAR.$FILE ...>; ... $PARSER.push(..., <... $FOO ...> , ...) message: User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities languages: - javascript severity: ERROR metadata: owasp-web: a4 cwe: cwe-611 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xxe_node.node_xxe shortlink: https://sg.run/RxEO semgrep.dev: rule: r_id: 43705 rv_id: 833199 rule_id: x8U1yp version_id: DkTG0wk url: https://semgrep.dev/playground/r/DkTG0wk/ajinabraham.njsscan.xml.xxe_node.node_xxe origin: community - id: ajinabraham.njsscan.xml.xxe_sax.xxe_sax pattern-either: - pattern: | require('sax') ... $PARSER.ondoctype = ...; - pattern: |- require('sax') ... $PARSER.on('doctype',...) severity: WARNING languages: - javascript message: Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML. metadata: owasp-web: a4 cwe: cwe-611 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.xml.xxe_sax.xxe_sax shortlink: https://sg.run/ABOp semgrep.dev: rule: r_id: 43706 rv_id: 833200 rule_id: OrUrKp version_id: WrTdp77 url: https://semgrep.dev/playground/r/WrTdp77/ajinabraham.njsscan.xml.xxe_sax.xxe_sax origin: community - id: mobsf.mobsfscan.android.word_readable_writable.world_readable patterns: - pattern-either: - pattern: | Context.MODE_WORLD_READABLE message: The file is World Readable. Any App can read from the file. languages: - java severity: WARNING metadata: cwe: cwe-276 owasp-mobile: m2 masvs: storage-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_readable shortlink: https://sg.run/XxEK semgrep.dev: rule: r_id: 43720 rv_id: 833214 rule_id: PeUKq9 version_id: 9lTJ03r url: https://semgrep.dev/playground/r/9lTJ03r/mobsf.mobsfscan.android.word_readable_writable.world_readable origin: community - id: mobsf.mobsfscan.webview.webview_javascript_interface.webview_javascript_interface patterns: - pattern-either: - pattern: | addJavascriptInterface(...) - pattern: | $W.addJavascriptInterface(...) message: Ensure that javascript interface is implemented securely. Execution of user controlled code in WebView is a critical Security issue. languages: - java severity: WARNING metadata: cwe: cwe-749 owasp-mobile: m1 masvs: platform-7 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#determining-whether-java-objects-are-exposed-through-webviews-mstg-platform-7 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_javascript_interface.webview_javascript_interface shortlink: https://sg.run/D0LY semgrep.dev: rule: r_id: 43752 rv_id: 833247 rule_id: X5Up0Y version_id: qkTQnLe url: https://semgrep.dev/playground/r/qkTQnLe/mobsf.mobsfscan.webview.webview_javascript_interface.webview_javascript_interface origin: community - id: mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe patterns: - pattern: | $X $METHOD(...) { ... new XMLDecoder(...); ... } - pattern-not: | $X $METHOD(...) { ... new XMLDecoder("..."); ... } - pattern-not: |- $X $METHOD(...) { ... String $STR = "..."; ... new XMLDecoder($STR); ... } message: | XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. severity: WARNING languages: - java metadata: cwe: cwe-611 owasp-mobile: m8 masvs: platform-2 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe shortlink: https://sg.run/WxP4 semgrep.dev: rule: r_id: 43753 rv_id: 833248 rule_id: j2Up0D version_id: l4TyOoN url: https://semgrep.dev/playground/r/l4TyOoN/mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe origin: community - id: terraform.gcp.best-practice.gcp-gke-sql-backup-configuration-enabled.gcp-gke-sql-backup-configuration-enabled patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... settings { ... backup_configuration { ... enabled = true ... } ... } ... } message: Ensure all Cloud SQL database instance have backup configuration enabled metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-sql-backup-configuration-enabled.gcp-gke-sql-backup-configuration-enabled shortlink: https://sg.run/BlqA semgrep.dev: rule: r_id: 33651 rv_id: 946884 rule_id: 2ZU5RO version_id: K3TJ4bb url: https://semgrep.dev/playground/r/K3TJ4bb/terraform.gcp.best-practice.gcp-gke-sql-backup-configuration-enabled.gcp-gke-sql-backup-configuration-enabled origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: metavariable: $ACTION pattern-either: - pattern: | "iam:AddUserToGroup" - pattern: | "iam:CreatePolicyVersion" - pattern: | "iam:SetDefaultPolicyVersion" - pattern: | "iam:AttachUserPolicy" - pattern: | "iam:AttachGroupPolicy" - pattern: | "iam:AttachRolePolicy" - pattern: | "iam:PutUserPolicy" - pattern: | "iam:PutGroupPolicy" - pattern: | "iam:PutRolePolicy" - pattern: | "glue:UpdateDevEndpoint" - pattern: | "iam:*" - pattern: | "glue:*" message: Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions. metadata: references: - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' technology: - terraform - aws subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs shortlink: https://sg.run/28y5 semgrep.dev: rule: r_id: 13563 rv_id: 946990 rule_id: x8UxLq version_id: o5TZzrP url: https://semgrep.dev/playground/r/o5TZzrP/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs origin: community languages: - hcl severity: WARNING - id: typescript.react.best-practice.react-legacy-component.react-legacy-component patterns: - pattern: | $METHOD(...) { ... } - metavariable-regex: metavariable: $METHOD regex: componentWillMount|componentWillReceiveProps|componentWillUpdate message: Legacy component lifecycle was detected - $METHOD. languages: - typescript - javascript severity: WARNING metadata: category: best-practice technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.best-practice.react-legacy-component.react-legacy-component shortlink: https://sg.run/plK3 semgrep.dev: rule: r_id: 9762 rv_id: 947015 rule_id: 9AUOdB version_id: gETeWgA url: https://semgrep.dev/playground/r/gETeWgA/typescript.react.best-practice.react-legacy-component.react-legacy-component origin: community - id: typescript.react.best-practice.react-props-in-state.react-props-in-state pattern-either: - patterns: - pattern-inside: | class $CN extends React.Component { ... } - pattern-either: - pattern: | state = {$NAME: <... this.props.$PROP ...>} - pattern: | this.state = {$NAME: <... this.props.$PROP ...>} - metavariable-regex: metavariable: $NAME regex: ^(?!default|initial).*$ - patterns: - pattern-either: - pattern-inside: | function $FN({$PROP},...) { ... } - pattern-inside: | function $FN($PROP,...) { ... } - pattern-either: - pattern: useState(<... $PROP ...>) - pattern: useState(<... $PROP.$KEY ...>) - pattern: | useState(function $X(...) { ... <... $PROP ...> ... }) - pattern: | useState(function $X(...) { ... <... $PROP.$KEY ...> ... }) - metavariable-regex: metavariable: $PROP regex: ^(?!default|initial).*$ message: Copying a prop into state in React -- this is bad practice as all updates to it are ignored. Instead, read props directly in your component and avoid copying props into state. metadata: references: - https://overreacted.io/writing-resilient-components/#principle-1-dont-stop-the-data-flow category: best-practice technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.best-practice.react-props-in-state.react-props-in-state shortlink: https://sg.run/2bZz semgrep.dev: rule: r_id: 9763 rv_id: 947016 rule_id: yyUvRJ version_id: QkTZ6dz url: https://semgrep.dev/playground/r/QkTZ6dz/typescript.react.best-practice.react-props-in-state.react-props-in-state origin: community languages: - typescript - javascript severity: WARNING - id: typescript.react.portability.i18next.i18next-key-format.i18next-key-format patterns: - pattern-either: - patterns: - pattern-either: - pattern: t('$KEY') - pattern: t('$KEY', $OPTIONS) - pattern: t([$DYNAMIC_KEY, '$KEY']) - pattern: t([$DYNAMIC_KEY, '$KEY'], $OPTIONS) - metavariable-regex: metavariable: $KEY regex: (?!^[a-z0-9-]+\.[a-z0-9-]+\.[a-zA-Z0-9_.-]+$) - patterns: - pattern-either: - pattern: t([$DYNAMIC_KEY, '$KEY']) - pattern: t([$DYNAMIC_KEY, '$KEY'], $OPTIONS) - metavariable-regex: metavariable: $DYNAMIC_KEY regex: (?!^[`][a-z0-9-]+[.][a-z0-9-]+[.]\S+$) - patterns: - pattern-either: - pattern: $I18NEXT.t('$KEY') - pattern: $I18NEXT.t('$KEY', $OPTIONS) - pattern: $I18NEXT.t([$DYNAMIC_KEY, '$KEY']) - pattern: $I18NEXT.t([$DYNAMIC_KEY, '$KEY'], $OPTIONS) - metavariable-regex: metavariable: $I18NEXT regex: (^i18n|i18next$) - metavariable-regex: metavariable: $KEY regex: (?!^[a-z0-9-]+\.[a-z0-9-]+\.[a-zA-Z0-9_.-]+$) - patterns: - pattern-either: - pattern: $I18NEXT.t([$DYNAMIC_KEY, '$KEY']) - pattern: $I18NEXT.t([$DYNAMIC_KEY, '$KEY'], $OPTIONS) - metavariable-regex: metavariable: $I18NEXT regex: (^(i18n|i18next)$) - metavariable-regex: metavariable: $DYNAMIC_KEY regex: (?!^[`][a-z0-9-]+[.][a-z0-9-]+[.]\S+$) message: Translation key '$KEY' should match format 'MODULE.FEATURE.*' languages: - typescript - javascript severity: WARNING metadata: category: portability technology: - react - mui - i18next references: - https://www.notion.so/hendyirawan/Internationalization-Localization-Policy-318c21674e5f44c48d6f136a6eb2e024 - https://mui.com/ - https://react.i18next.com/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.portability.i18next.i18next-key-format.i18next-key-format shortlink: https://sg.run/Y4oX semgrep.dev: rule: r_id: 20158 rv_id: 947018 rule_id: oqUKJr version_id: 44TZz12 url: https://semgrep.dev/playground/r/44TZz12/typescript.react.portability.i18next.i18next-key-format.i18next-key-format origin: community - id: typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n patterns: - pattern-either: - pattern: - pattern: - metavariable-regex: metavariable: $MESSAGE regex: (.*[a-zA-Z]+.*) - pattern-not: <$ELEMENT ... label="" ... /> - pattern-not: <$ELEMENT ... label={t($KEY, ...)} ... /> message: 'JSX Component label not internationalized: ''$MESSAGE''' languages: - typescript - javascript severity: WARNING metadata: category: portability technology: - react - mui - i18next references: - https://www.notion.so/hendyirawan/Internationalization-Localization-Policy-318c21674e5f44c48d6f136a6eb2e024 - https://mui.com/ - https://react.i18next.com/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n shortlink: https://sg.run/6kv6 semgrep.dev: rule: r_id: 20159 rv_id: 947019 rule_id: zdUGrY version_id: PkTQkoo url: https://semgrep.dev/playground/r/PkTQkoo/typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n origin: community - fix: js id: yaml.semgrep.consistency.lang-consistency-js.lang-consistency-js languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'js' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-js.lang-consistency-js shortlink: https://sg.run/GgLq semgrep.dev: rule: r_id: 18292 rv_id: 947080 rule_id: qNUQe3 version_id: RGTAPqW url: https://semgrep.dev/playground/r/RGTAPqW/yaml.semgrep.consistency.lang-consistency-js.lang-consistency-js origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(javascript)$ severity: WARNING - fix: solidity id: yaml.semgrep.consistency.lang-consistency-solidity.lang-consistency-solidity languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'solidity' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-solidity.lang-consistency-solidity shortlink: https://sg.run/DAgP semgrep.dev: rule: r_id: 18296 rv_id: 947084 rule_id: oqUBRD version_id: WrTEZND url: https://semgrep.dev/playground/r/WrTEZND/yaml.semgrep.consistency.lang-consistency-solidity.lang-consistency-solidity origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(sol)$ severity: WARNING - fix: ts id: yaml.semgrep.consistency.lang-consistency-ts.lang-consistency-ts languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'ts' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-ts.lang-consistency-ts shortlink: https://sg.run/Wjw2 semgrep.dev: rule: r_id: 18297 rv_id: 947085 rule_id: zdUWQZ version_id: 0bT1ErB url: https://semgrep.dev/playground/r/0bT1ErB/yaml.semgrep.consistency.lang-consistency-ts.lang-consistency-ts origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(typescript)$ severity: WARNING - id: trailofbits.yaml.github-actions.jfrog-hardcoded-credential.jfrog-hardcoded-credential message: | Found long-term access key. Instead prefer JFrog temporary OIDC security credentials languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - jfrog - artifactory - github-actions references: - https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-jfrog - https://github.com/jfrog/setup-jfrog-cli#authorization license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.jfrog-hardcoded-credential.jfrog-hardcoded-credential shortlink: https://sg.run/pKnOL semgrep.dev: rule: r_id: 150318 rv_id: 1024983 rule_id: OrUNg9p version_id: ExTNjXp url: https://semgrep.dev/playground/r/ExTNjXp/trailofbits.yaml.github-actions.jfrog-hardcoded-credential.jfrog-hardcoded-credential origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^jfrog/setup-jfrog-cli - pattern: | env: ... $VAR: ... - focus-metavariable: $VAR - metavariable-regex: metavariable: $VAR regex: ^(JF_PASSWORD|JF_ACCESS_TOKEN|JF_ENV_.+)$ - id: trailofbits.yaml.github-actions.pypi-publish-password.pypi-publish-password message: | Found long-term access key. Instead prefer PyPI trusted publishing and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - pypi - github-actions references: - https://docs.pypi.org/trusted-publishers/ - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi - https://github.com/pypa/gh-action-pypi-publish license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.pypi-publish-password.pypi-publish-password shortlink: https://sg.run/2ZlPD semgrep.dev: rule: r_id: 150319 rv_id: 1024984 rule_id: eqU0Nle version_id: 7ZTogXQ url: https://semgrep.dev/playground/r/7ZTogXQ/trailofbits.yaml.github-actions.pypi-publish-password.pypi-publish-password origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^pypa/gh-action-pypi-publish - pattern: | with: ... password: ... - id: gitlab.find_sec_bugs.XPATH_INJECTION-1 languages: - java message: | The application processes `XPath` queries with potentially malicious input. An adversary who is able to control the XPath query could potentially influence the logic of how data is retrieved, processed or even bypass protections. To protect against XPath injection, user input should be parameterized using a variable resolver. By creating a class that implements the `XPathVariableResolver` the application can ensure that the xpath query and user-supplied input are treated separately. Example implementation of an XPathVariableResolver: ``` // Create a class which implements the XPathVariableResolver interface public static class SimpleXPathVariableResolver implements XPathVariableResolver { // Use a map or lookup table to store variables for resolution private HashMap variables = new HashMap<>(); // Allow caller to set variables public void setVariable(QName name, String value) { variables.put(name, value); } // Implement the resolveVariable to return the value @Override public Object resolveVariable(QName name) { return variables.getOrDefault(name, ""); } } public static void xpathQuery(String userInput) throws ParseException, ParserConfigurationException, SAXException, IOException, XPathExpressionException { // Create our DocumentFactory DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); // Enable namespace awareness domFactory.setNamespaceAware(true); // Enable secure processing domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // Create our DocumentBuilder DocumentBuilder builder = domFactory.newDocumentBuilder(); // Parse our XML document Document doc = builder.parse("inventory.xml"); // Create a new instance of an XPath object XPath xpathProcessor = XPathFactory.newInstance().newXPath(); // Create our XPathVariableResolver SimpleXPathVariableResolver resolver = new SimpleXPathVariableResolver(); // Add user input as a variable value resolver.setVariable(new QName("author"), userInput); // Configure the processor to use our variable resolver xpathProcessor.setXPathVariableResolver(resolver); // Evaluate the XPath query String result = xpathProcessor.compile("//author[contains(., $author)]").evaluate(doc); // Work with the result // ... } ``` For more information on XPath Injection see: - https://owasp.org/www-community/attacks/XPATH_Injection metadata: shortDescription: Improper neutralization of data within XPath expressions ('XPath Injection') category: security cwe: CWE-643 primary_identifier: find_sec_bugs.XPATH_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-XPATH_INJECTION type: find_sec_bugs_type value: XPATH_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XPATH_INJECTION-1 shortlink: https://sg.run/8kv7 semgrep.dev: rule: r_id: 21240 rv_id: 835542 rule_id: OrUv05 version_id: kbT2P0y url: https://semgrep.dev/playground/r/kbT2P0y/gitlab.find_sec_bugs.XPATH_INJECTION-1 origin: community patterns: - pattern-either: - pattern-inside: import javax.xml.xpath.*; ... - pattern-inside: import javax.xml.xpath.XPath; ... - pattern-either: - patterns: - pattern: (XPath $X).compile($ARG) - pattern-not: (XPath $X).compile("...") - patterns: - pattern: (XPath $X).evaluate($ARG) - pattern-not: (XPath $X).evaluate("...") severity: ERROR - id: trailofbits.yaml.github-actions.vault-token.vault-token message: | Found long-term access key. Instead prefer Vault role assumption and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - vault - github-actions references: - https://developer.hashicorp.com/vault/docs/platform/github-actions - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault - https://github.com/hashicorp/vault-action license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.vault-token.vault-token shortlink: https://sg.run/j2n3J semgrep.dev: rule: r_id: 150321 rv_id: 1024985 rule_id: d8Urdo7 version_id: LjTQql4 url: https://semgrep.dev/playground/r/LjTQql4/trailofbits.yaml.github-actions.vault-token.vault-token origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^hashicorp/vault-action - pattern-either: - pattern: | with: ... token: ... - pattern: | env: ... VAULT_TOKEN: ... - id: go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type message: Semgrep could not determine that the argument to 'template.HTML()' is a constant. 'template.HTML()' and similar does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. Instead, do not use this function and use 'template.Execute()'. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://golang.org/pkg/html/template/#HTML - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/vulnerability/xss/xss.go#L33 category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type shortlink: https://sg.run/3xDb semgrep.dev: rule: r_id: 9143 rv_id: 1262963 rule_id: 0oU5n3 version_id: zyTb2Lz url: https://semgrep.dev/playground/r/zyTb2Lz/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type origin: community languages: - go severity: WARNING patterns: - pattern-not: template.$ANY("..." + "...") - pattern-not: template.$ANY("...") - pattern-either: - pattern: template.HTML(...) - pattern: template.CSS(...) - pattern: template.HTMLAttr(...) - pattern: template.JS(...) - pattern: template.JSStr(...) - pattern: template.Srcset(...) - pattern: template.URL(...) - id: gitlab.security_code_scan.SCS0027-1 languages: - csharp mode: taint pattern-sources: - patterns: - pattern: $SRC - pattern-inside: | public $RET $FUNC(...,$SRC,...){...} pattern-sanitizers: - pattern-either: - pattern: TryCreate(...) - pattern: Action(...) - pattern: HttpRouteUrl(...) - pattern: RouteUrl(...) pattern-sinks: - patterns: - pattern-not-inside: | if (IsLocalUrl(...)) { ... Redirect(...); ... } - pattern-not-inside: | if ($URL.IsLocalUrl(...)) { ... Redirect(...); ... } - pattern-either: - pattern: Redirect(...) - pattern: RedirectPermanent(...) - pattern: RedirectToRoute(...) - pattern: RedirectToRoutePermanent(...) - pattern: new RedirectResult(...) message: | The application may allow open redirects if created using user supplied input. Open redirects are commonly abused in phishing attacks where the original domain or URL looks like a legitimate link, but then redirects a user to a malicious site. An example would be `https://example.com/redirect?url=https://%62%61%64%2e%63%6f%6d%2f%66%61%6b%65%6c%6f%67%69%6e` which, when decoded, turns into `bad.com/fakelogin`. Never redirect a client based on user input. It is recommended that the list of target links to redirect a user to are contained server side, and retrieved using a numerical value as an index to return the link to be redirected to. For example, `/redirect?id=1` would cause the application to look up the `1` index and return a URL such as `https://example.com`. This URL would then be used to redirect the user, using the 301 response code and `Location` header. For more information on open redirects see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html metadata: shortDescription: URL redirection to untrusted site 'open redirect' category: security cwe: CWE-601 primary_identifier: security_code_scan.SCS0027-1 secondary_identifiers: - name: SCS0027 type: security_code_scan_rule_id value: SCS0027 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0027-1 shortlink: https://sg.run/DYeP semgrep.dev: rule: r_id: 31452 rv_id: 835747 rule_id: QrUE1q version_id: O9TJ7wX url: https://semgrep.dev/playground/r/O9TJ7wX/gitlab.security_code_scan.SCS0027-1 origin: community severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-connection.gcp-postgresql-log-connection patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_connections" value = "off" ... } ... } message: Ensure PostgreSQL database 'log_connections' flag is set to 'on' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-connection.gcp-postgresql-log-connection shortlink: https://sg.run/qWe7 semgrep.dev: rule: r_id: 33656 rv_id: 946889 rule_id: yyUGq6 version_id: o5TZzeB url: https://semgrep.dev/playground/r/o5TZzeB/terraform.gcp.best-practice.gcp-postgresql-log-connection.gcp-postgresql-log-connection origin: community languages: - hcl severity: WARNING - id: trailofbits.yaml.github-actions.aws-secret-key.aws-secret-key message: | Found long-term access key. Instead prefer AWS role assumption and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - aws - github-actions references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html#sec-alternatives-to-long-term-access-keys - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services - https://github.com/aws-actions/configure-aws-credentials license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.aws-secret-key.aws-secret-key shortlink: https://sg.run/6JzRB semgrep.dev: rule: r_id: 150315 rv_id: 1024980 rule_id: kxUdnEY version_id: d6TArpw url: https://semgrep.dev/playground/r/d6TArpw/trailofbits.yaml.github-actions.aws-secret-key.aws-secret-key origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^aws-actions/configure-aws-credentials - pattern-either: - pattern: | with: ... aws-secret-access-key: ... - pattern: | env: ... AWS_SECRET_ACCESS_KEY: ... - id: terraform.gcp.security.gcp-spanner-database-encrypted-with-cmk.gcp-spanner-database-encrypted-with-cmk patterns: - pattern: | resource "google_spanner_database" $ANYTHING { ... } - pattern-not-inside: | resource "google_spanner_database" $ANYTHING { ... encryption_config { ... kms_key_name = ... ... } ... } message: Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-spanner-database-encrypted-with-cmk.gcp-spanner-database-encrypted-with-cmk shortlink: https://sg.run/D6lo semgrep.dev: rule: r_id: 33708 rv_id: 946970 rule_id: eqUbq8 version_id: WrTEZPO url: https://semgrep.dev/playground/r/WrTEZPO/terraform.gcp.security.gcp-spanner-database-encrypted-with-cmk.gcp-spanner-database-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: trailofbits.yaml.github-actions.azure-principal-secret.azure-principal-secret message: | Found long-term access key. Instead prefer Azure subscription ID and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - azure - github-actions references: - https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure - https://github.com/Azure/login license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.azure-principal-secret.azure-principal-secret shortlink: https://sg.run/oqgdR semgrep.dev: rule: r_id: 150316 rv_id: 1024981 rule_id: wdU97En version_id: ZRTNQXQ url: https://semgrep.dev/playground/r/ZRTNQXQ/trailofbits.yaml.github-actions.azure-principal-secret.azure-principal-secret origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^azure/login - pattern: | with: ... creds: ... - id: terraform.gcp.security.gcp-vertexai-metadata-store-encrypted-with-cmk.gcp-vertexai-metadata-store-encrypted-with-cmk patterns: - pattern: | resource "google_vertex_ai_metadata_store" $ANYTHING { ... } - pattern-not-inside: | resource "google_vertex_ai_metadata_store" $ANYTHING { ... encryption_spec { ... kms_key_name = ... ... } ... } message: Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-vertexai-metadata-store-encrypted-with-cmk.gcp-vertexai-metadata-store-encrypted-with-cmk shortlink: https://sg.run/pDdL semgrep.dev: rule: r_id: 33718 rv_id: 946980 rule_id: QrUA2G version_id: A8TJWG5 url: https://semgrep.dev/playground/r/A8TJWG5/terraform.gcp.security.gcp-vertexai-metadata-store-encrypted-with-cmk.gcp-vertexai-metadata-store-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled languages: - yaml severity: WARNING message: Do not set FLASK_ENV to "development" since that sets `debug=True` in Flask. Use "dev" or a similar term instead. metadata: owasp: A06:2017 - Security Misconfiguration cwe: - 'CWE-489: Active Debug Code' references: - https://flask.palletsprojects.com/en/2.0.x/debugging/ - https://flask.palletsprojects.com/en/2.0.x/config/#ENV category: security technology: - kubernetes - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled shortlink: https://sg.run/y6x8 semgrep.dev: rule: r_id: 13024 rv_id: 947053 rule_id: WAUP0z version_id: ZRT3qOw url: https://semgrep.dev/playground/r/ZRT3qOw/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled origin: community patterns: - pattern-inside: | env: [...] - pattern: | {name: FLASK_ENV, value: "development"} fix-regex: regex: development replacement: dev - id: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod patterns: - pattern-inside: | spec: ... - pattern: | hostNetwork: true message: Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality. metadata: cwe: - 'CWE-406: Insufficient Control of Network Message Volume (Network Amplification)' references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces category: security technology: - kubernetes subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod shortlink: https://sg.run/E51A semgrep.dev: rule: r_id: 10237 rv_id: 947056 rule_id: EwU4NO version_id: 7ZTreWz url: https://semgrep.dev/playground/r/7ZTreWz/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.privileged-container.privileged-container pattern-either: - patterns: - pattern-inside: | containers: ... - pattern: | image: ... ... securityContext: ... privileged: true - patterns: - pattern-inside: | spec: ... - pattern-not-inside: | image: ... ... - pattern: | privileged: true message: Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability. metadata: cwe: - 'CWE-250: Execution with Unnecessary Privileges' references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html category: security technology: - kubernetes subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container shortlink: https://sg.run/Ygr5 semgrep.dev: rule: r_id: 10058 rv_id: 947059 rule_id: oqUz2p version_id: gETeWJA url: https://semgrep.dev/playground/r/gETeWJA/yaml.kubernetes.security.privileged-container.privileged-container origin: community languages: - yaml severity: WARNING - fix: bash id: yaml.semgrep.consistency.lang-consistency-bash.lang-consistency-bash languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'bash' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-bash.lang-consistency-bash shortlink: https://sg.run/gRv0 semgrep.dev: rule: r_id: 18285 rv_id: 947073 rule_id: ReUKrY version_id: K3TJ458 url: https://semgrep.dev/playground/r/K3TJ458/yaml.semgrep.consistency.lang-consistency-bash.lang-consistency-bash origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(sh)$ severity: WARNING - fix: cpp id: yaml.semgrep.consistency.lang-consistency-cpp.lang-consistency-cpp languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'cpp' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-cpp.lang-consistency-cpp shortlink: https://sg.run/Qb7Z semgrep.dev: rule: r_id: 18286 rv_id: 947074 rule_id: AbU3LZ version_id: qkT4oWJ url: https://semgrep.dev/playground/r/qkT4oWJ/yaml.semgrep.consistency.lang-consistency-cpp.lang-consistency-cpp origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(c\+\+)$ severity: WARNING - fix: csharp id: yaml.semgrep.consistency.lang-consistency-csharp.lang-consistency-csharp languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'csharp' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-csharp.lang-consistency-csharp shortlink: https://sg.run/3BgK semgrep.dev: rule: r_id: 18287 rv_id: 947075 rule_id: BYUe8g version_id: l4TxdW2 url: https://semgrep.dev/playground/r/l4TxdW2/yaml.semgrep.consistency.lang-consistency-csharp.lang-consistency-csharp origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(c\#)$ severity: WARNING - fix: dockerfile id: yaml.semgrep.consistency.lang-consistency-dockerfile.lang-consistency-dockerfile languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'dockerfile' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-dockerfile.lang-consistency-dockerfile shortlink: https://sg.run/4Dn5 semgrep.dev: rule: r_id: 18288 rv_id: 947076 rule_id: DbUGvg version_id: YDTvrA8 url: https://semgrep.dev/playground/r/YDTvrA8/yaml.semgrep.consistency.lang-consistency-dockerfile.lang-consistency-dockerfile origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(docker)$ severity: WARNING - fix: elixir id: yaml.semgrep.consistency.lang-consistency-elixir.lang-consistency-elixir languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'elixir' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-elixir.lang-consistency-elixir shortlink: https://sg.run/PY7z semgrep.dev: rule: r_id: 18289 rv_id: 947077 rule_id: WAUdj9 version_id: JdTDP62 url: https://semgrep.dev/playground/r/JdTDP62/yaml.semgrep.consistency.lang-consistency-elixir.lang-consistency-elixir origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(ex)$ severity: WARNING - fix: go id: yaml.semgrep.consistency.lang-consistency-go.lang-consistency-go languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'go' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-go.lang-consistency-go shortlink: https://sg.run/Jg7y semgrep.dev: rule: r_id: 18290 rv_id: 947078 rule_id: 0oUw9N version_id: 5PT94px url: https://semgrep.dev/playground/r/5PT94px/yaml.semgrep.consistency.lang-consistency-go.lang-consistency-go origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(golang)$ severity: WARNING - id: trailofbits.yaml.github-actions.gcp-credentials-json.gcp-credentials-json message: | Found long-term access key. Instead prefer GCP workload identity federation and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - gcp - github-actions references: - https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform - https://github.com/google-github-actions/auth license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.gcp-credentials-json.gcp-credentials-json shortlink: https://sg.run/zdneW semgrep.dev: rule: r_id: 150317 rv_id: 1024982 rule_id: x8UK7Ep version_id: nWTPx0O url: https://semgrep.dev/playground/r/nWTPx0O/trailofbits.yaml.github-actions.gcp-credentials-json.gcp-credentials-json origin: community patterns: - pattern-inside: | uses: "$ACTION" ... - metavariable-regex: metavariable: $ACTION regex: ^google-github-actions/auth - pattern: | with: ... credentials_json: ... - id: bash.lang.best-practice.iteration-over-ls-output.iteration-over-ls-output patterns: - pattern: | for $VAR in $LIST; do ... done - pattern: | $(ls ...) message: Iterating over ls output is fragile. Use globs, e.g. 'dir/*' instead of '$(ls dir)'. metadata: references: - https://github.com/koalaman/shellcheck/wiki/SC2045 category: best-practice technology: - bash license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/bash.lang.best-practice.iteration-over-ls-output.iteration-over-ls-output shortlink: https://sg.run/AXoB semgrep.dev: rule: r_id: 14806 rv_id: 945158 rule_id: zdUYO9 version_id: JdTDy6W url: https://semgrep.dev/playground/r/JdTDy6W/bash.lang.best-practice.iteration-over-ls-output.iteration-over-ls-output origin: community severity: WARNING languages: - bash - id: gitlab.find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 languages: - java message: | Beyond using an SSL socket, you need to make sure your use of SSLSocketFactory does all the appropriate certificate validation checks to make sure you are not subject to man-in-the-middle attacks. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly. metadata: cwe: CWE-319 shortDescription: Cleartext Transmission of Sensitive Information primary_identifier: find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 secondary_identifiers: - name: Find Security Bugs-UNENCRYPTED_SOCKET type: find_sec_bugs_type value: UNENCRYPTED_SOCKET - name: Find Security Bugs-UNENCRYPTED_SERVER_SOCKET type: find_sec_bugs_type value: UNENCRYPTED_SERVER_SOCKET license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 shortlink: https://sg.run/4k1Z semgrep.dev: rule: r_id: 21188 rv_id: 835494 rule_id: nJUn7D version_id: yeTNgbz url: https://semgrep.dev/playground/r/yeTNgbz/gitlab.find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 origin: community patterns: - pattern: new java.net.Socket(...) severity: WARNING - id: gitlab.find_sec_bugs.LDAP_ANONYMOUS-1 languages: - java patterns: - pattern-inside: | import javax.naming.Context; ... - pattern: $ENV.put(Context.SECURITY_AUTHENTICATION, "none"); message: | The application does not provide authentication when communicating an LDAP server. It is strongly recommended that the LDAP server be configured with authentication and restrict what queries users can execute. Example code that authenticates with a remote LDAP server and encodes any user-supplied input: ``` // Create a properties to hold the ldap connection details Properties props = new Properties(); // Use the com.sun.jndi.ldap.LdapCtxFactory factory provider props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // The LDAP server URL props.put(Context.PROVIDER_URL, "ldap://ldap.example.org:3889"); // User details for the connection props.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=org"); // LDAP account password String ldapAccountPassword = getAccountPasswordFromSecureStoreOrKMS(); // Pass in the LDAP password props.put(Context.SECURITY_CREDENTIALS, ldapAccountPassword); // Create the LDAPContext InitialDirContext ldapContext = new InitialDirContext(props); // Example using SUBTREE_SCOPE SearchControls SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); // Get user input for query String userQuery = someUserInput; // Use searchArguments to hold the user-supplied input Object[] searchArguments = new Object[]{userQuery}; // Hardcode the BaseDN, use the {0} format specifier to use the searchArguments array value, and pass in the search controls. // searchArguments automatically encode NamingEnumeration answer = ldapContext.search("dc=example,dc=org", "(cn={0})", searchArguments, searchControls); // Process the response answer while (answer.hasMoreElements()) { ... } ``` For information on enabling authentication, please see your LDAP server's documentation. For more information on LDAP Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html metadata: shortDescription: Missing authentication for critical function (LDAP) category: security cwe: CWE-306 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures security-severity: High primary_identifier: find_sec_bugs.LDAP_ANONYMOUS-1 secondary_identifiers: - name: Find Security Bugs-LDAP_ANONYMOUS type: find_sec_bugs_type value: LDAP_ANONYMOUS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.LDAP_ANONYMOUS-1 shortlink: https://sg.run/0Wrb semgrep.dev: rule: r_id: 21210 rv_id: 920189 rule_id: PeUjLD version_id: ExT1WAv url: https://semgrep.dev/playground/r/ExT1WAv/gitlab.find_sec_bugs.LDAP_ANONYMOUS-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1 languages: - java message: | "The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/23.html for more information." metadata: category: security cwe: CWE-22 shortDescription: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') technology: - java primary_identifier: find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1 secondary_identifiers: - name: Find Security Bugs-PT_RELATIVE_PATH_TRAVERSAL type: find_sec_bugs_type value: PT_RELATIVE_PATH_TRAVERSAL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1 shortlink: https://sg.run/De5j semgrep.dev: rule: r_id: 21208 rv_id: 835514 rule_id: qNUpqY version_id: 44TQqN3 url: https://semgrep.dev/playground/r/44TQqN3/gitlab.find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) - pattern-either: - pattern-inside: new java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: new java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: new java.io.FileReader(...) - pattern: new javax.activation.FileDataSource(...) - pattern: new java.io.FileInputStream(...) - pattern: new java.io.File(...) - pattern: java.nio.file.Paths.get(...) - pattern: java.io.File.createTempFile(...) - pattern: java.io.File.createTempDirectory(...) - pattern: java.nio.file.Files.createTempFile(...) - pattern: java.nio.file.Files.createTempDirectory(...) - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - patterns: - pattern-inside: | $P = (HttpServletRequest $REQ).getParameter(...); ... - pattern-either: - pattern: $P + ... - pattern: '... + $P' severity: WARNING - id: gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 languages: - java message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using `PreparedStatement` queries: ``` // Some userInput String userInput = "someUserInput"; // Your connection string String url = "..."; // Get a connection from the DB via the DriverManager Connection conn = DriverManager.getConnection(url); // Create a prepared statement PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?"); // Set each parameters value by the index (starting from 1) st.setString(1, userInput); // Execute query and get the result set ResultSet rs = st.executeQuery(); // Iterate over results while (rs.next()) { // Get result for this row at the provided column number (starting from 1) String result = rs.getString(1); // ... } // Close the ResultSet rs.close(); // Close the PreparedStatement st.close(); ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html metadata: shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') category: security cwe: CWE-89 primary_identifier: find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 secondary_identifiers: - name: Find Security Bugs-SQL_INJECTION_SPRING_JDBC type: find_sec_bugs_type value: SQL_INJECTION_SPRING_JDBC - name: Find Security Bugs-SQL_INJECTION_JPA type: find_sec_bugs_type value: SQL_INJECTION_JPA - name: Find Security Bugs-SQL_INJECTION_JDO type: find_sec_bugs_type value: SQL_INJECTION_JDO - name: Find Security Bugs-SQL_INJECTION_JDBC type: find_sec_bugs_type value: SQL_INJECTION_JDBC - name: Find Security Bugs-SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE type: find_sec_bugs_type value: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE - name: Find Security Bugs-SQL_INJECTION type: find_sec_bugs_type value: SQL_INJECTION - name: Find Security Bugs-SQL_INJECTION_HIBERNATE type: find_sec_bugs_type value: SQL_INJECTION_HIBERNATE - name: Find Security Bugs-SQL_INJECTION_VERTX type: find_sec_bugs_type value: SQL_INJECTION_VERTX - name: Find Security Bugs-SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING type: find_sec_bugs_type value: SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 shortlink: https://sg.run/W9PA semgrep.dev: rule: r_id: 47609 rv_id: 835515 rule_id: L1Udoq version_id: PkTxGwA url: https://semgrep.dev/playground/r/PkTxGwA/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 origin: community patterns: - pattern-not-inside: | final String $ARG = ...; ... - pattern-not-inside: | class $CLAZZ { ... final String $ARG = ...; ... } - pattern-either: - patterns: - pattern: (javax.jdo.PersistenceManager $PM).newQuery($ARG) - pattern-not: (javax.jdo.PersistenceManager $PM).newQuery("...") - patterns: - pattern: (javax.jdo.PersistenceManager $PM).newQuery(..., $ARG) - pattern-not: (javax.jdo.PersistenceManager $PM).newQuery(..., "...") - patterns: - pattern: (javax.jdo.Query $Q).setFilter($ARG) - pattern-not: (javax.jdo.Query $Q).setFilter("...") - patterns: - pattern: (javax.jdo.Query $Q).setGrouping($ARG) - pattern-not: (javax.jdo.Query $Q).setGrouping("...") - patterns: - pattern: (javax.jdo.Query $Q).setGrouping($ARG) - pattern-not: (javax.jdo.Query $Q).setGrouping("...") - patterns: - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($ARG, ...) - pattern-not: org.hibernate.criterion.Restrictions.sqlRestriction("...", ...) - patterns: - pattern: (org.hibernate.Session $S).createQuery((String $ARG), ...) - pattern-not: (org.hibernate.Session $S).createQuery("...", ...) - patterns: - pattern: (org.hibernate.Session $S).createSQLQuery($ARG, ...) - pattern-not: (org.hibernate.Session $S).createSQLQuery("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeQuery($ARG, ...) - pattern-not: (java.sql.Statement $S).createSQLQuery("...", ...) - patterns: - pattern: (java.sql.Statement $S).execute($ARG, ...) - pattern-not: (java.sql.Statement $S).execute("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeUpdate($ARG, ...) - pattern-not: (java.sql.Statement $S).executeUpdate("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeLargeUpdate($ARG, ...) - pattern-not: (java.sql.Statement $S).executeLargeUpdate("...", ...) - patterns: - pattern: (java.sql.Statement $S).addBatch($ARG, ...) - pattern-not: (java.sql.Statement $S).addBatch("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeQuery($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeQuery("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).execute($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).execute("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeUpdate($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeUpdate("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeLargeUpdate($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeLargeUpdate("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).addBatch($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).addBatch("...", ...) - patterns: - pattern: (java.sql.Connection $S).prepareCall($ARG, ...) - pattern-not: (java.sql.Connection $S).prepareCall("...", ...) - patterns: - pattern: (java.sql.Connection $S).prepareStatement($ARG, ...) - pattern-not: (java.sql.Connection $S).prepareStatement("...", ...) - patterns: - pattern: (java.sql.Connection $S).nativeSQL($ARG, ...) - pattern-not: (java.sql.Connection $S).nativeSQL("...", ...) - patterns: - pattern: new org.springframework.jdbc.core.PreparedStatementCreatorFactory($ARG, ...) - pattern-not: new org.springframework.jdbc.core.PreparedStatementCreatorFactory("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator($ARG, ...) - pattern-not: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).batchUpdate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).batchUpdate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).execute($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).execute("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).query($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).query("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForList($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForList("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForMap($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForMap("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForRowSet($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForRowSet("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForInt($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForInt("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForLong($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForLong("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).udpate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).udpate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).batchUpdate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).batchUpdate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).execute($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).execute("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).query($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).query("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForList($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForList("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForMap($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForMap("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForRowSet($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForRowSet("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForInt($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForInt("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForLong($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForLong("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).update($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).update("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlClient $O).query($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlClient $O).query("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlClient $O).preparedQuery("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlConnection $O).prepare("...", ...) - patterns: - pattern: (org.apache.turbine.om.peer.BasePeer $O).executeQuery($ARG, ...) - pattern-not: (org.apache.turbine.om.peer.BasePeer $O).executeQuery("...", ...) - patterns: - pattern: (org.apache.torque.util.BasePeer $O).executeQuery($ARG, ...) - pattern-not: (org.apache.torque.util.BasePeer $O).executeQuery("...", ...) - patterns: - pattern: (javax.persistence.EntityManager $O).createQuery($ARG, ...) - pattern-not: (javax.persistence.EntityManager $O).createQuery("...", ...) - patterns: - pattern: (javax.persistence.EntityManager $O).createNativeQuery($ARG, ...) - pattern-not: (javax.persistence.EntityManager $O).createNativeQuery("...", ...) severity: ERROR - id: gitlab.find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1 languages: - java message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') primary_identifier: find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1 secondary_identifiers: - name: Find Security Bugs-XXE_XPATH type: find_sec_bugs_type value: XXE_XPATH - name: Find Security Bugs-XXE_DOCUMENT type: find_sec_bugs_type value: XXE_DOCUMENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1 shortlink: https://sg.run/AL44 semgrep.dev: rule: r_id: 21250 rv_id: 835553 rule_id: gxUk44 version_id: LjTEeD3 url: https://semgrep.dev/playground/r/LjTEeD3/gitlab.find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1 origin: community patterns: - pattern-inside: | $DF = df.newDocumentBuilder(); ... - pattern-not-inside: | $DF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... - pattern-not-inside: | $DF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); ... - pattern-not-inside: | $DF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ... - pattern-not-inside: | $DF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... - pattern: $SF.newDocumentBuilder(...) severity: ERROR - id: trailofbits.yaml.github-actions.rubygems-publish-key.rubygems-publish-key message: | Found long-term access key. Instead prefer RubyGems trusted publishing and temporary OIDC security credentials. languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: LOW impact: MEDIUM technology: - rubygems - github-actions references: - https://guides.rubygems.org/trusted-publishing/ - https://guides.rubygems.org/api-key-scopes/#usage-with-gem-cli - https://github.com/rubygems/release-gem license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.yaml.github-actions.rubygems-publish-key.rubygems-publish-key shortlink: https://sg.run/X5pKb semgrep.dev: rule: r_id: 150320 rv_id: 943214 rule_id: v8UY7EL version_id: d6TPQ4X url: https://semgrep.dev/playground/r/d6TPQ4X/trailofbits.yaml.github-actions.rubygems-publish-key.rubygems-publish-key origin: community pattern: GEM_HOST_API_KEY - id: gitlab.flawfinder.equal-1.mismatch-1.is_permutation-1 languages: - c message: | This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function: (std::equal, std::mismatch or std::is_permutation) that checks the second iterator before potentially reading past its bounds. For more information please see: https://en.cppreference.com/w/cpp/algorithm metadata: shortDescription: Function does not check the second iterator for over-read conditions cwe: CWE-126 primary_identifier: flawfinder.equal-1.mismatch-1.is_permutation-1 secondary_identifiers: - name: Flawfinder - equal type: flawfinder_func_name value: equal - name: Flawfinder - mismatch type: flawfinder_func_name value: mismatch - name: Flawfinder - is_permutation type: flawfinder_func_name value: is_permutation license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.equal-1.mismatch-1.is_permutation-1 shortlink: https://sg.run/xewe semgrep.dev: rule: r_id: 13030 rv_id: 835647 rule_id: JDUQ8Q version_id: e1TDKo7 url: https://semgrep.dev/playground/r/e1TDKo7/gitlab.flawfinder.equal-1.mismatch-1.is_permutation-1 origin: community pattern-either: - pattern: equal(...) - pattern: mismatch(...) - pattern: is_permutation(...) severity: INFO - id: dgryski.semgrep-go.errnilcheck.err-nil-check patterns: - pattern-either: - pattern: | if err != nil { return err } return nil - pattern: | if err != nil { return $X, err } return $X, nil message: superfluous nil err check before return languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.errnilcheck.err-nil-check shortlink: https://sg.run/5Qd6 semgrep.dev: rule: r_id: 8691 rv_id: 833037 rule_id: AbUzyv version_id: GxTDE6y url: https://semgrep.dev/playground/r/GxTDE6y/dgryski.semgrep-go.errnilcheck.err-nil-check origin: community - id: terraform.azure.best-practice.azure-appservice-php-version.azure-appservice-php-version message: Ensure that PHP version is the latest, if used to run the web app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ... php_version = "7.4" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-php-version.azure-appservice-php-version shortlink: https://sg.run/DdKY semgrep.dev: rule: r_id: 23908 rv_id: 946746 rule_id: wdUnpW version_id: O9TXGj0 url: https://semgrep.dev/playground/r/O9TXGj0/terraform.azure.best-practice.azure-appservice-php-version.azure-appservice-php-version origin: community languages: - hcl severity: INFO - id: generic.secrets.gitleaks.cloudflare-api-key.cloudflare-api-key message: A gitleaks cloudflare-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-api-key.cloudflare-api-key shortlink: https://sg.run/WA9P4 semgrep.dev: rule: r_id: 132809 rv_id: 1262700 rule_id: DbU6oZX version_id: l4TJRyG url: https://semgrep.dev/playground/r/l4TJRyG/generic.secrets.gitleaks.cloudflare-api-key.cloudflare-api-key origin: community patterns: - pattern-regex: (?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key message: A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key shortlink: https://sg.run/0oxwv semgrep.dev: rule: r_id: 132810 rv_id: 1262701 rule_id: WAUW5AJ version_id: YDTZel9 url: https://semgrep.dev/playground/r/YDTZel9/generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key origin: community patterns: - pattern-regex: (?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key message: A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key shortlink: https://sg.run/KxKZ7 semgrep.dev: rule: r_id: 132811 rv_id: 1262702 rule_id: 0oULkY9 version_id: JdTzxlr url: https://semgrep.dev/playground/r/JdTzxlr/generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key origin: community patterns: - pattern-regex: \b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.asana-client-id.asana-client-id message: A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.asana-client-id.asana-client-id shortlink: https://sg.run/vQZY semgrep.dev: rule: r_id: 44677 rv_id: 1262689 rule_id: nJU58J version_id: JdTzxl2 url: https://semgrep.dev/playground/r/JdTzxl2/generic.secrets.gitleaks.asana-client-id.asana-client-id origin: community patterns: - pattern-regex: (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id message: A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id shortlink: https://sg.run/OpkL semgrep.dev: rule: r_id: 44675 rv_id: 1262687 rule_id: d8UOQ3 version_id: 44TEjQG url: https://semgrep.dev/playground/r/44TEjQG/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id origin: community patterns: - pattern-regex: (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token message: A gitleaks dynatrace-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token shortlink: https://sg.run/AGv8 semgrep.dev: rule: r_id: 44706 rv_id: 1262723 rule_id: j2UGvl version_id: 9lT4bAy url: https://semgrep.dev/playground/r/9lT4bAy/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token origin: community patterns: - pattern-regex: dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64} - id: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding metadata: functional-categories: - crypto::search::mode::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING references: - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java - kotlin subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding shortlink: https://sg.run/DoOj semgrep.dev: rule: r_id: 9196 rv_id: 1263003 rule_id: AbUzoj version_id: l4TJRpK url: https://semgrep.dev/playground/r/l4TJRpK/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding origin: community message: Using RSA without OAEP mode weakens the encryption. severity: WARNING languages: - java - kt pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/") - id: generic.secrets.gitleaks.yandex-api-key.yandex-api-key message: A gitleaks yandex-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.yandex-api-key.yandex-api-key shortlink: https://sg.run/lQxy semgrep.dev: rule: r_id: 44813 rv_id: 1262853 rule_id: NbUvY5 version_id: DkTRbYG url: https://semgrep.dev/playground/r/DkTRbYG/generic.secrets.gitleaks.yandex-api-key.yandex-api-key origin: community patterns: - pattern-regex: (?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers pattern: $CONTEXT.set_ciphers(...) message: The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel. metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' asvs: section: V9 Communications Verification Requirements control_id: 9.1.3 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements version: '4' references: - https://docs.python.org/3/library/ssl.html#cipher-selection - https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers category: security technology: - ssl subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers shortlink: https://sg.run/0Q0v semgrep.dev: rule: r_id: 9654 rv_id: 1263487 rule_id: oqUeYJ version_id: nWT2Lbb url: https://semgrep.dev/playground/r/nWT2Lbb/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers origin: community languages: - python severity: WARNING - id: dgryski.semgrep-go.sprinterr.use-err-error patterns: - pattern-not: | if err != nil { ..., err = ... <... fmt.Sprint(err) ...> } - pattern-not: | if err != nil { err = ... <... fmt.Sprint(err) ...> } - pattern-either: - pattern: | if err != nil { ... <... fmt.Sprint(err) ...> } - pattern: | if err == nil { ... return ... } ... <... fmt.Sprint(err) ...> - pattern: | if err != nil { ... <... fmt.Sprintf("%s", err) ...> } - pattern: | if err == nil { ... return ... } ... <... fmt.Sprintf("%s", err) ...> - pattern: | if err != nil { ... <... fmt.Sprintf("%v", err) ...> } - pattern: | if err == nil { ... return ... } ... <... fmt.Sprintf("%v", err) ...> message: Use err.Error() instead languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.sprinterr.use-err-error shortlink: https://sg.run/l2AB semgrep.dev: rule: r_id: 8713 rv_id: 833086 rule_id: kxUk9d version_id: 8KTGkyk url: https://semgrep.dev/playground/r/8KTGkyk/dgryski.semgrep-go.sprinterr.use-err-error origin: community - id: dgryski.semgrep-go.timeafter.leaky-time-after patterns: - pattern-either: - pattern: | for { ... select { case <- time.After(...): ... } ... } message: 'Leaky use of time.After in for-select, see: https://groups.google.com/g/golang-nuts/c/cCdm0Ixwi9A/m/jMiJJScAEAAJ' languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.timeafter.leaky-time-after shortlink: https://sg.run/dgrQ semgrep.dev: rule: r_id: 11478 rv_id: 833087 rule_id: 10UZDl version_id: gETy2OX url: https://semgrep.dev/playground/r/gETy2OX/dgryski.semgrep-go.timeafter.leaky-time-after origin: community - id: dgryski.semgrep-go.writestring.use-write-not-fprint patterns: - pattern: fmt.Fprint($W, string($VAR)) message: use $W.Write($VAR) instead of fmt.Fprint when $VAR is []byte languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.writestring.use-write-not-fprint shortlink: https://sg.run/gAP5 semgrep.dev: rule: r_id: 28085 rv_id: 833091 rule_id: DbURLY version_id: PkTxrdg url: https://semgrep.dev/playground/r/PkTxrdg/dgryski.semgrep-go.writestring.use-write-not-fprint origin: community - id: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http fix-regex: regex: '[Hh][Tt][Tt][Pp]://' replacement: https:// count: 1 message: Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead. metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' asvs: section: V9 Communications Verification Requirements control_id: 9.1.1 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements version: '4' category: security technology: - requests references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http shortlink: https://sg.run/W8J4 semgrep.dev: rule: r_id: 9653 rv_id: 1263486 rule_id: 6JUjpG version_id: ZRTKA9v url: https://semgrep.dev/playground/r/ZRTKA9v/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http origin: community languages: - python severity: INFO options: symbolic_propagation: true mode: taint pattern-sources: - patterns: - pattern: | "$URL" - metavariable-pattern: metavariable: $URL language: regex patterns: - pattern-regex: http:// - pattern-not-regex: .*://localhost - pattern-not-regex: .*://127\.0\.0\.1 pattern-sinks: - patterns: - pattern-either: - pattern: requests.$W($SINK, ...) - pattern: requests.request($METHOD, $SINK, ...) - pattern: requests.Request($METHOD, $SINK, ...) - focus-metavariable: $SINK - id: generic.secrets.gitleaks.yandex-access-token.yandex-access-token message: A gitleaks yandex-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.yandex-access-token.yandex-access-token shortlink: https://sg.run/qQqz semgrep.dev: rule: r_id: 44812 rv_id: 1262852 rule_id: bwUPN4 version_id: BjTkZpz url: https://semgrep.dev/playground/r/BjTkZpz/generic.secrets.gitleaks.yandex-access-token.yandex-access-token origin: community patterns: - pattern-regex: (?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.easypost-api-token.easypost-api-token message: A gitleaks easypost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.easypost-api-token.easypost-api-token shortlink: https://sg.run/BRk2 semgrep.dev: rule: r_id: 44707 rv_id: 1262724 rule_id: 10UJKb version_id: yeTxpD2 url: https://semgrep.dev/playground/r/yeTxpD2/generic.secrets.gitleaks.easypost-api-token.easypost-api-token origin: community patterns: - pattern-regex: \bEZAK(?i)[a-z0-9]{54} - id: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_template_injection.rb owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown category: security technology: - rails cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation shortlink: https://sg.run/L01L semgrep.dev: rule: r_id: 9739 rv_id: 1263638 rule_id: 4bUzR9 version_id: w8TRoY6 url: https://semgrep.dev/playground/r/w8TRoY6/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation origin: community message: Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'. languages: - ruby severity: WARNING pattern: ERB.new(...) - id: ajinabraham.njsscan.crypto.tls_node.node_tls_reject patterns: - pattern-either: - pattern: | $X.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' - pattern: | $X.env['NODE_TLS_REJECT_UNAUTHORIZED']= '0' message: Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour. languages: - javascript severity: ERROR metadata: owasp-web: a6 cwe: cwe-295 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.crypto.tls_node.node_tls_reject shortlink: https://sg.run/D03o semgrep.dev: rule: r_id: 43608 rv_id: 833102 rule_id: d8UEOj version_id: qkTQnRb url: https://semgrep.dev/playground/r/qkTQnRb/ajinabraham.njsscan.crypto.tls_node.node_tls_reject origin: community - id: ajinabraham.njsscan.database.sequelize_tls.sequelize_tls message: | The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks. languages: - javascript severity: WARNING metadata: owasp-web: a6 cwe: cwe-319 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.database.sequelize_tls.sequelize_tls shortlink: https://sg.run/q3Qy semgrep.dev: rule: r_id: 43612 rv_id: 833106 rule_id: 7KUwJW version_id: o5TBEbK url: https://semgrep.dev/playground/r/o5TBEbK/ajinabraham.njsscan.database.sequelize_tls.sequelize_tls origin: community patterns: - pattern: | { host: $HOST, database: $DATABASE, dialect: $DIALECT } - pattern-not: | { host: $HOST, database: $DATABASE, dialect: "postgres", dialectOptions: { ssl: true } } - pattern-not: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: { ... } } } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres|oracle)[''"]' - id: ajinabraham.njsscan.dos.regex_injection.regex_injection_dos patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = <... $REQ.$PARAM ...>; ... $RE = new RegExp(<... $INP ...>) - pattern: | $INP = <... $REQ.$PARAM.$BAR ...>; ... $RE = new RegExp(<... $INP ...>) - pattern: | new RegExp(<... $REQ.$PARAM ...>) - pattern: | new RegExp(<... $REQ.$PARAM.$BAR ...>) - pattern: | $INP = <... $REQ.$PARAM ...>; ... $RE = $STR.search(<... $INP ...>) - pattern: | $INP = <... $REQ.$PARAM.$FOO ...>; ... $RE = $STR.search(<... $INP ...>) - pattern: | $STR.search(<... $REQ.$PARAM ...>) - pattern: | $STR.search(<... $REQ.$PARAM.$BAR ...>) - pattern: | $INP = <... $REQ.$PARAM ...>; ... $RE = $STR.match(<... $INP ...>) - pattern: | $INP = <... $REQ.$PARAM.$FOO ...>; ... $RE = $STR.match(<... $INP ...>) - pattern: | $STR.match(<... $REQ.$PARAM ...>) - pattern: | $STR.match(<... $REQ.$PARAM.$BAR ...>) - pattern: | $INP = <... $REQ.$PARAM ...>; ... $RE = $STR.split(<... $INP ...>) - pattern: | $INP = <... $REQ.$PARAM.$FOO ...>; ... $RE = $STR.split(<... $INP ...>) - pattern: | $STR.split(<... $REQ.$PARAM ...>) - pattern: | $STR.split(<... $REQ.$PARAM.$BAR ...>) message: User controlled data in RegExp() can make the application vulnerable to layer 7 DoS. If user input is used to create a regular expression without validation, it can be exploited to create a complex regular expression that takes an excessive amount of time to evaluate. This can lead to a Denial of Service (DoS) attack where the application becomes unresponsive. Even if a ReDoS attack is not intended, poorly crafted or complex regular expressions from user input can cause performance issues that impact the responsiveness of an application. Always sanitize and validate user input to ensure that only safe, expected characters are used in the pattern. This can be done by whitelisting known safe characters and escaping potentially harmful ones. languages: - javascript severity: ERROR metadata: owasp-web: a1 cwe: cwe-400 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.dos.regex_injection.regex_injection_dos shortlink: https://sg.run/Xx3b semgrep.dev: rule: r_id: 43620 rv_id: 930057 rule_id: JDU4On version_id: BjTK9J5 url: https://semgrep.dev/playground/r/BjTK9J5/ajinabraham.njsscan.dos.regex_injection.regex_injection_dos origin: community - id: ajinabraham.njsscan.traversal.path_traversal.generic_path_traversal patterns: - pattern-either: - pattern-inside: | require('http') ... - pattern-inside: | require('express') ... - pattern-inside: | require('koa') ... - pattern-inside: | require('electron') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $X.createReadStream(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $X.createReadStream(..., <... $REQ.$QUERY ...>, ...) - pattern: | $X.readFile(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $X.readFile(..., <... $REQ.$QUERY ...>, ...) - pattern: | $X.readFileSync(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $X.readFileSync(..., <... $REQ.$QUERY ...>, ...) - pattern: | $X.readFileAsync(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $X.readFileAsync(..., <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $X.createReadStream(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $X.createReadStream(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $X.readFile(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $X.readFile(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $X.readFileSync(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $X.readFileSync(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $X.readFileAsync(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $X.readFileAsync(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY.$VAR; ... $INP = <... $Y ...>; ... $X.createReadStream(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY; ... $INP = <... $Y ...>; ... $X.createReadStream(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY.$VAR; ... $INP = <... $Y ...>; ... $X.readFile(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY; ... $INP = <... $Y ...>; ... $X.readFile(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY.$VAR; ... $INP = <... $Y ...>; ... $X.readFileSync(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY; ... $INP = <... $Y ...>; ... $X.readFileSync(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY.$VAR; ... $INP = <... $Y ...>; ... $X.readFileAsync(..., <... $INP ...>, ...) - pattern: | $Y = $REQ.$QUERY; ... $INP = <... $Y ...>; ... $X.readFileAsync(..., <... $INP ...>, ...) message: Untrusted user input in createReadStream()/readFile()/readFileSync()/readFileAsync() can end up in Directory Traversal Attack. A Directory Traversal Attack (also known as Path Traversal Attack) is a type of security vulnerability that occurs when an attacker is able to access files or directories on a server that are outside the intended directory structure. This attack leverages insufficient validation or sanitization of user inputs in applications that interact with the file system. Strictly validate user inputs. Ensure that user-supplied paths do not include sequences like ../ or ..\\ that could traverse directories. In Node.js, use the path module to safely handle and resolve file paths. The path.normalize() function can be used to ensure that paths do not go outside the intended directory. languages: - javascript severity: ERROR metadata: owasp-web: a5 cwe: cwe-23 license: LGPL-3.0-or-later vulnerability_class: - Other source: https://semgrep.dev/r/ajinabraham.njsscan.traversal.path_traversal.generic_path_traversal shortlink: https://sg.run/4oOl semgrep.dev: rule: r_id: 43700 rv_id: 930059 rule_id: r6UXR2 version_id: WrTYRGL url: https://semgrep.dev/playground/r/WrTYRGL/ajinabraham.njsscan.traversal.path_traversal.generic_path_traversal origin: community - id: gitlab.eslint.detect-child-process languages: - javascript - typescript patterns: - pattern: child_process.exec(...) - pattern-not: child_process.exec('...') severity: WARNING message: | OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not: - Use user-supplied information in the process name to execute. - Use user-supplied information in an OS command execution function which does not escape shell meta-characters. - Use user-supplied information in arguments to OS commands. The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third-party commands. When specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: ``` const child_process = require('child_process'); const fs = require('fs'); const crypto = require('node:crypto'); const { mkdtempSync } = require('node:fs'); function executeCommand(userFileData) { // Create a temporary directory, preferably in an application directory // that only the application has access to. const fileDir = mkdtempSync('/tmp/tmpdir-'); // Generate a random filename, do not use user input const filePath = fileDir + path.sep + crypto.randomUUID(); // Write the user-supplied data to the temporary file. fs.writeFileSync(filePath, userFileData); // Execute a program with a hardcoded path to the binary child_process.exec(`/bin/cat ${filePath}`, (error, stdout, stderr) => { // Delete the temporary directory and file if no longer needed fs.rmSync(fileDir, { recursive: true, force: true }); if (error) { console.error(`exec error: ${error}`); return; } console.log(`stdout: ${stdout}`); console.error(`stderr: ${stderr}`); }); } ``` For more information on OS command injection, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html Detected non-literal calls to child_process.exec(). This could lead to a command injection vulnerability. metadata: cwe: CWE-95 owasp: A1:2017-Injection shortDescription: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') category: security source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js primary_identifier: eslint.detect-child-process secondary_identifiers: - name: ESLint rule ID/detect-child-process type: eslint_rule_id value: detect-child-process license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-child-process shortlink: https://sg.run/nqRr semgrep.dev: rule: r_id: 11580 rv_id: 835458 rule_id: 9AUODZ version_id: PkTxG74 url: https://semgrep.dev/playground/r/PkTxG74/gitlab.eslint.detect-child-process origin: community - id: gitlab.find_sec_bugs.HTTPONLY_COOKIE-1 languages: - java pattern-either: - patterns: - pattern: | javax.servlet.http.Cookie $C = new Cookie(..., ...); ... (HttpServletResponse $RESP).addCookie($C); - pattern-not-inside: | javax.servlet.http.Cookie $C = new Cookie(..., ...); ... $C.setHttpOnly(true); ... (HttpServletResponse $RESP).addCookie($C); - pattern: (javax.servlet.http.Cookie $C).setHttpOnly(false); message: | The `HttpOnly` attribute when set to `true` protects the cookie value from being accessed by client side JavaScript such as reading the `document.cookie` values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript. Example of protecting a `Cookie`: ``` // Create an HttpOnly cookie. Cookie someCookie = new Cookie("SomeCookieName", "SomeValue"); // Set HttpOnly flag to true someCookie.setHttpOnly(true); ``` For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setHttpOnly-boolean- Session cookies should be configured with the following security directives: - [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) severity: WARNING metadata: shortDescription: Sensitive cookie without 'HttpOnly' flag category: security cwe: CWE-1004 technology: - java primary_identifier: find_sec_bugs.HTTPONLY_COOKIE-1 secondary_identifiers: - name: Find Security Bugs-HTTPONLY_COOKIE type: find_sec_bugs_type value: HTTPONLY_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HTTPONLY_COOKIE-1 shortlink: https://sg.run/z5B0 semgrep.dev: rule: r_id: 21161 rv_id: 835465 rule_id: WAUYRb version_id: DkTGyBj url: https://semgrep.dev/playground/r/DkTGyBj/gitlab.find_sec_bugs.HTTPONLY_COOKIE-1 origin: community - id: gitlab.bandit.B611 languages: - python message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. To remediate this issue, do not use `raw` or `RawSQL` but use other `QuerySet` methods to achieve the same goals. If for some reason this is not feasible, ensure calls including user-supplied data pass it in to the `params` parameter of the `RawSQL` method. While not recommended due to [potential SQL Injection](https://docs.djangoproject.com/en/4.2/ref/models/expressions/#raw-sql-expressions), below is an example using `RawSQL`, passing in user-supplied data as a `param` which will escape the input: ``` # If dealing with integer based user input, restrict the values to integers only using the # path configuration: path('/someview/', views.some_view, name='someview'), # views.py def some_view(request, user_supplied_id): # Never use string interpolation in the `sql` parameter. # Never quote the `%s` string format such as `... where id='%s'` as this could lead to SQL Injection. # Pass the user supplied data only in the `params` parameter. for obj in DBObject.objects.all().annotate( val=RawSQL(sql="select id from some_secondary_table where id=%s", params=[user_supplied_id])): # Work with the results from the query # ... ``` For more information on QuerySet see: - https://docs.djangoproject.com/en/4.2/ref/models/querysets/#queryset-api For more information on SQL Injection see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html metadata: cwe: CWE-89 owasp: A1:2017-Injection category: security shortDescription: Improper neutralization of special elements used in an SQL Command ('SQL Injection') primary_identifier: bandit.B611 secondary_identifiers: - name: Bandit Test ID B611 type: bandit_test_id value: B611 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B611 shortlink: https://sg.run/e4xL semgrep.dev: rule: r_id: 11576 rv_id: 835414 rule_id: 2ZU4Wb version_id: PkTxGK4 url: https://semgrep.dev/playground/r/PkTxGK4/gitlab.bandit.B611 origin: community patterns: - pattern-either: - pattern: $MODEL.objects.raw($QUERY, ...) - pattern: django.db.models.expressions.RawSQL(...) severity: ERROR - id: gitlab.bandit.B404 languages: - python message: | Consider possible security implications associated with subprocess module. metadata: cwe: CWE-78 owasp: A8:2017-Insecure Deserialization shortDescription: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') primary_identifier: bandit.B404 secondary_identifiers: - name: Bandit Test ID B404 type: bandit_test_id value: B404 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B404 shortlink: https://sg.run/lj3o semgrep.dev: rule: r_id: 11557 rv_id: 835419 rule_id: 4bUz3p version_id: A8T3lxl url: https://semgrep.dev/playground/r/A8T3lxl/gitlab.bandit.B404 origin: community patterns: - pattern: import subprocess severity: WARNING - id: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled patterns: - pattern: | resource "aws_launch_template" $ANYTHING { ... } - pattern-not-inside: | resource "aws_launch_template" $ANYTHING { ... metadata_options { ... http_endpoint = "disabled" ... } ... } - pattern-not-inside: | resource "aws_launch_template" $ANYTHING { ... metadata_options { ... http_tokens = "required" ... } ... } message: The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-1390: Weak Authentication' references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service subcategory: - audit likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled shortlink: https://sg.run/pg9J semgrep.dev: rule: r_id: 50762 rv_id: 1263712 rule_id: zdU0Wo version_id: JdTzx88 url: https://semgrep.dev/playground/r/JdTzx88/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled origin: community - id: gitlab.find_sec_bugs.PERMISSIVE_CORS-1 languages: - java message: | Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. metadata: category: security cwe: CWE-942 shortDescription: Permissive Cross-domain Policy with Untrusted Domains technology: - java primary_identifier: find_sec_bugs.PERMISSIVE_CORS-1 secondary_identifiers: - name: Find Security Bugs-PERMISSIVE_CORS type: find_sec_bugs_type value: PERMISSIVE_CORS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PERMISSIVE_CORS-1 shortlink: https://sg.run/rNJA semgrep.dev: rule: r_id: 21169 rv_id: 835473 rule_id: zdUG5y version_id: 5PTyGld url: https://semgrep.dev/playground/r/5PTyGld/gitlab.find_sec_bugs.PERMISSIVE_CORS-1 origin: community patterns: - pattern-either: - pattern: (HttpServletResponse $RES).setHeader("$HEADER", "$VAL") - pattern: (HttpServletResponse $RES).addHeader("$HEADER", "$VAL") - metavariable-regex: metavariable: $HEADER regex: (?i)(Access-Control-Allow-Origin) - metavariable-regex: metavariable: $VAL regex: (\*|null) severity: ERROR - id: gitlab.find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1 languages: - java pattern-either: - pattern: (org.springframework.security.config.annotation.web.builders.HttpSecurity $H). ... .csrf().disable(); - pattern: (org.springframework.security.config.annotation.web.configurers.CsrfConfigurer $C).disable(); message: | The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features. The vulnerability can be exploited by an adversary creating a link or form on a third party site and tricking an authenticated victim to access them. To remediate this issue, remove the call to `HttpSecurity.csrf().disable()` or remove the custom `CsrfConfigurer`. For more information on CSRF protection in Spring see: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf Additionally, consider setting all session cookies to have the `SameSite=Strict` attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two cookie based approach is taken, as outlined in the [Top level navigations](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08#section-8.8.2) section of the SameSite RFC. For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf metadata: shortDescription: Cross-Site Request Forgery (CSRF) category: security cwe: CWE-352 primary_identifier: find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1 secondary_identifiers: - name: Find Security Bugs-SPRING_CSRF_PROTECTION_DISABLED type: find_sec_bugs_type value: SPRING_CSRF_PROTECTION_DISABLED license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1 shortlink: https://sg.run/DGLj semgrep.dev: rule: r_id: 47608 rv_id: 835490 rule_id: 7KU6jz version_id: X0T5Ken url: https://semgrep.dev/playground/r/X0T5Ken/gitlab.find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 languages: - java message: | The Servlet can read GET and POST parameters from various methods. The value obtained should be considered unsafe." metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation primary_identifier: find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 secondary_identifiers: - name: Find Security Bugs-SERVLET_PARAMETER type: find_sec_bugs_type value: SERVLET_PARAMETER - name: Find Security Bugs-SERVLET_CONTENT_TYPE type: find_sec_bugs_type value: SERVLET_CONTENT_TYPE - name: Find Security Bugs-SERVLET_SERVER_NAME type: find_sec_bugs_type value: SERVLET_SERVER_NAME - name: Find Security Bugs-SERVLET_SESSION_ID type: find_sec_bugs_type value: SERVLET_SESSION_ID - name: Find Security Bugs-SERVLET_QUERY_STRING type: find_sec_bugs_type value: SERVLET_QUERY_STRING - name: Find Security Bugs-SERVLET_HEADER type: find_sec_bugs_type value: SERVLET_HEADER - name: Find Security Bugs-SERVLET_HEADER_REFERER type: find_sec_bugs_type value: SERVLET_HEADER_REFERER - name: Find Security Bugs-SERVLET_HEADER_USER_AGENT type: find_sec_bugs_type value: SERVLET_HEADER_USER_AGENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 shortlink: https://sg.run/gGey semgrep.dev: rule: r_id: 21185 rv_id: 835491 rule_id: v8Uv2D version_id: jQTrjeN url: https://semgrep.dev/playground/r/jQTrjeN/gitlab.find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 origin: community mode: taint pattern-sinks: - pattern-either: - pattern: '"..." + $PAR' - pattern: $PAR + "..." pattern-sources: - pattern-either: - pattern: (javax.servlet.http.HttpServletRequest $REQ).getContentType(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getServerName(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getRequestedSessionId(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterValues(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterMap(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterNames(...) - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...) severity: WARNING - id: gitlab.find_sec_bugs.JAXRS_ENDPOINT-1 languages: - java message: | This method is part of a REST Web Service (JSR311). The security of this web service should be analyzed; Authentication, if enforced, should be tested. Access control, if enforced, should be tested. The inputs should be tracked for potential vulnerabilities. The communication should ideally be over SSL. metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation technology: - java primary_identifier: find_sec_bugs.JAXRS_ENDPOINT-1 secondary_identifiers: - name: Find Security Bugs-JAXRS_ENDPOINT type: find_sec_bugs_type value: JAXRS_ENDPOINT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.JAXRS_ENDPOINT-1 shortlink: https://sg.run/QJ0x semgrep.dev: rule: r_id: 21186 rv_id: 835492 rule_id: d8U6DE version_id: 1QTPNWX url: https://semgrep.dev/playground/r/1QTPNWX/gitlab.find_sec_bugs.JAXRS_ENDPOINT-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: | $STR.replaceAll("$REPLACE_CHAR", "$REPLACER"); ... - pattern: $STR - metavariable-regex: metavariable: $REPLACER regex: .*^(CRLF).* - metavariable-regex: metavariable: $REPLACE_CHAR regex: (*CRLF) - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...); pattern-sinks: - pattern: return ...; pattern-sources: - patterns: - pattern-inside: | @javax.ws.rs.Path("...") $TYPE $FUNC(..., $VAR, ...) { ... } - pattern: $VAR severity: WARNING - id: gitlab.find_sec_bugs.STRUTS_FORM_VALIDATION-1 languages: - java message: | Form inputs should have minimal input validation. Preventive validation helps provide defense in depth against a variety of risks. metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation primary_identifier: find_sec_bugs.STRUTS_FORM_VALIDATION-1 secondary_identifiers: - name: Find Security Bugs-STRUTS_FORM_VALIDATION type: find_sec_bugs_type value: STRUTS_FORM_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.STRUTS_FORM_VALIDATION-1 shortlink: https://sg.run/R5K2 semgrep.dev: rule: r_id: 21193 rv_id: 835499 rule_id: gxUkqj version_id: w8TAbgP url: https://semgrep.dev/playground/r/w8TAbgP/gitlab.find_sec_bugs.STRUTS_FORM_VALIDATION-1 origin: community patterns: - pattern-inside: | class $CLASS extends $SC { ... } - metavariable-regex: metavariable: $SC regex: (ActionForm|ValidatorForm) - pattern-not: public void validate() { ... } severity: WARNING - id: gitlab.find_sec_bugs.JAXWS_ENDPOINT-1 languages: - java message: | This method is part of a SOAP Web Service (JSR224). The security of this web service should be analyzed; Authentication, if enforced, should be tested. Access control, if enforced, should be tested. The inputs should be tracked for potential vulnerabilities. The communication should ideally be over SSL. metadata: category: security cwe: CWE-20 owasp: A7:2017-Cross-Site Scripting (XSS) shortDescription: Improper Input Validation technology: - java primary_identifier: find_sec_bugs.JAXWS_ENDPOINT-1 secondary_identifiers: - name: Find Security Bugs-JAXWS_ENDPOINT type: find_sec_bugs_type value: JAXWS_ENDPOINT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.JAXWS_ENDPOINT-1 shortlink: https://sg.run/3Qjl semgrep.dev: rule: r_id: 21187 rv_id: 835493 rule_id: ZqUewk version_id: 9lTJ7NE url: https://semgrep.dev/playground/r/9lTJ7NE/gitlab.find_sec_bugs.JAXWS_ENDPOINT-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: | $STR.replaceAll("$REPLACE_CHAR", "$REPLACER"); ... - pattern: $STR - metavariable-regex: metavariable: $REPLACER regex: .*^(CRLF).* - metavariable-regex: metavariable: $REPLACE_CHAR regex: (*CRLF) - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...); pattern-sinks: - pattern: return ...; pattern-sources: - patterns: - pattern-inside: | @javax.jws.WebMethod(...) $TYPE $FUNC(..., $VAR, ...) { ... } - pattern: $VAR severity: INFO - id: gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 languages: - java message: | Either the `HostnameVerifier` has been set to always return `true` or the `X509TrustManager` has been configured to return null, or both. This effectively disables the validation of server or client certificates. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. It is recommended to not override the default `HostnameVerifiers`. Consider using the default `TrustManager` instead of implementing a custom one. If you must override the default verification process, implement proper TrustManager verification for `checkServerTrusted` and `checkClientTrusted` by throwing `CertificateException` if the certificate is invalid. Example using the built in `TrustManagerFactory` to manage validating certificate chains: ``` // Use the default TrustManagerFactory TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // Use default system KeyStore, alternatively pass in your own keystore. trustManagerFactory.init((KeyStore) null); // Create SSLContext for TLS connections SSLContext tlsContext = SSLContext.getInstance("TLS"); // Initialize the tlsContext with our trust manager and a SecureRandom number generator. tlsContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom()); ``` For more information on TLS security see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 primary_identifier: find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 secondary_identifiers: - name: Find Security Bugs-WEAK_HOSTNAME_VERIFIER type: find_sec_bugs_type value: WEAK_HOSTNAME_VERIFIER - name: Find Security Bugs-WEAK_TRUST_MANAGER type: find_sec_bugs_type value: WEAK_TRUST_MANAGER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 shortlink: https://sg.run/Jw5Z semgrep.dev: rule: r_id: 21190 rv_id: 835496 rule_id: 7KUbOj version_id: bZTBoWW url: https://semgrep.dev/playground/r/bZTBoWW/gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | class $V implements HostnameVerifier { ... } - pattern-inside: | public boolean verify(...) { ... } - pattern: return true; - patterns: - pattern-inside: | class $V implements X509TrustManager { ... } - pattern-either: - pattern: public void checkClientTrusted(...) {} - pattern: public void checkServerTrusted(...) {} - pattern: | public X509Certificate[] getAcceptedIssuers() { ... return null; } severity: WARNING - id: gitlab.find_sec_bugs.AWS_QUERY_INJECTION-1 languages: - java message: | Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. metadata: category: security cwe: CWE-943 shortDescription: Improper Neutralization of Special Elements in Data Query Logic technology: - java primary_identifier: find_sec_bugs.AWS_QUERY_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-AWS_QUERY_INJECTION type: find_sec_bugs_type value: AWS_QUERY_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.AWS_QUERY_INJECTION-1 shortlink: https://sg.run/ALZ6 semgrep.dev: rule: r_id: 21194 rv_id: 835500 rule_id: QrU1JP version_id: xyTNrbE url: https://semgrep.dev/playground/r/xyTNrbE/gitlab.find_sec_bugs.AWS_QUERY_INJECTION-1 origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $REQ = new SelectRequest($QUERY, ...); ... $DB.select($REQ); - pattern-inside: | $DB.select(new SelectRequest($QUERY,...)); - pattern-inside: | $DB.select((SelectRequest $SR).withSelectExpression($QUERY,...)); - pattern: $QUERY - metavariable-pattern: metavariable: $DB pattern-either: - pattern: (AmazonSimpleDB $DB) - pattern: (AmazonSimpleDBClient $DB) pattern-sources: - patterns: - pattern-inside: | $FUNC(..., $VAR, ...) { ... } - pattern: $VAR - patterns: - pattern-inside: | $FUNC(...) { ... $VAR = ... + $X; ... } - pattern: $VAR severity: ERROR - id: gitlab.find_sec_bugs.BEAN_PROPERTY_INJECTION-1 languages: - java message: | An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code. metadata: category: security cwe: CWE-15 shortDescription: External Control of System or Configuration Setting technology: - java primary_identifier: find_sec_bugs.BEAN_PROPERTY_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-BEAN_PROPERTY_INJECTION type: find_sec_bugs_type value: BEAN_PROPERTY_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.BEAN_PROPERTY_INJECTION-1 shortlink: https://sg.run/Ben9 semgrep.dev: rule: r_id: 21195 rv_id: 835501 rule_id: 3qULd8 version_id: O9TJ7Lz url: https://semgrep.dev/playground/r/O9TJ7Lz/gitlab.find_sec_bugs.BEAN_PROPERTY_INJECTION-1 origin: community patterns: - pattern-inside: $TYPE $FUNC(..., HttpServletRequest $REQ, ...) { ... } - pattern-either: - pattern: | $MAP.put(..., $REQ.getParameter(...)); ... $BEAN_UTIL.populate(..., $MAP); - pattern: | while (...) { ... $MAP.put(..., $REQ.getParameterValues(...)); } ... $BEAN_UTIL.populate(..., $MAP); - metavariable-pattern: metavariable: $BEAN_UTIL pattern-either: - pattern: (BeanUtilsBean $B) - pattern: new BeanUtilsBean() - pattern: org.apache.commons.beanutils.BeanUtils severity: ERROR - id: gitlab.find_sec_bugs.COOKIE_PERSISTENT-1 languages: - java message: | Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise. metadata: category: security cwe: CWE-614 shortDescription: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute technology: - java primary_identifier: find_sec_bugs.COOKIE_PERSISTENT-1 secondary_identifiers: - name: Find Security Bugs-COOKIE_PERSISTENT type: find_sec_bugs_type value: COOKIE_PERSISTENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.COOKIE_PERSISTENT-1 shortlink: https://sg.run/2k6Y semgrep.dev: rule: r_id: 21163 rv_id: 835467 rule_id: KxUwpN version_id: 0bTw30A url: https://semgrep.dev/playground/r/0bTw30A/gitlab.find_sec_bugs.COOKIE_PERSISTENT-1 origin: community patterns: - pattern-inside: | (javax.servlet.http.Cookie $C).setMaxAge($AGE); - metavariable-comparison: comparison: $AGE >= 31536000 metavariable: $AGE severity: WARNING - id: gitlab.find_sec_bugs.COOKIE_USAGE-1 languages: - java message: | The information stored in a custom cookie should not be sensitive or related to the session. In most cases, sensitive data should only be stored in session and referenced by the user's session cookie. metadata: category: security cwe: CWE-614 shortDescription: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute technology: - java primary_identifier: find_sec_bugs.COOKIE_USAGE-1 secondary_identifiers: - name: Find Security Bugs-COOKIE_USAGE type: find_sec_bugs_type value: COOKIE_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.COOKIE_USAGE-1 shortlink: https://sg.run/XWze semgrep.dev: rule: r_id: 21164 rv_id: 835468 rule_id: qNUpNY version_id: K3TrLAp url: https://semgrep.dev/playground/r/K3TrLAp/gitlab.find_sec_bugs.COOKIE_USAGE-1 origin: community patterns: - pattern-inside: | $FUNC(..., HttpServletRequest $REQ, ...) { ... } - pattern-either: - patterns: - pattern-inside: | for (Cookie $C : $REQ.getCookies()) { ... } - pattern-either: - pattern: $C.getName(); - pattern: $C.getValue(); - pattern: $C.getPath(); - pattern: (Cookie $COOKIE).getName(); - pattern: (Cookie $COOKIE).getValue(); - pattern: (Cookie $COOKIE).getPath(); severity: WARNING - id: gitlab.find_sec_bugs.CRLF_INJECTION_LOGS-1 languages: - java patterns: - pattern-either: - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... $LOGGER.$METHOD(...,$TAINTED,...); - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... $VAR = String.Format(..., $TAINTED,...); ... $LOGGER.$METHOD(...,$VAR,...); - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... $LOGGER.$METHOD(...,String.Format(..., $TAINTED,...),...); - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... $VAR = ... + $TAINTED + ...; ... $LOGGER.$METHOD(...,$VAR,...); - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... $LOGGER.$METHOD(...,... + $TAINTED + ...,...); - metavariable-regex: metavariable: $METHOD regex: (log|logp|logrb|entering|exiting|fine|finer|finest|info|debug|trace|warn|warning|config|error|severe) - metavariable-pattern: metavariable: $LOGGER pattern-either: - pattern: (Logger $LOG) - pattern: org.pmw.tinylog.Logger - pattern: org.apache.log4j.Logger - pattern: org.apache.logging.log4j.Logger - pattern: org.slf4j.Logger - pattern: org.apache.commons.logging.Log - pattern: java.util.logging.Logger message: | The application was found to take data from user input and output it into a logger method. When data from an untrusted source is sent to a logger without validation, an attacker could forge log entries or include malicious content. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS). To mitigate this issue, encode values that come from user input with a package such as [Apache Commons Text](https://commons.apache.org/proper/commons-text/) to escape the input: ``` public String escapeValue(String value) { return StringEscapeUtils.escapeJava(value); } ``` For more information on log injection see OWASP: https://owasp.org/www-community/attacks/Log_Injection severity: ERROR metadata: shortDescription: Improper neutralization of CRLF sequences ('CRLF Injection') category: security cwe: CWE-93 technology: - java primary_identifier: find_sec_bugs.CRLF_INJECTION_LOGS-1 secondary_identifiers: - name: Find Security Bugs-CRLF_INJECTION_LOGS type: find_sec_bugs_type value: CRLF_INJECTION_LOGS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.CRLF_INJECTION_LOGS-1 shortlink: https://sg.run/De7W semgrep.dev: rule: r_id: 21196 rv_id: 835502 rule_id: 4bUeor version_id: e1TDKPQ url: https://semgrep.dev/playground/r/e1TDKPQ/gitlab.find_sec_bugs.CRLF_INJECTION_LOGS-1 origin: community - id: gitlab.find_sec_bugs.CUSTOM_INJECTION-1 languages: - java patterns: - pattern-either: - pattern: | $QUERY = ... + $VAR + ...; ... $ST.executeQuery($QUERY); - pattern: | $QUERY = ... + $VAR ; ... $ST.executeQuery($QUERY); - pattern: | $QUERY = String.format("...",...,$VAR,...); ... $ST.executeQuery($QUERY); - pattern: $ST.executeQuery((StringBuilder $SB).toString()); - pattern: $ST.executeQuery(... + $VAR + ...); - pattern: $ST.executeQuery(... + $VAR); - pattern: $ST.executeQuery(...,String.format("...",...,$VAR,...), ...); - metavariable-pattern: metavariable: $ST pattern-either: - pattern: (java.sql.Statement $ST) - pattern: (org.apache.turbine.om.peer.BasePeer $ST) message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user-supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using `PreparedStatement` queries: ``` // Some userInput String userInput = "someUserInput"; // Your connection string String url = "..."; // Get a connection from the DB via the DriverManager Connection conn = DriverManager.getConnection(url); // Create a prepared statement PreparedStatement st = conn.prepareStatement("SELECT name FROM table where name=?"); // Set each parameters value by the index (starting from 1) st.setString(1, userInput); // Execute query and get the result set ResultSet rs = st.executeQuery(); // Iterate over results while (rs.next()) { // Get result for this row at the provided column number (starting from 1) String result = rs.getString(1); // ... } // Close the ResultSet rs.close(); // Close the PreparedStatement st.close(); ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an SQL command ('SQL Injection') category: security cwe: CWE-89 technology: - java primary_identifier: find_sec_bugs.CUSTOM_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-CUSTOM_INJECTION type: find_sec_bugs_type value: CUSTOM_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.CUSTOM_INJECTION-1 shortlink: https://sg.run/0WpJ semgrep.dev: rule: r_id: 21198 rv_id: 835504 rule_id: JDUoqr version_id: d6TKgNJ url: https://semgrep.dev/playground/r/d6TKgNJ/gitlab.find_sec_bugs.CUSTOM_INJECTION-1 origin: community - id: gitlab.find_sec_bugs.CUSTOM_INJECTION-2 languages: - java message: | The method identified is susceptible to injection. The input should be validated and properly escaped. metadata: category: security cwe: CWE-89 shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') technology: - java primary_identifier: find_sec_bugs.CUSTOM_INJECTION-2 secondary_identifiers: - name: Find Security Bugs-CUSTOM_INJECTION type: find_sec_bugs_type value: CUSTOM_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.CUSTOM_INJECTION-2 shortlink: https://sg.run/KyG6 semgrep.dev: rule: r_id: 21199 rv_id: 835505 rule_id: 5rUN6G version_id: ZRTldRY url: https://semgrep.dev/playground/r/ZRTldRY/gitlab.find_sec_bugs.CUSTOM_INJECTION-2 origin: community patterns: - pattern-not-inside: | final String $VAR = ...; - pattern-either: - pattern: | "$SQL_STR" + ... - pattern: String.format("$SQL_STR", ...) - pattern: | "$SQL_STR".concat(...) - pattern: (StringBuilder $BUILDER). ... .append("$SQL_STR") - patterns: - pattern-inside: | StringBuilder $BUILDER = new StringBuilder("$SQL_STR"); ... - pattern: $BUILDER.append(...) - patterns: - pattern-inside: | $QUERY = "$SQL_STR"; ... - pattern: $QUERY += ... - metavariable-regex: metavariable: $SQL_STR regex: (?i)(select|insert|create|update|alter|delete|drop)\b severity: WARNING - id: gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 languages: - java mode: taint pattern-sinks: - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST); - pattern: $FST - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND); - pattern: $FST - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND, $TRD); - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST) - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND) - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $SND - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $TRD - patterns: - pattern-inside: | $ACTION = new org.apache.struts.action.ActionForward(); ... - pattern: $ACTION.setPath(...) - patterns: - pattern-inside: | $MVC = new org.springframework.web.servlet.ModelAndView(); ... - pattern: $MVC.setViewName(...); - patterns: - pattern-inside: | $REQ = $HTTP.getRequestDispatcher(...); ... - pattern-either: - pattern: $REQ.include($FST, $SND) - pattern: $REQ.forward($FST, $SND) pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameter(...) message: | The `org.springframework.web.servlet.ModelAndView` class and `HttpRequest.getRequestDispatcher()`'s `include` and `forward` methods may potentially allow access to restricted files if called with user-supplied input. For Spring MVC, the ModelAndView class looks up a view by name to resolve a `.jsp` file. If this view name comes from user-supplied input, it could be abused to attempt to return a JSP view that the user should not have access to. The `HttpRequest.getRequestDispatcher()`'s `include` and `forward` methods will return any file that is resolvable within the web application context. This includes the `web.xml` file, any compiled classes, `jsp` files, and additional JAR or WAR libraries that are accessible. Never pass user-supplied input directly to any of these methods. Use a lookup table or hardcode which views or paths the user should be directed to. Another option is to use a simple HTTP redirect by returning an empty response body with a 301 status code and a `Location` redirect header. In Java servlets, this can be done by using the `response.sendRedirect(...)` method. Example using a lookup table to resolve a view from a Spring MVC application: ``` @RequestMapping(value="/mvc", method=RequestMethod.GET) public ModelAndView mvc(HttpServletRequest request, HttpServletResponse response, Model model) { // Create a look up table or pull from a data source HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "view1"); lookupTable.put("key2", "view2"); // Get user input String userInput = request.getParameter("key"); // Look up view from the user input String viewValue = lookupTable.getOrDefault(userInput, userInput); // return the new model and view return new ModelAndView(viewValue); } ``` Example using a redirect instead of a `RequestDispatcher`: ``` // Create a look up table or pull from a data source HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "/Resource1"); lookupTable.put("key2", "/Resource2"); // Get user input String userInput = request.getParameter("key"); // Look up resource to redirect to from the user input String redirectValue = lookupTable.getOrDefault(userInput, "/Resource1"); // Redirect the user response.sendRedirect(redirectValue); ``` metadata: shortDescription: Files or directories accessible to external parties category: security cwe: CWE-552 primary_identifier: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 secondary_identifiers: - name: Find Security Bugs-REQUESTDISPATCHER_FILE_DISCLOSURE type: find_sec_bugs_type value: REQUESTDISPATCHER_FILE_DISCLOSURE - name: Find Security Bugs-STRUTS_FILE_DISCLOSURE type: find_sec_bugs_type value: STRUTS_FILE_DISCLOSURE - name: Find Security Bugs-SPRING_FILE_DISCLOSURE type: find_sec_bugs_type value: SPRING_FILE_DISCLOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 shortlink: https://sg.run/PPWq semgrep.dev: rule: r_id: 21201 rv_id: 835507 rule_id: ReU2bl version_id: ExTrW5W url: https://semgrep.dev/playground/r/ExTrW5W/gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2 languages: - java message: | Overly permissive file permission metadata: category: security confidence: HIGH cwe: CWE-732 shortDescription: Incorrect Permission Assignment for Critical Resource primary_identifier: find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2 secondary_identifiers: - name: Find Security Bugs-OVERLY_PERMISSIVE_FILE_PERMISSION type: find_sec_bugs_type value: OVERLY_PERMISSIVE_FILE_PERMISSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2 shortlink: https://sg.run/jBgA semgrep.dev: rule: r_id: 21221 rv_id: 835523 rule_id: qNUpqB version_id: WrTdn2y url: https://semgrep.dev/playground/r/WrTdn2y/gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2 origin: community patterns: - pattern-inside: | $PERMS.add($P); ... java.nio.file.Files.setPosixFilePermissions(..., $PERMS); - metavariable-regex: metavariable: $P regex: (PosixFilePermission.){0,1}(OTHERS_) severity: WARNING - id: gitlab.find_sec_bugs.PREDICTABLE_RANDOM-1 languages: - java patterns: - pattern-either: - pattern: | java.util.Random $R = new java.util.Random(); ... $R.$METHOD(); - pattern: (java.util.Random $R).$METHOD() - pattern: new java.util.Random().$METHOD() - pattern: org.apache.commons.lang.math.RandomUtils.$METHOD() - pattern: org.apache.commons.lang.RandomStringUtils.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: ^(next|random) message: | Depending on the context, generating weak random numbers may expose cryptographic functions which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `DRBG` instance of `SecureRandom` be used. Example using `DRBG` with `SecureRandom`: ``` public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: WARNING metadata: shortDescription: Use of insufficiently random values category: security cwe: CWE-330 technology: - java primary_identifier: find_sec_bugs.PREDICTABLE_RANDOM-1 secondary_identifiers: - name: Find Security Bugs-PREDICTABLE_RANDOM type: find_sec_bugs_type value: PREDICTABLE_RANDOM license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PREDICTABLE_RANDOM-1 shortlink: https://sg.run/1kbD semgrep.dev: rule: r_id: 21222 rv_id: 835524 rule_id: lBUXPJ version_id: 0bTw3Rr url: https://semgrep.dev/playground/r/0bTw3Rr/gitlab.find_sec_bugs.PREDICTABLE_RANDOM-1 origin: community - id: gitlab.find_sec_bugs.PATH_TRAVERSAL_IN-1 languages: - java message: | A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. metadata: category: security cwe: CWE-22 shortDescription: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') technology: - java primary_identifier: find_sec_bugs.PATH_TRAVERSAL_IN-1 secondary_identifiers: - name: Find Security Bugs-PATH_TRAVERSAL_IN type: find_sec_bugs_type value: PATH_TRAVERSAL_IN license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PATH_TRAVERSAL_IN-1 shortlink: https://sg.run/R5KK semgrep.dev: rule: r_id: 21205 rv_id: 835511 rule_id: WAUYbb version_id: gETyX8w url: https://semgrep.dev/playground/r/gETyX8w/gitlab.find_sec_bugs.PATH_TRAVERSAL_IN-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) - pattern-either: - pattern-inside: new java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: new java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: new java.io.FileReader(...) - pattern: new javax.activation.FileDataSource(...) - pattern: new java.io.FileInputStream(...) - patterns: - pattern-either: - pattern-inside: new java.io.File(...,(String $VAR), ...) - pattern-inside: java.nio.file.Paths.get(...,(String $VAR),...) - pattern-inside: java.io.File.createTempFile(...,(String $VAR), ...) - pattern-inside: java.io.File.createTempDirectory(...,(String $VAR),...) - pattern-inside: java.nio.file.Files.createTempFile(..., (String $VAR), ...) - pattern-inside: java.nio.file.Files.createTempDirectory(..., (String $VAR), ...) - pattern: $VAR pattern-sources: - patterns: - pattern-inside: | $FUNC(String[] $ARGS) { ... } - pattern: $ARGS[$IDX] - patterns: - pattern-inside: | $FUNC(..., String $VAR, ...) { ... } - pattern: $VAR severity: ERROR - id: gitlab.find_sec_bugs.LDAP_ENTRY_POISONING-1 languages: - java message: | Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation primary_identifier: find_sec_bugs.LDAP_ENTRY_POISONING-1 secondary_identifiers: - name: Find Security Bugs-LDAP_ENTRY_POISONING type: find_sec_bugs_type value: LDAP_ENTRY_POISONING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.LDAP_ENTRY_POISONING-1 shortlink: https://sg.run/Ky0d semgrep.dev: rule: r_id: 21211 rv_id: 835517 rule_id: JDUog3 version_id: 5PTyG0d url: https://semgrep.dev/playground/r/5PTyG0d/gitlab.find_sec_bugs.LDAP_ENTRY_POISONING-1 origin: community patterns: - pattern: new javax.naming.directory.SearchControls($SCOPE, $CLIMIT, $TLIMIT, $ATTR, true, $DEREF) severity: ERROR - id: gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SEND_ERROR-1 languages: - java mode: taint pattern-sanitizers: - patterns: - pattern-inside: org.owasp.encoder.Encode.forHtml($TAINTED); - pattern: $TAINTED pattern-sinks: - patterns: - pattern-inside: $FUNC(..., HttpServletResponse $RES, ...) {...} - pattern: $RES.sendError(..., $DATA); - pattern: $DATA pattern-sources: - patterns: - pattern-inside: $FUNC(..., HttpServletRequest $REQ, ...) {...} - pattern-either: - pattern: $REQ.getParameter(...); - pattern: $REQ.getHeader(...); - pattern: $REQ.getRequestedSessionId(); - pattern: $REQ.getQueryString(); message: | The application is returning user-supplied data from an HTTP request to an HTTP response's `sendError` method. This could lead to Cross Site Scripting (XSS) if the input were malicious script code and the application server is not properly validating the output. Note that Apache Tomcat 9 and above automatically encode the output and are not vulnerable. XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. If possible do not use user input directly in the output to the `sendError` message parameter. Regardless if the application server handles output encoding, consider encoding any user-supplied input that is used in the sendError method: Example using [Apache Commons Text](https://commons.apache.org/proper/commons-text/) `StringEscapeUtils.escapeHtml4`: ``` // Get user input String userInput = request.getParameter("key"); // Encode the input using the Html4 encoder String encoded = StringEscapeUtils.escapeHtml4(userInput); // Respond with the error code and value response.sendError(401, encoded); ``` For more information on XSS see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 technology: - java primary_identifier: find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SEND_ERROR-1 secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_PARAMETER_TO_SEND_ERROR type: find_sec_bugs_type value: XSS_REQUEST_PARAMETER_TO_SEND_ERROR license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SEND_ERROR-1 shortlink: https://sg.run/0xwb semgrep.dev: rule: r_id: 47610 rv_id: 835545 rule_id: 8GUo74 version_id: O9TJ7Kz url: https://semgrep.dev/playground/r/O9TJ7Kz/gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SEND_ERROR-1 origin: community - id: gitlab.find_sec_bugs.XSS_REQUEST_WRAPPER-1 languages: - java message: | Avoid using custom XSS filtering. Please use standard sanitization functions. metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') primary_identifier: find_sec_bugs.XSS_REQUEST_WRAPPER-1 secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_WRAPPER type: find_sec_bugs_type value: XSS_REQUEST_WRAPPER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XSS_REQUEST_WRAPPER-1 shortlink: https://sg.run/gG7n semgrep.dev: rule: r_id: 21241 rv_id: 835543 rule_id: eqUZdN version_id: w8TAbdP url: https://semgrep.dev/playground/r/w8TAbdP/gitlab.find_sec_bugs.XSS_REQUEST_WRAPPER-1 origin: community patterns: - pattern-inside: | class $CLASS extends HttpServletRequestWrapper { ... } - pattern: stripXSS(...) { ... } severity: INFO - id: gitlab.find_sec_bugs.XSS_SERVLET-1 languages: - java message: | A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') primary_identifier: find_sec_bugs.XSS_SERVLET-1 secondary_identifiers: - name: Find Security Bugs-XSS_SERVLET type: find_sec_bugs_type value: XSS_SERVLET license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XSS_SERVLET-1 shortlink: https://sg.run/4kwE semgrep.dev: rule: r_id: 21244 rv_id: 835547 rule_id: ZqUeEA version_id: vdTOQxl url: https://semgrep.dev/playground/r/vdTOQxl/gitlab.find_sec_bugs.XSS_SERVLET-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: org.owasp.encoder.Encode.forHtml($TAINTED); - pattern: $TAINTED pattern-sinks: - patterns: - pattern-inside: $FUNC(..., HttpServletResponse $RES, ...) {...} - pattern-inside: | $WRITER = $RES.getWriter(); ... - pattern: $WRITER.write($DATA,...); - pattern: $DATA - patterns: - pattern-inside: $FUNC(..., HttpServletResponse $RES, ...) {...} - pattern: $RES.getWriter().write($DATA,...); - pattern: $DATA pattern-sources: - patterns: - pattern-inside: $FUNC(..., HttpServletRequest $REQ, ...) {...} - pattern: $REQ.getParameter(...); severity: WARNING - id: gitlab.find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1 languages: - java message: | The Servlet can read GET and POST parameters from various methods. The value obtained should be considered unsafe. You may need to validate or sanitize those values before passing them to sensitive APIs metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation technology: - java primary_identifier: find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1 secondary_identifiers: - name: Find Security Bugs-XSS_SERVLET type: find_sec_bugs_type value: XSS_SERVLET - name: Find Security Bugs-XSS_SERVLET_PARAMETER type: find_sec_bugs_type value: XSS_SERVLET_PARAMETER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1 shortlink: https://sg.run/PP6q semgrep.dev: rule: r_id: 21245 rv_id: 835548 rule_id: nJUneR version_id: d6TKg2J url: https://semgrep.dev/playground/r/d6TKg2J/gitlab.find_sec_bugs.XSS_SERVLET-2.XSS_SERVLET_PARAMETER-1 origin: community pattern-either: - patterns: - pattern-inside: $TYPE $FUNC(..., ServletRequest $REQ, ...) { ... } - pattern-either: - pattern: $REQ.getParameter(...); - pattern: $REQ.getParameterValues(); - pattern: $REQ.getParameterMap(...); - pattern: $REQ.getParameterNames(); - patterns: - pattern-inside: $TYPE $FUNC(..., HttpServletRequest $SREQ, ...) { ... } - pattern-either: - pattern: $SREQ.getRequestedSessionId(); - pattern: $SREQ.getQueryString(); - pattern: $SREQ.getParameter(...); - pattern: $SREQ.getParameterValues(); - pattern: $SREQ.getParameterMap(...); - pattern: $SREQ.getParameterNames(); - patterns: - pattern: $SREQ.getHeader($HEADER); - metavariable-regex: metavariable: $HEADER regex: (?i)(Host|Referer|User-Agent) severity: WARNING - id: gitlab.find_sec_bugs.XXE_SAXPARSER-1 languages: - java message: | External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). It is recommended that the `SAXParser` is configured to disable DTD doctypes as this protects against the majority of XXE attacks. Example creating a SAXParser with disallowing the doctypes feature enabled: ``` // Create a SAXParserFactory SAXParserFactory saxParserFactory = SAXParserFactory.newInstance(); // Enable the feature which disallows ` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using parameterized queries with `sql.Query`: ``` rows, err := db.Query("SELECT * FROM users WHERE userName = ?", userName) if err != nil { return nil, err } defer rows.Close() for rows.Next() { // ... process rows } ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html metadata: shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') cwe: CWE-89 primary_identifier: gosec.G201-1 secondary_identifiers: - name: Gosec Rule ID G201 type: gosec_rule_id value: G201 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G201-1 shortlink: https://sg.run/18Z1 semgrep.dev: rule: r_id: 13766 rv_id: 835735 rule_id: OrU63Y version_id: 2KT7OeW url: https://semgrep.dev/playground/r/2KT7OeW/gitlab.gosec.G201-1 origin: community severity: WARNING - id: gitlab.flawfinder.getpw-1 languages: - c message: | The getpw() function is dangerous as it may overflow the provided buffer when reading from the `/etc/passwd` file. While the passwd file is not generally writeable, there are no protections offered by this function to protect from reading past the bounds of the destination buffer. This function is obsoleted by `getpwuid`. For more information please see: https://linux.die.net/man/3/getpwuid metadata: shortDescription: Use of deprecated function (getpwd) cwe: CWE-120 owasp: A1:2017-Injection primary_identifier: flawfinder.getpw-1 secondary_identifiers: - name: Flawfinder - getpw type: flawfinder_func_name value: getpw license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.getpw-1 shortlink: https://sg.run/EO08 semgrep.dev: rule: r_id: 13037 rv_id: 835652 rule_id: WAUP03 version_id: ExTrWl2 url: https://semgrep.dev/playground/r/ExTrWl2/gitlab.flawfinder.getpw-1 origin: community pattern: getpw(...) severity: ERROR - id: gitlab.gosec.G112-1 languages: - go patterns: - pattern-inside: | import "net/http" ... - pattern-either: - patterns: - pattern-not-inside: | &http.Server{ ..., ReadHeaderTimeout: ..., ..., } - pattern-not-inside: | &http.Server{ ..., ReadTimeout: ..., ..., } - pattern-not-inside: | $S = &http.Server{ ..., } $S.ReadHeaderTimeout = ... ... - pattern-not-inside: | $S = &http.Server{ ..., } $S.ReadTimeout = ... ... - pattern: | &http.Server{ ..., } message: | Potential Slowloris Attack because `ReadHeaderTimeout` is not configured in the `http.Server`. This application may be vulnerable to resource consumption attacks if timeouts are not properly configured prior to starting the HTTP server. An adversary may open up thousands of connections but never complete sending all data, or never terminate the connections. This may lead to the server no longer accepting new connections. To protect against this style of resource consumption attack, timeouts should be set in the `net/http` server prior to calling the listen or serve functions. The default `http.ListenAndServe` and `http.Serve` functions should not be used in a production setting as they are unable to have timeouts configured. Instead a custom `http.Server` object must be created with the timeouts configured. Example setting timeouts on a `net/http` server: ``` // All values chosen below are dependent on application logic and // should be tailored per use-case srv := &http.Server{ Addr: "localhost:8000", // ReadHeaderTimeout is the amount of time allowed to read // request headers. The connection's read deadline is reset // after reading the headers and the Handler can decide what // is considered too slow for the body. If ReadHeaderTimeout // is zero, the value of ReadTimeout is used. If both are // zero, there is no timeout. ReadHeaderTimeout: 15 * time.Second, // ReadTimeout is the maximum duration for reading the entire // request, including the body. A zero or negative value means // there will be no timeout. // // Because ReadTimeout does not let Handlers make per-request // decisions on each request body's acceptable deadline or // upload rate, most users will prefer to use // ReadHeaderTimeout. It is valid to use them both. ReadTimeout: 15 * time.Second, // WriteTimeout is the maximum duration before timing out // writes of the response. It is reset whenever a new // request's header is read. Like ReadTimeout, it does not // let Handlers make decisions on a per-request basis. // A zero or negative value means there will be no timeout. WriteTimeout: 10 * time.Second, // IdleTimeout is the maximum amount of time to wait for the // next request when keep-alives are enabled. If IdleTimeout // is zero, the value of ReadTimeout is used. If both are // zero, there is no timeout. IdleTimeout: 30 * time.Second, } // For per request timeouts applications can wrap all `http.HandlerFunc(...)` in // `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not // start ticking until all headers have been read. // Listen with our custom server with timeouts configured if err := srv.ListenAndServe(); err != nil { log.Fatal(err) } ``` For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server For information on setting request based timeouts, see: https://pkg.go.dev/net/http#TimeoutHandler For more information on the Slowloris attack see: https://en.wikipedia.org/wiki/Slowloris_(computer_security) metadata: shortDescription: Uncontrolled resource consumption (Slowloris) cwe: CWE-400 primary_identifier: gosec.G112-1 secondary_identifiers: - name: Gosec Rule ID G112 type: gosec_rule_id value: G112 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G112-1 shortlink: https://sg.run/lX1j semgrep.dev: rule: r_id: 47613 rv_id: 835725 rule_id: 3qUKzB version_id: WrTdn94 url: https://semgrep.dev/playground/r/WrTdn94/gitlab.gosec.G112-1 origin: community severity: WARNING - id: go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure patterns: - pattern-not-inside: | &sessions.Options{ ..., Secure: true, ..., } - pattern: | &sessions.Options{ ..., } message: A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct. metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69 category: security technology: - gorilla confidence: MEDIUM subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure shortlink: https://sg.run/PJdE semgrep.dev: rule: r_id: 9089 rv_id: 1262912 rule_id: lBU9kw version_id: 0bTKzKk url: https://semgrep.dev/playground/r/0bTKzKk/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure origin: community fix-regex: regex: (Secure\s*:\s+)false replacement: \1true severity: WARNING languages: - go - id: gitlab.gosec.G113-1 languages: - go message: | Potential Integer overflow made by strconv.Atoi result conversion to int16/32 metadata: cwe: CWE-190 shortDescription: Integer Overflow or Wraparound primary_identifier: gosec.G113-1 secondary_identifiers: - name: Gosec Rule ID G113 type: gosec_rule_id value: G113 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G113-1 shortlink: https://sg.run/YP5X semgrep.dev: rule: r_id: 47614 rv_id: 835730 rule_id: 4bUNw2 version_id: YDTlb5y url: https://semgrep.dev/playground/r/YDTlb5y/gitlab.gosec.G113-1 origin: community patterns: - pattern-inside: | import "math/big" ... - pattern-inside: | $R = big.Rat{...} ... - pattern: | $R.SetString(...) severity: ERROR - id: gitlab.gosec.G101-1 languages: - go patterns: - pattern-either: - pattern: $MASK = "..." - metavariable-regex: metavariable: $MASK regex: (password|pass|passwd|pwd|secret|token) message: | A potential hard-coded password was identified. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using Key Management System's is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation metadata: shortDescription: Use of hard-coded password cwe: CWE-259 owasp: A3:2017-Sensitive Data Exposure primary_identifier: gosec.G101-1 secondary_identifiers: - name: Gosec Rule ID G101 type: gosec_rule_id value: G101 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G101-1 shortlink: https://sg.run/XOBj semgrep.dev: rule: r_id: 13764 rv_id: 835733 rule_id: wdUjJo version_id: zyTW3d5 url: https://semgrep.dev/playground/r/zyTW3d5/gitlab.gosec.G101-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs_scala.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1 languages: - scala message: | The use of a predictable random value can lead to vulnerabilities when used in certain security critical contexts. A quick fix could be to replace the use of scala.util.Random with something stronger, such as java.security.SecureRandom metadata: category: security cwe: CWE-330 shortDescription: Use of Insufficiently Random Values technology: - scala primary_identifier: find_sec_bugs.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1 secondary_identifiers: - name: Find Security Bugs-PREDICTABLE_RANDOM type: find_sec_bugs_type value: PREDICTABLE_RANDOM - name: Find Security Bugs-PREDICTABLE_RANDOM_SCALA type: find_sec_bugs_type value: PREDICTABLE_RANDOM_SCALA license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1 shortlink: https://sg.run/WNg4 semgrep.dev: rule: r_id: 67997 rv_id: 835611 rule_id: r6Uvkl version_id: 8KTGlJz url: https://semgrep.dev/playground/r/8KTGlJz/gitlab.find_sec_bugs_scala.PREDICTABLE_RANDOM-1.PREDICTABLE_RANDOM_SCALA-1 origin: community pattern-either: - patterns: - pattern: $LANG.util.Random.$METHOD - metavariable-regex: metavariable: $METHOD regex: ^(next) - pattern: Math.random severity: WARNING - id: yaml.gitlab.correctness.changes-with-when-never.changes-with-when-never pattern: | - changes: - ... when: never message: 'This Gitlab CI YAML will never run on default branches due to a `changes` rule with `when:never`. To fix this, make sure the triggering event is a push event. You can do this with `if: ''$CI_PIPELINE_SOURCE == "push"''`. See https://docs.gitlab.com/ee/ci/yaml/index.html#ruleschanges' metadata: category: correctness technology: - gitlab - gitlab-ci license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.gitlab.correctness.changes-with-when-never.changes-with-when-never shortlink: https://sg.run/Q9PQ semgrep.dev: rule: r_id: 15086 rv_id: 947048 rule_id: 7KUv9A version_id: xyTqWxz url: https://semgrep.dev/playground/r/xyTqWxz/yaml.gitlab.correctness.changes-with-when-never.changes-with-when-never origin: community languages: - yaml severity: WARNING - id: terraform.azure.best-practice.azure-appservice-java-version.azure-appservice-java-version message: Ensure that Java version is the latest, if used to run the web app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ... java_version = "11" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-java-version.azure-appservice-java-version shortlink: https://sg.run/B1WW semgrep.dev: rule: r_id: 23907 rv_id: 946745 rule_id: kxUxDD version_id: xyTqWL4 url: https://semgrep.dev/playground/r/xyTqWL4/terraform.azure.best-practice.azure-appservice-java-version.azure-appservice-java-version origin: community languages: - hcl severity: INFO - id: gitlab.find_sec_bugs_kotlin.COMMAND_INJECTION-1 languages: - kotlin message: | The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution. severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') category: security cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.COMMAND_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-COMMAND_INJECTION type: find_sec_bugs_type value: COMMAND_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.COMMAND_INJECTION-1 shortlink: https://sg.run/wdWbX semgrep.dev: rule: r_id: 144329 rv_id: 920420 rule_id: PeUJ4wx version_id: WrTYnJD url: https://semgrep.dev/playground/r/WrTYnJD/gitlab.find_sec_bugs_kotlin.COMMAND_INJECTION-1 origin: community pattern-either: - patterns: - pattern-inside: | fun $FUNC(..., $PARAM: String, ...) { ... } - pattern-inside: | $R = Runtime.getRuntime() ... - pattern-either: - pattern: $R.exec(<...$PARAM...>,...) - patterns: - pattern-either: - pattern: | $CMDARR = arrayOf("$SHELL",...,<...$PARAM...>,...) ... $R.exec($CMDARR,...) - pattern: $R.exec(arrayOf("$SHELL",...,<...$PARAM...>,...), ...) - pattern: $R.exec(java.util.String.format("...", ...,<...$PARAM...>,...)) - pattern: '$R.exec(($A: String) + ($B: String))' - metavariable-regex: metavariable: $SHELL regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$ - pattern-not: $R.exec("...","...","...",...) - pattern-not: | $R.exec(arrayOf("...","...","...",...),...) - patterns: - pattern-inside: | fun $FUNC(..., $PARAM: String, ...) { ... } - pattern-inside: | $PB = ProcessBuilder() ... - pattern-either: - pattern: $PB.command(<...$PARAM...>,...) - patterns: - pattern-inside: $VAL = <...$PARAM...>; ... - pattern: $PB.command(<...$VAL...>,...) - patterns: - pattern-either: - pattern: $PB.command("$SHELL",...,<...$PARAM...>,...) - pattern: | $CMDARR = java.util.Arrays.asList("$SHELL",...,<...$PARAM...>,...) ... $PB.command($CMDARR,...) - pattern: $PB.command(java.util.Arrays.asList("$SHELL",...,<...$PARAM...>,...),...) - pattern: $PB.command(java.util.String.format("...", ...,<...$PARAM...>,...)) - pattern: '$PB.command(($A: String) + ($B: String))' - metavariable-regex: metavariable: $SHELL regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$ - pattern-not: $PB.command("...","...","...",...) - pattern-not: | $PB.command(java.util.Arrays.asList("...","...","...",...)) - id: gitlab.security_code_scan.SCS0009-1 languages: - csharp mode: taint pattern-sources: - pattern: | var $COOKIE = new HttpCookie(...); pattern-sinks: - pattern: $COOKIE pattern-sanitizers: - pattern: $COOKIE.HttpOnly = true; message: | The `HttpOnly` attribute when set to `true` protects the cookie value from being accessed by client side JavaScript such as reading the `document.cookie` values. By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript. Example of protecting an HttpCookie: ``` // Create an HttpOnly cookie. HttpCookie someCookie = new HttpCookie("SomeCookieName", "SomeValue"); someCookie.HttpOnly = true; ``` For more information see: https://learn.microsoft.com/en-us/dotnet/api/system.web.httpcookie.httponly Session cookies should be configured with the following security directives: - [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) severity: WARNING metadata: shortDescription: Sensitive cookie without 'HttpOnly' flag category: security cwe: CWE-1004 primary_identifier: security_code_scan.SCS0009-1 secondary_identifiers: - name: SCS0009 type: security_code_scan_rule_id value: SCS0009 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0009-1 shortlink: https://sg.run/39QK semgrep.dev: rule: r_id: 31443 rv_id: 835738 rule_id: v8ULvw version_id: 1QTPN6z url: https://semgrep.dev/playground/r/1QTPN6z/gitlab.security_code_scan.SCS0009-1 origin: community - id: gitlab.security_code_scan.SCS0008-1 languages: - csharp mode: taint pattern-sources: - pattern: | var $COOKIE = new HttpCookie(...); pattern-sinks: - pattern: $COOKIE pattern-sanitizers: - pattern: $COOKIE.Secure = true; message: | The `Secure` attribute when set to `true` protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS. Example of protecting an HttpCookie: ``` // Create an HttpOnly cookie. HttpCookie someCookie = new HttpCookie("SomeCookieName", "SomeValue"); someCookie.Secure = true; ``` For more information see: https://learn.microsoft.com/en-us/dotnet/api/system.web.httpcookie.secure Session cookies should be configured with the following security directives: - [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) - [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) severity: WARNING metadata: shortDescription: Sensitive cookie in HTTPS session without 'Secure' attribute category: security cwe: CWE-614 primary_identifier: security_code_scan.SCS0008-1 secondary_identifiers: - name: SCS0008 type: security_code_scan_rule_id value: SCS0008 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0008-1 shortlink: https://sg.run/49k5 semgrep.dev: rule: r_id: 31444 rv_id: 835739 rule_id: d8U86o version_id: 9lTJ7ro url: https://semgrep.dev/playground/r/9lTJ7ro/gitlab.security_code_scan.SCS0008-1 origin: community - id: gitlab.security_code_scan.SCS0004-1 languages: - csharp patterns: - pattern-inside: | using System.Net; ... - pattern: ServicePointManager.ServerCertificateValidationCallback += $CALLBACK; - metavariable-pattern: metavariable: $CALLBACK patterns: - pattern-either: - pattern: $RETURNTYPE $FUNC(...) { return true; } - pattern: (...) => true; message: | The `ServicePointManager.ServerCertificateValidationCallback` event has been set to always return `true`, which effectively disables the validation of server certificates. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Remove the callback function that is returning true to allow normal certificate validation to proceed. When no callback is provided, the client will validate that the certificate name matches the hostname that was used when creating the request. For more information on the `ServerCertificateValidationCallback` property see: https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.servercertificatevalidationcallback severity: WARNING metadata: shortDescription: Certificate validation disabled category: security cwe: CWE-295 primary_identifier: security_code_scan.SCS0004-1 secondary_identifiers: - name: SCS0004 type: security_code_scan_rule_id value: SCS0004 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0004-1 shortlink: https://sg.run/PwPz semgrep.dev: rule: r_id: 31445 rv_id: 835740 rule_id: ZqUDen version_id: yeTNgln url: https://semgrep.dev/playground/r/yeTNgln/gitlab.security_code_scan.SCS0004-1 origin: community - id: gitlab.security_code_scan.SCS0010-1 patterns: - pattern-inside: | using System.Security.Cryptography; ... - pattern-either: - pattern-regex: .*DES\.Create; - pattern: new DESCryptoServiceProvider(); - pattern-regex: .*TripleDES\.Create; - pattern: new TripleDESCryptoServiceProvider(); - pattern-regex: .*RC2\.Create; - pattern: new RC2CryptoServiceProvider(); message: | DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. If using .NET Framework greater than version 6.0 consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` // Generate a random key byte[] key = new byte[32]; RandomNumberGenerator.Fill(key); // Note nonce values _must_ be regenerated every time they are used. byte[] nonce = new byte[12]; RandomNumberGenerator.Fill(nonce); byte[] authTag = new byte[16]; byte[] cipherText; using (ChaCha20Poly1305 encryptor = new ChaCha20Poly1305(key)) { byte[] plainText = System.Text.Encoding.UTF8.GetBytes("Secret text to encrypt"); cipherText = new byte[plainText.Length]; encryptor.Encrypt(nonce, plainText, cipherText, authTag); } using (ChaCha20Poly1305 decryptor = new ChaCha20Poly1305(key)) { byte[] output = new byte[cipherText.Length]; decryptor.Decrypt(nonce, cipherText, authTag, output); Console.WriteLine("Output: {0}", System.Text.Encoding.UTF8.GetString(output)); } ``` Example using `AES-256-GCM`: ``` // Generate a random key byte[] key = new byte[32]; RandomNumberGenerator.Fill(key); // Note nonce values _must_ be regenerated every time they are used. byte[] nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; RandomNumberGenerator.Fill(nonce); byte[] authTag = new byte[AesGcm.TagByteSizes.MaxSize]; byte[] cipherText; using (AesGcm encryptor = new AesGcm(key)) { byte[] plainText = Encoding.UTF8.GetBytes("Secret text to encrypt"); cipherText = new byte[plainText.Length]; encryptor.Encrypt(nonce, plainText, cipherText, authTag); } using (AesGcm decryptor = new AesGcm(key)) { byte[] output = new byte[cipherText.Length]; decryptor.Decrypt(nonce, cipherText, authTag, output); Console.WriteLine("Output: {0}", Encoding.UTF8.GetString(output)); } ``` languages: - csharp severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 primary_identifier: security_code_scan.SCS0010-1 secondary_identifiers: - name: SCS0010 type: security_code_scan_rule_id value: SCS0010 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0010-1 shortlink: https://sg.run/Jzwy semgrep.dev: rule: r_id: 31446 rv_id: 835741 rule_id: nJUQnX version_id: rxTDvdk url: https://semgrep.dev/playground/r/rxTDvdk/gitlab.security_code_scan.SCS0010-1 origin: community - id: gitlab.security_code_scan.SCS0013-1 languages: - csharp patterns: - pattern-inside: | using System.Security.Cryptography; ... - metavariable-regex: metavariable: $CIPHER regex: ^(ECB|CBC|OFB|CFB|CTS)$ - pattern: CipherMode.$CIPHER message: | Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a `CipherMode`, an algorithm that has built-in message integrity should be used. If using .NET Framework greater than version 6.0 consider using `ChaCha20Poly1305` or `AES-256-GCM`. For older applications, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are re-used. Example using `ChaCha20Poly1305`: ``` // Generate a random key byte[] key = new byte[32]; RandomNumberGenerator.Fill(key); ChaCha20Poly1305 encryptor = new ChaCha20Poly1305(key); // Note nonce values _must_ be regenerated every time they are used. var nonce = new byte[12]; RandomNumberGenerator.Fill(nonce); byte[] plainText = System.Text.Encoding.UTF8.GetBytes("Secret text to encrypt"); byte[] cipherText = new byte[plainText.Length]; var authTag = new byte[16]; encryptor.Encrypt(nonce, plainText, cipherText, authTag); byte[] output = new byte[cipherText.Length]; encryptor.Decrypt(nonce, cipherText, authTag, output); Console.WriteLine("Output: {0}", System.Text.Encoding.UTF8.GetString(output)); ``` Example using `AES-256-GCM`: ``` var plaintextBytes = Encoding.UTF8.GetBytes("Secret text to encrypt"); var key = new byte[32]; RandomNumberGenerator.Fill(key); using var aes = new AesGcm(key); var nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; RandomNumberGenerator.Fill(nonce); var cipherText = new byte[plaintextBytes.Length]; var tag = new byte[AesGcm.TagByteSizes.MaxSize]; aes.Encrypt(nonce, plaintextBytes, cipherText, tag); // Decrypt using (var decrypt = new AesGcm(key)) { var decryptedBytes = new byte[cipherText.Length]; decrypt.Decrypt(nonce, cipherText, tag, decryptedBytes); Console.WriteLine("Decrypted: {0}", Encoding.UTF8.GetString(decryptedBytes)); } ``` severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 primary_identifier: security_code_scan.SCS0013-1 secondary_identifiers: - name: SCS0013 type: security_code_scan_rule_id value: SCS0013 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0013-1 shortlink: https://sg.run/5gZ0 semgrep.dev: rule: r_id: 31447 rv_id: 835742 rule_id: EwUe1Z version_id: bZTBopN url: https://semgrep.dev/playground/r/bZTBopN/gitlab.security_code_scan.SCS0013-1 origin: community - id: gitlab.security_code_scan.SCS0006-1 languages: - csharp patterns: - pattern-either: - patterns: - metavariable-regex: metavariable: $HASH_PROVIDER regex: ^(SHA1CryptoServiceProvider|MD5CryptoServiceProvider)$ - pattern: new $HASH_PROVIDER - patterns: - metavariable-regex: metavariable: $HASH_CLASS regex: ^System.Security.Cryptography.(SHA1|MD5)$ - pattern: $HASH_CLASS.$METHOD(); message: | Both MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Currently there is no vetted Argon2id implementation for C# so it is recommended that PBKDF2 be used until one is available. Example using PBKDF2 to generate and compare passwords: ``` const int SaltSize = 24; const int HashSize = 24; // number of pbkdf2 iterations, Rfc2898DeriveBytes uses hmac-sha1 // so set a high iteration count const int Iterations = 1_300_000; byte[] salt = new byte[SaltSize]; RandomNumberGenerator.Fill(salt); Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes("some password", salt, Iterations); byte[] hashBytes = pbkdf2.GetBytes(HashSize); // Store salt and hashedBytes in a data store such as database for authentication Console.WriteLine("Hash {0}", BitConverter.ToString(hashBytes).Replace("-", "")); // Do a constant time comparison as to not leak data based on timing if (CryptographicOperations.FixedTimeEquals(hashBytes, hashBytes)) { Console.WriteLine("hashes are equal"); } ``` For more information on PBKDF2 see: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes For more information on secure password storage see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm (SHA1/MD5) category: security cwe: CWE-327 primary_identifier: security_code_scan.SCS0006-1 secondary_identifiers: - name: SCS0006 type: security_code_scan_rule_id value: SCS0006 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0006-1 shortlink: https://sg.run/Gzbq semgrep.dev: rule: r_id: 31448 rv_id: 835743 rule_id: 7KUKbk version_id: NdTBRPN url: https://semgrep.dev/playground/r/NdTBRPN/gitlab.security_code_scan.SCS0006-1 origin: community - id: gitlab.security_code_scan.SCS0005-1 languages: - csharp patterns: - pattern: (Random $RNG).$METHOD(...); - focus-metavariable: $RNG message: | Depending on the context, generating weak random numbers may expose cryptographic functions which rely on these numbers to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `RandomNumberGenerator` class be used. Example `RandomNumberGenerator` usage: ``` Int32 randInt = RandomNumberGenerator.GetInt32(32000); byte[] randomBytes = new byte[64]; RandomNumberGenerator.Fill(randomBytes); Console.WriteLine("Random Int32: {0}", randInt); Console.WriteLine("Random Bytes: {0}", BitConverter.ToString(randomBytes).Replace("-", "")); ``` For more information see: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator severity: WARNING metadata: shortDescription: Use of cryptographically weak Pseudo-Random Number Generator (PRNG) category: security cwe: CWE-338 primary_identifier: security_code_scan.SCS0005-1 secondary_identifiers: - name: SCS0005 type: security_code_scan_rule_id value: SCS0005 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0005-1 shortlink: https://sg.run/Rw5q semgrep.dev: rule: r_id: 31449 rv_id: 835744 rule_id: L1URz8 version_id: kbT2PN6 url: https://semgrep.dev/playground/r/kbT2PN6/gitlab.security_code_scan.SCS0005-1 origin: community - id: gitlab.security_code_scan.SCS0016-1 languages: - csharp patterns: - pattern: | [$HTTPMETHOD] public $RET $FOO(...) { ... } - pattern-not: | [ValidateAntiForgeryToken] public $RET $FOO(...) { ... } - metavariable-regex: metavariable: $HTTPMETHOD regex: Http(Post|Delete|Patch|Put) message: | The application failed to protect against Cross-Site Request Forgery (CSRF) due to not including the `[ValidateAntiForgeryToken]` attribute on an HTTP method handler that could change user state (usually in the form of POST or PUT methods). The vulnerability can be exploited by an adversary creating a link or form on a third party site and tricking an authenticated victim to access them. Add the `[ValidateAntiForgeryToken]` to all methods which take in user data and change user state (such as updating a database with a new value). This is especially true for functionality such as updating passwords or other security sensitive functions. Alternatively, applications can enable a global [AutoValidateAntiforgeryTokenAttribute](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.autovalidateantiforgerytokenattribute) filter. For more information on ValidateAntiForgeryToken and other CSRF protections in .NET see the following URL: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery Additionally, consider setting all session cookies to have the `SameSite=Strict` attribute. It should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two cookie based approach is taken, as outlined in the [Top level navigations](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08#section-8.8.2) section of the SameSite RFC. For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf severity: WARNING metadata: shortDescription: Potential Cross-Site Request Forgery (CSRF) category: security cwe: CWE-352 primary_identifier: security_code_scan.SCS0016-1 secondary_identifiers: - name: SCS0016 type: security_code_scan_rule_id value: SCS0016 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0016-1 shortlink: https://sg.run/AKL2 semgrep.dev: rule: r_id: 31450 rv_id: 835745 rule_id: 8GU3vk version_id: w8TAbXA url: https://semgrep.dev/playground/r/w8TAbXA/gitlab.security_code_scan.SCS0016-1 origin: community - id: gitlab.security_code_scan.SCS0001-1 languages: - csharp patterns: - pattern-inside: | using System.Diagnostics; ... - pattern-either: - patterns: - pattern: Process.Start($ARG) - pattern-not: Process.Start("...") - pattern: (Process $PROC).StartInfo.FileName = <...$ARG...>; - pattern: (Process $PROC).StartInfo.Arguments = <...$ARG...>; - patterns: - pattern-inside: | $PSINFO = new ProcessStartInfo(...) ... Process.Start($PSINFO) - pattern-either: - pattern: $PSINFO.Arguments = <...$ARG...>; - pattern: $PSINFO.FileName = <...$ARG...>; message: | OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not: - Use user-supplied information in the process name to execute. - Use user-supplied information in an OS command execution function which does not escape shell meta-characters. - Use user-supplied information in arguments to OS commands. The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. When specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: ``` public void ExecuteCommand(string userFileData) { // generate a random filename, do not using user input string fileName = "C:\\Temp\\" + Guid.NewGuid(); File.WriteAllText(fileName, userFileData); using (Process process = new Process()) { // hardcode the full process path ProcessStartInfo processInfo = new ProcessStartInfo("C:\\App\\FileReader.exe"); // only pass in trust arguments, and never direct user input. processInfo.Arguments = fileName; processInfo.UseShellExecute = false; process.StartInfo = processInfo; process.Start(); } } ``` For more information on OS command injection, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html severity: ERROR metadata: shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') category: security cwe: CWE-78 primary_identifier: security_code_scan.SCS0001-1 secondary_identifiers: - name: SCS0001 type: security_code_scan_rule_id value: SCS0001 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0001-1 shortlink: https://sg.run/WbD2 semgrep.dev: rule: r_id: 31453 rv_id: 835748 rule_id: 3qU2L1 version_id: e1TDKQ1 url: https://semgrep.dev/playground/r/e1TDKQ1/gitlab.security_code_scan.SCS0001-1 origin: community - id: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter message: Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users. metadata: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter shortlink: https://sg.run/Q5BP semgrep.dev: rule: r_id: 9142 rv_id: 1262962 rule_id: WAUoLp version_id: o5TbDdq url: https://semgrep.dev/playground/r/o5TbDdq/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter origin: community severity: WARNING patterns: - pattern-either: - pattern-inside: | func $HANDLER(..., $WRITER http.ResponseWriter, ...) { ... } - pattern-inside: | func(..., $WRITER http.ResponseWriter, ...) { ... } - pattern: | $WRITER.Write(<... fmt.$PRINTF(...) ...>, ...) languages: - go - id: gitlab.security_code_scan.SCS0026-1.SCS0031-1 languages: - csharp patterns: - pattern-either: - patterns: - pattern: (DirectorySearcher $SOURCE).Filter = ... - pattern-not: (DirectorySearcher $SOURCE).Filter = "..." - patterns: - pattern: (DirectorySearcher $SOURCE).Path = ... - pattern-not: (DirectorySearcher $SOURCE).Path = "..." message: "LDAP injection attacks exploit LDAP queries to influence how data is returned by\nthe LDAP, or in this case an Active Directory server.\n\nIt is recommended that newer applications use the `System.DirectoryServices.AccountManagement`\nAPI instead of `DirectorySearcher` API as it hides the complexity of querying LDAP directly.\nHowever,\nthe `AccountManagement` API is still susceptible to LDAP injection if a user inputs LDAP\nqueries,\nincluding LDAP filter characters such as `*`.\n\nIt is recommended that all input passed to LDAP querying systems encode the following values:\n\n- Any occurrence of the null character must be escaped as \u201C\\00\u201D.\n- Any occurrence of the open parenthesis character must be escaped as \u201C\\28\u201D.\n- Any occurrence of the close parenthesis character must be escaped as \u201C\\29\u201D.\n- Any occurrence of the asterisk character must be escaped as \u201C\\2a\u201D.\n- Any occurrence of the backslash character must be escaped as \u201C\\5c\u201D.\n\nExample code that safely encodes input for use in an LDAP query using the `AccountManagement`\nAPI:\n```\nusing System.DirectoryServices.AccountManagement;\n\nstring EncodeLDAPString(string input) {\n // Note the \\ character is replaced first\n \ char[] chars = new char[] { '\\\\', '\\0', '(', ')', '*' };\n string[] encoded = new string[] { \"\\\\5c\", \"\\\\00\", \"\\\\28\", \"\\\\29\", \"\\\\2a\" };\n\n for (int i = 0; i < chars.Length; i++)\n {\n input = input.Replace(chars[i].ToString(), encoded[i]);\n }\n\n return input;\n}\n\n// unsafe, do not use without encoding first\nstring userInput = \"Administrator\";\nPrincipalContext AD = new PrincipalContext(ContextType.Domain, \"ad.example.dev\");\n\nUserPrincipal u = new UserPrincipal(AD);\nstring encodedUserName = EncodeLDAPString(userInput);\n\n// The AD search term, encoded prior to calling search\nu.SamAccountName = encodedUserName;\n\n// Search for user\nPrincipalSearcher search = new PrincipalSearcher(u);\n\n// Use FindOne to only return a single result\nUserPrincipal result = (UserPrincipal)search.FindOne();\nsearch.Dispose();\n\n// show some details\nif (result != null) {\n Console.WriteLine(\"User: {0}\", result.DisplayName);\n} else {\n Console.WriteLine(\"user not found\");\n}\n```\n\nThe same encoding method shown in `EncodeLDAPString` can also be used when using the\nolder `DirectorySearcher` API.\n\nFor more information see OWASP's guide:\nhttps://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html\n" severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an LDAP query ('LDAP Injection') category: security cwe: CWE-90 primary_identifier: security_code_scan.SCS0026-1.SCS0031-1 secondary_identifiers: - name: SCS0026 type: security_code_scan_rule_id value: SCS0026 - name: SCS0031 type: security_code_scan_rule_id value: SCS0031 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0026-1.SCS0031-1 shortlink: https://sg.run/0ZWj semgrep.dev: rule: r_id: 31454 rv_id: 835749 rule_id: 4bUbeO version_id: vdTOQe8 url: https://semgrep.dev/playground/r/vdTOQe8/gitlab.security_code_scan.SCS0026-1.SCS0031-1 origin: community - id: gitlab.gosec.G104-1.G107-1 patterns: - pattern-either: - patterns: - pattern: http.Get($URL) - pattern-not: http.Get("...") - patterns: - pattern: http.Head($URL) - pattern-not: http.Head("...") - patterns: - pattern: http.Post($URL, ...) - pattern-not: http.Post("...", ...) - patterns: - pattern: http.PostForm($URL, ...) - pattern-not: http.PostForm("...", ...) - patterns: - pattern-inside: | $REQ, ... := http.NewRequest(..., url, ...) ... $CLIENT := &http.Client{...} ... - pattern: $CLIENT.Do($REQ) - patterns: - pattern-not-inside: | const $X = "..." ... - pattern-not-inside: | var $Y string = "..." ... $X = $Y ... - pattern-not-inside: | $Y := "..." ... $X = $Y ... - pattern: http.Get($X) message: | Url provided to HTTP request as taint input metadata: cwe: 'CWE-88: Improper Neutralization of Argument Delimiters in a Command' license: MIT source: https://semgrep.dev/r/gitlab.gosec.G104-1.G107-1 shortlink: https://sg.run/Y8vd semgrep.dev: rule: r_id: 13758 rv_id: 15758 rule_id: 9AUR1r version_id: GxTzZZ url: https://semgrep.dev/playground/r/GxTzZZ/gitlab.gosec.G104-1.G107-1 origin: community severity: WARNING languages: - go - id: gitlab.security_code_scan.SCS0002-1 languages: - csharp patterns: - pattern-either: - patterns: - metavariable-regex: metavariable: $FUNC regex: ^(SqlQuery|ExecuteSqlCommand|ExecuteSqlCommandAsync|ExecuteSqlRaw|ExecuteSqlRawAsync|FromSqlRaw|FromSql|GetSqlStringCommand|ExecuteDataSet|ExecuteReader|ExecuteNonQuery|ExecuteScalar|CreateSQLQuery)$ - pattern: $DB.$FUNC($ARG, ...); - pattern-not: $DB.$FUNC("...", ...); - patterns: - metavariable-regex: metavariable: $FUNC regex: ^(ExecuteQuery|ExecuteCommand)$ - pattern-inside: | using System.Data.Linq; ... - pattern: (DataContext $CTX).$FUNC($ARG, ...) - patterns: - metavariable-regex: metavariable: $IMPL regex: ^(SqlCommand|OracleCommand|NpgsqlCommand|MySqlCommand|EntityCommand|OdbcCommand|OleDbCommand|SqliteCommand)$ - pattern-either: - patterns: - pattern: new $IMPL($ARG, ...); - pattern-not: new $IMPL("...", ...); - patterns: - pattern: ($IMPL $CMD).CommandText = <...$ARG...>; - pattern-not: ($IMPL $CMD).CommandText = "..."; - patterns: - metavariable-regex: metavariable: $FUNC regex: ^(ExecuteDataRow|ExecuteDataRowAsync|ExecuteDataset|ExecuteDatasetAsync|ExecuteNonQuery|ExecuteNonQueryAsync|ExecuteReader|ExecuteReaderAsync|ExecuteScalar|ExecuteScalarAsync|UpdateDataSet|UpdateDataSetAsync)$ - pattern-inside: | using MySql.Data.MySqlClient; ... - pattern: MySqlHelper.$FUNC("...", $ARG, ...); - patterns: - pattern-inside: | using Cassandra; ... - pattern: (Session $SESS).Execute($ARG, ...); - pattern-not: (Session $SESS).Execute("...", ...); message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using parameterized queries with `SqlCommand`: ``` string userInput = "someUserInput"; string connectionString = ...; using (SqlConnection connection = new SqlConnection(connectionString)) { connection.Open(); String sql = "SELECT name, value FROM table where name=@Name"; using (SqlCommand command = new SqlCommand(sql, connection)) { command.Parameters.Add("@Name", System.Data.SqlDbType.NVarChar); command.Parameters["@Name"].Value = userInput; using (SqlDataReader reader = command.ExecuteReader()) { while (reader.Read()) { Console.WriteLine("{0} {1}", reader.GetString(0), reader.GetString(1)); } } } } ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html severity: ERROR metadata: shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') category: security cwe: CWE-89 primary_identifier: security_code_scan.SCS0002-1 secondary_identifiers: - name: SCS0002 type: security_code_scan_rule_id value: SCS0002 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0002-1 shortlink: https://sg.run/K1y5 semgrep.dev: rule: r_id: 31455 rv_id: 835750 rule_id: PeUejg version_id: d6TKgXy url: https://semgrep.dev/playground/r/d6TKgXy/gitlab.security_code_scan.SCS0002-1 origin: community - id: gitlab.security_code_scan.SCS0003-1 languages: - csharp patterns: - pattern-inside: | using System.Xml; ... - pattern-either: - patterns: - metavariable-regex: metavariable: $FUNC regex: ^(SelectNodes|SelectSingleNode|Compile|Evaluate|Matches|Select|SelectAncestors|SelectChildren|SelectDescendants)$ - metavariable-regex: metavariable: $TY regex: ^(XPathNavigator|XmlDocument|XmlNode|XmlDocumentXPathExtensions)$ - pattern: ($TY $VAR).$FUNC(<...$ARG...>, ...) - pattern-not: ($TY $VAR).$FUNC("...", ...) - patterns: - pattern-inside: | using System.Xml.Linq; ... - metavariable-regex: metavariable: $FUNC regex: ^(XPathEvaluate|XPathSelectElement|XPathSelectElements)$ - pattern: $VAR.$FUNC(<...$ARG...>, ...) - pattern-not: $VAR.$FUNC("...", ...) - patterns: - pattern-inside: | using System.Xml.Schema; ... - pattern-either: - patterns: - pattern: $VAR.XPath = <...$ARG...>; - pattern-not: $VAR.XPath = "..." - patterns: - pattern: new XmlSchemaXPath { XPath = <...$ARG...> }; - focus-metavariable: $ARG message: | XPath injection is a vulnerability that can allow an adversary to inject or modify how an XML query is structured. Depending on the logic of the original query, this could lead to adversaries extracting unauthorized information or in rare cases bypassing authorization checks. It is recommended that LINQ to XML is used instead of XPath for querying XML documents. Care must be taken to **not** call these LINQ functions with user input as they can still lead to XPath injection: - `XPathEvaluate` - `XPathSelectElement` - `XPathSelectElements` Example using LINQ to XML to safely extract the first user from a list of users: ``` // XDocument is safe from XXE attacks as the resolver is disabled by default XDocument doc = XDocument.Load("users.xml"); XNamespace ns = "urn:users-schema"; string userInput = "LastName"; // Get all the users. var user = doc.Descendants(ns + "user") .Select(u => new { FirstName = (string)u.Element(ns + "first-name"), LastName = (string)u.Element(ns + "last-name") }).Where(u => u.LastName == userInput).FirstOrDefault(); Console.WriteLine(user.FirstName + " " + user.LastName); ``` For more information on LINQ to XML security see: https://learn.microsoft.com/en-us/dotnet/standard/linq/linq-xml-security For more information on XML security see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#net severity: INFO metadata: shortDescription: Improper neutralization of data within XPath expressions ('XPath Injection') category: security cwe: CWE-643 primary_identifier: security_code_scan.SCS0003-1 secondary_identifiers: - name: SCS0003 type: security_code_scan_rule_id value: SCS0003 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0003-1 shortlink: https://sg.run/qeZ7 semgrep.dev: rule: r_id: 31456 rv_id: 835751 rule_id: JDUnoJ version_id: ZRTld02 url: https://semgrep.dev/playground/r/ZRTld02/gitlab.security_code_scan.SCS0003-1 origin: community - id: gitlab.security_code_scan.SCS0007-1 languages: - csharp mode: taint pattern-sanitizers: - pattern: (XmlReaderSettings $SETTINGS).ProhibitDtd = true; - pattern: (XmlReaderSettings $SETTINGS).DtdProcessing = DtdProcessing.Prohibit; - pattern: (XmlDocument $DOC).XmlResolver = null; - pattern: var $DOC = new XmlDocument { ..., XmlResolver = null, ... }; pattern-sinks: - pattern: XmlReader.Create(..., $SETTINGS); - pattern: (XmlDocument $DOC).Load(...); pattern-sources: - pattern: var $SETTINGS = new XmlReaderSettings(); - pattern: var $DOC = new XmlDocument(...); - pattern: var $DOC = new XmlDocument {...}; message: | External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). XML parsers and document loaders must be configured to not resolve entities. This can be done by: - Ensuring you are running a version of .NET Framework greater than 4.5.2 (released in 2014). - Using `XDocument` which disables entity resolution and is generally safe from DoS. - Setting `XmlDocument`'s `XmlResolver` to null. - Setting `XmlTextReader`'s `ProhibitDtd` to `true` - Setting `XmlReaderSettings` `DtdProcessing` to `DtdProcessing.Prohibit` Example of safely loading an XML file using `XmlDocument`: ``` XmlDocument document = new XmlDocument(); document.XmlResolver = null; document.Load("users.xml"); ``` For more information on XML security, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#net severity: WARNING metadata: shortDescription: Improper restriction of XML external entity reference ('XXE') category: security cwe: CWE-611 primary_identifier: security_code_scan.SCS0007-1 secondary_identifiers: - name: SCS0007 type: security_code_scan_rule_id value: SCS0007 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0007-1 shortlink: https://sg.run/lbWE semgrep.dev: rule: r_id: 31457 rv_id: 835752 rule_id: 5rU7N6 version_id: nWTyNXQ url: https://semgrep.dev/playground/r/nWTyNXQ/gitlab.security_code_scan.SCS0007-1 origin: community - id: terraform.azure.best-practice.azure-defenderon-keyvaults.azure-defenderon-keyvaults message: Ensure that Azure Defender is set to On for Key Vault patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "KeyVaults" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "KeyVaults" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-keyvaults.azure-defenderon-keyvaults shortlink: https://sg.run/lJwy semgrep.dev: rule: r_id: 23913 rv_id: 946751 rule_id: d8UA3n version_id: nWTpYx8 url: https://semgrep.dev/playground/r/nWTpYx8/terraform.azure.best-practice.azure-defenderon-keyvaults.azure-defenderon-keyvaults origin: community languages: - hcl severity: WARNING - id: typescript.react.best-practice.react-props-spreading.react-props-spreading patterns: - pattern: <$X {...$PROPS} /> - focus-metavariable: $PROPS message: It's best practice to explicitly pass props to an HTML component rather than use the spread operator. The spread operator risks passing invalid HTML props to an HTML element, which can cause console warnings or worse, give malicious actors a way to inject unexpected attributes. languages: - typescript - javascript severity: INFO metadata: source-rule-url: https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/jsx-props-no-spreading.md references: - https://github.com/yannickcr/eslint-plugin-react/blob/master/docs/rules/jsx-props-no-spreading.md category: best-practice technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.best-practice.react-props-spreading.react-props-spreading shortlink: https://sg.run/XL5l semgrep.dev: rule: r_id: 9764 rv_id: 1274399 rule_id: r6Uky5 version_id: 8KT52KJ url: https://semgrep.dev/playground/r/8KT52KJ/typescript.react.best-practice.react-props-spreading.react-props-spreading origin: community - id: gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 patterns: - pattern-not-inside: | final String $ARG = ...; ... - pattern-not-inside: | class $CLAZZ { ... final String $ARG = ...; ... } - pattern-either: - patterns: - pattern: (javax.jdo.PersistenceManager $PM).newQuery($ARG) - pattern-not: (javax.jdo.PersistenceManager $PM).newQuery("...") - patterns: - pattern: (javax.jdo.PersistenceManager $PM).newQuery(..., $ARG) - pattern-not: (javax.jdo.PersistenceManager $PM).newQuery(..., "...") - patterns: - pattern: (javax.jdo.Query $Q).setFilter($ARG) - pattern-not: (javax.jdo.Query $Q).setFilter("...") - patterns: - pattern: (javax.jdo.Query $Q).setGrouping($ARG) - pattern-not: (javax.jdo.Query $Q).setGrouping("...") - patterns: - pattern: (javax.jdo.Query $Q).setGrouping($ARG) - pattern-not: (javax.jdo.Query $Q).setGrouping("...") - patterns: - pattern: (org.hibernate.criterion.Restrictions $H).sqlRestriction($ARG, ...) - pattern-not: (org.hibernate.criterion.Restrictions $H).sqlRestriction("...", ...) - patterns: - pattern: (org.hibernate.Session $S).createQuery((String $ARG), ...) - pattern-not: (org.hibernate.Session $S).createQuery("...", ...) - patterns: - pattern: (org.hibernate.Session $S).createSQLQuery($ARG, ...) - pattern-not: (org.hibernate.Session $S).createSQLQuery("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeQuery($ARG, ...) - pattern-not: (java.sql.Statement $S).createSQLQuery("...", ...) - patterns: - pattern: (java.sql.Statement $S).execute($ARG, ...) - pattern-not: (java.sql.Statement $S).execute("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeUpdate($ARG, ...) - pattern-not: (java.sql.Statement $S).executeUpdate("...", ...) - patterns: - pattern: (java.sql.Statement $S).executeLargeUpdate($ARG, ...) - pattern-not: (java.sql.Statement $S).executeLargeUpdate("...", ...) - patterns: - pattern: (java.sql.Statement $S).addBatch($ARG, ...) - pattern-not: (java.sql.Statement $S).addBatch("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeQuery($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeQuery("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).execute($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).execute("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeUpdate($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeUpdate("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).executeLargeUpdate($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).executeLargeUpdate("...", ...) - patterns: - pattern: (java.sql.PreparedStatement $S).addBatch($ARG, ...) - pattern-not: (java.sql.PreparedStatement $S).addBatch("...", ...) - patterns: - pattern: (java.sql.Connection $S).prepareCall($ARG, ...) - pattern-not: (java.sql.Connection $S).prepareCall("...", ...) - patterns: - pattern: (java.sql.Connection $S).prepareStatement($ARG, ...) - pattern-not: (java.sql.Connection $S).prepareStatement("...", ...) - patterns: - pattern: (java.sql.Connection $S).nativeSQL($ARG, ...) - pattern-not: (java.sql.Connection $S).nativeSQL("...", ...) - patterns: - pattern: new org.springframework.jdbc.core.PreparedStatementCreatorFactory($ARG, ...) - pattern-not: new org.springframework.jdbc.core.PreparedStatementCreatorFactory("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator($ARG, ...) - pattern-not: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).batchUpdate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).batchUpdate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).execute($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).execute("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).query($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).query("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForList($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForList("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForMap($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForMap("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForRowSet($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForRowSet("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForInt($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForInt("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).queryForLong($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).queryForLong("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcOperations $O).udpate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcOperations $O).udpate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).batchUpdate($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).batchUpdate("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).execute($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).execute("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).query($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).query("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForList($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForList("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForMap($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForMap("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForObject($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForObject("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForRowSet($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForRowSet("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForInt($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForInt("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).queryForLong($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).queryForLong("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.JdbcTemplate $O).update($ARG, ...) - pattern-not: (org.springframework.jdbc.core.JdbcTemplate $O).update("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlClient $O).query($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlClient $O).query("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlClient $O).preparedQuery("...", ...) - patterns: - pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($ARG, ...) - pattern-not: (io.vertx.sqlclient.SqlConnection $O).prepare("...", ...) - patterns: - pattern: (org.apache.turbine.om.peer.BasePeer $O).executeQuery($ARG, ...) - pattern-not: (org.apache.turbine.om.peer.BasePeer $O).executeQuery("...", ...) - patterns: - pattern: (org.apache.torque.util.BasePeer $O).executeQuery($ARG, ...) - pattern-not: (org.apache.torque.util.BasePeer $O).executeQuery("...", ...) - patterns: - pattern: (javax.persistence.EntityManager $O).createQuery($ARG, ...) - pattern-not: (javax.persistence.EntityManager $O).createQuery("...", ...) - patterns: - pattern: (javax.persistence.EntityManager $O).createNativeQuery($ARG, ...) - pattern-not: (javax.persistence.EntityManager $O).createNativeQuery("...", ...) languages: - java message: | The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. metadata: category: security cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' primary_identifier: find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 secondary_identifiers: - name: Find Security Bugs-SQL_INJECTION_SPRING_JDBC type: find_sec_bugs_type value: SQL_INJECTION_SPRING_JDBC - name: Find Security Bugs-SQL_INJECTION_JPA type: find_sec_bugs_type value: SQL_INJECTION_JPA - name: Find Security Bugs-SQL_INJECTION_JDO type: find_sec_bugs_type value: SQL_INJECTION_JDO - name: Find Security Bugs-SQL_INJECTION_JDBC type: find_sec_bugs_type value: SQL_INJECTION_JDBC - name: Find Security Bugs-SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE type: find_sec_bugs_type value: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE license: MIT source: https://semgrep.dev/r/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 shortlink: https://sg.run/WD1A semgrep.dev: rule: r_id: 21209 rv_id: 57077 rule_id: lBUXP4 version_id: YDT5zl url: https://semgrep.dev/playground/r/YDT5zl/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 origin: community severity: ERROR - id: generic.secrets.gitleaks.hashicorp-tf-password.hashicorp-tf-password message: A gitleaks hashicorp-tf-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO paths: include: - '*.tf' - '*.hcl' metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.hashicorp-tf-password.hashicorp-tf-password shortlink: https://sg.run/bw7lv semgrep.dev: rule: r_id: 92970 rv_id: 1262758 rule_id: BYUXNWY version_id: YDTZevN url: https://semgrep.dev/playground/r/YDTZevN/generic.secrets.gitleaks.hashicorp-tf-password.hashicorp-tf-password origin: community patterns: - pattern-regex: (?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$) - id: terraform.azure.best-practice.azure-defenderon-kubernetes.azure-defenderon-kubernetes message: Ensure that Azure Defender is set to On for Kubernetes patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "KubernetesService" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "KubernetesService" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-kubernetes.azure-defenderon-kubernetes shortlink: https://sg.run/YBLe semgrep.dev: rule: r_id: 23914 rv_id: 946752 rule_id: ZqUN2J version_id: ExTg4j2 url: https://semgrep.dev/playground/r/ExTg4j2/terraform.azure.best-practice.azure-defenderon-kubernetes.azure-defenderon-kubernetes origin: community languages: - hcl severity: WARNING - id: generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account pattern-regex: (("|'|`)?type("|'|`)?\s{0,50}(:|=>|=)\s{0,50}("|'|`)?service_account("|'|`)?,?) languages: - regex message: Google (GCM) Service account detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go category: security technology: - secrets - google-cloud confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account shortlink: https://sg.run/6nXj semgrep.dev: rule: r_id: 9059 rv_id: 1262874 rule_id: NbUkL8 version_id: w8TRoDX url: https://semgrep.dev/playground/r/w8TRoDX/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account origin: community - id: dockerfile.security.secret-in-build-arg.secret-in-build-arg patterns: - pattern-either: - pattern: ARG $ARG - pattern: ARG $ARG=... - metavariable-regex: metavariable: $ARG regex: (?i).*(password|secret|token|key|cert|api|auth) message: Docker build time arguments are not suited for secrets, because the argument values are saved with the image. Running `docker image history` on the image will show information on how the image was built, including arguments. If these contain plain text secrets, anyone with access to the docker image can access those secrets and exploit them. metadata: category: security technology: - dockerfile cwe: - 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://cwe.mitre.org/data/definitions/538.html - https://docs.docker.com/engine/reference/builder/#arg subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/dockerfile.security.secret-in-build-arg.secret-in-build-arg shortlink: https://sg.run/w6wA semgrep.dev: rule: r_id: 33629 rv_id: 1262662 rule_id: 0oUgGe version_id: 2KTv2Lq url: https://semgrep.dev/playground/r/2KTv2Lq/dockerfile.security.secret-in-build-arg.secret-in-build-arg origin: community languages: - dockerfile severity: WARNING - id: generic.secrets.gitleaks.slack-app-token.slack-app-token message: A gitleaks slack-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.slack-app-token.slack-app-token shortlink: https://sg.run/OvNn semgrep.dev: rule: r_id: 66775 rv_id: 1262825 rule_id: 6JUgAl version_id: yeTxp29 url: https://semgrep.dev/playground/r/yeTxp29/generic.secrets.gitleaks.slack-app-token.slack-app-token origin: community patterns: - pattern-regex: (?i)(xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+) - id: generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt message: A gitleaks gitlab-ptt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt shortlink: https://sg.run/wQeP semgrep.dev: rule: r_id: 44729 rv_id: 1262749 rule_id: 4bUKkW version_id: RGT0L2l url: https://semgrep.dev/playground/r/RGT0L2l/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt origin: community patterns: - pattern-regex: glptt-[0-9a-f]{40} - id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead. severity: WARNING languages: - elixir pattern: ~~~$VAL fix: Bitwise.bnot($VAL) metadata: references: - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc category: best-practice technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator shortlink: https://sg.run/9KE4 semgrep.dev: rule: r_id: 67423 rv_id: 945272 rule_id: lBUORZ version_id: 6xTxjx0 url: https://semgrep.dev/playground/r/6xTxjx0/elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator origin: community - id: c.lang.security.double-free.double-free patterns: - pattern-not: | free($VAR); ... $VAR = NULL; ... free($VAR); - pattern-not: | free($VAR); ... $VAR = malloc(...); ... free($VAR); - pattern-inside: | free($VAR); ... $FREE($VAR); - metavariable-pattern: metavariable: $FREE pattern: free - focus-metavariable: $FREE message: Variable '$VAR' was freed twice. This can lead to undefined behavior. metadata: cwe: - 'CWE-415: Double Free' owasp: - A03:2021 - Injection - A01:2017 - Injection - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/415.html - https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory category: security technology: - c confidence: LOW subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/c.lang.security.double-free.double-free shortlink: https://sg.run/eLl0 semgrep.dev: rule: r_id: 8832 rv_id: 1262604 rule_id: JDUyw8 version_id: RGT0L3W url: https://semgrep.dev/playground/r/RGT0L3W/c.lang.security.double-free.double-free origin: community languages: - c severity: ERROR - id: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token pattern-regex: ya29\.[0-9A-Za-z\-_]+ languages: - regex message: Google OAuth Access Token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json category: security technology: - secrets - google confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token shortlink: https://sg.run/ox2n semgrep.dev: rule: r_id: 9060 rv_id: 1262875 rule_id: kxUkpo version_id: xyTjzp6 url: https://semgrep.dev/playground/r/xyTjzp6/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token origin: community - id: generic.secrets.security.detected-google-oauth.detected-google-oauth-url pattern-regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com' languages: - regex message: Google OAuth url detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json category: security technology: - secrets - google confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-google-oauth.detected-google-oauth-url shortlink: https://sg.run/zvP0 semgrep.dev: rule: r_id: 9061 rv_id: 1262876 rule_id: wdUJr3 version_id: O9Tpxd5 url: https://semgrep.dev/playground/r/O9Tpxd5/generic.secrets.security.detected-google-oauth.detected-google-oauth-url origin: community - id: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key pattern-regex: '[hH][eE][rR][oO][kK][uU].*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}' languages: - regex message: Heroku API Key detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json category: security technology: - secrets - heroku confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key shortlink: https://sg.run/pxXR semgrep.dev: rule: r_id: 9062 rv_id: 1262877 rule_id: x8UnOB version_id: e1Tyj3N url: https://semgrep.dev/playground/r/e1Tyj3N/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key origin: community - id: trailofbits.yaml.ansible.unarchive-validate-certs-disabled.unarchive-validate-certs-disabled message: Found unarchive download with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/unarchive_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.unarchive-validate-certs-disabled.unarchive-validate-certs-disabled shortlink: https://sg.run/ZqByA semgrep.dev: rule: r_id: 113235 rv_id: 833324 rule_id: 6JUv2A4 version_id: e1TDkGr url: https://semgrep.dev/playground/r/e1TDkGr/trailofbits.yaml.ansible.unarchive-validate-certs-disabled.unarchive-validate-certs-disabled origin: community patterns: - pattern-inside: | $UNARCHIVE: ... - metavariable-pattern: metavariable: $UNARCHIVE pattern-either: - pattern: unarchive - pattern: ansible.builtin.unarchive - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: python.twilio.security.twiml-injection.twiml-injection languages: - python severity: WARNING message: Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands metadata: cwe: - 'CWE-91: XML Injection' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - python - twilio - twiml confidence: MEDIUM likelihood: HIGH impact: MEDIUM subcategory: - vuln references: - https://codeberg.org/fennix/funjection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection shortlink: https://sg.run/GdEEy semgrep.dev: rule: r_id: 134692 rv_id: 1263580 rule_id: oqUgjj2 version_id: kbTzGp1 url: https://semgrep.dev/playground/r/kbTzGp1/python.twilio.security.twiml-injection.twiml-injection origin: community mode: taint pattern-sources: - pattern: | f"..." - pattern: | "..." % ... - pattern: | "...".format(...) - patterns: - pattern: $ARG - pattern-inside: | def $F(..., $ARG, ...): ... pattern-sanitizers: - pattern: xml.sax.saxutils.escape(...) - pattern: html.escape(...) pattern-sinks: - patterns: - pattern: | $CLIENT.calls.create(..., twiml=$SINK, ...) - focus-metavariable: $SINK - id: trailofbits.yaml.ansible.unarchive-unencrypted-url.unarchive-unencrypted-url message: Found unarchive download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/unarchive_module.html#parameter-src license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.unarchive-unencrypted-url.unarchive-unencrypted-url shortlink: https://sg.run/d85yn semgrep.dev: rule: r_id: 113234 rv_id: 833323 rule_id: YGUpZzx version_id: O9TJWR6 url: https://semgrep.dev/playground/r/O9TJWR6/trailofbits.yaml.ansible.unarchive-unencrypted-url.unarchive-unencrypted-url origin: community patterns: - pattern-inside: | $UNARCHIVE: ... - metavariable-pattern: metavariable: $UNARCHIVE pattern-either: - pattern: unarchive - pattern: ansible.builtin.unarchive - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: src - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.yaml.ansible.apt-key-unencrypted-url.apt-key-unencrypted-url message: Found apt key download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - apt confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html#parameter-url license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.apt-key-unencrypted-url.apt-key-unencrypted-url shortlink: https://sg.run/r68RP semgrep.dev: rule: r_id: 113225 rv_id: 833314 rule_id: ReUD0BR version_id: 1QTPLQx url: https://semgrep.dev/playground/r/1QTPLQx/trailofbits.yaml.ansible.apt-key-unencrypted-url.apt-key-unencrypted-url origin: community patterns: - pattern-inside: | $APTKEY: ... - metavariable-pattern: metavariable: $APTKEY pattern-either: - pattern: apt_key - pattern: ansible.builtin.apt_key - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: url - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.yaml.ansible.yum-validate-certs-disabled.yum-validate-certs-disabled message: Found yum with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible - yum confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.yum-validate-certs-disabled.yum-validate-certs-disabled shortlink: https://sg.run/7Kvdw semgrep.dev: rule: r_id: 113238 rv_id: 833327 rule_id: pKU10q4 version_id: ZRTlPX3 url: https://semgrep.dev/playground/r/ZRTlPX3/trailofbits.yaml.ansible.yum-validate-certs-disabled.yum-validate-certs-disabled origin: community patterns: - pattern-inside: | $YUM: ... - metavariable-pattern: metavariable: $YUM pattern-either: - pattern: yum - pattern: ansible.builtin.yum - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: terraform.azure.best-practice.azure-defenderon-storage.azure-defenderon-storage message: Ensure that Azure Defender is set to On for Storage patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "StorageAccounts" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "StorageAccounts" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-storage.azure-defenderon-storage shortlink: https://sg.run/pAwg semgrep.dev: rule: r_id: 23918 rv_id: 946756 rule_id: L1UQGo version_id: gETeW3J url: https://semgrep.dev/playground/r/gETeW3J/terraform.azure.best-practice.azure-defenderon-storage.azure-defenderon-storage origin: community languages: - hcl severity: WARNING - id: solidity.security.basic-arithmetic-underflow.basic-arithmetic-underflow message: Possible arithmetic underflow metadata: category: security technology: - solidity cwe: 'CWE-191: Integer Underflow (Wrap or Wraparound)' confidence: LOW likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-umbnetwork-attack-event-analysis-9bae1141e58 - https://twitter.com/danielvf/status/1497194778278174724 - https://etherscan.io/address/0xbbc3a290c7d2755b48681c87f25f9d7f480ad42f license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.basic-arithmetic-underflow.basic-arithmetic-underflow shortlink: https://sg.run/QP0q semgrep.dev: rule: r_id: 67642 rv_id: 946604 rule_id: x8Ue4j version_id: d6TPjDJ url: https://semgrep.dev/playground/r/d6TPjDJ/solidity.security.basic-arithmetic-underflow.basic-arithmetic-underflow origin: community mode: taint pattern-sinks: - pattern: $Y - $X pattern-sources: - pattern-either: - pattern-inside: | function $F(..., $X, ...) external { ... } - pattern-inside: | function $F(..., $X, ...) public { ... } languages: - solidity severity: INFO - id: generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token message: A gitleaks planetscale-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token shortlink: https://sg.run/bYDE semgrep.dev: rule: r_id: 44770 rv_id: 1262801 rule_id: kxUQR9 version_id: l4TJRv4 url: https://semgrep.dev/playground/r/l4TJRv4/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token origin: community patterns: - pattern-regex: (?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: python.lang.maintainability.return.return-not-in-function patterns: - pattern-not-inside: | def $F(...): ... # TODO: first pattern should just automatically include this one - pattern-not-inside: | def $F(...) -> $Y: ... - pattern: return ... message: '`return` only makes sense inside a function' languages: - python severity: WARNING metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.return.return-not-in-function shortlink: https://sg.run/oxG9 semgrep.dev: rule: r_id: 9616 rv_id: 946311 rule_id: 10UKxW version_id: 44TZkqA url: https://semgrep.dev/playground/r/44TZkqA/python.lang.maintainability.return.return-not-in-function origin: community - id: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate message: $VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy. metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate shortlink: https://sg.run/g9e5 semgrep.dev: rule: r_id: 67641 rv_id: 946603 rule_id: wdUx3D version_id: vdTGn2l url: https://semgrep.dev/playground/r/vdTGn2l/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate origin: community patterns: - pattern: | function $F(...) { ... $VAR.getRate(); ... } - pattern-not-inside: | function $F(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } - pattern-not-inside: | function $F(...) { ... $VAULT.manageUserBalance(...); ... } - pattern-not-inside: | function _updateTokenRateCache(...) { ... } - pattern-not-inside: | contract PoolRecoveryHelper { ... } - pattern-not-inside: | contract ComposableStablePoolRates { ... } - pattern-not-inside: | contract WeightedPoolProtocolFees { ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } ... function $F(...) { ... $CHECKFUNC(...); ... $VAR.getRate(); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... VaultReentrancyLib.ensureNotInVaultContext(...); ... } ... function $F(...) { ... $VAR.getRate(); ... $CHECKFUNC(...); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAULT.manageUserBalance(...); ... } ... function $F(...) { ... $VAR.getRate(); ... $CHECKFUNC(...); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAULT.manageUserBalance(...); ... } ... function $F(...) { ... $CHECKFUNC(...); ... $VAR.getRate(); ... } ... } - focus-metavariable: $VAR languages: - solidity severity: ERROR - id: gitlab.flawfinder.strcat-1 languages: - c - cpp message: | The `strcat` family of functions are unable to limit how many bytes are copied to the destination buffer. It is recommended to use more secure alternatives such as `snprintf`. For more information please see: https://linux.die.net/man/3/snprintf If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strcat-s-wcscat-s-mbscat-s?view=msvc-170 metadata: shortDescription: Insecure string processing function cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strcat-1 secondary_identifiers: - name: Flawfinder - strcat type: flawfinder_func_name value: strcat license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strcat-1 shortlink: https://sg.run/GwqB semgrep.dev: rule: r_id: 13048 rv_id: 920318 rule_id: X5U7re version_id: DkT2ywR url: https://semgrep.dev/playground/r/DkT2ywR/gitlab.flawfinder.strcat-1 origin: community pattern: strcat(...) severity: ERROR - id: python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses languages: - python message: Is "$FUNC" a function or an attribute? If it is a function, you may have meant $X.$FUNC() because $X.$FUNC is always true. patterns: - pattern: $X.$FUNC - pattern-not-inside: $X.$FUNC(...) - metavariable-regex: metavariable: $FUNC regex: is_.* severity: WARNING metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses shortlink: https://sg.run/oYR7 semgrep.dev: rule: r_id: 14116 rv_id: 946309 rule_id: d8UeAx version_id: QkTZzNW url: https://semgrep.dev/playground/r/QkTZzNW/python.lang.maintainability.is-function-without-parentheses.is-function-without-parentheses origin: community - id: python.lang.maintainability.return.code-after-unconditional-return pattern: | return ... $S message: code after return statement will not be executed languages: - python severity: WARNING metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.return.code-after-unconditional-return shortlink: https://sg.run/6nOo semgrep.dev: rule: r_id: 9615 rv_id: 946310 rule_id: j2UvZG version_id: 3ZTOPwl url: https://semgrep.dev/playground/r/3ZTOPwl/python.lang.maintainability.return.code-after-unconditional-return origin: community - id: trailofbits.yaml.ansible.wrm-cert-validation-ignore.wrm-cert-validation-ignore message: Found Windows Remote Management connection with certificate validation disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html#https-certificate-validation license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.wrm-cert-validation-ignore.wrm-cert-validation-ignore shortlink: https://sg.run/nJlP1 semgrep.dev: rule: r_id: 113236 rv_id: 833325 rule_id: oqUgbWQ version_id: vdTOzBO url: https://semgrep.dev/playground/r/vdTOzBO/trailofbits.yaml.ansible.wrm-cert-validation-ignore.wrm-cert-validation-ignore origin: community pattern: 'ansible_winrm_server_cert_validation: ignore' - id: trailofbits.yaml.ansible.yum-unencrypted-url.yum-unencrypted-url message: Found yum download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - yum confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_module.html#parameter-name license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.yum-unencrypted-url.yum-unencrypted-url shortlink: https://sg.run/Ew4NE semgrep.dev: rule: r_id: 113237 rv_id: 833326 rule_id: zdUKbXv version_id: d6TKGp6 url: https://semgrep.dev/playground/r/d6TKGp6/trailofbits.yaml.ansible.yum-unencrypted-url.yum-unencrypted-url origin: community patterns: - pattern-inside: | $YUM: ... - metavariable-pattern: metavariable: $YUM pattern-either: - pattern: yum - pattern: ansible.builtin.yum - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: name - pattern: pkg - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: gitlab.flawfinder.CreateProcess-1 languages: - c - cpp message: | Due to how `CreateProcess` parses spaces, an attacker may be able to exploit this function by creating a binary with the same name that is loaded first, depending on the search path order. Ensure that quotation marks around the executable path are used, such as: ``` CreateProcessA(NULL, "\"C:\\Program Files\\MyApp.exe\"", ...) ``` For more information, please see MSDNs documentation at: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa#security-remarks metadata: shortDescription: Possible executable path hijacking (CreateProcess) cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.CreateProcess-1 secondary_identifiers: - name: Flawfinder - CreateProcess type: flawfinder_func_name value: CreateProcess license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.CreateProcess-1 shortlink: https://sg.run/Q4KD semgrep.dev: rule: r_id: 13086 rv_id: 920353 rule_id: YGUQ94 version_id: 3ZTLwWB url: https://semgrep.dev/playground/r/3ZTLwWB/gitlab.flawfinder.CreateProcess-1 origin: community pattern: CreateProcess(...) severity: WARNING - id: gitlab.flawfinder.getlogin-1 languages: - c - cpp message: | The `getlogin` function suffers from many bugs or unknown behaviors depending on the system. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling TTY of our program does not necessarily mean it is the user who started the process. Use getpwuid(geteuid()) and extract the desired information instead. For more information please see: https://linux.die.net/man/3/getpwuid metadata: shortDescription: Usage of deprecated function (getlogin) cwe: CWE-807 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Low category: security primary_identifier: flawfinder.getlogin-1 secondary_identifiers: - name: Flawfinder - getlogin type: flawfinder_func_name value: getlogin license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.getlogin-1 shortlink: https://sg.run/xene semgrep.dev: rule: r_id: 13074 rv_id: 920342 rule_id: JDUQ9Q version_id: e1TZK4n url: https://semgrep.dev/playground/r/e1TZK4n/gitlab.flawfinder.getlogin-1 origin: community pattern: getlogin(...) severity: ERROR - id: gitlab.find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1 languages: - java message: | A file is opened to write to its contents. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files at an arbitrary filesystem location could be modified. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. metadata: category: security cwe: CWE-22 shortDescription: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') technology: - java primary_identifier: find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1 secondary_identifiers: - name: Find Security Bugs-PATH_TRAVERSAL_OUT type: find_sec_bugs_type value: PATH_TRAVERSAL_OUT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1 shortlink: https://sg.run/ALZ4 semgrep.dev: rule: r_id: 21206 rv_id: 835512 rule_id: 0oUpvO version_id: QkTkN34 url: https://semgrep.dev/playground/r/QkTkN34/gitlab.find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - patterns: - pattern-inside: | $FUNC(String[] $ARGS) { ... } - pattern: $ARGS[$IDX] - patterns: - pattern-inside: | $FUNC(..., String $VAR, ...) { ... } - pattern: $VAR severity: ERROR - id: gitlab.find_sec_bugs.IMPROPER_UNICODE-1 languages: - java message: | Improper Handling of Unicode Encoding metadata: category: security confidence: HIGH cwe: CWE-176 shortDescription: Improper Handling of Unicode Encoding primary_identifier: find_sec_bugs.IMPROPER_UNICODE-1 secondary_identifiers: - name: Find Security Bugs-IMPROPER_UNICODE type: find_sec_bugs_type value: IMPROPER_UNICODE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.IMPROPER_UNICODE-1 shortlink: https://sg.run/xPlp semgrep.dev: rule: r_id: 21230 rv_id: 835532 rule_id: j2UwZp version_id: pZTXDv2 url: https://semgrep.dev/playground/r/pZTXDv2/gitlab.find_sec_bugs.IMPROPER_UNICODE-1 origin: community pattern-either: - patterns: - pattern-either: - pattern: | $S = (String $INPUT).$TRANSFORM(...); ... $S.$METHOD(...); - pattern: (String $INPUT).$TRANSFORM().$METHOD(...); - metavariable-regex: metavariable: $METHOD regex: (equals|equalsIgnoreCase|indexOf) - metavariable-regex: metavariable: $TRANSFORM regex: (toLowerCase|toUpperCase) - pattern: java.text.Normalizer.normalize(...); - pattern: java.net.IDN.toASCII(...); - pattern: (URI $U).toASCIIString(); severity: ERROR - id: gitlab.find_sec_bugs.HARD_CODE_KEY-1 pattern-either: - patterns: - pattern-not-inside: | $FUNC(...,byte[] $KEY_BYTES, ...) { ... } - pattern-either: - pattern: new DESKeySpec((byte[] $KEY_BYTES)); - pattern: new DESedeKeySpec((byte[] $KEY_BYTES)); - pattern: new KerberosKey(..., (byte[] $KEY_BYTES), ..., ...); - pattern: new SecretKeySpec((byte[] $KEY_BYTES), ...); - pattern: new X509EncodedKeySpec((byte[] $KEY_BYTES)); - pattern: new PKCS8EncodedKeySpec((byte[] $KEY_BYTES)); - pattern: new KeyRep(...,(byte[] $KEY_BYTES)); - pattern: new KerberosTicket(...,(byte[] $KEY_BYTES),...); - metavariable-pattern: metavariable: $KEY_BYTES patterns: - pattern-not-regex: (null) - patterns: - pattern-not-inside: | $FUNC(..., BigInteger $PRIVATE_KEY, ...) { ... } - pattern-either: - pattern: new DSAPrivateKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new DSAPublicKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new DHPrivateKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new DHPublicKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new ECPrivateKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new RSAPrivateKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new RSAMultiPrimePrivateCrtKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new RSAPrivateCrtKeySpec((BigInteger $PRIVATE_KEY), ...); - pattern: new RSAPublicKeySpec((BigInteger $PRIVATE_KEY), ...); - metavariable-pattern: metavariable: $PRIVATE_KEY patterns: - pattern-not-regex: (null) message: | Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. languages: - java severity: ERROR metadata: category: security cwe: 'CWE-321: Use of Hard-coded Cryptographic Key' technology: - java license: MIT source: https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-1 shortlink: https://sg.run/Y4yX semgrep.dev: rule: r_id: 21214 rv_id: 26889 rule_id: ReU2vo version_id: rxT4Zk url: https://semgrep.dev/playground/r/rxT4Zk/gitlab.find_sec_bugs.HARD_CODE_KEY-1 origin: community - id: gitlab.find_sec_bugs.HARD_CODE_KEY-4 patterns: - pattern-not-inside: | $FUNC(..., $VAR_NAME, ...) { ... } - pattern-either: - pattern: (String $VAR_NAME).equals(...) - pattern: (String $OTHER).equals((String $VAR_NAME)) - pattern: java.util.Arrays.equals(...,(String $VAR_NAME),...) - pattern: (byte[] $VAR_NAME).equals(...) - pattern: (byte[] $OTHER).equals((byte[] $VAR_NAME)) - pattern: java.util.Arrays.equals(...,(byte[] $VAR_NAME),...) - pattern: java.lang.Byte.comapre(...,(byte[] $VAR_NAME),...) - pattern: (char[] $VAR_NAME).equals(...) - pattern: (char[] $OTHER).equals((char[] $VAR_NAME)) - pattern: java.util.Arrays.equals(...,(char[] $VAR_NAME),...) - metavariable-regex: metavariable: $VAR_NAME regex: (?i).*(pass|pwd|psw|secret|key|cipher|crypt|des|aes|mac|private|sign|cert).* message: | Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. languages: - java severity: WARNING metadata: category: security cwe: 'CWE-321: Use of Hard-coded Cryptographic Key' technology: - java license: MIT source: https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-4 shortlink: https://sg.run/6kO6 semgrep.dev: rule: r_id: 21215 rv_id: 26890 rule_id: AbUNYQ version_id: bZT9qN url: https://semgrep.dev/playground/r/bZT9qN/gitlab.find_sec_bugs.HARD_CODE_KEY-4 origin: community - id: gitlab.find_sec_bugs.HARD_CODE_KEY-2 patterns: - pattern-either: - pattern: String $VAR = "..."; - pattern: byte[] $VAR = {...}; - pattern: byte[] $VAR = new byte[]{...}; - pattern: char[] $VAR = {...}; - pattern: char[] $VAR = new char[]{...}; - metavariable-regex: metavariable: $VAR regex: (?i).*(pass|pwd|psw|secret|key|cipher|crypt|des|aes|mac|private|sign|cert).* message: | Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. languages: - java severity: WARNING metadata: category: security cwe: 'CWE-321: Use of Hard-coded Cryptographic Key' technology: - java license: MIT source: https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-2 shortlink: https://sg.run/obGN semgrep.dev: rule: r_id: 21216 rv_id: 26891 rule_id: BYUKYz version_id: NdTo8N url: https://semgrep.dev/playground/r/NdTo8N/gitlab.find_sec_bugs.HARD_CODE_KEY-2 origin: community - id: gitlab.find_sec_bugs.HARD_CODE_KEY-3 patterns: - pattern: String $VAR = "$VAL"; - metavariable-regex: metavariable: $VAL regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).* message: | Cryptographic keys should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. To be managed safely, passwords and secret keys should be stored in separate configuration files or keystores. languages: - java severity: WARNING metadata: category: security cwe: 'CWE-321: Use of Hard-coded Cryptographic Key' technology: - java license: MIT source: https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-3 shortlink: https://sg.run/z561 semgrep.dev: rule: r_id: 21217 rv_id: 26892 rule_id: DbU28G version_id: kbTLq6 url: https://semgrep.dev/playground/r/kbTLq6/gitlab.find_sec_bugs.HARD_CODE_KEY-3 origin: community - id: gitlab.find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 languages: - java pattern-either: - pattern: | catch(Throwable $E) { ... $E.printStackTrace(); ... } - pattern: | catch(Exception $E) { ... $E.printStackTrace(); ... } - pattern: | catch(Error $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.io.FileNotFoundException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.sql.SQLException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.net.BindException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.util.ConcurrentModificationException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(javax.naming.InsufficientResourcesException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.util.MissingResourceException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.util.jar.JarException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(java.security.acl.NotOwnerException $E) { ... $E.printStackTrace(); ... } - pattern: | catch(OutOfMemoryError $E) { ... $E.printStackTrace(); ... } - pattern: | catch(StackOverflowError $E) { ... $E.printStackTrace(); ... } message: | The application was found printing stack information to the default system output. As stack trace data may contain sensitive information, it is recommended that the output be logged using a secure logging framework. Log files should also be protected with proper operating system permission levels. severity: WARNING metadata: shortDescription: Information exposure through an error message category: security cwe: CWE-209 technology: - java primary_identifier: find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 secondary_identifiers: - name: Find Security Bugs-INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE type: find_sec_bugs_type value: INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 shortlink: https://sg.run/ZPrn semgrep.dev: rule: r_id: 21235 rv_id: 835537 rule_id: bwULk7 version_id: 9lTJ7YE url: https://semgrep.dev/playground/r/9lTJ7YE/gitlab.find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 origin: community - id: gitlab.find_sec_bugs.RPC_ENABLED_EXTENSIONS-1 languages: - java message: | Enabling extensions in Apache XML RPC server or client can lead to deserialization vulnerability which would allow an attacker to execute arbitrary code. metadata: category: security cwe: CWE-502 shortDescription: Deserialization of Untrusted Data primary_identifier: find_sec_bugs.RPC_ENABLED_EXTENSIONS-1 secondary_identifiers: - name: Find Security Bugs-RPC_ENABLED_EXTENSIONS type: find_sec_bugs_type value: RPC_ENABLED_EXTENSIONS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.RPC_ENABLED_EXTENSIONS-1 shortlink: https://sg.run/nw5O semgrep.dev: rule: r_id: 21236 rv_id: 835538 rule_id: NbUeOb version_id: yeTNg9z url: https://semgrep.dev/playground/r/yeTNg9z/gitlab.find_sec_bugs.RPC_ENABLED_EXTENSIONS-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | XmlRpcServerConfigImpl $VAR = new org.apache.xmlrpc.server.XmlRpcServerConfigImpl(); ... - pattern: $VAR.setEnabledForExtensions(true); - patterns: - pattern-inside: | XmlRpcClientConfigImpl $VAR = new org.apache.xmlrpc.client.XmlRpcClientConfigImpl(); ... - pattern: $VAR.setEnabledForExtensions(true); severity: WARNING - id: go.lang.security.shared-url-struct-mutation.shared-url-struct-mutation message: Shared URL struct may have been accidentally mutated. Ensure that this behavior is intended. languages: - go severity: WARNING patterns: - pattern-inside: | import "net/url" ... - pattern-not-inside: | ... = url.Parse(...) ... - pattern-not-inside: | ... = url.ParseRequestURI(...) ... - pattern-not-inside: | ... = url.URL{...} ... - pattern-not-inside: | var $URL *$X.URL ... - pattern-either: - pattern: $URL.RawQuery = ... - pattern: $URL.Path = ... - pattern: $URL.RawPath = ... - pattern: $URL.Fragment = ... - pattern: $URL.RawFragment = ... - pattern: $URL.Scheme = ... - pattern: $URL.Opaque = ... - pattern: $URL.Host = ... - pattern: $URL.User = ... - metavariable-pattern: metavariable: $URL patterns: - pattern-not: $X.$Y - pattern-not: $X[...] metadata: cwe: - 'CWE-436: Interpretation Conflict' category: security subcategory: - audit technology: - go confidence: LOW likelihood: LOW impact: LOW references: - https://github.com/golang/go/issues/63777 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/go.lang.security.shared-url-struct-mutation.shared-url-struct-mutation shortlink: https://sg.run/yyEEd semgrep.dev: rule: r_id: 146568 rv_id: 945613 rule_id: pKU1EEO version_id: WrTEojd url: https://semgrep.dev/playground/r/WrTEojd/go.lang.security.shared-url-struct-mutation.shared-url-struct-mutation origin: community - id: solidity.security.delegatecall-to-arbitrary-address.delegatecall-to-arbitrary-address message: An attacker may perform delegatecall() to an arbitrary address. metadata: category: security technology: - solidity cwe: 'CWE-20: Improper Input Validation' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-delegatecall license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/solidity.security.delegatecall-to-arbitrary-address.delegatecall-to-arbitrary-address shortlink: https://sg.run/5B9j semgrep.dev: rule: r_id: 67647 rv_id: 946609 rule_id: ZqUPwX version_id: LjTXy03 url: https://semgrep.dev/playground/r/LjTXy03/solidity.security.delegatecall-to-arbitrary-address.delegatecall-to-arbitrary-address origin: community languages: - solidity severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern: function $ANY(..., address $CONTRACT, ...) public {...} - pattern: function $ANY(..., address $CONTRACT, ...) external {...} - pattern: function $ANY(..., address payable $CONTRACT, ...) public {...} - pattern: function $ANY(..., address payable $CONTRACT, ...) external {...} - pattern-not: constructor(...) { ... } - pattern-not: function $ANY(...) $M { ... } - pattern-not: function $ANY(...) $M(...) { ... } - focus-metavariable: $CONTRACT pattern-sinks: - patterns: - pattern-not-inside: | require(<... msg.sender ...>, ...); ... - pattern-not-inside: | require(<... _msgSender() ...>, ...); ... - pattern-not-inside: | if(<... msg.sender ...>) revert(...); ... - pattern-not-inside: | if(<... _msgSender() ...>) revert(...); ... - pattern-not: address(this).delegatecall(...); - pattern-either: - pattern: $CONTRACT.delegatecall(...); - pattern: $CONTRACT.delegatecall{gas:$GAS}(...); - id: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false languages: - yaml message: 'Found ''x-openai-isConsequential: false'' in a state-changing HTTP method: $METHOD $PATH. This Action configuration will enable the ''Always Allow'' option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the ''Always Allow'' button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human In The Loop (HITL) type of control. Consider the trade-off between security and user friction and then make a risk-based decision about this function.' severity: WARNING pattern-either: - pattern-inside: | post: ... x-openai-isConsequential: false - pattern-inside: | put: ... x-openai-isConsequential: false - pattern-inside: | patch: ... x-openai-isConsequential: false - pattern-inside: | delete: ... x-openai-isConsequential: false metadata: category: security subcategory: - audit technology: - openapi - openai likelihood: HIGH impact: HIGH confidence: HIGH cwe: 'CWE-441: Unintended Proxy or Intermediary (''Confused Deputy'')' owasp: - A04:2021 Insecure Design - LLM08:2023 - Excessive Agency references: - https://platform.openai.com/docs/actions/consequential-flag - https://owasp.org/Top10/A04_2021-Insecure_Design/ - https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false shortlink: https://sg.run/x8EEP semgrep.dev: rule: r_id: 146574 rv_id: 947071 rule_id: yyURooD version_id: WrTEZN8 url: https://semgrep.dev/playground/r/WrTEZN8/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false origin: community - id: gitlab.bandit.B108-1 pattern: open("=~/^\/tmp.*/", ...) message: | Detected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead. metadata: cwe: 'CWE-377: Insecure Temporary File' license: MIT source: https://semgrep.dev/r/gitlab.bandit.B108-1 shortlink: https://sg.run/O81B semgrep.dev: rule: r_id: 11875 rv_id: 13242 rule_id: 6JU6qd version_id: l4TzRP url: https://semgrep.dev/playground/r/l4TzRP/gitlab.bandit.B108-1 origin: community severity: WARNING languages: - python - id: python.lang.security.audit.non-literal-import.non-literal-import patterns: - pattern: | importlib.import_module($NAME, ...) - pattern-not: | importlib.import_module("...", ...) message: Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. metadata: owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' category: security technology: - python references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/python.lang.security.audit.non-literal-import.non-literal-import shortlink: https://sg.run/y6Jk semgrep.dev: rule: r_id: 12068 rv_id: 1263508 rule_id: AbUGN5 version_id: l4TJRg9 url: https://semgrep.dev/playground/r/l4TJRg9/python.lang.security.audit.non-literal-import.non-literal-import origin: community languages: - python severity: WARNING - id: apex.lang.security.ncino.system.systemdebug.system-debug min-version: 1.44.0 severity: WARNING languages: - apex metadata: cwe: - 'CWE-489: Active Debug Code' - 'CWE-779: Logging of Excessive Data' category: security subcategory: - vuln technology: - vuln references: - https://cwe.mitre.org/data/definitions/489.html - https://cwe.mitre.org/data/definitions/779.html impact: MEDIUM likelihood: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code - Other source: https://semgrep.dev/r/apex.lang.security.ncino.system.systemdebug.system-debug shortlink: https://sg.run/jPJZ semgrep.dev: rule: r_id: 72421 rv_id: 945155 rule_id: ReUlnb version_id: qkT4jWw url: https://semgrep.dev/playground/r/qkT4jWw/apex.lang.security.ncino.system.systemdebug.system-debug origin: community message: In addition to debug statements potentially logging data excessively, debug statements also contribute to longer transactions and consume Apex CPU time even when debug logs are not being captured. pattern: System.debug(...) paths: exclude: - '*Test*' - '*test*' - id: gitlab.bandit.B303-3 patterns: - pattern-either: - pattern: Crypto.Hash.MD2.new(...) - pattern: Cryptodome.Hash.MD2.new (...) message: | Detected MD2 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead. metadata: cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm owasp: A3:2017-Sensitive Data Exposure primary_identifier: bandit.B303-3 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT source: https://semgrep.dev/r/gitlab.bandit.B303-3 shortlink: https://sg.run/nq5r semgrep.dev: rule: r_id: 11536 rv_id: 73118 rule_id: 9AUOKZ version_id: WrTw4p url: https://semgrep.dev/playground/r/WrTw4p/gitlab.bandit.B303-3 origin: community severity: WARNING languages: - python - id: gitlab.bandit.B303-4 patterns: - pattern-either: - pattern: Crypto.Hash.MD4.new(...) - pattern: Cryptodome.Hash.MD4.new (...) message: | Detected MD4 hash algorithm which is considered insecure. This algorithm has many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead. metadata: cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm owasp: A3:2017-Sensitive Data Exposure primary_identifier: bandit.B303-4 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT source: https://semgrep.dev/r/gitlab.bandit.B303-4 shortlink: https://sg.run/E5GB semgrep.dev: rule: r_id: 11537 rv_id: 73119 rule_id: yyUvLN version_id: 0bTXP3 url: https://semgrep.dev/playground/r/0bTXP3/gitlab.bandit.B303-4 origin: community severity: WARNING languages: - python - id: gitlab.bandit.B303-5 patterns: - pattern-either: - pattern: Crypto.Hash.MD5.new(...) - pattern: Cryptodome.Hash.MD5.new (...) message: | Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. metadata: cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm owasp: A3:2017-Sensitive Data Exposure primary_identifier: bandit.B303-5 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT source: https://semgrep.dev/r/gitlab.bandit.B303-5 shortlink: https://sg.run/70eQ semgrep.dev: rule: r_id: 11538 rv_id: 73120 rule_id: r6UkYj version_id: K3TXWk url: https://semgrep.dev/playground/r/K3TXWk/gitlab.bandit.B303-5 origin: community severity: WARNING languages: - python - id: gitlab.bandit.B313.B314.B315.B316.B318.B319.B320.B405.B406.B407.B408.B409.B410 pattern-either: - pattern: import xml - pattern: import lxml - pattern: xml.etree.cElementTree.fromstring(...) - pattern: xml.etree.cElementTree.parse(...) - pattern: xml.etree.cElementTree.iterparse(...) - pattern: xml.etree.cElementTree.XMLParser(...) - pattern: xml.etree.ElementTree.fromstring(...) - pattern: xml.etree.ElementTree.parse(...) - pattern: xml.etree.ElementTree.iterparse(...) - pattern: xml.etree.ElementTree.XMLParser(...) - pattern: xml.sax.expatreader.create_parser(...) - pattern: xml.dom.expatbuilder.parse(...) - pattern: xml.dom.expatbuilder.parseString(...) - pattern: xml.dom.minidom.parseString(...) - pattern: xml.dom.minidom.parse(...) - pattern: xml.dom.pulldom.parseString(...) - pattern: xml.dom.pulldom.parse(...) - pattern: lxml.etree.fromstring(...) - pattern: lxml.etree.RestrictedElement(...) - pattern: lxml.etree.GlobalParserTLS(...) - pattern: lxml.etree.getDefaultParser(...) - pattern: lxml.etree.check_docinfo(...) metadata: cwe: 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: 'A4: XML External Entities (XXE)' license: MIT source: https://semgrep.dev/r/gitlab.bandit.B313.B314.B315.B316.B318.B319.B320.B405.B406.B407.B408.B409.B410 shortlink: https://sg.run/DJ5G semgrep.dev: rule: r_id: 11552 rv_id: 13281 rule_id: L1U4Yd version_id: DkTKjj url: https://semgrep.dev/playground/r/DkTKjj/gitlab.bandit.B313.B314.B315.B316.B318.B319.B320.B405.B406.B407.B408.B409.B410 origin: community message: | Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE) attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'. See https://github.com/tiran/defusedxml for more information. severity: ERROR languages: - python - id: gitlab.bandit.B502.B503 patterns: - pattern-either: - pattern: ssl.PROTOCOL_SSLv2 - pattern: ssl.PROTOCOL_SSLv3 - pattern: ssl.PROTOCOL_TLSv1 - pattern: ssl.PROTOCOL_TLSv1_1 - pattern: pyOpenSSL.SSL.SSLv2_METHOD - pattern: pyOpenSSL.SSL.SSLv23_METHOD - pattern: pyOpenSSL.SSL.SSLv3_METHOD - pattern: pyOpenSSL.SSL.TLSv1_METHOD - pattern: pyOpenSSL.SSL.TLSv1_1_METHOD message: | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. metadata: cwe: 'CWE-326: Inadequate Encryption Strength' owasp: 'A3: Sensitive Data Exposure' license: MIT source: https://semgrep.dev/r/gitlab.bandit.B502.B503 shortlink: https://sg.run/plRe semgrep.dev: rule: r_id: 11562 rv_id: 13295 rule_id: ReUPvG version_id: 1QTeld url: https://semgrep.dev/playground/r/1QTeld/gitlab.bandit.B502.B503 origin: community severity: WARNING languages: - python - id: go.lang.security.reverseproxy-director.reverseproxy-director message: ReverseProxy can remove headers added by Director. Consider using ReverseProxy.Rewrite instead of ReverseProxy.Director. languages: - go severity: WARNING patterns: - pattern-inside: | import "net/http/httputil" ... - pattern-either: - pattern: $PROXY.Director = $FUNC - patterns: - pattern-inside: | httputil.ReverseProxy{ ... } - pattern: | Director: $FUNC metadata: cwe: - 'CWE-115: Misinterpretation of Input' category: security subcategory: - audit technology: - go confidence: MEDIUM likelihood: LOW impact: LOW references: - https://github.com/golang/go/issues/50580 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/go.lang.security.reverseproxy-director.reverseproxy-director shortlink: https://sg.run/9AYYR semgrep.dev: rule: r_id: 146567 rv_id: 945612 rule_id: zdUKzzA version_id: DkTNpvx url: https://semgrep.dev/playground/r/DkTNpvx/go.lang.security.reverseproxy-director.reverseproxy-director origin: community - id: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount message: The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine. languages: - dockerfile - yaml severity: ERROR metadata: cwe: - 'CWE-862: Missing Authorization' - 'CWE-269: Improper Privilege Management' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - audit technology: - dockerfile category: security references: - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html - https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/ - https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount shortlink: https://sg.run/10AAQ semgrep.dev: rule: r_id: 146566 rv_id: 945266 rule_id: oqUgAAk version_id: WrTEoEq url: https://semgrep.dev/playground/r/WrTEoEq/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount origin: community pattern-either: - patterns: - pattern: VOLUME $X - metavariable-regex: metavariable: $X regex: /var/run/docker.sock - patterns: - pattern-regex: '- "/var/run/docker.sock:.*"' - pattern-inside: | volumes: ... - id: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv message: The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead. metadata: cwe: - 'CWE-1204: Generation of Weak Initialization Vector (IV)' category: security subcategory: - vuln technology: - node-crypto likelihood: HIGH impact: MEDIUM confidence: HIGH references: - https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options - https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv shortlink: https://sg.run/bw33r semgrep.dev: rule: r_id: 146570 rv_id: 945898 rule_id: X5UQRR7 version_id: ZRT3510 url: https://semgrep.dev/playground/r/ZRT3510/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern-either: - pattern: | $CRYPTO.createCipher(...) - pattern: | $CRYPTO.createDecipher(...) - id: python.correctness.check-is-none-explicitly.check-is-none-explicitly pattern-either: - pattern: $X and $X == 0 - pattern: $X.get($FIELD) and $X[$FIELD] == 0 fix: ($X != None) and $X == 0 message: This expression will always return False because 0 is a false-y value. So if $X is 0, then the first part of this expression will return False but if it is not, the second part will return False. Perhaps you meant to check if $X was None explicitly. languages: - python severity: WARNING metadata: category: correctness technology: - none references: - https://www.freecodecamp.org/news/truthy-and-falsy-values-in-python/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.correctness.check-is-none-explicitly.check-is-none-explicitly shortlink: https://sg.run/wdEEX semgrep.dev: rule: r_id: 146573 rv_id: 946102 rule_id: 9AUdppJ version_id: ExTg27E url: https://semgrep.dev/playground/r/ExTg27E/python.correctness.check-is-none-explicitly.check-is-none-explicitly origin: community - id: gitlab.security_code_scan.SCS0028-1 mode: taint pattern-sources: - pattern: Request.Cookies[...] - pattern: Request.Cookies.Get(...) - pattern: Request.Form[...] - pattern: Request.Form.Get(...) - pattern: Request.Headers[...] - pattern: Request.Headers.Get(...) - pattern: Request.QueryString[...] - pattern: Request.QueryString.Get(...) - pattern: Request.Body - pattern: $CTX.Request.Cookies[...] - pattern: $CTX.Request.Cookies.Get(...) - pattern: $CTX.Request.Form[...] - pattern: $CTX.Request.Form.Get(...) - pattern: $CTX.Request.Headers[...] - pattern: $CTX.Request.Headers.Get(...) - pattern: $CTX.Request.QueryString[...] - pattern: $CTX.Request.QueryString.Get(...) - pattern: $CTX.Request.Body - pattern: System.IO.File.ReadAllText(...) - pattern: System.IO.File.ReadAllTextAsync(...) - pattern: System.IO.File.ReadAllLines(...) - pattern: System.IO.File.ReadAllLinesAsync(...) - pattern: System.IO.File.ReadAllBytes(...) - pattern: System.IO.File.ReadAllBytesAsync(...) - pattern: System.IO.File.ReadLines(...) - pattern: System.IO.File.ReadLinesAsync(...) - pattern: System.Environment.GetEnvironmentVariable(...) pattern-sinks: - pattern: (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).Deserialize(...) - pattern: (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).UnsafeDeserialize(...) - pattern: (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).UnsafeDeserializeMethod(...) - pattern: (System.Runtime.Serialization.Formatters.Soap.SoapFormatter $OBJ).Deserialize(...) - pattern: (System.Runtime.Serialization.NetDataContractSerializer $OBJ).Deserialize(...) - pattern: (System.Web.UI.LosFormatter $OBJ).Deserialize(...) languages: - csharp message: | Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Microsoft recommends no longer using the following serialization formats: - BinaryFormatter - SoapFormatter - NetDataContractSerializer - LosFormatter - ObjectStateFormatter Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. Additionally, when deserializing, never deserialize to base object types like `Object` and only cast to the exact object type that is expected. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. For more information see Microsoft's deserialization security guide: https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide For more details on deserialization attacks in general, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html It should be noted that [tools exist](https://github.com/pwntester/ysoserial.net) to automatically create exploit code for these vulnerabilities. metadata: shortDescription: Deserialization of potentially untrusted data category: security cwe: CWE-502 primary_identifier: security_code_scan.SCS0028-1 secondary_identifiers: - name: SCS0028 type: security_code_scan_rule_id value: SCS0028 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.security_code_scan.SCS0028-1 shortlink: https://sg.run/BqeA semgrep.dev: rule: r_id: 31451 rv_id: 835746 rule_id: gxUrkX version_id: xyTNrPd url: https://semgrep.dev/playground/r/xyTNrPd/gitlab.security_code_scan.SCS0028-1 origin: community severity: WARNING - id: php.lang.security.tainted-exec.tainted-exec mode: taint pattern-sources: - pattern: $_REQUEST - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE pattern-sinks: - pattern: exec(...) - pattern: system(...) - pattern: popen(...) - pattern: passthru(...) - pattern: shell_exec(...) - pattern: pcntl_exec(...) - pattern: proc_open(...) pattern-sanitizers: - pattern: escapeshellarg(...) message: Executing non-constant commands. This can lead to command injection. You should use `escapeshellarg()` when using command. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' references: - https://www.stackhawk.com/blog/php-command-injection/ - https://brightsec.com/blog/code-injection-php/ - https://www.acunetix.com/websitesecurity/php-security-2/ category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec shortlink: https://sg.run/JAkP semgrep.dev: rule: r_id: 73146 rv_id: 1263300 rule_id: 9AUw06 version_id: BjTkZ4y url: https://semgrep.dev/playground/r/BjTkZ4y/php.lang.security.tainted-exec.tainted-exec origin: community languages: - php severity: ERROR - id: csharp.dotnet.security.audit.ldap-injection.ldap-injection message: LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution. severity: ERROR metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection/ - https://cwe.mitre.org/data/definitions/90 - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - LDAP Injection source: https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection shortlink: https://sg.run/GJ9z semgrep.dev: rule: r_id: 27692 rv_id: 1262612 rule_id: 2ZUv3R version_id: l4TJR8G url: https://semgrep.dev/playground/r/l4TJR8G/csharp.dotnet.security.audit.ldap-injection.ldap-injection origin: community languages: - csharp mode: taint options: taint_unify_mvars: true pattern-sources: - patterns: - focus-metavariable: $INPUT - pattern-inside: $T $M(...,$INPUT,...) {...} pattern-sinks: - patterns: - pattern-either: - pattern: $S.Filter = ... + $INPUT + ... - pattern: $S.Filter = String.Format(...,$INPUT) - pattern: $S.Filter = String.Concat(...,$INPUT) pattern-sanitizers: - pattern-either: - pattern: Regex.Replace($INPUT, ...) - pattern: $ENCODER.LdapFilterEncode($INPUT) - pattern: $ENCODER.LdapDistinguishedNameEncode($INPUT) - id: c.lang.security.use-after-free.use-after-free patterns: - pattern-either: - pattern: $VAR->$ACCESSOR - pattern: (*$VAR).$ACCESSOR - pattern: $VAR[$NUM] - pattern-inside: free($VAR); ... - pattern-not-inside: $VAR = NULL; ... - pattern-not-inside: free($VAR); ... $VAR = malloc(...); ... message: Variable '$VAR' was used after being freed. This can lead to undefined behavior. metadata: cwe: - 'CWE-416: Use After Free' references: - https://cwe.mitre.org/data/definitions/416.html - https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/ category: security technology: - c confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/c.lang.security.use-after-free.use-after-free shortlink: https://sg.run/gL6e semgrep.dev: rule: r_id: 8841 rv_id: 945178 rule_id: KxUb9l version_id: 1QToKPy url: https://semgrep.dev/playground/r/1QToKPy/c.lang.security.use-after-free.use-after-free origin: community languages: - c severity: WARNING - id: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos severity: WARNING languages: - C# metadata: cwe: - 'CWE-1333: Inefficient Regular Expression Complexity' owasp: A01:2017 - Injection references: - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS - https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples category: security technology: - .net confidence: MEDIUM subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos shortlink: https://sg.run/RPyY semgrep.dev: rule: r_id: 12005 rv_id: 945225 rule_id: 4bU2gd version_id: rxT6rjl url: https://semgrep.dev/playground/r/rxT6rjl/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos origin: community message: When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack patterns: - pattern-inside: | using System.Text.RegularExpressions; ... - pattern-either: - pattern: | public $T $F($X) { Regex $Y = new Regex($P); ... $Y.Match($X); } - pattern: | public $T $F($X) { Regex $Y = new Regex($P, $O); ... $Y.Match($X); } - pattern: | public $T $F($X) { ... Regex.Match($X, $P); } - pattern: | public $T $F($X) { ... Regex.Match($X, $P, $O); } - id: generic.secrets.gitleaks.private-key.private-key message: A gitleaks private-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.private-key.private-key shortlink: https://sg.run/Op1n semgrep.dev: rule: r_id: 44775 rv_id: 1262806 rule_id: v8UK5w version_id: RGT0Lko url: https://semgrep.dev/playground/r/RGT0Lko/generic.secrets.gitleaks.private-key.private-key origin: community patterns: - pattern-regex: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?---- - id: generic.secrets.gitleaks.pulumi-api-token.pulumi-api-token message: A gitleaks pulumi-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.pulumi-api-token.pulumi-api-token shortlink: https://sg.run/ez4y semgrep.dev: rule: r_id: 44776 rv_id: 1262807 rule_id: d8UOzo version_id: A8Tgd5Q url: https://semgrep.dev/playground/r/A8Tgd5Q/generic.secrets.gitleaks.pulumi-api-token.pulumi-api-token origin: community patterns: - pattern-regex: (?i)\b(pul-[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js message: Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://golang.org/pkg/html/template/#JS category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js shortlink: https://sg.run/eLNl semgrep.dev: rule: r_id: 9132 rv_id: 1262946 rule_id: 3qUP8K version_id: 44TEj9E url: https://semgrep.dev/playground/r/44TEj9E/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js origin: community languages: - go severity: WARNING pattern-either: - pattern: template.JS($T + $X, ...) - pattern: template.JS(fmt.$P("...", ...), ...) - pattern: | $T = "..." ... $T = $FXN(..., $T, ...) ... template.JS($T, ...) - pattern: | $T = fmt.$P("...", ...) ... template.JS($T, ...) - pattern: | $T, $ERR = fmt.$P("...", ...) ... template.JS($T, ...) - pattern: | $T = $X + $Y ... template.JS($T, ...) - pattern: | $T = "..." ... $OTHER, $ERR = fmt.$P(..., $T, ...) ... template.JS($OTHER, ...) - id: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt confidence: HIGH references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg shortlink: https://sg.run/Av14 semgrep.dev: rule: r_id: 9150 rv_id: 1262981 rule_id: zdUkzR version_id: ZRTKADq url: https://semgrep.dev/playground/r/ZRTKADq/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg origin: community languages: - java severity: ERROR pattern-either: - pattern: | $JWT.sign(com.auth0.jwt.algorithms.Algorithm.none()); - pattern: | $NONE = com.auth0.jwt.algorithms.Algorithm.none(); ... $JWT.sign($NONE); - pattern: |- class $CLASS { ... $TYPE $NONE = com.auth0.jwt.algorithms.Algorithm.none(); ... $RETURNTYPE $FUNC (...) { ... $JWT.sign($NONE); ... } ... } - id: java.jax-rs.security.insecure-resteasy.insecure-resteasy-deserialization message: When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-502: Deserialization of Untrusted Data' cwe2021-top25: true cwe2022-top25: true owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://access.redhat.com/blogs/766093/posts/3162112 subcategory: - audit technology: - jax-rs license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.jax-rs.security.insecure-resteasy.insecure-resteasy-deserialization shortlink: https://sg.run/XLBN semgrep.dev: rule: r_id: 9864 rv_id: 1262982 rule_id: yyUvnA version_id: nWT2LQr url: https://semgrep.dev/playground/r/nWT2LQr/java.jax-rs.security.insecure-resteasy.insecure-resteasy-deserialization origin: community languages: - java pattern-either: - pattern: | @Consumes({"application/x-java-serialized-object"}) - pattern: | @Consumes({"*/*"}) - pattern: | @Consumes("*/*") - pattern: | @Consumes({MediaType.WILDCARD_TYPE}) - id: javascript.lang.best-practice.leftover_debugging.javascript-alert message: found alert() call; should this be in production code? languages: - javascript - typescript severity: WARNING pattern-either: - pattern: alert() - pattern: alert($X) metadata: category: best-practice technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.leftover_debugging.javascript-alert shortlink: https://sg.run/Ro1N semgrep.dev: rule: r_id: 9305 rv_id: 945856 rule_id: YGURbz version_id: A8TJzPw url: https://semgrep.dev/playground/r/A8TJzPw/javascript.lang.best-practice.leftover_debugging.javascript-alert origin: community - id: javascript.lang.best-practice.leftover_debugging.javascript-debugger pattern: debugger; message: found debugger call; should this be in production code? languages: - javascript - typescript severity: WARNING metadata: category: best-practice technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.leftover_debugging.javascript-debugger shortlink: https://sg.run/AvRB semgrep.dev: rule: r_id: 9306 rv_id: 945857 rule_id: 6JUjXk version_id: BjT1Nj3 url: https://semgrep.dev/playground/r/BjT1Nj3/javascript.lang.best-practice.leftover_debugging.javascript-debugger origin: community - id: javascript.lang.best-practice.leftover_debugging.javascript-confirm pattern: confirm(...) message: found confirm() call; should this be in production code? languages: - javascript - typescript severity: WARNING metadata: category: best-practice technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.leftover_debugging.javascript-confirm shortlink: https://sg.run/BkAR semgrep.dev: rule: r_id: 9307 rv_id: 945858 rule_id: oqUe1G version_id: DkTNpo0 url: https://semgrep.dev/playground/r/DkTNpo0/javascript.lang.best-practice.leftover_debugging.javascript-confirm origin: community - id: javascript.lang.best-practice.leftover_debugging.javascript-prompt message: found prompt() call; should this be in production code? languages: - javascript - typescript severity: WARNING pattern-either: - pattern: prompt() - pattern: prompt($X) - pattern: prompt($X, $Y) metadata: category: best-practice technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.best-practice.leftover_debugging.javascript-prompt shortlink: https://sg.run/DoDG semgrep.dev: rule: r_id: 9308 rv_id: 945859 rule_id: zdUk3g version_id: WrTEo5n url: https://semgrep.dev/playground/r/WrTEo5n/javascript.lang.best-practice.leftover_debugging.javascript-prompt origin: community - id: javascript.lang.best-practice.zlib-async-loop.zlib-async-loop patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-inside: | do { ... } while (...) - pattern-inside: | $SMTH.forEach(...) - pattern-inside: | $SMTH.map(...) - pattern-inside: | $SMTH.reduce(...) - pattern-inside: | $SMTH.reduceRight(...) - pattern: zlib.$METHOD(...); - metavariable-regex: metavariable: $METHOD regex: ^.+$(?; message: '`$X` is assigned twice; the first assignment is useless' languages: - javascript - typescript severity: INFO metadata: category: correctness technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.correctness.useless-assign.useless-assignment shortlink: https://sg.run/0Q9w semgrep.dev: rule: r_id: 9310 rv_id: 945864 rule_id: 2ZUbOo version_id: YDTvRG3 url: https://semgrep.dev/playground/r/YDTvRG3/javascript.lang.correctness.useless-assign.useless-assignment origin: community - id: javascript.lang.correctness.useless-eqeq.eqeq-is-bad patterns: - pattern-not-inside: assert(...) - pattern-either: - pattern: $X == $X - pattern: $X != $X - pattern-not: 1 == 1 message: Detected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex. languages: - javascript - typescript severity: INFO metadata: category: correctness technology: - javascript license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.lang.correctness.useless-eqeq.eqeq-is-bad shortlink: https://sg.run/Kl6n semgrep.dev: rule: r_id: 9311 rv_id: 945865 rule_id: X5U8Kj version_id: JdTDywq url: https://semgrep.dev/playground/r/JdTDywq/javascript.lang.correctness.useless-eqeq.eqeq-is-bad origin: community - id: javascript.lang.security.audit.code-string-concat.code-string-concat message: Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible. options: interfile: true metadata: interfile: true confidence: HIGH owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' references: - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval - https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback - https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/ - https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html category: security technology: - node.js - Express - Next.js subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat shortlink: https://sg.run/96Yk semgrep.dev: rule: r_id: 13023 rv_id: 1263192 rule_id: DbUKEz version_id: 44TEjYX url: https://semgrep.dev/playground/r/44TEjYX/javascript.lang.security.audit.code-string-concat.code-string-concat origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - pattern-either: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | import { ...,$IMPORT,... } from 'next/router' ... - pattern-inside: | import $IMPORT from 'next/router'; ... - pattern-either: - patterns: - pattern-inside: | $ROUTER = $IMPORT() ... - pattern-either: - pattern-inside: | const { ...,$PROPS,... } = $ROUTER.query ... - pattern-inside: | var { ...,$PROPS,... } = $ROUTER.query ... - pattern-inside: | let { ...,$PROPS,... } = $ROUTER.query ... - focus-metavariable: $PROPS - patterns: - pattern-inside: | $ROUTER = $IMPORT() ... - pattern: "$ROUTER.query.$VALUE \n" - patterns: - pattern: $IMPORT().query.$VALUE pattern-sinks: - patterns: - pattern: | eval(...) - id: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell message: Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js category: security technology: - javascript references: - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell shortlink: https://sg.run/DJ8v semgrep.dev: rule: r_id: 9852 rv_id: 1263193 rule_id: qNUo10 version_id: PkTR3nY url: https://semgrep.dev/playground/r/PkTR3nY/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: | function ... (...,$FUNC,...) { ... } - focus-metavariable: $FUNC pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('child_process') ... - pattern-inside: | import 'child_process' ... - pattern-either: - pattern: spawn(...) - pattern: spawnSync(...) - pattern: $CP.spawn(...) - pattern: $CP.spawnSync(...) - pattern-either: - pattern: | $EXEC("=~/(sh|bash|ksh|csh|tcsh|zsh)/",["-c", $ARG, ...],...) - patterns: - pattern: $EXEC($CMD,["-c", $ARG, ...],...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" ... - pattern: | $EXEC("=~/(sh|bash|ksh|csh|tcsh|zsh)/",[$ARG, ...],...) - patterns: - pattern: $EXEC($CMD,[$ARG, ...],...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" ... - focus-metavariable: $ARG - id: javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override message: Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later. metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js references: - https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md category: security technology: - javascript owasp: - A01:2021 - Broken Access Control - A05:2017 - Broken Access Control - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override shortlink: https://sg.run/oxoX semgrep.dev: rule: r_id: 9316 rv_id: 1263216 rule_id: r6UrvQ version_id: K3TKkPO url: https://semgrep.dev/playground/r/K3TKkPO/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override origin: community languages: - javascript - typescript severity: WARNING pattern: | express.csrf(); ... express.methodOverride(); - id: javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes message: Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers. metadata: cwe: - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js asvs: section: 'V6: Stored Cryptography Verification Requirements' control_id: 6.3.1 Insecure Randomness control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values version: '4' category: security technology: - javascript subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes shortlink: https://sg.run/pxze semgrep.dev: rule: r_id: 9318 rv_id: 1263217 rule_id: NbUkR2 version_id: qkTR799 url: https://semgrep.dev/playground/r/qkTR799/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes origin: community languages: - javascript - typescript severity: WARNING pattern: crypto.pseudoRandomBytes - id: python.lang.compatibility.python37.python37-compatibility-os1 pattern: os.preadv(...) message: os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread(). languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1 shortlink: https://sg.run/PJWW semgrep.dev: rule: r_id: 9589 rv_id: 946279 rule_id: DbUpQQ version_id: qkT4jnO url: https://semgrep.dev/playground/r/qkT4jnO/python.lang.compatibility.python37.python37-compatibility-os1 origin: community - id: python.lang.security.audit.dangerous-os-exec-audit.dangerous-os-exec-audit message: Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec-audit.dangerous-os-exec-audit shortlink: https://sg.run/KAd7 semgrep.dev: rule: r_id: 27255 rv_id: 1263465 rule_id: 3qU4pe version_id: YDTZe1r url: https://semgrep.dev/playground/r/YDTZe1r/python.lang.security.audit.dangerous-os-exec-audit.dangerous-os-exec-audit origin: community languages: - python severity: ERROR pattern-either: - patterns: - pattern-not: os.$METHOD("...", ...) - pattern: os.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (execl|execle|execlp|execlpe|execv|execve|execvp|execvpe) - patterns: - pattern-not: os.$METHOD("...", [$PATH,"...","...",...],...) - pattern: os.$METHOD($BASH,[$PATH,"-c",$CMD,...],...) - metavariable-regex: metavariable: $METHOD regex: (execv|execve|execvp|execvpe) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - patterns: - pattern-not: os.$METHOD("...", $PATH, "...", "...",...) - pattern: os.$METHOD($BASH, $PATH, "-c", $CMD,...) - metavariable-regex: metavariable: $METHOD regex: (execl|execle|execlp|execlpe) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - id: python.lang.security.audit.mako-templates-detected.mako-templates-detected pattern: mako.template.Template(...) message: Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py references: - https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping - https://jinja.palletsprojects.com/en/2.11.x/intro/# category: security technology: - mako cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected shortlink: https://sg.run/Q5v4 semgrep.dev: rule: r_id: 9642 rv_id: 1263502 rule_id: GdU79Z version_id: BjTkZgY url: https://semgrep.dev/playground/r/BjTkZgY/python.lang.security.audit.mako-templates-detected.mako-templates-detected origin: community languages: - python severity: INFO - id: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' references: - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown category: security technology: - rails cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call shortlink: https://sg.run/4e8E semgrep.dev: rule: r_id: 13588 rv_id: 1263625 rule_id: KxU72k version_id: o5TbDq8 url: https://semgrep.dev/playground/r/o5TbDq8/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call origin: community message: Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to. languages: - ruby severity: ERROR mode: taint pattern-sources: - pattern-either: - pattern: params[...] - pattern: cookies - pattern: request.env pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: Kernel.$X(...) - patterns: - pattern-either: - pattern: Shell.$X(...) - patterns: - pattern-inside: | $SHELL = Shell.$ANY(...) ... $SHELL.$X(...) - pattern: $SHELL.$X(...) - metavariable-pattern: metavariable: $X patterns: - pattern-either: - pattern: cat - pattern: chdir - pattern: chroot - pattern: delete - pattern: entries - pattern: exec - pattern: foreach - pattern: glob - pattern: install - pattern: lchmod - pattern: lchown - pattern: link - pattern: load - pattern: load_file - pattern: makedirs - pattern: move - pattern: new - pattern: open - pattern: read - pattern: readlines - pattern: rename - pattern: rmdir - pattern: safe_unlink - pattern: symlink - pattern: syscopy - pattern: sysopen - pattern: system - pattern: truncate - pattern: unlink - id: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include mode: taint pattern-sources: - patterns: - pattern: params[...] pattern-sinks: - patterns: - pattern-either: - pattern: | render ..., file: $X - pattern: | render ..., inline: $X - pattern: | render ..., template: $X - pattern: | render ..., action: $X - pattern: | render $X, ... - focus-metavariable: $X pattern-sanitizers: - patterns: - pattern: $MAP[...] - metavariable-pattern: metavariable: $MAP patterns: - pattern-not-regex: params - pattern: File.basename(...) message: Found request parameters in a call to `render`. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. Where possible, avoid letting users specify template paths for `render`. If you must allow user input, use an allow-list of known templates or normalize the user-supplied value with `File.basename(...)`. languages: - ruby severity: WARNING metadata: technology: - ruby - rails category: security cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb references: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion - https://github.com/presidentbeef/brakeman/blob/f74cb53/test/apps/rails2/app/controllers/home_controller.rb#L48-L60 cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM vulnerability_class: - Path Traversal license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include shortlink: https://sg.run/Jw8Z semgrep.dev: rule: r_id: 20046 rv_id: 1409407 rule_id: ReU2pZ version_id: K3TgANN url: https://semgrep.dev/playground/r/K3TgANN/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include origin: community - id: terraform.gcp.security.gcp-pubsub-encrypted-with-cmk.gcp-pubsub-encrypted-with-cmk patterns: - pattern: | resource "google_pubsub_topic" $ANYTHING { ... } - pattern-not-inside: | resource "google_pubsub_topic" $ANYTHING { ... kms_key_name = ... ... } message: Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-pubsub-encrypted-with-cmk.gcp-pubsub-encrypted-with-cmk shortlink: https://sg.run/544X semgrep.dev: rule: r_id: 33703 rv_id: 946965 rule_id: NbUGGn version_id: GxTP002 url: https://semgrep.dev/playground/r/GxTP002/terraform.gcp.security.gcp-pubsub-encrypted-with-cmk.gcp-pubsub-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers min-version: 1.44.0 severity: WARNING languages: - apex metadata: cwe: - 'CWE-284: Improper Access Control' category: best-practice technology: - salesforce references: - https://cwe.mitre.org/data/definitions/284.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers shortlink: https://sg.run/G5vB semgrep.dev: rule: r_id: 72404 rv_id: 945138 rule_id: PeUy2w version_id: LjTXyPB url: https://semgrep.dev/playground/r/LjTXyPB/apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers origin: community message: Global classes, methods, and variables should be avoided (especially in managed packages) as they can never be deleted or changed in signature. Always check twice if something needs to be global. patterns: - pattern-regex: global [A-Za-z0-9_]{3,} - pattern-not-regex: //(\s+([a-zA-Z]+\s+)+)[a-zA-Z]+ - pattern-not-regex: '[*](\s+([a-zA-Z]+\s+)+)[a-zA-Z]+' paths: exclude: - '*Test*' - '*test*' - id: apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls min-version: 1.44.0 severity: WARNING languages: - apex metadata: category: best-practice references: - '' technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls shortlink: https://sg.run/Adqg semgrep.dev: rule: r_id: 72406 rv_id: 945140 rule_id: 5rUzr2 version_id: gETe1J5 url: https://semgrep.dev/playground/r/gETe1J5/apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls origin: community message: Using absolute URLs to Salesforce Pages is bug prone. Different sandboxes and production environments will have different instance names (like "na10", "na15" etc.). Code using absolute URLs will only work when it runs in the corresponding salesforce instances. It will break as soon as it is deployed in another one. Thus only relative URLs, i.e. without the domain and subdomain names, should be used when pointing to a salesforce page. pattern-regex: (http|https)://.*(salesforce|force|visualforce)\.com\.* paths: exclude: - '*Test*' - '*test*' - id: apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops min-version: 1.44.0 severity: ERROR languages: - generic metadata: category: performance references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops shortlink: https://sg.run/BZlb semgrep.dev: rule: r_id: 72407 rv_id: 945141 rule_id: GdURYn version_id: QkTZznB url: https://semgrep.dev/playground/r/QkTZznB/apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops origin: community message: Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch up the data into a list and invoke your DML once on that list of data outside the loop. patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-inside: | do { ... } while (...); - pattern-either: - pattern: | insert $DATA; - pattern: | update $DATA; - pattern: | upsert $DATA; - pattern: | delete $DATA; - pattern: | Database.insert($DATA); - pattern: | Database.update($DATA); - pattern: | Database.upsert($DATA); - pattern: | Database.delete($DATA); - id: apex.lang.performance.ncino.operationsinloops.avoidsoqlinloops.avoid-soql-in-loops min-version: 1.44.0 severity: ERROR languages: - generic metadata: category: performance references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidsoqlinloops.avoid-soql-in-loops shortlink: https://sg.run/W24y semgrep.dev: rule: r_id: 72409 rv_id: 945143 rule_id: AbU208 version_id: 44TZkgK url: https://semgrep.dev/playground/r/44TZkgK/apex.lang.performance.ncino.operationsinloops.avoidsoqlinloops.avoid-soql-in-loops origin: community message: Database class methods, DML operations, SOQL queries, SOSL queries, Approval class methods, Email sending, async scheduling or queueing within loops can cause governor limit exceptions. Instead, try to batch up the data into a list and invoke the operation once on that list of data outside the loop. patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-inside: | do { ... } while (...); - pattern: | $OBJECTS = [...SELECT...FROM...]; - id: generic.secrets.security.detected-artifactory-password.detected-artifactory-password patterns: - pattern-regex: (?\bAP[\dABCDEF][a-zA-Z0-9]{8,}) - pattern-regex: .*(?i)arti[-_]?factory.* - pattern-not-regex: .*(?i)sha(1|2|3|118|256|512).* - pattern-not-regex: (?i)-----\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\s\S]*?-----\s*?END[ A-Z0-9_-]*?\s*?----- - metavariable-analysis: analyzer: entropy metavariable: $ITEM - pattern-not-regex: (\w|\.|\*)\1{4} languages: - regex paths: exclude: - '*.svg' - '*go.sum' - '*package.json' - '*cargo.lock' - '*package-lock.json' - '*bundle.js' - '*pnpm-lock*' - '*Podfile.lock' - '**/*/openssl/*.h' - '*.xcscmblueprint' message: Artifactory token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py category: security technology: - secrets - artifactory confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password shortlink: https://sg.run/J9KZ semgrep.dev: rule: r_id: 9046 rv_id: 1262857 rule_id: YGUR5K version_id: qkTR7BB url: https://semgrep.dev/playground/r/qkTR7BB/generic.secrets.security.detected-artifactory-password.detected-artifactory-password origin: community - id: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute languages: - generic severity: INFO message: Visualforce Pages must have the cspHeader attribute set to true. This attribute is available in API version 55 or higher. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5 category: security subcategory: - vuln technology: - salesforce - visualforce cwe2022-top25: true cwe2021-top25: true likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute shortlink: https://sg.run/yoj8 semgrep.dev: rule: r_id: 72424 rv_id: 1262907 rule_id: DbUj7d version_id: RGT0L0r url: https://semgrep.dev/playground/r/RGT0L0r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute origin: community patterns: - pattern: ... - pattern-not: ... - pattern-not: ...... - pattern-not: ...... paths: include: - '*.page' - id: javascript.aws-lambda.security.tainted-html-string.tainted-html-string message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string shortlink: https://sg.run/Lgqr semgrep.dev: rule: r_id: 18483 rv_id: 1263112 rule_id: PeUxwW version_id: DkTRbvp url: https://semgrep.dev/playground/r/DkTRbvp/javascript.aws-lambda.security.tainted-html-string.tainted-html-string origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: | "$HTMLSTR" + $EXPR - pattern: | "$HTMLSTR".concat(...) - pattern: $UTIL.format($HTMLSTR, ...) - pattern: format($HTMLSTR, ...) - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - patterns: - pattern: | `...${...}...` - pattern-regex: | .*<\w+.* - pattern-not-inside: | console.$LOG(...) - id: javascript.express.security.audit.res-render-injection.res-render-injection message: User controllable data `$REQ` enters `$RES.render(...)` this can lead to the loading of other HTML/templating pages that they may not be authorized to render. An attacker may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application. options: interfile: true metadata: interfile: true owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' category: security technology: - express references: - http://expressjs.com/en/4x/api.html#res.render subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/javascript.express.security.audit.res-render-injection.res-render-injection shortlink: https://sg.run/eLjd semgrep.dev: rule: r_id: 9276 rv_id: 1263149 rule_id: QrUzrq version_id: PkTR3OY url: https://semgrep.dev/playground/r/PkTR3OY/javascript.express.security.audit.res-render-injection.res-render-injection origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern: $RES.render($SINK, ...) - focus-metavariable: $SINK - id: kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE category: security technology: - kt references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag shortlink: https://sg.run/zv7n semgrep.dev: rule: r_id: 9361 rv_id: 1263261 rule_id: bwUw3j version_id: qkTR7r9 url: https://semgrep.dev/playground/r/qkTR7r9/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag origin: community message: A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);' severity: WARNING languages: - kt patterns: - pattern-not-inside: | $COOKIE.setValue("") ... - pattern-either: - pattern: $COOKIE.setSecure(false) - patterns: - pattern-not-inside: | $COOKIE.setSecure(...) ... - pattern: $RESPONSE.addCookie($COOKIE) - id: problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request message: Checks for attempts to connect to an insecure telnet server using the package telnet. This is bad because it can lead to man in the middle attacks. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://godoc.org/github.com/reiver/go-telnet subcategory: - vuln technology: - go-telnet vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request shortlink: https://sg.run/Do4P semgrep.dev: rule: r_id: 9408 rv_id: 946051 rule_id: oqUewD version_id: 3ZTOPnj url: https://semgrep.dev/playground/r/3ZTOPnj/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request origin: community languages: - go pattern: | telnet.DialToAndCall(...) - id: python.aws-lambda.security.tainted-html-response.tainted-html-response mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - pattern: $BODY - pattern-inside: | {..., "headers": {..., "Content-Type": "text/html", ...}, "body": $BODY, ... } message: Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - aws-lambda references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response shortlink: https://sg.run/k9vP semgrep.dev: rule: r_id: 18272 rv_id: 1263343 rule_id: ReUKrk version_id: ExTEx5o url: https://semgrep.dev/playground/r/ExTEx5o/python.aws-lambda.security.tainted-html-response.tainted-html-response origin: community languages: - python severity: WARNING - id: python.aws-lambda.security.tainted-html-string.tainted-html-string languages: - python severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - aws-lambda references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string shortlink: https://sg.run/8zNy semgrep.dev: rule: r_id: 18484 rv_id: 1263344 rule_id: JDUlwy version_id: 7ZTE36K url: https://semgrep.dev/playground/r/7ZTE36K/python.aws-lambda.security.tainted-html-string.tainted-html-string origin: community mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: '"$HTMLSTR" % ...' - pattern: '"$HTMLSTR".format(...)' - pattern: '"$HTMLSTR" + ...' - pattern: f"$HTMLSTR{...}..." - patterns: - pattern-inside: | $HTML = "$HTMLSTR" ... - pattern-either: - pattern: $HTML % ... - pattern: $HTML.format(...) - pattern: $HTML + ... - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - pattern-not-inside: | print(...) - id: python.bokeh.maintainability.deprecated.deprecated_apis.bokeh-deprecated-apis message: These APIs are deprecated in Bokeh see https://docs.bokeh.org/en/latest/docs/releases.html#api-deprecations languages: - python severity: WARNING pattern-either: - pattern: | import bokeh.layouts.widgetbox - pattern: | import bokeh.models.graphs.from_networkx metadata: category: maintainability technology: - bokeh license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.bokeh.maintainability.deprecated.deprecated_apis.bokeh-deprecated-apis shortlink: https://sg.run/7ok2 semgrep.dev: rule: r_id: 9438 rv_id: 946099 rule_id: JDUyW4 version_id: d6TPjXP url: https://semgrep.dev/playground/r/d6TPjXP/python.bokeh.maintainability.deprecated.deprecated_apis.bokeh-deprecated-apis origin: community - id: python.click.best-practice.echo-style.use-click-secho pattern: click.echo(click.style($X, ...)) message: Use `click.secho($X)` instead. It combines click.echo() and click.style(). languages: - python severity: ERROR metadata: category: best-practice technology: - click license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.click.best-practice.echo-style.use-click-secho shortlink: https://sg.run/8ywN semgrep.dev: rule: r_id: 9440 rv_id: 946101 rule_id: GdU7AO version_id: nWTpzXo url: https://semgrep.dev/playground/r/nWTpzXo/python.click.best-practice.echo-style.use-click-secho origin: community - id: python.correctness.socket-shutdown-close.socket-shutdown-close patterns: - pattern: | $SOCK.shutdown(socket.$A) $SOCK.close() - pattern-not-inside: | try: ... except ...: ... $SOCK.close() - pattern-not-inside: | try: ... finally: ... $SOCK.close() message: Socket is not closed if shutdown fails. When socket.shutdown fails on an OSError, socket.close is not called and the code fails to clean up the socket and allow garbage collection to release the memory used for it. The OSError on shutdown can occur when the remote side of the connection closes the connection first. metadata: references: - https://www.paulsprogrammingnotes.com/2021/12/python-memory-leaks.html category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.correctness.socket-shutdown-close.socket-shutdown-close shortlink: https://sg.run/Bel5 semgrep.dev: rule: r_id: 20151 rv_id: 946103 rule_id: WAUYGr version_id: 7ZTrQ0B url: https://semgrep.dev/playground/r/7ZTrQ0B/python.correctness.socket-shutdown-close.socket-shutdown-close origin: community languages: - python severity: WARNING - id: python.correctness.suppressed-exception-handling-finally-break.suppressed-exception-handling-finally-break patterns: - pattern-either: - pattern: | try: ... except $EXCEPTION: ... finally: ... break - pattern: | try: ... except $EXCEPTION: ... finally: ... continue - pattern: | try: ... except $EXCEPTION: ... finally: ... return ... - pattern: | try: ... return ... finally: ... return ... message: Having a `break`, `continue`, or `return` in a `finally` block will cause strange behaviors, like exceptions not being caught. metadata: references: - https://docs.python.org/3/reference/compound_stmts.html#the-try-statement - https://www.python.org/dev/peps/pep-0601/#rejection-note category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.correctness.suppressed-exception-handling-finally-break.suppressed-exception-handling-finally-break shortlink: https://sg.run/xXvL semgrep.dev: rule: r_id: 18274 rv_id: 946104 rule_id: BYUe8k version_id: LjTXyZR url: https://semgrep.dev/playground/r/LjTXyZR/python.correctness.suppressed-exception-handling-finally-break.suppressed-exception-handling-finally-break origin: community languages: - python severity: WARNING - id: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql message: User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql shortlink: https://sg.run/Kl4X semgrep.dev: rule: r_id: 9511 rv_id: 1263403 rule_id: pKUOBp version_id: WrTqK2L url: https://semgrep.dev/playground/r/WrTqK2L/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W.get(...), ...) - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W.get(...)}...", ...) - pattern: django.db.models.expressions.RawSQL(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W.get(...), ...) - pattern: return django.db.models.expressions.RawSQL(..., request.$W.get(...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W(...), ...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W(...), ...) - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W(...)}...", ...) - pattern: django.db.models.expressions.RawSQL(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W(...), ...) - pattern: return django.db.models.expressions.RawSQL(..., request.$W(...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W[...], ...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W[...], ...) - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W[...]}...", ...) - pattern: django.db.models.expressions.RawSQL(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W[...], ...) - pattern: return django.db.models.expressions.RawSQL(..., request.$W[...], ...) - pattern: django.db.models.expressions.RawSQL(..., $S.format(..., request.$W, ...), ...) - pattern: django.db.models.expressions.RawSQL(..., $S % request.$W, ...) - pattern: django.db.models.expressions.RawSQL(..., f"...{request.$W}...", ...) - pattern: django.db.models.expressions.RawSQL(..., request.$W, ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.db.models.expressions.RawSQL(..., $INTERM, ...) - pattern: $A = django.db.models.expressions.RawSQL(..., request.$W, ...) - pattern: return django.db.models.expressions.RawSQL(..., request.$W, ...) - pattern: | $DATA = request.$W.get(...) ... django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... django.db.models.expressions.RawSQL($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % (..., $DATA, ...) ... django.db.models.expressions.RawSQL($INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % (..., $DATA, ...) ... django.db.models.expressions.RawSQL($INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % (..., $DATA, ...) ... django.db.models.expressions.RawSQL($INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % (..., $DATA, ...) ... django.db.models.expressions.RawSQL($INTERM, ...) - id: python.pymongo.security.mongodb.mongo-client-bad-auth pattern: | pymongo.MongoClient(..., authMechanism='MONGODB-CR') message: Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details). fix-regex: regex: MONGODB-CR replacement: SCRAM-SHA-256 severity: WARNING languages: - python metadata: cwe: - 'CWE-477: Use of Obsolete Function' category: security technology: - pymongo references: - https://cwe.mitre.org/data/definitions/477.html subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth shortlink: https://sg.run/YXRd semgrep.dev: rule: r_id: 12658 rv_id: 946422 rule_id: d8UlOX version_id: 0bT15XY url: https://semgrep.dev/playground/r/0bT15XY/python.pymongo.security.mongodb.mongo-client-bad-auth origin: community - id: solidity.performance.use-nested-if.use-nested-if message: Using nested is cheaper than using && multiple check combinations. There are more advantages, such as easier to read code and better coverage reports. metadata: references: - https://code4rena.com/reports/2023-01-biconomy#g-18-use-nested-if-and-avoid-multiple-check-combinations category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-nested-if.use-nested-if shortlink: https://sg.run/dXw0 semgrep.dev: rule: r_id: 67634 rv_id: 946595 rule_id: 10ULje version_id: rxT6rxB url: https://semgrep.dev/playground/r/rxT6rxB/solidity.performance.use-nested-if.use-nested-if origin: community patterns: - pattern: | if (<... $X && $Y ...>) { ... } languages: - solidity severity: INFO - id: typescript.lang.best-practice.moment-deprecated.moment-deprecated pattern: | import 'moment' message: Moment is a legacy project in maintenance mode. Consider using libraries that are actively supported, e.g. `dayjs`. languages: - typescript - javascript severity: INFO metadata: category: best-practice technology: - moment - dayjs references: - https://momentjs.com/docs/#/-project-status/ - https://day.js.org/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.lang.best-practice.moment-deprecated.moment-deprecated shortlink: https://sg.run/lWej semgrep.dev: rule: r_id: 20157 rv_id: 947007 rule_id: 6JUyWq version_id: vdTG5jq url: https://semgrep.dev/playground/r/vdTG5jq/typescript.lang.best-practice.moment-deprecated.moment-deprecated origin: community - id: typescript.lang.correctness.useless-ternary.useless-ternary pattern: | $CONDITION ? $ANS : $ANS message: It looks like no matter how $CONDITION is evaluated, this expression returns $ANS. This is probably a copy-paste error. languages: - typescript - javascript metadata: category: correctness technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.lang.correctness.useless-ternary.useless-ternary shortlink: https://sg.run/9rN0 semgrep.dev: rule: r_id: 15367 rv_id: 947008 rule_id: oqU4nZ version_id: d6TPzlB url: https://semgrep.dev/playground/r/d6TPzlB/typescript.lang.correctness.useless-ternary.useless-ternary origin: community severity: ERROR - id: gitlab.find_sec_bugs.MALICIOUS_XSLT-1 languages: - java mode: taint pattern-sources: - patterns: - pattern-either: - patterns: - pattern-inside: | $FUNC(...,String $VAR, ...) { ... } - pattern-either: - pattern: new FileInputStream(<... $VAR ...>); - pattern: getClass().getResourceAsStream(<... $VAR ...>) - patterns: - pattern-inside: | class $CLZ { String $X = "..."; ... } - pattern-inside: | $FUNC(...,String $Y, ...) { ... } - pattern-either: - pattern: new FileInputStream($X + $Y); - pattern: getClass().getResourceAsStream($X + $Y) pattern-sinks: - patterns: - pattern-either: - pattern-inside: (javax.xml.transform.TransformerFactory $T).newTransformer($SRC, ...) - pattern-inside: (javax.xml.transform.Transformer $T).transform($SRC, ...) - pattern: $SRC message: | The application performs XSLT translation with potentially malicious input. An adversary who is able to influence the loaded XSL document could call XSL functions or exploit External XML Entity (XXE) attacks that allow file retrieval or force the parser to connect to arbitrary servers to exfiltrate files. It is strongly recommended that an alternative approach is used to work with XML data. For increased security, never process user-supplied XSL style sheets. If XSLT processing is absolutely necessary, ensure that `FEATURE_SECURE_PROCESSING` is enabled prior to processing the XSLT file: ``` // Create a new TransformerFactory instance TransformerFactory transformerFactory = TransformerFactory.newInstance(); // Enable the FEATURE_SECURE_PROCESSING feature transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // Read in the XML Source Source xmlSource = new StreamSource(new FileInputStream("hardcoded.xml")); // Read in the XSL template file Source xslSource = new StreamSource(new FileInputStream("hardcoded.xsl")); /// Create the transformer object to do the transformation Transformer transformer = transformerFactory.newTransformer(xslSource); // Create a Result object for output Result result = new StreamResult(System.out); // Execute the transformation process transformer.transform(xmlSource, result); ``` For more information on XML security see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java For more information on the secure processing feature see: - https://xml.apache.org/xalan-j/features.html#secureprocessing metadata: shortDescription: Improper neutralization of special elements in output used by a downstream component ('Injection') category: security cwe: CWE-74 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium primary_identifier: find_sec_bugs.MALICIOUS_XSLT-1 secondary_identifiers: - name: Find Security Bugs-MALICIOUS_XSLT type: find_sec_bugs_type value: MALICIOUS_XSLT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.MALICIOUS_XSLT-1 shortlink: https://sg.run/L2KJ semgrep.dev: rule: r_id: 21239 rv_id: 920208 rule_id: x8UdB6 version_id: qkTpwB7 url: https://semgrep.dev/playground/r/qkTpwB7/gitlab.find_sec_bugs.MALICIOUS_XSLT-1 origin: community severity: WARNING - id: typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level patterns: - pattern-inside: | import styled from 'styled-components'; ... - pattern-either: - pattern-inside: | function $FUNC(...) { ... } - pattern-inside: | class $CLASS { ... } - pattern-either: - pattern: | styled.$EL`...`; - pattern: | styled($EL)`...`; message: By declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior. metadata: references: - https://styled-components.com/docs/faqs#why-should-i-avoid-declaring-styled-components-in-the-render-method category: best-practice technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level shortlink: https://sg.run/okq7 semgrep.dev: rule: r_id: 9760 rv_id: 947013 rule_id: j2Uqg5 version_id: LjTX45q url: https://semgrep.dev/playground/r/LjTX45q/typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level origin: community languages: - typescript - javascript severity: WARNING - id: typescript.react.best-practice.react-find-dom.react-find-dom pattern-either: - pattern: | findDOMNode(...) - pattern: | $DOM.findDOMNode(...) message: findDOMNode is an escape hatch used to access the underlying DOM node. In most cases, use of this escape hatch is discouraged because it pierces the component abstraction. metadata: references: - https://react.dev/reference/react-dom/findDOMNode - https://github.com/yannickcr/eslint-plugin-react/issues/678#issue-165177220 category: best-practice technology: - react license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.best-practice.react-find-dom.react-find-dom shortlink: https://sg.run/zkdz semgrep.dev: rule: r_id: 9761 rv_id: 947014 rule_id: 10UZOv version_id: 8KTKEz4 url: https://semgrep.dev/playground/r/8KTKEz4/typescript.react.best-practice.react-find-dom.react-find-dom origin: community languages: - typescript - javascript severity: WARNING - id: yaml.github-actions.semgrep-configuration.semgrep-github-action-push-without-branches.semgrep-github-action-push-without-branches message: The 'branches' field (in the push event configuration) contains no branches. This causes all branches to be scanned and may result in unneccessary duplicate findings across the entire codebase. severity: WARNING languages: - yaml paths: include: - /.github/workflows/semgrep.yml - '*.test.yml' patterns: - pattern-either: - pattern: | on: [..., push, ...] ... - pattern: | on: push ... - pattern: | on: ... push: "" ... ... - pattern: | on: ... push: {} ... ... - patterns: - pattern-inside: | on: ... push: ... ... ... - pattern-either: - pattern: | branches: "" - pattern: | branches: [] metadata: category: correctness technology: - github-action license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.github-actions.semgrep-configuration.semgrep-github-action-push-without-branches.semgrep-github-action-push-without-branches shortlink: https://sg.run/GOBn semgrep.dev: rule: r_id: 14648 rv_id: 1039235 rule_id: GdUrOG version_id: GxT6zE9 url: https://semgrep.dev/playground/r/GxT6zE9/yaml.github-actions.semgrep-configuration.semgrep-github-action-push-without-branches.semgrep-github-action-push-without-branches origin: community - id: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout languages: - yaml message: This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations. metadata: category: security owasp: A01:2017 - Injection cwe: 'CWE-913: Improper Control of Dynamically-Managed Code Resources' likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM subcategory: - vuln references: - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md - https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability technology: - github-actions license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout shortlink: https://sg.run/A0p6 semgrep.dev: rule: r_id: 35494 rv_id: 947046 rule_id: 4bU8E4 version_id: kbTYRwl url: https://semgrep.dev/playground/r/kbTYRwl/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout origin: community patterns: - pattern-inside: | on: ... workflow_run: ... ... ... - pattern-inside: | jobs: ... $JOBNAME: ... steps: ... - pattern: | ... uses: "$ACTION" with: ... ref: $EXPR - metavariable-regex: metavariable: $ACTION regex: actions/checkout@.* - metavariable-pattern: language: generic metavariable: $EXPR patterns: - pattern: ${{ github.event.workflow_run ... }} severity: WARNING - id: yaml.kubernetes.best-practice.no-fractional-cpu-limits.no-fractional-cpu-limits patterns: - pattern-inside: | limits: ... - pattern: | cpu: $CPU_LIMIT - metavariable-regex: metavariable: $CPU_LIMIT regex: \d{0,3}m fix: 'cpu: 1000m' message: When you set a fractional CPU limit on a container, the CPU cycles available will be throttled, even though most nodes can handle processes alternating between using 100% of the CPU. severity: WARNING languages: - yaml metadata: category: best-practice technology: - kubernetes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.kubernetes.best-practice.no-fractional-cpu-limits.no-fractional-cpu-limits shortlink: https://sg.run/WgWZ semgrep.dev: rule: r_id: 10053 rv_id: 947049 rule_id: KxU45P version_id: O9TXG6b url: https://semgrep.dev/playground/r/O9TXG6b/yaml.kubernetes.best-practice.no-fractional-cpu-limits.no-fractional-cpu-limits origin: community - id: yaml.kubernetes.security.hostipc-pod.hostipc-pod patterns: - pattern-inside: | spec: ... - pattern: | hostIPC: true message: Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality. metadata: cwe: - 'CWE-693: Protection Mechanism Failure' references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces category: security technology: - kubernetes subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod shortlink: https://sg.run/nqGO semgrep.dev: rule: r_id: 10236 rv_id: 947055 rule_id: nJUYPE version_id: ExTg4KB url: https://semgrep.dev/playground/r/ExTg4KB/yaml.kubernetes.security.hostipc-pod.hostipc-pod origin: community languages: - yaml severity: WARNING - id: c.lang.correctness.incorrect-use-ato-fn.incorrect-use-ato-fn pattern-either: - pattern: atoi(...) - pattern: atol(...) - pattern: atoll(...) message: Avoid the 'ato*()' family of functions. Their use can lead to undefined behavior, integer overflows, and lack of appropriate error handling. Instead prefer the 'strtol*()' family of functions. metadata: references: - https://stackoverflow.com/q/38393162 - https://stackoverflow.com/q/14176123 category: correctness technology: - c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/c.lang.correctness.incorrect-use-ato-fn.incorrect-use-ato-fn shortlink: https://sg.run/x1N0 semgrep.dev: rule: r_id: 8830 rv_id: 945165 rule_id: 4bUkN4 version_id: WrTEodW url: https://semgrep.dev/playground/r/WrTEodW/c.lang.correctness.incorrect-use-ato-fn.incorrect-use-ato-fn origin: community languages: - c severity: WARNING - id: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn pattern: gets(...) message: Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead. metadata: cwe: - 'CWE-676: Use of Potentially Dangerous Function' references: - https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s category: security technology: - c confidence: MEDIUM subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn shortlink: https://sg.run/dKqX semgrep.dev: rule: r_id: 8834 rv_id: 945170 rule_id: GdU7OE version_id: YDTvRlQ url: https://semgrep.dev/playground/r/YDTvRlQ/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn origin: community languages: - c severity: ERROR - id: c.lang.security.random-fd-exhaustion.random-fd-exhaustion pattern-either: - patterns: - pattern: | $FD = open("/dev/urandom", ...); ... read($FD, ...); - pattern-not: | $FD = open("/dev/urandom", ...); ... $BYTES_READ = read($FD, ...); - patterns: - pattern: | $FD = open("/dev/random", ...); ... read($FD, ...); - pattern-not: | $FD = open("/dev/random", ...); ... $BYTES_READ = read($FD, ...); message: Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function. metadata: cwe: - 'CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling' references: - https://lwn.net/Articles/606141/ category: security technology: - c confidence: MEDIUM subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion shortlink: https://sg.run/8yNj semgrep.dev: rule: r_id: 8840 rv_id: 945177 rule_id: 0oU5k4 version_id: jQTzvry url: https://semgrep.dev/playground/r/jQTzvry/c.lang.security.random-fd-exhaustion.random-fd-exhaustion origin: community languages: - c severity: WARNING - id: clojure.lang.security.command-injection-shell-call.command-injection-shell-call metadata: author: Gabriel Marquet category: security confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' likelihood: MEDIUM impact: HIGH subcategory: - audit technology: - clojure references: - https://clojuredocs.org/clojure.java.shell/sh license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/clojure.lang.security.command-injection-shell-call.command-injection-shell-call shortlink: https://sg.run/Ag4L semgrep.dev: rule: r_id: 52194 rv_id: 1262607 rule_id: ZqUvEe version_id: DkTRb1P url: https://semgrep.dev/playground/r/DkTRb1P/clojure.lang.security.command-injection-shell-call.command-injection-shell-call origin: community patterns: - pattern-either: - pattern-inside: "(ns ...\n...\n(:require \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n" - pattern-inside: "(ns ...\n...\n(:use \n... \n[clojure.java.shell ... [sh]]\n...\n))\n...\n" - pattern-either: - patterns: - pattern: (sh $BASH ...) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - patterns: - pattern: (sh $ARG ...) - pattern-not: (sh "..." ...) languages: - clojure severity: ERROR message: A call to clojure.java.shell has been found, this could lead to an RCE if the inputs are user-controllable. Please ensure their origin is validated and sanitized. - id: csharp.dotnet.security.use_ecb_mode.use_ecb_mode message: Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305. severity: WARNING metadata: likelihood: HIGH impact: MEDIUM confidence: HIGH category: security cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0 - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0 - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0 - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode shortlink: https://sg.run/wj9n semgrep.dev: rule: r_id: 36773 rv_id: 1262623 rule_id: 0oUqWP version_id: yeTxpPw url: https://semgrep.dev/playground/r/yeTxpPw/csharp.dotnet.security.use_ecb_mode.use_ecb_mode origin: community languages: - csharp patterns: - pattern-either: - pattern: ($KEYTYPE $KEY).EncryptEcb(...); - pattern: ($KEYTYPE $KEY).DecryptEcb(...); - pattern: ($KEYTYPE $KEY).Mode = CipherMode.ECB; - metavariable-pattern: metavariable: $KEYTYPE pattern-either: - pattern: SymmetricAlgorithm - pattern: Aes - pattern: Rijndael - pattern: DES - pattern: TripleDES - pattern: RC2 - id: csharp.lang.correctness.regioninfo.regioninfo-interop.correctness-regioninfo-interop patterns: - pattern-either: - pattern: | $WRITER.Write($RI); - pattern: | $WRITER.WriteAsync($RI); - pattern: | $WRITER.WriteLine($RI); - pattern: | $WRITER.WriteLineAsync($RI); - pattern-inside: | RegionInfo $RI = new RegionInfo($REGION); ... using($PIPESTREAM $P = ...){ ... } - metavariable-regex: metavariable: $REGION regex: ^"\w{2}"$ - metavariable-regex: metavariable: $PIPESTREAM regex: (Anonymous|Named)Pipe(Server|Client)Stream message: Potential inter-process write of RegionInfo $RI via $PIPESTREAM $P that was instantiated with a two-character culture code $REGION. Per .NET documentation, if you want to persist a RegionInfo object or communicate it between processes, you should instantiate it by using a full culture name rather than a two-letter ISO region code. languages: - csharp severity: WARNING metadata: references: - https://docs.microsoft.com/en-us/dotnet/api/system.globalization.regioninfo.twoletterisoregionname?view=net-6.0#remarks technology: - .net category: correctness confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/csharp.lang.correctness.regioninfo.regioninfo-interop.correctness-regioninfo-interop shortlink: https://sg.run/2AvL semgrep.dev: rule: r_id: 18219 rv_id: 945202 rule_id: 8GUGnq version_id: JdTDylW url: https://semgrep.dev/playground/r/JdTDylW/csharp.lang.correctness.regioninfo.regioninfo-interop.correctness-regioninfo-interop origin: community - id: csharp.lang.best-practice.structured-logging.structured-logging patterns: - pattern-either: - pattern: $LOG.Debug($"...") - pattern: $LOG.Error($"...") - pattern: $LOG.Fatal($"...") - pattern: $LOG.Information($"...") - pattern: $LOG.Verbose($"...") - pattern: $LOG.Warning($"...") - pattern: $LOG.LogCritical($"...") - pattern: $LOG.LogDebug($"...") - pattern: $LOG.LogError($"...") - pattern: $LOG.LogInformation($"...") - pattern: $LOG.LogTrace($"...") - pattern: $LOG.LogWarning($"...") - pattern: $LOG.Info($"...") - pattern: $LOG.Trace($"...") - pattern: $LOG.Warn($"...") - metavariable-regex: metavariable: $LOG regex: .*(log|LOG|Log) message: String interpolation in log message obscures the distinction between variables and the log message. Use structured logging instead, where the variables are passed as additional arguments and the interpolation is performed by the logging library. This reduces the possibility of log injection and makes it easier to search through logs. languages: - csharp severity: INFO metadata: cwe: - 'CWE-117: Improper Output Neutralization for Logs' owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures technology: - .net - serilog - nlog confidence: LOW references: - https://github.com/NLog/NLog/wiki/How-to-use-structured-logging - https://softwareengineering.stackexchange.com/questions/312197/benefits-of-structured-logging-vs-basic-logging category: best-practice subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/csharp.lang.best-practice.structured-logging.structured-logging shortlink: https://sg.run/nwNb semgrep.dev: rule: r_id: 20036 rv_id: 1262627 rule_id: L1UzGR version_id: kbTzG6j url: https://semgrep.dev/playground/r/kbTzG6j/csharp.lang.best-practice.structured-logging.structured-logging origin: community - id: csharp.lang.correctness.sslcertificatetrust.sslcertificatetrust-handshake-no-trust.correctness-sslcertificatetrust-handshake-no-trust patterns: - pattern-either: - pattern: SslCertificateTrust.$METHOD($COLLECTION,sendTrustInHandshake=true) - pattern: SslCertificateTrust.$METHOD($COLLECTION,true) - metavariable-regex: metavariable: $METHOD regex: CreateForX509(Collection|Store) fix: SslCertificateTrust.$METHOD($COLLECTION,false) message: Sending the trusted CA list increases the size of the handshake request and can leak system configuration information. languages: - csharp metadata: references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslcertificatetrust.createforx509collection?view=net-6.0#remarks - https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslcertificatetrust.createforx509store?view=net-6.0#remarks cwe: 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: A03:2017 - Sensitive Data Exposure category: correctness technology: - .net confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/csharp.lang.correctness.sslcertificatetrust.sslcertificatetrust-handshake-no-trust.correctness-sslcertificatetrust-handshake-no-trust shortlink: https://sg.run/Je2w semgrep.dev: rule: r_id: 17390 rv_id: 945203 rule_id: 2ZULWd version_id: 5PT9OyX url: https://semgrep.dev/playground/r/5PT9OyX/csharp.lang.correctness.sslcertificatetrust.sslcertificatetrust-handshake-no-trust.correctness-sslcertificatetrust-handshake-no-trust origin: community severity: WARNING - id: csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization message: Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users. severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-862: Missing Authorization' cwe2021-top25: true cwe2022-top25: true cwe2023-top25: true owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control - https://cwe.mitre.org/data/definitions/862.html - https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0 subcategory: - vuln technology: - .net - mvc license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization shortlink: https://sg.run/Z8GA semgrep.dev: rule: r_id: 26335 rv_id: 1262615 rule_id: eqU32Y version_id: o5TbD41 url: https://semgrep.dev/playground/r/o5TbD41/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization origin: community languages: - csharp patterns: - pattern: | public class $CLASS : Controller { ... } - pattern-inside: | using Microsoft.AspNetCore.Mvc; ... - pattern-not: | [AllowAnonymous] public class $CLASS : Controller { ... } - pattern-not: | [Authorize] public class $CLASS : Controller { ... } - pattern-not: | [Authorize(Roles = ...)] public class $CLASS : Controller { ... } - pattern-not: | [Authorize(Policy = ...)] public class $CLASS : Controller { ... } - id: csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation patterns: - pattern-either: - patterns: - pattern: $LIFETIME = $FALSE - pattern-inside: new TokenValidationParameters {...} - patterns: - pattern: | (TokenValidationParameters $OPTS). ... .$LIFETIME = $FALSE - metavariable-regex: metavariable: $LIFETIME regex: (RequireExpirationTime|ValidateLifetime) - metavariable-regex: metavariable: $FALSE regex: (false) - focus-metavariable: $FALSE fix: | true message: The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used. metadata: category: security technology: - csharp owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-613: Insufficient Session Expiration' references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ - https://cwe.mitre.org/data/definitions/613.html - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet subcategory: - audit likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation shortlink: https://sg.run/KA0d semgrep.dev: rule: r_id: 28955 rv_id: 1262628 rule_id: bwU5kK version_id: w8TRolJ url: https://semgrep.dev/playground/r/w8TRolJ/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation origin: community languages: - csharp severity: WARNING - id: python.lang.maintainability.useless-literal.useless-literal message: key `$X` is uselessly assigned twice languages: - python severity: WARNING patterns: - pattern-either: - pattern: | {..., $X: $A, ..., $X: $B, ...} - pattern: | dict(..., ($X, $A), ..., ($X, $B), ...) - focus-metavariable: $X metadata: category: maintainability references: - https://docs.python.org/3/library/stdtypes.html#mapping-types-dict technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-literal.useless-literal shortlink: https://sg.run/Brd2 semgrep.dev: rule: r_id: 26095 rv_id: 946317 rule_id: 7KUn51 version_id: A8TJzl3 url: https://semgrep.dev/playground/r/A8TJzl3/python.lang.maintainability.useless-literal.useless-literal origin: community - id: csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks category: security technology: - .net confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization shortlink: https://sg.run/gJnR semgrep.dev: rule: r_id: 11141 rv_id: 1262644 rule_id: eqUvND version_id: PkTR30n url: https://semgrep.dev/playground/r/PkTR30n/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization origin: community message: The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure patterns: - pattern-inside: | using System.Runtime.Serialization.Formatters.Soap; ... - pattern: | new SoapFormatter(); - id: java.servlets.security.cookie-issecure-false.cookie-issecure-false patterns: - pattern: $COOKIE = new Cookie($...ARGS); - pattern-not-inside: | $COOKIE = new Cookie(...); ... $COOKIE.setSecure(...); message: 'Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.' fix: | $COOKIE = new Cookie($...ARGS); $COOKIE.setSecure(true); metadata: vulnerability: Insecure Transport owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean) - https://owasp.org/www-community/controls/SecureCookieAttribute category: security technology: - java - cookie subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false shortlink: https://sg.run/pxn0 semgrep.dev: rule: r_id: 9218 rv_id: 1263073 rule_id: kxUkn9 version_id: bZT53lB url: https://semgrep.dev/playground/r/bZT53lB/java.servlets.security.cookie-issecure-false.cookie-issecure-false origin: community languages: - java severity: WARNING - id: ocaml.lang.security.digest.ocamllint-digest pattern-either: - pattern: Digest.string - pattern: Digest.bytes - pattern: Digest.substring - pattern: Digest.subbytes - pattern: Digest.channel - pattern: Digest.file message: Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead. languages: - ocaml severity: WARNING metadata: category: security references: - https://v2.ocaml.org/api/Digest.html technology: - ocaml cwe: 'CWE-328: Use of Weak Hash (4.12)' confidence: LOW likelihood: MEDIUM impact: MEDIUM subcategory: - audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ocaml.lang.security.digest.ocamllint-digest shortlink: https://sg.run/kxXxA semgrep.dev: rule: r_id: 92972 rv_id: 945975 rule_id: WAUWoWz version_id: K3TJbDQ url: https://semgrep.dev/playground/r/K3TJbDQ/ocaml.lang.security.digest.ocamllint-digest origin: community - id: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout severity: WARNING languages: - C# metadata: cwe: - 'CWE-1333: Inefficient Regular Expression Complexity' owasp: A01:2017 - Injection references: - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout - https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0 category: security technology: - .net confidence: MEDIUM subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout shortlink: https://sg.run/NgRy semgrep.dev: rule: r_id: 18227 rv_id: 945224 rule_id: GdUDBP version_id: yeT0nDq url: https://semgrep.dev/playground/r/yeT0nDq/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout origin: community message: 'Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the "Notes to Callers" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0' patterns: - pattern-inside: | using System.Text.RegularExpressions; ... - pattern-either: - pattern: new Regex(..., TimeSpan.InfiniteMatchTimeout) - patterns: - pattern: new Regex(..., TimeSpan.FromSeconds($TIME)) - metavariable-comparison: metavariable: $TIME comparison: $TIME > 5 - pattern: new Regex(..., TimeSpan.FromMinutes(...)) - pattern: new Regex(..., TimeSpan.FromHours(...)) - id: dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned patterns: - pattern-either: - patterns: - pattern: FROM $IMAGE:$VERSION@$HASH - metavariable-regex: metavariable: $HASH regex: (?!sha256:) - patterns: - pattern: FROM $IMAGE - pattern: FROM $IMAGE:$VERSION - pattern-not-inside: FROM $IMAGE:$VERSION@$HASH message: To ensure reproducible builds, pin Dockerfile `FROM` commands to a specific hash. You can find the hash by running `docker pull $IMAGE` and then specify it with `$IMAGE:$VERSION@sha256:` languages: - dockerfile severity: INFO metadata: references: - https://stackoverflow.com/a/33511811/4965 category: best-practice technology: - docker license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned shortlink: https://sg.run/RgD8 semgrep.dev: rule: r_id: 18793 rv_id: 945236 rule_id: DbUGEW version_id: nWTpznE url: https://semgrep.dev/playground/r/nWTpznE/dockerfile.audit.dockerfile-source-not-pinned.dockerfile-source-not-pinned origin: community - id: dockerfile.best-practice.avoid-apk-upgrade.avoid-apk-upgrade languages: - dockerfile message: Packages in base images should be up-to-date, removing the need for 'apk upgrade'. If packages are out-of-date, consider contacting the base image maintainer. severity: INFO metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3017 references: - https://github.com/hadolint/hadolint/wiki/DL3017 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-apk-upgrade.avoid-apk-upgrade shortlink: https://sg.run/2kg5 semgrep.dev: rule: r_id: 20119 rv_id: 945237 rule_id: j2UwDz version_id: ExTg21O url: https://semgrep.dev/playground/r/ExTg21O/dockerfile.best-practice.avoid-apk-upgrade.avoid-apk-upgrade origin: community pattern: RUN ... apk upgrade ... - id: dockerfile.best-practice.avoid-apt-get-upgrade.avoid-apt-get-upgrade message: Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers. languages: - dockerfile severity: WARNING metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3005 references: - https://github.com/hadolint/hadolint/wiki/DL3005 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-apt-get-upgrade.avoid-apt-get-upgrade shortlink: https://sg.run/XWPA semgrep.dev: rule: r_id: 20120 rv_id: 945238 rule_id: 10U43Y version_id: 7ZTrQb0 url: https://semgrep.dev/playground/r/7ZTrQb0/dockerfile.best-practice.avoid-apt-get-upgrade.avoid-apt-get-upgrade origin: community pattern-either: - pattern: RUN ... apt-get upgrade ... - pattern: RUN ... apt-get dist-upgrade ... - id: dockerfile.best-practice.avoid-dnf-update.avoid-dnf-update severity: INFO languages: - dockerfile message: Packages in base images should be up-to-date, removing the need for 'dnf update'. If packages are out-of-date, consider contacting the base image maintainer. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3039 references: - https://github.com/hadolint/hadolint/wiki/DL3039 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-dnf-update.avoid-dnf-update shortlink: https://sg.run/jBJA semgrep.dev: rule: r_id: 20121 rv_id: 945239 rule_id: 9AUAq5 version_id: LjTXyzj url: https://semgrep.dev/playground/r/LjTXyzj/dockerfile.best-practice.avoid-dnf-update.avoid-dnf-update origin: community pattern: dnf update - id: dockerfile.best-practice.avoid-latest-version.avoid-latest-version message: Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning. severity: WARNING languages: - dockerfile metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3007 references: - https://github.com/hadolint/hadolint/wiki/DL3007 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-latest-version.avoid-latest-version shortlink: https://sg.run/1kXD semgrep.dev: rule: r_id: 20122 rv_id: 945240 rule_id: yyUDGx version_id: 8KTKjvw url: https://semgrep.dev/playground/r/8KTKjvw/dockerfile.best-practice.avoid-latest-version.avoid-latest-version origin: community pattern: FROM $FROM:latest - id: dockerfile.best-practice.avoid-platform-with-from.avoid-platform-with-from severity: INFO languages: - dockerfile pattern: FROM --platform=$PLATFORM $IMAGE message: Using '--platform' with FROM restricts the image to build on a single platform. Further, this must be the same as the build platform. If you intended to specify the target platform, use the utility 'docker buildx --platform=' instead. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3029 references: - https://github.com/hadolint/hadolint/wiki/DL3029 - https://docs.docker.com/buildx/working-with-buildx/ category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-platform-with-from.avoid-platform-with-from shortlink: https://sg.run/93G4 semgrep.dev: rule: r_id: 20123 rv_id: 945241 rule_id: r6Ujl1 version_id: gETe1kQ url: https://semgrep.dev/playground/r/gETe1kQ/dockerfile.best-practice.avoid-platform-with-from.avoid-platform-with-from origin: community - id: dockerfile.best-practice.avoid-yum-update.avoid-yum-update severity: INFO languages: - dockerfile message: Packages in base images should be up-to-date, removing the need for 'yum update'. If packages are out-of-date, consider contacting the base image maintainer. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3031 references: - https://github.com/hadolint/hadolint/wiki/DL3031 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-yum-update.avoid-yum-update shortlink: https://sg.run/yJ3r semgrep.dev: rule: r_id: 20124 rv_id: 945242 rule_id: bwULQE version_id: QkTZz1r url: https://semgrep.dev/playground/r/QkTZz1r/dockerfile.best-practice.avoid-yum-update.avoid-yum-update origin: community pattern: yum update - id: dockerfile.best-practice.avoid-zypper-update.avoid-zypper-update severity: INFO languages: - dockerfile message: Packages in base images should be up-to-date, removing the need for 'zypper update'. If packages are out-of-date, consider contacting the base image maintainer. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3035 references: - https://github.com/hadolint/hadolint/wiki/DL3035 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.avoid-zypper-update.avoid-zypper-update shortlink: https://sg.run/rN00 semgrep.dev: rule: r_id: 20125 rv_id: 945243 rule_id: NbUeGG version_id: 3ZTOPLw url: https://semgrep.dev/playground/r/3ZTOPLw/dockerfile.best-practice.avoid-zypper-update.avoid-zypper-update origin: community pattern: zypper update ... - id: dockerfile.best-practice.maintainer-is-deprecated.maintainer-is-deprecated severity: INFO languages: - dockerfile pattern: MAINTAINER $NAME message: MAINTAINER has been deprecated. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4000 references: - https://github.com/hadolint/hadolint/wiki/DL4000 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.maintainer-is-deprecated.maintainer-is-deprecated shortlink: https://sg.run/bWKe semgrep.dev: rule: r_id: 20126 rv_id: 945244 rule_id: kxUO35 version_id: 44TZkej url: https://semgrep.dev/playground/r/44TZkej/dockerfile.best-practice.maintainer-is-deprecated.maintainer-is-deprecated origin: community fix: '# MAINTAINER $NAME' - id: dockerfile.best-practice.missing-dnf-assume-yes-switch.missing-dnf-assume-yes-switch severity: WARNING languages: - dockerfile patterns: - pattern: | RUN ... dnf install ... - pattern-not-inside: | RUN ... dnf install ... -y ... - pattern-not-inside: | RUN ... dnf ... --assumeyes ... message: This 'dnf install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3038 references: - https://github.com/hadolint/hadolint/wiki/DL3038 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-dnf-assume-yes-switch.missing-dnf-assume-yes-switch shortlink: https://sg.run/kD5K semgrep.dev: rule: r_id: 20128 rv_id: 945246 rule_id: x8Ud03 version_id: JdTDyoW url: https://semgrep.dev/playground/r/JdTDyoW/dockerfile.best-practice.missing-dnf-assume-yes-switch.missing-dnf-assume-yes-switch origin: community - id: dockerfile.best-practice.missing-dnf-clean-all.missing-dnf-clean-all severity: WARNING languages: - dockerfile patterns: - pattern: RUN ... dnf ... - pattern-not-inside: RUN ... && dnf clean all - pattern-not-inside: RUN ... && \ dnf clean all message: This dnf command does not end with '&& dnf clean all'. Running 'dnf clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.) metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3038 references: - https://github.com/hadolint/hadolint/wiki/DL3038 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-dnf-clean-all.missing-dnf-clean-all shortlink: https://sg.run/w460 semgrep.dev: rule: r_id: 20129 rv_id: 945247 rule_id: OrUvE4 version_id: 5PT9ONX url: https://semgrep.dev/playground/r/5PT9ONX/dockerfile.best-practice.missing-dnf-clean-all.missing-dnf-clean-all origin: community - id: dockerfile.best-practice.missing-image-version.missing-image-version patterns: - pattern-either: - pattern: FROM $IMAGE - pattern-not: FROM $IMAGE:$VERSION - pattern-not: FROM $IMAGE@$DIGEST - pattern-not: FROM $IMAGE:$VERSION@$DIGEST - pattern-not: FROM scratch message: Detected docker image with no explicit version attached. Images should be tagged with an explicit version to produce deterministic container images -- attach a version when using `FROM `. severity: WARNING languages: - dockerfile metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3006 references: - https://github.com/hadolint/hadolint/wiki/DL3006 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-image-version.missing-image-version shortlink: https://sg.run/xPop semgrep.dev: rule: r_id: 20130 rv_id: 945248 rule_id: eqUZbw version_id: GxTP7oG url: https://semgrep.dev/playground/r/GxTP7oG/dockerfile.best-practice.missing-image-version.missing-image-version origin: community - id: dockerfile.best-practice.missing-no-install-recommends.missing-no-install-recommends patterns: - pattern: | RUN apt-get install ... - pattern-not: RUN apt-get install ... --no-install-recommends ... languages: - dockerfile message: This 'apt-get install' is missing '--no-install-recommends'. This prevents unnecessary packages from being installed, thereby reducing image size. Add '--no-install-recommends'. severity: INFO metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3015 references: - https://github.com/hadolint/hadolint/wiki/DL3015 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-no-install-recommends.missing-no-install-recommends shortlink: https://sg.run/O4dp semgrep.dev: rule: r_id: 20131 rv_id: 945249 rule_id: v8UvoK version_id: RGTAg2b url: https://semgrep.dev/playground/r/RGTAg2b/dockerfile.best-practice.missing-no-install-recommends.missing-no-install-recommends origin: community - id: dockerfile.best-practice.missing-pip-no-cache-dir.missing-pip-no-cache-dir severity: INFO languages: - dockerfile patterns: - patterns: - pattern: | RUN ... $PIP install ... - pattern-not-inside: | RUN ... $PIP install ... --no-cache-dir ... - pattern-not-inside: | RUN ... $PIP install . ... - pattern-not-inside: | ENV ... PIP_NO_CACHE_DIR=$BOOL ... ... RUN ... $PIP install ... - pattern-not-inside: | ENV ... PIP_NO_CACHE_DIR ... ... RUN ... $PIP install ... - metavariable-regex: metavariable: $PIP regex: (pip|pip2|pip3|python -m pip|python3 -m pip) message: This '$PIP install' is missing '--no-cache-dir'. This flag prevents package archives from being kept around, thereby reducing image size. Add '--no-cache-dir'. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3042 references: - https://github.com/hadolint/hadolint/wiki/DL3042 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-pip-no-cache-dir.missing-pip-no-cache-dir shortlink: https://sg.run/eJYl semgrep.dev: rule: r_id: 20132 rv_id: 945250 rule_id: d8U67N version_id: A8TJzNY url: https://semgrep.dev/playground/r/A8TJzNY/dockerfile.best-practice.missing-pip-no-cache-dir.missing-pip-no-cache-dir origin: community - id: dockerfile.best-practice.missing-yum-assume-yes-switch.missing-yum-assume-yes-switch severity: WARNING languages: - dockerfile patterns: - pattern: | RUN ... yum install ... - pattern-not: | RUN ... yum install ... -y ... - pattern-not: | RUN ... yum ... --assumeyes ... message: This 'yum install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3030 references: - https://github.com/hadolint/hadolint/wiki/DL3030 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-yum-assume-yes-switch.missing-yum-assume-yes-switch shortlink: https://sg.run/vpY4 semgrep.dev: rule: r_id: 20133 rv_id: 945251 rule_id: ZqUex1 version_id: BjT1NK2 url: https://semgrep.dev/playground/r/BjT1NK2/dockerfile.best-practice.missing-yum-assume-yes-switch.missing-yum-assume-yes-switch origin: community - id: apex.lang.best-practice.ncino.tests.useassertclass.use-assert-class min-version: 1.44.0 severity: WARNING languages: - generic metadata: category: best-practice references: - https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_System_Assert.htm technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.best-practice.ncino.tests.useassertclass.use-assert-class shortlink: https://sg.run/RYvE semgrep.dev: rule: r_id: 72405 rv_id: 945139 rule_id: JDUjGA version_id: 8KTKjAB url: https://semgrep.dev/playground/r/8KTKjAB/apex.lang.best-practice.ncino.tests.useassertclass.use-assert-class origin: community message: 'Assert methods in the System class have been replaced with the Assert class: https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_System_Assert.htm' pattern-regex: System\.assert paths: include: - '*.cls' - UseAssertClass.cls - id: apex.lang.performance.ncino.operationsinloops.avoidsoslinloops.avoid-sosl-in-loops min-version: 1.44.0 severity: ERROR languages: - generic metadata: category: performance references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm technology: - salesforce license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidsoslinloops.avoid-sosl-in-loops shortlink: https://sg.run/0zXk semgrep.dev: rule: r_id: 72410 rv_id: 945144 rule_id: BYUAJq version_id: PkTQZ0w url: https://semgrep.dev/playground/r/PkTQZ0w/apex.lang.performance.ncino.operationsinloops.avoidsoslinloops.avoid-sosl-in-loops origin: community message: Database class methods, DML operations, SOQL queries, SOSL queries, Approval class methods, Email sending, async scheduling or queueing within loops can cause governor limit exceptions. Instead, try to batch up the data into a list and invoke the operation once on that list of data outside the loop. patterns: - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } - pattern-inside: | do { ... } while (...); - pattern-either: - pattern: | $OBJECTS = ... Search.query(...) - pattern: | $OBJECTS = ... [FIND...IN ALL FIELDS RETURNING...] - id: apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor min-version: 1.44.0 severity: ERROR languages: - apex metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2020-top25': true cwe2021-top25': true cwe2022-top25': true impact: HIGH likelihood: MEDIUM confidence: HIGH category: security subcategory: - vuln technology: - salesforce references: - https://cwe.mitre.org/data/definitions/352.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor shortlink: https://sg.run/KBvP semgrep.dev: rule: r_id: 72411 rv_id: 1262594 rule_id: DbUjXE version_id: DkTRb1R url: https://semgrep.dev/playground/r/DkTRb1R/apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor origin: community message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.' patterns: - pattern-either: - pattern-inside: public class $CLASSNAME {...} - pattern-inside: private class $CLASSNAME {...} - pattern-inside: public $SOME sharing class $CLASSNAME {...} - pattern-inside: private $SOME sharing class $CLASSNAME {...} - pattern-either: - pattern-inside: public $CLASSNAME() {...} - pattern-inside: private $CLASSNAME() {...} - pattern-either: - pattern: | insert $DATA; - pattern: | update $DATA; - pattern: | upsert $DATA; - pattern: | delete $DATA; paths: exclude: - '*Test*' - '*test*' - id: apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor min-version: 1.44.0 severity: ERROR languages: - generic metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2020-top25': true cwe2021-top25': true cwe2022-top25': true impact: HIGH likelihood: MEDIUM confidence: HIGH category: security subcategory: - vuln technology: - salesforce references: - https://cwe.mitre.org/data/definitions/352.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor shortlink: https://sg.run/qDW1 semgrep.dev: rule: r_id: 72412 rv_id: 1262595 rule_id: WAUwG0 version_id: WrTqKy8 url: https://semgrep.dev/playground/r/WrTqKy8/apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor origin: community message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.' patterns: - pattern-inside: static {...} - pattern-either: - pattern: | insert $DATA; - pattern: | update $DATA; - pattern: | upsert $DATA; - pattern: | delete $DATA; paths: exclude: - '*Test*' - '*test*' - id: apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements min-version: 1.44.0 severity: WARNING languages: - apex metadata: cwe: - 'CWE-863: Incorrect Authorization' owasp: - A01:2021 - Broken Access Control - A04:2021 - Insecure Design - A01:2025 - Broken Access Control - A06:2025 - Insecure Design impact: HIGH likelihood: LOW confidence: LOW category: security subcategory: - audit technology: - salesforce references: - https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_dml_section.htm - https://cwe.mitre.org/data/definitions/863.html - https://owasp.org/Top10/A04_2021-Insecure_Design/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements shortlink: https://sg.run/l5GL semgrep.dev: rule: r_id: 72413 rv_id: 1262596 rule_id: 0oUXgP version_id: 0bTKz2G url: https://semgrep.dev/playground/r/0bTKz2G/apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements origin: community message: Native Salesforce DML operations execute in system context, ignoring the current user's permissions, field-level security, organization-wide defaults, position in the role hierarchy, and sharing rules. Be mindful when using native Salesforce DML operations. patterns: - pattern-either: - pattern-regex: (insert|upsert|update|delete)[\s] - pattern-regex: (insert|upsert|update|delete)[(] - pattern-not-regex: '[\/\/].*(insert|upsert|update|delete).*' - pattern-not-regex: '[\/\/].*(insert|upsert|update|delete)[\n]' - pattern-not-regex: .*[=].*(insert|upsert|update|delete).*[,;] - id: apex.lang.security.ncino.encryption.badcrypto.bad-crypto min-version: 1.44.0 severity: ERROR languages: - apex metadata: cwe: - 'CWE-321: Use of Hard-coded Cryptographic Key' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures impact: HIGH likelihood: LOW confidence: LOW category: security subcategory: - audit technology: - salesforce references: - https://cwe.mitre.org/data/definitions/321.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/apex.lang.security.ncino.encryption.badcrypto.bad-crypto shortlink: https://sg.run/YjJW semgrep.dev: rule: r_id: 72414 rv_id: 1262597 rule_id: KxUX8q version_id: K3TKk78 url: https://semgrep.dev/playground/r/K3TKk78/apex.lang.security.ncino.encryption.badcrypto.bad-crypto origin: community message: The rule makes sure you are using randomly generated IVs and keys for Crypto calls. Hard-coding these values greatly compromises the security of encrypted data. pattern-either: - pattern: Blob $IV = Blob.valueOf('$STRING');...Crypto.encrypt($ONE, $TWO, $IV, $FOUR); - pattern: Blob $IV = Blob.valueOf('$STRING');...Crypto.decrypt($ONE, $TWO, $IV, $FOUR); - pattern: Blob $KEY = Blob.valueOf('$STRING');...Crypto.encrypt($ONE, $KEY, $THREE, $FOUR); - pattern: Blob $KEY = Blob.valueOf('$STRING');...Crypto.decrypt($ONE, $KEY, $THREE, $FOUR); paths: exclude: - '*Test*' - '*test*' - id: apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param min-version: 1.44.0 mode: taint severity: ERROR languages: - apex metadata: category: security subcategory: - vuln technology: - salesforce cwe: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/943.html impact: HIGH likelihood: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param shortlink: https://sg.run/pBD3 semgrep.dev: rule: r_id: 72418 rv_id: 1262598 rule_id: JDUjGW version_id: qkTR7XJ url: https://semgrep.dev/playground/r/qkTR7XJ/apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param origin: community message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands. pattern-sources: - by-side-effect: true pattern: ApexPage.getCurrentPage().getParameters.get($URLPARAM); pattern-sanitizers: - pattern: String.escapeSingleQuotes(...) pattern-sinks: - patterns: - pattern: Database.query($SINK,...); - focus-metavariable: $SINK - id: apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param min-version: 1.44.0 mode: taint severity: ERROR languages: - apex metadata: category: security subcategory: - vuln technology: - salesforce cwe: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/943.html impact: HIGH likelihood: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param shortlink: https://sg.run/22gz semgrep.dev: rule: r_id: 72419 rv_id: 1262599 rule_id: 5rUzrX version_id: l4TJR82 url: https://semgrep.dev/playground/r/l4TJR82/apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param origin: community message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands. pattern-sources: - by-side-effect: true patterns: - pattern: $M(...,String $P,...) { ... } - focus-metavariable: $P pattern-sanitizers: - pattern-either: - pattern: String.escapeSingleQuotes($P) - pattern: Database.query(<... String.escapeSingleQuotes($P) ...>) pattern-sinks: - pattern: Database.query(<... $P ...>) - id: apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request min-version: 1.44.0 severity: ERROR languages: - apex metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' impact: MEDIUM likelihood: LOW confidence: MEDIUM category: security subcategory: - vuln technology: - salesforce references: - https://cwe.mitre.org/data/definitions/319.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request shortlink: https://sg.run/69Pw semgrep.dev: rule: r_id: 72415 rv_id: 945149 rule_id: qNUyLw version_id: A8TJze8 url: https://semgrep.dev/playground/r/A8TJze8/apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request origin: community message: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. patterns: - pattern-regex: http[:][/][/] - pattern-not-regex: //.* - pattern-not-regex: '[*].*' paths: exclude: - '*Test*' - '*test*' - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match min-version: 1.44.0 mode: taint severity: ERROR languages: - apex metadata: cwe: - 'CWE-540: Inclusion of Sensitive Information in Source Code' impact: HIGH likelihood: LOW confidence: HIGH category: security subcategory: - vuln technology: - salesforce references: - https://cwe.mitre.org/data/definitions/540.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match shortlink: https://sg.run/oA37 semgrep.dev: rule: r_id: 72416 rv_id: 945150 rule_id: lBU0oR version_id: BjT1Nzq url: https://semgrep.dev/playground/r/BjT1Nzq/apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match origin: community message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone. pattern-sources: - pattern: '...String $X = ''Authorization'';' pattern-sinks: - patterns: - pattern: req.setHeader($X, ...); - focus-metavariable: $X - id: apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match min-version: 1.44.0 severity: ERROR languages: - apex metadata: cwe: - 'CWE-540: Inclusion of Sensitive Information in Source Code' impact: HIGH likelihood: LOW confidence: HIGH category: security subcategory: - vuln technology: - salesforce references: - https://cwe.mitre.org/data/definitions/540.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match shortlink: https://sg.run/zzZz semgrep.dev: rule: r_id: 72417 rv_id: 945151 rule_id: PeUy2y version_id: DkTNpxE url: https://semgrep.dev/playground/r/DkTNpxE/apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match origin: community message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone. pattern: $REQUEST.setHeader('Authorization', $AUTHSTRING); - id: bash.lang.best-practice.useless-cat.useless-cat pattern-either: - pattern: | cat | ... - patterns: - pattern: | cat $ARG | ... - pattern-not: | cat ${$SEVERAL_FILES} | ... - pattern: | ... | cat - pattern: | ... | cat | ... message: Useless call to 'cat' in a pipeline. Use '<' and '>' for any command to read from a file or write to a file. metadata: references: - https://github.com/koalaman/shellcheck/wiki/SC2002 category: best-practice technology: - bash license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/bash.lang.best-practice.useless-cat.useless-cat shortlink: https://sg.run/pNDN semgrep.dev: rule: r_id: 20118 rv_id: 945159 rule_id: X5UAkA version_id: 5PT9OpX url: https://semgrep.dev/playground/r/5PT9OpX/bash.lang.best-practice.useless-cat.useless-cat origin: community severity: WARNING languages: - bash - id: bash.curl.security.curl-eval.curl-eval severity: WARNING languages: - bash message: Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' category: security technology: - bash - curl confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval shortlink: https://sg.run/0yqJ semgrep.dev: rule: r_id: 14554 rv_id: 1262601 rule_id: KxU7Rq version_id: JdTzxL2 url: https://semgrep.dev/playground/r/JdTzxL2/bash.curl.security.curl-eval.curl-eval origin: community mode: taint pattern-sources: - pattern: | $(curl ...) - pattern: | `curl ...` pattern-sinks: - pattern: eval ... - id: ai.dart.detect-gemini.detect-gemini languages: - dart severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import 'package:google_generative_ai'; - pattern: final $MODEL = GenerativeModel(...); metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.dart.detect-gemini.detect-gemini shortlink: https://sg.run/EwZnw semgrep.dev: rule: r_id: 137237 rv_id: 1039208 rule_id: nJUx1Bx version_id: jQTYQX1 url: https://semgrep.dev/playground/r/jQTYQX1/ai.dart.detect-gemini.detect-gemini origin: community - id: bash.lang.security.ifs-tampering.ifs-tampering languages: - bash severity: WARNING message: The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS="," read -a my_array'. pattern: IFS=... metadata: cwe: - 'CWE-20: Improper Input Validation' category: security technology: - bash confidence: LOW owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering shortlink: https://sg.run/Q9pq semgrep.dev: rule: r_id: 14842 rv_id: 1262603 rule_id: WAUy9q version_id: GxTkerb url: https://semgrep.dev/playground/r/GxTkerb/bash.lang.security.ifs-tampering.ifs-tampering origin: community - id: ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop languages: - generic severity: INFO message: 'Possibly found usage of AI: Anthropic' pattern-either: - pattern: anthropic - pattern: Anthropic - pattern: claude metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop shortlink: https://sg.run/7Kw1Z semgrep.dev: rule: r_id: 137238 rv_id: 945115 rule_id: EwUj3JR version_id: o5TZe40 url: https://semgrep.dev/playground/r/o5TZe40/ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop origin: community - id: ai.generic.detect-generic-ai-api.detect-generic-ai-api languages: - generic severity: INFO message: 'Possibly found usage of AI: HTTP Request' pattern-either: - pattern: /chat/completions - pattern: api.openai.com metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.generic.detect-generic-ai-api.detect-generic-ai-api shortlink: https://sg.run/L1ZGr semgrep.dev: rule: r_id: 137239 rv_id: 945116 rule_id: 7KUgj21 version_id: zyTlkYx url: https://semgrep.dev/playground/r/zyTlkYx/ai.generic.detect-generic-ai-api.detect-generic-ai-api origin: community - id: ai.generic.detect-generic-ai-gem.detect-generic-ai-gem languages: - generic severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: google/generative-ai - pattern: GoogleGenerativeAI metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.generic.detect-generic-ai-gem.detect-generic-ai-gem shortlink: https://sg.run/8Ge9y semgrep.dev: rule: r_id: 137240 rv_id: 945117 rule_id: L1Uqowy version_id: pZTNOpr url: https://semgrep.dev/playground/r/pZTNOpr/ai.generic.detect-generic-ai-gem.detect-generic-ai-gem origin: community - id: ai.go.detect-openai.detect-openai languages: - go severity: INFO message: 'Possibly found usage of AI: OpenAI' pattern-either: - pattern: import "github.com/sashabaranov/go-openai" - pattern: gogpt.NewClient(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.go.detect-openai.detect-openai shortlink: https://sg.run/3qwpr semgrep.dev: rule: r_id: 137243 rv_id: 945120 rule_id: QrUWjbd version_id: jQTzvQk url: https://semgrep.dev/playground/r/jQTzvQk/ai.go.detect-openai.detect-openai origin: community - id: ai.kotlin.detect-gemini.detect-gemini languages: - kotlin severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import com.google.ai - pattern: GenerativeModel(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.kotlin.detect-gemini.detect-gemini shortlink: https://sg.run/4bQ2l semgrep.dev: rule: r_id: 137244 rv_id: 945121 rule_id: 3qUkzv6 version_id: 1QToK5O url: https://semgrep.dev/playground/r/1QToK5O/ai.kotlin.detect-gemini.detect-gemini origin: community - id: ai.python.detect-anthropic.detect-anthropic languages: - python severity: INFO message: 'Possibly found usage of AI: Anthropic' pattern-either: - pattern: import anthropic - pattern: from anthropic import $ANYTHING - pattern: Anthropic(...) - pattern: anthropic.Anthropic(...) - pattern: $CLIENT.messages.$FUNC(...,model=...,...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-anthropic.detect-anthropic shortlink: https://sg.run/PeZDY semgrep.dev: rule: r_id: 137245 rv_id: 945122 rule_id: 4bURwnQ version_id: 9lTy1Ze url: https://semgrep.dev/playground/r/9lTy1Ze/ai.python.detect-anthropic.detect-anthropic origin: community - id: ai.python.detect-gemini.detect-gemini languages: - python severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import google.generativeai metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-gemini.detect-gemini shortlink: https://sg.run/JDZJw semgrep.dev: rule: r_id: 137246 rv_id: 945123 rule_id: PeUJXgj version_id: yeT0nAB url: https://semgrep.dev/playground/r/yeT0nAB/ai.python.detect-gemini.detect-gemini origin: community - id: ai.typescript.detect-gemini.detect-gemini languages: - js - ts severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import "@google/generative-ai" - pattern: import $ANYTHING from "@google/generative-ai"; - pattern: new GoogleGenerativeAI(...) - pattern: $GENAI.getGenerativeModel(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-gemini.detect-gemini shortlink: https://sg.run/qNgJz semgrep.dev: rule: r_id: 137256 rv_id: 945133 rule_id: KxUv6dO version_id: d6TPj4v url: https://semgrep.dev/playground/r/d6TPj4v/ai.typescript.detect-gemini.detect-gemini origin: community - id: ai.typescript.detect-mistral.detect-mistral languages: - js - ts severity: INFO message: 'Possibly found usage of AI: Mistral' pattern-either: - pattern: import "@mistralai" - pattern: new MistralClient(...) - pattern: '$CLIENT.chat({model: ...})' metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-mistral.detect-mistral shortlink: https://sg.run/lB1ny semgrep.dev: rule: r_id: 137257 rv_id: 945134 rule_id: qNU2Pk9 version_id: ZRT35GK url: https://semgrep.dev/playground/r/ZRT35GK/ai.typescript.detect-mistral.detect-mistral origin: community - id: ai.typescript.detect-openai.detect-openai languages: - js - ts severity: INFO message: 'Possibly found usage of AI: OpenAI' pattern-either: - pattern: import "openai" - pattern: import $ANYTHING from "openai"; - pattern: new OpenAI(...) - pattern: $CLIENT.chat.completions.$FUNC(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-openai.detect-openai shortlink: https://sg.run/YG5ze semgrep.dev: rule: r_id: 137258 rv_id: 945135 rule_id: lBU4A7Y version_id: nWTpzG9 url: https://semgrep.dev/playground/r/nWTpzG9/ai.typescript.detect-openai.detect-openai origin: community - id: ai.typescript.detect-promptfoo.detect-promptfoo languages: - js - ts severity: INFO message: 'Possibly found usage of AI tooling: promptfoo' pattern-either: - pattern: import "promptfoo" - pattern: promptfoo.evaluate(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-promptfoo.detect-promptfoo shortlink: https://sg.run/6JZjo semgrep.dev: rule: r_id: 137259 rv_id: 945136 rule_id: PeUJXg7 version_id: ExTg2qe url: https://semgrep.dev/playground/r/ExTg2qe/ai.typescript.detect-promptfoo.detect-promptfoo origin: community - id: ai.typescript.detect-vercel-ai.detect-vercel-ai languages: - js - ts severity: INFO message: 'Possibly found usage of AI: VercelAI' pattern-either: - pattern: import "ai" - pattern: import "@ai-sdk" - pattern: generateText({model:...}) - pattern: generateText({prompt:...}) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-vercel-ai.detect-vercel-ai shortlink: https://sg.run/oqr49 semgrep.dev: rule: r_id: 137260 rv_id: 945137 rule_id: JDUNYdw version_id: 7ZTrQWZ url: https://semgrep.dev/playground/r/7ZTrQWZ/ai.typescript.detect-vercel-ai.detect-vercel-ai origin: community - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command languages: - bash severity: INFO message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array. metadata: category: correctness technology: - bash license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command shortlink: https://sg.run/861Q semgrep.dev: rule: r_id: 14840 rv_id: 945160 rule_id: BYUd5r version_id: GxTP7zG url: https://semgrep.dev/playground/r/GxTP7zG/bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command origin: community patterns: - pattern-either: - pattern: | ... ${$VAR} ... - pattern: | ... ...${$VAR}... ... - metavariable-regex: metavariable: $VAR regex: '[*@0-9]|[A-Za-z].*' - id: bash.lang.correctness.unquoted-expansion.unquoted-command-substitution-in-command languages: - bash severity: INFO message: The result of command substitution $(...) or `...`, if unquoted, is split on whitespace or other separators specified by the IFS variable. You should surround it with double quotes to avoid splitting the result. metadata: category: correctness technology: - bash license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/bash.lang.correctness.unquoted-expansion.unquoted-command-substitution-in-command shortlink: https://sg.run/gYK5 semgrep.dev: rule: r_id: 14841 rv_id: 945161 rule_id: DbU1JY version_id: RGTAgqb url: https://semgrep.dev/playground/r/RGTAgqb/bash.lang.correctness.unquoted-expansion.unquoted-command-substitution-in-command origin: community patterns: - pattern-either: - pattern: | ... $(...) ... - pattern: | ... ...$(...)... ... - pattern-regex: | .*(\$$[^\(]|`).+([^$]\)|`).* - id: c.lang.correctness.c-string-equality.c-string-equality patterns: - pattern: (char *$X) == (char *$Y) - metavariable-comparison: metavariable: $X comparison: $X != 0 - metavariable-comparison: metavariable: $Y comparison: $Y != 0 message: Using == on char* performs pointer comparison, use strcmp instead fix: strcmp($X, $Y) == 0 languages: - c severity: ERROR metadata: category: correctness technology: - c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/c.lang.correctness.c-string-equality.c-string-equality shortlink: https://sg.run/kX2O semgrep.dev: rule: r_id: 8828 rv_id: 945163 rule_id: QrUz35 version_id: BjT1Nz2 url: https://semgrep.dev/playground/r/BjT1Nz2/c.lang.correctness.c-string-equality.c-string-equality origin: community - id: c.lang.correctness.goto-fail.double_goto pattern: | if ($COND) goto $FAIL; goto $FAIL; message: The second goto statement will always be executed. languages: - c severity: WARNING metadata: category: correctness technology: - c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/c.lang.correctness.goto-fail.double_goto shortlink: https://sg.run/webN semgrep.dev: rule: r_id: 8829 rv_id: 945164 rule_id: 3qUPKn version_id: DkTNpGd url: https://semgrep.dev/playground/r/DkTNpGd/c.lang.correctness.goto-fail.double_goto origin: community - id: dockerfile.best-practice.prefer-copy-over-add.prefer-copy-over-add severity: INFO languages: - dockerfile message: The ADD command will accept and include files from a URL and automatically extract archives. This potentially exposes the container to a man-in-the-middle attack or other attacks if a malicious actor can tamper with the source archive. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.prefer-copy-over-add.prefer-copy-over-add shortlink: https://sg.run/EzoA semgrep.dev: rule: r_id: 20137 rv_id: 945255 rule_id: L1Uz9O version_id: K3TJbJz url: https://semgrep.dev/playground/r/K3TJbJz/dockerfile.best-practice.prefer-copy-over-add.prefer-copy-over-add origin: community patterns: - pattern: | ADD $FROM $TO - metavariable-regex: metavariable: $FROM regex: (^[A-Za-z]+:\/\/|.*[.](gz|bz2|zip|tar)$) - focus-metavariable: $FROM - id: dockerfile.best-practice.set-pipefail.set-pipefail languages: - dockerfile message: Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want to fail the command at any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash", "-o", "pipefail", "-c"] before the command. If you're using alpine and don't have bash installed, communicate this explicitly with `SHELL ["/bin/ash"]`. metadata: references: - https://github.com/hadolint/hadolint/wiki/DL4006 source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4006 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.set-pipefail.set-pipefail shortlink: https://sg.run/gGon semgrep.dev: rule: r_id: 20141 rv_id: 945259 rule_id: 3qULW0 version_id: JdTDyDL url: https://semgrep.dev/playground/r/JdTDyDL/dockerfile.best-practice.set-pipefail.set-pipefail origin: community patterns: - pattern-either: - pattern: RUN ... | ... - pattern: RUN ... || ... - pattern-not-inside: | SHELL [..., "pipefail", ...] ... RUN ... | ... - pattern-not-inside: | SHELL ["/bin/ash", ...] ... RUN ... | ... severity: WARNING - id: dockerfile.best-practice.use-either-wget-or-curl.use-either-wget-or-curl severity: INFO languages: - dockerfile message: '''wget'' and ''curl'' are similar tools. Choose one and do not install the other to decrease image size.' metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4001 references: - https://github.com/hadolint/hadolint/wiki/DL4001 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.use-either-wget-or-curl.use-either-wget-or-curl shortlink: https://sg.run/QJ3P semgrep.dev: rule: r_id: 20142 rv_id: 945260 rule_id: 4bUe5P version_id: 5PT9O9p url: https://semgrep.dev/playground/r/5PT9O9p/dockerfile.best-practice.use-either-wget-or-curl.use-either-wget-or-curl origin: community pattern-either: - pattern: | RUN wget ... ... RUN curl ... - pattern: | RUN curl ... ... RUN wget ... - id: dockerfile.best-practice.missing-zypper-clean.missing-zypper-clean severity: WARNING languages: - dockerfile patterns: - pattern: RUN ... zypper $COMMAND ... - pattern-not-inside: RUN ... zypper clean - pattern-not-inside: RUN ... zypper clean message: This zypper command does not end with '&& zypper clean'. Running 'zypper clean' will remove cached data and reduce package size. (This must be performed in the same RUN step.) metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3036 references: - https://github.com/hadolint/hadolint/wiki/DL3036 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.missing-zypper-clean.missing-zypper-clean shortlink: https://sg.run/dPlY semgrep.dev: rule: r_id: 20134 rv_id: 945252 rule_id: nJUnJ1 version_id: DkTNpNd url: https://semgrep.dev/playground/r/DkTNpNd/dockerfile.best-practice.missing-zypper-clean.missing-zypper-clean origin: community - id: dockerfile.best-practice.nonsensical-command.nonsensical-command patterns: - pattern: RUN $CMD ... - metavariable-regex: metavariable: $CMD regex: (shutdown|service|ps|free|top|kill|mount|ifconfig|nano|vim) message: Some commands such as `$CMD` do not make sense in a container. Do not use these. severity: WARNING languages: - dockerfile metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3001 references: - https://github.com/hadolint/hadolint/wiki/DL3001 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.nonsensical-command.nonsensical-command shortlink: https://sg.run/ZP5n semgrep.dev: rule: r_id: 20135 rv_id: 945253 rule_id: EwU1vL version_id: WrTEoEW url: https://semgrep.dev/playground/r/WrTEoEW/dockerfile.best-practice.nonsensical-command.nonsensical-command origin: community - id: dockerfile.best-practice.prefer-apt-get.prefer-apt-get severity: INFO languages: - dockerfile patterns: - pattern: RUN apt ... - pattern-not: RUN apt-get ... message: '''apt-get'' is preferred as an unattended tool for stability. ''apt'' is discouraged.' metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3027 references: - https://github.com/hadolint/hadolint/wiki/DL3027 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.prefer-apt-get.prefer-apt-get shortlink: https://sg.run/nwAO semgrep.dev: rule: r_id: 20136 rv_id: 945254 rule_id: 7KUbZG version_id: 0bT151y url: https://semgrep.dev/playground/r/0bT151y/dockerfile.best-practice.prefer-apt-get.prefer-apt-get origin: community - id: dockerfile.best-practice.prefer-json-notation.prefer-json-notation severity: INFO languages: - dockerfile message: Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3025 references: - https://github.com/hadolint/hadolint/wiki/DL3025 - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#cmd category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.prefer-json-notation.prefer-json-notation shortlink: https://sg.run/7QJR semgrep.dev: rule: r_id: 20138 rv_id: 945256 rule_id: 8GUvgR version_id: qkT4j4j url: https://semgrep.dev/playground/r/qkT4j4j/dockerfile.best-practice.prefer-json-notation.prefer-json-notation origin: community pattern-either: - patterns: - pattern: CMD $WORD ... - pattern-not-inside: CMD [...] - patterns: - pattern: ENTRYPOINT $WORD ... - pattern-not-inside: ENTRYPOINT [...] - id: dockerfile.best-practice.use-shell-instruction.use-shell-instruction severity: WARNING languages: - dockerfile pattern: | RUN ln ... $SHELL /bin/sh message: Use the SHELL instruction to set the default shell instead of overwriting '/bin/sh'. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4005 references: - https://github.com/hadolint/hadolint/wiki/DL4005 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.use-shell-instruction.use-shell-instruction shortlink: https://sg.run/3Qnb semgrep.dev: rule: r_id: 20143 rv_id: 945261 rule_id: PeUj2G version_id: GxTP7PD url: https://semgrep.dev/playground/r/GxTP7PD/dockerfile.best-practice.use-shell-instruction.use-shell-instruction origin: community fix: SHELL ["$SHELL", "-c"] - id: dockerfile.correctness.multiple-entrypoint-instructions.multiple-entrypoint-instructions severity: ERROR languages: - dockerfile patterns: - pattern: | ENTRYPOINT ... ... $ENTRYPOINT_INSTR - metavariable-pattern: metavariable: $ENTRYPOINT_INSTR pattern: | ENTRYPOINT ... - focus-metavariable: $ENTRYPOINT_INSTR message: Multiple ENTRYPOINT instructions were found. Only the last one will take effect. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4004 references: - https://github.com/hadolint/hadolint/wiki/DL4004 - https://kapeli.com/cheat_sheets/Dockerfile.docset/Contents/Resources/Documents/index#//dash_ref_Instructions/Entry/ENTRYPOINT/0 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.correctness.multiple-entrypoint-instructions.multiple-entrypoint-instructions shortlink: https://sg.run/JwvQ semgrep.dev: rule: r_id: 20146 rv_id: 945265 rule_id: GdUoYA version_id: DkTNpNY url: https://semgrep.dev/playground/r/DkTNpNY/dockerfile.correctness.multiple-entrypoint-instructions.multiple-entrypoint-instructions origin: community - id: dockerfile.best-practice.use-workdir.use-workdir options: implicit_deep_exprstmt: false patterns: - pattern-either: - pattern-inside: | RUN $ CMD ... - pattern-inside: | RUN $CMD ... && ... - metavariable-pattern: metavariable: $CMD pattern: cd - focus-metavariable: $CMD message: As recommended by Docker's documentation, it is best to use 'WORKDIR' instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN cd ...' may not work as expected in a container. severity: WARNING languages: - dockerfile metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3003 references: - https://github.com/hadolint/hadolint/wiki/DL3003 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.best-practice.use-workdir.use-workdir shortlink: https://sg.run/4kXE semgrep.dev: rule: r_id: 20144 rv_id: 945262 rule_id: JDUoGx version_id: RGTAgA2 url: https://semgrep.dev/playground/r/RGTAgA2/dockerfile.best-practice.use-workdir.use-workdir origin: community - id: elixir.lang.best-practice.enum-map-join.enum_map_join message: Using `Enum.map_join/3` is more efficient than using `Enum.map/2 |> Enum.join/2`. severity: WARNING languages: - elixir pattern-either: - pattern: | Enum.join(Enum.map($E, $FUN), $JOINER) - pattern: | Enum.map($E, $FUN) |> Enum.join($JOINER) - pattern: | $E |> Enum.map($FUN) |> Enum.join($JOINER) fix: | $E |> Enum.map_join($JOINER, $FUN end) metadata: references: - https://github.com/rrrene/credo/blob/master/lib/credo/check/refactor/map_join.ex category: best-practice technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.best-practice.enum-map-join.enum_map_join shortlink: https://sg.run/g9Ke semgrep.dev: rule: r_id: 67141 rv_id: 945277 rule_id: d8UG1D version_id: X0TL8LX url: https://semgrep.dev/playground/r/X0TL8LX/elixir.lang.best-practice.enum-map-join.enum_map_join origin: community - id: elixir.lang.best-practice.enum-map-into.enum_map_into message: Using `Enum.into/3` is more efficient than using `Enum.map/2 |> Enum.into/2`. severity: WARNING languages: - elixir pattern-either: - pattern: | Enum.into(Enum.map($E, $FUN), $INTO) - pattern: | Enum.map($E, $FUN) |> Enum.into($INTO) - pattern: | $E |> Enum.map($FUN) |> Enum.into($INTO) fix: | $E |> Enum.into($INTO, $FUN end) metadata: references: - https://github.com/rrrene/credo/blob/master/lib/credo/check/refactor/map_into.ex category: best-practice technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.best-practice.enum-map-into.enum_map_into shortlink: https://sg.run/801j semgrep.dev: rule: r_id: 67140 rv_id: 945276 rule_id: v8UzgZ version_id: 2KTYbYN url: https://semgrep.dev/playground/r/2KTYbYN/elixir.lang.best-practice.enum-map-into.enum_map_into origin: community - id: elixir.lang.correctness.atom-exhaustion.atom_exhaustion message: Atom values are appended to a global table but never removed. If input is user-controlled, dynamic instantiations such as `String.to_atom` or `List.to_atom` can lead to possible memory leaks. Instead, use `String.to_existing_atom` or `List.to_existing_atom`. severity: ERROR languages: - elixir patterns: - pattern: $MODULE.to_atom($STRING) - metavariable-regex: metavariable: $MODULE regex: ^(String|List)$ fix: $MODULE.to_existing_atom($STRING) metadata: references: - https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/atom_exhaustion.html category: correctness technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.correctness.atom-exhaustion.atom_exhaustion shortlink: https://sg.run/QPpo semgrep.dev: rule: r_id: 67142 rv_id: 945278 rule_id: ZqUPnE version_id: jQTzvz0 url: https://semgrep.dev/playground/r/jQTzvz0/elixir.lang.correctness.atom-exhaustion.atom_exhaustion origin: community - id: generic.hugo.best-practice.localhost-base-url.localhost-base-url patterns: - pattern: baseURL = "..." - pattern-regex: .*(localhost|127\.0\.0\.1).* severity: WARNING message: The 'baseURL' is set to localhost. This may cause links to not work if deployed. languages: - generic metadata: references: - https://gohugo.io/ category: best-practice technology: - hugo license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.hugo.best-practice.localhost-base-url.localhost-base-url shortlink: https://sg.run/dKD5 semgrep.dev: rule: r_id: 9034 rv_id: 945294 rule_id: JDUybz version_id: ExTg2gk url: https://semgrep.dev/playground/r/ExTg2gk/generic.hugo.best-practice.localhost-base-url.localhost-base-url origin: community - id: trailofbits.yaml.ansible.zypper-unencrypted-url.zypper-unencrypted-url message: Found Zypper package with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - zypper confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/community/general/zypper_module.html#parameter-name license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.zypper-unencrypted-url.zypper-unencrypted-url shortlink: https://sg.run/8GLdB semgrep.dev: rule: r_id: 113240 rv_id: 833329 rule_id: X5UQzo1 version_id: ExTrDXA url: https://semgrep.dev/playground/r/ExTrDXA/trailofbits.yaml.ansible.zypper-unencrypted-url.zypper-unencrypted-url origin: community patterns: - pattern-inside: | $ZYPPER: ... - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: name - pattern: pkg - metavariable-pattern: metavariable: $ZYPPER pattern-either: - pattern: zypper - pattern: community.general.zypper - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.yaml.ansible.zypper-repository-unencrypted-url.zypper-repository-unencrypted-url message: Found Zypper repository with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - zypper confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/community/general/zypper_module.html#parameter-name license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.zypper-repository-unencrypted-url.zypper-repository-unencrypted-url shortlink: https://sg.run/L1Bkn semgrep.dev: rule: r_id: 113239 rv_id: 833328 rule_id: 2ZUzvAk version_id: nWTy40P url: https://semgrep.dev/playground/r/nWTy40P/trailofbits.yaml.ansible.zypper-repository-unencrypted-url.zypper-repository-unencrypted-url origin: community patterns: - pattern-inside: | $ZYPPER: ... - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: repo - metavariable-pattern: metavariable: $ZYPPER pattern-either: - pattern: zypper_repository - pattern: community.general.zypper_repository - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token message: A gitleaks coinbase-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token shortlink: https://sg.run/4YB5 semgrep.dev: rule: r_id: 44688 rv_id: 1262704 rule_id: 5rUKPQ version_id: GxTkeDe url: https://semgrep.dev/playground/r/GxTkeDe/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token origin: community patterns: - pattern-regex: (?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.adobe-client-secret.adobe-client-secret message: A gitleaks adobe-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.adobe-client-secret.adobe-client-secret shortlink: https://sg.run/Nzxy semgrep.dev: rule: r_id: 44671 rv_id: 1262683 rule_id: x8UlAq version_id: 8KT5rGN url: https://semgrep.dev/playground/r/8KT5rGN/generic.secrets.gitleaks.adobe-client-secret.adobe-client-secret origin: community patterns: - pattern-regex: (?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.hugo.best-practice.invalid-base-url.invalid-base-url patterns: - pattern: baseURL = "..." - pattern-not-regex: (.*http).* severity: WARNING message: The 'baseURL' is invalid. This may cause links to not work if deployed. Include the scheme (e.g., http:// or https://). languages: - generic metadata: references: - https://gohugo.io/ category: best-practice technology: - hugo license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.hugo.best-practice.invalid-base-url.invalid-base-url shortlink: https://sg.run/vzbR semgrep.dev: rule: r_id: 9033 rv_id: 945293 rule_id: PeUZvd version_id: nWTpzp7 url: https://semgrep.dev/playground/r/nWTpzp7/generic.hugo.best-practice.invalid-base-url.invalid-base-url origin: community - id: generic.secrets.gitleaks.rubygems-api-token.rubygems-api-token message: A gitleaks rubygems-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.rubygems-api-token.rubygems-api-token shortlink: https://sg.run/nQq2 semgrep.dev: rule: r_id: 44780 rv_id: 1262811 rule_id: 7KUJek version_id: 0bTKzl1 url: https://semgrep.dev/playground/r/0bTKzl1/generic.secrets.gitleaks.rubygems-api-token.rubygems-api-token origin: community patterns: - pattern-regex: (?i)\b(rubygems_[a-f0-9]{48})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.sentry-access-token.sentry-access-token message: A gitleaks sentry-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.sentry-access-token.sentry-access-token shortlink: https://sg.run/g2JZ semgrep.dev: rule: r_id: 44785 rv_id: 1262817 rule_id: 3qU5B1 version_id: o5TbDlo url: https://semgrep.dev/playground/r/o5TbDlo/generic.secrets.gitleaks.sentry-access-token.sentry-access-token origin: community patterns: - pattern-regex: (?i)(?:sentry)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret message: A gitleaks linkedin-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret shortlink: https://sg.run/G0W2 semgrep.dev: rule: r_id: 44748 rv_id: 1262777 rule_id: AbUvWj version_id: vdT06GD url: https://semgrep.dev/playground/r/vdT06GD/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret origin: community patterns: - pattern-regex: (?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.finicity-api-token.finicity-api-token message: A gitleaks finicity-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.finicity-api-token.finicity-api-token shortlink: https://sg.run/qQxy semgrep.dev: rule: r_id: 44712 rv_id: 1262732 rule_id: NbUvkX version_id: e1TyjZA url: https://semgrep.dev/playground/r/e1TyjZA/generic.secrets.gitleaks.finicity-api-token.finicity-api-token origin: community patterns: - pattern-regex: (?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.heroku-api-key.heroku-api-key message: A gitleaks heroku-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.heroku-api-key.heroku-api-key shortlink: https://sg.run/EDke semgrep.dev: rule: r_id: 44737 rv_id: 1262759 rule_id: DbUBpr version_id: 6xT29x5 url: https://semgrep.dev/playground/r/6xT29x5/generic.secrets.gitleaks.heroku-api-key.heroku-api-key origin: community patterns: - pattern-regex: (?i)(?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.sendbird-access-token.sendbird-access-token message: A gitleaks sendbird-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.sendbird-access-token.sendbird-access-token shortlink: https://sg.run/7z0W semgrep.dev: rule: r_id: 44782 rv_id: 1262814 rule_id: 8GUPEk version_id: l4TJRvJ url: https://semgrep.dev/playground/r/l4TJRvJ/generic.secrets.gitleaks.sendbird-access-token.sendbird-access-token origin: community patterns: - pattern-regex: (?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.security.detected-aws-session-token.detected-aws-session-token patterns: - pattern-regex: ((?i)AWS_SESSION_TOKEN)\s*(:|=>|=)\s*(?P[A-Za-z0-9/+=]{16,}) - pattern-not-regex: (?i)example|sample|test|fake - metavariable-analysis: analyzer: entropy metavariable: $TOKEN languages: - regex message: AWS Session Token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go category: security technology: - secrets - aws confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token shortlink: https://sg.run/DoRW semgrep.dev: rule: r_id: 9052 rv_id: 1262863 rule_id: X5U8Er version_id: pZT03Lx url: https://semgrep.dev/playground/r/pZT03Lx/generic.secrets.security.detected-aws-session-token.detected-aws-session-token origin: community - id: generic.secrets.gitleaks.sidekiq-secret.sidekiq-secret message: A gitleaks sidekiq-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.sidekiq-secret.sidekiq-secret shortlink: https://sg.run/568X semgrep.dev: rule: r_id: 44791 rv_id: 1262823 rule_id: ReUNP1 version_id: 1QTypYJ url: https://semgrep.dev/playground/r/1QTypYJ/generic.secrets.gitleaks.sidekiq-secret.sidekiq-secret origin: community patterns: - pattern-regex: (?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.security.detected-google-api-key.detected-google-api-key patterns: - pattern-regex: \bAIzaSy[0-9A-Za-z-_]{33}\b - pattern-not-regex: \bAIzaSy[0-9A-Za-z-_]{33}\b[=] languages: - regex message: Google API Key Detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json category: security technology: - secrets - google confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-google-api-key.detected-google-api-key shortlink: https://sg.run/eojy semgrep.dev: rule: r_id: 15076 rv_id: 1262872 rule_id: kxUwlE version_id: NdTzyob url: https://semgrep.dev/playground/r/NdTzyob/generic.secrets.security.detected-google-api-key.detected-google-api-key origin: community - id: generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key pattern-regex: AIza[0-9A-Za-z\\-_]{35} languages: - regex message: Google Cloud API Key detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go category: security technology: - secrets - google-cloud confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key shortlink: https://sg.run/YvbQ semgrep.dev: rule: r_id: 9058 rv_id: 1262873 rule_id: bwUwrv version_id: kbTzGLp url: https://semgrep.dev/playground/r/kbTzGLp/generic.secrets.security.detected-google-cloud-api-key.detected-google-cloud-api-key origin: community - id: generic.secrets.gitleaks.snyk-api-token.snyk-api-token message: A gitleaks snyk-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.snyk-api-token.snyk-api-token shortlink: https://sg.run/80dE semgrep.dev: rule: r_id: 66784 rv_id: 1262834 rule_id: yyU1Qp version_id: vdT06Nz url: https://semgrep.dev/playground/r/vdT06Nz/generic.secrets.gitleaks.snyk-api-token.snyk-api-token origin: community patterns: - pattern-regex: (?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.vault-service-token.vault-service-token message: A gitleaks vault-service-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.vault-service-token.vault-service-token shortlink: https://sg.run/KY87 semgrep.dev: rule: r_id: 44811 rv_id: 1262851 rule_id: r6UB9G version_id: A8TgdXQ url: https://semgrep.dev/playground/r/A8TgdXQ/generic.secrets.gitleaks.vault-service-token.vault-service-token origin: community patterns: - pattern-regex: (?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token pattern-regex: (?:api_live(?:_[a-zA-Z]{2})?\.[a-zA-Z0-9-_]{11}\.[-_a-zA-Z0-9]{32}) languages: - regex message: Onfido live API Token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' category: security technology: - secrets - onfido confidence: HIGH references: - https://documentation.onfido.com/api/latest/#api-tokens subcategory: - audit likelihood: HIGH impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token shortlink: https://sg.run/lBoKD semgrep.dev: rule: r_id: 141957 rv_id: 945509 rule_id: WAUW9q3 version_id: A8TJzE2 url: https://semgrep.dev/playground/r/A8TJzE2/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token origin: community - id: generic.secrets.security.detected-jwt-token.detected-jwt-token pattern-regex: eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*? languages: - regex message: JWT token detected severity: ERROR metadata: source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/jwt.py category: security technology: - secrets - jwt confidence: LOW references: - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ cwe: - 'CWE-321: Use of Hard-coded Cryptographic Key' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token shortlink: https://sg.run/05N5 semgrep.dev: rule: r_id: 12854 rv_id: 1262879 rule_id: kxU8E8 version_id: d6Tyxvg url: https://semgrep.dev/playground/r/d6Tyxvg/generic.secrets.security.detected-jwt-token.detected-jwt-token origin: community - id: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak patterns: - pattern-regex: ^(AIza[0-9A-Za-z_-]{35}(?!\S))$ message: Detects potential Google Maps API keys in code languages: - generic severity: WARNING metadata: description: Detects potential Google Maps API keys in code severity: MEDIUM category: security confidence: MEDIUM impact: HIGH likelihood: MEDIUM subcategory: - audit owasp: - A3:2017 Sensitive Data Exposure references: - https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e cwe: - 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory' technology: - Google Maps license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak shortlink: https://sg.run/DL5d semgrep.dev: rule: r_id: 52196 rv_id: 945530 rule_id: EwU3kN version_id: NdTqkGz url: https://semgrep.dev/playground/r/NdTqkGz/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak origin: community - id: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs languages: - generic severity: WARNING message: 'Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your - metavariable-pattern: metavariable: $...A language: javascript patterns: - pattern-either: - patterns: - pattern-either: - pattern: $X. ... .innerHTML = ... - pattern: $X. ... .outerHTML = ... - pattern-not: $X. ... .$V = "..." - focus-metavariable: $X - id: java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-true languages: - generic message: The Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present. metadata: category: best-practice technology: - android references: - https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic - https://developer.android.com/training/articles/security-config license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-true shortlink: https://sg.run/JjnW semgrep.dev: rule: r_id: 12846 rv_id: 945622 rule_id: X5U7j3 version_id: pZTNOxA url: https://semgrep.dev/playground/r/pZTNOxA/java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-true origin: community patterns: - pattern: | android:usesCleartextTraffic="true" - pattern-not-inside: | severity: INFO paths: include: - '*.xml' - id: java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-ignored-by-nsc languages: - generic message: Manifest uses both `android:usesCleartextTraffic` and Network Security Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present. metadata: category: best-practice technology: - android references: - https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic - https://developer.android.com/training/articles/security-config license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-ignored-by-nsc shortlink: https://sg.run/5JlX semgrep.dev: rule: r_id: 12847 rv_id: 945623 rule_id: j2UR4O version_id: 2KTYbww url: https://semgrep.dev/playground/r/2KTYbww/java.android.best-practice.manifest-security-features.manifest-usesCleartextTraffic-ignored-by-nsc origin: community patterns: - pattern-either: - pattern: | android:usesCleartextTraffic ... android:networkSecurityConfig - pattern: | android:networkSecurityConfig ... android:usesCleartextTraffic - pattern-not-inside: | severity: INFO paths: include: - '*.xml' - id: java.android.best-practice.network-security-config.nsc-allows-plaintext-traffic languages: - generic message: The Network Security Config is set to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="InsecureBaseConfiguration"` as parameters to your ``) metadata: category: best-practice technology: - android references: - https://developer.android.com/training/articles/security-config - https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.network-security-config.nsc-allows-plaintext-traffic shortlink: https://sg.run/Gw12 semgrep.dev: rule: r_id: 12848 rv_id: 945624 rule_id: 10Uer8 version_id: X0TL8lJ url: https://semgrep.dev/playground/r/X0TL8lJ/java.android.best-practice.network-security-config.nsc-allows-plaintext-traffic origin: community patterns: - pattern: | - pattern-not-inside: | - pattern-not-inside: | ... ... ... ... ... ... ... ... ... ... severity: INFO paths: include: - '*.xml' - id: java.android.best-practice.network-security-config.nsc-pinning-without-backup languages: - generic message: Your app uses TLS public key pinning without specifying a backup key. If you are forced to change TLS keys or CAs on short notice, not having a backup pin can lead to connectivity issues until you can push out an update. It is considered best practice to add at least one additional pin as a backup. metadata: category: best-practice technology: - android references: - https://developer.android.com/training/articles/security-config#CertificatePinning - https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.network-security-config.nsc-pinning-without-backup shortlink: https://sg.run/RPRe semgrep.dev: rule: r_id: 12849 rv_id: 945625 rule_id: 9AUkvd version_id: jQTzvNL url: https://semgrep.dev/playground/r/jQTzvNL/java.android.best-practice.network-security-config.nsc-pinning-without-backup origin: community patterns: - pattern: | ... - pattern-not-inside: | ......... - pattern-inside: | ... ... - pattern-inside: | ... ... ... ... ... - pattern-not-inside: | severity: INFO paths: include: - '*.xml' - id: java.android.best-practice.network-security-config.nsc-pinning-without-expiration languages: - generic message: Your app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin. metadata: category: best-practice technology: - android references: - https://developer.android.com/training/articles/security-config#CertificatePinning - https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.network-security-config.nsc-pinning-without-expiration shortlink: https://sg.run/Awo8 semgrep.dev: rule: r_id: 12850 rv_id: 945626 rule_id: yyUyE3 version_id: 1QToKkn url: https://semgrep.dev/playground/r/1QToKkn/java.android.best-practice.network-security-config.nsc-pinning-without-expiration origin: community patterns: - pattern: | ... ... ... - pattern-not-inside: | ... ... ... - pattern-inside: | ... ... ... ... ... - pattern-not-inside: | severity: INFO paths: include: - '*.xml' - id: java.android.best-practice.network-security-config.nsc-allows-user-ca-certs languages: - generic message: The Network Security Config is set to accept user-installed CAs. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="AcceptsUserCertificates"` as parameters to your ``) metadata: category: best-practice technology: - android references: - https://developer.android.com/training/articles/security-config - https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.network-security-config.nsc-allows-user-ca-certs shortlink: https://sg.run/BLz2 semgrep.dev: rule: r_id: 12851 rv_id: 945627 rule_id: r6U9Eo version_id: 9lTy1X8 url: https://semgrep.dev/playground/r/9lTy1X8/java.android.best-practice.network-security-config.nsc-allows-user-ca-certs origin: community patterns: - pattern: | - pattern-inside: | ... ... ... ... - pattern-not-inside: | - pattern-not-inside: | ... ... ... ... ... ... ... ... ... ... severity: WARNING paths: include: - '*.xml' - id: java.android.best-practice.network-security-config.nsc-allows-user-ca-certs-for-domain languages: - generic message: The Network Security Config is set to accept user-installed CAs for the domain `$DOMAIN`. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools="http://schemas.android.com/tools" tools:ignore="AcceptsUserCertificates"` as parameters to your ``) metadata: category: best-practice technology: - android references: - https://developer.android.com/training/articles/security-config - https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.android.best-practice.network-security-config.nsc-allows-user-ca-certs-for-domain shortlink: https://sg.run/Dw2o semgrep.dev: rule: r_id: 12852 rv_id: 945628 rule_id: bwUNnw version_id: yeT0n5b url: https://semgrep.dev/playground/r/yeT0n5b/java.android.best-practice.network-security-config.nsc-allows-user-ca-certs-for-domain origin: community patterns: - pattern: | - pattern-inside: | ... ... ... - pattern-inside: | ... $DOMAIN ... ... ... - pattern-not-inside: | - pattern-not-inside: | ... ... ... ... ... ... ... ... ... ... severity: WARNING paths: include: - '*.xml' - id: java.android.security.exported_activity.exported_activity patterns: - pattern-not-inside: - pattern-inside: " \n" - pattern-either: - pattern: | - pattern: | ... /> message: The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane. languages: - generic severity: WARNING paths: exclude: - sources/ - classes3.dex - '*.so' include: - '*AndroidManifest.xml' metadata: category: security subcategory: - vuln cwe: - 'CWE-926: Improper Export of Android Application Components' confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM owasp: - A5:2021 Security Misconfiguration technology: - Android references: - https://cwe.mitre.org/data/definitions/926.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/java.android.security.exported_activity.exported_activity shortlink: https://sg.run/eNGZ semgrep.dev: rule: r_id: 60632 rv_id: 945629 rule_id: v8Ul0r version_id: rxT6rGR url: https://semgrep.dev/playground/r/rxT6rGR/java.android.security.exported_activity.exported_activity origin: community - id: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish pattern: $CIPHER.getInstance("Blowfish") metadata: functional-categories: - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish shortlink: https://sg.run/ZE4n semgrep.dev: rule: r_id: 48735 rv_id: 1263010 rule_id: 0oUR28 version_id: BjTkZy0 url: https://semgrep.dev/playground/r/BjTkZy0/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish origin: community message: 'Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes pattern-either: - patterns: - pattern-either: - pattern-inside: | import javax; ... - pattern-either: - pattern: javax.crypto.Cipher.getInstance("AES") - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES") - patterns: - pattern-either: - pattern-inside: | import javax.*; ... - pattern-inside: | import javax.crypto; ... - pattern-either: - pattern: crypto.Cipher.getInstance("AES") - pattern: (crypto.Cipher $CIPHER).getInstance("AES") - patterns: - pattern-either: - pattern-inside: | import javax.crypto.*; ... - pattern-inside: | import javax.crypto.Cipher; ... - pattern-either: - pattern: Cipher.getInstance("AES") - pattern: (Cipher $CIPHER).getInstance("AES") metadata: functional-categories: - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes shortlink: https://sg.run/nzKO semgrep.dev: rule: r_id: 48736 rv_id: 1263011 rule_id: KxUB7Z version_id: DkTRbwy url: https://semgrep.dev/playground/r/DkTRbwy/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes origin: community message: 'Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn''t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::hash-algorithm::org.apache.commons owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils shortlink: https://sg.run/AWL2 semgrep.dev: rule: r_id: 39194 rv_id: 1263012 rule_id: BYUGK0 version_id: WrTqK7K url: https://semgrep.dev/playground/r/WrTqK7K/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils origin: community patterns: - pattern: | $DU.$GET_ALGO().digest(...) - metavariable-pattern: metavariable: $GET_ALGO pattern: getMd5Digest - metavariable-pattern: metavariable: $DU pattern: DigestUtils - focus-metavariable: $GET_ALGO fix: | getSha512Digest - id: java.lang.security.audit.crypto.use-of-md5.use-of-md5 message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::hash-algorithm::java.security owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5 shortlink: https://sg.run/ryJn semgrep.dev: rule: r_id: 17325 rv_id: 1263013 rule_id: KxU5lW version_id: 0bTKzGX url: https://semgrep.dev/playground/r/0bTKzGX/java.lang.security.audit.crypto.use-of-md5.use-of-md5 origin: community patterns: - pattern: | java.security.MessageDigest.getInstance($ALGO, ...); - metavariable-regex: metavariable: $ALGO regex: (?i)(.MD5.) - focus-metavariable: $ALGO fix: | "SHA-512" - id: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 pattern: $CIPHER.getInstance("RC2") metadata: functional-categories: - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 shortlink: https://sg.run/EEvA semgrep.dev: rule: r_id: 48737 rv_id: 1263014 rule_id: qNUzXG version_id: K3TKkg0 url: https://semgrep.dev/playground/r/K3TKkg0/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 origin: community message: 'Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission message: Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need. severity: WARNING languages: - java metadata: cwe: - 'CWE-276: Incorrect Default Permissions' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION category: security technology: - java references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission shortlink: https://sg.run/LwzJ semgrep.dev: rule: r_id: 9183 rv_id: 1263032 rule_id: AbUzwB version_id: w8TRoNn url: https://semgrep.dev/playground/r/w8TRoNn/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission origin: community pattern-either: - pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/")); - pattern: | $TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"); ... java.nio.file.Files.setPosixFilePermissions($FILE, $P); - pattern: | $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ); ... java.nio.file.Files.setPosixFilePermissions($FILE, $P); - pattern: | $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE); ... java.nio.file.Files.setPosixFilePermissions($FILE, $P); - pattern: |- $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE); ... java.nio.file.Files.setPosixFilePermissions($FILE, $P); - id: java.lang.security.audit.permissive-cors.permissive-cors message: https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. metadata: cwe: - 'CWE-183: Permissive List of Allowed Inputs' asvs: section: 'V14: Configuration Verification Requirements' control_id: 14.4.8 Permissive CORS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements version: '4' category: security technology: - java owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors shortlink: https://sg.run/8y77 semgrep.dev: rule: r_id: 9184 rv_id: 1263033 rule_id: BYUN66 version_id: xyTjz0p url: https://semgrep.dev/playground/r/xyTjz0p/java.lang.security.audit.permissive-cors.permissive-cors origin: community severity: WARNING languages: - java pattern-either: - pattern: | HttpServletResponse $RES = ...; ... $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); - pattern: | HttpServletResponse $RES = ...; ... $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); - pattern: | ServerHttpResponse $RES = ...; ... $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); - pattern: | HttpHeaders $HEADERS = ...; ... $HEADERS.set("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); - pattern: | ServerWebExchange $SWE = ...; ... $SWE.getResponse().getHeaders().add("Access-Control-Allow-Origin", "*"); - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); ... } - pattern: | $X $METHOD(...,ServerHttpResponse $RES,...) { ... $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); ... } - pattern: | $X $METHOD(...,ServerWebExchange $SWE,...) { ... $SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); ... } - pattern: ResponseEntity.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") - pattern: ServerResponse.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") - id: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $VAL $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $S.$METHOD($SQL,...) - pattern: | $S.$METHOD(String.format(...),...); - pattern: | $S.$METHOD($X + $Y,...); - pattern-either: - pattern-inside: | java.sql.Statement $S = ...; ... - pattern-inside: | $TYPE $FUNC(...,java.sql.Statement $S,...) { ... } - pattern-not: | $S.$METHOD("..." + "...",...); - metavariable-regex: metavariable: $METHOD regex: ^(executeQuery|execute|executeUpdate|executeLargeUpdate|addBatch|nativeSQL)$ metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - jdbc owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli shortlink: https://sg.run/AvkL semgrep.dev: rule: r_id: 9206 rv_id: 1263036 rule_id: oqUe8K version_id: vdT06oL url: https://semgrep.dev/playground/r/vdT06oL/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli origin: community - id: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli pattern-either: - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $TYPE $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $Q.$METHOD($SQL,...) - pattern: | $Q.$METHOD(String.format(...),...); - pattern: | $Q.$METHOD($X + $Y,...); - pattern-either: - pattern-inside: | javax.jdo.Query $Q = ...; ... - pattern-inside: | $TYPE $FUNC(...,javax.jdo.Query $Q,...) { ... } - pattern-not: | $Q.$METHOD("..." + "...",...); - metavariable-regex: metavariable: $METHOD regex: ^(setFilter|setGrouping)$ - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $VAL $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $PM.newQuery(...,$SQL,...) - pattern: | $PM.newQuery(...,String.format(...),...); - pattern: | $PM.newQuery(...,$X + $Y,...); - pattern-either: - pattern-inside: | javax.jdo.PersistenceManager $PM = ...; ... - pattern-inside: | $TYPE $FUNC(...,javax.jdo.PersistenceManager $PM,...) { ... } - pattern-not: | $PM.newQuery(...,"..." + "...",...); message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - java owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli shortlink: https://sg.run/Bkwx semgrep.dev: rule: r_id: 9207 rv_id: 1263037 rule_id: zdUk7l version_id: d6Tyx77 url: https://semgrep.dev/playground/r/d6Tyx77/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli origin: community - id: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $TYPE $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $EM.$METHOD($SQL,...) - pattern: | $EM.$METHOD(String.format(...),...); - pattern: | $EM.$METHOD($X + $Y,...); - pattern-either: - pattern-inside: | EntityManager $EM = ...; ... - pattern-inside: | $TYPE $FUNC(...,EntityManager $EM,...) { ... } - pattern-not: | $EM.$METHOD("..." + "...",...); - metavariable-regex: metavariable: $METHOD regex: ^(createQuery|createNativeQuery)$ metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - jpa owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli shortlink: https://sg.run/DoOd semgrep.dev: rule: r_id: 9208 rv_id: 1263038 rule_id: pKUO7y version_id: ZRTKAxW url: https://semgrep.dev/playground/r/ZRTKAxW/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli origin: community - id: javascript.express.security.audit.express-open-redirect.express-open-redirect message: The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website. metadata: technology: - express references: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' category: security owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect shortlink: https://sg.run/EpoP semgrep.dev: rule: r_id: 22081 rv_id: 1263140 rule_id: X5ULkq version_id: nWT2L0v url: https://semgrep.dev/playground/r/nWT2L0v/javascript.express.security.audit.express-open-redirect.express-open-redirect origin: community languages: - javascript - typescript severity: WARNING options: taint_unify_mvars: true symbolic_propagation: true mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern: $RES.redirect("$HTTP"+$REQ. ... .$VALUE) - pattern: $RES.redirect("$HTTP"+$REQ. ... .$VALUE + $...A) - pattern: $RES.redirect(`$HTTP${$REQ. ... .$VALUE}...`) - pattern: $RES.redirect("$HTTP"+$REQ.$VALUE[...]) - pattern: $RES.redirect("$HTTP"+$REQ.$VALUE[...] + $...A) - pattern: $RES.redirect(`$HTTP${$REQ.$VALUE[...]}...`) - metavariable-regex: metavariable: $HTTP regex: ^https?:\/\/$ - pattern-either: - pattern: $REQ. ... .$VALUE - patterns: - pattern-either: - pattern: $RES.redirect($REQ. ... .$VALUE) - pattern: $RES.redirect($REQ. ... .$VALUE + $...A) - pattern: $RES.redirect(`${$REQ. ... .$VALUE}...`) - pattern: $REQ. ... .$VALUE - patterns: - pattern-either: - pattern: $RES.redirect($REQ.$VALUE['...']) - pattern: $RES.redirect($REQ.$VALUE['...'] + $...A) - pattern: $RES.redirect(`${$REQ.$VALUE['...']}...`) - pattern: $REQ.$VALUE - patterns: - pattern-either: - pattern-inside: | $ASSIGN = $REQ. ... .$VALUE ... - pattern-inside: | $ASSIGN = $REQ.$VALUE['...'] ... - pattern-inside: | $ASSIGN = $REQ. ... .$VALUE + $...A ... - pattern-inside: "$ASSIGN = $REQ.$VALUE['...'] + $...A\n... \n" - pattern-inside: | $ASSIGN = `${$REQ. ... .$VALUE}...` ... - pattern-inside: "$ASSIGN = `${$REQ.$VALUE['...']}...`\n... \n" - pattern-either: - pattern: $RES.redirect($ASSIGN) - pattern: $RES.redirect($ASSIGN + $...FOO) - pattern: $RES.redirect(`${$ASSIGN}...`) - focus-metavariable: $ASSIGN - id: python.attr.correctness.mutable-initializer.attr-mutable-initializer patterns: - pattern-not-inside: | def $Y(...): ... - pattern-not-inside: | def $Y(...) -> $TYPE: ... - pattern-either: - pattern-inside: | @attr.s(...,auto_attribs=True, ...) class $X(...): ... - pattern-inside: | @attrs.define class $X(...): ... - pattern-either: - pattern: | $M = {...} - pattern: $M = [...] - pattern: $M = list(...) - pattern: $M = set(...) - pattern: $M = dict(...) message: 'Unsafe usage of mutable initializer with attr.s decorator. Multiple instances of this class will re-use the same data structure, which is likely not the desired behavior. Consider instead: replace assignment to mutable initializer (ex. dict() or {}) with attr.ib(factory=type) where type is dict, set, or list' severity: WARNING languages: - python metadata: category: correctness technology: - attr license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.attr.correctness.mutable-initializer.attr-mutable-initializer shortlink: https://sg.run/EkQN semgrep.dev: rule: r_id: 9437 rv_id: 946081 rule_id: PeUZ6E version_id: o5TZevw url: https://semgrep.dev/playground/r/o5TZevw/python.attr.correctness.mutable-initializer.attr-mutable-initializer origin: community - id: python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection mode: taint metadata: cwe: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A01:2017 - Injection category: security technology: - python - boto3 - aws-lambda - dynamodb references: - https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection shortlink: https://sg.run/jjrl semgrep.dev: rule: r_id: 21321 rv_id: 946088 rule_id: KxUJ2B version_id: 9lTy1rQ url: https://semgrep.dev/playground/r/9lTy1rQ/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection origin: community message: Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client. pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sanitizers: - patterns: - pattern: | {...} pattern-sinks: - patterns: - focus-metavariable: $SINK - pattern-either: - pattern: $TABLE.scan(..., ScanFilter = $SINK, ...) - pattern: $TABLE.query(..., QueryFilter = $SINK, ...) - pattern-either: - patterns: - pattern-inside: | $TABLE = $DB.Table(...) ... - pattern-inside: | $DB = boto3.resource('dynamodb', ...) ... - pattern-inside: | $TABLE = boto3.client('dynamodb', ...) ... severity: ERROR languages: - python - id: python.aws-lambda.security.mysql-sqli.mysql-sqli languages: - python message: 'Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(''SELECT * FROM projects WHERE status = %s'', (''active''))`' mode: taint metadata: references: - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-execute.html - https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursor-executemany.html category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - mysql cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.mysql-sqli.mysql-sqli shortlink: https://sg.run/1RjG semgrep.dev: rule: r_id: 18266 rv_id: 1263337 rule_id: 3qU3eE version_id: O9TpxLJ url: https://semgrep.dev/playground/r/O9TpxLJ/python.aws-lambda.security.mysql-sqli.mysql-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $CURSOR.execute($QUERY,...) - pattern: $CURSOR.executemany($QUERY,...) - pattern-either: - pattern-inside: | import mysql ... - pattern-inside: | import mysql.cursors ... pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: WARNING - id: python.aws-lambda.security.pymysql-sqli.pymysql-sqli languages: - python message: 'Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(''SELECT * FROM projects WHERE status = %s'', (''active''))`' mode: taint metadata: references: - https://pypi.org/project/PyMySQL/#id4 category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - pymysql cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.pymysql-sqli.pymysql-sqli shortlink: https://sg.run/reve semgrep.dev: rule: r_id: 18269 rv_id: 1263340 rule_id: JDUlel version_id: d6TyxNA url: https://semgrep.dev/playground/r/d6TyxNA/python.aws-lambda.security.pymysql-sqli.pymysql-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern: $CURSOR.execute($QUERY,...) - pattern-either: - pattern-inside: | import pymysql ... - pattern-inside: | import pymysql.cursors ... pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: WARNING - id: python.cryptography.security.empty-aes-key.empty-aes-key message: Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption. patterns: - pattern: AES.new("",...) languages: - python severity: WARNING metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' - 'CWE-310: Cryptographic Issues' references: - https://cwe.mitre.org/data/definitions/327.html - https://cwe.mitre.org/data/definitions/310.html category: security subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM owasp: A6:2017 misconfiguration functional-categories: - crypto::search::key-length::pycrypto - crypto::search::key-length::pycryptodome technology: - python - pycrypto - pycryptodome license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key shortlink: https://sg.run/zQ9G semgrep.dev: rule: r_id: 44817 rv_id: 946105 rule_id: OrUADK version_id: 8KTKjRg url: https://semgrep.dev/playground/r/8KTKjRg/python.cryptography.security.empty-aes-key.empty-aes-key origin: community - id: ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-javascript.anthropic-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/docs/initial-setup license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-javascript.anthropic-hardcoded-api-key-javascript shortlink: https://sg.run/JqvxP semgrep.dev: rule: r_id: 288790 rv_id: 1413348 rule_id: eqULbzq version_id: l4TpA4q url: https://semgrep.dev/playground/r/l4TpA4q/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-javascript.anthropic-hardcoded-api-key-javascript origin: community patterns: - pattern: | new Anthropic({apiKey: "$KEY", ...}) - metavariable-regex: metavariable: $KEY regex: ^sk-ant- - id: ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-python.anthropic-hardcoded-api-key-python languages: - python severity: ERROR message: Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/docs/initial-setup license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-python.anthropic-hardcoded-api-key-python shortlink: https://sg.run/5W4Dj semgrep.dev: rule: r_id: 288791 rv_id: 1413349 rule_id: v8Upo9B version_id: YDTwKpj url: https://semgrep.dev/playground/r/YDTwKpj/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-python.anthropic-hardcoded-api-key-python origin: community pattern-either: - patterns: - pattern: Anthropic(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk-ant- - patterns: - pattern: AsyncAnthropic(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk-ant- - id: python.django.best-practice.json_response.use-json-response patterns: - pattern-inside: | def $X(...): ... - pattern: | $Y = json.dumps(...) ... django.http.HttpResponse($Y, ...) message: Use JsonResponse instead languages: - python severity: ERROR metadata: category: best-practice technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.best-practice.json_response.use-json-response shortlink: https://sg.run/BkQA semgrep.dev: rule: r_id: 9451 rv_id: 946117 rule_id: 6JUjYX version_id: DkTNplJ url: https://semgrep.dev/playground/r/DkTNplJ/python.django.best-practice.json_response.use-json-response origin: community - id: python.django.best-practice.upsell_django_environ.use-django-environ patterns: - pattern-not-inside: | import environ ... - pattern-either: - pattern: | import django ... import os ... $FOO = $M.environ[...] - pattern: | import os ... import django ... $FOO = $M.environ[...] message: You are using environment variables inside django app. Use `django-environ` as it a better alternative for deployment. languages: - python severity: ERROR metadata: category: best-practice technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.best-practice.upsell_django_environ.use-django-environ shortlink: https://sg.run/DoQP semgrep.dev: rule: r_id: 9452 rv_id: 946118 rule_id: oqUeND version_id: WrTEoBB url: https://semgrep.dev/playground/r/WrTEoBB/python.django.best-practice.upsell_django_environ.use-django-environ origin: community - id: python.django.best-practice.use-onetoonefield.use-onetoonefield patterns: - pattern-inside: | class $M(...): ... - pattern: $F = django.db.models.ForeignKey(..., unique=True, ...) message: Use 'django.db.models.OneToOneField' instead of 'ForeignKey' with unique=True. 'OneToOneField' is used to create one-to-one relationships. languages: - python severity: WARNING metadata: category: best-practice technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.best-practice.use-onetoonefield.use-onetoonefield shortlink: https://sg.run/W8Q2 semgrep.dev: rule: r_id: 9453 rv_id: 946119 rule_id: zdUk4Z version_id: 0bT15Nn url: https://semgrep.dev/playground/r/0bT15Nn/python.django.best-practice.use-onetoonefield.use-onetoonefield origin: community - id: python.django.compatibility.django-2_0-compat.django-compat-2_0-signals-weak pattern: django.dispatch.signals.Signal.disconnect(..., weak=$X, ...) message: The weak argument to django.dispatch.signals.Signal.disconnect() is removed in Django 2.0. languages: - python severity: WARNING metadata: category: compatibility technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-signals-weak shortlink: https://sg.run/0Qjj semgrep.dev: rule: r_id: 9454 rv_id: 946120 rule_id: pKUOWW version_id: K3TJbE1 url: https://semgrep.dev/playground/r/K3TJbE1/python.django.compatibility.django-2_0-compat.django-compat-2_0-signals-weak origin: community - id: python.django.compatibility.django-2_0-compat.django-compat-2_0-check-aggregate-support pattern: django.db.backends.base.BaseDatabaseOperations.check_aggregate_support(...) message: django.db.backends.base.BaseDatabaseOperations.check_aggregate_support() is removed in Django 2.0. languages: - python severity: WARNING metadata: category: compatibility technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-check-aggregate-support shortlink: https://sg.run/KlQ5 semgrep.dev: rule: r_id: 9455 rv_id: 946121 rule_id: 2ZUbqg version_id: qkT4j68 url: https://semgrep.dev/playground/r/qkT4j68/python.django.compatibility.django-2_0-compat.django-compat-2_0-check-aggregate-support origin: community - id: python.django.compatibility.django-2_0-compat.django-compat-2_0-extra-forms message: The django.forms.extras package is removed in Django 2.0. languages: - python severity: WARNING pattern-either: - pattern: from django.forms import extras - pattern: from django.forms.extras import $X - pattern: from django.forms import extras as $Y - pattern: from django.forms.extras import $X as $Y - pattern: import django.forms.extras - pattern: import django.forms.extras.$X - pattern: import django.forms.extras as $Y - pattern: import django.forms.extras.$X as $Y metadata: category: compatibility technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-extra-forms shortlink: https://sg.run/qx07 semgrep.dev: rule: r_id: 9456 rv_id: 946122 rule_id: X5U89v version_id: l4Tx9kO url: https://semgrep.dev/playground/r/l4Tx9kO/python.django.compatibility.django-2_0-compat.django-compat-2_0-extra-forms origin: community - id: python.django.compatibility.django-2_0-compat.django-compat-2_0-assert-redirects-helper message: The host argument to assertRedirects is removed in Django 2.0. languages: - python severity: WARNING pattern-either: - pattern: $X.assertRedirects(..., host=$Y, ...) - pattern: assertRedirects(..., host=$Y, ...) metadata: category: compatibility technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.compatibility.django-2_0-compat.django-compat-2_0-assert-redirects-helper shortlink: https://sg.run/YvQy semgrep.dev: rule: r_id: 9458 rv_id: 946124 rule_id: 10UKlx version_id: 6xTxjn9 url: https://semgrep.dev/playground/r/6xTxjn9/python.django.compatibility.django-2_0-compat.django-compat-2_0-assert-redirects-helper origin: community - id: python.django.correctness.model-save.django-db-model-save-super patterns: - pattern-inside: | class $MODEL(django.db.models.Model): ... - pattern-not: | def save(self, ...): ... super($MODEL, self).save(...) - pattern-not: | def save(self, ...): ... super().save(...) - pattern: | def save(self, ...): ... message: Detected a django model `$MODEL` is not calling super().save() inside of the save method. languages: - python severity: WARNING metadata: category: correctness technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.correctness.model-save.django-db-model-save-super shortlink: https://sg.run/6nN1 semgrep.dev: rule: r_id: 9459 rv_id: 946125 rule_id: 9AU1BD version_id: o5TZeqw url: https://semgrep.dev/playground/r/o5TZeqw/python.django.correctness.model-save.django-db-model-save-super origin: community - id: python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true patterns: - pattern-inside: | class $M(...): ... - pattern-not: $F = django.db.models.CharField(...) - pattern-not: $F = django.db.models.TextField(...) - pattern-not: $F = django.db.models.SlugField(...) - pattern-not: $F = django.db.models.EmailField(...) - pattern-not: $F = django.db.models.FileField(...) - pattern-not: $F = django.db.models.ImageField(...) - pattern-not: $F = django.db.models.URLField(...) - pattern-not: $F = django.db.models.UUIDField(...) - pattern-not: $F = django.db.models.ManyToManyField(...) - pattern-not: $F = django.db.models.NullBooleanField(...) - pattern-not: $F = django.contrib.gis.db.models.$MODEL(...) - pattern-not: $F = phonenumber_field.modelfields.PhoneNumberField(...) - pattern-not: $F = ckeditor.fields.RichTextField(...) - pattern-not: $F = $X(..., null=True, blank=True, ...) - pattern: $F = $X(..., blank=True, ...) message: null=True should be set if blank=True is set on non-text fields. languages: - python severity: ERROR metadata: category: correctness references: - https://docs.djangoproject.com/en/4.0/ref/models/fields/#null technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true shortlink: https://sg.run/ox40 semgrep.dev: rule: r_id: 9460 rv_id: 946126 rule_id: yyUnJk version_id: zyTlko4 url: https://semgrep.dev/playground/r/zyTlko4/python.django.correctness.nontext-field-must-set-null-true.nontext-field-must-set-null-true origin: community - id: python.django.correctness.string-field-null-checks.no-null-string-field patterns: - pattern-inside: | class $M(...): ... - pattern-not: $F = django.db.models.CharField(..., null=True, unique=True, blank=True, ...) - pattern-not: $F = django.db.models.TextField(..., null=True, unique=True, blank=True, ...) - pattern-either: - pattern: $F = django.db.models.CharField(..., null=True, ...) - pattern: $F = django.db.models.TextField(..., null=True, ...) message: 'Avoid using null on string-based fields such as CharField and TextField. If a string-based field has null=True, that means it has two possible values for "no data": NULL, and the empty string. In most cases, it''s redundant to have two possible values for "no data;" the Django convention is to use the empty string, not NULL.' languages: - python severity: WARNING metadata: category: correctness technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.correctness.string-field-null-checks.no-null-string-field shortlink: https://sg.run/zvKd semgrep.dev: rule: r_id: 9461 rv_id: 946127 rule_id: r6UrZy version_id: pZTNOZK url: https://semgrep.dev/playground/r/pZTNOZK/python.django.correctness.string-field-null-checks.no-null-string-field origin: community - id: python.django.correctness.string-field-null-checks.string-field-must-set-null-true patterns: - pattern-inside: | class $M(...): ... - pattern-not: $F = django.db.models.CharField(..., unique=True, blank=True, null=True, ...) - pattern-not: $F = django.db.models.TextField(..., unique=True, blank=True, null=True, ...) - pattern-either: - pattern: $F = django.db.models.CharField(..., unique=True, blank=True, ...) - pattern: $F = django.db.models.TextField(..., unique=True, blank=True, ...) message: If a text field declares unique=True and blank=True, null=True must also be set to avoid unique constraint violations when saving multiple objects with blank values. languages: - python severity: ERROR metadata: category: correctness technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.correctness.string-field-null-checks.string-field-must-set-null-true shortlink: https://sg.run/pxPZ semgrep.dev: rule: r_id: 9462 rv_id: 946128 rule_id: bwUwqR version_id: 2KTYbyD url: https://semgrep.dev/playground/r/2KTYbyD/python.django.correctness.string-field-null-checks.string-field-must-set-null-true origin: community - id: python.django.correctness.use-decimalfield-for-money.use-decimalfield-for-money patterns: - pattern-inside: | class $M(...): ... - pattern: $F = django.db.models.FloatField(...) - metavariable-regex: metavariable: $F regex: .*([pP][rR][iI][cC][eE]|[aA][mM][oO][uU][nN][tT]|[sS][uU][bB][tT][oO][tT][aA][lL]|[dD][oO][nN][aA][tT][iI][oO][nN]|[fF][eE][eE]|[sS][aA][lL][aA][rR][yY]|[pP][rR][eE][cC][iI][oO]).* message: Found a FloatField used for variable $F. Use DecimalField for currency fields to avoid float-rounding errors. languages: - python severity: ERROR metadata: category: correctness technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.correctness.use-decimalfield-for-money.use-decimalfield-for-money shortlink: https://sg.run/2xzL semgrep.dev: rule: r_id: 9463 rv_id: 946129 rule_id: NbUk89 version_id: X0TL8DP url: https://semgrep.dev/playground/r/X0TL8DP/python.django.correctness.use-decimalfield-for-money.use-decimalfield-for-money origin: community - id: python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment languages: - python message: path for `$URL` is uselessly assigned twice metadata: category: maintainability technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/urls/#naming-url-patterns license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment shortlink: https://sg.run/65e1 semgrep.dev: rule: r_id: 12715 rv_id: 946130 rule_id: 5rU8ln version_id: jQTzvdZ url: https://semgrep.dev/playground/r/jQTzvdZ/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment origin: community patterns: - pattern: | [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $VIEW, ...), ...] severity: WARNING - id: python.django.maintainability.duplicate-path-assignment.conflicting-path-assignment languages: - python message: The path for `$URL` is assigned once to view `$VIEW` and once to `$DIFFERENT_VIEW`, which can lead to unexpected behavior. Verify what the intended target view is and delete the other route. metadata: category: maintainability technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/urls/#naming-url-patterns license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.conflicting-path-assignment shortlink: https://sg.run/owp0 semgrep.dev: rule: r_id: 12716 rv_id: 946131 rule_id: GdUZ5L version_id: 1QToK6g url: https://semgrep.dev/playground/r/1QToK6g/python.django.maintainability.duplicate-path-assignment.conflicting-path-assignment origin: community patterns: - pattern: | [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $DIFFERENT_VIEW, ...), ...] - pattern-not: | [..., django.urls.path('$URL', $VIEW, ...), ..., django.urls.path('$URL', $VIEW, ...), ...] severity: ERROR - id: python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment-different-names languages: - python message: path for `$URL` is assigned twice with different names metadata: category: maintainability technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/urls/#naming-url-patterns license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment-different-names shortlink: https://sg.run/z9Gd semgrep.dev: rule: r_id: 12717 rv_id: 946132 rule_id: ReUoYD version_id: 9lTy1pQ url: https://semgrep.dev/playground/r/9lTy1pQ/python.django.maintainability.duplicate-path-assignment.duplicate-path-assignment-different-names origin: community patterns: - pattern: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$OTHER_NAME', ...), ...] - pattern-not: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ...] severity: WARNING - id: python.django.maintainability.duplicate-path-assignment.duplicate-name-assignment languages: - python message: The name `$NAME` is used for both `$URL` and `$OTHER_URL`, which can lead to unexpected behavior when using URL reversing. Pick a unique name for each path. metadata: category: maintainability technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/urls/#naming-url-patterns license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.maintainability.duplicate-path-assignment.duplicate-name-assignment shortlink: https://sg.run/pk2Z semgrep.dev: rule: r_id: 12718 rv_id: 946133 rule_id: AbUG1k version_id: yeT0noR url: https://semgrep.dev/playground/r/yeT0noR/python.django.maintainability.duplicate-path-assignment.duplicate-name-assignment origin: community patterns: - pattern: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$OTHER_URL', $OTHER_VIEW, name='$NAME', ...), ...] - pattern-not: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ...] - pattern-not: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$URL', $OTHER_VIEW, name='$NAME', ...), ...] - pattern-not: | [..., django.urls.path('$URL', $VIEW, name='$NAME', ...), ..., django.urls.path('$OTHER_URL', $VIEW, name='$NAME', ...), ...] severity: ERROR - id: python.django.performance.upsell-count.use-count-method message: Looks like you need to determine the number of records. Django provides the count() method which is more efficient than .len(). See https://docs.djangoproject.com/en/3.0/ref/models/querysets/ languages: - python severity: ERROR pattern-either: - pattern: $X.objects.$FUNC(...).len() - pattern: $X.objects.$FUNC(...).$FILTER().len() - pattern: $X.objects.$FUNC(...).$FILTER().$UPDATE(...).len() metadata: category: performance technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.performance.upsell-count.use-count-method shortlink: https://sg.run/jRdN semgrep.dev: rule: r_id: 9465 rv_id: 946135 rule_id: wdUJZ8 version_id: bZTXwyK url: https://semgrep.dev/playground/r/bZTXwyK/python.django.performance.upsell-count.use-count-method origin: community - id: python.django.performance.upsell_earliest_latest.use-earliest-or-latest message: Looks like you are only accessing first element of an ordered QuerySet. Use `latest()` or `earliest()` instead. See https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.latest languages: - python severity: ERROR pattern-either: - pattern: $X.objects.order_by(...)[0] - pattern: $X.objects.$FUNC(...).order_by(...)[0] - pattern: $X.objects.$FUNC(...).$FILTER(...).order_by(...)[0] metadata: category: performance technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.django.performance.upsell_earliest_latest.use-earliest-or-latest shortlink: https://sg.run/1ZoG semgrep.dev: rule: r_id: 9466 rv_id: 946136 rule_id: x8UnX2 version_id: NdTqk4k url: https://semgrep.dev/playground/r/NdTqk4k/python.django.performance.upsell_earliest_latest.use-earliest-or-latest origin: community - id: python.django.security.audit.templates.debug-template-tag.debug-template-tag languages: - regex severity: WARNING message: Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag. pattern-regex: ({% debug %}) paths: include: - '*.html' metadata: owasp: A06:2017 - Security Misconfiguration cwe: - 'CWE-489: Active Debug Code' references: - https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug - https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page category: security technology: - django subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag shortlink: https://sg.run/dK3E semgrep.dev: rule: r_id: 9478 rv_id: 946146 rule_id: QrUzb2 version_id: ExTg2ZE url: https://semgrep.dev/playground/r/ExTg2ZE/python.django.security.audit.templates.debug-template-tag.debug-template-tag origin: community - id: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention patterns: - pattern: | resource "aws_cloudwatch_log_group" $ANYTHING { ... } - pattern-not-inside: | resource "aws_cloudwatch_log_group" $ANYTHING { ... retention_in_days = ... ... } message: The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention shortlink: https://sg.run/4lwl semgrep.dev: rule: r_id: 17344 rv_id: 946665 rule_id: x8UGBG version_id: BjT1N2B url: https://semgrep.dev/playground/r/BjT1N2B/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention origin: community - id: ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-ruby.anthropic-hardcoded-api-key-ruby languages: - ruby severity: ERROR message: Anthropic API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/docs/initial-setup license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-ruby.anthropic-hardcoded-api-key-ruby shortlink: https://sg.run/GRvO6 semgrep.dev: rule: r_id: 288792 rv_id: 1413350 rule_id: d8UQ7eb version_id: 6xTRwvw url: https://semgrep.dev/playground/r/6xTRwvw/ai.ai-best-practices.anthropic-hardcoded-api-key.anthropic-hardcoded-api-key-ruby.anthropic-hardcoded-api-key-ruby origin: community patterns: - pattern: | Anthropic::Client.new(api_key: "$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk-ant- - id: python.django.security.django-no-csrf-token.django-no-csrf-token patterns: - pattern: ... - pattern-either: - pattern: |
...
- pattern: |
...
- pattern: |
...
- metavariable-regex: metavariable: $METHOD regex: (?i)(post|put|delete|patch) - pattern-not-inside: ...{% csrf_token %}... - pattern-not-inside: ...{{ $VAR.csrf_token }}... message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks. languages: - generic severity: WARNING metadata: category: security cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)' references: - https://docs.djangoproject.com/en/4.2/howto/csrf/ confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM subcategory: - audit technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token shortlink: https://sg.run/N0Bp semgrep.dev: rule: r_id: 73471 rv_id: 946160 rule_id: PeUyYG version_id: BjT1NRl url: https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token origin: community paths: include: - '*.html' - id: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid patterns: - pattern-inside: | def $FUNC(request, ...): ... - pattern-inside: | if $FORM.is_valid(): ... - pattern-either: - pattern: request.POST[...] - pattern: request.POST.get(...) message: Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data languages: - python severity: WARNING metadata: category: security cwe: 'CWE-20: Improper Input Validation' references: - https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM subcategory: - audit technology: - django license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid shortlink: https://sg.run/kJn7 semgrep.dev: rule: r_id: 73472 rv_id: 946161 rule_id: JDUjqx version_id: DkTNpEJ url: https://semgrep.dev/playground/r/DkTNpEJ/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid origin: community - id: python.django.security.hashids-with-django-secret.hashids-with-django-secret languages: - python message: The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs. metadata: category: security subcategory: - vuln cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - "A02:2021 \u2013 Cryptographic Failures" references: - https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY - http://carnage.github.io/2015/08/cryptanalysis-of-hashids technology: - django likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret shortlink: https://sg.run/bxeZ semgrep.dev: rule: r_id: 72426 rv_id: 946163 rule_id: 0oUXqy version_id: 0bT15nn url: https://semgrep.dev/playground/r/0bT15nn/python.django.security.hashids-with-django-secret.hashids-with-django-secret origin: community pattern-either: - pattern: hashids.Hashids(..., salt=django.conf.settings.SECRET_KEY, ...) - pattern: hashids.Hashids(django.conf.settings.SECRET_KEY, ...) severity: ERROR - id: generic.secrets.gitleaks.okta-access-token.okta-access-token message: A gitleaks okta-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.okta-access-token.okta-access-token shortlink: https://sg.run/1Knv semgrep.dev: rule: r_id: 44766 rv_id: 1262796 rule_id: yyUYve version_id: DkTRbNO url: https://semgrep.dev/playground/r/DkTRbNO/generic.secrets.gitleaks.okta-access-token.okta-access-token origin: community patterns: - pattern-regex: (?i)(?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.planetscale-password.planetscale-password message: A gitleaks planetscale-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-password.planetscale-password shortlink: https://sg.run/k3L2 semgrep.dev: rule: r_id: 44772 rv_id: 1262803 rule_id: x8UlWb version_id: JdTzxp3 url: https://semgrep.dev/playground/r/JdTzxp3/generic.secrets.gitleaks.planetscale-password.planetscale-password origin: community patterns: - pattern-regex: (?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-javascript.anthropic-missing-max-tokens-javascript languages: - javascript - typescript severity: WARNING message: Anthropic messages.create() called without 'max_tokens' parameter. Setting max_tokens prevents unexpectedly long or expensive responses. metadata: cwe: 'CWE-770: Allocation of Resources Without Limits or Throttling' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-javascript.anthropic-missing-max-tokens-javascript shortlink: https://sg.run/RrvXN semgrep.dev: rule: r_id: 288793 rv_id: 1413351 rule_id: ZqU7xOB version_id: o5TLpg3 url: https://semgrep.dev/playground/r/o5TLpg3/ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-javascript.anthropic-missing-max-tokens-javascript origin: community patterns: - pattern: $CLIENT.messages.create({...}) - pattern-not: '$CLIENT.messages.create({..., max_tokens: $MT, ...})' - id: python.django.security.nan-injection.nan-injection message: Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'. languages: - python severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: | def $FUNC(request, ...): ... - pattern-either: - pattern: request.$PROPERTY.get(...) - pattern: request.$PROPERTY[...] pattern-sinks: - patterns: - pattern-either: - pattern: float(...) - pattern: bool(...) - pattern: complex(...) - pattern-not-inside: | if $COND: ... ... pattern-sanitizers: - pattern: $ANYTHING(...) not_conflicting: true metadata: references: - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868 - https://blog.bitdiscovery.com/2021/12/python-nan-injection/ category: security cwe: - 'CWE-704: Incorrect Type Conversion or Cast' technology: - django subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.django.security.nan-injection.nan-injection shortlink: https://sg.run/Og7L semgrep.dev: rule: r_id: 18275 rv_id: 946193 rule_id: DbUGvk version_id: NdTqk7G url: https://semgrep.dev/playground/r/NdTqk7G/python.django.security.nan-injection.nan-injection origin: community - id: python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run patterns: - pattern-either: - pattern-inside: | $CLIENT = docker.from_env() ... - pattern-inside: | $CLIENT = docker.DockerClient(...) ... - pattern-either: - pattern: | $CLIENT.containers.run(...) - pattern: | $CLIENT.containers.create(...) - pattern-not: | $CLIENT.containers.run("...",...) - pattern-not: | $CLIENT.containers.create("...",...) message: If unverified user data can reach the `run` or `create` method it can result in running arbitrary container. languages: - python severity: WARNING metadata: cwe: - 'CWE-250: Execution with Unnecessary Privileges' category: security technology: - docker references: - https://cwe.mitre.org/data/definitions/250.html subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run shortlink: https://sg.run/pxEL semgrep.dev: rule: r_id: 9518 rv_id: 946196 rule_id: r6Ur5A version_id: xyTqnk3 url: https://semgrep.dev/playground/r/xyTqnk3/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run origin: community - id: python.flask.best-practice.get-class-method-with-side-effects.flask-class-method-get-side-effects patterns: - pattern-either: - pattern: | def get(self,...): ... $METHOD(...) - pattern: | def get(self,...): ... $VAR = $METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (?i)(create|update|delete).* message: Flask class method GET with side effects severity: WARNING languages: - python metadata: category: best-practice technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.best-practice.get-class-method-with-side-effects.flask-class-method-get-side-effects shortlink: https://sg.run/2x6D semgrep.dev: rule: r_id: 9519 rv_id: 946198 rule_id: bwUwYZ version_id: e1T98Jw url: https://semgrep.dev/playground/r/e1T98Jw/python.flask.best-practice.get-class-method-with-side-effects.flask-class-method-get-side-effects origin: community - id: python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler patterns: - pattern-inside: | @app.route(..., method="GET") def $X(...): ... - pattern-either: - pattern: | $Y = flask.request.json - pattern: | $Y = flask.request.form - pattern: | $Y = flask.request.data message: Accessing request object inside a route handle for HTTP GET command will throw due to missing request body. languages: - python severity: WARNING metadata: category: correctness technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler shortlink: https://sg.run/1ZYv semgrep.dev: rule: r_id: 9522 rv_id: 946201 rule_id: wdUJe5 version_id: ZRT35o1 url: https://semgrep.dev/playground/r/ZRT35o1/python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler origin: community - id: python.flask.maintainability.deprecated.deprecated-apis.flask-deprecated-apis message: deprecated Flask API languages: - python severity: WARNING pattern-either: - pattern: | $F = Flask(...) ... $F.open_session(...) - pattern: | $F = Flask(...) ... $F.save_session(...) - pattern: | $F = Flask(...) ... $F.make_null_session(...) - pattern: | $F = Flask(...) ... $F.init_jinja_globals(...) - pattern: | $F = Flask(...) ... $F.request_globals_class(...) - pattern: | $F = Flask(...) ... $F.static_path(...) - pattern: app.open_session(...) - pattern: app.save_session(...) - pattern: app.make_null_session(...) - pattern: app.init_jinja_globals(...) - pattern: app.request_globals_class(...) - pattern: app.static_path(...) - pattern: app.config.from_json(...) - pattern: flask.json_available - pattern: flask.request.module - pattern: flask.testing.make_test_environ_builder(...) metadata: category: maintainability technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.flask.maintainability.deprecated.deprecated-apis.flask-deprecated-apis shortlink: https://sg.run/rdLR semgrep.dev: rule: r_id: 9525 rv_id: 946203 rule_id: eqU86E version_id: ExTg2zL url: https://semgrep.dev/playground/r/ExTg2zL/python.flask.maintainability.deprecated.deprecated-apis.flask-deprecated-apis origin: community - id: python.flask.security.audit.debug-enabled.debug-enabled patterns: - pattern-inside: | import flask ... - pattern: $APP.run(..., debug=True, ...) message: Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables. metadata: cwe: - 'CWE-489: Active Debug Code' owasp: A06:2017 - Security Misconfiguration references: - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ category: security technology: - flask subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.flask.security.audit.debug-enabled.debug-enabled shortlink: https://sg.run/dKrd semgrep.dev: rule: r_id: 9534 rv_id: 946206 rule_id: gxU1bd version_id: 8KTKjwR url: https://semgrep.dev/playground/r/8KTKjwR/python.flask.security.audit.debug-enabled.debug-enabled origin: community severity: WARNING languages: - python - id: python.flask.security.audit.host-header-injection-python.host-header-injection-python message: The `flask.request.host` is used to construct an HTTP request. This can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password reset issues, Server-Side-Request-Forgery (SSRF), and many more. It is recommended to validate the URL before passing it to a request library, or using application logic such as authentication or password resets. patterns: - pattern-either: - pattern: | $X = <... "=~/.*http[s]*:///" + flask.request.host ...>; - pattern: | $X = <... "=~/.*http[s]*:///" + flask.request["host"] ...>; - pattern: | $Z = flask.request.host; ... $X = <... "=~/.*http[s]*:///" + $Z ...>; - pattern: | $Z = flask.request["host"]; ... $X = <... "=~/.*http[s]*:///" + $Z ...>; - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(): ... languages: - python severity: INFO metadata: cwe: - 'CWE-20: Improper Input Validation' category: security references: - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.audit.host-header-injection-python.host-header-injection-python shortlink: https://sg.run/lAgB semgrep.dev: rule: r_id: 43957 rv_id: 946213 rule_id: 9AULpd version_id: 5PT9Obz url: https://semgrep.dev/playground/r/5PT9Obz/python.flask.security.audit.host-header-injection-python.host-header-injection-python origin: community - id: python.flask.security.flask-api-method-string-format.flask-api-method-string-format patterns: - pattern-either: - pattern: | def $METHOD(...,$ARG,...): ... $STRING = "...".format(...,$ARG,...) ... ... = requests.$REQMETHOD($STRING,...) - pattern: | def $METHOD(...,$ARG,...): ... ... = requests.$REQMETHOD("...".format(...,$ARG,...),...) - pattern-inside: | class $CLASS(...): method_decorators = ... ... message: Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD severity: ERROR languages: - python metadata: cwe: - 'CWE-134: Use of Externally-Controlled Format String' category: security technology: - flask references: - https://cwe.mitre.org/data/definitions/134.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format shortlink: https://sg.run/bDWr semgrep.dev: rule: r_id: 10126 rv_id: 946219 rule_id: NbUAeY version_id: WrTEo0r url: https://semgrep.dev/playground/r/WrTEo0r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format origin: community - id: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret languages: - python message: The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs. metadata: category: security subcategory: - vuln cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - "A02:2021 \u2013 Cryptographic Failures" references: - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY - http://carnage.github.io/2015/08/cryptanalysis-of-hashids technology: - flask likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret shortlink: https://sg.run/N0Rx semgrep.dev: rule: r_id: 72427 rv_id: 946220 rule_id: KxUX3z version_id: 0bT15Px url: https://semgrep.dev/playground/r/0bT15Px/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret origin: community pattern-either: - pattern: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) - pattern: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) - patterns: - pattern-inside: | $APP = flask.Flask(...) ... - pattern-either: - pattern: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) - pattern: hashids.Hashids($APP.config['SECRET_KEY'], ...) severity: ERROR - id: python.flask.security.injection.nan-injection.nan-injection message: Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'. languages: - python severity: ERROR mode: taint pattern-sources: - pattern-either: - pattern: flask.request.$SOMETHING.get(...) - pattern: flask.request.$SOMETHING[...] - patterns: - pattern-inside: | @$APP.route(...) def $FUNC(..., $ROUTEVAR, ...): ... - pattern: $ROUTEVAR pattern-sinks: - pattern-either: - pattern: float(...) - pattern: bool(...) - pattern: complex(...) pattern-sanitizers: - not_conflicting: true pattern: $ANYTHING(...) metadata: references: - https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868 - https://blog.bitdiscovery.com/2021/12/python-nan-injection/ category: security cwe: - 'CWE-704: Incorrect Type Conversion or Cast' technology: - flask subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.injection.nan-injection.nan-injection shortlink: https://sg.run/e598 semgrep.dev: rule: r_id: 18276 rv_id: 946222 rule_id: WAUdj7 version_id: qkT4j85 url: https://semgrep.dev/playground/r/qkT4j85/python.flask.security.injection.nan-injection.nan-injection origin: community - id: ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-python.anthropic-missing-max-tokens-python languages: - python severity: WARNING message: Anthropic messages.create() called without 'max_tokens' parameter. Setting max_tokens prevents unexpectedly long or expensive responses. metadata: cwe: 'CWE-770: Allocation of Resources Without Limits or Throttling' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-python.anthropic-missing-max-tokens-python shortlink: https://sg.run/AjqXB semgrep.dev: rule: r_id: 288794 rv_id: 1413352 rule_id: nJU8JZl version_id: zyTB0KO url: https://semgrep.dev/playground/r/zyTB0KO/ai.ai-best-practices.anthropic-missing-max-tokens.anthropic-missing-max-tokens-python.anthropic-missing-max-tokens-python origin: community patterns: - pattern: $CLIENT.messages.create(...) - pattern-not: $CLIENT.messages.create(..., max_tokens=$MT, ...) - id: python.lang.best-practice.hardcoded-tmp-path.hardcoded-tmp-path pattern: open("=~/^\/tmp.*/", ...) message: Detected hardcoded temp directory. Consider using 'tempfile.TemporaryFile' instead. metadata: references: - https://docs.python.org/3/library/tempfile.html#tempfile.TemporaryFile category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.hardcoded-tmp-path.hardcoded-tmp-path shortlink: https://sg.run/zv0W semgrep.dev: rule: r_id: 9561 rv_id: 946249 rule_id: yyUnXZ version_id: LjTXy8O url: https://semgrep.dev/playground/r/LjTXy8O/python.lang.best-practice.hardcoded-tmp-path.hardcoded-tmp-path origin: community severity: WARNING languages: - python - id: gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret patterns: - pattern-either: - pattern-inside: | const $JWT = require("jsonwebtoken"); ... - pattern-inside: | const $JOSE = require("jose"); ... - pattern-inside: | import $JWT from "jsonwebtoken" ... - pattern-inside: | import $JOSE from "jose" ... - pattern-either: - pattern: $JWT.sign($PAYLOAD, "...", ...) - pattern: $JWT.verify($PAYLOAD, "...", ...) - pattern: new $JOSE.SignJWT(...). ... .sign("...") - pattern: | var $TOKEN = new $JOSE.SignJWT(...). ... ... $TOKEN. ... .sign("...") - pattern: $JOSE.jwtVerify( $TKN, "...", ... ) - patterns: - pattern-either: - patterns: - pattern-inside: | var $KEY = $X ... - pattern-either: - pattern: new $JOSE.SignJWT(...). ... .sign($KEY) - patterns: - pattern: | var $TOKEN = new $JOSE.SignJWT(...). ... ... $TOKEN. ... .sign($KEY) - pattern: $TOKEN. ... .sign($KEY) - pattern: $JOSE.jwtVerify( $TKN, $KEY, ... ) - pattern: new $JOSE.SignJWT(...). ... .sign($X) - patterns: - pattern: | var $TOKEN = new $JOSE.SignJWT(...). ... ... $TOKEN. ... .sign($X) - pattern: $TOKEN. ... .sign($X) - pattern: $JOSE.jwtVerify( $TKN, $X, ... ) - metavariable-pattern: metavariable: $X pattern-either: - pattern: new TextEncoder().encode( "...",... ) - pattern: Uint8Array.from("...", ...) message: "Hardcoded JWT secret or private key was found. Hardcoding secrets like JWT signing keys poses a significant security risk. \nIf the source code ends up in a public repository or is compromised, the secret is exposed. Attackers could then use the secret to \ngenerate forged tokens and access the system. Store it properly in an environment variable.\n\nHere are some recommended safe ways to access JWT secrets:\n - Use environment variables to store the secret and access it in code instead of hardcoding. This keeps it out of source control.\n \ - Use a secrets management service to securely store and tightly control access to the secret. Applications can request the secret at runtime.\n - For local development, use a .env file that is gitignored and access the secret from process.env.\n\nsample code snippet of accessing JWT secret from env variables\n```\n const token = jwt.sign(payload, process.env.SECRET, { algorithm: 'HS256' });\n```\n" languages: - javascript severity: ERROR metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-798 shortDescription: Use of hard-coded credentials security-severity: HIGH category: security primary_identifier: nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-hardcoded_jwt_secret type: njsscan_rule_type value: Hardcoded JWT secret was found. Store it properly in an environment variable. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret shortlink: https://sg.run/bwdqe semgrep.dev: rule: r_id: 144426 rv_id: 920517 rule_id: 0oULNYq version_id: RGT2xwl url: https://semgrep.dev/playground/r/RGT2xwl/gitlab.nodejs_scan.javascript-jwt-rule-hardcoded_jwt_secret origin: community - id: gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_credentials patterns: - pattern-either: - pattern-inside: | const $JWT = require("jsonwebtoken"); ... - pattern-inside: | const $JOSE = require("jose"); ... - pattern-inside: | import $JWT from "jsonwebtoken" ... - pattern-inside: | import $JOSE from "jose" ... - pattern-either: - pattern: '$JWT.sign(<... {$PASSWORD: $VALUE} ...>, ...)' - patterns: - pattern: | $OBJ = <... {$PASSWORD: $VALUE} ...> ... $TOKEN = $JWT.sign(<... $OBJ ...>, ...) - pattern: $TOKEN = $JWT.sign(<... $OBJ ...>, ...) - patterns: - pattern: | $OBJ. ... .$PASSWORD = ... ... $TOKEN = $JWT.sign(<... $OBJ ...>, ...) - pattern: $TOKEN = $JWT.sign(<... $OBJ ...>, ...) - pattern: 'new $JOSE.SignJWT(<... {$PASSWORD: $VALUE} ...>)' - patterns: - pattern: | $OBJ = <... {$PASSWORD: $VALUE} ...> ... new $JOSE.SignJWT(<... $OBJ ...>) - pattern: new $JOSE.SignJWT(<... $OBJ ...>) - patterns: - pattern: | $OBJ. ... .$PASSWORD = ... ... new $JOSE.SignJWT(<... $OBJ ...>) - pattern: new $JOSE.SignJWT(<... $OBJ ...>) - metavariable-regex: metavariable: $PASSWORD regex: (?i)\b(?:.*password.*)\b severity: ERROR languages: - javascript metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: HIGH category: security primary_identifier: nodejs_scan.javascript-jwt-rule-jwt_exposed_credentials secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-jwt_exposed_credentials type: njsscan_rule_type value: Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_credentials shortlink: https://sg.run/NbkZ7 semgrep.dev: rule: r_id: 144427 rv_id: 920518 rule_id: KxUvE6Q version_id: A8TNln4 url: https://semgrep.dev/playground/r/A8TNln4/gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_credentials origin: community message: "The application is storing a password in the JWT token payload. Storing \npasswords in JWT token payloads is an insecure practice that can lead to \ncompromised credentials. \n\nThe password transmitted in the JWT payload is not encrypted and therefore \nvisible to anyone who intercepts the token. It is recommended to avoid storing \nsensitive information like passwords in JWTs. Instead, reference user identifiers \nthat map to credentials stored securely on the server.This helps to mitigate the \nrisk of exposing passwords through JWT tokens that could be intercepted or leaked.\n\nSecure code example of secure JWT signing:\n```\nrouter.route(\"/jsonwebtoken/1\").get((req, res) => {\n // any payload without passwords or any other sensitive data will be secure\n const payload = { user_id: 123, username: 'john_doe' };\n const token = jwt.sign(payload, secretKey, { algorithm: 'HS256' });\n console.log('Generated Token:', token);\n res.send({ token })\n})\n```" - id: gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_data patterns: - pattern-inside: | require('jose') ... - pattern-either: - patterns: - pattern-inside: function (...,$INPUT,...) {...} - pattern-either: - pattern: $JOSE.JWT.sign($INPUT,...) - pattern: $JWT.sign($INPUT,...) - patterns: - pattern-inside: function $F(...,$INPUT,...) {...} - pattern-either: - pattern: $JOSE.JWT.sign($INPUT,...) - pattern: $JWT.sign($INPUT,...) message: | The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload. severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: HIGH category: security primary_identifier: nodejs_scan.javascript-jwt-rule-jwt_exposed_data secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-jwt_exposed_data type: njsscan_rule_type value: The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_data shortlink: https://sg.run/kxdjK semgrep.dev: rule: r_id: 144428 rv_id: 920519 rule_id: qNU26PK version_id: BjTKLGw url: https://semgrep.dev/playground/r/BjTKLGw/gitlab.nodejs_scan.javascript-jwt-rule-jwt_exposed_data origin: community languages: - javascript - id: gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded patterns: - pattern-either: - pattern-inside: | import { ..., $JWT,... } from 'express-jwt'; ... - pattern-inside: | var {..., expressjwt: $JWT,... } = require('express-jwt'); ... - pattern-either: - pattern: $JWT(<...{...,secret:"...",...}...>) - patterns: - pattern-inside: | $OPTS = <... {secret: "..."} ...>; ... - pattern: $JWT(<... $OPTS ...>,...) - patterns: - pattern-inside: | $OPTS = <... {secret: "..."} ...>; ... $OPTS2 = <... $OPTS ...>; ... - pattern: $JWT(<... $OPTS2 ...>,...) message: "Hardcoded JWT secret or private key was found. Hardcoding secrets like JWT signing keys poses a significant security risk. \nIf the source code ends up in a public repository or is compromised, the secret is exposed. Attackers could then use the secret to \ngenerate forged tokens and access the system. Store it properly in an environment variable.\n\nHere are some recommended safe ways to access JWT secrets:\n - Use environment variables to store the secret and access it in code instead of hardcoding. This keeps it out of source control.\n \ - Use a secrets management service to securely store and tightly control access to the secret. Applications can request the secret at runtime.\n - For local development, use a .env file that is gitignored and access the secret from process.env.\n\nsample code snippet of accessing JWT secret from env variables\n```\nrouter.route(\"/auth-route-1\").get(\n \ jwt({ secret: process.env.secret, algorithms: ['HS256'] }),\n (req, res) => {\n res.send('Token is valid');\n }\n);\n```\n" severity: ERROR languages: - javascript metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-jwt_express_hardcoded type: njsscan_rule_type value: Hardcoded JWT secret or private key was found. Store it properly in an environment variable. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded shortlink: https://sg.run/wdWg0 semgrep.dev: rule: r_id: 144429 rv_id: 920520 rule_id: lBU4kAe version_id: DkT2yeO url: https://semgrep.dev/playground/r/DkT2yeO/gitlab.nodejs_scan.javascript-jwt-rule-jwt_express_hardcoded origin: community - id: python.lang.best-practice.logging-error-without-handling.logging-error-without-handling patterns: - pattern-inside: | try: ... except ...: ... ... - pattern-either: - pattern: | logger.$FUNC(...) ... raise - pattern: | logger.$FUNC(...) ... raise $EX - pattern: | logger.$FUNC(...) ... raise $EX from $EX2 - metavariable-regex: metavariable: $FUNC regex: (error|exception) message: Errors should only be logged when handled. The code logs the error and propogates the exception, consider reducing the level to warning or info. languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.logging-error-without-handling.logging-error-without-handling shortlink: https://sg.run/jzwl semgrep.dev: rule: r_id: 15821 rv_id: 946250 rule_id: 10U5dA version_id: 8KTKj8R url: https://semgrep.dev/playground/r/8KTKj8R/python.lang.best-practice.logging-error-without-handling.logging-error-without-handling origin: community - id: python.lang.best-practice.manual-collections-create.manual-defaultdict-dict-create message: manually creating a defaultdict - use collections.defaultdict(dict) languages: - python severity: WARNING pattern-either: - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... if $KEY not in $DICT: ... $DICT[$KEY] = {} ... $DICT[$KEY].update(...) - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... $DICT.setdefault($KEY, {}).update(...) metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-dict-create shortlink: https://sg.run/px4L semgrep.dev: rule: r_id: 9562 rv_id: 946251 rule_id: r6UrxA version_id: gETe1QK url: https://semgrep.dev/playground/r/gETe1QK/python.lang.best-practice.manual-collections-create.manual-defaultdict-dict-create origin: community - id: python.lang.best-practice.manual-collections-create.manual-defaultdict-set-create message: manually creating a defaultdict - use collections.defaultdict(set) languages: - python severity: WARNING pattern-either: - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... if $KEY not in $DICT: ... $DICT[$KEY] = set() ... $DICT[$KEY].add(...) - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... $DICT.setdefault($KEY, set()).add(...) metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-set-create shortlink: https://sg.run/2xXD semgrep.dev: rule: r_id: 9563 rv_id: 946252 rule_id: bwUwGZ version_id: QkTZzex url: https://semgrep.dev/playground/r/QkTZzex/python.lang.best-practice.manual-collections-create.manual-defaultdict-set-create origin: community - id: python.lang.best-practice.manual-collections-create.manual-defaultdict-list-create message: manually creating a defaultdict - use collections.defaultdict(list) languages: - python severity: WARNING pattern-either: - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... if $KEY not in $DICT: ... $DICT[$KEY] = [] ... $DICT[$KEY].append(...) - pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... $DICT.setdefault($KEY, []).append(...) metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-defaultdict-list-create shortlink: https://sg.run/XBzb semgrep.dev: rule: r_id: 9564 rv_id: 946253 rule_id: NbUk16 version_id: 3ZTOP00 url: https://semgrep.dev/playground/r/3ZTOP00/python.lang.best-practice.manual-collections-create.manual-defaultdict-list-create origin: community - id: python.lang.best-practice.manual-collections-create.manual-counter-create pattern: | $DICT = {} ... for $KEY, $VALUE in $OTHERDICT.items(): ... if $KEY not in $DICT: ... $DICT[$KEY] = 0 ... $DICT[$KEY] += 1 message: manually creating a counter - use collections.Counter languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.manual-collections-create.manual-counter-create shortlink: https://sg.run/jRZJ semgrep.dev: rule: r_id: 9565 rv_id: 946254 rule_id: kxUk73 version_id: 44TZk0P url: https://semgrep.dev/playground/r/44TZk0P/python.lang.best-practice.manual-collections-create.manual-counter-create origin: community - id: python.lang.best-practice.pass-body.pass-body-fn patterns: - pattern-not-inside: | def __init__(self, ...): ... - pattern-not-inside: | class $A: ... - pattern: | def $X(...): pass message: '`pass` is the body of function $X. Consider removing this or raise NotImplementedError() if this is a TODO' languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.pass-body.pass-body-fn shortlink: https://sg.run/ydWR semgrep.dev: rule: r_id: 9568 rv_id: 946257 rule_id: OrU3yZ version_id: 5PT9Ogz url: https://semgrep.dev/playground/r/5PT9Ogz/python.lang.best-practice.pass-body.pass-body-fn origin: community - id: python.lang.best-practice.pass-body.pass-body-range pattern: | for $X in $Y: pass message: '`pass` is the body of for $X in $Y. Consider removing this or raise NotImplementedError() if this is a TODO' languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.pass-body.pass-body-range shortlink: https://sg.run/rdJR semgrep.dev: rule: r_id: 9569 rv_id: 946258 rule_id: eqU8xE version_id: GxTP7dA url: https://semgrep.dev/playground/r/GxTP7dA/python.lang.best-practice.pass-body.pass-body-range origin: community - id: python.lang.best-practice.pdb.python-debugger-found pattern-either: - pattern: import pdb - pattern: pdb.set_trace() message: Importing the python debugger; did you mean to leave this in? severity: WARNING languages: - python metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.pdb.python-debugger-found shortlink: https://sg.run/b7NE semgrep.dev: rule: r_id: 9570 rv_id: 946259 rule_id: v8Un2J version_id: RGTAg45 url: https://semgrep.dev/playground/r/RGTAg45/python.lang.best-practice.pdb.python-debugger-found origin: community - id: python.lang.best-practice.sleep.arbitrary-sleep patterns: - pattern-not: time.sleep($F(...)) - pattern-either: - pattern: | time.sleep($X: int) - pattern: | time.sleep($X: float) message: time.sleep() call; did you mean to leave this in? languages: - python severity: ERROR metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.sleep.arbitrary-sleep shortlink: https://sg.run/N4Bz semgrep.dev: rule: r_id: 9571 rv_id: 946260 rule_id: d8UjDO version_id: A8TJzo6 url: https://semgrep.dev/playground/r/A8TJzo6/python.lang.best-practice.sleep.arbitrary-sleep origin: community - id: python.lang.best-practice.unspecified-open-encoding.unspecified-open-encoding patterns: - pattern-inside: open(...) - pattern-not: open(..., encoding="...", ...) - pattern-not: open($F, "...", $B, "...", ...) - pattern-either: - pattern: open($FILE) - patterns: - pattern: open($FILE, ...) - pattern-not: open($FILE, $M, ...) - pattern-not-regex: open$.*(?:encoding|mode)=.*$ - patterns: - pattern: open($FILE, $MODE, ...) - metavariable-regex: metavariable: $MODE regex: (?!.*b.*) - patterns: - pattern: open($FILE, ..., mode=$MODE, ...) - metavariable-regex: metavariable: $MODE regex: (?!.*b.*) message: Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding="utf-8"). languages: - python severity: WARNING metadata: category: best-practice technology: - python references: - https://www.python.org/dev/peps/pep-0597/ - https://docs.python.org/3/library/functions.html#open license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.unspecified-open-encoding.unspecified-open-encoding shortlink: https://sg.run/1z8x semgrep.dev: rule: r_id: 15822 rv_id: 946261 rule_id: 9AUZR9 version_id: BjT1N3E url: https://semgrep.dev/playground/r/BjT1N3E/python.lang.best-practice.unspecified-open-encoding.unspecified-open-encoding origin: community - id: python.lang.compatibility.python36.python36-compatibility-ssl pattern: ssl.get_ciphers() message: this function is only available on Python 3.6+ languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl shortlink: https://sg.run/kXn2 semgrep.dev: rule: r_id: 9572 rv_id: 946262 rule_id: ZqU5wR version_id: DkTNpr8 url: https://semgrep.dev/playground/r/DkTNpr8/python.lang.compatibility.python36.python36-compatibility-ssl origin: community - id: python.lang.compatibility.python36.python36-compatibility-Popen1 pattern: subprocess.Popen(errors=$X, ...) message: the `errors` argument to Popen is only available on Python 3.6+ languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1 shortlink: https://sg.run/weBP semgrep.dev: rule: r_id: 9573 rv_id: 946263 rule_id: nJUz7A version_id: WrTEo4r url: https://semgrep.dev/playground/r/WrTEo4r/python.lang.compatibility.python36.python36-compatibility-Popen1 origin: community - id: python.lang.compatibility.python36.python36-compatibility-Popen2 pattern: subprocess.Popen(encoding=$X, ...) message: the `encoding` argument to Popen is only available on Python 3.6+ languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2 shortlink: https://sg.run/x1Dg semgrep.dev: rule: r_id: 9574 rv_id: 946264 rule_id: EwU2n3 version_id: 0bT15bx url: https://semgrep.dev/playground/r/0bT15bx/python.lang.compatibility.python36.python36-compatibility-Popen2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-importlib pattern: importlib.source_hash() message: source_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib shortlink: https://sg.run/OPDn semgrep.dev: rule: r_id: 9575 rv_id: 946265 rule_id: 7KUQOl version_id: K3TJbqv url: https://semgrep.dev/playground/r/K3TJbqv/python.lang.compatibility.python37.python37-compatibility-importlib origin: community - id: python.lang.compatibility.python37.python37-compatibility-importlib2 pattern: import importlib.resources message: Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2 shortlink: https://sg.run/eL3y semgrep.dev: rule: r_id: 9576 rv_id: 946266 rule_id: L1Uy0n version_id: qkT4jn5 url: https://semgrep.dev/playground/r/qkT4jn5/python.lang.compatibility.python37.python37-compatibility-importlib2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-httpconn pattern: http.client.HTTPConnection(blocksize=$X,...) message: Found usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn shortlink: https://sg.run/vzAb semgrep.dev: rule: r_id: 9577 rv_id: 946267 rule_id: 8GUjbX version_id: l4Tx9Or url: https://semgrep.dev/playground/r/l4Tx9Or/python.lang.compatibility.python37.python37-compatibility-httpconn origin: community - id: python.lang.compatibility.python37.python37-compatibility-httpsconn pattern: http.client.HTTPSConnection(blocksize=$X,...) message: Found usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn shortlink: https://sg.run/dKwd semgrep.dev: rule: r_id: 9578 rv_id: 946268 rule_id: gxU1qd version_id: YDTvR0R url: https://semgrep.dev/playground/r/YDTvR0R/python.lang.compatibility.python37.python37-compatibility-httpsconn origin: community - id: python.lang.maintainability.useless-ifelse.useless-if-conditional message: if block checks for the same condition on both branches (`$X`) languages: - python severity: WARNING pattern: | if $X: ... elif $X: ... metadata: references: - https://docs.python.org/3/tutorial/controlflow.html category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-ifelse.useless-if-conditional shortlink: https://sg.run/pxRg semgrep.dev: rule: r_id: 9618 rv_id: 946313 rule_id: yyUnLW version_id: JdTDyRP url: https://semgrep.dev/playground/r/JdTDyRP/python.lang.maintainability.useless-ifelse.useless-if-conditional origin: community - id: python.lang.maintainability.useless-literal-set.useless-literal-set patterns: - pattern: | set(..., ($X, $A), ..., ($X, $B), ...) - focus-metavariable: $X message: '`$X` is uselessly assigned twice inside the creation of the set' languages: - python severity: ERROR metadata: category: maintainability references: - https://docs.python.org/3/library/stdtypes.html#set-types-set-frozenset technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-literal-set.useless-literal-set shortlink: https://sg.run/A9n8 semgrep.dev: rule: r_id: 26094 rv_id: 946316 rule_id: EwUAdR version_id: RGTAgxq url: https://semgrep.dev/playground/r/RGTAgxq/python.lang.maintainability.useless-literal-set.useless-literal-set origin: community - id: python.lang.security.audit.dangerous-spawn-process-audit.dangerous-spawn-process-audit message: Found dynamic content when spawning a process. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-audit.dangerous-spawn-process-audit shortlink: https://sg.run/lK0y semgrep.dev: rule: r_id: 27257 rv_id: 1263467 rule_id: PeURWE version_id: o5TbD34 url: https://semgrep.dev/playground/r/o5TbD34/python.lang.security.audit.dangerous-spawn-process-audit.dangerous-spawn-process-audit origin: community languages: - python severity: ERROR pattern-either: - patterns: - pattern-not: os.$METHOD($MODE, "...", ...) - pattern: os.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile) - patterns: - pattern-not: os.$METHOD($MODE, "...", ["...","...",...], ...) - pattern: os.$METHOD($MODE, $BASH, ["-c",$CMD,...],...) - metavariable-regex: metavariable: $METHOD regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - patterns: - pattern-not: os.$METHOD($MODE, "...", "...", "...", ...) - pattern: os.$METHOD($MODE, $BASH, "-c", $CMD,...) - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - id: python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args mode: taint options: symbolic_propagation: true pattern-sources: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: os.environ - pattern: os.environ.get('$FOO', ...) - pattern: os.environb - pattern: os.environb.get('$FOO', ...) - pattern: os.getenv('$ANYTHING', ...) - pattern: os.getenvb('$ANYTHING', ...) - patterns: - pattern-either: - patterns: - pattern-either: - pattern: sys.argv - pattern: sys.orig_argv - patterns: - pattern-inside: | $PARSER = argparse.ArgumentParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-inside: | $PARSER = optparse.OptionParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-either: - pattern-inside: | $OPTS, $ARGS = getopt.getopt(...) ... - pattern-inside: | $OPTS, $ARGS = getopt.gnu_getopt(...) ... - pattern-either: - patterns: - pattern-inside: | for $O, $A in $OPTS: ... - pattern: $A - pattern: $ARGS pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-not: os.$METHOD($MODE, "...", ...) - pattern-inside: os.$METHOD($MODE, $CMD, ...) - pattern: $CMD - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile) - patterns: - pattern-not: os.$METHOD($MODE, "...", ["...","...",...], ...) - pattern-inside: os.$METHOD($MODE, $BASH, ["-c",$CMD,...],...) - pattern: $CMD - metavariable-regex: metavariable: $METHOD regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - patterns: - pattern-not: os.$METHOD($MODE, "...", "...", "...", ...) - pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...) - pattern: $CMD - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) message: Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - python confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args shortlink: https://sg.run/Y3Ke semgrep.dev: rule: r_id: 27258 rv_id: 1263468 rule_id: JDUz34 version_id: zyTb2wn url: https://semgrep.dev/playground/r/zyTb2wn/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-subinterpreters-run-string-audit.dangerous-subinterpreters-run-string-audit patterns: - pattern: | _xxsubinterpreters.run_string($ID, $PAYLOAD, ...) - pattern-not: | _xxsubinterpreters.run_string($ID, "...", ...) message: Found dynamic content in `run_string`. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code. Ensure no external data reaches here. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://bugs.python.org/issue43472 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-audit.dangerous-subinterpreters-run-string-audit shortlink: https://sg.run/6lWo semgrep.dev: rule: r_id: 27259 rv_id: 1263469 rule_id: 5rUoPK version_id: pZT03dX url: https://semgrep.dev/playground/r/pZT03dX/python.lang.security.audit.dangerous-subinterpreters-run-string-audit.dangerous-subinterpreters-run-string-audit origin: community severity: WARNING languages: - python - id: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit pattern-either: - patterns: - pattern-not: subprocess.$FUNC("...", ...) - pattern-not: subprocess.$FUNC(["...",...], ...) - pattern-not: subprocess.$FUNC(("...",...), ...) - pattern-not: patterns: - pattern-not-inside: | $ARR = ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...] ... - pattern-inside: | $ARR = [...] ... - pattern-either: - pattern: subprocess.$FUNC(*$ARR, ...) - pattern: subprocess.$FUNC([*$ARR, ...]) - pattern-not: subprocess.CalledProcessError(...) - pattern-not: subprocess.SubprocessError(...) - pattern: subprocess.$FUNC(...) - patterns: - pattern: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",...) - pattern-not: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...) - patterns: - pattern-either: - pattern: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",...],...) - pattern: subprocess.$FUNC(("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",...),...) - pattern-not: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...],...) - pattern-not: subprocess.$FUNC(("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c","...",...),...) - patterns: - pattern: subprocess.$FUNC("=~/(python)/",...) - pattern-not: subprocess.$FUNC("=~/(python)/","...",...) - patterns: - pattern-either: - pattern: subprocess.$FUNC(["=~/(python)/",...],...) - pattern: subprocess.$FUNC(("=~/(python)/",...),...) - pattern-not: subprocess.$FUNC(["=~/(python)/","...",...],...) - pattern-not: subprocess.$FUNC(("=~/(python)/","...",...),...) message: Detected subprocess function '$FUNC' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess - https://docs.python.org/3/library/subprocess.html - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit shortlink: https://sg.run/zL8G semgrep.dev: rule: r_id: 27261 rv_id: 1263471 rule_id: ReU0QY version_id: X0TzyjL url: https://semgrep.dev/playground/r/X0TzyjL/python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit patterns: - pattern-not: os.$W("...", ...) - pattern-either: - pattern: os.system(...) - pattern: getattr(os, "system")(...) - pattern: __import__("os").system(...) - pattern: getattr(__import__("os"), "system")(...) - pattern: | $X = __import__("os") ... $X.system(...) - pattern: | $X = __import__("os") ... getattr($X, "system")(...) - pattern: | $X = getattr(os, "system") ... $X(...) - pattern: | $X = __import__("os") ... $Y = getattr($X, "system") ... $Y(...) - pattern: os.popen(...) - pattern: os.popen2(...) - pattern: os.popen3(...) - pattern: os.popen4(...) message: Found dynamic content used in a system call. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.2.4 Dyanmic Code Execution Features control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements version: '4' category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit shortlink: https://sg.run/2WL0 semgrep.dev: rule: r_id: 27263 rv_id: 1263473 rule_id: BYUkDg version_id: 1QTypR7 url: https://semgrep.dev/playground/r/1QTypR7/python.lang.security.audit.dangerous-system-call-audit.dangerous-system-call-audit origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected patterns: - pattern-not: urllib.$W("...") - pattern-not: urllib.request.$W("...") - pattern-not: $OPENER.$W("...") - pattern-either: - pattern: urllib.urlopen(...) - pattern: urllib.request.urlopen(...) - pattern: urllib.urlretrieve(...) - pattern: urllib.request.urlretrieve(...) - patterns: - pattern-either: - pattern-inside: | $OPENER = urllib.URLopener(...) ... - pattern-inside: | $OPENER = urllib.request.URLopener(...) ... - pattern-inside: | $OPENER = urllib.FancyURLopener(...) ... - pattern-inside: | $OPENER = urllib.request.FancyURLopener(...) ... - pattern-either: - pattern: $OPENER.open(...) - pattern: $OPENER.retrieve(...) message: Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. metadata: cwe: - 'CWE-939: Improper Authorization in Handler for Custom URL Scheme' owasp: A01:2017 - Injection source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/blacklists/calls.py#L163 bandit-code: B310 asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.2.4 Dynamic Code Execution Features control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements version: '4' category: security technology: - python references: - https://cwe.mitre.org/data/definitions/939.html subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected shortlink: https://sg.run/dKZZ semgrep.dev: rule: r_id: 9634 rv_id: 946340 rule_id: 8GUj22 version_id: w8TKJbO url: https://semgrep.dev/playground/r/w8TKJbO/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected origin: community languages: - python severity: WARNING - id: c.lang.correctness.incorrect-use-sscanf-fn.incorrect-use-sscanf-fn patterns: - pattern: sscanf($STR, $FMT, $PTR); - metavariable-regex: metavariable: $FMT regex: '"%(l{0,2}|L)([fegEa]|[dDiouxX])"' message: Avoid 'sscanf()' for number conversions. Its use can lead to undefined behavior, slow processing, and integer overflows. Instead prefer the 'strto*()' family of functions. metadata: references: - https://stackoverflow.com/q/22865622 - https://stackoverflow.com/q/7021725 - https://www.mattkeeter.com/blog/2021-03-01-happen/ category: correctness technology: - c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/c.lang.correctness.incorrect-use-sscanf-fn.incorrect-use-sscanf-fn shortlink: https://sg.run/OP6R semgrep.dev: rule: r_id: 8831 rv_id: 945166 rule_id: PeUZw8 version_id: 0bT15wy url: https://semgrep.dev/playground/r/0bT15wy/c.lang.correctness.incorrect-use-sscanf-fn.incorrect-use-sscanf-fn origin: community languages: - c severity: WARNING - id: csharp.lang.security.missing-hsts-header.missing-hsts-header pattern-either: - patterns: - pattern-inside: | public void Configure(...) { ... (IApplicationBuilder $APP). ...; ... } - focus-metavariable: $APP - pattern-not-inside: | public void Configure(...) { ... (IApplicationBuilder $APP).UseHsts(...); ... } - patterns: - pattern-inside: | public void ConfigureServices(...) { ... (IServiceCollection $SERVICES). ...; ... } - focus-metavariable: $SERVICES - pattern-not-inside: | public void ConfigureServices(...) { ... (IServiceCollection $SERVICES).AddHsts(...); ... } message: The HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol. metadata: category: security technology: - dotnet owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-346: Origin Validation Error' references: - https://cwe.mitre.org/data/definitions/346.html - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/csharp.lang.security.missing-hsts-header.missing-hsts-header shortlink: https://sg.run/8JkN semgrep.dev: rule: r_id: 31440 rv_id: 1262646 rule_id: x8URdb version_id: 5PTo1px url: https://semgrep.dev/playground/r/5PTo1px/csharp.lang.security.missing-hsts-header.missing-hsts-header origin: community languages: - csharp severity: WARNING - id: python.lang.security.audit.python-reverse-shell.python-reverse-shell patterns: - pattern-either: - pattern: pty.spawn("$BINPATH",...) - pattern: subprocess.call(["$BINPATH",...],...) - metavariable-regex: metavariable: $BINPATH regex: /bin/.*?sh\b - pattern-inside: | import socket ... $S = socket.socket(...) ... $S.connect(($IP,$PORT),...) ... message: Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT metadata: cwe: - 'CWE-553: Command Shell in Externally Accessible Directory' category: security technology: - python references: - https://cwe.mitre.org/data/definitions/553.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell shortlink: https://sg.run/gYZJ semgrep.dev: rule: r_id: 15185 rv_id: 946375 rule_id: nJUZRY version_id: BjT1NZ4 url: https://semgrep.dev/playground/r/BjT1NZ4/python.lang.security.audit.python-reverse-shell.python-reverse-shell origin: community languages: - python severity: WARNING - id: python.lang.security.audit.regex-dos.regex_dos patterns: - pattern: | $A = re.compile("$B", ...) ... $A.$METHOD(...) - metavariable-analysis: analyzer: redos metavariable: $B - metavariable-regex: metavariable: $METHOD regex: (?!(escape)|(purge)) message: Detected usage of re.compile with an inefficient regular expression. This can lead to regular expression denial of service, which can result in service down time. Instead, check all regexes or use safer alternatives such as pyre2. languages: - python severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW subcategory: - vuln owasp: A06:2017 - Security Misconfiguration cwe: 'CWE-1333: Inefficient Regular Expression Complexity' category: security technology: - python references: - https://docs.python.org/3/library/re.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/python.lang.security.audit.regex-dos.regex_dos shortlink: https://sg.run/eexd semgrep.dev: rule: r_id: 36776 rv_id: 946376 rule_id: lBU1BR version_id: DkTNpbo url: https://semgrep.dev/playground/r/DkTNpbo/python.lang.security.audit.regex-dos.regex_dos origin: community - id: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected patterns: - pattern-either: - pattern-inside: os.system("...") - pattern-inside: os.popen("...") - pattern-inside: os.popen2("...") - pattern-inside: os.popen3("...") - pattern-inside: os.popen4("...") - pattern-inside: subprocess.$W(..., shell=True, ...) - pattern-regex: (tar|chmod|chown|rsync)(.*?)\* message: Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information. metadata: cwe: - 'CWE-155: Improper Neutralization of Wildcards or Matching Symbols' owasp: A01:2017 - Injection source-url-open: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py references: - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt category: security technology: - python subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected shortlink: https://sg.run/5QXA semgrep.dev: rule: r_id: 9647 rv_id: 946383 rule_id: WAUorE version_id: 6xTxj9B url: https://semgrep.dev/playground/r/6xTxj9B/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected origin: community languages: - python severity: WARNING - id: terraform.aws.correctness.lambda-permission-logs-missing-arn-asterisk.lambda-permission-logs-missing-arn-asterisk severity: WARNING languages: - hcl message: 'The `source_arn` field needs to end with an asterisk, like this: `:*` Without this, the `aws_lambda_permission` resource ''$NAME'' will not be created. Add the asterisk to the end of the arn. x $ARN' metadata: category: correctness references: - https://github.com/hashicorp/terraform-provider-aws/issues/14630 technology: - aws - terraform - aws-lambda license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.correctness.lambda-permission-logs-missing-arn-asterisk.lambda-permission-logs-missing-arn-asterisk shortlink: https://sg.run/3X9r semgrep.dev: rule: r_id: 72343 rv_id: 946655 rule_id: kxUbWw version_id: gETe14w url: https://semgrep.dev/playground/r/gETe14w/terraform.aws.correctness.lambda-permission-logs-missing-arn-asterisk.lambda-permission-logs-missing-arn-asterisk origin: community patterns: - pattern-inside: | resource "aws_lambda_permission" "$NAME" { ... } - pattern: | source_arn = $ARN - metavariable-pattern: metavariable: $ARN patterns: - pattern-regex: arn:aws:logs.* - pattern-not-regex: arn:aws:logs:.*:\* - id: python.requests.best-practice.use-raise-for-status.use-raise-for-status patterns: - pattern-either: - pattern: requests.request(...) - pattern: requests.get(...) - pattern: requests.post(...) - pattern: requests.put(...) - pattern: requests.delete(...) - pattern: requests.head(...) - pattern: requests.patch(...) - pattern-not-inside: | $RESP = requests.$METHOD(...) $RESP.raise_for_status(...) - pattern-not-inside: | requests.$METHOD(...).raise_for_status(...) - pattern-not-inside: | $RESP = requests.$METHOD(...) if $RESP.status_code == ...: ... - pattern-not-inside: | $RESP = requests.$METHOD(...) if $RESP.status_code != ...: ... - pattern-not-inside: | $RESP = requests.$METHOD(...) ... if $RESP.ok: ... - pattern-not-inside: | $RESP = requests.$METHOD(...) ... if not $RESP.ok: ... - pattern-not-inside: | with ...: ... $RESP = requests.$METHOD(...) ... $RESP.raise_for_status(...) - pattern-not-inside: | with ... as ...: ... $RESP = requests.$METHOD(...) ... $RESP.raise_for_status(...) message: There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401. metadata: references: - https://requests.readthedocs.io/en/master/api/#requests.Response.raise_for_status category: best-practice technology: - requests license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.requests.best-practice.use-raise-for-status.use-raise-for-status shortlink: https://sg.run/J3Xw semgrep.dev: rule: r_id: 9690 rv_id: 946440 rule_id: DbUWd2 version_id: kbTYkXK url: https://semgrep.dev/playground/r/kbTYkXK/python.requests.best-practice.use-raise-for-status.use-raise-for-status origin: community severity: WARNING languages: - python - id: python.requests.best-practice.use-request-json-shortcut.python.requests.best-practice.use-request-json-shortcut patterns: - pattern-inside: import json; ... - pattern-inside: import requests; ... - pattern: requests.$METHOD(..., body=json.dumps($BODY), ...) message: The requests library has a convenient shortcut for sending JSON requests, which lets you stop worrying about serializing the body yourself. To use it, replace `body=json.dumps(...)` with `json=...`. severity: WARNING metadata: references: - https://requests.readthedocs.io/en/stable/user/quickstart/#more-complicated-post-requests category: best-practice technology: - requests license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.requests.best-practice.use-request-json-shortcut.python.requests.best-practice.use-request-json-shortcut shortlink: https://sg.run/58YA semgrep.dev: rule: r_id: 9691 rv_id: 946441 rule_id: WAUZzE version_id: w8TKJw9 url: https://semgrep.dev/playground/r/w8TKJw9/python.requests.best-practice.use-request-json-shortcut.python.requests.best-practice.use-request-json-shortcut origin: community languages: - python - id: python.requests.best-practice.use-response-json-shortcut.python.requests.best-practice.use-response-json-shortcut patterns: - pattern-inside: import json; ... - pattern-inside: import requests; ... - pattern-inside: $RESP = requests.$METHOD(...); ... - pattern: json.loads($RESP.text) fix: $RESP.json() message: The requests library has a convenient shortcut for reading JSON responses, which lets you stop worrying about deserializing the response yourself. severity: WARNING metadata: references: - https://requests.readthedocs.io/en/stable/user/quickstart/#json-response-content category: best-practice technology: - requests license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.requests.best-practice.use-response-json-shortcut.python.requests.best-practice.use-response-json-shortcut shortlink: https://sg.run/GW2p semgrep.dev: rule: r_id: 9692 rv_id: 946442 rule_id: 0oUExl version_id: xyTqnov url: https://semgrep.dev/playground/r/xyTqnov/python.requests.best-practice.use-response-json-shortcut.python.requests.best-practice.use-response-json-shortcut origin: community languages: - python - id: python.requests.best-practice.use-timeout.use-timeout pattern-either: - patterns: - pattern-not: requests.$W(..., timeout=$N, ...) - pattern-not: requests.$W(..., **$KWARGS) - pattern-either: - pattern: requests.request(...) - pattern: requests.get(...) - pattern: requests.post(...) - pattern: requests.put(...) - pattern: requests.delete(...) - pattern: requests.head(...) - pattern: requests.patch(...) - patterns: - pattern-inside: | $SESSION = requests.Session(...) ... - pattern-not: | $SESSION.$W(..., timeout=$N, ...) - pattern-not: | $SESSION.$W(..., **$KWARGS) - pattern-either: - pattern: $SESSION.get(...) - pattern: $SESSION.post(...) - pattern: $SESSION.put(...) - pattern: $SESSION.delete(...) - pattern: $SESSION.head(...) - pattern: $SESSION.patch(...) fix-regex: regex: (.*)\)$ replacement: \1, timeout=30) message: Detected a 'requests' call without a timeout set. By default, 'requests' calls wait until the connection is closed. This means a 'requests' call without a timeout will hang the program if a response is never received. Consider setting a timeout for all 'requests'. languages: - python severity: WARNING metadata: category: best-practice references: - https://docs.python-requests.org/en/latest/user/advanced/?highlight=timeout#timeouts - https://requests.readthedocs.io/en/latest/user/quickstart/#timeouts technology: - requests license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.requests.best-practice.use-timeout.use-timeout shortlink: https://sg.run/R8kO semgrep.dev: rule: r_id: 9693 rv_id: 946443 rule_id: KxU42G version_id: O9TX3Yn url: https://semgrep.dev/playground/r/O9TX3Yn/python.requests.best-practice.use-timeout.use-timeout origin: community - id: python.sqlalchemy.correctness.bad-operator-in-filter.bad-operator-in-filter languages: - python message: Only comparison operators should be used inside SQLAlchemy filter expressions. Use `==` instead of `is`, `!=` instead of `is not`, `sqlalchemy.and_` instead of `and`, `sqlalchemy.or_` instead of `or`, `sqlalchemy.not_` instead of `not`, and `sqlalchemy.in_` instead of `in_`. metadata: references: - https://docs.sqlalchemy.org/en/13/orm/tutorial.html#common-filter-operators category: correctness technology: - sqlalchemy license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.sqlalchemy.correctness.bad-operator-in-filter.bad-operator-in-filter shortlink: https://sg.run/0nLv semgrep.dev: rule: r_id: 9698 rv_id: 946447 rule_id: 5rU4JE version_id: ZRT35rO url: https://semgrep.dev/playground/r/ZRT35rO/python.sqlalchemy.correctness.bad-operator-in-filter.bad-operator-in-filter origin: community patterns: - pattern-inside: | def $ANY(...): ... $MODEL.query - pattern-inside: | $TARGET.filter(...) - pattern-either: - pattern: not $A - pattern: $A is $B - pattern: $A is not $B - pattern: $A and $B - pattern: $A or $B - pattern: $A in $B - pattern: $A not in $B severity: WARNING - id: python.lang.compatibility.python37.python37-compatibility-importlib3 pattern: import importlib.abc.ResourceReader message: Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib3 shortlink: https://sg.run/Zv2o semgrep.dev: rule: r_id: 9579 rv_id: 946269 rule_id: QrUzJ9 version_id: JdTDyrP url: https://semgrep.dev/playground/r/JdTDyrP/python.lang.compatibility.python37.python37-compatibility-importlib3 origin: community - id: python.lang.compatibility.python37.python37-compatibility-textiowrapper pattern: TextIOWrapper.reconfigure(...) message: Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper shortlink: https://sg.run/ndL2 semgrep.dev: rule: r_id: 9580 rv_id: 946270 rule_id: 3qUPdy version_id: 5PT9OD8 url: https://semgrep.dev/playground/r/5PT9OD8/python.lang.compatibility.python37.python37-compatibility-textiowrapper origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv6network1 pattern: ipaddress.IPv6Network.subnet_of($X) message: IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1 shortlink: https://sg.run/EkLe semgrep.dev: rule: r_id: 9581 rv_id: 946271 rule_id: 4bUko0 version_id: GxTP7Er url: https://semgrep.dev/playground/r/GxTP7Er/python.lang.compatibility.python37.python37-compatibility-ipv6network1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv6network2 pattern: ipaddress.IPv6Network.supernet_of($X) message: IPv6Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network2 shortlink: https://sg.run/7orW semgrep.dev: rule: r_id: 9582 rv_id: 946272 rule_id: PeUZYr version_id: RGTAgGq url: https://semgrep.dev/playground/r/RGTAgGq/python.lang.compatibility.python37.python37-compatibility-ipv6network2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv4network1 pattern: ipaddress.IPv4Network.subnet_of($X) message: IPv4Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network1 shortlink: https://sg.run/LwRo semgrep.dev: rule: r_id: 9583 rv_id: 946273 rule_id: JDUyqR version_id: A8TJz73 url: https://semgrep.dev/playground/r/A8TJz73/python.lang.compatibility.python37.python37-compatibility-ipv4network1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv4network2 pattern: ipaddress.IPv4Network.supernet_of($X) message: IPv4Network.supernet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the supernet is in 'supernet'. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv4network2 shortlink: https://sg.run/8y3E semgrep.dev: rule: r_id: 9584 rv_id: 946274 rule_id: 5rUO61 version_id: BjT1N0K url: https://semgrep.dev/playground/r/BjT1N0K/python.lang.compatibility.python37.python37-compatibility-ipv4network2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-locale1 pattern: locale.format_string(monetary=$X, ...) message: Found usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1 shortlink: https://sg.run/gLeZ semgrep.dev: rule: r_id: 9585 rv_id: 946275 rule_id: GdU72R version_id: DkTNp0N url: https://semgrep.dev/playground/r/DkTNp0N/python.lang.compatibility.python37.python37-compatibility-locale1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-math1 pattern: math.remainder($X, $Y) message: math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1 shortlink: https://sg.run/Q50Q semgrep.dev: rule: r_id: 9586 rv_id: 946276 rule_id: ReUgbz version_id: WrTEopQ url: https://semgrep.dev/playground/r/WrTEopQ/python.lang.compatibility.python37.python37-compatibility-math1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-multiprocess1 pattern: multiprocessing.Process.close() message: multiprocessing.Process.close() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use join(). languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess1 shortlink: https://sg.run/3xjp semgrep.dev: rule: r_id: 9587 rv_id: 946277 rule_id: AbUzRA version_id: 0bT15be url: https://semgrep.dev/playground/r/0bT15be/python.lang.compatibility.python37.python37-compatibility-multiprocess1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-multiprocess2 pattern: multiprocessing.Process.kill() message: multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate(). languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2 shortlink: https://sg.run/4x1z semgrep.dev: rule: r_id: 9588 rv_id: 946278 rule_id: BYUNE9 version_id: K3TJbqK url: https://semgrep.dev/playground/r/K3TJbqK/python.lang.compatibility.python37.python37-compatibility-multiprocess2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-os2-ok2 patterns: - pattern-not-inside: | if hasattr(os, 'pwritev'): ... - pattern: os.pwritev(...) message: os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev(). languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2 shortlink: https://sg.run/5Q9X semgrep.dev: rule: r_id: 9591 rv_id: 946280 rule_id: 0oU5vW version_id: l4Tx9Op url: https://semgrep.dev/playground/r/l4Tx9Op/python.lang.compatibility.python37.python37-compatibility-os2-ok2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-pdb pattern: pdb.set_trace(header=$X, ...) message: pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument. languages: - python severity: ERROR metadata: category: compatibility technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb shortlink: https://sg.run/GeA2 semgrep.dev: rule: r_id: 9592 rv_id: 946281 rule_id: KxUby2 version_id: YDTvR0k url: https://semgrep.dev/playground/r/YDTvR0k/python.lang.compatibility.python37.python37-compatibility-pdb origin: community - id: python.lang.correctness.baseclass-attribute-override.baseclass-attribute-override message: Class $C inherits from both `$A` and `$B` which both have a method named `$F`; one of these methods will be overwritten. languages: - python severity: WARNING patterns: - pattern-inside: | class $A(...): ... def $F1(...): ... ... ... - pattern-inside: | class $B(...): ... def $F2(...): ... ... ... - metavariable-comparison: comparison: str($F1) == str($F2) - pattern: | class $C(..., $A, ..., $B, ...): ... - focus-metavariable: $C metadata: category: correctness references: - https://docs.python.org/3/tutorial/classes.html#multiple-inheritance technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.baseclass-attribute-override.baseclass-attribute-override shortlink: https://sg.run/Roze semgrep.dev: rule: r_id: 9593 rv_id: 946282 rule_id: qNUjq2 version_id: 6xTxjgW url: https://semgrep.dev/playground/r/6xTxjgW/python.lang.correctness.baseclass-attribute-override.baseclass-attribute-override origin: community - id: python.lang.correctness.cannot-cache-generators.cannot-cache-generators patterns: - pattern-inside: | @functools.lru_cache(...) def $FUNC(...): ... yield ... - pattern: functools.lru_cache(...) message: Generators can only be consumed once, so in most cases, caching them will cause an error when the already-consumed generator is retrieved from cache. languages: - python severity: WARNING metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.cannot-cache-generators.cannot-cache-generators shortlink: https://sg.run/gG8y semgrep.dev: rule: r_id: 20041 rv_id: 946283 rule_id: 4bUe9x version_id: o5TZeER url: https://semgrep.dev/playground/r/o5TZeER/python.lang.correctness.cannot-cache-generators.cannot-cache-generators origin: community - id: python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict message: 'Function $F mutates default dict $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new dictionary at that time. For example: `if $D is None: $D = {}`.' languages: - python severity: ERROR options: symbolic_propagation: true patterns: - pattern-not-inside: | def $A(...): ... def $F(..., $D={}, ...): ... - pattern-inside: | def $F(..., $D={}, ...): ... - pattern-not-inside: | $D = {} ... - pattern-not-inside: | $D = dict(...) ... - pattern-not-inside: | $D = $D.copy() ... - pattern-not-inside: | $D = copy.deepcopy($D) ... - pattern-not-inside: | $D = copy.copy($D) ... - pattern-not-inside: | $D = dict.copy($D) ... - pattern-not-inside: | $D = {... for ... in ...} ... - pattern-not-inside: | $D = $D or {} ... - pattern-either: - pattern: | $D[...] = ... - pattern: | $D.update(...) - pattern: | $D.setdefault(...) metadata: category: correctness technology: - python references: - https://docs.python-guide.org/writing/gotchas/#mutable-default-arguments license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict shortlink: https://sg.run/Av4p semgrep.dev: rule: r_id: 9606 rv_id: 946284 rule_id: qNUjqR version_id: zyTlkJe url: https://semgrep.dev/playground/r/zyTlkJe/python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict origin: community - id: python.lang.correctness.common-mistakes.default-mutable-list.default-mutable-list message: 'Function $F mutates default list $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new list at that time. For example: `if $D is None: $D = []`.' languages: - python severity: ERROR options: symbolic_propagation: true patterns: - pattern-not-inside: | def $A(...): ... def $F(..., $D=[], ...): ... - pattern-inside: | def $F(..., $D=[], ...): ... - pattern-not-inside: | $D = [] ... - pattern-not-inside: | $D = [...] ... - pattern-not-inside: | $D = list(...) ... - pattern-not-inside: | $D = copy.deepcopy($D) ... - pattern-not-inside: | $D = copy.copy($D) ... - pattern-not-inside: | $D = list.copy($D) ... - pattern-not-inside: | $D = $D[:] ... - pattern-not-inside: | $D = [... for ... in ...] ... - pattern-not-inside: | $D = $D or [] ... - pattern-either: - pattern: | $D.append(...) - pattern: | $D.extend(...) - pattern: | $D.insert(...) metadata: category: correctness technology: - python references: - https://docs.python-guide.org/writing/gotchas/#mutable-default-arguments license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.default-mutable-list.default-mutable-list shortlink: https://sg.run/BkPW semgrep.dev: rule: r_id: 9607 rv_id: 946285 rule_id: lBU9PZ version_id: pZTNOjq url: https://semgrep.dev/playground/r/pZTNOjq/python.lang.correctness.common-mistakes.default-mutable-list.default-mutable-list origin: community - id: python.lang.correctness.common-mistakes.string-concat-in-list.string-concat-in-list patterns: - pattern-either: - pattern-inside: '[...]' - pattern-inside: '{...}' - pattern: '"..." "..."' - pattern-not-inside: f"..." - pattern-not-inside: '{..., $KEY: $VALUE, ...}' message: Detected strings that are implicitly concatenated inside a list. Python will implicitly concatenate strings when not explicitly delimited. Was this supposed to be individual elements of the list? severity: WARNING languages: - python metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.string-concat-in-list.string-concat-in-list shortlink: https://sg.run/Kl07 semgrep.dev: rule: r_id: 9611 rv_id: 946289 rule_id: zdUkRQ version_id: 1QToKLA url: https://semgrep.dev/playground/r/1QToKLA/python.lang.correctness.common-mistakes.string-concat-in-list.string-concat-in-list origin: community - id: python.lang.correctness.concurrent.uncaught-executor-exceptions patterns: - pattern-inside: | with concurrent.futures.thread.ThreadPoolExecutor(...) as $EXECUTOR: ... - pattern-not-inside: | $VAR = $EXECUTOR.map(...) ... for ... in $VAR: ... - pattern-not-inside: | $VAR = $EXECUTOR.map(...) ... [... for ... in $VAR] - pattern-not-inside: | [... for ... in $EXECUTOR.map(...)] - pattern-not-inside: | for $IT in $EXECUTOR.map(...): ... - pattern: $EXECUTOR.map(...) message: 'Values returned by thread pool map must be read in order to raise exceptions. Consider using `for _ in $EXECUTOR.map(...): pass`.' severity: WARNING languages: - python metadata: references: - https://superfastpython.com/threadpoolexecutor-exception-handling/ category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.concurrent.uncaught-executor-exceptions shortlink: https://sg.run/Av48 semgrep.dev: rule: r_id: 9594 rv_id: 946290 rule_id: lBU9Pl version_id: 9lTy109 url: https://semgrep.dev/playground/r/9lTy109/python.lang.correctness.concurrent.uncaught-executor-exceptions origin: community - id: python.lang.correctness.dict-modify-iterating.dict-del-while-iterate message: 'It appears that `$DICT[$KEY]` is a dict with items being deleted while in a for loop. This is usually a bad idea and will likely lead to a RuntimeError: dictionary changed size during iteration' metadata: references: - https://docs.python.org/3/library/stdtypes.html#dictionary-view-objects category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.dict-modify-iterating.dict-del-while-iterate shortlink: https://sg.run/BkP2 semgrep.dev: rule: r_id: 9595 rv_id: 946291 rule_id: PeUZLW version_id: yeT0n14 url: https://semgrep.dev/playground/r/yeT0n14/python.lang.correctness.dict-modify-iterating.dict-del-while-iterate origin: community languages: - python severity: WARNING pattern-either: - pattern: | for $KEY, $VALUE in $DICT.items(): ... del $DICT[$KEY] - pattern: | for $KEY in $DICT.keys(): ... del $DICT[$KEY] - id: python.lang.correctness.exit.use-sys-exit languages: - python message: Detected use of `exit`. Use `sys.exit` over the python shell `exit` built-in. `exit` is a helper for the interactive shell and may not be available on all Python implementations. patterns: - pattern: exit($X) - pattern-not: sys.exit($X) severity: WARNING fix: sys.exit($X) metadata: category: correctness technology: - python references: - https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.exit.use-sys-exit shortlink: https://sg.run/Do5o semgrep.dev: rule: r_id: 9596 rv_id: 946293 rule_id: JDUygy version_id: bZTXwer url: https://semgrep.dev/playground/r/bZTXwer/python.lang.correctness.exit.use-sys-exit origin: community - id: python.lang.correctness.file-object-redefined-before-close.file-object-redefined-before-close patterns: - pattern: | $F = open($X, ...) ... $F = open($Y, ...) - pattern-not: | $F = open($X, ...) ... $F.close() ... $F = open($Y, ...) message: Detected a file object that is redefined and never closed. This could leak file descriptors and unnecessarily consume system resources. languages: - python severity: WARNING metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.file-object-redefined-before-close.file-object-redefined-before-close shortlink: https://sg.run/W81g semgrep.dev: rule: r_id: 9597 rv_id: 946294 rule_id: 5rUO54 version_id: NdTqk2P url: https://semgrep.dev/playground/r/NdTqk2P/python.lang.correctness.file-object-redefined-before-close.file-object-redefined-before-close origin: community - id: problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request message: 'Checks for lack of usage of the "secure: true" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as "implicit" that still does not encrypt all traffic. ftp is the most utilized npm ftp module.' severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://www.npmjs.com/package/ftp - https://openbase.io/js/ftp subcategory: - vuln technology: - node.js vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request shortlink: https://sg.run/b7QW semgrep.dev: rule: r_id: 9426 rv_id: 946070 rule_id: d8UjZ6 version_id: RGTAg7Z url: https://semgrep.dev/playground/r/RGTAg7Z/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request origin: community languages: - javascript - typescript patterns: - pattern-inside: | $X = require('ftp'); ... $C = new $X(); ... - pattern-not-inside: | $OPTIONS = {secure: true}; ... - pattern: | $C.connect($OPTIONS,...); - pattern-not: | $C.connect({...,secure: true}); - id: problem-based-packs.insecure-transport.js-node.http-request.http-request message: Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://nodejs.org/api/http.html#http_http_request_options_callback subcategory: - vuln technology: - node.js vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request shortlink: https://sg.run/N4Qy semgrep.dev: rule: r_id: 9427 rv_id: 946071 rule_id: ZqU5r3 version_id: A8TJz8O url: https://semgrep.dev/playground/r/A8TJz8O/problem-based-packs.insecure-transport.js-node.http-request.http-request origin: community languages: - javascript patterns: - pattern-inside: | $HTTP = require('http'); ... - pattern-either: - pattern: | $HTTP.request("=~/http://.*/",...); - pattern: | $HTTP.get("=~/http://.*/", ...) - pattern: | $VAR = new URL("=~/http://.*/"); ... $HTTP.request($VAR, ...); - pattern: | $VAR = {...,hostname: "..."}; ... $HTTP.request(..., $VAR, ...); - pattern: | $HTTP.request(..., {...,hostname: "..."}, ...); - pattern-not: | $VAR = {...,protocol: "https"}; ... $HTTP.request(..., $VAR, ...); - pattern-not: | $HTTP.request(..., {...,protocol: "https"}, ...); - id: problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support message: Checks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://www.npmjs.com/package/axios - https://www.npmjs.com/package/got - https://www.npmjs.com/package/node-rest-client subcategory: - vuln technology: - node.js vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support shortlink: https://sg.run/kXGP semgrep.dev: rule: r_id: 9428 rv_id: 946072 rule_id: nJUzKP version_id: BjT1N5l url: https://semgrep.dev/playground/r/BjT1N5l/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support origin: community languages: - javascript patterns: - pattern-either: - pattern-inside: | $CLIENT = require('node-rest-client').Client; ... $C = new $CLIENT(); ... - pattern-inside: | $C = require('axios'); ... - pattern-inside: | $C = require('got'); ... - pattern-either: - pattern: | $C.$REQ("=~/http://.*/", ...) - pattern: | $C("=~/http://.*/", ...) - pattern: | $C({...,url: "=~/http://.*/"}) - pattern: | $C.$REQ({...,url: "=~/http://.*/"}) - id: problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request message: Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://www.npmjs.com/package/telnet - https://www.npmjs.com/package/telnet-client subcategory: - vuln technology: - node.js vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request shortlink: https://sg.run/weoA semgrep.dev: rule: r_id: 9429 rv_id: 946073 rule_id: EwU2GA version_id: DkTNpJJ url: https://semgrep.dev/playground/r/DkTNpJJ/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request origin: community languages: - javascript patterns: - pattern-either: - pattern-inside: | $TEL = require('telnet-client'); ... $SERVER = new $TEL(); ... - pattern-inside: | $SERVER = require('telnet'); ... - pattern-either: - pattern: | $SERVER.on(...) - pattern: | $SERVER.connect(...) - pattern: | $SERVER.createServer(...) - id: problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests message: Checks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://github.com/rest-client/rest-client - https://github.com/jnunemaker/httparty/tree/master/docs subcategory: - vuln technology: - httparty - rest-client vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests shortlink: https://sg.run/OPQL semgrep.dev: rule: r_id: 9431 rv_id: 946075 rule_id: L1UyKG version_id: 0bT15Bn url: https://semgrep.dev/playground/r/0bT15Bn/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests origin: community languages: - ruby pattern-either: - pattern: | HTTParty.$PARTYVERB("=~/[hH][tT][tT][pP]://.*/", ...) - pattern: | $STRING = "=~/[hH][tT][tT][pP]://.*/" ... HTTParty.$PARTYVERB($STRING, ...) - pattern: | RestClient.$RESTVERB "=~/[hH][tT][tT][pP]://.*/", ... - pattern: | RestClient::Request.execute(..., url: "=~/[hH][tT][tT][pP]://.*/", ...) - id: problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request message: Checks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html subcategory: - vuln technology: - ruby vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request shortlink: https://sg.run/eLQ8 semgrep.dev: rule: r_id: 9432 rv_id: 946076 rule_id: 8GUj13 version_id: K3TJbe1 url: https://semgrep.dev/playground/r/K3TJbe1/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request origin: community languages: - ruby pattern-either: - pattern: | $FTP = Net::FTP.new('...') ... $FTP.login - pattern: | Net::FTP.open('...') do |ftp| ... ftp.login end - id: problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request message: Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://ruby-doc.org/stdlib-2.6.5/libdoc/net/http/rdoc/Net/ subcategory: - vuln technology: - ruby vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request shortlink: https://sg.run/vz6Y semgrep.dev: rule: r_id: 9433 rv_id: 946077 rule_id: gxU1lE version_id: qkT4jG8 url: https://semgrep.dev/playground/r/qkT4jG8/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request origin: community languages: - ruby patterns: - pattern-either: - pattern: | $URI = URI('=~/[hH][tT][tT][pP]://.*/') ... Net::HTTP::$FUNC.new $URI - pattern: | $URI = URI('=~/[hH][tT][tT][pP]://.*/') ... Net::HTTP.$FUNC($URI, ...) - pattern: | Net::HTTP.$FUNC(URI('=~/[hH][tT][tT][pP]://.*/'), ...) - metavariable-regex: metavariable: $FUNC regex: ([gG]et|post_form|[pP]ost|get_response|get_print|Head|Patch|Put|Proppatch|Lock|Unlock|Options|Propfind|Delete|Move|Copy|Trace|Mkcol) - id: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request message: Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html - https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet subcategory: - vuln technology: - ruby vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request shortlink: https://sg.run/dKQE semgrep.dev: rule: r_id: 9434 rv_id: 946078 rule_id: QrUzo2 version_id: l4Tx9bO url: https://semgrep.dev/playground/r/l4Tx9bO/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request origin: community languages: - ruby pattern-either: - pattern: | Net::Telnet::new(...) - pattern: | Net::SSH::Telnet.new(...) - id: problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request message: Checks for requests to http and ftp (unencrypted) sites using OpenURI. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: A03:2017 - Sensitive Data Exposure references: - https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html subcategory: - vuln technology: - open-uri vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request shortlink: https://sg.run/ZvQw semgrep.dev: rule: r_id: 9435 rv_id: 946079 rule_id: 3qUPNe version_id: YDTvR5b url: https://semgrep.dev/playground/r/YDTvR5b/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request origin: community languages: - ruby pattern-either: - pattern: | URI.open('=~/[hH][tT][tT][pP]://.*/', ...) - pattern: | $URI = URI.parse('=~/[hH][tT][tT][pP]://.*/', ...) ... $URI.open - pattern: | URI.open('=~/^[fF][tT][pP]://.*/', ...) - pattern: | $URI = URI.parse('=~/^[fF][tT][pP]://.*/', ...) ... $URI.open - id: ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-javascript.anthropic-missing-metadata-user-id-javascript languages: - javascript - typescript severity: WARNING message: Anthropic messages.create() called without 'metadata' parameter. Pass a metadata object with a hashed user_id to enable abuse tracking and policy enforcement. See https://docs.anthropic.com/en/api/messages metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-javascript.anthropic-missing-metadata-user-id-javascript shortlink: https://sg.run/B2l6R semgrep.dev: rule: r_id: 288795 rv_id: 1413353 rule_id: EwUpvKy version_id: pZT241o url: https://semgrep.dev/playground/r/pZT241o/ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-javascript.anthropic-missing-metadata-user-id-javascript origin: community patterns: - pattern: $CLIENT.messages.create({...}) - pattern-not: '$CLIENT.messages.create({..., metadata: $META, ...})' - id: ai.ai-best-practices.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp-generic languages: - generic severity: WARNING message: '"enableAllProjectMcpServers" is set to true in settings. This automatically enables all MCP servers defined in project configuration without user confirmation, allowing malicious repositories to register arbitrary MCP servers that execute code on your machine. Remove this setting or set it to false so that MCP servers require explicit approval.' metadata: cwe: 'CWE-862: Missing Authorization' category: security confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: MEDIUM technology: - claude-code references: - https://docs.anthropic.com/en/docs/claude-code/security license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ai.ai-best-practices.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp-generic shortlink: https://sg.run/AjKv8 semgrep.dev: rule: r_id: 286706 rv_id: 1409303 rule_id: r6Uonr0 version_id: DkTwBQP url: https://semgrep.dev/playground/r/DkTwBQP/ai.ai-best-practices.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp.claude-settings-auto-enable-mcp-generic origin: community paths: include: - '**/settings.json' - '**/.claude/**' - '**/*.settings.json' pattern-regex: '"enableAllProjectMcpServers"\s*:\s*true' - id: rust.lang.security.args-os.args-os message: 'args_os should not be used for security operations. From the docs: "The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes."' pattern: std::env::args_os() metadata: references: - https://doc.rust-lang.org/stable/std/env/fn.args_os.html technology: - rust category: security cwe: 'CWE-807: Reliance on Untrusted Inputs in a Security Decision' confidence: HIGH likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/rust.lang.security.args-os.args-os shortlink: https://sg.run/G6k6 semgrep.dev: rule: r_id: 40104 rv_id: 946547 rule_id: DbUeEe version_id: d6TPjBp url: https://semgrep.dev/playground/r/d6TPjBp/rust.lang.security.args-os.args-os origin: community languages: - rust severity: INFO - id: rust.lang.security.args.args message: 'args should not be used for security operations. From the docs: "The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes."' pattern: std::env::args() metadata: references: - https://doc.rust-lang.org/stable/std/env/fn.args.html technology: - rust category: security cwe: 'CWE-807: Reliance on Untrusted Inputs in a Security Decision' confidence: HIGH likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/rust.lang.security.args.args shortlink: https://sg.run/RADN semgrep.dev: rule: r_id: 40105 rv_id: 946548 rule_id: WAU6Lk version_id: ZRT35Ly url: https://semgrep.dev/playground/r/ZRT35Ly/rust.lang.security.args.args origin: community languages: - rust severity: INFO - id: rust.lang.security.current-exe.current-exe message: 'current_exe should not be used for security operations. From the docs: "The output of this function should not be trusted for anything that might have security implications. Basically, if users can run the executable, they can change the output arbitrarily."' pattern: std::env::current_exe() metadata: references: - https://doc.rust-lang.org/stable/std/env/fn.current_exe.html#security technology: - rust category: security cwe: 'CWE-807: Reliance on Untrusted Inputs in a Security Decision' confidence: HIGH likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/rust.lang.security.current-exe.current-exe shortlink: https://sg.run/AW1B semgrep.dev: rule: r_id: 40106 rv_id: 946549 rule_id: 0oU6nZ version_id: nWTpz6d url: https://semgrep.dev/playground/r/nWTpz6d/rust.lang.security.current-exe.current-exe origin: community languages: - rust severity: INFO - id: rust.lang.security.insecure-hashes.insecure-hashes message: Detected cryptographically insecure hashing function pattern-either: - pattern: md2::Md2::new(...) - pattern: md4::Md4::new(...) - pattern: md5::Md5::new(...) - pattern: sha1::Sha1::new(...) metadata: references: - https://github.com/RustCrypto/hashes - https://docs.rs/md2/latest/md2/ - https://docs.rs/md4/latest/md4/ - https://docs.rs/md5/latest/md5/ - https://docs.rs/sha-1/latest/sha1/ technology: - rust category: security cwe: 'CWE-328: Use of Weak Hash' confidence: HIGH likelihood: LOW impact: MEDIUM subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/rust.lang.security.insecure-hashes.insecure-hashes shortlink: https://sg.run/B09R semgrep.dev: rule: r_id: 40107 rv_id: 946550 rule_id: KxUOxA version_id: ExTg29b url: https://semgrep.dev/playground/r/ExTg29b/rust.lang.security.insecure-hashes.insecure-hashes origin: community languages: - rust severity: WARNING - id: rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid message: Dangerously accepting invalid TLS information pattern-either: - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_hostnames(true) - pattern: reqwest::Client::builder(). ... .danger_accept_invalid_certs(true) metadata: references: - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs technology: - reqwest category: security cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: LOW impact: MEDIUM subcategory: vuln license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid shortlink: https://sg.run/DqrG semgrep.dev: rule: r_id: 40108 rv_id: 946551 rule_id: qNUKDg version_id: 7ZTrQLJ url: https://semgrep.dev/playground/r/7ZTrQLJ/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid origin: community languages: - rust severity: WARNING - id: rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive message: Set sensitive flag on security headers with 'set_sensitive' to treat data with special care patterns: - pattern: | let mut $HEADERS = header::HeaderMap::new(); ... let $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>; ... $HEADERS.insert($HEADER, $HEADER_VALUE); - pattern-not: | let mut $HEADERS = header::HeaderMap::new(); ... let $HEADER_VALUE = <... header::HeaderValue::$FROM_FUNC(...) ...>; ... $HEADER_VALUE.set_sensitive(true); ... $HEADERS.insert($HEADER, $HEADER_VALUE); - metavariable-pattern: metavariable: $FROM_FUNC pattern-either: - pattern: from_static - pattern: from_str - pattern: from_name - pattern: from_bytes - pattern: from_maybe_shared - metavariable-pattern: metavariable: $HEADER pattern-either: - pattern: header::AUTHORIZATION - pattern: '"Authorization"' metadata: references: - https://docs.rs/reqwest/latest/reqwest/header/struct.HeaderValue.html#method.set_sensitive technology: - reqwest category: security cwe: 'CWE-921: Storage of Sensitive Data in a Mechanism without Access Control' confidence: MEDIUM likelihood: LOW impact: LOW subcategory: audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive shortlink: https://sg.run/WKlE semgrep.dev: rule: r_id: 40109 rv_id: 946552 rule_id: lBUNEw version_id: LjTXy1d url: https://semgrep.dev/playground/r/LjTXy1d/rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive origin: community languages: - rust severity: INFO - id: rust.lang.security.rustls-dangerous.rustls-dangerous message: Dangerous client config used, ensure SSL verification pattern-either: - pattern: rustls::client::DangerousClientConfig - pattern: $CLIENT.dangerous().set_certificate_verifier(...) - pattern: | let $CLIENT = rustls::client::ClientConfig::dangerous(...); ... $CLIENT.set_certificate_verifier(...); metadata: references: - https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html - https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous technology: - rustls category: security cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: LOW impact: MEDIUM subcategory: vuln license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous shortlink: https://sg.run/01Rw semgrep.dev: rule: r_id: 40110 rv_id: 946553 rule_id: YGU8LK version_id: 8KTKjdO url: https://semgrep.dev/playground/r/8KTKjdO/rust.lang.security.rustls-dangerous.rustls-dangerous origin: community languages: - rust severity: WARNING - id: scala.lang.correctness.positive-number-index-of.positive-number-index-of metadata: category: correctness technology: - scala references: - https://blog.codacy.com/9-scala-security-issues/ confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/scala.lang.correctness.positive-number-index-of.positive-number-index-of shortlink: https://sg.run/PbqY semgrep.dev: rule: r_id: 15189 rv_id: 946558 rule_id: 8GUzZG version_id: PkTQZp4 url: https://semgrep.dev/playground/r/PkTQZp4/scala.lang.correctness.positive-number-index-of.positive-number-index-of origin: community message: Flags scala code that look for values that are greater than 0. This ignores the first element, which is most likely a bug. Instead, use indexOf with -1. If the intent is to check the inclusion of a value, use the contains method instead. severity: WARNING languages: - scala patterns: - pattern-either: - patterns: - pattern: | $OBJ.indexOf(...) > $VALUE - metavariable-comparison: metavariable: $VALUE comparison: $VALUE >= 0 - patterns: - pattern: | $OBJ.indexOf(...) >= $SMALLERVAL - metavariable-comparison: metavariable: $SMALLERVAL comparison: $SMALLERVAL > 0 - id: ai.ai-best-practices.claude-settings-bypass-permissions.claude-settings-bypass-permissions.claude-settings-bypass-permissions-generic languages: - generic severity: ERROR message: 'Dangerous permission bypass detected in Claude Code or Cursor settings. Settings like "bypassPermissions", "allowUnsandboxedCommands: true", or "enableWeakerNestedSandbox: true" disable critical security controls that protect against malicious tool use. Remove these settings or set them to false to maintain proper sandboxing and permission checks.' metadata: cwe: 'CWE-862: Missing Authorization' category: security confidence: HIGH subcategory: - vuln likelihood: HIGH impact: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/security license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ai.ai-best-practices.claude-settings-bypass-permissions.claude-settings-bypass-permissions.claude-settings-bypass-permissions-generic shortlink: https://sg.run/B2qk2 semgrep.dev: rule: r_id: 286707 rv_id: 1409304 rule_id: bwUKEwK version_id: WrT7ebD url: https://semgrep.dev/playground/r/WrT7ebD/ai.ai-best-practices.claude-settings-bypass-permissions.claude-settings-bypass-permissions.claude-settings-bypass-permissions-generic origin: community paths: include: - '**/settings.json' - '**/.claude/**' - '**/*.settings.json' pattern-either: - pattern-regex: '"bypassPermissions"' - pattern-regex: '"allowUnsandboxedCommands"\s*:\s*true' - pattern-regex: '"enableWeakerNestedSandbox"\s*:\s*true' - id: ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-python.anthropic-missing-metadata-user-id-python languages: - python severity: WARNING message: Anthropic messages.create() called without 'metadata' parameter. Pass a metadata object with a hashed user_id to enable abuse tracking and policy enforcement. See https://docs.anthropic.com/en/api/messages metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-python.anthropic-missing-metadata-user-id-python shortlink: https://sg.run/D86zG semgrep.dev: rule: r_id: 288796 rv_id: 1413354 rule_id: 7KU1Zv6 version_id: 2KTRozy url: https://semgrep.dev/playground/r/2KTRozy/ai.ai-best-practices.anthropic-missing-metadata-user-id.anthropic-missing-metadata-user-id-python.anthropic-missing-metadata-user-id-python origin: community patterns: - pattern: $CLIENT.messages.create(...) - pattern-not: $CLIENT.messages.create(..., metadata=$META, ...) - id: solidity.best-practice.use-abi-encodecall-instead-of-encodewithselector.use-abi-encodecall-instead-of-encodewithselector message: To guarantee arguments type safety it is recommended to use `abi.encodeCall` instead of `abi.encodeWithSelector`. metadata: category: best-practice references: - https://blog.soliditylang.org/2021/12/20/solidity-0.8.11-release-announcement/ technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.best-practice.use-abi-encodecall-instead-of-encodewithselector.use-abi-encodecall-instead-of-encodewithselector shortlink: https://sg.run/9K1y semgrep.dev: rule: r_id: 67623 rv_id: 946584 rule_id: KxUqpd version_id: YDTvRo2 url: https://semgrep.dev/playground/r/YDTvRo2/solidity.best-practice.use-abi-encodecall-instead-of-encodewithselector.use-abi-encodecall-instead-of-encodewithselector origin: community patterns: - pattern: | abi.encodeWithSelector(...); languages: - solidity severity: INFO - id: solidity.best-practice.use-ownable2step.use-ownable2step metadata: category: best-practice references: - https://docs.openzeppelin.com/contracts/4.x/api/access#Ownable2Step - https://www.rareskills.io/post/openzeppelin-ownable2step technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.best-practice.use-ownable2step.use-ownable2step shortlink: https://sg.run/yBAA semgrep.dev: rule: r_id: 67624 rv_id: 946585 rule_id: qNUn00 version_id: 6xTxjeQ url: https://semgrep.dev/playground/r/6xTxjeQ/solidity.best-practice.use-ownable2step.use-ownable2step origin: community message: By demanding that the receiver of the owner permissions actively accept via a contract call of its own, `Ownable2Step` and `Ownable2StepUpgradeable` prevent the contract ownership from accidentally being transferred to an address that cannot handle it. languages: - solidity severity: INFO patterns: - pattern-inside: | contract $C is ...,$OWNABLE,... { ... } - metavariable-regex: metavariable: $OWNABLE regex: (Ownable$|OwnableUpgradeable) - focus-metavariable: $OWNABLE - id: solidity.performance.state-variable-read-in-a-loop.state-variable-read-in-a-loop message: Replace state variable reads and writes within loops with local variable reads and writes. metadata: category: performance technology: - solidity references: - https://github.com/devanshbatham/Solidity-Gas-Optimization-Tips#10--replace-state-variable-reads-and-writes-within-loops-with-local-variable-reads-and-writes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.state-variable-read-in-a-loop.state-variable-read-in-a-loop shortlink: https://sg.run/xADy semgrep.dev: rule: r_id: 67630 rv_id: 946591 rule_id: pKUjrk version_id: jQTzvKN url: https://semgrep.dev/playground/r/jQTzvKN/solidity.performance.state-variable-read-in-a-loop.state-variable-read-in-a-loop origin: community patterns: - pattern-either: - pattern-inside: | contract $C { ... $TYPE $X = ... ; ... } - pattern-inside: | contract $C { ... $TYPE $X; ... } - pattern-not-inside: | contract $C { ... $TYPE immutable $X; ... } - pattern-not-inside: | contract $C { ... $TYPE immutable $X = ...; ... } - pattern-not-inside: | contract $C { ... $TYPE constant $X = ...; ... } - pattern: $X - pattern-either: - pattern-inside: | for (...) { ... } - pattern-inside: | while (...) { ... } languages: - solidity severity: INFO - id: solidity.performance.unnecessary-checked-arithmetic-in-loop.unnecessary-checked-arithmetic-in-loop message: A lot of times there is no risk that the loop counter can overflow. Using Solidity's unchecked block saves the overflow checks. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g011---unnecessary-checked-arithmetic-in-for-loop category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.unnecessary-checked-arithmetic-in-loop.unnecessary-checked-arithmetic-in-loop shortlink: https://sg.run/OvDk semgrep.dev: rule: r_id: 67631 rv_id: 946592 rule_id: 2ZUx1Q version_id: 1QToKjX url: https://semgrep.dev/playground/r/1QToKjX/solidity.performance.unnecessary-checked-arithmetic-in-loop.unnecessary-checked-arithmetic-in-loop origin: community patterns: - pattern-either: - pattern-inside: | for ($TYPE $VAR = ... ; ...; ...) { ... } - pattern-inside: | for ($TYPE $VAR = ...; ...) { ... } - pattern-inside: | for ($TYPE $VAR; ...; ...) { ... } - pattern-inside: | for ($TYPE $VAR; ...) { ... } - pattern-either: - pattern: | $VAR++ - pattern: | ++$VAR - pattern-not-inside: | unchecked { ... <... $VAR ...>; ... } languages: - solidity severity: INFO - id: solidity.performance.use-custom-error-not-require.use-custom-error-not-require message: Consider using custom errors as they are more gas efficient while allowing developers to describe the error in detail using NatSpec. metadata: references: - https://blog.soliditylang.org/2021/04/21/custom-errors/ category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-custom-error-not-require.use-custom-error-not-require shortlink: https://sg.run/ej3L semgrep.dev: rule: r_id: 67632 rv_id: 946593 rule_id: X5UNP8 version_id: 9lTy1zE url: https://semgrep.dev/playground/r/9lTy1zE/solidity.performance.use-custom-error-not-require.use-custom-error-not-require origin: community patterns: - pattern-either: - pattern: require(..., "$MSG"); - pattern: revert("$MSG"); languages: - solidity severity: INFO - id: solidity.performance.use-multiple-require.use-multiple-require message: Using multiple require statements is cheaper than using && multiple check combinations. There are more advantages, such as easier to read code and better coverage reports. metadata: references: - https://code4rena.com/reports/2023-01-ondo#g-15-splitting-require-statements-that-use--saves-gas---saves-8-gas-per- category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-multiple-require.use-multiple-require shortlink: https://sg.run/vGA0 semgrep.dev: rule: r_id: 67633 rv_id: 946594 rule_id: j2UXKq version_id: yeT0nXz url: https://semgrep.dev/playground/r/yeT0nXz/solidity.performance.use-multiple-require.use-multiple-require origin: community patterns: - pattern: | require (<... $X && $Y ...>, ...); languages: - solidity severity: INFO - id: solidity.performance.use-prefix-decrement-not-postfix.use-prefix-decrement-not-postfix message: Consider using the prefix decrement expression whenever the return value is not needed. The prefix decrement expression is cheaper in terms of gas. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g012---use-prefix-increment-instead-of-postfix-increment-if-possible category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-prefix-decrement-not-postfix.use-prefix-decrement-not-postfix shortlink: https://sg.run/Z024 semgrep.dev: rule: r_id: 67635 rv_id: 946596 rule_id: 9AU0zR version_id: bZTXwGW url: https://semgrep.dev/playground/r/bZTXwGW/solidity.performance.use-prefix-decrement-not-postfix.use-prefix-decrement-not-postfix origin: community patterns: - pattern: $VAR-- - pattern-not-inside: | $B = ... - pattern-not-inside: "if (<... $VAR-- ...>) {\n ... \n}\n" - pattern-not-inside: require (<... $VAR-- ...>) - pattern-not-inside: | while (<... $VAR-- ...>) { ... } - pattern-not-inside: | return ...; languages: - solidity severity: INFO - id: solidity.performance.use-prefix-increment-not-postfix.use-prefix-increment-not-postfix message: Consider using the prefix increment expression whenever the return value is not needed. The prefix increment expression is cheaper in terms of gas. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g012---use-prefix-increment-instead-of-postfix-increment-if-possible category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-prefix-increment-not-postfix.use-prefix-increment-not-postfix shortlink: https://sg.run/nxLr semgrep.dev: rule: r_id: 67636 rv_id: 946597 rule_id: yyU1XA version_id: NdTqk10 url: https://semgrep.dev/playground/r/NdTqk10/solidity.performance.use-prefix-increment-not-postfix.use-prefix-increment-not-postfix origin: community patterns: - pattern: $VAR++ - pattern-not-inside: | $B = ... - pattern-not-inside: "if (<... $VAR++ ...>) {\n ... \n}\n" - pattern-not-inside: require (<... $VAR++ ...>) - pattern-not-inside: | while (<... $VAR++ ...>) { ... } - pattern-not-inside: | return ...; languages: - solidity severity: INFO - id: solidity.performance.use-short-revert-string.use-short-revert-string message: Shortening revert strings to fit in 32 bytes will decrease gas costs for deployment and gas costs when the revert condition has been met. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g007---long-revert-strings category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.use-short-revert-string.use-short-revert-string shortlink: https://sg.run/E9LB semgrep.dev: rule: r_id: 67637 rv_id: 946598 rule_id: r6UzxD version_id: kbTYk7y url: https://semgrep.dev/playground/r/kbTYk7y/solidity.performance.use-short-revert-string.use-short-revert-string origin: community patterns: - pattern-either: - pattern: | require(..., "$MSG"); - pattern: | revert("$MSG"); - metavariable-regex: metavariable: $MSG regex: .{33,} languages: - solidity severity: INFO - id: solidity.performance.non-payable-constructor.non-payable-constructor message: Consider making costructor payable to save gas. metadata: references: - https://twitter.com/0xAsm0d3us/status/1518960704271056897 category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.non-payable-constructor.non-payable-constructor shortlink: https://sg.run/wRBd semgrep.dev: rule: r_id: 67629 rv_id: 946590 rule_id: zdUJ5K version_id: X0TL8Pn url: https://semgrep.dev/playground/r/X0TL8Pn/solidity.performance.non-payable-constructor.non-payable-constructor origin: community languages: - solidity severity: INFO patterns: - pattern-inside: | contract $ANY{ ... } - pattern-not-inside: | abstract contract $ANY{ ... } - pattern: | constructor(...){ ... } - pattern-not: | constructor(...) payable{ ... } - id: solidity.security.basic-oracle-manipulation.basic-oracle-manipulation message: Price oracle can be manipulated via flashloan metadata: category: security technology: - solidity cwe: 'CWE-682: Incorrect Calculation' confidence: LOW likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://medium.com/oneringfinance/onering-finance-exploit-post-mortem-after-oshare-hack-602a529db99b - https://twitter.com/peckshield/status/1506090607059431427 - https://pwned-no-more.notion.site/The-Deus-Hack-Explained-647bf97afa2b4e4e9e8b882e68a75c0b - https://twitter.com/peckshield/status/1519530463337250817 - https://ftmscan.com/address/0xc06826f52f29b34c5d8b2c61abf844cebcf78abf - https://ftmscan.com/address/0x5CEB2b0308a7f21CcC0915DB29fa5095bEAdb48D - https://ftmscan.com/address/0x8129026c585bcfa530445a6267f9389057761a00 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.basic-oracle-manipulation.basic-oracle-manipulation shortlink: https://sg.run/3RjW semgrep.dev: rule: r_id: 67643 rv_id: 946605 rule_id: OrUWy8 version_id: ZRT35wY url: https://semgrep.dev/playground/r/ZRT35wY/solidity.security.basic-oracle-manipulation.basic-oracle-manipulation origin: community patterns: - pattern-inside: | function $F(...) { ... } - pattern-either: - pattern: $X.div($Y) - pattern: $X / $Y - metavariable-regex: metavariable: $F regex: (?i)get([a-z0-9_])*price - metavariable-pattern: metavariable: $X pattern-either: - pattern: underlying - pattern: underlyingUnit - pattern: pair - pattern: reserve - pattern: reserve0 - pattern: reserve1 - metavariable-regex: metavariable: $Y regex: .*totalSupply.* languages: - solidity severity: INFO - id: solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy message: Function borrowFresh() in Compound performs state update after doTransferOut() metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: LOW impact: HIGH subcategory: - vuln references: - https://twitter.com/peckshield/status/1509431646818234369 - https://twitter.com/blocksecteam/status/1509466576848064512 - https://slowmist.medium.com/another-day-another-reentrancy-attack-5cde10bbb2b4 - https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy shortlink: https://sg.run/4A19 semgrep.dev: rule: r_id: 67644 rv_id: 946606 rule_id: eqUkx4 version_id: nWTpz74 url: https://semgrep.dev/playground/r/nWTpz74/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy origin: community patterns: - pattern-inside: | function borrowFresh(...) { ... } - pattern-not-inside: | accountBorrows[borrower].interestIndex = borrowIndex; ... - pattern: doTransferOut(...); languages: - solidity severity: WARNING - id: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted message: Function sweepToken is allowed to be called by anyone metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: MEDIUM likelihood: LOW impact: HIGH subcategory: - vuln references: - https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2 - https://chainsecurity.com/security-audit/compound-ctoken/ - https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/ - https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted shortlink: https://sg.run/P4Wv semgrep.dev: rule: r_id: 67645 rv_id: 946607 rule_id: v8Uz2o version_id: ExTg2nW url: https://semgrep.dev/playground/r/ExTg2nW/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted origin: community patterns: - pattern-inside: | function sweepToken(...) { ... } - pattern-not-inside: | function sweepToken(...) $M { ... } - pattern: token.transfer(...); - pattern-not-inside: | require(msg.sender == admin, "..."); ... - pattern-not-inside: | require(_msgSender() == admin, "..."); ... languages: - solidity severity: WARNING - id: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy message: $POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy. metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://chainsecurity.com/heartbreaks-curve-lp-oracles/ - https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy shortlink: https://sg.run/Jk5P semgrep.dev: rule: r_id: 67646 rv_id: 946608 rule_id: d8UGDL version_id: 7ZTrQO3 url: https://semgrep.dev/playground/r/7ZTrQO3/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy origin: community patterns: - pattern: | $POOL.get_virtual_price() - pattern-not-inside: | function $F(...) { ... $VAR.withdraw_admin_fees(...); ... } - pattern-not-inside: | function $F(...) { ... $VAR.withdraw_admin_fees(...); ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAR.withdraw_admin_fees(...); ... } ... function $F(...) { ... $CHECKFUNC(...); ... $POOL.get_virtual_price(); ... } ... } - pattern-not-inside: | contract $C { ... function $CHECKFUNC(...) { ... $VAR.withdraw_admin_fees(...); ... } ... function $F(...) { ... $POOL.get_virtual_price(); ... $CHECKFUNC(...); ... } ... } languages: - solidity severity: ERROR - id: solidity.security.encode-packed-collision.encode-packed-collision message: abi.encodePacked hash collision with variable length arguments in $F() metadata: category: security technology: - solidity cwe: 'CWE-20: Improper Input Validation' confidence: HIGH likelihood: MEDIUM impact: MEDIUM subcategory: - vuln references: - https://swcregistry.io/docs/SWC-133 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision shortlink: https://sg.run/Gr46 semgrep.dev: rule: r_id: 67648 rv_id: 946610 rule_id: nJU47w version_id: 8KTKjb1 url: https://semgrep.dev/playground/r/8KTKjb1/solidity.security.encode-packed-collision.encode-packed-collision origin: community patterns: - pattern-either: - pattern-inside: | function $F(..., bytes $A, ..., bytes $B, ...) public { ... } - pattern-inside: | function $F(..., string $A, ..., string $B, ...) public { ... } - pattern-inside: | function $F(..., bytes $A, ..., string $B, ...) public { ... } - pattern-inside: | function $F(..., string $A, ..., bytes $B, ...) public { ... } - pattern-inside: | function $F(..., address[] $A, ..., address[] $B, ...) public { ... } - pattern-inside: | function $F(..., uint256[] $A, ..., uint256[] $B, ...) public { ... } - pattern-inside: | function $F(..., bytes $A, ..., bytes $B, ...) external { ... } - pattern-inside: | function $F(..., string $A, ..., string $B, ...) external { ... } - pattern-inside: | function $F(..., bytes $A, ..., string $B, ...) external { ... } - pattern-inside: | function $F(..., string $A, ..., bytes $B, ...) external { ... } - pattern-inside: | function $F(..., address[] $A, ..., address[] $B, ...) external { ... } - pattern-inside: | function $F(..., uint256[] $A, ..., uint256[] $B, ...) external { ... } - pattern-either: - pattern: | keccak256(abi.encodePacked(..., $A, $B, ...)) - pattern: | $X = abi.encodePacked(..., $A, $B, ...); ... keccak256($X); languages: - solidity severity: ERROR - id: solidity.security.erc20-public-burn.erc20-public-burn message: Anyone can burn tokens of other accounts metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/danielvf/status/1511013322015051797 - https://etherscan.io/address/0xf15ead6acb8ab52a1e335671a48f3a99e991614c license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.erc20-public-burn.erc20-public-burn shortlink: https://sg.run/RJKN semgrep.dev: rule: r_id: 67649 rv_id: 946611 rule_id: EwUDnd version_id: gETe1qw url: https://semgrep.dev/playground/r/gETe1qw/solidity.security.erc20-public-burn.erc20-public-burn origin: community patterns: - pattern-either: - pattern: "function burn(...) public { \n _burn($ACCOUNT, $AMOUNT);\n }\n" - pattern: "function burn(...) external { \n _burn($ACCOUNT, $AMOUNT);\n }\n" - pattern-not: function burn(...) $M { ... } - pattern-not: function burn(...) $M(...) { ... } - pattern-not: | function burn(...) { _burn(msg.sender, ...); } - pattern-not: | function burn(...) { _burn(_msgSender(), ...); } - pattern-not: | function burn(...) { _burn(tokenId, ...); } - pattern-not: | function burn(...) { _burn(_tokenId, ...); } languages: - solidity severity: ERROR - id: solidity.security.erc20-public-transfer.erc20-public-transfer message: Custom ERC20 implementation exposes _transfer() as public metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://medium.com/@Knownsec_Blockchain_Lab/creat-future-was-tragically-transferred-coins-at-will-who-is-the-mastermind-behind-the-scenes-8ad42a7af814 - https://bscscan.com/address/0x8B7218CF6Ac641382D7C723dE8aA173e98a80196 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.erc20-public-transfer.erc20-public-transfer shortlink: https://sg.run/A2ZB semgrep.dev: rule: r_id: 67650 rv_id: 946612 rule_id: 7KU9Ow version_id: QkTZzJ4 url: https://semgrep.dev/playground/r/QkTZzJ4/solidity.security.erc20-public-transfer.erc20-public-transfer origin: community patterns: - pattern-either: - pattern: | function _transfer(...) public { ... } - pattern: | function _transfer(...) external { ... } - pattern-not: | function _transfer(...) $M { ... } - pattern-not: | function _transfer(...) $M(...) { ... } languages: - solidity severity: WARNING - id: solidity.security.erc677-reentrancy.erc677-reentrancy message: ERC677 callAfterTransfer() reentrancy metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://twitter.com/peckshield/status/1509431646818234369 - https://twitter.com/blocksecteam/status/1509466576848064512 - https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611 - https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy shortlink: https://sg.run/BXnR semgrep.dev: rule: r_id: 67651 rv_id: 946613 rule_id: L1Ub0L version_id: 3ZTOPdd url: https://semgrep.dev/playground/r/3ZTOPdd/solidity.security.erc677-reentrancy.erc677-reentrancy origin: community patterns: - pattern-inside: | function transfer(...) { ... } - pattern: callAfterTransfer(...); languages: - solidity severity: WARNING - id: solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom message: Custom ERC721 implementation lacks access control checks in _transfer() metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: MEDIUM likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/BlockSecAlert/status/1516289618605654024 - https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom shortlink: https://sg.run/D17G semgrep.dev: rule: r_id: 67652 rv_id: 946614 rule_id: 8GUkbo version_id: 44TZko3 url: https://semgrep.dev/playground/r/44TZko3/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom origin: community patterns: - pattern-inside: | function _transfer(...) { ... } - pattern-inside: | require(prevOwnership.addr == $FROM, ...); ... - pattern-not-inside: | (<... _msgSender() == $FROM ...>); ... - pattern-not-inside: | (<... _msgSender() == $PREV.$ADDR ...>); ... - pattern-not-inside: | (<... msg.sender == $FROM ...>); ... - pattern-not-inside: | require(_isApprovedOrOwner(...), ...); ... - pattern: _approve(...); languages: - solidity severity: WARNING - id: solidity.security.erc721-reentrancy.erc721-reentrancy message: ERC721 onERC721Received() reentrancy metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: LOW impact: HIGH subcategory: - vuln references: - https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a - https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy shortlink: https://sg.run/WBoE semgrep.dev: rule: r_id: 67653 rv_id: 946615 rule_id: gxU2qG version_id: PkTQZYA url: https://semgrep.dev/playground/r/PkTQZYA/solidity.security.erc721-reentrancy.erc721-reentrancy origin: community patterns: - pattern: _checkOnERC721Received(...) languages: - solidity severity: WARNING - id: solidity.security.erc777-reentrancy.erc777-reentrancy message: ERC777 tokensReceived() reentrancy metadata: category: security technology: - solidity cwe: 'CWE-841: Improper Enforcement of Behavioral Workflow' confidence: HIGH likelihood: LOW impact: HIGH subcategory: - vuln references: - https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0 - https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy shortlink: https://sg.run/0Jpw semgrep.dev: rule: r_id: 67654 rv_id: 946616 rule_id: QrUrJj version_id: JdTDyg1 url: https://semgrep.dev/playground/r/JdTDyg1/solidity.security.erc777-reentrancy.erc777-reentrancy origin: community patterns: - pattern: $X.tokensReceived(...); languages: - solidity severity: WARNING - id: solidity.security.gearbox-tokens-path-confusion.gearbox-tokens-path-confusion message: UniswapV3 adapter implemented incorrect extraction of path parameters metadata: category: security technology: - solidity cwe: 'CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input' confidence: LOW likelihood: LOW impact: HIGH subcategory: - vuln references: - https://medium.com/@nnez/different-parsers-different-results-acecf84dfb0c - https://etherscan.io/address/0xbA7B57D7E4d4A7516FC1CbfF1CA5182eBC0c1491 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.gearbox-tokens-path-confusion.gearbox-tokens-path-confusion shortlink: https://sg.run/KwGn semgrep.dev: rule: r_id: 67655 rv_id: 946617 rule_id: 3qUAdG version_id: 5PT9O5d url: https://semgrep.dev/playground/r/5PT9O5d/solidity.security.gearbox-tokens-path-confusion.gearbox-tokens-path-confusion origin: community patterns: - pattern: $PATH.toAddress($PATH.length - $ADDR_SIZE); languages: - solidity severity: WARNING - id: solidity.security.proxy-storage-collision.proxy-storage-collision message: Proxy declares a state var that may override a storage slot of the implementation metadata: category: security technology: - solidity cwe: 'CWE-787: Out-of-bounds Write' confidence: HIGH likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.proxy-storage-collision.proxy-storage-collision shortlink: https://sg.run/2GXr semgrep.dev: rule: r_id: 67663 rv_id: 946626 rule_id: BYU0EL version_id: qkT4jqp url: https://semgrep.dev/playground/r/qkT4jqp/solidity.security.proxy-storage-collision.proxy-storage-collision origin: community patterns: - pattern-either: - pattern: | contract $CONTRACT is ..., $PROXY, ... { ... $TYPE $VAR; ... constructor(...) { ... } ... } - pattern: | contract $CONTRACT is ..., $PROXY, ... { ... $TYPE $VAR = ...; ... constructor(...) { ... } ... } - pattern-not: | contract $CONTRACT is ..., $PROXY, ... { $TYPE immutable $VAR; ... constructor(...) { ... } ... } - pattern-not: | contract $CONTRACT is ..., $PROXY, ... { $TYPE immutable $VAR = ...; ... constructor(...) { ... } ... } - pattern-not: | contract $CONTRACT is ..., $PROXY, ... { $TYPE constant $VAR = ...; ... constructor(...) { ... } ... } - metavariable-regex: metavariable: $CONTRACT regex: ^(?!AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy).*$ - metavariable-regex: metavariable: $PROXY regex: (UpgradeabilityProxy|AdminUpgradeabilityProxy|OwnedUpgrade*abilityProxy|TransparentUpgradeableProxy|ERC1967Proxy) - focus-metavariable: $PROXY languages: - solidity severity: WARNING - id: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug message: transferFrom() can steal allowance of other accounts metadata: category: security technology: - solidity cwe: 'CWE-688: Function Call With Incorrect Variable or Reference as Argument' confidence: HIGH likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5 - https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug shortlink: https://sg.run/XDzj semgrep.dev: rule: r_id: 67664 rv_id: 946627 rule_id: DbU0Qb version_id: l4Tx9Px url: https://semgrep.dev/playground/r/l4Tx9Px/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug origin: community patterns: - pattern-inside: | function transferFrom(...) { ... } - pattern: _approve(..., allowance(sender, recipient).sub(amount, ...), ...); languages: - solidity severity: ERROR - id: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control message: setMultipleAllowances() is missing onlyOwner modifier metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: HIGH likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/danielvf/status/1494317265835147272 - https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8 - https://play.secdim.com/game/dapp/challenge/rigoownsol license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control shortlink: https://sg.run/jbZP semgrep.dev: rule: r_id: 67665 rv_id: 946628 rule_id: WAUpbw version_id: YDTvRP2 url: https://semgrep.dev/playground/r/YDTvRP2/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control origin: community patterns: - pattern: function setMultipleAllowances(...) {...} - pattern-not: function setMultipleAllowances(...) onlyOwner {...} languages: - solidity severity: ERROR - id: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control message: Oracle update is not restricted in $F() metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: MEDIUM likelihood: HIGH impact: HIGH subcategory: - vuln author: https://twitter.com/ArbazKiraak references: - https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control shortlink: https://sg.run/1521 semgrep.dev: rule: r_id: 67666 rv_id: 946629 rule_id: 0oUbvd version_id: 6xTxjKQ url: https://semgrep.dev/playground/r/6xTxjKQ/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control origin: community patterns: - pattern-either: - pattern-inside: | function $F(...,$D $REQUEST,...) external { ... } - pattern-inside: | function $F(...,$D $REQUEST,...) public { ... } - pattern-not-inside: | function $F(...,$D $REQUEST,...) external onlyVault(...) { ... } - patterns: - pattern: _updateOracle($LASTBLOCK,...,...) - pattern-not-inside: | ... if (msg.sender == $BALANCER) { ... } ... - pattern-not-inside: | ... require(msg.sender == address($BALANCER),...); ... - pattern-not-inside: | ... if (_msgSender() == $BALANCER) { ... } ... - pattern-not-inside: | ... require(_msgSender() == address($BALANCER),...); ... languages: - solidity severity: ERROR - id: ai.ai-best-practices.claude-settings-env-url-override.claude-settings-env-url-override.claude-settings-env-url-override-generic languages: - generic severity: ERROR message: API base URL override detected in settings or environment file. ANTHROPIC_BASE_URL or OPENAI_BASE_URL overrides can redirect all API traffic to an attacker-controlled server, exposing prompts, code, and API keys. Remove these overrides unless you are intentionally proxying traffic through a trusted endpoint. metadata: cwe: 'CWE-923: Improper Restriction of Communication Channel to Intended Endpoints' category: security confidence: MEDIUM subcategory: - vuln likelihood: HIGH impact: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/security license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.claude-settings-env-url-override.claude-settings-env-url-override.claude-settings-env-url-override-generic shortlink: https://sg.run/D8Yoo semgrep.dev: rule: r_id: 286708 rv_id: 1409305 rule_id: NbU96kk version_id: 0bTG0vB url: https://semgrep.dev/playground/r/0bTG0vB/ai.ai-best-practices.claude-settings-env-url-override.claude-settings-env-url-override.claude-settings-env-url-override-generic origin: community paths: include: - '**/settings.json' - '**/.env*' - '**/.claude/**' - '**/*.settings.json' pattern-regex: (ANTHROPIC_BASE_URL|OPENAI_BASE_URL)\s*"?\s*[=:]\s*"?\s*\S+ - id: terraform.aws.best-practice.aws-rds-cluster-iam-authentication-not-enabled.aws-rds-cluster-iam-authentication-not-enabled patterns: - pattern: | resource "aws_rds_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "aws_rds_cluster" $ANYTHING { ... iam_database_authentication_enabled = true ... } message: The AWS RDS Cluster is not configured to use IAM authentication. Consider using IAM for authentication. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-rds-cluster-iam-authentication-not-enabled.aws-rds-cluster-iam-authentication-not-enabled shortlink: https://sg.run/eX3b semgrep.dev: rule: r_id: 17332 rv_id: 946641 rule_id: pKUzrB version_id: NdTqkO0 url: https://semgrep.dev/playground/r/NdTqkO0/terraform.aws.best-practice.aws-rds-cluster-iam-authentication-not-enabled.aws-rds-cluster-iam-authentication-not-enabled origin: community - id: terraform.aws.best-practice.aws-rds-iam-authentication-not-enabled.aws-rds-iam-authentication-not-enabled patterns: - pattern: | resource "aws_db_instance" $ANYTHING { ... } - pattern-not-inside: | resource "aws_db_instance" $ANYTHING { ... iam_database_authentication_enabled = true ... } message: The AWS RDS is not configured to use IAM authentication. Consider using IAM for authentication. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-rds-iam-authentication-not-enabled.aws-rds-iam-authentication-not-enabled shortlink: https://sg.run/veAA semgrep.dev: rule: r_id: 17333 rv_id: 946642 rule_id: 2ZUL11 version_id: kbTYkAy url: https://semgrep.dev/playground/r/kbTYkAy/terraform.aws.best-practice.aws-rds-iam-authentication-not-enabled.aws-rds-iam-authentication-not-enabled origin: community - id: terraform.aws.best-practice.aws-s3-bucket-versioning-not-enabled.aws-s3-bucket-versioning-not-enabled patterns: - pattern: | resource "aws_s3_bucket" $ANYTHING { ... } - pattern-not-inside: | resource "aws_s3_bucket" $ANYTHING { ... versioning { ... enabled = true ... } ... } - pattern-not-inside: | resource "aws_s3_bucket" $ANYTHING { ... versioning { ... enabled = var.$X ... } ... } message: Ensure that Amazon S3 bucket versioning is not enabled. Consider using versioning if you don't have alternative backup mechanism. metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-s3-bucket-versioning-not-enabled.aws-s3-bucket-versioning-not-enabled shortlink: https://sg.run/Zj2D semgrep.dev: rule: r_id: 17335 rv_id: 946644 rule_id: j2UQKO version_id: xyTqnBE url: https://semgrep.dev/playground/r/xyTqnBE/terraform.aws.best-practice.aws-s3-bucket-versioning-not-enabled.aws-s3-bucket-versioning-not-enabled origin: community languages: - hcl severity: WARNING - id: terraform.aws.best-practice.aws-s3-object-lock-not-enabled.aws-s3-object-lock-not-enabled patterns: - pattern-either: - pattern: | resource "aws_s3_bucket" $ANYTHING { ... object_lock_configuration = { object_lock_enabled = "Disabled" } ... } - pattern: | resource "aws_s3_bucket" $ANYTHING { ... object_lock_configuration { object_lock_enabled = "Disabled" } ... } message: The AWS S3 object lock is not enabled. Consider using it if possible. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.aws-s3-object-lock-not-enabled.aws-s3-object-lock-not-enabled shortlink: https://sg.run/nr5X semgrep.dev: rule: r_id: 17336 rv_id: 946645 rule_id: 10U5x8 version_id: O9TX30z url: https://semgrep.dev/playground/r/O9TX30z/terraform.aws.best-practice.aws-s3-object-lock-not-enabled.aws-s3-object-lock-not-enabled origin: community - id: terraform.aws.best-practice.missing-autoscaling-group-tags.missing-autoscaling-group-tags patterns: - patterns: - patterns: - pattern: resource "aws_autoscaling_group" $ANYTHING {...} - pattern-not-inside: | resource "aws_autoscaling_group" $ANYTHING { ... tag {...} ... } - patterns: - pattern: resource "aws_autoscaling_group" $ANYTHING {...} - pattern-not-inside: | resource "aws_autoscaling_group" $ANYTHING { ... tags = concat(...) ... } message: |- There are missing tags for an AWS Auto Scaling group. Tags help track costs, allow for filtering for Auto Scaling groups, help with access control, and aid in organizing AWS resources. Add: `tag { key = "key" value = "value" propagate_at_launch = boolean }` See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details. languages: - hcl severity: WARNING metadata: technology: - aws - terraform category: best-practice license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-autoscaling-group-tags.missing-autoscaling-group-tags shortlink: https://sg.run/ryY1 semgrep.dev: rule: r_id: 15825 rv_id: 946648 rule_id: bwUz8r version_id: d6TPjRJ url: https://semgrep.dev/playground/r/d6TPjRJ/terraform.aws.best-practice.missing-autoscaling-group-tags.missing-autoscaling-group-tags origin: community - id: terraform.aws.best-practice.missing-aws-autoscaling-tags.missing-aws-autoscaling-tags patterns: - pattern: | resource "aws_autoscaling_group" $ANYTHING { ... } - pattern-not-inside: | resource "aws_autoscaling_group" $ANYTHING { ... tag { ... } ... } - pattern-not-inside: | resource "aws_autoscaling_group" $ANYTHING { ... tags = concat( ... ) ... } message: The AWS Autoscaling Group is not tagged. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-aws-autoscaling-tags.missing-aws-autoscaling-tags shortlink: https://sg.run/EyGw semgrep.dev: rule: r_id: 17337 rv_id: 946649 rule_id: 9AUZKd version_id: ZRT35EY url: https://semgrep.dev/playground/r/ZRT35EY/terraform.aws.best-practice.missing-aws-autoscaling-tags.missing-aws-autoscaling-tags origin: community - id: terraform.aws.best-practice.missing-aws-cross-zone-lb.missing-aws-cross-zone-lb patterns: - pattern-either: - pattern: | resource "aws_lb" $ANYTHING { ... load_balancer_type = ... ... } - pattern: | resource "aws_alb" $ANYTHING { ... load_balancer_type = ... ... } - pattern-not-inside: | resource $ANYLB $ANYTHING { ... enable_cross_zone_load_balancing = true ... } - pattern-not-inside: | resource $ANYLB $ANYTHING { ... load_balancer_type = "application" ... } message: The AWS cross zone load balancing is not enabled. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-aws-cross-zone-lb.missing-aws-cross-zone-lb shortlink: https://sg.run/7neZ semgrep.dev: rule: r_id: 17338 rv_id: 946650 rule_id: yyUAL3 version_id: nWTpze4 url: https://semgrep.dev/playground/r/nWTpze4/terraform.aws.best-practice.missing-aws-cross-zone-lb.missing-aws-cross-zone-lb origin: community - id: terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection patterns: - pattern-either: - pattern-inside: | resource "aws_alb" "..." { ... } - pattern-inside: | resource "aws_lb" "..." { ... } - pattern-not-inside: | resource $ANYLB $ANYTHING { ... enable_deletion_protection = true ... } message: The AWS LoadBalancer deletion protection is not enabled. languages: - hcl severity: WARNING metadata: category: best-practice references: - https://aws.amazon.com/what-is/load-balancing/#seo-faq-pairs#benefits-lb - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection shortlink: https://sg.run/L3Kr semgrep.dev: rule: r_id: 17339 rv_id: 946651 rule_id: r6U2Yo version_id: ExTg2kW url: https://semgrep.dev/playground/r/ExTg2kW/terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection origin: community - id: terraform.aws.best-practice.missing-aws-qldb-deletion-protection.missing-aws-qldb-deletion-protection patterns: - pattern: | resource "aws_qldb_ledger" $ANYTHING { ... deletion_protection = false ... } message: The AWS QLDB deletion protection is not enabled. languages: - hcl severity: WARNING metadata: category: best-practice technology: - terraform - aws license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-aws-qldb-deletion-protection.missing-aws-qldb-deletion-protection shortlink: https://sg.run/8gvy semgrep.dev: rule: r_id: 17340 rv_id: 946652 rule_id: bwUzkw version_id: 7ZTrQ73 url: https://semgrep.dev/playground/r/7ZTrQ73/terraform.aws.best-practice.missing-aws-qldb-deletion-protection.missing-aws-qldb-deletion-protection origin: community - id: terraform.aws.best-practice.missing-cloudwatch-log-group-kms-key.missing-cloudwatch-log-group-kms-key patterns: - patterns: - pattern: resource "aws_cloudwatch_log_group" $ANYTHING {...} - pattern-not-inside: | resource "aws_cloudwatch_log_group" $ANYTHING { ... kms_key_id = ... ... } message: The AWS CloudWatch Log group is missing a KMS key. While Log group data is always encrypted, you can optionally use a KMS key instead. Add `kms_key_id = "yourKey"` to your resource block. languages: - hcl severity: WARNING metadata: technology: - aws - terraform category: best-practice license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-cloudwatch-log-group-kms-key.missing-cloudwatch-log-group-kms-key shortlink: https://sg.run/bX2d semgrep.dev: rule: r_id: 15826 rv_id: 946653 rule_id: NbUXNP version_id: LjTXyY3 url: https://semgrep.dev/playground/r/LjTXyY3/terraform.aws.best-practice.missing-cloudwatch-log-group-kms-key.missing-cloudwatch-log-group-kms-key origin: community - id: terraform.aws.correctness.lambda-redundant-field-with-image.lambda-redundant-field-with-image severity: WARNING languages: - hcl message: When using the AWS Lambda "Image" package_type, `runtime` and `handler` are not necessary for Lambda to understand how to run the code. These are built into the container image. Including `runtime` or `handler` with an "Image" `package_type` will result in an error on `terraform apply`. Remove these redundant fields. metadata: category: correctness references: - https://stackoverflow.com/questions/72771366/why-do-i-get-error-handler-and-runtime-must-be-set-when-packagetype-is-zip-whe technology: - aws - terraform - aws-lambda license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.correctness.lambda-redundant-field-with-image.lambda-redundant-field-with-image shortlink: https://sg.run/4j9l semgrep.dev: rule: r_id: 72344 rv_id: 946656 rule_id: wdULWl version_id: QkTZzy4 url: https://semgrep.dev/playground/r/QkTZzy4/terraform.aws.correctness.lambda-redundant-field-with-image.lambda-redundant-field-with-image origin: community patterns: - pattern-inside: "resource \"aws_lambda_function\" $NAME { \n ...\n package_type = \"Image\"\n}\n" - pattern-either: - pattern: handler = ... - pattern: runtime = ... - id: gitlab.bandit.B607 languages: - python message: | Starting a process with a shell; seems safe, but may be changed in the future, consider rewriting without shell pattern-either: - pattern: os.system("...", ...) - pattern: $OS.popen("...", ...) - pattern: $OS.popen2("...", ...) - pattern: $OS.popen3("...", ...) - pattern: $OS.popen4("...", ...) - pattern: commands.getoutput("...", ...) - pattern: commands.getstatusoutput("...", ...) metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B607 secondary_identifiers: - name: Bandit Test ID B607 type: bandit_test_id value: B607 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B607 shortlink: https://sg.run/wx9d semgrep.dev: rule: r_id: 11573 rv_id: 920111 rule_id: oqUzYg version_id: 5PTNG9R url: https://semgrep.dev/playground/r/5PTNG9R/gitlab.bandit.B607 origin: community severity: INFO - id: terraform.aws.correctness.reserved-aws-lambda-environment-variable.reserved-aws-lambda-environment-variable message: '`terraform apply` will fail because the environment variable "$VARIABLE" is a reserved by AWS. Use another name for "$VARIABLE".' languages: - hcl severity: WARNING metadata: category: correctness references: - https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime technology: - aws - aws-lambda - terraform license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.correctness.reserved-aws-lambda-environment-variable.reserved-aws-lambda-environment-variable shortlink: https://sg.run/4jk5 semgrep.dev: rule: r_id: 72100 rv_id: 946657 rule_id: 4bUdeB version_id: 3ZTOPJd url: https://semgrep.dev/playground/r/3ZTOPJd/terraform.aws.correctness.reserved-aws-lambda-environment-variable.reserved-aws-lambda-environment-variable origin: community patterns: - pattern-inside: | resource "aws_lambda_function" $FUNCTION { ... } - pattern-inside: | environment { ... } - pattern-inside: | variables = { ... } - pattern: | $VARIABLE = ... - metavariable-pattern: metavariable: $VARIABLE patterns: - pattern-either: - pattern: _HANDLER - pattern: _X_AMZN_TRACE_ID - pattern: AWS_DEFAULT_REGION - pattern: AWS_REGION - pattern: AWS_EXECUTION_ENV - pattern: AWS_LAMBDA_FUNCTION_NAME - pattern: AWS_LAMBDA_FUNCTION_MEMORY_SIZE - pattern: AWS_LAMBDA_FUNCTION_VERSION - pattern: AWS_LAMBDA_INITIALIZATION_TYPE - pattern: AWS_LAMBDA_LOG_GROUP_NAME - pattern: AWS_LAMBDA_LOG_STREAM_NAME - pattern: AWS_ACCESS_KEY - pattern: AWS_ACCESS_KEY_ID - pattern: AWS_SECRET_ACCESS_KEY - pattern: AWS_LAMBDA_RUNTIME_API - pattern: LAMBDA_TASK_ROOT - pattern: LAMBDA_RUNTIME_DIR - id: terraform.aws.correctness.subscription-filter-missing-depends.subscription-filter-missing-depends severity: WARNING languages: - hcl message: The `aws_cloudwatch_log_subscription_filter` resource "$NAME" needs a `depends_on` clause on the `aws_lambda_permission`, otherwise Terraform may try to create these out-of-order and fail. metadata: category: correctness references: - https://stackoverflow.com/questions/38407660/terraform-configuring-cloudwatch-log-subscription-delivery-to-lambda/38428834#38428834 technology: - aws - terraform - aws-lambda - cloudwatch confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.correctness.subscription-filter-missing-depends.subscription-filter-missing-depends shortlink: https://sg.run/PqwY semgrep.dev: rule: r_id: 72345 rv_id: 946658 rule_id: x8U5RN version_id: 44TZk33 url: https://semgrep.dev/playground/r/44TZk33/terraform.aws.correctness.subscription-filter-missing-depends.subscription-filter-missing-depends origin: community patterns: - pattern: | resource "aws_cloudwatch_log_subscription_filter" $NAME { ... destination_arn = aws_lambda_function.$LAMBDA_NAME.arn } - pattern-not-inside: | resource "aws_cloudwatch_log_subscription_filter" $NAME { ... depends_on = [..., aws_lambda_permission.$PERMISSION_NAME, ...] } - id: terraform.aws.security.aws-athena-client-can-disable-workgroup-encryption.aws-athena-client-can-disable-workgroup-encryption patterns: - pattern: | resource "aws_athena_workgroup" $ANYTHING { ... configuration { ... enforce_workgroup_configuration = false ... result_configuration { ... encryption_configuration { ... } ... } ... } ... } message: The Athena workgroup configuration can be overriden by client-side settings. The client can make changes to disable encryption settings. Enforce the configuration to prevent client overrides. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-athena-client-can-disable-workgroup-encryption.aws-athena-client-can-disable-workgroup-encryption shortlink: https://sg.run/wbj6 semgrep.dev: rule: r_id: 47273 rv_id: 1263697 rule_id: AbUPp0 version_id: 44TEjr5 url: https://semgrep.dev/playground/r/44TEjr5/terraform.aws.security.aws-athena-client-can-disable-workgroup-encryption.aws-athena-client-can-disable-workgroup-encryption origin: community - id: terraform.aws.security.aws-athena-database-unencrypted.aws-athena-database-unencrypted patterns: - pattern: | resource "aws_athena_database" $ANYTHING { ... } - pattern-not-inside: | resource "aws_athena_database" $ANYTHING { ... encryption_configuration { ... } ... } message: The Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at rest protection. The AWS KMS encryption key protects database contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-athena-database-unencrypted.aws-athena-database-unencrypted shortlink: https://sg.run/xNjj semgrep.dev: rule: r_id: 47274 rv_id: 1263698 rule_id: BYUjvv version_id: PkTR3Nb url: https://semgrep.dev/playground/r/PkTR3Nb/terraform.aws.security.aws-athena-database-unencrypted.aws-athena-database-unencrypted origin: community - id: terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted patterns: - pattern: | resource "aws_codebuild_project" $ANYTHING { ... artifacts { ... encryption_disabled = true ... } ... } - pattern-not-inside: | resource "aws_codebuild_project" $ANYTHING { ... artifacts { type = "NO_ARTIFACTS" encryption_disabled = true } ... } - pattern-not-inside: | resource "aws_codebuild_project" $ANYTHING { ... artifacts { type = "NO_ARTIFACTS" } ... } message: The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted shortlink: https://sg.run/JeWw semgrep.dev: rule: r_id: 17346 rv_id: 946668 rule_id: eqUrdZ version_id: 0bT15Wr url: https://semgrep.dev/playground/r/0bT15Wr/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted origin: community - id: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted patterns: - pattern: | resource "aws_codebuild_project" $ANYTHING { ... } - pattern-not-inside: | resource "aws_codebuild_project" $ANYTHING { ... encryption_key = ... ... } message: The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in the CodeBuild. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted shortlink: https://sg.run/5yxA semgrep.dev: rule: r_id: 17347 rv_id: 946669 rule_id: v8U4kG version_id: K3TJbNr url: https://semgrep.dev/playground/r/K3TJbNr/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted origin: community - id: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk patterns: - pattern: | resource "aws_docdb_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "aws_docdb_cluster" $ANYTHING { ... kms_key_id = ... ... } message: Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk shortlink: https://sg.run/RyzO semgrep.dev: rule: r_id: 17349 rv_id: 946672 rule_id: ZqUGEp version_id: YDTvRX2 url: https://semgrep.dev/playground/r/YDTvRX2/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-dynamodb-point-in-time-recovery-disabled.aws-dynamodb-point-in-time-recovery-disabled patterns: - pattern: | resource "aws_dynamodb_table" $ANYTHING { ... } - pattern-not-inside: | resource "aws_dynamodb_table" $ANYTHING { ... point_in_time_recovery { ... enabled = true ... } ... } message: Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data. languages: - hcl severity: INFO metadata: category: security technology: - terraform - aws cwe: - 'CWE-221: Information Loss or Omission' subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery owasp: - "A09:2021 \u2013 Security Logging and Monitoring Failures" license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-point-in-time-recovery-disabled.aws-dynamodb-point-in-time-recovery-disabled shortlink: https://sg.run/eD4E semgrep.dev: rule: r_id: 48632 rv_id: 946675 rule_id: DbU4Wn version_id: GxTP79q url: https://semgrep.dev/playground/r/GxTP79q/terraform.aws.security.aws-dynamodb-point-in-time-recovery-disabled.aws-dynamodb-point-in-time-recovery-disabled origin: community - id: ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-javascript.anthropic-missing-refusal-check-javascript languages: - javascript - typescript severity: WARNING message: Anthropic response content accessed without checking stop_reason. Check response.stop_reason to handle cases where the model stops unexpectedly (e.g., due to max_tokens or content filtering). metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-javascript.anthropic-missing-refusal-check-javascript shortlink: https://sg.run/We4pE semgrep.dev: rule: r_id: 288797 rv_id: 1413355 rule_id: L1U295D version_id: X0TY0QR url: https://semgrep.dev/playground/r/X0TY0QR/ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-javascript.anthropic-missing-refusal-check-javascript origin: community patterns: - pattern: $RESP.content - pattern-either: - pattern-inside: | $RESP = await $CLIENT.messages.create(...) ... - pattern-inside: | $RESP = $CLIENT.messages.create(...) ... - pattern-not-inside: | if ($RESP.stopReason === "end_turn") { ... } - pattern-not-inside: | if ($RESP.stop_reason === "end_turn") { ... } - id: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk patterns: - pattern: | resource "aws_ebs_snapshot_copy" $ANYTHING { ... encrypted = true ... } - pattern-not-inside: | resource "aws_ebs_snapshot_copy" $ANYTHING { ... encrypted = true kms_key_id = ... ... } message: Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk shortlink: https://sg.run/ByPW semgrep.dev: rule: r_id: 17351 rv_id: 946677 rule_id: EwUqko version_id: A8TJzb0 url: https://semgrep.dev/playground/r/A8TJzb0/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled patterns: - pattern: | resource "aws_docdb_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "aws_docdb_cluster" $ANYTHING { ... enabled_cloudwatch_logs_exports = [..., "audit", ...] ... } message: Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch. languages: - hcl severity: INFO metadata: category: security technology: - terraform - aws owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ subcategory: - audit likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled shortlink: https://sg.run/xJYP semgrep.dev: rule: r_id: 48630 rv_id: 1263705 rule_id: AbU1WN version_id: DkTRbA4 url: https://semgrep.dev/playground/r/DkTRbA4/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled origin: community - id: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk patterns: - pattern-inside: | resource "aws_emr_security_configuration" $ANYTHING { ... } - pattern: configuration = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-not-inside: | "AwsKmsKey": ... message: Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk shortlink: https://sg.run/6gOo semgrep.dev: rule: r_id: 17359 rv_id: 946694 rule_id: PeU0L7 version_id: 9lTy1D0 url: https://semgrep.dev/playground/r/9lTy1D0/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk patterns: - pattern: | resource "aws_efs_file_system" $ANYTHING { ... encrypted = true ... } - pattern-not-inside: | resource "aws_efs_file_system" $ANYTHING { ... encrypted = true kms_key_id = ... ... } message: Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk shortlink: https://sg.run/Kk07 semgrep.dev: rule: r_id: 17355 rv_id: 946690 rule_id: gxUJ4n version_id: 2KTYbWy url: https://semgrep.dev/playground/r/2KTYbWy/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-ec2-security-group-rule-missing-description.aws-ec2-security-group-rule-missing-description patterns: - pattern-either: - patterns: - pattern-either: - patterns: - pattern-inside: | resource "aws_security_group" $ANYTHING { ... $INGRESS { ... description = $DESCR ... } ... } - metavariable-regex: metavariable: $INGRESS regex: ^(ingress|egress)$ - patterns: - pattern-inside: | resource "$SECGROUP" $ANYTHING { ... description = $DESCR ... } - metavariable-regex: metavariable: $SECGROUP regex: ^(aws_security_group_rule|aws_security_group)$ - metavariable-regex: metavariable: $DESCR regex: ^(['\"]['\"]|['\"]Managed by Terraform['\"])$ - focus-metavariable: $DESCR - patterns: - metavariable-regex: metavariable: $INGRESS regex: ^(ingress|egress)$ - pattern: | resource "aws_security_group" $ANYTHING { ... $INGRESS { ... } ... } - pattern-not: | resource "aws_security_group" $ANYTHING { ... $INGRESS { ... description = ... ... } ... } - patterns: - metavariable-regex: metavariable: $SECGROUP regex: ^(aws_security_group_rule|aws_security_group)$ - pattern: | resource "$SECGROUP" $ANYTHING { ... } - pattern-not: | resource "$SECGROUP" $ANYTHING { ... description = ... ... } message: The AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups. languages: - hcl severity: INFO metadata: category: security technology: - terraform - aws owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-223: Omission of Security-relevant Information' references: - https://shisho.dev/dojo/providers/aws/Amazon_EC2/aws-security-group/#:~:text=Ensure%20to%20keep%20the%20description%20of%20your%20security%20group%20up%2Dto%2Ddate - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-security-group-rule-missing-description.aws-ec2-security-group-rule-missing-description shortlink: https://sg.run/v40R semgrep.dev: rule: r_id: 48633 rv_id: 1263714 rule_id: WAU2Z3 version_id: GxTkepE url: https://semgrep.dev/playground/r/GxTkepE/terraform.aws.security.aws-ec2-security-group-rule-missing-description.aws-ec2-security-group-rule-missing-description origin: community - id: terraform.aws.security.aws-ecr-image-scanning-disabled.aws-ecr-image-scanning-disabled patterns: - pattern: | resource "aws_ecr_repository" $ANYTHING { ... } - pattern-not-inside: | resource "aws_ecr_repository" $ANYTHING { ... image_scanning_configuration { ... scan_on_push = true ... } ... } message: The ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible. languages: - hcl severity: WARNING metadata: references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ category: security technology: - terraform - aws owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-223: Omission of Security-relevant Information' subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-ecr-image-scanning-disabled.aws-ecr-image-scanning-disabled shortlink: https://sg.run/dBg5 semgrep.dev: rule: r_id: 48634 rv_id: 1263715 rule_id: 0oUREK version_id: RGT0Ljx url: https://semgrep.dev/playground/r/RGT0Ljx/terraform.aws.security.aws-ecr-image-scanning-disabled.aws-ecr-image-scanning-disabled origin: community - id: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags patterns: - pattern: | resource "aws_ecr_repository" $ANYTHING { ... } - pattern-not-inside: | resource "aws_ecr_repository" $ANYTHING { ... image_tag_mutability = "IMMUTABLE" ... } message: The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ subcategory: - audit likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags shortlink: https://sg.run/ZEeL semgrep.dev: rule: r_id: 48635 rv_id: 1263716 rule_id: KxUB4o version_id: A8Tgdwd url: https://semgrep.dev/playground/r/A8Tgdwd/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags origin: community - id: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk patterns: - pattern: | resource "aws_fsx_ontap_file_system" $ANYTHING { ... } - pattern-not-inside: | resource "aws_fsx_ontap_file_system" $ANYTHING { ... kms_key_id = ... ... } message: Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk shortlink: https://sg.run/pyRg semgrep.dev: rule: r_id: 17362 rv_id: 946697 rule_id: GdUzwK version_id: bZTXw0d url: https://semgrep.dev/playground/r/bZTXw0d/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk patterns: - pattern: | resource "aws_fsx_windows_file_system" $ANYTHING { ... } - pattern-not-inside: | resource "aws_fsx_windows_file_system" $ANYTHING { ... kms_key_id = ... ... } message: Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk shortlink: https://sg.run/2pN0 semgrep.dev: rule: r_id: 17363 rv_id: 946698 rule_id: ReUqv6 version_id: NdTqknl url: https://semgrep.dev/playground/r/NdTqknl/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk patterns: - pattern: | resource "aws_imagebuilder_component" $ANYTHING { ... } - pattern-not-inside: | resource "aws_imagebuilder_component" $ANYTHING { ... kms_key_id = ... ... } message: Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk shortlink: https://sg.run/9vdY semgrep.dev: rule: r_id: 17367 rv_id: 946702 rule_id: WAUNxL version_id: O9TX3o0 url: https://semgrep.dev/playground/r/O9TX3o0/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk patterns: - pattern: | resource "aws_kinesis_video_stream" $ANYTHING { ... } - pattern-not-inside: | resource "aws_kinesis_video_stream" $ANYTHING { ... kms_key_id = ... ... } message: Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk shortlink: https://sg.run/bXvp semgrep.dev: rule: r_id: 17370 rv_id: 946707 rule_id: qNUWqn version_id: nWTpYW8 url: https://semgrep.dev/playground/r/nWTpYW8/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted patterns: - pattern-inside: | resource "aws_lambda_function" $ANYTHING { ... } - pattern-either: - patterns: - pattern: | environment { ... } - pattern-not-inside: | resource $A $B { ... kms_key_arn = ... ... } - patterns: - pattern: | kms_key_arn = ... - pattern-not-inside: | resource $A $B { ... environment { ... } ... } - pattern: kms_key_arn = "" message: By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted shortlink: https://sg.run/x4lz semgrep.dev: rule: r_id: 17374 rv_id: 946711 rule_id: 5rUp5w version_id: 8KTKEYz url: https://semgrep.dev/playground/r/8KTKEYz/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted origin: community - id: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active patterns: - pattern: | resource "aws_lambda_function" $ANYTHING { ... } - pattern-not: | resource "aws_lambda_function" $ANYTHING { ... tracing_config { ... mode = "Active" ... } ... } message: The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts. languages: - hcl severity: INFO metadata: category: security technology: - aws - terraform owasp: - A09:2021 Security Logging and Monitoring Failures cwe: - 'CWE-778: Insufficient Logging' references: - https://cwe.mitre.org/data/definitions/778.html - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode - https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html subcategory: - audit likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active shortlink: https://sg.run/wO2Y semgrep.dev: rule: r_id: 54773 rv_id: 946713 rule_id: eqUl1O version_id: QkTZ6vk url: https://semgrep.dev/playground/r/QkTZ6vk/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active origin: community - patterns: - pattern-either: - pattern: | provisioner "remote-exec" { ... } - pattern: | provisioner "local-exec" { ... } - pattern-inside: | resource "aws_instance" "..." { ... } id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design. languages: - terraform severity: WARNING metadata: category: security owasp: - A03:2021 - Injection - A01:2017 - Injection - A05:2025 - Injection cwe: - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')' - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM technology: - terraform references: - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection - Other source: https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec shortlink: https://sg.run/7EjQ semgrep.dev: rule: r_id: 70982 rv_id: 1263736 rule_id: EwUxO1 version_id: bZT53j1 url: https://semgrep.dev/playground/r/bZT53j1/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec origin: community - id: terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk patterns: - pattern: | resource "aws_sagemaker_domain" $ANYTHING { ... } - pattern-not-inside: | resource "aws_sagemaker_domain" $ANYTHING { ... kms_key_id = ... ... } message: Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk shortlink: https://sg.run/ZjrD semgrep.dev: rule: r_id: 17379 rv_id: 946723 rule_id: DbUx8z version_id: DkTNWdv url: https://semgrep.dev/playground/r/DkTNWdv/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk patterns: - pattern: | resource "aws_timestreamwrite_database" $ANYTHING { ... } - pattern-not-inside: | resource "aws_timestreamwrite_database" $ANYTHING { ... kms_key_id = ... ... } message: Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk shortlink: https://sg.run/7nyZ semgrep.dev: rule: r_id: 17382 rv_id: 946731 rule_id: KxU5Nn version_id: o5TZzX3 url: https://semgrep.dev/playground/r/o5TZzX3/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted patterns: - pattern: | resource "aws_workspaces_workspace" $ANYTHING { ... } - pattern-not-inside: | resource "aws_workspaces_workspace" $ANYTHING { ... user_volume_encryption_enabled = true ... } message: The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted shortlink: https://sg.run/gXdJ semgrep.dev: rule: r_id: 17385 rv_id: 946734 rule_id: YGUAXr version_id: 2KTY4ly url: https://semgrep.dev/playground/r/2KTY4ly/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted origin: community - id: terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption patterns: - pattern: resource "aws_athena_workgroup" $ANYTHING {...} - pattern-not-inside: | resource "aws_athena_workgroup" $ANYTHING { ... encryption_configuration {...} ... } message: 'The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.' languages: - hcl severity: WARNING metadata: technology: - aws - terraform category: security owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption shortlink: https://sg.run/kzro semgrep.dev: rule: r_id: 15828 rv_id: 946736 rule_id: wdUljO version_id: jQTzqko url: https://semgrep.dev/playground/r/jQTzqko/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption origin: community - id: terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version patterns: - pattern-either: - patterns: - pattern: ssl_policy = $ANYTHING - pattern-not-regex: ELBSecurityPolicy-TLS13-1-[23]-[(Res)0-9-]+ - pattern-not-regex: ELBSecurityPolicy-FS-1-2-[(Res)0-9-]+ - patterns: - pattern: protocol = "HTTP" - pattern-not-inside: | resource $ANYTHING $NAME { ... default_action { ... redirect { ... protocol = "HTTPS" ... } ... } ... } - pattern-inside: | resource $RESOURCE $X { ... } - metavariable-pattern: metavariable: $RESOURCE patterns: - pattern-either: - pattern: | "aws_lb_listener" - pattern: | "aws_alb_listener" message: Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-TLS13-1-2-Res-2021-06"`, or include a default action to redirect to HTTPS. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' references: - https://www.ietf.org/rfc/rfc5246.txt subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version shortlink: https://sg.run/187G semgrep.dev: rule: r_id: 14966 rv_id: 1263747 rule_id: 2ZUP9K version_id: ExTEx0y url: https://semgrep.dev/playground/r/ExTEx0y/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-ad-used-auth-service-fabric.azure-ad-used-auth-service-fabric message: "Ensures that Active Directory is used for authentication for Service Fabric\t" patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_service_fabric_cluster" "..." { ... azure_active_directory { tenant_id = "..." } ... } - pattern-inside: | resource "azurerm_service_fabric_cluster" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-ad-used-auth-service-fabric.azure-ad-used-auth-service-fabric shortlink: https://sg.run/PyLY semgrep.dev: rule: r_id: 23901 rv_id: 946739 rule_id: 10UY2P version_id: yeT0vkg url: https://semgrep.dev/playground/r/yeT0vkg/terraform.azure.best-practice.azure-ad-used-auth-service-fabric.azure-ad-used-auth-service-fabric origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-aks-uses-azure-policies-addon.azure-aks-uses-azure-policies-addon message: Ensure that AKS uses Azure Policies Add-on patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kubernetes_cluster" "..." { ... addon_profile { azure_policy { enabled = true } } ... } - pattern-inside: | resource "azurerm_kubernetes_cluster" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-aks-uses-azure-policies-addon.azure-aks-uses-azure-policies-addon shortlink: https://sg.run/J18w semgrep.dev: rule: r_id: 23902 rv_id: 946740 rule_id: 9AUWlA version_id: rxT6kOK url: https://semgrep.dev/playground/r/rxT6kOK/terraform.azure.best-practice.azure-aks-uses-azure-policies-addon.azure-aks-uses-azure-policies-addon origin: community languages: - hcl severity: INFO - id: terraform.azure.best-practice.azure-appservice-python-version.azure-appservice-python-version message: Ensure that Python version is the latest, if used to run the web app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ... python_version = "3.10" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-python-version.azure-appservice-python-version shortlink: https://sg.run/WRv4 semgrep.dev: rule: r_id: 23909 rv_id: 946747 rule_id: x8UZ80 version_id: e1T9vR7 url: https://semgrep.dev/playground/r/e1T9vR7/terraform.azure.best-practice.azure-appservice-python-version.azure-appservice-python-version origin: community languages: - hcl severity: INFO - id: terraform.azure.best-practice.azure-appgateway-enables-waf.azure-appgateway-enables-waf message: Ensure that Application Gateway enables WAF patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_application_gateway" "..." { ... waf_configuration { enabled = true } ... } - pattern-inside: | resource "azurerm_application_gateway" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appgateway-enables-waf.azure-appgateway-enables-waf shortlink: https://sg.run/5eKA semgrep.dev: rule: r_id: 23903 rv_id: 946741 rule_id: yyU2O0 version_id: bZTXOAd url: https://semgrep.dev/playground/r/bZTXOAd/terraform.azure.best-practice.azure-appgateway-enables-waf.azure-appgateway-enables-waf origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-appservice-used-azure-files.azure-appservice-used-azure-files message: Ensure that app services use Azure Files patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... storage_account { ... type = "AzureFiles" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-appservice-used-azure-files.azure-appservice-used-azure-files shortlink: https://sg.run/02Av semgrep.dev: rule: r_id: 23910 rv_id: 946748 rule_id: OrUO8B version_id: vdTG5Yr url: https://semgrep.dev/playground/r/vdTG5Yr/terraform.azure.best-practice.azure-appservice-used-azure-files.azure-appservice-used-azure-files origin: community languages: - hcl severity: INFO - id: terraform.azure.best-practice.azure-defenderon-appservices.azure-defenderon-appservices message: Ensure that Azure Defender is set to On for App Service patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "AppServices" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "AppServices" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-appservices.azure-defenderon-appservices shortlink: https://sg.run/KeL7 semgrep.dev: rule: r_id: 23911 rv_id: 946749 rule_id: eqU1eG version_id: d6TPzrr url: https://semgrep.dev/playground/r/d6TPzrr/terraform.azure.best-practice.azure-defenderon-appservices.azure-defenderon-appservices origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-defenderon-container-registry.azure-defenderon-container-registry message: Ensure that Azure Defender is set to On for Container patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "ContainerRegistry" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "ContainerRegistry" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-container-registry.azure-defenderon-container-registry shortlink: https://sg.run/qBoz semgrep.dev: rule: r_id: 23912 rv_id: 946750 rule_id: v8UNX3 version_id: ZRT3qQ6 url: https://semgrep.dev/playground/r/ZRT3qQ6/terraform.azure.best-practice.azure-defenderon-container-registry.azure-defenderon-container-registry origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-defenderon-servers.azure-defenderon-servers message: Ensure that Azure Defender is set to On for Servers patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "VirtualMachines" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "VirtualMachines" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-servers.azure-defenderon-servers shortlink: https://sg.run/68qo semgrep.dev: rule: r_id: 23915 rv_id: 946753 rule_id: nJUP95 version_id: 7ZTrege url: https://semgrep.dev/playground/r/7ZTrege/terraform.azure.best-practice.azure-defenderon-servers.azure-defenderon-servers origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-defenderon-sqlservers-vms.azure-defenderon-sqlservers-vms message: Ensure that Azure Defender is set to On for SQL servers on machines patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "SqlServerVirtualMachines" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "SqlServerVirtualMachines" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-sqlservers-vms.azure-defenderon-sqlservers-vms shortlink: https://sg.run/oRZ9 semgrep.dev: rule: r_id: 23916 rv_id: 946754 rule_id: EwUNo5 version_id: LjTX4qr url: https://semgrep.dev/playground/r/LjTX4qr/terraform.azure.best-practice.azure-defenderon-sqlservers-vms.azure-defenderon-sqlservers-vms origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-defenderon-sqlservers.azure-defenderon-sqlservers message: Ensure that Azure Defender is set to On for SQL servers patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" resource_type = "SqlServers" ... } - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Free" resource_type = "SqlServers" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-defenderon-sqlservers.azure-defenderon-sqlservers shortlink: https://sg.run/zoRG semgrep.dev: rule: r_id: 23917 rv_id: 946755 rule_id: 7KUoBq version_id: 8KTKEQz url: https://semgrep.dev/playground/r/8KTKEQz/terraform.azure.best-practice.azure-defenderon-sqlservers.azure-defenderon-sqlservers origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-frontdoor-enables-waf.azure-frontdoor-enables-waf message: Ensure that Azure Front Door enables WAF patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_frontdoor" "..." { ... web_application_firewall_policy_link_id = "..." ... } - pattern-inside: | resource "azurerm_frontdoor" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-frontdoor-enables-waf.azure-frontdoor-enables-waf shortlink: https://sg.run/2nD0 semgrep.dev: rule: r_id: 23919 rv_id: 946757 rule_id: 8GU9NJ version_id: QkTZ6Wk url: https://semgrep.dev/playground/r/QkTZ6Wk/terraform.azure.best-practice.azure-frontdoor-enables-waf.azure-frontdoor-enables-waf origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-frontdoor-use-wafmode.azure-frontdoor-use-wafmode message: "Ensure that Azure Front Door uses WAF and configured in \u201CDetection\u201D or \u201CPrevention\u201D modes" patterns: - pattern: resource - pattern-inside: | resource "azurerm_frontdoor_firewall_policy" "..." { ... policy_settings { ... enabled = false ... } ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-frontdoor-use-wafmode.azure-frontdoor-use-wafmode shortlink: https://sg.run/XAgK semgrep.dev: rule: r_id: 23920 rv_id: 946758 rule_id: gxUxPz version_id: 3ZTOBkL url: https://semgrep.dev/playground/r/3ZTOBkL/terraform.azure.best-practice.azure-frontdoor-use-wafmode.azure-frontdoor-use-wafmode origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-functionapp-http-version-latest.azure-functionapp-http-version-latest message: Ensure that HTTP Version is the latest if used to run the Function app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_function_app" "..." { ... site_config { ... http2_enabled = true ... } ... } - pattern-inside: | resource "azurerm_function_app" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-functionapp-http-version-latest.azure-functionapp-http-version-latest shortlink: https://sg.run/j4oY semgrep.dev: rule: r_id: 23921 rv_id: 946759 rule_id: QrU0XD version_id: 44TZzRZ url: https://semgrep.dev/playground/r/44TZzRZ/terraform.azure.best-practice.azure-functionapp-http-version-latest.azure-functionapp-http-version-latest origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-functionapps-accessible-over-https.azure-functionapps-accessible-over-https message: Ensure that HTTP Version is the latest if used to run the Function app patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... https_only = true ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-functionapps-accessible-over-https.azure-functionapps-accessible-over-https shortlink: https://sg.run/1gBw semgrep.dev: rule: r_id: 23922 rv_id: 946760 rule_id: 3qUQRq version_id: PkTQkJ1 url: https://semgrep.dev/playground/r/PkTQkJ1/terraform.azure.best-practice.azure-functionapps-accessible-over-https.azure-functionapps-accessible-over-https origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-keyvault-enables-firewall-rules-settings.azure-keyvault-enables-firewall-rules-settings message: Ensure that key vault allows firewall rules settings patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault" "..." { ... network_acls { ... default_action = "Deny" ... } ... } - pattern-inside: | resource "azurerm_key_vault" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-keyvault-enables-firewall-rules-settings.azure-keyvault-enables-firewall-rules-settings shortlink: https://sg.run/9n4Y semgrep.dev: rule: r_id: 23923 rv_id: 946761 rule_id: 4bUl9D version_id: JdTDPNv url: https://semgrep.dev/playground/r/JdTDPNv/terraform.azure.best-practice.azure-keyvault-enables-firewall-rules-settings.azure-keyvault-enables-firewall-rules-settings origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-keyvault-enables-purge-protection.azure-keyvault-enables-purge-protection message: Ensure that key vault enables purge protection patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault" "..." { ... purge_protection_enabled = true } - pattern-inside: | resource "azurerm_key_vault" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-keyvault-enables-purge-protection.azure-keyvault-enables-purge-protection shortlink: https://sg.run/ykGx semgrep.dev: rule: r_id: 23924 rv_id: 946762 rule_id: PeU1zN version_id: 5PT94do url: https://semgrep.dev/playground/r/5PT94do/terraform.azure.best-practice.azure-keyvault-enables-purge-protection.azure-keyvault-enables-purge-protection origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-keyvault-enables-soft-delete.azure-keyvault-enables-soft-delete message: Ensure that key vault enables soft delete patterns: - pattern: resource - pattern-inside: | resource "azurerm_key_vault" "..." { ... soft_delete_enabled = false ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-keyvault-enables-soft-delete.azure-keyvault-enables-soft-delete shortlink: https://sg.run/rDon semgrep.dev: rule: r_id: 23925 rv_id: 946763 rule_id: JDUpk9 version_id: GxTP0vq url: https://semgrep.dev/playground/r/GxTP0vq/terraform.azure.best-practice.azure-keyvault-enables-soft-delete.azure-keyvault-enables-soft-delete origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled message: Ensure the key vault is recoverable https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable patterns: - pattern: | resource "azurerm_key_vault" "..." { ... } - pattern-not-inside: | resource "azurerm_key_vault" "..." { ... purge_protection_enabled = true ... } metadata: category: best-practice technology: - terraform - azure references: - https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled shortlink: https://sg.run/bgzp semgrep.dev: rule: r_id: 23926 rv_id: 946764 rule_id: 5rUAqD version_id: RGTAPDE url: https://semgrep.dev/playground/r/RGTAPDE/terraform.azure.best-practice.azure-keyvault-recovery-enabled.azure-keyvault-recovery-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-mariadb-geo-backup-enabled.azure-mariadb-geo-backup-enabled message: Ensure that MariaDB server enables geo-redundant backups patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_mariadb_server" "..." { ... geo_redundant_backup_enabled = true ... } - pattern-inside: | resource "azurerm_mariadb_server" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-mariadb-geo-backup-enabled.azure-mariadb-geo-backup-enabled shortlink: https://sg.run/NoLp semgrep.dev: rule: r_id: 23927 rv_id: 946765 rule_id: GdU6qX version_id: A8TJW90 url: https://semgrep.dev/playground/r/A8TJW90/terraform.azure.best-practice.azure-mariadb-geo-backup-enabled.azure-mariadb-geo-backup-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-monitor-log-profile-categories.azure-monitor-log-profile-categories message: Ensure audit profile captures all the activities patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_monitor_log_profile" "..." { ... categories = [ "Action", "Delete", "Write", ] ... } - pattern-inside: | resource "azurerm_monitor_log_profile" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-monitor-log-profile-categories.azure-monitor-log-profile-categories shortlink: https://sg.run/w2JY semgrep.dev: rule: r_id: 23929 rv_id: 946767 rule_id: AbU5q2 version_id: DkTNW6v url: https://semgrep.dev/playground/r/DkTNW6v/terraform.azure.best-practice.azure-monitor-log-profile-categories.azure-monitor-log-profile-categories origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days message: Ensure that Activity Log Retention is set 365 days or greater patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_monitor_log_profile" "..." { ... retention_policy { ... enabled = true days = 365 ... } ... } - pattern-not-inside: | resource "azurerm_monitor_log_profile" "..." { ... retention_policy { ... enabled = false days = 0 ... } ... } - pattern-inside: | resource "azurerm_monitor_log_profile" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days shortlink: https://sg.run/x25z semgrep.dev: rule: r_id: 23930 rv_id: 946768 rule_id: BYUrbP version_id: WrTEZW6 url: https://semgrep.dev/playground/r/WrTEZW6/terraform.azure.best-practice.azure-monitor-log-profile-retention-days.azure-monitor-log-profile-retention-days origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-server-log-checkpoint-enabled.azure-postgresql-server-log-checkpoint-enabled message: Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_configuration" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_configuration" "..." { ... name = "log_checkpoints" value = "on" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-server-log-checkpoint-enabled.azure-postgresql-server-log-checkpoint-enabled shortlink: https://sg.run/78PZ semgrep.dev: rule: r_id: 23938 rv_id: 946776 rule_id: JDUpn5 version_id: GxTP0v3 url: https://semgrep.dev/playground/r/GxTP0v3/terraform.azure.best-practice.azure-postgresql-server-log-checkpoint-enabled.azure-postgresql-server-log-checkpoint-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-server-log-connections-enabled.azure-postgresql-server-log-connections-enabled message: Ensure server parameter log_connections is set to ON for PostgreSQL Database Server patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_configuration" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_configuration" "..." { ... name = "log_connections" value = "on" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-server-log-connections-enabled.azure-postgresql-server-log-connections-enabled shortlink: https://sg.run/Lder semgrep.dev: rule: r_id: 23939 rv_id: 946777 rule_id: 5rUA7P version_id: RGTAPD7 url: https://semgrep.dev/playground/r/RGTAPD7/terraform.azure.best-practice.azure-postgresql-server-log-connections-enabled.azure-postgresql-server-log-connections-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-postgresql-ssl-enforcement-enabled.azure-postgresql-ssl-enforcement-enabled message: Ensure Enforce SSL connection is set to Enabled for PostgreSQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_server" "..." { ... ssl_enforcement_enabled = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-ssl-enforcement-enabled.azure-postgresql-ssl-enforcement-enabled shortlink: https://sg.run/8QJy semgrep.dev: rule: r_id: 23940 rv_id: 946778 rule_id: GdU6l7 version_id: A8TJW9D url: https://semgrep.dev/playground/r/A8TJW9D/terraform.azure.best-practice.azure-postgresql-ssl-enforcement-enabled.azure-postgresql-ssl-enforcement-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-secret-expiration-date.azure-secret-expiration-date message: Ensure that the expiration date is set on all secrets patterns: - pattern: resource - pattern-inside: | resource "azurerm_key_vault_secret" "..." { ... } - pattern-not-inside: | resource "azurerm_key_vault_secret" "..." { ... expiration_date = "..." ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-secret-expiration-date.azure-secret-expiration-date shortlink: https://sg.run/329r semgrep.dev: rule: r_id: 23943 rv_id: 946781 rule_id: BYUryd version_id: WrTEZW4 url: https://semgrep.dev/playground/r/WrTEZW4/terraform.azure.best-practice.azure-secret-expiration-date.azure-secret-expiration-date origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-securitcenter-email-alert.azure-securitcenter-email-alert message: Ensure that Send email notification for high severity alerts is set to On patterns: - pattern: resource - pattern-inside: | resource "azurerm_security_center_contact" "..." { ... } - pattern-not-inside: | resource "azurerm_security_center_contact" "..." { ... alert_notifications = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-securitcenter-email-alert.azure-securitcenter-email-alert shortlink: https://sg.run/4L9l semgrep.dev: rule: r_id: 23944 rv_id: 946782 rule_id: DbUnwx version_id: 0bT1ELb url: https://semgrep.dev/playground/r/0bT1ELb/terraform.azure.best-practice.azure-securitcenter-email-alert.azure-securitcenter-email-alert origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-securitycenter-contact-emails.azure-securitycenter-contact-emails message: Ensure that Security contact emails is set patterns: - pattern: resource - pattern-inside: | resource "azurerm_security_center_contact" "..." { ... } - pattern-not-inside: | resource "azurerm_security_center_contact" "..." { ... email = "..." ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-securitycenter-contact-emails.azure-securitycenter-contact-emails shortlink: https://sg.run/PywY semgrep.dev: rule: r_id: 23945 rv_id: 946783 rule_id: WAUQ7d version_id: K3TJ4vL url: https://semgrep.dev/playground/r/K3TJ4vL/terraform.azure.best-practice.azure-securitycenter-contact-emails.azure-securitycenter-contact-emails origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-securitycenter-standard-pricing.azure-securitycenter-standard-pricing message: Ensure that standard pricing tier is selected patterns: - pattern: resource - pattern-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... } - pattern-not-inside: | resource "azurerm_security_center_subscription_pricing" "..." { ... tier = "Standard" ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-securitycenter-standard-pricing.azure-securitycenter-standard-pricing shortlink: https://sg.run/Gpzp semgrep.dev: rule: r_id: 23948 rv_id: 946786 rule_id: qNUxvx version_id: YDTvrpy url: https://semgrep.dev/playground/r/YDTvrpy/terraform.azure.best-practice.azure-securitycenter-standard-pricing.azure-securitycenter-standard-pricing origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-sqlserver-email-alerts-toadmins-enabled.azure-sqlserver-email-alerts-toadmins-enabled message: Ensure that Email service and co-administrators is Enabled for MSSQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... } - pattern-not-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... state = "Enabled" email_account_admins = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-sqlserver-email-alerts-toadmins-enabled.azure-sqlserver-email-alerts-toadmins-enabled shortlink: https://sg.run/ANKp semgrep.dev: rule: r_id: 23950 rv_id: 946788 rule_id: YGU2wZ version_id: o5TZzg7 url: https://semgrep.dev/playground/r/o5TZzg7/terraform.azure.best-practice.azure-sqlserver-email-alerts-toadmins-enabled.azure-sqlserver-email-alerts-toadmins-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-sqlserver-threat-detection-types.azure-sqlserver-threat-detection-types message: Ensure that Threat Detection types is set to All patterns: - pattern: resource - pattern-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... } - pattern-not-inside: | resource "azurerm_mssql_server_security_alert_policy" "..." { ... state = "Enabled" disabled_alerts = [] ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-sqlserver-threat-detection-types.azure-sqlserver-threat-detection-types shortlink: https://sg.run/B1qW semgrep.dev: rule: r_id: 23951 rv_id: 946789 rule_id: 6JUJR8 version_id: zyTlyK5 url: https://semgrep.dev/playground/r/zyTlyK5/terraform.azure.best-practice.azure-sqlserver-threat-detection-types.azure-sqlserver-threat-detection-types origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-storage-account-enables-secure-transfer.azure-storage-account-enables-secure-transfer message: Ensure that storage account enables secure transfer patterns: - pattern: resource - pattern-inside: | resource "azurerm_storage_account" "..." { ... enable_https_traffic_only = false ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-storage-account-enables-secure-transfer.azure-storage-account-enables-secure-transfer shortlink: https://sg.run/DdYY semgrep.dev: rule: r_id: 23952 rv_id: 946790 rule_id: oqUlLL version_id: pZTNG1l url: https://semgrep.dev/playground/r/pZTNG1l/terraform.azure.best-practice.azure-storage-account-enables-secure-transfer.azure-storage-account-enables-secure-transfer origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-synapse-workscape-enables-managed-virtual-network.azure-synapse-workscape-enables-managed-virtual-network message: Ensure that Azure Synapse workspaces enables managed virtual networks patterns: - pattern: resource - pattern-inside: | resource "azurerm_synapse_workspace" "..." { ... } - pattern-not-inside: | resource "azurerm_synapse_workspace" "..." { ... managed_virtual_network_enabled = true ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-synapse-workscape-enables-managed-virtual-network.azure-synapse-workscape-enables-managed-virtual-network shortlink: https://sg.run/WRb4 semgrep.dev: rule: r_id: 23953 rv_id: 946791 rule_id: zdU8BN version_id: 2KTY4zW url: https://semgrep.dev/playground/r/2KTY4zW/terraform.azure.best-practice.azure-synapse-workscape-enables-managed-virtual-network.azure-synapse-workscape-enables-managed-virtual-network origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-vmscale-sets-auto-os-image-patching-enabled.azure-vmscale-sets-auto-os-image-patching-enabled message: Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets patterns: - pattern: resource - pattern-inside: | resource "azurerm_virtual_machine_scale_set" "..." { ... } - pattern-not-inside: | resource "azurerm_virtual_machine_scale_set" "..." { ... automatic_os_upgrade = true os_profile_windows_config { ... enable_automatic_upgrades = true ... } ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-vmscale-sets-auto-os-image-patching-enabled.azure-vmscale-sets-auto-os-image-patching-enabled shortlink: https://sg.run/02Zv semgrep.dev: rule: r_id: 23954 rv_id: 946792 rule_id: pKUy2A version_id: X0TLZOW url: https://semgrep.dev/playground/r/X0TLZOW/terraform.azure.best-practice.azure-vmscale-sets-auto-os-image-patching-enabled.azure-vmscale-sets-auto-os-image-patching-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-waf-specificed-mode-app-gw.azure-waf-specificed-mode-app-gw message: "Ensure that Application Gateway uses WAF in \u201CDetection\u201D or \u201CPrevention\u201D modes" patterns: - pattern: resource - pattern-inside: | resource "azurerm_web_application_firewall_policy" "..." { ... policy_settings { enabled = false } ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-waf-specificed-mode-app-gw.azure-waf-specificed-mode-app-gw shortlink: https://sg.run/Ke17 semgrep.dev: rule: r_id: 23955 rv_id: 946793 rule_id: 2ZUrRw version_id: jQTzqlg url: https://semgrep.dev/playground/r/jQTzqlg/terraform.azure.best-practice.azure-waf-specificed-mode-app-gw.azure-waf-specificed-mode-app-gw origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-python.anthropic-missing-refusal-check-python languages: - python severity: WARNING message: Anthropic response content accessed without checking stop_reason. Check response.stop_reason to handle cases where the model stops unexpectedly (e.g., due to max_tokens or content filtering). metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-python.anthropic-missing-refusal-check-python shortlink: https://sg.run/0gXyw semgrep.dev: rule: r_id: 288798 rv_id: 1413356 rule_id: 8GUqgz7 version_id: jQT10go url: https://semgrep.dev/playground/r/jQT10go/ai.ai-best-practices.anthropic-missing-refusal-check.anthropic-missing-refusal-check-python.anthropic-missing-refusal-check-python origin: community patterns: - pattern: $RESP.content - pattern-inside: | $RESP = $CLIENT.messages.create(...) ... - pattern-not-inside: | if $RESP.stop_reason == "end_turn": ... - pattern-not-inside: | if $RESP.stop_reason != ...: ... else: ... - id: terraform.azure.security.aks.azure-aks-uses-disk-encryptionset.azure-aks-uses-disk-encryptionset message: Ensure that AKS uses disk encryption set patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kubernetes_cluster" "..." { ... disk_encryption_set_id = "..." ... } - pattern-inside: | resource "azurerm_kubernetes_cluster" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.aks.azure-aks-uses-disk-encryptionset.azure-aks-uses-disk-encryptionset shortlink: https://sg.run/YBZe semgrep.dev: rule: r_id: 23958 rv_id: 946796 rule_id: 10UYEn version_id: yeT0v3n url: https://semgrep.dev/playground/r/yeT0v3n/terraform.azure.security.aks.azure-aks-uses-disk-encryptionset.azure-aks-uses-disk-encryptionset origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.cohere-no-error-handling.cohere-no-error-handling.cohere-no-error-handling languages: - python severity: WARNING message: Cohere API call without error handling. Wrap API calls in try/except to handle rate limits, API errors, and network issues gracefully. metadata: cwe: 'CWE-754: Improper Check for Unusual or Exceptional Conditions' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - cohere references: - https://docs.cohere.com/docs/safety-modes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.cohere-no-error-handling.cohere-no-error-handling.cohere-no-error-handling shortlink: https://sg.run/l0b29 semgrep.dev: rule: r_id: 286713 rv_id: 1409310 rule_id: eqUL48D version_id: 6xTR4eg url: https://semgrep.dev/playground/r/6xTR4eg/ai.ai-best-practices.cohere-no-error-handling.cohere-no-error-handling.cohere-no-error-handling origin: community patterns: - pattern-either: - pattern: $CLIENT.chat(...) - pattern: $CLIENT.chat_stream(...) - pattern-inside: | $CLIENT = cohere.Client(...) ... - pattern-not-inside: | try: ... except ...: ... - id: ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-javascript.anthropic-missing-system-prompt-javascript languages: - javascript - typescript severity: WARNING message: Anthropic messages.create() called without a 'system' parameter. A system prompt helps set behavioral guidelines and safety boundaries for the model. metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-javascript.anthropic-missing-system-prompt-javascript shortlink: https://sg.run/KdvXn semgrep.dev: rule: r_id: 288799 rv_id: 1413357 rule_id: gxUAEgR version_id: 1QTEwOq url: https://semgrep.dev/playground/r/1QTEwOq/ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-javascript.anthropic-missing-system-prompt-javascript origin: community patterns: - pattern: $CLIENT.messages.create({...}) - pattern-not: '$CLIENT.messages.create({..., system: $SYS, ...})' - id: terraform.azure.security.azure-automation-encrypted.azure-automation-encrypted patterns: - pattern-either: - pattern-inside: | resource "azurerm_automation_variable_string" "..." { ... } - pattern-inside: | resource "azurerm_automation_variable_datetime" "..." { ... } - pattern-inside: | resource "azurerm_automation_variable_int" "..." { ... } - pattern-not-inside: | resource "azurerm_automation_variable_string" "..." { ... encrypted = true ... } - pattern-not-inside: | resource "azurerm_automation_variable_datetime" "..." { ... encrypted = true ... } - pattern-not-inside: | resource "azurerm_automation_variable_int" "..." { ... encrypted = true ... } message: Ensure that Automation account variables are encrypted languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-automation-encrypted.azure-automation-encrypted shortlink: https://sg.run/bgLp semgrep.dev: rule: r_id: 23970 rv_id: 946814 rule_id: d8UA8G version_id: QkTZ68L url: https://semgrep.dev/playground/r/QkTZ68L/terraform.azure.security.azure-automation-encrypted.azure-automation-encrypted origin: community - id: terraform.azure.security.azure-batchaccount-uses-keyvault-encrpytion.azure-batchaccount-uses-keyvault-encrpytion message: Ensure that Azure Batch account uses key vault to encrypt data patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_batch_account" "..." { ... key_vault_reference { ... } ... } - pattern-inside: | resource "azurerm_batch_account" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-batchaccount-uses-keyvault-encrpytion.azure-batchaccount-uses-keyvault-encrpytion shortlink: https://sg.run/No9p semgrep.dev: rule: r_id: 23971 rv_id: 946815 rule_id: ZqUNDd version_id: 3ZTOBl5 url: https://semgrep.dev/playground/r/3ZTOBl5/terraform.azure.security.azure-batchaccount-uses-keyvault-encrpytion.azure-batchaccount-uses-keyvault-encrpytion origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-cosmosdb-have-cmk.azure-cosmosdb-have-cmk message: Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... key_vault_key_id = ... ... } - pattern-inside: | resource "azurerm_cosmosdb_account" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-cosmosdb-have-cmk.azure-cosmosdb-have-cmk shortlink: https://sg.run/v1rA semgrep.dev: rule: r_id: 23977 rv_id: 946821 rule_id: gxUxrq version_id: RGTAPe7 url: https://semgrep.dev/playground/r/RGTAPe7/terraform.azure.security.azure-cosmosdb-have-cmk.azure-cosmosdb-have-cmk origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-dataexplorer-double-encryption-enabled.azure-dataexplorer-double-encryption-enabled message: Ensure that Azure Data Explorer uses double encryption patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kusto_cluster" "..." { ... double_encryption_enabled = true ... } - pattern-inside: | resource "azurerm_kusto_cluster" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-dataexplorer-double-encryption-enabled.azure-dataexplorer-double-encryption-enabled shortlink: https://sg.run/Z3bD semgrep.dev: rule: r_id: 23979 rv_id: 946823 rule_id: 3qUQ29 version_id: BjT1BxR url: https://semgrep.dev/playground/r/BjT1BxR/terraform.azure.security.azure-dataexplorer-double-encryption-enabled.azure-dataexplorer-double-encryption-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-dataexplorer-uses-disk-encryption.azure-dataexplorer-uses-disk-encryption message: Ensure that Azure Data Explorer uses disk encryption patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kusto_cluster" "..." { ... enable_disk_encryption = true ... } - pattern-inside: | resource "azurerm_kusto_cluster" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-dataexplorer-uses-disk-encryption.azure-dataexplorer-uses-disk-encryption shortlink: https://sg.run/nGAX semgrep.dev: rule: r_id: 23980 rv_id: 946824 rule_id: 4bUl5y version_id: DkTNWqA url: https://semgrep.dev/playground/r/DkTNWqA/terraform.azure.security.azure-dataexplorer-uses-disk-encryption.azure-dataexplorer-uses-disk-encryption origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-datalake-store-encryption.azure-datalake-store-encryption message: Ensure that Data Lake Store accounts enables encryption patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_data_lake_store" "..." { ... encryption_state = "Enabled" ... } - pattern-inside: | resource "azurerm_data_lake_store" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-datalake-store-encryption.azure-datalake-store-encryption shortlink: https://sg.run/Ldvr semgrep.dev: rule: r_id: 23983 rv_id: 946827 rule_id: 5rUArP version_id: K3TJ4nL url: https://semgrep.dev/playground/r/K3TJ4nL/terraform.azure.security.azure-datalake-store-encryption.azure-datalake-store-encryption origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-python.anthropic-missing-system-prompt-python languages: - python severity: WARNING message: Anthropic messages.create() called without a 'system' parameter. A system prompt helps set behavioral guidelines and safety boundaries for the model. metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-python.anthropic-missing-system-prompt-python shortlink: https://sg.run/4BXe5 semgrep.dev: rule: r_id: 288800 rv_id: 1413358 rule_id: QrU7Ad5 version_id: 9lT39d0 url: https://semgrep.dev/playground/r/9lT39d0/ai.ai-best-practices.anthropic-missing-system-prompt.anthropic-missing-system-prompt-python.anthropic-missing-system-prompt-python origin: community patterns: - pattern: $CLIENT.messages.create(...) - pattern-not: $CLIENT.messages.create(..., system=$SYS, ...) - id: ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-javascript.anthropic-no-error-handling-javascript languages: - javascript - typescript severity: WARNING message: Anthropic API call without error handling. Wrap API calls in try/catch to handle rate limits, API errors, and network issues gracefully. metadata: cwe: 'CWE-754: Improper Check for Unusual or Exceptional Conditions' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-javascript.anthropic-no-error-handling-javascript shortlink: https://sg.run/P9vbz semgrep.dev: rule: r_id: 288801 rv_id: 1413359 rule_id: 3qUpWjn version_id: yeTqWRg url: https://semgrep.dev/playground/r/yeTqWRg/ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-javascript.anthropic-no-error-handling-javascript origin: community patterns: - pattern-either: - pattern: await $CLIENT.messages.create({...}) - pattern: $CLIENT.messages.create({...}) - pattern-not-inside: | try { ... } catch ($ERR) { ... } - id: terraform.azure.security.azure-service-fabric-cluster-protection-level.azure-service-fabric-cluster-protection-level message: Ensure that Service Fabric use three levels of protection available patterns: - pattern: resource - pattern-inside: | resource "azurerm_service_fabric_cluster" "..." { ... } - pattern-not-inside: | resource "azurerm_service_fabric_cluster" "..." { ... fabric_settings { name = "Security" parameters = { ... name = "ClusterProtectionLevel" value = "EncryptAndSign" ... } ... } ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-service-fabric-cluster-protection-level.azure-service-fabric-cluster-protection-level shortlink: https://sg.run/Dd62 semgrep.dev: rule: r_id: 24008 rv_id: 946852 rule_id: kxUx3E version_id: nWTpY8Q url: https://semgrep.dev/playground/r/nWTpY8Q/terraform.azure.security.azure-service-fabric-cluster-protection-level.azure-service-fabric-cluster-protection-level origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-vmencryption-at-host-enabled.azure-vmencryption-at-host-enabled message: Ensure that Virtual machine scale sets have encryption at host enabled patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "azurerm_windows_virtual_machine_scale_set" "..." { ... } - pattern-inside: | resource "azurerm_linux_virtual_machine_scale_set" "..." { ... } - pattern-not-inside: | resource "azurerm_windows_virtual_machine_scale_set" "..." { ... encryption_at_host_enabled = true ... } - pattern-not-inside: | resource "azurerm_linux_virtual_machine_scale_set" "..." { ... encryption_at_host_enabled = true ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-vmencryption-at-host-enabled.azure-vmencryption-at-host-enabled shortlink: https://sg.run/68Pw semgrep.dev: rule: r_id: 24015 rv_id: 946859 rule_id: ZqUNxd version_id: 3ZTOBp5 url: https://semgrep.dev/playground/r/3ZTOBp5/terraform.azure.security.azure-vmencryption-at-host-enabled.azure-vmencryption-at-host-enabled origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-python.anthropic-no-error-handling languages: - python severity: WARNING message: Anthropic API call without error handling. Wrap API calls in try/except to handle rate limits, API errors, and network issues gracefully. metadata: cwe: 'CWE-754: Improper Check for Unusual or Exceptional Conditions' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - anthropic references: - https://docs.anthropic.com/en/api/messages license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-python.anthropic-no-error-handling shortlink: https://sg.run/Jqvxy semgrep.dev: rule: r_id: 288802 rv_id: 1413360 rule_id: 4bUA514 version_id: rxTnJyK url: https://semgrep.dev/playground/r/rxTnJyK/ai.ai-best-practices.anthropic-no-error-handling.anthropic-no-error-handling-python.anthropic-no-error-handling origin: community patterns: - pattern: $CLIENT.messages.create(...) - pattern-not-inside: | try: ... except ...: ... - id: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret message: Key vault Secret should have a content type set patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault_secret" "..." { ... content_type = "..." ... } - pattern-inside: | resource "azurerm_key_vault_secret" "..." { ... } metadata: category: correctness technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type - https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret shortlink: https://sg.run/eoAb semgrep.dev: rule: r_id: 15132 rv_id: 946862 rule_id: 8GUzld version_id: JdTDP3Y url: https://semgrep.dev/playground/r/JdTDP3Y/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret origin: community languages: - hcl severity: INFO - id: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires message: Ensure that the expiration date is set on all keys patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault_key" "..." { ... expiration_date = "..." ... } - pattern-inside: | resource "azurerm_key_vault_key" "..." { ... } metadata: cwe: - 'CWE-262: Not Using Password Aging' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date - https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires shortlink: https://sg.run/vq9A semgrep.dev: rule: r_id: 15133 rv_id: 946863 rule_id: gxUgXq version_id: 5PT94PR url: https://semgrep.dev/playground/r/5PT94PR/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires origin: community languages: - hcl severity: INFO - id: terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled message: Key vault should have purge protection enabled patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault" "..." { ... purge_protection_enabled = true ... } - pattern-either: - pattern-inside: | resource "azurerm_key_vault" "..." { ... } - pattern-inside: | resource "azurerm_key_vault" "..." { ... purge_protection_enabled = false ... } metadata: cwe: - 'CWE-693: Protection Mechanism Failure' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled - https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled shortlink: https://sg.run/Z4xD semgrep.dev: rule: r_id: 15135 rv_id: 946865 rule_id: 3qUjw9 version_id: RGTAPQ7 url: https://semgrep.dev/playground/r/RGTAPQ7/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-js.anthropic-user-input-in-system-prompt-js mode: taint languages: - javascript - typescript severity: ERROR message: User input flows into the Anthropic system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or keep system prompts hardcoded. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/docs/initial-setup license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-js.anthropic-user-input-in-system-prompt-js shortlink: https://sg.run/5W4D0 semgrep.dev: rule: r_id: 288803 rv_id: 1413361 rule_id: PeUW2o8 version_id: bZTEgbd url: https://semgrep.dev/playground/r/bZTEgbd/ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-js.anthropic-user-input-in-system-prompt-js origin: community pattern-sources: - pattern: req.body.$F - pattern: req.query.$F - pattern: req.params.$F - pattern: req.body pattern-sinks: - patterns: - pattern: | $CLIENT.messages.create({..., system: $SINK, ...}) - focus-metavariable: $SINK - id: terraform.gcp.best-practice.gcp-dnssec-enabled.gcp-dnssec-enabled patterns: - pattern: resource - pattern-inside: | resource "google_dns_managed_zone" "..." { ... } - pattern-not-inside: | resource "google_dns_managed_zone" "..." { ... dnssec_config { state = on } ... } message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-dnssec-enabled.gcp-dnssec-enabled shortlink: https://sg.run/go10 semgrep.dev: rule: r_id: 33641 rv_id: 946874 rule_id: WAUG72 version_id: YDTvr6y url: https://semgrep.dev/playground/r/YDTvr6y/terraform.gcp.best-practice.gcp-dnssec-enabled.gcp-dnssec-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-alias-ip-enabled.gcp-gke-alias-ip-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... ip_allocation_policy { ... use_ip_aliases = "false" ... } ... } message: Ensure Kubernetes Cluster is created with Alias IP ranges enabled metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-alias-ip-enabled.gcp-gke-alias-ip-enabled shortlink: https://sg.run/Q3yZ semgrep.dev: rule: r_id: 33642 rv_id: 946875 rule_id: 0oUgGY version_id: JdTDP3d url: https://semgrep.dev/playground/r/JdTDP3d/terraform.gcp.best-practice.gcp-gke-alias-ip-enabled.gcp-gke-alias-ip-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-binary-authorization.gcp-gke-binary-authorization patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... enable_binary_authorization = true ... } message: "Ensure use of Binary Authorization\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-binary-authorization.gcp-gke-binary-authorization shortlink: https://sg.run/3n9K semgrep.dev: rule: r_id: 33643 rv_id: 946876 rule_id: KxU8gD version_id: 5PT94Pv url: https://semgrep.dev/playground/r/5PT94Pv/terraform.gcp.best-practice.gcp-gke-binary-authorization.gcp-gke-binary-authorization origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-enable-shielded-nodes.gcp-gke-enable-shielded-nodes patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... enable_shielded_nodes = false ... } message: Ensure Shielded GKE Nodes are Enabled metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-enable-shielded-nodes.gcp-gke-enable-shielded-nodes shortlink: https://sg.run/4X95 semgrep.dev: rule: r_id: 33644 rv_id: 946877 rule_id: qNULvE version_id: GxTP0x2 url: https://semgrep.dev/playground/r/GxTP0x2/terraform.gcp.best-practice.gcp-gke-enable-shielded-nodes.gcp-gke-enable-shielded-nodes origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-has-labels.gcp-gke-has-labels patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... resource_labels = { "..." = "..." } ... } message: Ensure Kubernetes Clusters are configured with Labels metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-has-labels.gcp-gke-has-labels shortlink: https://sg.run/Pvwz semgrep.dev: rule: r_id: 33645 rv_id: 946878 rule_id: lBUopb version_id: RGTAPQv url: https://semgrep.dev/playground/r/RGTAPQv/terraform.gcp.best-practice.gcp-gke-has-labels.gcp-gke-has-labels origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-metadata-server-enabled.gcp-gke-metadata-server-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... node_config { ... workload_metadata_config { ... node_metadata = "GKE_METADATA_SERVER" ... } ... } ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... node_config { ... workload_metadata_config { ... mode = "GKE_METADATA" ... } ... } ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... node_config { ... workload_metadata_config = ... ... } ... } message: "Ensure the GKE Metadata Server is Enabled\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-metadata-server-enabled.gcp-gke-metadata-server-enabled shortlink: https://sg.run/Jvzy semgrep.dev: rule: r_id: 33646 rv_id: 946879 rule_id: YGUkwW version_id: A8TJWrb url: https://semgrep.dev/playground/r/A8TJWrb/terraform.gcp.best-practice.gcp-gke-metadata-server-enabled.gcp-gke-metadata-server-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-nodepool-auto-repair-enabled.gcp-gke-nodepool-auto-repair-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_node_pool" "..." { ... management { ... auto_repair = false ... } ... } message: Ensure 'Automatic node repair' is enabled for Kubernetes Clusters metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-nodepool-auto-repair-enabled.gcp-gke-nodepool-auto-repair-enabled shortlink: https://sg.run/54g0 semgrep.dev: rule: r_id: 33647 rv_id: 946880 rule_id: 6JUGRB version_id: BjT1BNW url: https://semgrep.dev/playground/r/BjT1BNW/terraform.gcp.best-practice.gcp-gke-nodepool-auto-repair-enabled.gcp-gke-nodepool-auto-repair-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-nodepool-auto-upgrade-enabled.gcp-gke-nodepool-auto-upgrade-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_node_pool" "..." { ... management { ... auto_upgrade = false ... } ... } message: Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-nodepool-auto-upgrade-enabled.gcp-gke-nodepool-auto-upgrade-enabled shortlink: https://sg.run/Gvzq semgrep.dev: rule: r_id: 33648 rv_id: 946881 rule_id: oqUoL6 version_id: DkTNWp6 url: https://semgrep.dev/playground/r/DkTNWp6/terraform.gcp.best-practice.gcp-gke-nodepool-auto-upgrade-enabled.gcp-gke-nodepool-auto-upgrade-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-nodepool-secure-boot-for-shielded-nodes.gcp-gke-nodepool-secure-boot-for-shielded-nodes patterns: - pattern: resource - pattern-inside: | resource "google_container_node_pool" "..." { ... } - pattern-not-inside: | resource "google_container_node_pool" "..." { ... shielded_instance_config { ... enable_secure_boot = true ... } ... } message: "Ensure Secure Boot for Shielded GKE Nodes is Enabled\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-nodepool-secure-boot-for-shielded-nodes.gcp-gke-nodepool-secure-boot-for-shielded-nodes shortlink: https://sg.run/AqK2 semgrep.dev: rule: r_id: 33650 rv_id: 946883 rule_id: pKUe2j version_id: 0bT1E57 url: https://semgrep.dev/playground/r/0bT1E57/terraform.gcp.best-practice.gcp-gke-nodepool-secure-boot-for-shielded-nodes.gcp-gke-nodepool-secure-boot-for-shielded-nodes origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-gke-use-cos-image.gcp-gke-use-cos-image patterns: - pattern: resource - pattern-inside: | resource "google_container_node_pool" "..." { ... } - pattern-not-inside: | resource "google_container_node_pool" "..." { ... node_config { ... image_type = "COS" } ... } message: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-gke-use-cos-image.gcp-gke-use-cos-image shortlink: https://sg.run/D6YP semgrep.dev: rule: r_id: 33652 rv_id: 946885 rule_id: X5UkYy version_id: qkT4ojo url: https://semgrep.dev/playground/r/qkT4ojo/terraform.gcp.best-practice.gcp-gke-use-cos-image.gcp-gke-use-cos-image origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-ipv6-private-google-enabled.gcp-ipv6-private-google-enabled patterns: - pattern: resource - pattern-inside: | resource "google_compute_subnetwork" "..." { ... } - pattern-not-inside: | resource "google_compute_subnetwork" "..." { ... private_ipv6_google_access = "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE" ... } - pattern-not-inside: | resource "google_compute_subnetwork" "..." { ... private_ipv6_google_access = "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE" ... } message: Ensure that Private google access is enabled for IPV6 metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-ipv6-private-google-enabled.gcp-ipv6-private-google-enabled shortlink: https://sg.run/W4b2 semgrep.dev: rule: r_id: 33653 rv_id: 946886 rule_id: j2UD12 version_id: l4Txd9z url: https://semgrep.dev/playground/r/l4Txd9z/terraform.gcp.best-practice.gcp-ipv6-private-google-enabled.gcp-ipv6-private-google-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-mysql-local-in-file-off.gcp-mysql-local-in-file-off patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "local_infile" value = "on" ... } ... } message: Ensure MySQL database 'local_infile' flag is set to 'off' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-mysql-local-in-file-off.gcp-mysql-local-in-file-off shortlink: https://sg.run/0XZj semgrep.dev: rule: r_id: 33654 rv_id: 946887 rule_id: 10U3El version_id: YDTvrRD url: https://semgrep.dev/playground/r/YDTvrRD/terraform.gcp.best-practice.gcp-mysql-local-in-file-off.gcp-mysql-local-in-file-off origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-checkpoints.gcp-postgresql-log-checkpoints patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_checkpoints" value = "off" ... } ... } message: Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-checkpoints.gcp-postgresql-log-checkpoints shortlink: https://sg.run/Kv15 semgrep.dev: rule: r_id: 33655 rv_id: 946888 rule_id: 9AUq3g version_id: 6xTxqjE url: https://semgrep.dev/playground/r/6xTxqjE/terraform.gcp.best-practice.gcp-postgresql-log-checkpoints.gcp-postgresql-log-checkpoints origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-disconnection.gcp-postgresql-log-disconnection patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_disconnections" value = "off" ... } ... } message: Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-disconnection.gcp-postgresql-log-disconnection shortlink: https://sg.run/lGbE semgrep.dev: rule: r_id: 33657 rv_id: 946890 rule_id: r6Ulnx version_id: zyTlykG url: https://semgrep.dev/playground/r/zyTlykG/terraform.gcp.best-practice.gcp-postgresql-log-disconnection.gcp-postgresql-log-disconnection origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-lock-waits.gcp-postgresql-log-lock-waits patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_lock_waits" value = "off" ... } ... } message: Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-lock-waits.gcp-postgresql-log-lock-waits shortlink: https://sg.run/YJZy semgrep.dev: rule: r_id: 33658 rv_id: 946891 rule_id: bwUQEk version_id: pZTNGON url: https://semgrep.dev/playground/r/pZTNGON/terraform.gcp.best-practice.gcp-postgresql-log-lock-waits.gcp-postgresql-log-lock-waits origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-min-duration.gcp-postgresql-log-min-duration patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... } ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_min_duration_statement" value = "-1" ... } ... } message: Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-min-duration.gcp-postgresql-log-min-duration shortlink: https://sg.run/6P41 semgrep.dev: rule: r_id: 33659 rv_id: 946892 rule_id: NbUG6n version_id: 2KTY4br url: https://semgrep.dev/playground/r/2KTY4br/terraform.gcp.best-practice.gcp-postgresql-log-min-duration.gcp-postgresql-log-min-duration origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-min-message.gcp-postgresql-log-min-message patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_min_messages" value = "$VALUE" ... } ... } - metavariable-pattern: metavariable: $VALUE language: generic patterns: - pattern-not-regex: (?i)(DEBUG5|DEBUG4|DEBUG3|DEBUG2|DEBUG1|INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC) message: Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-min-message.gcp-postgresql-log-min-message shortlink: https://sg.run/o330 semgrep.dev: rule: r_id: 33660 rv_id: 946893 rule_id: kxU33K version_id: X0TLZ82 url: https://semgrep.dev/playground/r/X0TLZ82/terraform.gcp.best-practice.gcp-postgresql-log-min-message.gcp-postgresql-log-min-message origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-postgresql-log-temp.gcp-postgresql-log-temp patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... } ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... database_flags { ... name = "log_temp_files" value = "0" ... } ... } message: Ensure PostgreSQL database 'log_temp_files' flag is set to '0' metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-postgresql-log-temp.gcp-postgresql-log-temp shortlink: https://sg.run/zZZd semgrep.dev: rule: r_id: 33661 rv_id: 946894 rule_id: wdUNN9 version_id: jQTzqvn url: https://semgrep.dev/playground/r/jQTzqvn/terraform.gcp.best-practice.gcp-postgresql-log-temp.gcp-postgresql-log-temp origin: community languages: - hcl severity: WARNING - id: terraform.gcp.best-practice.gcp-storage-versioning-enabled.gcp-storage-versioning-enabled patterns: - pattern: resource - pattern-inside: | resource "google_storage_bucket" "..." { ... } - pattern-not-inside: | resource "google_storage_bucket" "..." { ... versioning = { enabled = true } ... } message: Ensure Cloud storage has versioning enabled metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.best-practice.gcp-storage-versioning-enabled.gcp-storage-versioning-enabled shortlink: https://sg.run/pDDZ semgrep.dev: rule: r_id: 33662 rv_id: 946895 rule_id: x8U00v version_id: 1QToZK2 url: https://semgrep.dev/playground/r/1QToZK2/terraform.gcp.best-practice.gcp-storage-versioning-enabled.gcp-storage-versioning-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy message: 'Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.' patterns: - pattern-either: - pattern-inside: | resource "azurerm_storage_account" "..." { ... min_tls_version = "$ANYTHING" ... } - pattern-inside: | resource "azurerm_storage_account" "..." { ... } - pattern-not-inside: | resource "azurerm_storage_account" "..." { ... min_tls_version = "TLS1_2" ... } metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version - https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy shortlink: https://sg.run/KXD7 semgrep.dev: rule: r_id: 15155 rv_id: 1263807 rule_id: AbUQdL version_id: WrTqKpv url: https://semgrep.dev/playground/r/WrTqKpv/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy origin: community languages: - hcl severity: ERROR - id: terraform.gcp.security.gcp-compute-boot-disk-encryption.gcp-compute-boot-disk-encryption patterns: - pattern: | resource "google_compute_instance" $ANYTHING { ... } - pattern-not-inside: | resource "google_compute_instance" $ANYTHING { ... boot_disk { disk_encryption_key_raw = ... } ... } - pattern-not-inside: | resource "google_compute_instance" $ANYTHING { ... boot_disk { kms_key_self_link = ... } ... } message: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' technology: - terraform - gcp category: security references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-boot-disk-encryption.gcp-compute-boot-disk-encryption shortlink: https://sg.run/Gzjy semgrep.dev: rule: r_id: 32304 rv_id: 1263814 rule_id: QrUEPn version_id: 5PTo1Gk url: https://semgrep.dev/playground/r/5PTo1Gk/terraform.gcp.security.gcp-compute-boot-disk-encryption.gcp-compute-boot-disk-encryption origin: community - id: ai.ai-best-practices.gemini-no-error-handling.gemini-no-error-handling.gemini-no-error-handling languages: - python severity: WARNING message: Google Gemini API call without error handling. Wrap API calls in try/except to handle API errors and network issues gracefully. metadata: cwe: 'CWE-754: Improper Check for Unusual or Exceptional Conditions' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - gemini references: - https://ai.google.dev/gemini-api/docs/safety-guidance license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.gemini-no-error-handling.gemini-no-error-handling.gemini-no-error-handling shortlink: https://sg.run/boL7E semgrep.dev: rule: r_id: 286726 rv_id: 1409323 rule_id: PeUWeZK version_id: kbTWQAj url: https://semgrep.dev/playground/r/kbTWQAj/ai.ai-best-practices.gemini-no-error-handling.gemini-no-error-handling.gemini-no-error-handling origin: community patterns: - pattern: $MODEL.generate_content(...) - pattern-inside: | $MODEL = genai.GenerativeModel(...) ... - pattern-not-inside: | try: ... except ...: ... - id: terraform.gcp.security.gcp-bigtable-instance-encrypted-with-cmk.gcp-bigtable-instance-encrypted-with-cmk patterns: - pattern: | resource "google_bigtable_instance" $ANYTHING { ... } - pattern-not-inside: | resource "google_bigtable_instance" $ANYTHING { ... cluster { ... kms_key_name = ... ... } ... } message: "Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)\t" metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-bigtable-instance-encrypted-with-cmk.gcp-bigtable-instance-encrypted-with-cmk shortlink: https://sg.run/Pwdp semgrep.dev: rule: r_id: 32301 rv_id: 946903 rule_id: L1URZ4 version_id: xyTqWnl url: https://semgrep.dev/playground/r/xyTqWnl/terraform.gcp.security.gcp-bigtable-instance-encrypted-with-cmk.gcp-bigtable-instance-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dataflow-job-encrypted-with-cmk.gcp-dataflow-job-encrypted-with-cmk patterns: - pattern: | resource "google_dataflow_job" $ANYTHING { ... } - pattern-not-inside: | resource "google_dataflow_job" $ANYTHING { ... kms_key_name = ... ... } message: Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataflow-job-encrypted-with-cmk.gcp-dataflow-job-encrypted-with-cmk shortlink: https://sg.run/Xbd4 semgrep.dev: rule: r_id: 32320 rv_id: 946922 rule_id: PeUe4w version_id: RGTAPgv url: https://semgrep.dev/playground/r/RGTAPgv/terraform.gcp.security.gcp-dataflow-job-encrypted-with-cmk.gcp-dataflow-job-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dataproc-cluster-encrypted-with-cmk.gcp-dataproc-cluster-encrypted-with-cmk patterns: - pattern: | resource "google_dataproc_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "google_dataproc_cluster" $ANYTHING { ... cluster_config { encryption_config { ... kms_key_name = ... ... } } ... } message: "Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK)\t" metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataproc-cluster-encrypted-with-cmk.gcp-dataproc-cluster-encrypted-with-cmk shortlink: https://sg.run/1XXG semgrep.dev: rule: r_id: 33666 rv_id: 946927 rule_id: d8U77l version_id: 0bT1EE7 url: https://semgrep.dev/playground/r/0bT1EE7/terraform.gcp.security.gcp-dataproc-cluster-encrypted-with-cmk.gcp-dataproc-cluster-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 patterns: - pattern: resource - pattern-inside: | resource "google_dns_managed_zone" "..." { ... dnssec_config { ... default_key_specs { ... algorithm = "rsasha1" key_type = "zoneSigning" ... } ... } ... } - pattern-inside: | resource "google_dns_managed_zone" "..." { ... dnssec_config { ... default_key_specs { ... algorithm = "rsasha1" key_type = "keySigning" ... } ... } ... } message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC\t" metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 shortlink: https://sg.run/bKKW semgrep.dev: rule: r_id: 33670 rv_id: 1263837 rule_id: 7KUZZb version_id: bZT53oD url: https://semgrep.dev/playground/r/bZT53oD/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-python.anthropic-user-input-in-system-prompt-python mode: taint languages: - python severity: ERROR message: User input flows into the Anthropic system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or keep system prompts hardcoded. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - anthropic references: - https://docs.anthropic.com/en/docs/initial-setup license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-python.anthropic-user-input-in-system-prompt-python shortlink: https://sg.run/GRvOq semgrep.dev: rule: r_id: 288804 rv_id: 1413362 rule_id: JDU3GL8 version_id: NdT6p3l url: https://semgrep.dev/playground/r/NdT6p3l/ai.ai-best-practices.anthropic-user-input-in-system-prompt.anthropic-user-input-in-system-prompt-python.anthropic-user-input-in-system-prompt-python origin: community pattern-sources: - pattern: request.args.get(...) - pattern: request.form[...] - pattern: request.form.get(...) - pattern: request.json[...] - pattern: request.json.get(...) - pattern: request.data - pattern: request.GET[...] - pattern: request.GET.get(...) - pattern: request.POST[...] - pattern: request.POST.get(...) pattern-sinks: - patterns: - pattern: $CLIENT.messages.create(..., system=$SINK, ...) - focus-metavariable: $SINK - id: terraform.gcp.security.gcp-gke-basic-auth.gcp-gke-basic-auth patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... master_auth { client_certificate_config { ... } } ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... master_auth { ... username = "" password = "" ... } ... } message: "Ensure GKE basic auth is disabled\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-basic-auth.gcp-gke-basic-auth shortlink: https://sg.run/OddL semgrep.dev: rule: r_id: 33675 rv_id: 1263842 rule_id: 3qUWWR version_id: O9Tpx7w url: https://semgrep.dev/playground/r/O9Tpx7w/terraform.gcp.security.gcp-gke-basic-auth.gcp-gke-basic-auth origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-secure-boot-for-shielded-nodes.gcp-gke-secure-boot-for-shielded-nodes patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... shielded_instance_config { ... enable_secure_boot = true ... } ... } message: "Ensure Secure Boot for Shielded GKE Nodes is Enabled\t" metadata: category: best-practice technology: - terraform - gcp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-secure-boot-for-shielded-nodes.gcp-gke-secure-boot-for-shielded-nodes shortlink: https://sg.run/Jvvy semgrep.dev: rule: r_id: 33690 rv_id: 946951 rule_id: YGUkkW version_id: d6TPzz0 url: https://semgrep.dev/playground/r/d6TPzz0/terraform.gcp.security.gcp-gke-secure-boot-for-shielded-nodes.gcp-gke-secure-boot-for-shielded-nodes origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-insecure-load-balancer-tls-version.gcp-insecure-load-balancer-tls-version patterns: - pattern: | resource "google_compute_ssl_policy" $ANYTHING { ... min_tls_version = "..." ... } - pattern-not: | resource "google_compute_ssl_policy" $ANYTHING { ... min_tls_version = "TLS_1_2" ... } message: Detected GCP Load Balancer to be using an insecure version of TLS. To fix this set your "min_tls_version" to "TLS_1_2" languages: - terraform severity: WARNING metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures technology: - gcp - terraform category: security references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-insecure-load-balancer-tls-version.gcp-insecure-load-balancer-tls-version shortlink: https://sg.run/Wjlj semgrep.dev: rule: r_id: 18797 rv_id: 1263856 rule_id: qNUQDQ version_id: PkTR335 url: https://semgrep.dev/playground/r/PkTR335/terraform.gcp.security.gcp-insecure-load-balancer-tls-version.gcp-insecure-load-balancer-tls-version origin: community - id: ai.csharp.detect-openai.detect-openai languages: - csharp severity: INFO message: 'Possibly found usage of AI: OpenAI' pattern-either: - pattern: using OpenAI - pattern: (ChatClient $CLIENT) - pattern: (ChatClient $CLIENT).$FUNC(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.csharp.detect-openai.detect-openai shortlink: https://sg.run/nJy7X semgrep.dev: rule: r_id: 137236 rv_id: 945113 rule_id: ZqUQvz4 version_id: YDTvRD7 url: https://semgrep.dev/playground/r/YDTvRD7/ai.csharp.detect-openai.detect-openai origin: community - id: terraform.gcp.security.gcp-vertexai-dataset-encrypted-with-cmk.gcp-vertexai-dataset-encrypted-with-cmk patterns: - pattern: | resource "google_vertex_ai_dataset" $ANYTHING { ... } - pattern-not-inside: | resource "google_vertex_ai_dataset" $ANYTHING { ... encryption_spec { ... kms_key_name = ... ... } ... } message: Ensure Vertex AI datasets uses a CMK (Customer Manager Key) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-vertexai-dataset-encrypted-with-cmk.gcp-vertexai-dataset-encrypted-with-cmk shortlink: https://sg.run/zZjW semgrep.dev: rule: r_id: 33717 rv_id: 946979 rule_id: gxUE0O version_id: RGTAPoA url: https://semgrep.dev/playground/r/RGTAPoA/terraform.gcp.security.gcp-vertexai-dataset-encrypted-with-cmk.gcp-vertexai-dataset-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: ai.python.detect-huggingface.detect-huggingface languages: - python severity: INFO message: 'Possibly found usage of AI: HuggingFace' pattern-either: - pattern: import huggingface_hub metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-huggingface.detect-huggingface shortlink: https://sg.run/5rw3A semgrep.dev: rule: r_id: 137247 rv_id: 945124 rule_id: JDUNYdD version_id: rxT6r2r url: https://semgrep.dev/playground/r/rxT6r2r/ai.python.detect-huggingface.detect-huggingface origin: community - id: ai.python.detect-langchain.detect-langchain languages: - python severity: INFO message: 'Possibly found usage of AI tooling: LangChain' pattern-either: - pattern: import langchain_openai - pattern: ChatOpenAI(...) - pattern: import langchain_community - pattern: Ollama(...) - pattern: import langchain_anthropic - pattern: ChatAnthropic(...) - pattern: import langchain_cohere - pattern: ChatCohere(...) - pattern: import langchain_core - pattern: import langchain metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-langchain.detect-langchain shortlink: https://sg.run/GdZ7p semgrep.dev: rule: r_id: 137248 rv_id: 945125 rule_id: 5rUd2XA version_id: bZTXwzO url: https://semgrep.dev/playground/r/bZTXwzO/ai.python.detect-langchain.detect-langchain origin: community - id: ai.python.detect-mistral.detect-mistral languages: - python severity: INFO message: 'Possibly found usage of AI: Mistral' pattern-either: - pattern: import mistralai - pattern: MistralClient(...) - pattern: $CLIENT.chat(...,model=...,...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-mistral.detect-mistral shortlink: https://sg.run/Re30O semgrep.dev: rule: r_id: 137249 rv_id: 945126 rule_id: GdUvKQ8 version_id: NdTqkXY url: https://semgrep.dev/playground/r/NdTqkXY/ai.python.detect-mistral.detect-mistral origin: community - id: ai.python.detect-openai.detect-openai languages: - python severity: INFO message: 'Possibly found usage of AI: OpenAI' pattern-either: - pattern: import openai - pattern: from openai import $ANYTHING - pattern: OpenAI(...) - pattern: $CLIENT.chat.completions.$FUNC(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-openai.detect-openai shortlink: https://sg.run/Abgep semgrep.dev: rule: r_id: 137250 rv_id: 945127 rule_id: ReUDZ50 version_id: kbTYk6w url: https://semgrep.dev/playground/r/kbTYk6w/ai.python.detect-openai.detect-openai origin: community - id: terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional languages: - hcl message: AWS EC2 Instance allowing use of the IMDSv1 metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' references: - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options category: security technology: - terraform - aws owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional shortlink: https://sg.run/J3BQ semgrep.dev: rule: r_id: 11302 rv_id: 1263884 rule_id: GdU0eA version_id: w8TRooE url: https://semgrep.dev/playground/r/w8TRooE/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional origin: community pattern-either: - patterns: - pattern: http_tokens = "optional" - pattern-inside: | metadata_options { ... } - patterns: - pattern: | resource "aws_instance" "$NAME" { ... } - pattern-not: | resource "aws_instance" "$NAME" { ... metadata_options { ... http_tokens = "required" ... } ... } - pattern-not: | resource "aws_instance" "$NAME" { ... metadata_options { ... http_tokens = "optional" ... } ... } - pattern-not: | resource "aws_instance" "$NAME" { ... metadata_options { ... http_endpoint = "disabled" ... } ... } severity: ERROR - id: ai.python.detect-tensorflow.detect-tensorflow languages: - python severity: INFO message: 'Possibly found usage of AI tooling: Tensorflow' pattern-either: - pattern: import tensorflow metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-tensorflow.detect-tensorflow shortlink: https://sg.run/DbLZY semgrep.dev: rule: r_id: 137252 rv_id: 945129 rule_id: BYUXnwy version_id: xyTqnGN url: https://semgrep.dev/playground/r/xyTqnGN/ai.python.detect-tensorflow.detect-tensorflow origin: community - id: ai.swift.detect-apple-core-ml.detect-apple-core-ml languages: - swift severity: INFO message: 'Possibly found usage of AI: Apple CoreML' pattern-either: - pattern: VNCoreMLModel(...) - pattern: MLModelConfiguration(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.swift.detect-apple-core-ml.detect-apple-core-ml shortlink: https://sg.run/WAP64 semgrep.dev: rule: r_id: 137253 rv_id: 945130 rule_id: DbU6ZDX version_id: O9TX3lv url: https://semgrep.dev/playground/r/O9TX3lv/ai.swift.detect-apple-core-ml.detect-apple-core-ml origin: community - id: ai.swift.detect-gemini.detect-gemini languages: - swift severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import GoogleGenerativeAI - pattern: GenerativeModel(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.swift.detect-gemini.detect-gemini shortlink: https://sg.run/0ow6v semgrep.dev: rule: r_id: 137254 rv_id: 945131 rule_id: WAUWAvJ version_id: e1T98r9 url: https://semgrep.dev/playground/r/e1T98r9/ai.swift.detect-gemini.detect-gemini origin: community - id: ai.typescript.detect-anthropic.detect-anthropic languages: - js - ts severity: INFO message: 'Possibly found usage of AI: Anthropic' pattern-either: - pattern: import "@anthropic-ai" - pattern: import $ANYTHING from "@anthropic-ai"; - pattern: new Anthropic(...) - pattern: anthropic.messages.$FUNC(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.typescript.detect-anthropic.detect-anthropic shortlink: https://sg.run/KxZ57 semgrep.dev: rule: r_id: 137255 rv_id: 945132 rule_id: 0oULYA9 version_id: vdTGn4N url: https://semgrep.dev/playground/r/vdTGn4N/ai.typescript.detect-anthropic.detect-anthropic origin: community - id: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging patterns: - pattern: | name = ... - pattern-inside: | resource "aws_eks_cluster" "..." { ... } - pattern-not-inside: | resource "aws_eks_cluster" "..." { ... enabled_cluster_log_types = [..., "api", ..., "audit", ...] ... } - pattern-not-inside: | resource "aws_eks_cluster" "..." { ... enabled_cluster_log_types = [..., "audit", ..., "api", ...] ... } languages: - hcl message: Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute. severity: WARNING metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging - https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html category: security cwe: - 'CWE-778: Insufficient Logging' technology: - terraform - aws owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging shortlink: https://sg.run/wZ3n semgrep.dev: rule: r_id: 15829 rv_id: 1263886 rule_id: x8UGx7 version_id: O9Tpxxw url: https://semgrep.dev/playground/r/O9Tpxxw/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging origin: community - id: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled patterns: - pattern: | resource - pattern-inside: | resource "aws_eks_cluster" "..." {...} - pattern-not-inside: | resource "aws_eks_cluster" "..."{ ... vpc_config{ ... endpoint_public_access = false ... } ... } languages: - hcl message: The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access severity: WARNING metadata: category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled shortlink: https://sg.run/Albg semgrep.dev: rule: r_id: 9750 rv_id: 1263887 rule_id: KxU4v6 version_id: e1TyjjB url: https://semgrep.dev/playground/r/e1TyjjB/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled origin: community - id: ai.python.detect-pytorch.detect-pytorch languages: - python severity: INFO message: 'Possibly found usage of AI tooling: PyTorch' pattern-either: - pattern: import torch - pattern: torch.$FUNC(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.python.detect-pytorch.detect-pytorch shortlink: https://sg.run/BYgvW semgrep.dev: rule: r_id: 137251 rv_id: 945128 rule_id: AbU9ZAq version_id: w8TKJll url: https://semgrep.dev/playground/r/w8TKJll/ai.python.detect-pytorch.detect-pytorch origin: community - id: ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-javascript.cohere-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: Cohere API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/reference/about license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-javascript.cohere-hardcoded-api-key-javascript shortlink: https://sg.run/RrvXq semgrep.dev: rule: r_id: 288805 rv_id: 1413363 rule_id: 5rUPrLg version_id: kbTWydq url: https://semgrep.dev/playground/r/kbTWydq/ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-javascript.cohere-hardcoded-api-key-javascript origin: community pattern: | new CohereClient({token: "$KEY", ...}) - id: ai.ai-best-practices.hooks-dns-exfiltration.hooks-dns-exfiltration.hooks-dns-exfiltration-generic languages: - generic severity: ERROR message: DNS lookup command uses a variable in the hostname, which could exfiltrate sensitive data via DNS queries. In Claude Code and Cursor hooks, this pattern can leak secrets or environment data to attacker-controlled domains. Use static hostnames only in DNS commands. metadata: cwe: 'CWE-201: Insertion of Sensitive Information Into Sent Data' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.hooks-dns-exfiltration.hooks-dns-exfiltration.hooks-dns-exfiltration-generic shortlink: https://sg.run/wpweP semgrep.dev: rule: r_id: 286729 rv_id: 1409326 rule_id: GdUxl75 version_id: O9TQA0D url: https://semgrep.dev/playground/r/O9TQA0D/ai.ai-best-practices.hooks-dns-exfiltration.hooks-dns-exfiltration.hooks-dns-exfiltration-generic origin: community paths: include: - '*.sh' - '*.bash' pattern-regex: \b(ping|nslookup|dig|host)\s+.*\$ - id: typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n patterns: - pattern: useSelect($X1, $X2, '$LABEL', $X4) - metavariable-regex: metavariable: $LABEL regex: (.*[A-Za-z].*) - pattern-not: useSelect($X1, $X2, t('...'), $X4) message: React useSelect() label is not internationalized - '$LABEL'. You should support different langauges in your website or app with internationalization. Instead, use packages such as `i18next` to internationalize your elements. languages: - typescript - javascript severity: WARNING metadata: category: portability technology: - react - mui - i18next references: - https://www.notion.so/hendyirawan/Internationalization-Localization-Policy-318c21674e5f44c48d6f136a6eb2e024 - https://react.i18next.com/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n shortlink: https://sg.run/oR37 semgrep.dev: rule: r_id: 24016 rv_id: 947022 rule_id: nJUPJL version_id: GxTP0ro url: https://semgrep.dev/playground/r/GxTP0ro/typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n origin: community - id: generic.secrets.gitleaks.harness-api-key.harness-api-key message: A gitleaks harness-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.harness-api-key.harness-api-key shortlink: https://sg.run/gxzkJ semgrep.dev: rule: r_id: 137285 rv_id: 1262756 rule_id: NbU3pxA version_id: qkTR74Y url: https://semgrep.dev/playground/r/qkTR74Y/generic.secrets.gitleaks.harness-api-key.harness-api-key origin: community patterns: - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}) - id: yaml.argo.correctness.event-binding-payload-with-hyphen.event-binding-payload-with-hyphen languages: - yaml severity: WARNING message: The parameter `$VALUE` to this WorkflowEventBinding includes hyphens, which will, very confusingly, throw an error when Argo Workflows tries to invoke the workflow. Set the payload value to use underscores instead. metadata: category: correctness references: - https://argoproj.github.io/argo-workflows/variables/#expression technology: - argo - argo-workflows license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.argo.correctness.event-binding-payload-with-hyphen.event-binding-payload-with-hyphen shortlink: https://sg.run/wYBY semgrep.dev: rule: r_id: 73473 rv_id: 947031 rule_id: 5rUz6z version_id: l4Txd82 url: https://semgrep.dev/playground/r/l4Txd82/yaml.argo.correctness.event-binding-payload-with-hyphen.event-binding-payload-with-hyphen origin: community match: all: - inside: | apiVersion: argoproj.io/v1alpha1 kind: WorkflowEventBinding ... - inside: | spec: ... submit: ... arguments: ... parameters: ... - | event: $VALUE where: - metavariable: $VALUE regex: payload\..*-.* - id: ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-python.cohere-hardcoded-api-key-python languages: - python severity: ERROR message: Cohere API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/reference/about license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-python.cohere-hardcoded-api-key-python shortlink: https://sg.run/AjqX2 semgrep.dev: rule: r_id: 288806 rv_id: 1413364 rule_id: GdUxYrE version_id: w8TWB9e url: https://semgrep.dev/playground/r/w8TWB9e/ai.ai-best-practices.cohere-hardcoded-api-key.cohere-hardcoded-api-key-python.cohere-hardcoded-api-key-python origin: community pattern-either: - pattern: cohere.Client(api_key="$KEY", ...) - pattern: cohere.ClientV2(api_key="$KEY", ...) - id: yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands languages: - yaml severity: WARNING message: The environment variable `ACTIONS_ALLOW_UNSECURE_COMMANDS` grants this workflow permissions to use the `set-env` and `add-path` commands. There is a vulnerability in these commands that could result in environment variables being modified by an attacker. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. This could result in stolen code or secrets. Don't use `ACTIONS_ALLOW_UNSECURE_COMMANDS`. Instead, use Environment Files. See https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files for more information. metadata: cwe: - 'CWE-749: Exposed Dangerous Method or Function' owasp: A06:2017 - Security Misconfiguration references: - https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ - https://github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w - https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files category: security technology: - github-actions subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands shortlink: https://sg.run/qq78 semgrep.dev: rule: r_id: 13412 rv_id: 947039 rule_id: EwUQ9x version_id: jQTzq34 url: https://semgrep.dev/playground/r/jQTzq34/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands origin: community patterns: - pattern-either: - patterns: - pattern-inside: '{env: ...}' - pattern: 'ACTIONS_ALLOW_UNSECURE_COMMANDS: true' - id: typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property message: Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html category: security confidence: MEDIUM technology: - react cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property shortlink: https://sg.run/70Zv semgrep.dev: rule: r_id: 9782 rv_id: 1263917 rule_id: 3qUBl4 version_id: RGT0Lln url: https://semgrep.dev/playground/r/RGT0Lln/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property origin: community languages: - typescript - javascript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | function ...({..., $X, ...}) { ... } - pattern-inside: | function ...(..., $X, ...) { ... } - focus-metavariable: $X - pattern-either: - pattern: $X.$Y - pattern: $X[...] pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $BODY = $REACT.useRef(...) ... - pattern-inside: | $BODY = useRef(...) ... - pattern-inside: | $BODY = findDOMNode(...) ... - pattern-inside: | $BODY = createRef(...) ... - pattern-inside: | $BODY = $REACT.findDOMNode(...) ... - pattern-inside: | $BODY = $REACT.createRef(...) ... - pattern-either: - pattern: "$BODY. ... .$HTML = $SINK \n" - pattern: "$BODY.$HTML = $SINK \n" - metavariable-regex: metavariable: $HTML regex: (innerHTML|outerHTML) - focus-metavariable: $SINK - patterns: - pattern-either: - pattern: ReactDOM.findDOMNode(...).$HTML = $SINK - metavariable-regex: metavariable: $HTML regex: (innerHTML|outerHTML) - focus-metavariable: $SINK pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | import * as $S from "underscore.string" ... - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | $S = require("underscore.string") ... - pattern-either: - pattern: $S.escapeHTML(...) - patterns: - pattern-either: - pattern-inside: | import $S from "dompurify" ... - pattern-inside: | import { ..., $S,... } from "dompurify" ... - pattern-inside: | import * as $S from "dompurify" ... - pattern-inside: | $S = require("dompurify") ... - pattern-inside: | import $S from "isomorphic-dompurify" ... - pattern-inside: | import * as $S from "isomorphic-dompurify" ... - pattern-inside: | $S = require("isomorphic-dompurify") ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $S(...) ... - pattern: $VALUE.sanitize(...) - patterns: - pattern-inside: | $VALUE = $S.sanitize ... - pattern: $S(...) - pattern: $S.sanitize(...) - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'xss'; ... - pattern-inside: | import * as $S from 'xss'; ... - pattern-inside: | $S = require("xss") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'sanitize-html'; ... - pattern-inside: | import * as $S from "sanitize-html"; ... - pattern-inside: | $S = require("sanitize-html") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | $S = new Remarkable() ... - pattern: $S.render(...) - id: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html message: Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://www.npmjs.com/package/react-markdown#security category: security technology: - react cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html shortlink: https://sg.run/9qAk semgrep.dev: rule: r_id: 9767 rv_id: 1263919 rule_id: kxURd4 version_id: BjTkZA8 url: https://semgrep.dev/playground/r/BjTkZA8/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html origin: community languages: - typescript - javascript severity: WARNING patterns: - pattern-either: - pattern-inside: | $X = require('react-markdown/with-html'); ... - pattern-inside: | $X = require('react-markdown'); ... - pattern-inside: | import 'react-markdown/with-html'; ... - pattern-inside: | import 'react-markdown'; ... - pattern-either: - pattern: | <$EL allowDangerousHtml /> - pattern: | <$EL escapeHtml={false} /> - pattern: | <$EL transformLinkUri=... /> - pattern: | <$EL transformImageUri=... /> - id: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume patterns: - pattern-inside: | version: ... ... - pattern-either: - pattern: | volumes: - ... - /var/run/docker.sock:/var/run/docker.sock - ... - pattern: | volumes: - ... - /run/docker.sock:/run/docker.sock - ... - pattern: | volumes: - ... - /var/run/docker.sock:/run/docker.sock - ... - pattern: | volumes: - ... - /run/docker.sock:/var/run/docker.sock - ... - pattern: | volumes: - ... - /var/run/docker.sock - ... - pattern: | volumes: - ... - /run/docker.sock - ... - pattern: | volumes: - ... - ... source: /var/run/docker.sock ... - ... - pattern: | volumes: - ... - ... source: /run/docker.sock ... - ... message: Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this. metadata: references: - https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers category: security technology: - docker-compose cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume shortlink: https://sg.run/O14b semgrep.dev: rule: r_id: 10131 rv_id: 1263920 rule_id: eqUvZ9 version_id: DkTRbje url: https://semgrep.dev/playground/r/DkTRbje/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume origin: community languages: - yaml severity: WARNING - id: yaml.docker-compose.security.no-new-privileges.no-new-privileges patterns: - pattern-inside: | version: ... ... services: ... - pattern: | $SERVICE: ... image: ... - pattern-not: | $SERVICE: ... image: ... ... security_opt: - ... - no-new-privileges:true - ... - focus-metavariable: $SERVICE message: Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/ - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag category: security technology: - docker-compose cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges shortlink: https://sg.run/0n8q semgrep.dev: rule: r_id: 10054 rv_id: 1263921 rule_id: qNUoWr version_id: WrTqKwk url: https://semgrep.dev/playground/r/WrTqKwk/yaml.docker-compose.security.no-new-privileges.no-new-privileges origin: community languages: - yaml severity: WARNING - id: yaml.github-actions.security.curl-eval.curl-eval languages: - yaml message: Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity. metadata: category: security cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections technology: - github-actions - bash - curl cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/yaml.github-actions.security.curl-eval.curl-eval shortlink: https://sg.run/9r7r semgrep.dev: rule: r_id: 14967 rv_id: 1263926 rule_id: X5Udrd version_id: YDTZe7K url: https://semgrep.dev/playground/r/YDTZe7K/yaml.github-actions.security.curl-eval.curl-eval origin: community patterns: - pattern-inside: 'steps: [...]' - pattern-inside: | - run: ... ... - pattern: 'run: $SHELL' - metavariable-pattern: language: bash metavariable: $SHELL patterns: - pattern: | $DATA=<... curl ...> ... eval <... $DATA ...> severity: ERROR - id: yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath patterns: - pattern-inside: | volumes: ... - pattern: | hostPath: ... path: /var/run/docker.sock message: Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this. metadata: cwe: - 'CWE-250: Execution with Unnecessary Privileges' references: - https://kubernetes.io/docs/concepts/storage/volumes/#hostpath - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers category: security technology: - kubernetes subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath shortlink: https://sg.run/v0pR semgrep.dev: rule: r_id: 10133 rv_id: 947054 rule_id: d8Uz6v version_id: nWTpYZe url: https://semgrep.dev/playground/r/nWTpYZe/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath origin: community languages: - yaml severity: WARNING - fix: hcl id: yaml.semgrep.consistency.lang-consistency-hcl.lang-consistency-hcl languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'hcl' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-hcl.lang-consistency-hcl shortlink: https://sg.run/5Lj0 semgrep.dev: rule: r_id: 18291 rv_id: 947079 rule_id: KxUrQx version_id: GxTP0zb url: https://semgrep.dev/playground/r/GxTP0zb/yaml.semgrep.consistency.lang-consistency-hcl.lang-consistency-hcl origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(tf|terraform)$ severity: WARNING - fix: kotlin id: yaml.semgrep.consistency.lang-consistency-kotlin.lang-consistency-kotlin languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'kotlin' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-kotlin.lang-consistency-kotlin shortlink: https://sg.run/Rg7q semgrep.dev: rule: r_id: 18293 rv_id: 947081 rule_id: lBUy2n version_id: A8TJWe1 url: https://semgrep.dev/playground/r/A8TJWe1/yaml.semgrep.consistency.lang-consistency-kotlin.lang-consistency-kotlin origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(kt)$ severity: WARNING - fix: python id: yaml.semgrep.consistency.lang-consistency-python.lang-consistency-python languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'python' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-python.lang-consistency-python shortlink: https://sg.run/A572 semgrep.dev: rule: r_id: 18294 rv_id: 947082 rule_id: YGUlO0 version_id: BjT1Bzn url: https://semgrep.dev/playground/r/BjT1Bzn/yaml.semgrep.consistency.lang-consistency-python.lang-consistency-python origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(py)$ severity: WARNING - fix: regex id: yaml.semgrep.consistency.lang-consistency-regex.lang-consistency-regex languages: - yaml message: Found '$X' in language config which diverges from semgrep.dev normalization. Please use 'regex' instead. metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.consistency.lang-consistency-regex.lang-consistency-regex shortlink: https://sg.run/BG7A semgrep.dev: rule: r_id: 18295 rv_id: 947083 rule_id: 6JUDzX version_id: DkTNWxP url: https://semgrep.dev/playground/r/DkTNWxP/yaml.semgrep.consistency.lang-consistency-regex.lang-consistency-regex origin: community patterns: - pattern: $X - pattern-inside: 'languages: ...' - metavariable-regex: metavariable: $X regex: ^(none)$ severity: WARNING - id: yaml.semgrep.key-indentation.yaml-key-indentation-check message: 'It looks like you have an YAML indentation issue -- instead of writing `$KEY`, put a space between the hyphen and what comes after! Otherwise, it reads as a single string. ' languages: - yaml severity: WARNING metadata: references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.key-indentation.yaml-key-indentation-check shortlink: https://sg.run/ORZL semgrep.dev: rule: r_id: 61175 rv_id: 947091 rule_id: NbU4pZ version_id: o5TZz21 url: https://semgrep.dev/playground/r/o5TZz21/yaml.semgrep.key-indentation.yaml-key-indentation-check origin: community pattern-either: - patterns: - pattern-inside: | rules: ... - pattern: | $KEY: >- $VALUE - focus-metavariable: $KEY - metavariable-regex: metavariable: $KEY regex: ^-(\w*)$ - id: yaml.github-actions.security.audit.unsafe-add-mask-workflow-command.unsafe-add-mask-workflow-command patterns: - pattern-regex: '::add-mask::' languages: - yaml severity: WARNING message: GitHub Actions provides the **'add-mask'** workflow command to mask sensitive data in the workflow logs. If **'add-mask'** is not used or if workflow commands have been stopped, sensitive data can leaked into the workflow logs. An attacker could simply copy the workflow to another branch and add the following payload `echo "::stop-commands::$stopMarker"` to stop workflow command processing ([described here](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#stopping-and-starting-workflow-commands)), which will cause the secret token to be exposed despite the **'add-mask'** usage. For more information, please refer to the [GitHub documentation](https://github.com/actions/toolkit/blob/main/docs/commands.md#register-a-secret). metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: A06:2017 - Security Misconfiguration category: security technology: - github-actions subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW vulnerability_class: - Dangerous Method or Function references: - https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ - https://github.com/actions/runner/issues/159 - https://github.com/actions/runner/issues/475 - https://github.com/actions/runner/issues/807 - https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-sensitive-data-in-workflows - https://github.com/github/docs/blob/main/content/actions/using-workflows/workflow-commands-for-github-actions.md#masking-a-value-in-a-log license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.github-actions.security.audit.unsafe-add-mask-workflow-command.unsafe-add-mask-workflow-command shortlink: https://sg.run/lBYDo semgrep.dev: rule: r_id: 138057 rv_id: 947040 rule_id: GdUvn8y version_id: 1QToZdr url: https://semgrep.dev/playground/r/1QToZdr/yaml.github-actions.security.audit.unsafe-add-mask-workflow-command.unsafe-add-mask-workflow-command origin: community - id: ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-javascript.cohere-missing-safety-mode-javascript languages: - javascript - typescript severity: WARNING message: Cohere chat called without explicit 'safety_mode' parameter. Set safetyMode to 'STRICT' or 'CONTEXTUAL' to explicitly configure content safety guardrails. See https://docs.cohere.com/docs/safety-modes metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/docs/safety-modes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-javascript.cohere-missing-safety-mode-javascript shortlink: https://sg.run/B2l6A semgrep.dev: rule: r_id: 288807 rv_id: 1413365 rule_id: ReUQn3x version_id: xyTRDK4 url: https://semgrep.dev/playground/r/xyTRDK4/ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-javascript.cohere-missing-safety-mode-javascript origin: community patterns: - pattern: $CLIENT.chat({...}) - pattern-not: '$CLIENT.chat({..., safetyMode: $SM, ...})' - pattern-inside: | $CLIENT = new CohereClient(...) ... - id: ai.ai-best-practices.hooks-relative-script-path.hooks-relative-script-path.hooks-relative-script-path-bash languages: - bash severity: WARNING message: Relative path used for script invocation in hook. Use absolute paths or environment variables like $CLAUDE_PROJECT_DIR, $CURSOR_PROJECT_DIR, or $HOME to ensure the correct script is executed regardless of working directory. metadata: cwe: 'CWE-426: Untrusted Search Path' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.hooks-relative-script-path.hooks-relative-script-path.hooks-relative-script-path-bash shortlink: https://sg.run/d7OKd semgrep.dev: rule: r_id: 286734 rv_id: 1409331 rule_id: WAUl7oB version_id: nWTQ5ep url: https://semgrep.dev/playground/r/nWTQ5ep/ai.ai-best-practices.hooks-relative-script-path.hooks-relative-script-path.hooks-relative-script-path-bash origin: community pattern-regex: (source|bash|sh|\.)\s+\./\S+ - id: ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-python.cohere-missing-safety-mode-python languages: - python severity: WARNING message: Cohere chat called without explicit 'safety_mode' parameter. Set safety_mode to 'STRICT' or 'CONTEXTUAL' to explicitly configure content safety guardrails. See https://docs.cohere.com/docs/safety-modes metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/docs/safety-modes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-python.cohere-missing-safety-mode-python shortlink: https://sg.run/D86zP semgrep.dev: rule: r_id: 288808 rv_id: 1413366 rule_id: AbUr0Qd version_id: O9TQ2N0 url: https://semgrep.dev/playground/r/O9TQ2N0/ai.ai-best-practices.cohere-missing-safety-mode.cohere-missing-safety-mode-python.cohere-missing-safety-mode-python origin: community patterns: - pattern: $CLIENT.chat(...) - pattern-not: $CLIENT.chat(..., safety_mode=$SM, ...) - pattern-inside: | $CLIENT = cohere.$CLIENTCLASS(...) ... - id: ai.ai-best-practices.hooks-stop-missing-active-check.hooks-stop-missing-active-check.hooks-stop-missing-active-check-generic languages: - generic severity: WARNING message: Stop hook outputs a "block" decision. Ensure you check stop_hook_active first and exit 0 if true, otherwise the hook will cause an infinite loop by blocking its own stop attempts. metadata: cwe: 'CWE-835: Loop with Unreachable Exit Condition' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.hooks-stop-missing-active-check.hooks-stop-missing-active-check.hooks-stop-missing-active-check-generic shortlink: https://sg.run/Er6ke semgrep.dev: rule: r_id: 286737 rv_id: 1409334 rule_id: qNU1vj8 version_id: LjTRLYk url: https://semgrep.dev/playground/r/LjTRLYk/ai.ai-best-practices.hooks-stop-missing-active-check.hooks-stop-missing-active-check.hooks-stop-missing-active-check-generic origin: community paths: include: - '*.sh' - '*.bash' pattern-regex: '"decision".*"block"' - id: ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-javascript.cohere-safety-mode-off-javascript languages: - javascript - typescript severity: ERROR message: Cohere safety mode explicitly set to 'OFF', disabling all safety guardrails. Use 'STRICT' or 'CONTEXTUAL' instead. See https://docs.cohere.com/docs/safety-modes metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/docs/safety-modes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-javascript.cohere-safety-mode-off-javascript shortlink: https://sg.run/We4p2 semgrep.dev: rule: r_id: 288809 rv_id: 1413367 rule_id: BYUDJdA version_id: e1T4207 url: https://semgrep.dev/playground/r/e1T4207/ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-javascript.cohere-safety-mode-off-javascript origin: community pattern: | $CLIENT.chat({..., safetyMode: "OFF", ...}) - id: ai.ai-best-practices.hooks-unconditional-allow.hooks-unconditional-allow.hooks-unconditional-allow-generic languages: - generic severity: ERROR message: Hook unconditionally allows tool execution by outputting a permissionDecision of "allow" without any conditional check. This bypasses the entire permission system. Add a conditional check to validate the tool or command before allowing. metadata: cwe: 'CWE-862: Missing Authorization' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ai.ai-best-practices.hooks-unconditional-allow.hooks-unconditional-allow.hooks-unconditional-allow-generic shortlink: https://sg.run/7gPoW semgrep.dev: rule: r_id: 286738 rv_id: 1409335 rule_id: lBUrp9O version_id: 8KT3P2N url: https://semgrep.dev/playground/r/8KT3P2N/ai.ai-best-practices.hooks-unconditional-allow.hooks-unconditional-allow.hooks-unconditional-allow-generic origin: community paths: include: - '*.sh' - '*.bash' - '*.py' pattern-regex: permissionDecision.*allow - id: ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-taint mode: taint languages: - bash severity: ERROR message: Untrusted input from stdin (e.g., via `cat | jq`) flows into a dangerous command execution sink such as `eval`, `bash -c`, or `sh -c`. In Claude Code and Cursor hooks, stdin contains JSON that may include user-controlled data. Passing this data unquoted or unsanitized to command execution functions enables OS command injection. Use safe alternatives like arrays or direct command invocation instead of eval, and always quote variable expansions. metadata: cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' category: security subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: HIGH technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-taint shortlink: https://sg.run/Lrewo semgrep.dev: rule: r_id: 286739 rv_id: 1409336 rule_id: PeUWeZG version_id: gETrv4r url: https://semgrep.dev/playground/r/gETrv4r/ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-taint origin: community pattern-sources: - pattern: $(cat | jq ...) - pattern: $(cat) pattern-sinks: - pattern: eval $...SINK - pattern: bash -c $...SINK - pattern: sh -c $...SINK - pattern: exec $...SINK - pattern: source $...SINK - id: ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-python.cohere-safety-mode-off-python languages: - python severity: ERROR message: Cohere safety mode explicitly set to 'OFF', disabling all safety guardrails. Use 'STRICT' or 'CONTEXTUAL' instead. See https://docs.cohere.com/docs/safety-modes metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - cohere references: - https://docs.cohere.com/docs/safety-modes license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-python.cohere-safety-mode-off-python shortlink: https://sg.run/0gXyj semgrep.dev: rule: r_id: 288810 rv_id: 1413368 rule_id: DbU9X15 version_id: vdTLA1r url: https://semgrep.dev/playground/r/vdTLA1r/ai.ai-best-practices.cohere-safety-mode-off.cohere-safety-mode-off-python.cohere-safety-mode-off-python origin: community pattern: $CLIENT.chat(..., safety_mode="OFF", ...) - id: ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-eval languages: - bash severity: WARNING message: Use of `eval` in a Claude Code or Cursor hook script is dangerous. The `eval` command re-parses its arguments, which can lead to command injection if any variable contains special characters or attacker-controlled data. Avoid `eval` entirely; use arrays, direct command invocation, or other safe alternatives. metadata: cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' category: security subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-eval shortlink: https://sg.run/8xJyE semgrep.dev: rule: r_id: 286740 rv_id: 1409337 rule_id: JDU3nyx version_id: QkTERyA url: https://semgrep.dev/playground/r/QkTERyA/ai.ai-best-practices.hooks-unquoted-variable.hooks-unquoted-variable.hooks-unquoted-variable-bash-eval origin: community pattern: eval $...ARGS - id: apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level min-version: 1.44.0 severity: WARNING languages: - apex metadata: cwe: - 'CWE-284: Improper Access Control' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm - https://cwe.mitre.org/data/definitions/284.html - https://owasp.org/Top10/A04_2021-Insecure_Design/ category: security subcategory: - vuln technology: - salesforce impact: MEDIUM likelihood: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level shortlink: https://sg.run/XXPl semgrep.dev: rule: r_id: 72420 rv_id: 1262600 rule_id: GdURYG version_id: YDTZeD8 url: https://semgrep.dev/playground/r/YDTZeD8/apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level origin: community message: Every Apex class should have an explicit sharing mode declared. Use the `with sharing` or `without sharing` keywords on a class to specify whether sharing rules must be enforced. Use the `inherited sharing` keyword on an Apex class to run the class in the sharing mode of the class that called it. patterns: - pattern-regex: (private|public|global).*\s(class)\s.*[{] - pattern-not-regex: (private|public|global).*[with|without|inherited]\s[sharing].*\s(class)\s.*[{] - pattern-not-regex: (private|public|global).*\s(class)\s.*(extends)\s(Exception).*[{] - id: bash.curl.security.curl-pipe-bash.curl-pipe-bash languages: - bash severity: WARNING message: Data is being piped into `bash` from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the pipe, resulting in a system compromise. Avoid piping untrusted data into `bash` or any other shell if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' category: security technology: - bash - curl confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/bash.curl.security.curl-pipe-bash.curl-pipe-bash shortlink: https://sg.run/KXz6 semgrep.dev: rule: r_id: 14555 rv_id: 1262602 rule_id: qNUXrw version_id: 5PTo1Lx url: https://semgrep.dev/playground/r/5PTo1Lx/bash.curl.security.curl-pipe-bash.curl-pipe-bash origin: community patterns: - pattern-either: - pattern: curl ... | ... bash ... - pattern: curl ... | ... /bin/bash ... - pattern: '... bash <(curl ...)' - pattern: '... /bin/bash <(curl ...)' - pattern: '... bash -c "$(curl ...)"' - pattern: '... /bin/bash -c "$(curl ...)"' - id: c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string message: Use %s, %d, %c... to format your variables, otherwise this could leak information. metadata: cwe: - 'CWE-532: Insertion of Sensitive Information into Log File' references: - http://nebelwelt.net/files/13PPREW.pdf category: security technology: - c confidence: LOW owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string shortlink: https://sg.run/vzwn semgrep.dev: rule: r_id: 8833 rv_id: 1262605 rule_id: 5rUOlg version_id: A8TgdQ1 url: https://semgrep.dev/playground/r/A8TgdQ1/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string origin: community languages: - c severity: WARNING pattern: printf(argv[$NUM]); - id: c.lang.security.insecure-use-memset.insecure-use-memset pattern: memset($...VARS) fix: memset_s($...VARS) message: When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory. languages: - c severity: WARNING metadata: cwe: - 'CWE-14: Compiler Removal of Code to Clear Buffers' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://cwe.mitre.org/data/definitions/14.html - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ category: security technology: - c confidence: LOW subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/c.lang.security.insecure-use-memset.insecure-use-memset shortlink: https://sg.run/l9GE semgrep.dev: rule: r_id: 18213 rv_id: 1262606 rule_id: d8UK7D version_id: BjTkZdn url: https://semgrep.dev/playground/r/BjTkZdn/c.lang.security.insecure-use-memset.insecure-use-memset origin: community - id: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe languages: - clojure severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://xerces.apache.org/xerces2-j/features.html source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/xxe-clojure-xml/xxe-clojure-xml.yml category: security technology: - clojure - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe shortlink: https://sg.run/v7An semgrep.dev: rule: r_id: 71533 rv_id: 1262608 rule_id: bwU3Gj version_id: WrTqKyD url: https://semgrep.dev/playground/r/WrTqKyD/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe origin: community message: DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false. patterns: - pattern-inside: | (ns ... (:require [clojure.xml :as ...])) ... - pattern-either: - pattern-inside: | (def ... ... ( ... )) - pattern-inside: | (defn ... ... ( ... )) - pattern-either: - pattern: (clojure.xml/parse $INPUT) - patterns: - pattern-inside: | (doto (javax.xml.parsers.SAXParserFactory/newInstance) ...) - pattern: (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" false) - pattern-not-inside: | (doto (javax.xml.parsers.SAXParserFactory/newInstance) ... (.setFeature "http://xml.org/sax/features/external-general-entities" false) ... (.setFeature "http://xml.org/sax/features/external-parameter-entities" false) ...) - pattern-not-inside: | (doto (javax.xml.parsers.SAXParserFactory/newInstance) ... (.setFeature "http://xml.org/sax/features/external-parameter-entities" false) ... (.setFeature "http://xml.org/sax/features/external-general-entities" false) ...) - id: clojure.lang.security.use-of-md5.use-of-md5 languages: - clojure severity: WARNING message: MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html technology: - clojure source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' author: Gabriel Marquet category: security subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5 shortlink: https://sg.run/BgPx semgrep.dev: rule: r_id: 52195 rv_id: 1262609 rule_id: nJU1ep version_id: 0bTKz2B url: https://semgrep.dev/playground/r/0bTKz2B/clojure.lang.security.use-of-md5.use-of-md5 origin: community pattern-either: - pattern: (MessageDigest/getInstance "MD5") - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5) - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5) - pattern: (java.security.MessageDigest/getInstance "MD5") - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5) - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5) - id: clojure.lang.security.use-of-sha1.use-of-sha1 languages: - clojure severity: WARNING message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html technology: - clojure owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' - 'CWE-328: Use of Weak Hash' category: security subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues - Insecure Hashing Algorithm source: https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1 shortlink: https://sg.run/dvwX semgrep.dev: rule: r_id: 71534 rv_id: 1262610 rule_id: NbUy12 version_id: K3TKk7E url: https://semgrep.dev/playground/r/K3TKk7E/clojure.lang.security.use-of-sha1.use-of-sha1 origin: community patterns: - pattern-either: - pattern: (MessageDigest/getInstance $ALGO) - pattern: (java.security.MessageDigest/getInstance $ALGO) - metavariable-regex: metavariable: $ALGO regex: (((org\.apache\.commons\.codec\.digest\.)?MessageDigestAlgorithms/)?"?(SHA-1|SHA1)"?) - id: clojure.security.clojure-read-string.read-string-unsafe.read-string-unsafe metadata: author: Gabriel Marquet category: security confidence: LOW references: - http://www.learningclojure.com/2013/02/clojures-reader-is-unsafe.html#post-body-2898830171141471587 - https://ericnormand.me/article/clojure-web-security - https://github.com/jafingerhut/jafingerhut.github.com/blob/master/clojure-info/using-edn-safely.md#vulnerabilities-in-clojurecores-read-and-read-string source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/tree/main/security/clojure-read-string owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' likelihood: MEDIUM impact: HIGH subcategory: - audit cwe2022-top25: true cwe2021-top25: true cwe2020-top25: true technology: - clojure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/clojure.security.clojure-read-string.read-string-unsafe.read-string-unsafe shortlink: https://sg.run/NPop semgrep.dev: rule: r_id: 54771 rv_id: 1262611 rule_id: x8UEZr version_id: qkTR7XD url: https://semgrep.dev/playground/r/qkTR7XD/clojure.security.clojure-read-string.read-string-unsafe.read-string-unsafe origin: community patterns: - pattern-not-inside: | (ns ... (... :exclude [read read-string])) ... (defn $VAR [$X]...) - pattern-inside: | (defn $VAR [$X]...) - pattern: | (read-string $X) message: The default core Clojure read-string method is dangerous and can lead to deserialization vulnerabilities. Use the edn/read-string instead. languages: - clojure severity: ERROR - id: csharp.dotnet.security.audit.mass-assignment.mass-assignment message: Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://cwe.mitre.org/data/definitions/915.html - https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment shortlink: https://sg.run/7B3e semgrep.dev: rule: r_id: 26838 rv_id: 1262613 rule_id: x8Up5B version_id: YDTZeD9 url: https://semgrep.dev/playground/r/YDTZeD9/csharp.dotnet.security.audit.mass-assignment.mass-assignment origin: community languages: - csharp mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | public IActionResult $METHOD(..., $TYPE $ARG, ...){ ... } - pattern: | public ActionResult $METHOD(..., $TYPE $ARG, ...){ ... } - pattern-inside: | using Microsoft.AspNetCore.Mvc; ... - pattern-not: | public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){ ... } - pattern-not: | public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){ ... } - focus-metavariable: $ARG pattern-sinks: - pattern: View(...) - id: csharp.dotnet.security.audit.misconfigured-lockout-option.misconfigured-lockout-option message: A misconfigured lockout mechanism allows an attacker to execute brute-force attacks. Account lockout must be correctly configured and enabled to prevent these attacks. severity: WARNING metadata: likelihood: LOW impact: HIGH confidence: LOW category: security cwe: - 'CWE-307: Improper Restriction of Excessive Authentication Attempts' owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - https://cwe.mitre.org/data/definitions/307.html subcategory: - audit technology: - dotnet license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/csharp.dotnet.security.audit.misconfigured-lockout-option.misconfigured-lockout-option shortlink: https://sg.run/d4Yn semgrep.dev: rule: r_id: 26334 rv_id: 1262614 rule_id: OrUd2r version_id: 6xT291g url: https://semgrep.dev/playground/r/6xT291g/csharp.dotnet.security.audit.misconfigured-lockout-option.misconfigured-lockout-option origin: community languages: - csharp patterns: - pattern-either: - pattern: | $SIGNIN.PasswordSignInAsync(...,lockoutOnFailure: false,...); - pattern: | $SIGNIN.CheckPasswordSignInAsync(...,lockoutOnFailure: false,...); - pattern-inside: | public async $TYPE $METHOD(...) { ... } - id: csharp.dotnet.security.audit.open-directory-listing.open-directory-listing message: An open directory listing is potentially exposed, potentially revealing sensitive information to attackers. severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-548: Exposure of Information Through Directory Listing' owasp: - A06:2017 - Security Misconfiguration - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://cwe.mitre.org/data/definitions/548.html - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ - https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing subcategory: - vuln technology: - .net - mvc license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing shortlink: https://sg.run/n0y1 semgrep.dev: rule: r_id: 26336 rv_id: 1262616 rule_id: v8U8Ab version_id: zyTb2Y2 url: https://semgrep.dev/playground/r/zyTb2Y2/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing origin: community languages: - csharp patterns: - pattern-either: - pattern: (IApplicationBuilder $APP).UseDirectoryBrowser(...); - pattern: $BUILDER.Services.AddDirectoryBrowser(...); - pattern-inside: | public void Configure(...) { ... } - id: csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring message: ASP.NET Core MVC provides an HtmlString class which isn't automatically encoded upon output. This should never be used in combination with untrusted input as this will expose an XSS vulnerability. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-116: Improper Encoding or Escaping of Output' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cwe.mitre.org/data/definitions/116.html - https://owasp.org/Top10/A03_2021-Injection/ - https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-6.0#html-encoding-using-razor subcategory: - audit technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring shortlink: https://sg.run/E8GN semgrep.dev: rule: r_id: 27037 rv_id: 1262617 rule_id: NbUoO5 version_id: pZT03pY url: https://semgrep.dev/playground/r/pZT03pY/csharp.dotnet.security.audit.razor-use-of-htmlstring.razor-use-of-htmlstring origin: community languages: - generic paths: include: - '*.cshtml' patterns: - pattern-either: - pattern: new ...HtmlString(...) - pattern: '@(new ...HtmlString(...))' - pattern-not-inside: '@(new ...HtmlString(...HtmlEncode(...)))' - pattern-not-inside: '@(new ...HtmlString(...Encode(...)))' - pattern-not-inside: new ...HtmlString(...HtmlEncode(...)) - pattern-not-inside: new ...HtmlString(...Encode(...)) - id: csharp.dotnet.security.audit.xpath-injection.xpath-injection message: XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation. severity: ERROR metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-643: Improper Neutralization of Data within XPath Expressions (''XPath Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection/ - https://cwe.mitre.org/data/definitions/643.html subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XPath Injection source: https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection shortlink: https://sg.run/4KP7 semgrep.dev: rule: r_id: 27400 rv_id: 1262618 rule_id: x8Uj2k version_id: 2KTv2Pq url: https://semgrep.dev/playground/r/2KTv2Pq/csharp.dotnet.security.audit.xpath-injection.xpath-injection origin: community languages: - csharp mode: taint pattern-sources: - pattern-either: - pattern: $T $M($INPUT,...) {...} - pattern: | $T $M(...) { ... string $INPUT; } pattern-sinks: - pattern-either: - pattern: XPathExpression $EXPR = $NAV.Compile("..." + $INPUT + "..."); - pattern: var $EXPR = $NAV.Compile("..." + $INPUT + "..."); - pattern: XPathNodeIterator $NODE = $NAV.Select("..." + $INPUT + "..."); - pattern: var $NODE = $NAV.Select("..." + $INPUT + "..."); - pattern: Object $OBJ = $NAV.Evaluate("..." + $INPUT + "..."); - pattern: var $OBJ = $NAV.Evaluate("..." + $INPUT + "..."); - id: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery message: $METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' cwe2021-top25: true cwe2022-top25: true owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests subcategory: - audit technology: - .net - mvc license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery shortlink: https://sg.run/Y0Jy semgrep.dev: rule: r_id: 18214 rv_id: 1262619 rule_id: ZqUlxE version_id: X0Tzydb url: https://semgrep.dev/playground/r/X0Tzydb/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery origin: community languages: - csharp patterns: - pattern: | [$HTTPMETHOD] public IActionResult $METHOD(...){ ... } - pattern-inside: | using Microsoft.AspNetCore.Mvc; ... - pattern-not: | [ValidateAntiForgeryToken] public IActionResult $METHOD(...){ ... } - pattern-not: | [Consumes(...)] public IActionResult $METHOD(...){ ... } - metavariable-regex: metavariable: $HTTPMETHOD regex: Http(Post|Put|Delete|Patch) - id: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug message: ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `` severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-11: ASP.NET Misconfiguration: Creating Debug Binary' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/ - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx subcategory: - audit technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug shortlink: https://sg.run/yPWx semgrep.dev: rule: r_id: 17324 rv_id: 1262620 rule_id: 0oUrvj version_id: jQTn53E url: https://semgrep.dev/playground/r/jQTn53E/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug origin: community languages: - generic paths: include: - '*web.config*' patterns: - pattern: | - pattern-inside: | ... - id: csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm message: Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead. severity: ERROR metadata: likelihood: HIGH impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0 - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0 subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm shortlink: https://sg.run/k8Qo semgrep.dev: rule: r_id: 36772 rv_id: 1262622 rule_id: WAUJr0 version_id: 9lT4bRK url: https://semgrep.dev/playground/r/9lT4bRK/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm origin: community languages: - csharp patterns: - pattern: $KEYTYPE.Create(...); - metavariable-pattern: metavariable: $KEYTYPE pattern-either: - pattern: DES - pattern: RC2 - id: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration message: You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead. severity: ERROR metadata: likelihood: HIGH impact: MEDIUM confidence: HIGH category: security cwe: - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0 - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration shortlink: https://sg.run/xjrA semgrep.dev: rule: r_id: 36774 rv_id: 1262624 rule_id: KxU3Nq version_id: rxTAK2O url: https://semgrep.dev/playground/r/rxTAK2O/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration origin: community languages: - csharp mode: taint pattern-sources: - patterns: - pattern-inside: (System.Random $RNG).NextBytes($KEY); ... - pattern: $KEY pattern-sinks: - pattern-either: - patterns: - pattern: ($KEYTYPE $CIPHER).Key = $SINK; - focus-metavariable: $SINK - metavariable-pattern: metavariable: $KEYTYPE pattern-either: - pattern: SymmetricAlgorithm - pattern: Aes - pattern: Rijndael - pattern: DES - pattern: TripleDES - pattern: RC2 - pattern: new AesGcm(...) - pattern: new AesCcm(...) - pattern: new ChaCha20Poly1305(...) - id: csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding message: You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead. severity: WARNING metadata: likelihood: HIGH impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-780: Use of RSA Algorithm without OAEP' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter subcategory: - vuln technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding shortlink: https://sg.run/GoJ1 semgrep.dev: rule: r_id: 35492 rv_id: 1262625 rule_id: QrU2G5 version_id: bZT53zb url: https://semgrep.dev/playground/r/bZT53zb/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding origin: community languages: - csharp pattern-either: - pattern: (RSAPKCS1KeyExchangeFormatter $FORMATER).CreateKeyExchange(...); - pattern: (RSAPKCS1KeyExchangeDeformatter $DEFORMATER).DecryptKeyExchange(...); - id: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings message: Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections. severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL subcategory: - audit technology: - .net - asp - webforms license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings shortlink: https://sg.run/z1jd semgrep.dev: rule: r_id: 18217 rv_id: 1262626 rule_id: 7KUxPg version_id: NdTzyXg url: https://semgrep.dev/playground/r/NdTzyXg/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings origin: community languages: - generic paths: include: - '*web.config' patterns: - pattern-either: - pattern: | requireSSL="false" - pattern: | cookieRequireSSL="false" - pattern-either: - pattern-inside: | - pattern-inside: | - pattern-inside: | - id: csharp.lang.security.cryptography.x509certificate2-privkey.X509Certificate2-privkey severity: WARNING languages: - C# metadata: cwe: - 'CWE-310: CWE CATEGORY: Cryptographic Issues' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.privatekey category: security technology: - .net confidence: LOW subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.lang.security.cryptography.x509certificate2-privkey.X509Certificate2-privkey shortlink: https://sg.run/jDeN semgrep.dev: rule: r_id: 18221 rv_id: 1262630 rule_id: QrUk26 version_id: O9TpxlD url: https://semgrep.dev/playground/r/O9TpxlD/csharp.lang.security.cryptography.x509certificate2-privkey.X509Certificate2-privkey origin: community message: 'X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to `null` or set it to another key without deleting it first, the private key will be left on disk. ' patterns: - pattern-inside: | using System.Security.Cryptography; ... - pattern-either: - pattern-inside: | X509Certificate2Collection $COLLECTION = ...; ... - pattern-inside: | X509Certificate2 $CERT = ...; ... - pattern: $CERT.PrivateKey - id: csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token patterns: - pattern: RequireSignedTokens = false - pattern-inside: | new TokenValidationParameters { ... } fix: RequireSignedTokens = true message: Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true. metadata: category: security technology: - csharp owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-347: Improper Verification of Cryptographic Signature' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ - https://cwe.mitre.org/data/definitions/347 subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token shortlink: https://sg.run/pqzN semgrep.dev: rule: r_id: 26718 rv_id: 1262631 rule_id: KxUGLw version_id: e1Tyjrz url: https://semgrep.dev/playground/r/e1Tyjrz/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token origin: community languages: - csharp severity: ERROR - id: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine mode: taint pattern-sources: - patterns: - pattern: $A - pattern-inside: | Path.Combine(...,$A,...) - pattern-inside: | public $TYPE $M(...,$A,...){...} - pattern-not-inside: | <... Path.GetFileName($A) != $A ...> pattern-sinks: - patterns: - focus-metavariable: $X - pattern: | File.$METHOD($X,...) - metavariable-regex: metavariable: $METHOD regex: (?i)^(read|write) pattern-sanitizers: - pattern: | Path.GetFileName(...) - patterns: - pattern-inside: | $X = Path.GetFileName(...); ... - pattern: $X - patterns: - pattern: $X - pattern-inside: | if(<... Path.GetFileName($X) != $X ...>){ ... throw new $EXCEPTION(...); } ... message: String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal. languages: - csharp severity: WARNING metadata: category: security confidence: MEDIUM references: - https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/ - https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks technology: - .net cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine shortlink: https://sg.run/1RvG semgrep.dev: rule: r_id: 18222 rv_id: 1262632 rule_id: 3qU3bE version_id: vdT0644 url: https://semgrep.dev/playground/r/vdT0644/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine origin: community - id: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings severity: WARNING languages: - C# metadata: cwe: - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0 category: security technology: - .net confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings shortlink: https://sg.run/9LJr semgrep.dev: rule: r_id: 18223 rv_id: 1262633 rule_id: 4bUQ81 version_id: d6Tyx4K url: https://semgrep.dev/playground/r/d6Tyx4K/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings origin: community message: The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use "*.asdf.gov" if you own all of "asdf.gov". patterns: - pattern-inside: | using System.Net; ... - pattern: $LISTENER.Prefixes.Add("$PREFIX") - metavariable-regex: metavariable: $PREFIX regex: (http|https)://(\*|\+)(.[a-zA-Z]{2,})?:[0-9]+ - id: csharp.lang.security.injections.os-command.os-command-injection severity: ERROR languages: - csharp metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/Command_Injection category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/csharp.lang.security.injections.os-command.os-command-injection shortlink: https://sg.run/Ze6p semgrep.dev: rule: r_id: 11479 rv_id: 1262634 rule_id: 9AUOjg version_id: ZRTKAGe url: https://semgrep.dev/playground/r/ZRTKAGe/csharp.lang.security.injections.os-command.os-command-injection origin: community message: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. patterns: - pattern-inside: | using System.Diagnostics; ... - pattern-inside: | public $T $F(..., $ARG, ...) { ... } - pattern-either: - patterns: - pattern: | Process.Start($ARG, ...); - focus-metavariable: $ARG - patterns: - pattern-inside: | Process $PROC = new Process(); ... - pattern-either: - pattern-inside: | $PROC.StartInfo.FileName = $ARG; ... - pattern-inside: | $PROC.StartInfo.Arguments = <... $ARG ...>; ... - pattern: | $PROC.Start(); - patterns: - patterns: - pattern-inside: | ProcessStartInfo $PSINFO = new ProcessStartInfo() { ... }; ... - pattern-either: - pattern-inside: | FileName = $ARG; ... - pattern-inside: | Arguments = <... $ARG ...>; ... - pattern: | Process.Start($PSINFO); - focus-metavariable: $PSINFO - patterns: - pattern-inside: | Process $PROC = new Process() { StartInfo = new ProcessStartInfo() { ... } }; ... - pattern-either: - pattern-inside: | FileName = $ARG; ... - pattern-inside: | Arguments = $ARG; ... - pattern: | $PROC.Start(); - id: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide category: security technology: - .net confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization shortlink: https://sg.run/ZeXW semgrep.dev: rule: r_id: 11135 rv_id: 1262635 rule_id: bwUOjK version_id: nWT2LGp url: https://semgrep.dev/playground/r/nWT2LGp/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization origin: community message: The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure patterns: - pattern-inside: | using System.Runtime.Serialization.Formatters.Binary; ... - pattern: | new BinaryFormatter(); - id: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver shortlink: https://sg.run/yXjP semgrep.dev: rule: r_id: 18224 rv_id: 1262636 rule_id: PeUxb0 version_id: ExTExqN url: https://semgrep.dev/playground/r/ExTExqN/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver origin: community message: Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior. patterns: - pattern: | class $MYDCR : DataContractResolver { ... } - id: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://github.com/mgholam/fastJSON#security-warning-update category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization shortlink: https://sg.run/nqnd semgrep.dev: rule: r_id: 11136 rv_id: 1262637 rule_id: NbUAwk version_id: 7ZTE3Wn url: https://semgrep.dev/playground/r/7ZTE3Wn/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization origin: community message: $type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe patterns: - pattern-inside: | using fastJSON; ... - pattern: | new JSONParameters { BadListTypeChecking = false } - id: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution category: security technology: - .net confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization shortlink: https://sg.run/E5e5 semgrep.dev: rule: r_id: 11137 rv_id: 1262638 rule_id: kxURnR version_id: LjTkgPk url: https://semgrep.dev/playground/r/LjTkgPk/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization origin: community message: The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability. patterns: - pattern-inside: | using MBrace.FsPickler.Json; ... - pattern: | FsPickler.CreateJsonSerializer(); - id: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0 - https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full shortlink: https://sg.run/rere semgrep.dev: rule: r_id: 18225 rv_id: 1262639 rule_id: JDUlKl version_id: 8KT5rAN url: https://semgrep.dev/playground/r/8KT5rAN/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full origin: community message: Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf pattern-either: - patterns: - pattern-either: - pattern: new BinaryServerFormatterSinkProvider { TypeFilterLevel = $LEVEL } - patterns: - pattern-inside: | $TYPE $SP = new BinaryServerFormatterSinkProvider(...); ... - pattern: | $SP.TypeFilterLevel = $LEVEL - metavariable-regex: metavariable: $LEVEL regex: (.*)TypeFilterLevel\.(Full|Low) - patterns: - pattern-inside: | $DICT["typeFilterLevel"] = $VAL; ... - pattern: new BinaryServerFormatterSinkProvider(..., $DICT, ...) - metavariable-regex: metavariable: $VAL regex: (\"Full\"|\"Low\") - id: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization severity: ERROR languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization shortlink: https://sg.run/0nJq semgrep.dev: rule: r_id: 11198 rv_id: 1262640 rule_id: PeUkrK version_id: gETB7Jr url: https://semgrep.dev/playground/r/gETB7Jr/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization origin: community message: The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server. patterns: - pattern-inside: | using System.Web.Script.Serialization; ... - pattern: | new JavaScriptSerializer((SimpleTypeResolver $RESOLVER)) - id: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8 category: security technology: - .net confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization shortlink: https://sg.run/70pG semgrep.dev: rule: r_id: 11138 rv_id: 1262641 rule_id: wdU87G version_id: QkTGqnA url: https://semgrep.dev/playground/r/QkTGqnA/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization origin: community message: The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure patterns: - pattern-inside: | using System.Web.UI; ... - pattern: | new LosFormatter(); - id: csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization severity: WARNING languages: - C# metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security category: security technology: - .net confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization shortlink: https://sg.run/L0AX semgrep.dev: rule: r_id: 11139 rv_id: 1262642 rule_id: x8UW7x version_id: 3ZT4X6b url: https://semgrep.dev/playground/r/3ZT4X6b/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization origin: community message: The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure patterns: - pattern-inside: | using System.Runtime.Serialization; ... - pattern: | new NetDataContractSerializer(); - id: csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization patterns: - pattern-either: - pattern: TypeNameHandling = TypeNameHandling.$TYPEHANDLER - pattern: | $SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER; ... JsonConvert.DeserializeObject<$TYPE>(...,$SETTINGS); - pattern: | $SETTINGS.TypeNameHandling = TypeNameHandling.$TYPEHANDLER; ... JsonConvert.DeserializeObject(...,$SETTINGS); - pattern-inside: | using Newtonsoft.Json; ... - metavariable-regex: metavariable: $TYPEHANDLER regex: (All|Auto|Objects|Arrays) message: TypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None. languages: - csharp severity: WARNING metadata: category: security cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm#remarks technology: - .net - newtonsoft - json confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization shortlink: https://sg.run/8n2g semgrep.dev: rule: r_id: 11140 rv_id: 1262643 rule_id: OrUGgl version_id: 44TEjgG url: https://semgrep.dev/playground/r/44TEjgG/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization origin: community - id: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span severity: WARNING languages: - C# metadata: cwe: - 'CWE-125: Out-of-bounds Read' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0 - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0 category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Memory Issues source: https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span shortlink: https://sg.run/b4eW semgrep.dev: rule: r_id: 18226 rv_id: 1262645 rule_id: 5rUyEN version_id: JdTzx62 url: https://semgrep.dev/playground/r/JdTzx62/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span origin: community message: MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked. pattern-either: - pattern: MemoryMarshal.CreateSpan(...) - pattern: MemoryMarshal.CreateReadOnlySpan(...) - id: csharp.lang.security.ssrf.rest-client.ssrf severity: ERROR languages: - csharp metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf shortlink: https://sg.run/Pb9v semgrep.dev: rule: r_id: 13701 rv_id: 1262650 rule_id: 9AURoq version_id: BjTkZzn url: https://semgrep.dev/playground/r/BjTkZzn/csharp.lang.security.ssrf.rest-client.ssrf origin: community message: SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself. patterns: - pattern-inside: | using RestSharp; ... - pattern-either: - pattern: | $T $F(..., $X, ...) { ... ... new RestClient(<... $X ...>); } - pattern: | $T $F(..., $X, ...) { ... $A $B = <... $X ...>; ... ... new RestClient($B); } - id: csharp.lang.security.open-redirect.open-redirect mode: taint pattern-sources: - patterns: - focus-metavariable: $PARAM - pattern-inside: | public $TYPE $FUNCNAME (..., string $PARAM, ...) { ... } pattern-sinks: - patterns: - pattern: Redirect(...) - pattern-not-inside: "if (IsLocalUrl(...)) { \n ... \n Redirect(...); \n \ ...\n}\n" - pattern-not-inside: "if ($URL.IsLocalUrl(...)) { \n ... \n Redirect(...); \n ...\n}\n" message: A query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently. metadata: category: security technology: - csharp cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' references: - https://cwe.mitre.org/data/definitions/601.html owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/csharp.lang.security.open-redirect.open-redirect shortlink: https://sg.run/2Jr5 semgrep.dev: rule: r_id: 26719 rv_id: 1262647 rule_id: qNUBw4 version_id: GxTkezb url: https://semgrep.dev/playground/r/GxTkezb/csharp.lang.security.open-redirect.open-redirect origin: community languages: - csharp severity: ERROR - id: csharp.lang.security.ssrf.web-client.ssrf severity: ERROR languages: - csharp metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf shortlink: https://sg.run/JxqP semgrep.dev: rule: r_id: 13702 rv_id: 1262651 rule_id: yyUPBe version_id: DkTRbxP url: https://semgrep.dev/playground/r/DkTRbxP/csharp.lang.security.ssrf.web-client.ssrf origin: community message: SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself. patterns: - pattern-inside: | using System.Net; ... - pattern-either: - pattern: | $T $F(..., $X, ...) { ... WebClient $Y = new WebClient(); ... ... $Y.OpenRead(<... $X ...>); } - pattern: | $T $F(..., $X, ...) { ... $A $B = <... $X ...>; ... WebClient $Y = new WebClient(); ... ... $Y.OpenRead($B); } - pattern: | $T $F(..., $X, ...) { ... WebClient $Y = new WebClient(); ... ... $Y.OpenReadAsync(<... $X ...>, ...); } - pattern: | $T $F(..., $X, ...) { ... $A $B = <... $X ...>; ... WebClient $Y = new WebClient(); ... ... $Y.OpenReadAsync($B, ...); } - pattern: | $T $F(..., $X, ...) { ... WebClient $Y = new WebClient(); ... ... $Y.DownloadString(<... $X ...>); } - pattern: | $T $F(..., $X, ...) { ... $A $B = <... $X ...>; ... WebClient $Y = new WebClient(); ... ... $Y.DownloadString($B); } - id: csharp.lang.security.ssrf.web-request.ssrf severity: ERROR languages: - csharp metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cwe.mitre.org/data/definitions/918.html - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - .net confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf shortlink: https://sg.run/5DWj semgrep.dev: rule: r_id: 13703 rv_id: 1262652 rule_id: r6UwoG version_id: WrTqKND url: https://semgrep.dev/playground/r/WrTqKND/csharp.lang.security.ssrf.web-request.ssrf origin: community message: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name). patterns: - pattern-inside: | using System.Net; ... - pattern-either: - pattern: | $T $F(..., $X, ...) { ... ... WebRequest.Create(<... $X ...>); } - pattern: | $T $F($X) { ... $A $B = <... $X ...>; ... ... WebRequest.Create($B); } - pattern: | $T $F($X) { ... $A $B = <... $X ...>; ... $C $D = <... $B ...>; ... ... WebRequest.Create($D); } - id: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override mode: taint pattern-sources: - patterns: - focus-metavariable: $ARG - pattern-inside: | public $T $M(...,string $ARG,...){...} pattern-sinks: - patterns: - pattern: | XmlReader $READER = XmlReader.Create(...,$RS,...); - pattern-inside: "XmlReaderSettings $RS = new XmlReaderSettings();\n...\n$RS.DtdProcessing = DtdProcessing.Parse;\n... \n" message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data. languages: - csharp severity: WARNING metadata: category: security references: - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks technology: - .net - xml cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override shortlink: https://sg.run/wXjA semgrep.dev: rule: r_id: 18229 rv_id: 1262655 rule_id: AbU3pX version_id: qkTR7WD url: https://semgrep.dev/playground/r/qkTR7WD/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override origin: community - id: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults mode: taint pattern-sources: - patterns: - focus-metavariable: $ARG - pattern-inside: | public $T $M(...,string $ARG,...){...} pattern-sinks: - patterns: - pattern: | $READER.$METHOD(...) - pattern-not-inside: | $READER.DtdProcessing = DtdProcessing.Prohibit; ... - pattern-inside: | XmlTextReader $READER = new XmlTextReader(...); ... message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data. languages: - csharp severity: WARNING metadata: category: security references: - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks technology: - .net - xml cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults shortlink: https://sg.run/xXjL semgrep.dev: rule: r_id: 18230 rv_id: 1262656 rule_id: BYUevk version_id: l4TJRWG url: https://semgrep.dev/playground/r/l4TJRWG/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults origin: community - id: csharp.razor.security.html-raw-json.html-raw-json patterns: - pattern-either: - pattern: '@Html.Raw(Json.Encode(...))' - pattern: '@Html.Raw(JsonConvert.SerializeObject(...))' - pattern: '@Html.Raw(...ToJson(...))' message: Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded. languages: - generic metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' category: security technology: - razor owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json shortlink: https://sg.run/P86E semgrep.dev: rule: r_id: 13489 rv_id: 1262657 rule_id: lBUzPw version_id: YDTZeA9 url: https://semgrep.dev/playground/r/YDTZeA9/csharp.razor.security.html-raw-json.html-raw-json origin: community paths: include: - '*.cshtml' severity: ERROR - id: dockerfile.security.last-user-is-root.last-user-is-root patterns: - pattern: USER root - pattern-not-inside: patterns: - pattern: | USER root ... USER $X - metavariable-pattern: metavariable: $X patterns: - pattern-not: root message: The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'. severity: ERROR languages: - dockerfile metadata: cwe: - 'CWE-269: Improper Privilege Management' source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002 references: - https://github.com/hadolint/hadolint/wiki/DL3002 category: security technology: - dockerfile confidence: MEDIUM owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root shortlink: https://sg.run/5Z43 semgrep.dev: rule: r_id: 20147 rv_id: 1262658 rule_id: ReU2n5 version_id: 6xT29Eg url: https://semgrep.dev/playground/r/6xT29Eg/dockerfile.security.last-user-is-root.last-user-is-root origin: community - id: ai.ai-best-practices.hooks-wget-pipe-bash.hooks-wget-pipe-bash.hooks-wget-pipe-bash-generic languages: - generic severity: ERROR message: Remote script is fetched and piped directly to a shell interpreter. In Claude Code and Cursor hooks, this enables remote code execution from untrusted sources. Download the script first, inspect it, then execute it separately. metadata: cwe: 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.hooks-wget-pipe-bash.hooks-wget-pipe-bash.hooks-wget-pipe-bash-generic shortlink: https://sg.run/gp1LZ semgrep.dev: rule: r_id: 286741 rv_id: 1409338 rule_id: 5rUP7Oz version_id: 3ZT25Jb url: https://semgrep.dev/playground/r/3ZT25Jb/ai.ai-best-practices.hooks-wget-pipe-bash.hooks-wget-pipe-bash.hooks-wget-pipe-bash-generic origin: community paths: include: - '*.sh' - '*.bash' pattern-regex: (curl|wget)\s+.*\|\s*(bash|sh|zsh)\b - id: generic.bicep.security.secure-parameter-for-secrets.secure-parameter-for-secrets patterns: - pattern: param $NAME string - pattern-not-inside: | @secure() param $NAME string - metavariable-regex: metavariable: $NAME regex: (?i).*(password|secret|token) message: Mark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell. metadata: category: security technology: - bicep cwe: - 'CWE-532: Insertion of Sensitive Information into Log File' references: - https://cwe.mitre.org/data/definitions/532.html - https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/generic.bicep.security.secure-parameter-for-secrets.secure-parameter-for-secrets shortlink: https://sg.run/QywP semgrep.dev: rule: r_id: 31142 rv_id: 1262663 rule_id: ZqUD7P version_id: X0Tzygb url: https://semgrep.dev/playground/r/X0Tzygb/generic.bicep.security.secure-parameter-for-secrets.secure-parameter-for-secrets origin: community languages: - generic paths: include: - '*.bicep' severity: WARNING - id: generic.ci.security.bash-reverse-shell.bash_reverse_shell metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security technology: - ci confidence: HIGH owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell shortlink: https://sg.run/4l9l semgrep.dev: rule: r_id: 16200 rv_id: 1262664 rule_id: gxUJrJ version_id: jQTn5QE url: https://semgrep.dev/playground/r/jQTn5QE/generic.ci.security.bash-reverse-shell.bash_reverse_shell origin: community message: Semgrep found a bash reverse shell severity: ERROR languages: - generic pattern-either: - pattern: | sh -i >& /dev/udp/.../... 0>&1 - pattern: | <...>/dev/tcp/.../...; sh <&... >&... 2>& - pattern: | <...>/dev/tcp/.../...; cat <&... | while read line; do $line 2>&... >&...;done - pattern: | sh -i ...<...> /dev/tcp/.../... ...<&... 1>&... 2>& - id: generic.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded message: A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. severity: WARNING metadata: likelihood: LOW impact: HIGH confidence: LOW category: security subcategory: - vuln cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2020-top25: true cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures technology: - secrets vulnerability_class: - Hard-coded Secrets source_rule_url: https://semgrep.dev/playground/r/qNU2d1G/achufistov6_personal_org.groovy-build-gradle-password-hardcoded license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded shortlink: https://sg.run/Kxngd semgrep.dev: rule: r_id: 137855 rv_id: 1262665 rule_id: GdUvnDx version_id: 1QTyp5j url: https://semgrep.dev/playground/r/1QTyp5j/generic.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded origin: community languages: - generic patterns: - pattern: | password = env[...] ?: "$SECRET" paths: include: - '*build.gradle' - id: generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var message: 'Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ expr }}".' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss category: security technology: - html-templates confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var shortlink: https://sg.run/weNX semgrep.dev: rule: r_id: 9029 rv_id: 1262666 rule_id: gxU1jy version_id: 9lT4bZK url: https://semgrep.dev/playground/r/9lT4bZK/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var origin: community languages: - generic paths: include: - '*.html' - '*.mustache' - '*.hbs' severity: WARNING patterns: - pattern-inside: <$TAG ...> - pattern-not-inside: ="..." - pattern-not-inside: ='...' - pattern: '{{ ... }}' fix-regex: regex: '{{(.*?)}}' replacement: '"{{\1}}"' - id: generic.html-templates.security.var-in-href.var-in-href message: Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (`href="/{{link}}"`). You may also consider setting the Content Security Policy (CSP) header. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url - https://github.com/pugjs/pug/issues/2952 - https://content-security-policy.com/ category: security technology: - html-templates confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/generic.html-templates.security.var-in-href.var-in-href shortlink: https://sg.run/x1kP semgrep.dev: rule: r_id: 9030 rv_id: 1262667 rule_id: QrUzD1 version_id: yeTxpAw url: https://semgrep.dev/playground/r/yeTxpAw/generic.html-templates.security.var-in-href.var-in-href origin: community languages: - generic paths: include: - '*.html' - '*.mustache' - '*.hbs' severity: WARNING patterns: - pattern-inside: - pattern-either: - pattern: href = {{ ... }} - pattern: href = "{{ ... }}" - pattern: href = '{{ ... }}' - pattern-not-inside: href = {{ url_for(...) ... }} - pattern-not-inside: href = "{{ url_for(...) ... }}" - pattern-not-inside: href = '{{ url_for(...) ... }}' - pattern-not-inside: href = "/{{ ... }}" - pattern-not-inside: href = '/{{ ... }}' - id: generic.html-templates.security.var-in-script-src.var-in-script-src message: Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough - https://github.com/ESAPI/owasp-esapi-js category: security technology: - html-templates confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src shortlink: https://sg.run/OPob semgrep.dev: rule: r_id: 9031 rv_id: 1262668 rule_id: 3qUPnO version_id: rxTAKDO url: https://semgrep.dev/playground/r/rxTAKDO/generic.html-templates.security.var-in-script-src.var-in-script-src origin: community languages: - generic paths: include: - '*.mustache' - '*.hbs' - '*.html' severity: WARNING patterns: - pattern-inside: - pattern-not-inside: - pattern-not: paths: include: - '*.component' - '*.page' - id: go.aws-lambda.security.database-sqli.database-sqli languages: - go message: Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls. mode: taint metadata: references: - https://pkg.go.dev/database/sql#DB.Query category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - database - sql cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli shortlink: https://sg.run/e5e8 semgrep.dev: rule: r_id: 18232 rv_id: 1262909 rule_id: WAUdJ7 version_id: BjTkZkQ url: https://semgrep.dev/playground/r/BjTkZkQ/go.aws-lambda.security.database-sqli.database-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $DB.Exec($QUERY,...) - pattern: $DB.ExecContent($QUERY,...) - pattern: $DB.Query($QUERY,...) - pattern: $DB.QueryContext($QUERY,...) - pattern: $DB.QueryRow($QUERY,...) - pattern: $DB.QueryRowContext($QUERY,...) - pattern-inside: | import "database/sql" ... pattern-sources: - patterns: - pattern-either: - pattern-inside: | func $HANDLER($CTX $CTXTYPE, $EVENT $TYPE, ...) {...} ... lambda.Start($HANDLER, ...) - patterns: - pattern-inside: | func $HANDLER($EVENT $TYPE) {...} ... lambda.Start($HANDLER, ...) - pattern-not-inside: | func $HANDLER($EVENT context.Context) {...} ... lambda.Start($HANDLER, ...) - focus-metavariable: $EVENT severity: WARNING - id: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly patterns: - pattern-not-inside: | &sessions.Options{ ..., HttpOnly: true, ..., } - pattern: | &sessions.Options{ ..., } message: A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct. metadata: cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69 category: security technology: - gorilla confidence: MEDIUM subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly shortlink: https://sg.run/4xJZ semgrep.dev: rule: r_id: 9088 rv_id: 1262911 rule_id: qNUj6g version_id: WrTqKqe url: https://semgrep.dev/playground/r/WrTqKqe/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly origin: community fix-regex: regex: (HttpOnly\s*:\s+)false replacement: \1true severity: WARNING languages: - go - id: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check patterns: - pattern-inside: | import ("github.com/gorilla/websocket") ... - patterns: - pattern-not-inside: | $UPGRADER = websocket.Upgrader{..., CheckOrigin: $FN ,...} ... - pattern-not-inside: | $UPGRADER.CheckOrigin = $FN2 ... - pattern: | $UPGRADER.Upgrade(...) message: 'The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per "gorilla/websocket" documentation: "A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery."' languages: - go severity: WARNING metadata: category: security cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://pkg.go.dev/github.com/gorilla/websocket#Upgrader technology: - gorilla confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check shortlink: https://sg.run/xXpz semgrep.dev: rule: r_id: 18430 rv_id: 1262914 rule_id: ReUKdz version_id: qkTR7RP url: https://semgrep.dev/playground/r/qkTR7RP/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check origin: community - id: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection metadata: cwe: - 'CWE-300: Channel Accessible by Non-Endpoint' references: - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption category: security technology: - grpc confidence: HIGH owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection shortlink: https://sg.run/5Q5l semgrep.dev: rule: r_id: 9091 rv_id: 1262917 rule_id: JDUy0B version_id: 6xT2923 url: https://semgrep.dev/playground/r/6xT2923/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection origin: community message: Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile("cert.pem", "cert.key")'. languages: - go severity: ERROR mode: taint pattern-sinks: - requires: OPTIONS and not CREDS pattern: grpc.NewServer($OPT, ...) - requires: EMPTY_CONSTRUCTOR pattern: grpc.NewServer() pattern-sources: - label: OPTIONS pattern: grpc.ServerOption{ ... } - label: CREDS pattern: grpc.Creds(...) - label: EMPTY_CONSTRUCTOR pattern: grpc.NewServer() - id: go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified message: Detected the decoding of a JWT token without a verify step. Don't use `ParseUnverified` unless you know what you're doing This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it. metadata: cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt confidence: MEDIUM references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified shortlink: https://sg.run/Av66 semgrep.dev: rule: r_id: 9094 rv_id: 1262918 rule_id: ReUgJJ version_id: o5TbDbq url: https://semgrep.dev/playground/r/o5TbDbq/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified origin: community languages: - go severity: WARNING patterns: - pattern-inside: | import "github.com/dgrijalva/jwt-go" ... - pattern: | $JWT.ParseUnverified(...) - id: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt confidence: HIGH references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm shortlink: https://sg.run/Gej1 semgrep.dev: rule: r_id: 9092 rv_id: 1262919 rule_id: 5rUOWQ version_id: zyTb2bz url: https://semgrep.dev/playground/r/zyTb2bz/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm origin: community languages: - go severity: ERROR patterns: - pattern-either: - pattern-inside: | import "github.com/golang-jwt/jwt" ... - pattern-inside: | import "github.com/dgrijalva/jwt-go" ... - pattern-either: - pattern: | jwt.SigningMethodNone - pattern: jwt.UnsafeAllowNoneSignatureType - id: go.jwt-go.security.jwt.hardcoded-jwt-key message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). options: interfile: true metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures category: security technology: - jwt - secrets confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key shortlink: https://sg.run/Rod2 semgrep.dev: rule: r_id: 9093 rv_id: 1262920 rule_id: GdU7Ny version_id: pZT0305 url: https://semgrep.dev/playground/r/pZT0305/go.jwt-go.security.jwt.hardcoded-jwt-key origin: community severity: WARNING languages: - go mode: taint pattern-sources: - patterns: - pattern-inside: | []byte("$F") pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $TOKEN.SignedString($F) - focus-metavariable: $F - id: go.lang.security.audit.crypto.bad_imports.insecure-module-used message: The package `net/http/cgi` is on the import blocklist. The package is vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` or a web framework to build a web application instead. metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' source-rule-url: https://github.com/securego/gosec references: - https://godoc.org/golang.org/x/crypto/sha3 category: security technology: - go confidence: MEDIUM subcategory: - audit likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used shortlink: https://sg.run/l2gj semgrep.dev: rule: r_id: 9113 rv_id: 1262921 rule_id: yyUnov version_id: 2KTv2vJ url: https://semgrep.dev/playground/r/2KTv2vJ/go.lang.security.audit.crypto.bad_imports.insecure-module-used origin: community languages: - go severity: WARNING pattern-either: - patterns: - pattern-inside: | import "net/http/cgi" ... - pattern: | cgi.$FUNC(...) - id: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key message: Disabled host key verification detected. This allows man-in-the-middle attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to learn more about the problem and how to fix it. metadata: cwe: - 'CWE-322: Key Exchange without Entity Authentication' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/securego/gosec references: - https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ - https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d category: security technology: - go confidence: MEDIUM subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key shortlink: https://sg.run/Yv6X semgrep.dev: rule: r_id: 9114 rv_id: 1262922 rule_id: r6UrW9 version_id: X0TzyzN url: https://semgrep.dev/playground/r/X0TzyzN/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key origin: community languages: - go severity: WARNING pattern: ssh.InsecureIgnoreHostKey() - id: go.lang.security.audit.crypto.math_random.math-random-used metadata: cwe: - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation category: security technology: - go confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used shortlink: https://sg.run/6nK6 semgrep.dev: rule: r_id: 9115 rv_id: 1262923 rule_id: bwUwy8 version_id: jQTn5nj url: https://semgrep.dev/playground/r/jQTn5nj/go.lang.security.audit.crypto.math_random.math-random-used origin: community message: Do not use `math/rand`. Use `crypto/rand` instead. languages: - go severity: WARNING patterns: - pattern-either: - pattern: | import $RAND "$MATH" - pattern: | import "$MATH" - metavariable-regex: metavariable: $MATH regex: ^(math/rand(\/v[0-9]+)*)$ - pattern-either: - pattern-inside: | ... rand.$FUNC(...) - pattern-inside: | ... $RAND.$FUNC(...) - focus-metavariable: - $MATH fix: | crypto/rand - id: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion message: '`MinVersion` is missing from this TLS configuration. By default, as of Go 1.22, TLS 1.2 is currently used as the minimum. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13'' to the TLS configuration to bump the minimum version to TLS 1.3.' metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go references: - https://go.dev/doc/go1.22#minor_library_changes - https://pkg.go.dev/crypto/tls#:~:text=MinVersion - https://www.us-cert.gov/ncas/alerts/TA14-290A category: security technology: - go confidence: HIGH subcategory: - audit likelihood: MEDIUM impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion shortlink: https://sg.run/oxEN semgrep.dev: rule: r_id: 9116 rv_id: 1262924 rule_id: NbUk4X version_id: 1QTypyp url: https://semgrep.dev/playground/r/1QTypyp/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion origin: community languages: - go severity: WARNING patterns: - pattern: | tls.Config{ $...CONF } - pattern-not: | tls.Config{..., MinVersion: ..., ...} fix: | tls.Config{ $...CONF, MinVersion: tls.VersionTLS13 } - id: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure message: SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go references: - https://golang.org/doc/go1.14#crypto/tls - https://www.us-cert.gov/ncas/alerts/TA14-290A category: security technology: - go confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure shortlink: https://sg.run/zvE1 semgrep.dev: rule: r_id: 9117 rv_id: 1262926 rule_id: kxUkJ2 version_id: yeTxpxj url: https://semgrep.dev/playground/r/yeTxpxj/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure origin: community languages: - go severity: WARNING fix-regex: regex: VersionSSL30 replacement: VersionTLS13 pattern: 'tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}' - id: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher message: Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls.go references: - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites category: security technology: - go confidence: HIGH subcategory: - vuln likelihood: HIGH impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher shortlink: https://sg.run/px8N semgrep.dev: rule: r_id: 9118 rv_id: 1262927 rule_id: wdUJYk version_id: rxTAKAZ url: https://semgrep.dev/playground/r/rxTAKAZ/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher origin: community languages: - go severity: WARNING pattern-either: - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_RC4_128_SHA, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_AES_128_CBC_SHA256, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}} - pattern: | tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}} - pattern: | tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA, ...} - pattern: | tls.CipherSuite{..., TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...} - pattern: | tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256, ...} - pattern: | tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...} - pattern: | tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...} - pattern: | tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...} - pattern: | tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...} - pattern: | tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...} - id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. languages: - go severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://github.com/securego/gosec#available-rules category: security technology: - go confidence: MEDIUM references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 shortlink: https://sg.run/2xB5 semgrep.dev: rule: r_id: 9119 rv_id: 1262928 rule_id: x8Un6q version_id: bZT535Y url: https://semgrep.dev/playground/r/bZT535Y/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 origin: community patterns: - pattern-inside: | import "crypto/md5" ... - pattern-either: - pattern: | md5.New() - pattern: | md5.Sum(...) - id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. languages: - go severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://github.com/securego/gosec#available-rules category: security technology: - go references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 shortlink: https://sg.run/XBYA semgrep.dev: rule: r_id: 9120 rv_id: 1262929 rule_id: OrU31O version_id: NdTzyz1 url: https://semgrep.dev/playground/r/NdTzyz1/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 origin: community patterns: - pattern-inside: | import "crypto/sha1" ... - pattern-either: - pattern: | sha1.New() - pattern: | sha1.Sum(...) - id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES message: Detected DES cipher algorithm which is insecure. The algorithm is considered weak and has been deprecated. Use AES instead. languages: - go severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' source-rule-url: https://github.com/securego/gosec#available-rules category: security technology: - go references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES shortlink: https://sg.run/jREA semgrep.dev: rule: r_id: 9121 rv_id: 1262930 rule_id: eqU8B3 version_id: kbTzGzA url: https://semgrep.dev/playground/r/kbTzGzA/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES origin: community patterns: - pattern-inside: | import "crypto/des" ... - pattern-either: - pattern: | des.NewTripleDESCipher(...) - pattern: | des.NewCipher(...) - id: go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key message: RSA keys should be at least 2048 bits languages: - go severity: WARNING metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/securego/gosec/blob/master/rules/rsa.go references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms category: security technology: - go confidence: HIGH subcategory: - audit likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key shortlink: https://sg.run/9oY4 semgrep.dev: rule: r_id: 9123 rv_id: 1262932 rule_id: d8UjY3 version_id: xyTjz8L url: https://semgrep.dev/playground/r/xyTjz8L/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key origin: community patterns: - pattern-either: - pattern: | rsa.GenerateKey(..., $BITS) - pattern: | rsa.GenerateMultiPrimeKey(..., $BITS) - metavariable-comparison: metavariable: $BITS comparison: $BITS < 2048 - focus-metavariable: - $BITS fix: | 2048 - id: go.lang.security.audit.dangerous-command-write.dangerous-command-write patterns: - pattern: | $CW.Write($BYTE) - pattern-inside: | $CW,$ERR := $CMD.StdinPipe() ... - pattern-not: | $CW.Write("...") - pattern-not: | $CW.Write([]byte("...")) - pattern-not: | $CW.Write([]byte("..."+"...")) - pattern-not-inside: | $BYTE = []byte("..."); ... - pattern-not-inside: | $BYTE = []byte("..."+"..."); ... - pattern-inside: | import "os/exec" ... message: Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code. severity: ERROR languages: - go metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' category: security technology: - go confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write shortlink: https://sg.run/Bko5 semgrep.dev: rule: r_id: 9107 rv_id: 1262933 rule_id: pKUOZ9 version_id: O9Tpx8N url: https://semgrep.dev/playground/r/O9Tpx8N/go.lang.security.audit.dangerous-command-write.dangerous-command-write origin: community - id: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd patterns: - pattern-either: - patterns: - pattern: | exec.Cmd {...,Path: $CMD,...} - pattern-not: | exec.Cmd {...,Path: "...",...} - pattern-not-inside: | $CMD,$ERR := exec.LookPath("..."); ... - pattern-not-inside: | $CMD = "..."; ... - patterns: - pattern: | exec.Cmd {...,Args: $ARGS,...} - pattern-not: | exec.Cmd {...,Args: []string{...},...} - pattern-not-inside: | $ARGS = []string{"...",...}; ... - pattern-not-inside: | $CMD = "..."; ... $ARGS = []string{$CMD,...}; ... - pattern-not-inside: | $CMD = exec.LookPath("..."); ... $ARGS = []string{$CMD,...}; ... - patterns: - pattern: | exec.Cmd {...,Args: []string{$CMD,...},...} - pattern-not: | exec.Cmd {...,Args: []string{"...",...},...} - pattern-not-inside: | $CMD,$ERR := exec.LookPath("..."); ... - pattern-not-inside: | $CMD = "..."; ... - patterns: - pattern-either: - pattern: | exec.Cmd {...,Args: []string{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$EXE,...},...} - patterns: - pattern: | exec.Cmd {...,Args: []string{$CMD,"-c",$EXE,...},...} - pattern-inside: | $CMD,$ERR := exec.LookPath("=~/(sh|bash|ksh|csh|tcsh|zsh)/"); ... - pattern-not: | exec.Cmd {...,Args: []string{"...","...","...",...},...} - pattern-not-inside: | $EXE = "..."; ... - pattern-inside: | import "os/exec" ... message: Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd shortlink: https://sg.run/Dorj semgrep.dev: rule: r_id: 9108 rv_id: 1262934 rule_id: 2ZUb8l version_id: e1Tyjeg url: https://semgrep.dev/playground/r/e1Tyjeg/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd origin: community severity: ERROR languages: - go - id: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command patterns: - pattern-either: - patterns: - pattern-either: - pattern: | exec.Command($CMD,...) - pattern: | exec.CommandContext($CTX,$CMD,...) - pattern-not: | exec.Command("...",...) - pattern-not: | exec.CommandContext($CTX,"...",...) - patterns: - pattern-either: - pattern: | exec.Command("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$CMD,...) - pattern: | exec.CommandContext($CTX,"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$CMD,...) - pattern-not: | exec.Command("...","...","...",...) - pattern-not: | exec.CommandContext($CTX,"...","...","...",...) - pattern-either: - pattern: | exec.Command("=~/\/bin\/env/","=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$CMD,...) - pattern: | exec.CommandContext($CTX,"=~/\/bin\/env/","=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$CMD,...) - pattern-inside: | import "os/exec" ... - pattern-not-inside: | $CMD,$ERR := exec.LookPath("..."); ... - pattern-not-inside: | $CMD = "..."; ... message: Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command shortlink: https://sg.run/W8lA semgrep.dev: rule: r_id: 9109 rv_id: 1262935 rule_id: X5U8RQ version_id: vdT06Xp url: https://semgrep.dev/playground/r/vdT06Xp/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command origin: community severity: ERROR languages: - go - id: go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec patterns: - pattern-either: - patterns: - pattern: | syscall.$METHOD($BIN,...) - pattern-not: | syscall.$METHOD("...",...) - pattern-not-inside: | $BIN,$ERR := exec.LookPath("..."); ... - pattern-not-inside: | $BIN = "..."; ... - patterns: - pattern: | syscall.$METHOD($BIN,$ARGS,...) - pattern-not: | syscall.$METHOD($BIN,[]string{"...",...},...) - pattern-not-inside: | $ARGS := []string{"...",...}; ... - pattern-not-inside: | $CMD = "..."; ... $ARGS = []string{$CMD,...}; ... - pattern-not-inside: | $CMD,$ERR := exec.LookPath("..."); ... $ARGS = []string{$CMD,...}; ... - patterns: - pattern: | syscall.$METHOD($BIN,[]string{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$EXE,...},...) - pattern-not: | syscall.$METHOD($BIN,[]string{"...","...","...",...},...) - patterns: - pattern: | syscall.$METHOD($BIN,$ARGS,...) - pattern-either: - pattern-inside: | $ARGS := []string{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$EXE,...}; ... - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; ... $ARGS = []string{$CMD,"-c",$EXE,...}; ... - pattern-inside: | $CMD,$ERR := exec.LookPath("=~/(sh|bash|ksh|csh|tcsh|zsh)/"); ... $ARGS = []string{$CMD,"-c",$EXE,...}; ... - pattern-not-inside: | $ARGS := []string{"...","...","...",...}; ... - pattern-not-inside: | $CMD = "..."; ... $ARGS = []string{$CMD,"...","...",...}; ... - pattern-not-inside: | $CMD,$ERR := exec.LookPath("..."); ... $ARGS = []string{$CMD,"...","...",...}; ... - pattern-inside: | import "syscall" ... - metavariable-regex: metavariable: $METHOD regex: (Exec|ForkExec) message: Detected non-static command inside Exec. Audit the input to 'syscall.Exec'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec shortlink: https://sg.run/0QRb semgrep.dev: rule: r_id: 9110 rv_id: 1262936 rule_id: j2UvPl version_id: d6Tyx3j url: https://semgrep.dev/playground/r/d6Tyx3j/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec origin: community severity: ERROR languages: - go - id: go.lang.security.audit.database.string-formatted-query.string-formatted-query languages: - go message: String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data. severity: WARNING metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' source-rule-url: https://github.com/securego/gosec category: security technology: - go confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query shortlink: https://sg.run/ydEr semgrep.dev: rule: r_id: 9124 rv_id: 1262937 rule_id: ZqU5bD version_id: ZRTKA2q url: https://semgrep.dev/playground/r/ZRTKA2q/go.lang.security.audit.database.string-formatted-query.string-formatted-query origin: community patterns: - metavariable-regex: metavariable: $OBJ regex: (?i).*(db|database) - pattern-not-inside: | $VAR = "..." + "..." ... $OBJ.$SINK(..., $VAR, ...) - pattern-not: $OBJ.Exec("...") - pattern-not: $OBJ.ExecContext($CTX, "...") - pattern-not: $OBJ.Query("...") - pattern-not: $OBJ.QueryContext($CTX, "...") - pattern-not: $OBJ.QueryRow("...") - pattern-not: $OBJ.QueryRow($CTX, "...") - pattern-not: $OBJ.QueryRowContext($CTX, "...") - pattern-either: - pattern: $OBJ.Exec($X + ...) - pattern: $OBJ.ExecContext($CTX, $X + ...) - pattern: $OBJ.Query($X + ...) - pattern: $OBJ.QueryContext($CTX, $X + ...) - pattern: $OBJ.QueryRow($X + ...) - pattern: $OBJ.QueryRow($CTX, $X + ...) - pattern: $OBJ.QueryRowContext($CTX, $X + ...) - pattern: $OBJ.Exec(fmt.$P("...", ...)) - pattern: $OBJ.ExecContext($CTX, fmt.$P("...", ...)) - pattern: $OBJ.Query(fmt.$P("...", ...)) - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - patterns: - pattern-either: - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...) - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...) - pattern: $QUERY = fmt.Printf("$SQLSTR", ...) - pattern: $QUERY = $X + ... - pattern-either: - pattern-inside: | func $FUNC(...) { ... $OBJ.Query($QUERY, ...) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.ExecContext($CTX, $QUERY, ...) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.Exec($QUERY, ...) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($CTX, $QUERY) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($QUERY) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryContext($CTX, $QUERY) ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRowContext($CTX, $QUERY, ...) ... } - id: go.lang.security.audit.md5-used-as-password.md5-used-as-password languages: - go severity: WARNING message: It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package. options: interfile: true metadata: category: security technology: - md5 references: - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords - https://github.com/returntocorp/semgrep-rules/issues/1609 - https://pkg.go.dev/golang.org/x/crypto/bcrypt owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password shortlink: https://sg.run/4eOE semgrep.dev: rule: r_id: 14688 rv_id: 1262938 rule_id: 4bU1Wj version_id: nWT2L9r url: https://semgrep.dev/playground/r/nWT2L9r/go.lang.security.audit.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: md5.New - pattern: md5.Sum pattern-sinks: - patterns: - pattern: $FUNCTION(...) - metavariable-regex: metavariable: $FUNCTION regex: (?i)(.*password.*) - id: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces message: Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string. languages: - go severity: WARNING metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/securego/gosec category: security technology: - go confidence: HIGH references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces shortlink: https://sg.run/rdE0 semgrep.dev: rule: r_id: 9125 rv_id: 1262939 rule_id: nJUz3J version_id: ExTExoK url: https://semgrep.dev/playground/r/ExTExoK/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces origin: community pattern-either: - pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...) - pattern: net.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...) - pattern: tls.Listen($NETWORK, "=~/^:.*$/", ...) - pattern: net.Listen($NETWORK, "=~/^:.*$/", ...) - id: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly patterns: - pattern-not-inside: | http.Cookie{ ..., HttpOnly: true, ..., } - pattern: | http.Cookie{ ..., } message: A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie. metadata: cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go - https://golang.org/src/net/http/cookie.go category: security technology: - go confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly shortlink: https://sg.run/b73e semgrep.dev: rule: r_id: 9126 rv_id: 1262940 rule_id: EwU2Z6 version_id: 7ZTE3BW url: https://semgrep.dev/playground/r/7ZTE3BW/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly origin: community fix-regex: regex: (HttpOnly\s*:\s+)false replacement: \1true severity: WARNING languages: - go - id: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure patterns: - pattern-not-inside: | http.Cookie{ ..., Secure: true, ..., } - pattern: | http.Cookie{ ..., } message: A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct. metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go - https://golang.org/src/net/http/cookie.go category: security technology: - go confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure shortlink: https://sg.run/N4G7 semgrep.dev: rule: r_id: 9127 rv_id: 1262941 rule_id: 7KUQ8X version_id: LjTkgGE url: https://semgrep.dev/playground/r/LjTkgGE/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure origin: community fix-regex: regex: (Secure\s*:\s+)false replacement: \1true severity: WARNING languages: - go - id: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace message: Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined. metadata: cwe: - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://github.com/returntocorp/semgrep-rules/issues/518 category: security technology: - go confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace shortlink: https://sg.run/kXEK semgrep.dev: rule: r_id: 9128 rv_id: 1262942 rule_id: L1Uyjp version_id: 8KT5rNv url: https://semgrep.dev/playground/r/8KT5rNv/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace origin: community patterns: - pattern-not-inside: | package $PACKAGE ... &httptrace.ClientTrace { ... } ... - pattern: httptrace.WithClientTrace($ANY, $TRACE) severity: WARNING languages: - go - id: go.lang.security.audit.net.formatted-template-string.formatted-template-string message: Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://golang.org/pkg/html/template/#HTML category: security technology: - go confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string shortlink: https://sg.run/weE0 semgrep.dev: rule: r_id: 9129 rv_id: 1262943 rule_id: 8GUjDW version_id: gETB7Pe url: https://semgrep.dev/playground/r/gETB7Pe/go.lang.security.audit.net.formatted-template-string.formatted-template-string origin: community languages: - go severity: WARNING patterns: - pattern-not: template.HTML("..." + "...") - pattern-either: - pattern: template.HTML($T + $X, ...) - pattern: template.HTML(fmt.$P("...", ...), ...) - pattern: | $T = "..." ... $T = $FXN(..., $T, ...) ... template.HTML($T, ...) - pattern: | $T = fmt.$P("...", ...) ... template.HTML($T, ...) - pattern: | $T, $ERR = fmt.$P("...", ...) ... template.HTML($T, ...) - pattern: | $T = $X + $Y ... template.HTML($T, ...) - pattern: |- $T = "..." ... $OTHER, $ERR = fmt.$P(..., $T, ...) ... template.HTML($OTHER, ...) - id: go.lang.security.audit.net.fs-directory-listing.fs-directory-listing message: 'Detected usage of ''http.FileServer'' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.' severity: WARNING languages: - go patterns: - pattern-either: - patterns: - pattern-inside: | $FS := http.FileServer(...) ... - pattern-either: - pattern: | http.ListenAndServe(..., $FS) - pattern: | http.ListenAndServeTLS(..., $FS) - pattern: | http.Handle(..., $FS) - pattern: | http.HandleFunc(..., $FS) - patterns: - pattern: | http.$FN(..., http.FileServer(...)) - metavariable-regex: metavariable: $FN regex: (ListenAndServe|ListenAndServeTLS|Handle|HandleFunc) metadata: category: security cwe: - 'CWE-548: Exposure of Information Through Directory Listing' owasp: - A06:2017 - Security Misconfiguration - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://github.com/OWASP/Go-SCP - https://cwe.mitre.org/data/definitions/548.html confidence: MEDIUM technology: - go subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing shortlink: https://sg.run/4R8x semgrep.dev: rule: r_id: 21300 rv_id: 1262944 rule_id: 5rU9JO version_id: QkTGqX0 url: https://semgrep.dev/playground/r/QkTGqX0/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing origin: community - id: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr message: Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' does not escape contents. Be absolutely sure there is no user-controlled data in this template or validate and sanitize the data before passing it into the template. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://golang.org/pkg/html/template/#HTMLAttr category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr shortlink: https://sg.run/OPRp semgrep.dev: rule: r_id: 9131 rv_id: 1262945 rule_id: QrUz9R version_id: 3ZT4XRr url: https://semgrep.dev/playground/r/3ZT4XRr/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr origin: community languages: - go severity: WARNING pattern-either: - pattern: template.HTMLAttr($T + $X, ...) - pattern: template.HTMLAttr(fmt.$P("...", ...), ...) - pattern: | $T = "..." ... $T = $FXN(..., $T, ...) ... template.HTMLAttr($T, ...) - pattern: | $T = fmt.$P("...", ...) ... template.HTMLAttr($T, ...) - pattern: | $T, $ERR = fmt.$P("...", ...) ... template.HTMLAttr($T, ...) - pattern: | $T = $X + $Y ... template.HTMLAttr($T, ...) - pattern: |- $T = "..." ... $OTHER, $ERR = fmt.$P(..., $T, ...) ... template.HTMLAttr($OTHER, ...) - id: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url message: Found a formatted template string passed to 'template.URL()'. 'template.URL()' does not escape contents, and this could result in XSS (cross-site scripting) and therefore confidential data being stolen. Sanitize data coming into this function or make sure that no user-controlled input is coming into the function. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://golang.org/pkg/html/template/#URL category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url shortlink: https://sg.run/vzE4 semgrep.dev: rule: r_id: 9133 rv_id: 1262947 rule_id: 4bUkDW version_id: PkTR3zz url: https://semgrep.dev/playground/r/PkTR3zz/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url origin: community languages: - go severity: WARNING pattern-either: - pattern: template.URL($T + $X, ...) - pattern: template.URL(fmt.$P("...", ...), ...) - pattern: | $T = "..." ... $T = $FXN(..., $T, ...) ... template.URL($T, ...) - pattern: | $T = fmt.$P("...", ...) ... template.URL($T, ...) - pattern: | $T, $ERR = fmt.$P("...", ...) ... template.URL($T, ...) - pattern: | $T = $X + $Y ... template.URL($T, ...) - pattern: |- $T = "..." ... $OTHER, $ERR = fmt.$P(..., $T, ...) ... template.URL($OTHER, ...) - id: go.lang.security.audit.net.use-tls.use-tls pattern: http.ListenAndServe($ADDR, $HANDLER) fix: http.ListenAndServeTLS($ADDR, certFile, keyFile, $HANDLER) metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://golang.org/pkg/net/http/#ListenAndServeTLS category: security technology: - go confidence: MEDIUM subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls shortlink: https://sg.run/dKbY semgrep.dev: rule: r_id: 9134 rv_id: 1262948 rule_id: PeUZ8X version_id: JdTzxkn url: https://semgrep.dev/playground/r/JdTzxkn/go.lang.security.audit.net.use-tls.use-tls origin: community message: Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information. languages: - go severity: WARNING - id: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf patterns: - pattern-inside: | func $FUNC(..., $W http.ResponseWriter, ...) { ... var $TEMPLATE = "..." ... $W.Write([]byte(fmt.$PRINTF($TEMPLATE, ...)), ...) ... } - pattern-either: - pattern: | $PARAMS = r.URL.Query() ... $DATA, $ERR := $PARAMS[...] ... $INTERM = $ANYTHING(..., $DATA, ...) ... $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) - pattern: | $PARAMS = r.URL.Query() ... $DATA, $ERR := $PARAMS[...] ... $INTERM = $DATA[...] ... $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) - pattern: | $DATA, $ERR := r.URL.Query()[...] ... $INTERM = $DATA[...] ... $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) - pattern: | $DATA, $ERR := r.URL.Query()[...] ... $INTERM = $ANYTHING(..., $DATA, ...) ... $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) - pattern: | $PARAMS = r.URL.Query() ... $DATA, $ERR := $PARAMS[...] ... $W.Write([]byte(fmt.$PRINTF(..., $DATA, ...))) message: Found data going from url query parameters into formatted data written to ResponseWriter. This could be XSS and should not be done. If you must do this, ensure your data is sanitized or escaped. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf shortlink: https://sg.run/Zvon semgrep.dev: rule: r_id: 9135 rv_id: 1262949 rule_id: JDUyXB version_id: 5PTo1qr url: https://semgrep.dev/playground/r/5PTo1qr/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf origin: community severity: WARNING languages: - go - id: go.lang.security.audit.reflect-makefunc.reflect-makefunc message: '''reflect.MakeFunc'' detected. This will sidestep protections that are normally afforded by Go''s type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.' metadata: owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' category: security technology: - go confidence: LOW references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc shortlink: https://sg.run/KlPd semgrep.dev: rule: r_id: 9111 rv_id: 1262950 rule_id: 10UKGb version_id: GxTkeqB url: https://semgrep.dev/playground/r/GxTkeqB/go.lang.security.audit.reflect-makefunc.reflect-makefunc origin: community severity: ERROR pattern: reflect.MakeFunc(...) languages: - go - id: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli patterns: - pattern-either: - patterns: - pattern: $DB.$METHOD(...,$QUERY,...) - pattern-either: - pattern-inside: | $QUERY = $X + $Y ... - pattern-inside: | $QUERY += $X ... - pattern-inside: | $QUERY = fmt.Sprintf("...", $PARAM1, ...) ... - pattern-not-inside: | $QUERY += "..." ... - pattern-not-inside: | $QUERY = "..." + "..." ... - pattern: $DB.$METHOD(..., $X + $Y, ...) - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) - pattern-either: - pattern-inside: | $DB, ... = sql.Open(...) ... - pattern-inside: | func $FUNCNAME(..., $DB *sql.DB, ...) { ... } - pattern-not: $DB.$METHOD(..., "..." + "...", ...) - metavariable-regex: metavariable: $METHOD regex: ^(Exec|ExecContent|Query|QueryContext|QueryRow|QueryRowContext)$ languages: - go message: Detected string concatenation with a non-literal variable in a "database/sql" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' references: - https://golang.org/pkg/database/sql/ category: security technology: - go confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli shortlink: https://sg.run/YgOX semgrep.dev: rule: r_id: 10258 rv_id: 1262951 rule_id: YGUrnQ version_id: RGT0Lpr url: https://semgrep.dev/playground/r/RGT0Lpr/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli origin: community severity: ERROR - id: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli patterns: - pattern-inside: | import ( ... "$IMPORT" ) ... - metavariable-regex: metavariable: $IMPORT regex: .*go-pg - pattern-either: - patterns: - pattern: $DB.$METHOD(...,$QUERY,...) - pattern-either: - pattern-inside: | $QUERY = $X + $Y ... - pattern-inside: | $QUERY += $X ... - pattern-inside: | $QUERY = fmt.Sprintf("...", $PARAM1, ...) ... - pattern-not-inside: | $QUERY += "..." ... - pattern-not-inside: | $QUERY = "..." + "..." ... - pattern: | $DB.$INTFUNC1(...).$METHOD(..., $X + $Y, ...).$INTFUNC2(...) - pattern: | $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) - pattern-inside: | $DB = pg.Connect(...) ... - pattern-inside: | func $FUNCNAME(..., $DB *pg.DB, ...) { ... } - pattern-not-inside: | $QUERY = fmt.Sprintf("...", ...,"...", ...) ... - pattern-not-inside: | $QUERY += "..." ... - pattern-not: $DB.$METHOD(...,"...",...) - pattern-not: | $DB.$INTFUNC1(...).$METHOD(..., "...", ...).$INTFUNC2(...) - pattern-not-inside: | $QUERY = "..." + "..." - pattern-not: | "..." - pattern-not: path.Join(...) - pattern-not: filepath.Join(...) - metavariable-regex: metavariable: $METHOD regex: ^(Where|WhereOr|Join|GroupExpr|OrderExpr|ColumnExpr)$ languages: - go message: Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' references: - https://pg.uptrace.dev/queries/ category: security technology: - go-pg confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli shortlink: https://sg.run/6rA6 semgrep.dev: rule: r_id: 10259 rv_id: 1262952 rule_id: 6JUqQ1 version_id: A8Tgdqn url: https://semgrep.dev/playground/r/A8Tgdqn/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli origin: community severity: ERROR - id: go.lang.security.audit.sqli.pg-sqli.pg-sqli languages: - go message: 'Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: ''(SELECT ? FROM table, data1)''' metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' references: - https://pg.uptrace.dev/ - https://pkg.go.dev/github.com/go-pg/pg/v10 category: security technology: - go-pg confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli shortlink: https://sg.run/Al94 semgrep.dev: rule: r_id: 10294 rv_id: 1262953 rule_id: AbUWXY version_id: BjTkZbQ url: https://semgrep.dev/playground/r/BjTkZbQ/go.lang.security.audit.sqli.pg-sqli.pg-sqli origin: community severity: ERROR patterns: - pattern-either: - patterns: - pattern: | $DB.$METHOD(...,$QUERY,...) - pattern-either: - pattern-inside: | $QUERY = $X + $Y ... - pattern-inside: | $QUERY += $X ... - pattern-inside: | $QUERY = fmt.Sprintf("...", $PARAM1, ...) ... - pattern-not-inside: | $QUERY += "..." ... - pattern-not-inside: | $QUERY = "..." + "..." ... - pattern: $DB.$METHOD(..., $X + $Y, ...) - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) - pattern-either: - pattern-inside: | $DB = pg.Connect(...) ... - pattern-inside: | func $FUNCNAME(..., $DB *pg.DB, ...) { ... } - pattern-not: $DB.$METHOD(..., "..." + "...", ...) - metavariable-regex: metavariable: $METHOD regex: ^(Exec|ExecContext|ExecOne|ExecOneContext|Query|QueryOne|QueryContext|QueryOneContext)$ - id: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli languages: - go message: 'Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)' metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' references: - https://github.com/jackc/pgx - https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool category: security technology: - pgx confidence: LOW owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli shortlink: https://sg.run/okKN semgrep.dev: rule: r_id: 10260 rv_id: 1262954 rule_id: oqUz92 version_id: DkTRbkL url: https://semgrep.dev/playground/r/DkTRbkL/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli origin: community patterns: - pattern-either: - patterns: - pattern: $DB.$METHOD(...,$QUERY,...) - pattern-either: - pattern-inside: | $QUERY = $X + $Y ... - pattern-inside: | $QUERY += $X ... - pattern-inside: | $QUERY = fmt.Sprintf("...", $PARAM1, ...) ... - pattern-not-inside: | $QUERY += "..." ... - pattern-not-inside: | $QUERY = "..." + "..." ... - pattern: $DB.$METHOD(..., $X + $Y, ...) - pattern: $DB.$METHOD(..., fmt.Sprintf("...", $PARAM1, ...), ...) - pattern-either: - pattern-inside: | $DB, ... = pgx.Connect(...) ... - pattern-inside: | $DB, ... = pgx.NewConnPool(...) ... - pattern-inside: | $DB, ... = pgx.ConnectConfig(...) ... - pattern-inside: | func $FUNCNAME(..., $DB *pgx.Conn, ...) { ... } - pattern-not: $DB.$METHOD(..., "..." + "...", ...) - metavariable-regex: metavariable: $METHOD regex: ^(Exec|ExecEx|Query|QueryEx|QueryRow|QueryRowEx)$ severity: ERROR - id: go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name patterns: - pattern-either: - pattern: | $SMTH.MethodByName($NAME,...) - pattern: | $SMTH.FieldByName($NAME,...) - pattern-not: | $SMTH.MethodByName("...",...) - pattern-not: | $SMTH.FieldByName("...",...) - pattern-inside: | import "reflect" ... message: If an attacker can supply values that the application then uses to determine which method or field to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner. metadata: cwe: - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe Reflection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name shortlink: https://sg.run/R8Xv semgrep.dev: rule: r_id: 10005 rv_id: 1262955 rule_id: BYUBdJ version_id: WrTqK8e url: https://semgrep.dev/playground/r/WrTqK8e/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name origin: community severity: WARNING languages: - go - id: go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag message: Detected template variable interpolation in an HTML tag. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over HTML but without the need to use escaped characters. Use explicit tags instead. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/golang/go/issues/19669 - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ category: security technology: - generic confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag shortlink: https://sg.run/LwJJ semgrep.dev: rule: r_id: 9139 rv_id: 1262959 rule_id: AbUzBB version_id: l4TJRZK url: https://semgrep.dev/playground/r/l4TJRZK/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag origin: community languages: - generic severity: WARNING paths: include: - '*.html' - '*.thtml' - '*.gohtml' - '*.tmpl' - '*.tpl' pattern: <{{ ... }} ... > - id: go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string message: Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/golang/go/issues/9200#issuecomment-66100328 - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ category: security technology: - generic confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string shortlink: https://sg.run/8yl7 semgrep.dev: rule: r_id: 9140 rv_id: 1262960 rule_id: BYUNR6 version_id: YDTZeEB url: https://semgrep.dev/playground/r/YDTZeEB/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string origin: community languages: - generic severity: WARNING paths: include: - '*.html' - '*.thtml' - '*.gohtml' - '*.tmpl' - '*.tpl' patterns: - pattern-inside: - pattern: '` ... {{ ... }} ...`' - id: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter message: Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users. metadata: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ - https://golang.org/pkg/io/#WriteString category: security technology: - go confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter shortlink: https://sg.run/gLwn semgrep.dev: rule: r_id: 9141 rv_id: 1262961 rule_id: DbUpEr version_id: 6xT2983 url: https://semgrep.dev/playground/r/6xT2983/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter origin: community severity: WARNING patterns: - pattern-either: - pattern-inside: | func $HANDLER(..., $WRITER http.ResponseWriter, ...) { ... } - pattern-inside: | func(..., $WRITER http.ResponseWriter, ...) { ... } - pattern-not: io.WriteString($WRITER, "...") - pattern: io.WriteString($WRITER, $STRING) languages: - go - id: go.lang.security.audit.xxe.parsing-external-entities-enabled.parsing-external-entities-enabled patterns: - pattern-inside: | import ("github.com/lestrrat-go/libxml2/parser") ... - pattern: $PARSER := parser.New(parser.XMLParseNoEnt) message: Detected enabling of "XMLParseNoEnt", which allows parsing of external entities and can lead to XXE if user controlled data is parsed by the library. Instead, do not enable "XMLParseNoEnt" or be sure to adequately sanitize user-controlled data when it is being parsed by this library. languages: - go severity: WARNING metadata: category: security cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://knowledge-base.secureflag.com/vulnerabilities/xml_injection/xml_entity_expansion_go_lang.html - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing technology: - libxml2 confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/go.lang.security.audit.xxe.parsing-external-entities-enabled.parsing-external-entities-enabled shortlink: https://sg.run/A51w semgrep.dev: rule: r_id: 18794 rv_id: 1262964 rule_id: WAUdLP version_id: pZT03n5 url: https://semgrep.dev/playground/r/pZT03n5/go.lang.security.audit.xxe.parsing-external-entities-enabled.parsing-external-entities-enabled origin: community - id: go.lang.security.filepath-clean-misuse.filepath-clean-misuse message: '`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean("/"+strings.Trim(req.URL.Path, "/")))` However, a better solution is using the `SecureJoin` function in the package `filepath-securejoin`. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.' severity: ERROR languages: - go mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | ($REQUEST : *http.Request).$ANYTHING - pattern: | ($REQUEST : http.Request).$ANYTHING - metavariable-regex: metavariable: $ANYTHING regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ pattern-sinks: - patterns: - pattern-either: - pattern: filepath.Clean($...INNER) - pattern: path.Clean($...INNER) pattern-sanitizers: - pattern-either: - pattern: | "/" + ... fix: filepath.FromSlash(filepath.Clean("/"+strings.Trim($...INNER, "/"))) options: interfile: true metadata: references: - https://pkg.go.dev/path#Clean - http://technosophos.com/2016/03/31/go-quickly-cleaning-filepaths.html - https://labs.detectify.com/2021/12/15/zero-day-path-traversal-grafana/ - https://dzx.cz/2021/04/02/go_path_traversal/ - https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - go cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/go.lang.security.filepath-clean-misuse.filepath-clean-misuse shortlink: https://sg.run/ZKzw semgrep.dev: rule: r_id: 18235 rv_id: 1262967 rule_id: qNUQJe version_id: jQTn5Bj url: https://semgrep.dev/playground/r/jQTn5Bj/go.lang.security.filepath-clean-misuse.filepath-clean-misuse origin: community - id: go.lang.security.injection.raw-html-format.raw-html-format languages: - go severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - go references: - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/ confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format shortlink: https://sg.run/3r1G semgrep.dev: rule: r_id: 14443 rv_id: 1262968 rule_id: PeUonQ version_id: 1QTyp2p url: https://semgrep.dev/playground/r/1QTyp2p/go.lang.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | ($REQUEST : *http.Request).$ANYTHING - pattern: | ($REQUEST : http.Request).$ANYTHING - metavariable-regex: metavariable: $ANYTHING regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ pattern-sanitizers: - pattern: html.EscapeString(...) pattern-sinks: - patterns: - pattern-either: - pattern: fmt.Printf("$HTMLSTR", ...) - pattern: fmt.Sprintf("$HTMLSTR", ...) - pattern: fmt.Fprintf($W, "$HTMLSTR", ...) - pattern: '"$HTMLSTR" + ...' - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - id: go.lang.security.injection.tainted-url-host.tainted-url-host languages: - go message: A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist. options: interfile: true metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://goteleport.com/blog/ssrf-attacks/ category: security technology: - go confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/5DjW semgrep.dev: rule: r_id: 14391 rv_id: 1262970 rule_id: AbUQLr version_id: yeTxpOj url: https://semgrep.dev/playground/r/yeTxpOj/go.lang.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sources: - label: INPUT patterns: - pattern-either: - pattern: | ($REQUEST : *http.Request).$ANYTHING - pattern: | ($REQUEST : http.Request).$ANYTHING - metavariable-regex: metavariable: $ANYTHING regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ - label: CLEAN requires: INPUT patterns: - pattern-either: - pattern: | "$URLSTR" + $INPUT - patterns: - pattern-either: - pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...) - pattern: fmt.Sprintf("$URLSTR", $INPUT, ...) - pattern: fmt.Printf("$URLSTR", $INPUT, ...) - metavariable-regex: metavariable: $URLSTR regex: .*//[a-zA-Z0-10]+\..* pattern-sinks: - requires: INPUT and not CLEAN patterns: - pattern-either: - patterns: - pattern-either: - patterns: - pattern-inside: | $CLIENT := &http.Client{...} ... - pattern: $CLIENT.$METHOD($URL, ...) - pattern: http.$METHOD($URL, ...) - metavariable-regex: metavariable: $METHOD regex: ^(Get|Head|Post|PostForm)$ - patterns: - pattern: | http.NewRequest("$METHOD", $URL, ...) - metavariable-regex: metavariable: $METHOD regex: ^(GET|HEAD|POST|POSTFORM)$ - focus-metavariable: $URL severity: WARNING - id: go.lang.security.zip.path-traversal-inside-zip-extraction message: File traversal when extracting zip archive metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' source_rule_url: https://github.com/securego/gosec/issues/205 category: security technology: - go confidence: LOW owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction shortlink: https://sg.run/Av64 semgrep.dev: rule: r_id: 9106 rv_id: 1262971 rule_id: zdUkoR version_id: rxTAK1Z url: https://semgrep.dev/playground/r/rxTAK1Z/go.lang.security.zip.path-traversal-inside-zip-extraction origin: community languages: - go severity: WARNING pattern: | reader, $ERR := zip.OpenReader($ARCHIVE) ... for _, $FILE := range reader.File { ... path := filepath.Join($TARGET, $FILE.Name) ... } - id: go.otto.security.audit.dangerous-execution.dangerous-execution message: Detected non-static script inside otto VM. Audit the input to 'VM.Run'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - otto - vm confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution shortlink: https://sg.run/4xWE semgrep.dev: rule: r_id: 9144 rv_id: 1262972 rule_id: KxUbxk version_id: bZT53ZY url: https://semgrep.dev/playground/r/bZT53ZY/go.otto.security.audit.dangerous-execution.dangerous-execution origin: community severity: ERROR patterns: - pattern-inside: | $VM = otto.New(...) ... - pattern-not: $VM.Run("...", ...) - pattern: $VM.Run(...) languages: - go - id: html.security.audit.eval-detected.eval-detected message: 'Detected the use of eval(...). This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Follow OWASP best practices to ensure you handle XSS within a JavaScript context correct, and consider using safer APIs to evaluate user-input such as JSON.parse(...). ' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - browser cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/html.security.audit.eval-detected.eval-detected shortlink: https://sg.run/eDol semgrep.dev: rule: r_id: 48732 rv_id: 1262973 rule_id: BYUOdj version_id: NdTzyZ1 url: https://semgrep.dev/playground/r/NdTzyZ1/html.security.audit.eval-detected.eval-detected origin: community languages: - html severity: WARNING patterns: - pattern-inside: | - metavariable-pattern: metavariable: $...A language: javascript patterns: - pattern-either: - pattern: $X(...) - pattern-not: $X("...") - metavariable-regex: metavariable: $X regex: ^(eval)$ - focus-metavariable: $X - id: html.security.audit.missing-integrity.missing-integrity metadata: category: security technology: - html cwe: - 'CWE-353: Missing Support for Integrity Check' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures confidence: LOW references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity shortlink: https://sg.run/krXA semgrep.dev: rule: r_id: 13728 rv_id: 1262975 rule_id: AbUQzj version_id: w8TRopQ url: https://semgrep.dev/playground/r/w8TRopQ/html.security.audit.missing-integrity.missing-integrity origin: community patterns: - pattern-either: - pattern: - pattern: - metavariable-pattern: metavariable: $...A patterns: - pattern-either: - pattern: src='... :// ...' - pattern: src="... :// ..." - pattern: href='... :// ...' - pattern: href="... :// ..." - pattern: src='//...' - pattern: src="//..." - pattern: href='//...' - pattern: href="//..." - pattern-not-regex: (?is).*integrity=.* - pattern-not-regex: (google-analytics\.com|fonts\.googleapis\.com|fonts\.gstatic\.com|googletagmanager\.com) - pattern-not-regex: .*rel\s*=\s*['"]?preconnect.* paths: include: - '*.html' message: "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you\u2019re telling the browser to fetch in the 'integrity' attribute for all externally hosted files." severity: WARNING languages: - generic - id: html.security.plaintext-http-link.plaintext-http-link metadata: category: security technology: - html cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures confidence: HIGH subcategory: - vuln references: - https://cwe.mitre.org/data/definitions/319.html likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link shortlink: https://sg.run/RA5q semgrep.dev: rule: r_id: 39193 rv_id: 1262976 rule_id: AbUnNo version_id: xyTjzRL url: https://semgrep.dev/playground/r/xyTjzRL/html.security.plaintext-http-link.plaintext-http-link origin: community patterns: - pattern: ... - metavariable-regex: metavariable: $URL regex: ^(?i)http:// message: This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible. severity: WARNING languages: - html - id: java.aws-lambda.security.tainted-sql-string.tainted-sql-string languages: - java severity: ERROR message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. options: interfile: true metadata: references: - https://owasp.org/www-community/attacks/SQL_Injection category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/EBYN semgrep.dev: rule: r_id: 18237 rv_id: 1262977 rule_id: YGUl4z version_id: O9TpxQN url: https://semgrep.dev/playground/r/O9TpxQN/java.aws-lambda.security.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sources: - patterns: - focus-metavariable: $EVENT - pattern-either: - pattern: | $HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { ... } - pattern: | $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { ... } pattern-sinks: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR".concat(...) - patterns: - pattern-inside: | StringBuilder $SB = new StringBuilder("$SQLSTR"); ... - pattern: $SB.append(...) - patterns: - pattern-inside: | $VAR = "$SQLSTR"; ... - pattern: $VAR += ... - pattern: String.format("$SQLSTR", ...) - metavariable-regex: metavariable: $SQLSTR regex: (?i)(select|delete|insert|create|update|alter|drop)\b - pattern-not-inside: | System.out.$PRINTLN(...) - id: java.aws-lambda.security.tainted-sqli.tainted-sqli message: Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead. languages: - java severity: WARNING mode: taint pattern-sources: - patterns: - focus-metavariable: $EVENT - pattern-either: - pattern: | $HANDLERTYPE $HANDLER($TYPE $EVENT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { ... } - pattern: | $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT, com.amazonaws.services.lambda.runtime.Context $CONTEXT) { ... } pattern-sinks: - patterns: - pattern-either: - pattern: "(java.sql.CallableStatement $STMT) = ...; \n" - pattern: | (java.sql.Statement $STMT) = ...; - pattern: | (java.sql.PreparedStatement $STMT) = ...; - pattern: | $VAR = $CONN.prepareStatement(...) - pattern: | $PATH.queryForObject(...); - pattern: | (java.util.Map $STMT) = $PATH.queryForMap(...); - pattern: | (org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...; - patterns: - pattern-inside: | (String $SQL) = "$SQLSTR" + ...; ... - pattern: $PATH.$SQLCMD(..., $SQL, ...); - metavariable-regex: metavariable: $SQLSTR regex: (?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*) - metavariable-regex: metavariable: $SQLCMD regex: (execute|query|executeUpdate|batchUpdate) options: interfile: true metadata: category: security technology: - sql - java - aws-lambda cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli shortlink: https://sg.run/7942 semgrep.dev: rule: r_id: 18238 rv_id: 1262978 rule_id: 6JUDWk version_id: e1Tyj4g url: https://semgrep.dev/playground/r/e1Tyj4g/java.aws-lambda.security.tainted-sqli.tainted-sqli origin: community - id: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify message: Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token. metadata: cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt confidence: MEDIUM references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify shortlink: https://sg.run/Bk95 semgrep.dev: rule: r_id: 9151 rv_id: 1262979 rule_id: pKUOE9 version_id: vdT06Lp url: https://semgrep.dev/playground/r/vdT06Lp/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify origin: community languages: - java severity: WARNING patterns: - pattern: | com.auth0.jwt.JWT.decode(...); - pattern-not-inside: |- class $CLASS { ... $RETURNTYPE $FUNC (...) { ... $VERIFIER.verify(...); ... } } - id: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures technology: - java - secrets - jwt category: security cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret shortlink: https://sg.run/RoDK semgrep.dev: rule: r_id: 9149 rv_id: 1262980 rule_id: oqUeAn version_id: d6Tyx8j url: https://semgrep.dev/playground/r/d6Tyx8j/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret origin: community languages: - java severity: WARNING patterns: - pattern-either: - pattern: | (Algorithm $ALG) = $ALGO.$HMAC("$Y"); - pattern: | $SECRET = "$Y"; ... (Algorithm $ALG) = $ALGO.$HMAC($SECRET); - pattern: | class $CLASS { ... $TYPE $SECRET = "$Y"; ... $RETURNTYPE $FUNC (...) { ... (Algorithm $ALG) = $ALGO.$HMAC($SECRET); ... } ... } - focus-metavariable: $Y - metavariable-regex: metavariable: $HMAC regex: (HMAC384|HMAC256|HMAC512) - id: java.jax-rs.security.insecure-resteasy.default-resteasy-provider-abuse message: When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-502: Deserialization of Untrusted Data' cwe2021-top25: true cwe2022-top25: true owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://access.redhat.com/blogs/766093/posts/3162112 subcategory: - audit technology: - jax-rs license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.jax-rs.security.insecure-resteasy.default-resteasy-provider-abuse shortlink: https://sg.run/jNRD semgrep.dev: rule: r_id: 9865 rv_id: 1262983 rule_id: r6UkrD version_id: ExTExeK url: https://semgrep.dev/playground/r/ExTExeK/java.jax-rs.security.insecure-resteasy.default-resteasy-provider-abuse origin: community languages: - java patterns: - pattern: | @Path("...") public $RETURNTYPE $METHOD(...) { ...} - pattern-not-inside: | @GET public $RETURNTYPE $METHOD(...) { ...} - pattern-not-inside: | @Path("...") @Consumes(...) public $RETURNTYPE $METHOD(...) { ...} - pattern-not-inside: | @Consumes(...) public class $CLASSNAME { ... } - id: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN references: - https://www.owasp.org/index.php/Path_Traversal category: security technology: - jax-rs cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal shortlink: https://sg.run/DoWj semgrep.dev: rule: r_id: 9152 rv_id: 1262984 rule_id: 2ZUb9l version_id: 7ZTE3KW url: https://semgrep.dev/playground/r/7ZTE3KW/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal origin: community message: Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path. severity: WARNING languages: - java pattern-either: - pattern: | $RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) { ... new File(..., $VAR, ...); ... } - pattern: |- $RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) { ... new File(..., $VAR, ...); ... } - id: java.jboss.security.seam-log-injection.seam-log-injection patterns: - pattern: | $LOG.$INFO($X + $Y,...) - pattern-either: - pattern-inside: | import org.jboss.seam.log.Log; ... - pattern-inside: | org.jboss.seam.log.Log $LOG = ...; ... - metavariable-regex: metavariable: $INFO regex: (debug|error|fatal|info|trace|warn) languages: - java message: Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION category: security technology: - jboss confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection shortlink: https://sg.run/3A4o semgrep.dev: rule: r_id: 9987 rv_id: 1262985 rule_id: JDUPQ7 version_id: LjTkgRE url: https://semgrep.dev/playground/r/LjTkgRE/java.jboss.security.seam-log-injection.seam-log-injection origin: community severity: ERROR - id: java.jboss.security.session_sqli.find-sql-string-concatenation message: In $METHOD, $X is used to construct a SQL query via string concatenation. languages: - java severity: ERROR pattern-either: - pattern: | $RETURN $METHOD(...,String $X,...){ ... Session $SESSION = ...; ... String $QUERY = ... + $X + ...; ... PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY); ... ResultSet $RESULT = $PS.executeQuery(); ... } - pattern: | $RETURN $METHOD(...,String $X,...){ ... String $QUERY = ... + $X + ...; ... Session $SESSION = ...; ... PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY); ... ResultSet $RESULT = $PS.executeQuery(); ... } metadata: category: security technology: - jboss confidence: MEDIUM cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation shortlink: https://sg.run/W8kA semgrep.dev: rule: r_id: 9153 rv_id: 1262986 rule_id: X5U8rQ version_id: 8KT5r3v url: https://semgrep.dev/playground/r/8KT5r3v/java.jboss.security.session_sqli.find-sql-string-concatenation origin: community - id: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind metadata: cwe: - 'CWE-287: Improper Authentication' owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS category: security technology: - java references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind shortlink: https://sg.run/jR6A semgrep.dev: rule: r_id: 9165 rv_id: 1262988 rule_id: eqU8J3 version_id: QkTGqE0 url: https://semgrep.dev/playground/r/QkTGqE0/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind origin: community message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information. severity: WARNING pattern: | $ENV.put($CTX.SECURITY_AUTHENTICATION, "none"); ... $DCTX = new InitialDirContext($ENV, ...); languages: - java - id: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size shortlink: https://sg.run/9o74 semgrep.dev: rule: r_id: 9167 rv_id: 1262989 rule_id: d8UjJ3 version_id: 3ZT4X2r url: https://semgrep.dev/playground/r/3ZT4X2r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size origin: community message: Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead. severity: WARNING languages: - java patterns: - pattern: | $KEYGEN = KeyGenerator.getInstance("Blowfish"); ... $KEYGEN.init($SIZE); - metavariable-comparison: metavariable: $SIZE comparison: $SIZE < 128 - id: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call patterns: - metavariable-pattern: metavariable: $RUNTIME patterns: - pattern-either: - pattern: (java.lang.Runtime $R) - pattern: java.lang.Runtime.getRuntime(...) - pattern-either: - pattern: $RUNTIME.exec($X + $Y); - pattern: $RUNTIME.exec(String.format(...)); - pattern: $RUNTIME.loadLibrary($X + $Y); - pattern: $RUNTIME.loadLibrary(String.format(...)); - patterns: - pattern-either: - pattern: | $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $ARG,...) - pattern: | $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) - pattern: | $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) - patterns: - pattern-either: - pattern: | $RUNTIME.exec($CMD,"-c",$ARG,...) - pattern: | $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...) - pattern: | $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; ... - patterns: - pattern-either: - pattern: | $RUNTIME.exec($CMD, $EXECUTE, $ARG, ...) - pattern-inside: | $CMD = new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/", ...}; ... - patterns: - pattern-either: - pattern: | $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", $BASH, $ARG,...) - pattern: | $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...),...) - pattern: | $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...},...) - pattern-inside: | $BASH = new String[]{"=~/(-c)/", ...}; ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | $RUNTIME.exec("...","...","...",...) - pattern-not: | $RUNTIME.exec(new String[]{"...","...","...",...},...) - pattern-not: | $RUNTIME.exec(Arrays.asList("...","...","...",...),...) message: A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION. category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call shortlink: https://sg.run/rd90 semgrep.dev: rule: r_id: 9169 rv_id: 1262991 rule_id: nJUzvJ version_id: PkTR3ez url: https://semgrep.dev/playground/r/PkTR3ez/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call origin: community severity: ERROR languages: - java - id: java.lang.security.audit.command-injection-process-builder.command-injection-process-builder pattern-either: - patterns: - pattern: | new ProcessBuilder($CMD,...) - pattern-not-inside: | $CMD = "..."; ... - pattern-not-inside: | $CMD = Arrays.asList("...",...); ... - pattern-not-inside: | $CMD = new String[]{"...",...}; ... - pattern-not: | new ProcessBuilder("...",...) - pattern-not: | new ProcessBuilder(new String[]{"...",...},...) - pattern-not: | new ProcessBuilder(Arrays.asList("...",...),...) - patterns: - pattern: | $PB.command($CMD,...) - pattern-inside: | $TYPE $PB = new ProcessBuilder(...); ... - pattern-not-inside: | $CMD = "..."; ... - pattern-not-inside: | $CMD = Arrays.asList("...",...); ... - pattern-not-inside: | $CMD = new String[]{"...",...}; ... - pattern-not: | $PB.command("...",...) - pattern-not: | $PB.command(new String[]{"...",...},...) - pattern-not: | $PB.command(Arrays.asList("...",...),...) - patterns: - pattern-either: - pattern: | new ProcessBuilder("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) - pattern: | new ProcessBuilder("cmd","/c",$ARG,...) - pattern: | new ProcessBuilder(Arrays.asList("cmd","/c",$ARG,...),...) - pattern: | new ProcessBuilder(new String[]{"cmd","/c",$ARG,...},...) - patterns: - pattern-either: - pattern: | new ProcessBuilder($CMD,"/c",$ARG,...) - pattern: | new ProcessBuilder(Arrays.asList($CMD,"/c",$ARG,...),...) - pattern: | new ProcessBuilder(new String[]{$CMD,"/c",$ARG,...},...) - pattern-inside: | $CMD = "cmd"; ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | new ProcessBuilder("...","...","...",...) - pattern-not: | new ProcessBuilder(new String[]{"...","...","...",...},...) - pattern-not: | new ProcessBuilder(Arrays.asList("...","...","...",...),...) - patterns: - pattern-either: - pattern: | $PB.command("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...) - pattern: | $PB.command("cmd","/c",$ARG,...) - pattern: | $PB.command(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) - pattern: | $PB.command(Arrays.asList("cmd","/c",$ARG,...),...) - pattern: | $PB.command(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) - pattern: | $PB.command(new String[]{"cmd","/c",$ARG,...},...) - patterns: - pattern-either: - pattern: | $PB.command($CMD,"-c",$ARG,...) - pattern: | $PB.command(Arrays.asList($CMD,"-c",$ARG,...),...) - pattern: | $PB.command(new String[]{$CMD,"-c",$ARG,...},...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; ... - patterns: - pattern-either: - pattern: | $PB.command($CMD,"/c",$ARG,...) - pattern: | $PB.command(Arrays.asList($CMD,"/c",$ARG,...),...) - pattern: | $PB.command(new String[]{$CMD,"/c",$ARG,...},...) - pattern-inside: | $CMD = "cmd"; ... - pattern-inside: | $TYPE $PB = new ProcessBuilder(...); ... - pattern-not-inside: | $ARG = "..."; ... - pattern-not: | $PB.command("...","...","...",...) - pattern-not: | $PB.command(new String[]{"...","...","...",...},...) - pattern-not: | $PB.command(Arrays.asList("...","...","...",...),...) message: A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder shortlink: https://sg.run/gJJe semgrep.dev: rule: r_id: 9941 rv_id: 1262992 rule_id: 4bUzzo version_id: JdTzxnn url: https://semgrep.dev/playground/r/JdTzxnn/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder origin: community severity: ERROR languages: - java - id: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly metadata: cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.4.2 Missing Cookie Attribute control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management version: '4' category: security technology: - java references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly shortlink: https://sg.run/b7Be semgrep.dev: rule: r_id: 9170 rv_id: 1262993 rule_id: EwU2z6 version_id: 5PTo17r url: https://semgrep.dev/playground/r/5PTo17r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly origin: community message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);' severity: WARNING languages: - java patterns: - pattern-not-inside: $COOKIE.setValue(""); ... - pattern-either: - pattern: $COOKIE.setHttpOnly(false); - patterns: - pattern-not-inside: $COOKIE.setHttpOnly(...); ... - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... - pattern: $RESPONSE.addCookie($COOKIE); - id: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.4.1 Missing Cookie Attribute control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management version: '4' category: security technology: - java references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag shortlink: https://sg.run/kXoK semgrep.dev: rule: r_id: 9172 rv_id: 1262994 rule_id: L1Uyvp version_id: GxTkelB url: https://semgrep.dev/playground/r/GxTkelB/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag origin: community message: A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);' severity: WARNING languages: - java patterns: - pattern-not-inside: $COOKIE.setValue(""); ... - pattern-either: - pattern: $COOKIE.setSecure(false); - patterns: - pattern-not-inside: $COOKIE.setSecure(...); ... - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... - pattern: $RESPONSE.addCookie($COOKIE); - id: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs message: When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. metadata: cwe: - 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs shortlink: https://sg.run/wek0 semgrep.dev: rule: r_id: 9173 rv_id: 1262995 rule_id: 8GUjwW version_id: RGT0LEr url: https://semgrep.dev/playground/r/RGT0LEr/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs origin: community severity: WARNING languages: - java patterns: - pattern-either: - patterns: - pattern-inside: | class $CLASS { ... Logger $LOG = ...; ... } - pattern-either: - pattern-inside: | $X $METHOD(...,HttpServletRequest $REQ,...) { ... } - pattern-inside: | $X $METHOD(...,ServletRequest $REQ,...) { ... } - pattern-inside: | $X $METHOD(...) { ... HttpServletRequest $REQ = ...; ... } - pattern-inside: | $X $METHOD(...) { ... ServletRequest $REQ = ...; ... } - pattern-inside: | $X $METHOD(...) { ... Logger $LOG = ...; ... HttpServletRequest $REQ = ...; ... } - pattern-inside: | $X $METHOD(...) { ... Logger $LOG = ...; ... ServletRequest $REQ = ...; ... } - pattern-either: - pattern: | String $VAL = $REQ.getParameter(...); ... $LOG.$LEVEL(<... $VAL ...>); - pattern: | String $VAL = $REQ.getParameter(...); ... $LOG.log($LEVEL,<... $VAL ...>); - pattern: | $LOG.$LEVEL(<... $REQ.getParameter(...) ...>); - pattern: | $LOG.log($LEVEL,<... $REQ.getParameter(...) ...>); - id: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated message: DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information. metadata: functional-categories: - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DES_USAGE asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' references: - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms category: security technology: - java subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated shortlink: https://sg.run/5Q73 semgrep.dev: rule: r_id: 9191 rv_id: 1262996 rule_id: PeUZNg version_id: A8TgdEn url: https://semgrep.dev/playground/r/A8TgdEn/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated origin: community severity: WARNING patterns: - pattern-either: - pattern-inside: $CIPHER.getInstance("=~/DES/.*/") - pattern-inside: $CIPHER.getInstance("DES") - pattern-either: - pattern: | "=~/DES/.*/" - pattern: | "DES" fix: | "AES/GCM/NoPadding" languages: - java - kt - id: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated message: Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. metadata: functional-categories: - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE references: - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA category: security technology: - java subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated shortlink: https://sg.run/Geqn semgrep.dev: rule: r_id: 9192 rv_id: 1262997 rule_id: JDUy8J version_id: BjTkZyQ url: https://semgrep.dev/playground/r/BjTkZyQ/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated origin: community severity: WARNING patterns: - pattern-either: - pattern: | $CIPHER.getInstance("=~/DESede.*/") - pattern: | $CRYPTO.KeyGenerator.getInstance("DES") languages: - java - kt - id: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher metadata: functional-categories: - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher shortlink: https://sg.run/Ro9K semgrep.dev: rule: r_id: 9193 rv_id: 1262998 rule_id: 5rUOb6 version_id: DkTRbwL url: https://semgrep.dev/playground/r/DkTRbwL/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher origin: community message: Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. severity: WARNING languages: - java patterns: - pattern: | Cipher $VAR = $CIPHER.getInstance($MODE); - metavariable-regex: metavariable: $MODE regex: .*ECB.* - id: java.lang.security.audit.crypto.gcm-detection.gcm-detection metadata: category: security functional-categories: - crypto::search::randomness::javax.crypto cwe: - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' references: - https://cwe.mitre.org/data/definitions/323.html technology: - java owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-detection.gcm-detection shortlink: https://sg.run/BLLb semgrep.dev: rule: r_id: 11907 rv_id: 1262999 rule_id: 5rU88R version_id: WrTqK7e url: https://semgrep.dev/playground/r/WrTqK7e/java.lang.security.audit.crypto.gcm-detection.gcm-detection origin: community languages: - java message: GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted. patterns: - pattern-either: - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...); - pattern: new GCMParameterSpec(...); severity: INFO - id: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse metadata: functional-categories: - crypto::search::randomness::javax.crypto cwe: - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' category: security source-rule-url: https://www.youtube.com/watch?v=r1awgAl90wM technology: - java owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse shortlink: https://sg.run/Dww2 semgrep.dev: rule: r_id: 11908 rv_id: 1263000 rule_id: GdUZZ3 version_id: 0bTKzGk url: https://semgrep.dev/playground/r/0bTKzGk/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse origin: community languages: - java message: 'GCM IV/nonce is reused: encryption can be totally useless' patterns: - pattern-either: - pattern: new GCMParameterSpec(..., "...".getBytes(...), ...); - pattern: byte[] $NONCE = "...".getBytes(...); ... new GCMParameterSpec(..., $NONCE, ...); severity: ERROR - id: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher patterns: - pattern-either: - pattern: new NullCipher(...); - pattern: new javax.crypto.NullCipher(...); metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher shortlink: https://sg.run/AvA4 semgrep.dev: rule: r_id: 9194 rv_id: 1263001 rule_id: GdU7pw version_id: K3TKkgB url: https://semgrep.dev/playground/r/K3TKkgB/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher origin: community message: 'NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector message: Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption. metadata: cwe: - 'CWE-329: Generation of Predictable IV with CBC Mode' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#STATIC_IV asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' references: - https://cwe.mitre.org/data/definitions/329.html category: security technology: - java subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector shortlink: https://sg.run/BkB5 semgrep.dev: rule: r_id: 9195 rv_id: 1263002 rule_id: ReUgj1 version_id: qkTR7vP url: https://semgrep.dev/playground/r/qkTR7vP/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector origin: community severity: WARNING languages: - java pattern-either: - pattern: | byte[] $IV = { ... }; ... new IvParameterSpec($IV, ...); - pattern: | class $CLASS { byte[] $IV = { ... }; ... $METHOD(...) { ... new IvParameterSpec($IV, ...); ... } } - id: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier message: Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks. metadata: cwe: - 'CWE-295: Improper Certificate Validation' owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER asvs: section: V9 Communications Verification Requirements control_id: 9.2.1 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements version: '4' category: security technology: - java references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier shortlink: https://sg.run/5QoD semgrep.dev: rule: r_id: 9203 rv_id: 1263006 rule_id: lBU9n8 version_id: 5PTo17W url: https://semgrep.dev/playground/r/5PTo17W/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier origin: community severity: WARNING languages: - java pattern-either: - pattern: | class $CLASS implements HostnameVerifier { ... public boolean verify(...) { return true; } } - pattern: |- new HostnameVerifier(...){ public boolean verify(...) { return true; } } - pattern: import org.apache.http.conn.ssl.NoopHostnameVerifier; - id: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager metadata: cwe: - 'CWE-295: Improper Certificate Validation' owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER asvs: section: V9 Communications Verification Requirements control_id: 9.2.1 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements version: '4' references: - https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https category: security technology: - java subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager shortlink: https://sg.run/GePy semgrep.dev: rule: r_id: 9204 rv_id: 1263007 rule_id: YGUR9A version_id: GxTkel1 url: https://semgrep.dev/playground/r/GxTkel1/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager origin: community message: Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information. severity: WARNING languages: - java patterns: - pattern-either: - pattern-inside: | class $CLASS implements X509TrustManager { ... } - pattern-inside: | new X509TrustManager() { ... } - pattern-inside: | class $CLASS implements X509ExtendedTrustManager { ... } - pattern-inside: | new X509ExtendedTrustManager() { ... } - pattern-not: public void checkClientTrusted(...) { $SOMETHING; } - pattern-not: public void checkServerTrusted(...) { $SOMETHING; } - pattern-either: - pattern: public void checkClientTrusted(...) {} - pattern: public void checkServerTrusted(...) {} - pattern: public X509Certificate[] getAcceptedIssuers(...) { return null; } - id: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket metadata: functional-categories: - net::search::crypto-config::java.net cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket shortlink: https://sg.run/W8zA semgrep.dev: rule: r_id: 9197 rv_id: 1263008 rule_id: BYUN3X version_id: RGT0LEj url: https://semgrep.dev/playground/r/RGT0LEj/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket origin: community message: Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. severity: WARNING languages: - java pattern-either: - pattern: new ServerSocket(...) - pattern: new Socket(...) - id: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb pattern: $CIPHER.getInstance("=~/AES/ECB.*/") metadata: functional-categories: - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb shortlink: https://sg.run/dB2Y semgrep.dev: rule: r_id: 48734 rv_id: 1263009 rule_id: WAU2yA version_id: A8TgdEo url: https://semgrep.dev/playground/r/A8TgdEo/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb origin: community message: 'Use of AES with ECB mode detected. ECB doesn''t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 pattern: $CIPHER.getInstance("RC4") metadata: functional-categories: - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 shortlink: https://sg.run/7OYR semgrep.dev: rule: r_id: 48738 rv_id: 1263015 rule_id: lBUw8k version_id: qkTR7vk url: https://semgrep.dev/playground/r/qkTR7vk/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 origin: community message: 'Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.' severity: WARNING languages: - java - id: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::hash-algorithm::javax.crypto owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1 asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 shortlink: https://sg.run/bXNp semgrep.dev: rule: r_id: 17326 rv_id: 1263016 rule_id: qNUWNn version_id: l4TJRpL url: https://semgrep.dev/playground/r/l4TJRpL/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 origin: community pattern-either: - patterns: - pattern: | java.security.MessageDigest.getInstance("$ALGO", ...); - metavariable-regex: metavariable: $ALGO regex: (SHA1|SHA-1) - pattern: | $DU.getSha1Digest().digest(...) - id: python.lang.correctness.list-modify-iterating.list-modify-while-iterate message: It appears that `$LIST` is a list that is being modified while in a for loop. This will likely cause a runtime error or an infinite loop. languages: - python severity: ERROR pattern-either: - pattern: | for $ELEMENT in $LIST: ... $LIST.pop(...) - pattern: | for $ELEMENT in $LIST: ... $LIST.push(...) - pattern: | for $ELEMENT in $LIST: ... $LIST.append(...) - pattern: | for $ELEMENT in $LIST: ... $LIST.extend(...) - pattern: | for $ELEMENT in $LIST: ... $LIST.remove(...) metadata: category: correctness technology: - python references: - https://unspecified.wordpress.com/2009/02/12/thou-shalt-not-modify-a-list-during-iteration/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.list-modify-iterating.list-modify-while-iterate shortlink: https://sg.run/0Qr5 semgrep.dev: rule: r_id: 9598 rv_id: 946295 rule_id: GdU7wZ version_id: kbTYklJ url: https://semgrep.dev/playground/r/kbTYklJ/python.lang.correctness.list-modify-iterating.list-modify-while-iterate origin: community - id: python.lang.correctness.pdb.pdb-remove pattern-either: - pattern: pdb.$X(...) - pattern: pdb.Pdb.$X(...) message: pdb is an interactive debugging tool and you may have forgotten to remove it before committing your code languages: - python severity: WARNING metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.pdb.pdb-remove shortlink: https://sg.run/Kl0X semgrep.dev: rule: r_id: 9599 rv_id: 946296 rule_id: ReUgv3 version_id: w8TKJxO url: https://semgrep.dev/playground/r/w8TKJxO/python.lang.correctness.pdb.pdb-remove origin: community - id: python.lang.correctness.pytest-assert_match-after-path-patch.pytest-assert_match-after-path-patch patterns: - pattern-inside: | import pytest ... - pattern-either: - pattern-inside: | mocker.patch("pathlib.Path", $MOCKED_VALUE) ... - pattern-inside: | mocker.patch.object(pathlib.Path, $METHOD, $MOCKED_VALUE) ... - pattern: snapshot.assert_match(...) message: snapshot.assert_match makes use of pathlib to create files. Patching $METHOD may result in unexpected snapshot behavior languages: - python severity: WARNING metadata: category: correctness technology: - python references: - https://github.com/returntocorp/semgrep/pull/5459 - https://pypi.org/project/pytest-snapshot/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.pytest-assert_match-after-path-patch.pytest-assert_match-after-path-patch shortlink: https://sg.run/j4yD semgrep.dev: rule: r_id: 24165 rv_id: 946297 rule_id: NbUd5B version_id: xyTqne7 url: https://semgrep.dev/playground/r/xyTqne7/python.lang.correctness.pytest-assert_match-after-path-patch.pytest-assert_match-after-path-patch origin: community - id: python.lang.correctness.return-in-init.yield-in-init patterns: - pattern-inside: | class $A(...): ... - pattern-inside: | def __init__(...): ... - pattern-not-inside: | def __init__(...): ... def $F(...): ... - pattern-either: - pattern: yield ... - pattern: yield message: '`yield` should never appear inside a class __init__ function. This will cause a runtime error.' languages: - python severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.return-in-init.yield-in-init shortlink: https://sg.run/PJ6Y semgrep.dev: rule: r_id: 9601 rv_id: 946299 rule_id: BYUNYe version_id: e1T98kK url: https://semgrep.dev/playground/r/e1T98kK/python.lang.correctness.return-in-init.yield-in-init origin: community - id: python.lang.correctness.sync-sleep-in-async-code.sync-sleep-in-async-code patterns: - pattern: time.sleep(...) - pattern-inside: | async def $F(...): ... - pattern-not-inside: | async def $F(...): def $INNER(...): ... message: Synchronous time.sleep in async code will block the event loop and not allow other tasks to execute. Use asyncio.sleep() instead. languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.sync-sleep-in-async-code.sync-sleep-in-async-code shortlink: https://sg.run/9vrz semgrep.dev: rule: r_id: 15823 rv_id: 946300 rule_id: yyUAP4 version_id: vdTGnz6 url: https://semgrep.dev/playground/r/vdTGnz6/python.lang.correctness.sync-sleep-in-async-code.sync-sleep-in-async-code origin: community - id: python.lang.correctness.tempfile.flush.tempfile-without-flush languages: - python message: Using '$F.name' without '.flush()' or '.close()' may cause an error because the file may not exist when '$F.name' is used. Use '.flush()' or close the file before using '$F.name'. pattern-either: - patterns: - pattern-not-inside: | $F = tempfile.NamedTemporaryFile(...) ... $F.write(...) ... $F.flush() ... $F.name - pattern-not-inside: | $F = tempfile.NamedTemporaryFile(...) ... $F.write(...) ... $F.close() ... $F.name - pattern-not-inside: | $F = tempfile.NamedTemporaryFile(..., delete=False, ...) ... $F.close() ... $F.name - pattern-inside: | $F = tempfile.NamedTemporaryFile(...) ... - pattern: | $F.name - patterns: - pattern-not-inside: | with tempfile.NamedTemporaryFile(...) as $F: ... $F.write(...) ... $F.flush() ... $F.name - pattern-not-inside: | with tempfile.NamedTemporaryFile(...) as $F: ... $F.write(...) ... $F.close() ... $F.name - pattern-not-inside: | with tempfile.NamedTemporaryFile(...) as $F: ... $MODULE.dump(..., $F, ...) ... $F.flush() ... $F.name - pattern-not-inside: | with tempfile.NamedTemporaryFile(...) as $F: ... $MODULE.dump(..., $F, ...) ... $F.close() ... $F.name - pattern-inside: | with tempfile.NamedTemporaryFile(...) as $F: ... - pattern: | $F.name severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.tempfile.flush.tempfile-without-flush shortlink: https://sg.run/l23y semgrep.dev: rule: r_id: 9613 rv_id: 946301 rule_id: 2ZUb0A version_id: d6TPjGW url: https://semgrep.dev/playground/r/d6TPjGW/python.lang.correctness.tempfile.flush.tempfile-without-flush origin: community - id: python.lang.correctness.tempfile.mktemp.tempfile-insecure pattern: tempfile.mktemp(...) message: 'Use tempfile.NamedTemporaryFile instead. From the official Python documentation: THIS FUNCTION IS UNSAFE AND SHOULD NOT BE USED. The file name may refer to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch.' languages: - python severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.tempfile.mktemp.tempfile-insecure shortlink: https://sg.run/Yvye semgrep.dev: rule: r_id: 9614 rv_id: 946302 rule_id: X5U83p version_id: ZRT35Pr url: https://semgrep.dev/playground/r/ZRT35Pr/python.lang.correctness.tempfile.mktemp.tempfile-insecure origin: community - id: python.lang.correctness.test-is-missing-assert.test-is-missing-assert languages: - python message: Comparison without assertion. The result of this comparison is not used. Perhaps this expression is missing an `assert` keyword. patterns: - pattern: $A == $B - pattern-not-inside: assert ... - pattern-not-inside: $X = ... - pattern-not-inside: $X += ... - pattern-not-inside: $X |= ... - pattern-not-inside: $X &= ... - pattern-not-inside: yield $X - pattern-not-inside: $X and $Y - pattern-not-inside: $X or $Y - pattern-not-inside: return ... - pattern-not-inside: $FUNC(...) - pattern-not-inside: | while $EXPR: ... - pattern-not-inside: | with (...): ... - pattern-not-inside: | [...] - pattern-not-inside: | $EXPR[...] - pattern-not-inside: | if ...: ... severity: WARNING paths: include: - test*.py metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.test-is-missing-assert.test-is-missing-assert shortlink: https://sg.run/kJ8X semgrep.dev: rule: r_id: 72428 rv_id: 946303 rule_id: qNUyJj version_id: nWTpz4B url: https://semgrep.dev/playground/r/nWTpz4B/python.lang.correctness.test-is-missing-assert.test-is-missing-assert origin: community - id: python.lang.correctness.unchecked-returns.unchecked-subprocess-call patterns: - pattern: subprocess.$CALL(...) - pattern-not-inside: $S = subprocess.call(...) - pattern-not-inside: subprocess.call(...) == $X - pattern-not-inside: return subprocess.call(...) - metavariable-pattern: metavariable: $CALL pattern: call - focus-metavariable: $CALL fix: check_call message: This is not checking the return value of this subprocess call; if it fails no exception will be raised. Consider subprocess.check_call() instead languages: - python severity: WARNING metadata: references: - https://docs.python.org/3/library/subprocess.html#subprocess.check_call category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.unchecked-returns.unchecked-subprocess-call shortlink: https://sg.run/J9Ww semgrep.dev: rule: r_id: 9602 rv_id: 946304 rule_id: DbUp82 version_id: ExTg2D9 url: https://semgrep.dev/playground/r/ExTg2D9/python.lang.correctness.unchecked-returns.unchecked-subprocess-call origin: community - id: python.lang.maintainability.improper-list-concat.improper-list-concat languages: - python message: 'This expression will evaluate to be ONLY value the of the `else` clause if the condition `$EXPRESSION` is false. If you meant to do list concatenation, put parentheses around the entire concatenation expression, like this: `[''a'', ''b'', ''c''] + ([''d''] if x else [''e''])`. If this is the intended behavior, the expression may be confusing to others, and you may wish to add parentheses for readability.' metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.improper-list-concat.improper-list-concat shortlink: https://sg.run/668w semgrep.dev: rule: r_id: 14115 rv_id: 946308 rule_id: v8U9NQ version_id: gETe1XZ url: https://semgrep.dev/playground/r/gETe1XZ/python.lang.maintainability.improper-list-concat.improper-list-concat origin: community pattern: '[...] + [...] if $EXPRESSION else [...]' severity: INFO - id: python.lang.maintainability.useless-assign-keyed.useless-assignment-keyed message: key `$Y` in `$X` is assigned twice; the first assignment is useless languages: - python severity: INFO pattern-either: - pattern: | $X[$Y] = ... $X[$Y] = ... - pattern: | $X[$Y][$Z] = ... $X[$Y][$Z] = ... metadata: category: maintainability technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.maintainability.useless-assign-keyed.useless-assignment-keyed shortlink: https://sg.run/zv6G semgrep.dev: rule: r_id: 9617 rv_id: 946312 rule_id: 9AU1KY version_id: PkTQZGZ url: https://semgrep.dev/playground/r/PkTQZGZ/python.lang.maintainability.useless-assign-keyed.useless-assignment-keyed origin: community - id: python.lang.correctness.writing-to-file-in-read-mode.writing-to-file-in-read-mode message: The file object '$FD' was opened in read mode, but is being written to. This will cause a runtime error. patterns: - pattern-either: - pattern-inside: | $FD = open($NAME, "r", ...) ... - pattern-inside: | $FD = open($NAME, "rb", ...) ... - pattern-inside: | with open($NAME, "r", ...) as $FD: ... - pattern-inside: | with open($NAME, "rb", ...) as $FD: ... - pattern: $FD.write(...) severity: ERROR languages: - python metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.writing-to-file-in-read-mode.writing-to-file-in-read-mode shortlink: https://sg.run/RozO semgrep.dev: rule: r_id: 9605 rv_id: 946307 rule_id: KxUbyG version_id: 8KTKjke url: https://semgrep.dev/playground/r/8KTKjke/python.lang.correctness.writing-to-file-in-read-mode.writing-to-file-in-read-mode origin: community - id: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request message: Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values. languages: - java severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | (HttpServletRequest $REQ) - patterns: - pattern-inside: | (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); ... for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { ... } - pattern: | $COOKIE.getValue(...) pattern-sinks: - patterns: - pattern-either: - pattern: | (ProcessBuilder $PB) = ...; - patterns: - pattern: | (Process $P) = ...; - pattern-not: | (Process $P) = (java.lang.Runtime $R).exec(...); - patterns: - pattern: (java.lang.Runtime $R).exec($CMD, ...); - focus-metavariable: $CMD - patterns: - pattern-either: - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n...\n$PB.command($ARGLIST);\n" - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(ProcessBuilder $PB) = ...;\n" - pattern-inside: "(java.util.List<$TYPE> $ARGLIST) = ...; \n...\n(Process $P) = ...;\n" - pattern: | $ARGLIST.add(...); metadata: category: security technology: - java cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request shortlink: https://sg.run/8zPN semgrep.dev: rule: r_id: 18240 rv_id: 1263042 rule_id: zdUWrg version_id: LjTkg9J url: https://semgrep.dev/playground/r/LjTkg9J/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request origin: community - id: ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-go.gemini-hardcoded-api-key-go languages: - go severity: ERROR message: Google Gemini API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - gemini - google references: - https://ai.google.dev/gemini-api/docs/api-key license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-go.gemini-hardcoded-api-key-go shortlink: https://sg.run/l0GZE semgrep.dev: rule: r_id: 288813 rv_id: 1413371 rule_id: KxUz87l version_id: nWTQ1O8 url: https://semgrep.dev/playground/r/nWTQ1O8/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-go.gemini-hardcoded-api-key-go origin: community patterns: - pattern: option.WithAPIKey("$KEY") - metavariable-regex: metavariable: $KEY regex: ^AIza - id: ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-java.gemini-hardcoded-api-key-java languages: - java severity: ERROR message: Google Gemini API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - gemini - google references: - https://ai.google.dev/gemini-api/docs/api-key license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-java.gemini-hardcoded-api-key-java shortlink: https://sg.run/YKJ8y semgrep.dev: rule: r_id: 288814 rv_id: 1413372 rule_id: qNU1LXq version_id: ExTe3R2 url: https://semgrep.dev/playground/r/ExTe3R2/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-java.gemini-hardcoded-api-key-java origin: community patterns: - pattern: $OBJ.apiKey("$KEY") - metavariable-regex: metavariable: $KEY regex: ^AIza - id: java.lang.security.audit.unsafe-reflection.unsafe-reflection patterns: - pattern: | Class.forName($CLASS,...) - pattern-not: | Class.forName("...",...) - pattern-not-inside: | $CLASS = "..."; ... message: If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner. metadata: cwe: - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe Reflection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection shortlink: https://sg.run/R8X8 semgrep.dev: rule: r_id: 9993 rv_id: 1263047 rule_id: DbUW1W version_id: 44TEj5L url: https://semgrep.dev/playground/r/44TEj5L/java.lang.security.audit.unsafe-reflection.unsafe-reflection origin: community severity: WARNING languages: - java - id: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect message: Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs. metadata: cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.1.5 Open Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements version: '4' category: security technology: - java references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln impact: LOW likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect shortlink: https://sg.run/Q51P semgrep.dev: rule: r_id: 9186 rv_id: 1263048 rule_id: WAUo0p version_id: PkTR329 url: https://semgrep.dev/playground/r/PkTR329/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect origin: community severity: WARNING languages: - java pattern-either: - pattern: | $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) { ... $RES.sendRedirect($URL); ... } - pattern: | $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) { ... $RES.sendRedirect($URL); ... } - pattern: | $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { ... String $URL = $REQ.getParameter(...); ... $RES.sendRedirect($URL); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { ... String $URL = $REQ.getParameter(...); ... $RES.sendRedirect($URL); ... } - pattern: | $X $METHOD(...,String $URL,...) { ... HttpServletResponse $RES = ...; ... $RES.sendRedirect($URL); ... } - pattern: | $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { ... $RES.sendRedirect($REQ.getParameter(...)); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { ... $RES.sendRedirect($REQ.getParameter(...)); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) { ... $RES.addHeader("Location",$URL); ... } - pattern: | $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) { ... $RES.addHeader("Location",$URL); ... } - pattern: | $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { ... String $URL = $REQ.getParameter(...); ... $RES.addHeader("Location",$URL); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { ... String $URL = $REQ.getParameter(...); ... $RES.addHeader("Location",$URL); ... } - pattern: | $X $METHOD(...,String $URL,...) { ... HttpServletResponse $RES = ...; ... $RES.addHeader("Location",$URL); ... } - pattern: | $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { ... $RES.addHeader("Location",$REQ.getParameter(...)); ... } - pattern: |- $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { ... $RES.addHeader("Location",$REQ.getParameter(...)); ... } - id: java.lang.security.audit.url-rewriting.url-rewriting message: URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties. metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING category: security technology: - java references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting shortlink: https://sg.run/3x7b semgrep.dev: rule: r_id: 9187 rv_id: 1263049 rule_id: 0oU5j3 version_id: JdTzxGb url: https://semgrep.dev/playground/r/JdTzxGb/java.lang.security.audit.url-rewriting.url-rewriting origin: community severity: WARNING languages: - java pattern-either: - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.encodeURL(...); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.encodeUrl(...); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.encodeRedirectURL(...); ... } - pattern: | $X $METHOD(...,HttpServletResponse $RES,...) { ... $RES.encodeRedirectUrl(...); ... } - pattern: | $X $METHOD(...) { ... HttpServletResponse $RES = ...; ... $RES.encodeURL(...); ... } - pattern: | $X $METHOD(...) { ... HttpServletResponse $RES = ...; ... $RES.encodeUrl(...); ... } - pattern: | $X $METHOD(...) { ... HttpServletResponse $RES = ...; ... $RES.encodeRedirectURL(...); ... } - pattern: |- $X $METHOD(...) { ... HttpServletResponse $RES = ...; ... $RES.encodeRedirectUrl(...); ... } - id: java.lang.security.audit.weak-ssl-context.weak-ssl-context metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT references: - https://tools.ietf.org/html/rfc7568 - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html category: security technology: - java subcategory: - audit likelihood: LOW impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context shortlink: https://sg.run/4x7E semgrep.dev: rule: r_id: 9188 rv_id: 1263050 rule_id: KxUb1k version_id: 5PTo1rW url: https://semgrep.dev/playground/r/5PTo1rW/java.lang.security.audit.weak-ssl-context.weak-ssl-context origin: community message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") for the best security. severity: WARNING languages: - java patterns: - pattern-not: SSLContext.getInstance("TLSv1.3") - pattern-not: SSLContext.getInstance("TLSv1.2") - pattern: SSLContext.getInstance("...") fix-regex: regex: (.*?)\.getInstance$.*?$ replacement: \1.getInstance("TLSv1.2") - id: python.sqlalchemy.correctness.delete-where.delete-where-no-execute patterns: - pattern: $X.delete().where(...) - pattern-not-inside: $X.delete().where(...).execute() - pattern-not-inside: $C.execute(...) message: .delete().where(...) results in a no-op in SQLAlchemy unless the command is executed, use .filter(...).delete() instead. languages: - python severity: ERROR metadata: category: correctness technology: - sqlalchemy license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.sqlalchemy.correctness.delete-where.delete-where-no-execute shortlink: https://sg.run/KWp7 semgrep.dev: rule: r_id: 9699 rv_id: 946448 rule_id: GdU0LJ version_id: nWTpzKG url: https://semgrep.dev/playground/r/nWTpzKG/python.sqlalchemy.correctness.delete-where.delete-where-no-execute origin: community - id: python.sqlalchemy.performance.performance-improvements.len-all-count pattern: len($X.all()) message: Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side. languages: - python severity: WARNING metadata: category: performance technology: - sqlalchemy license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count shortlink: https://sg.run/4y8g semgrep.dev: rule: r_id: 9700 rv_id: 946449 rule_id: ReUPOw version_id: ExTg2Gr url: https://semgrep.dev/playground/r/ExTg2Gr/python.sqlalchemy.performance.performance-improvements.len-all-count origin: community - id: python.sqlalchemy.performance.performance-improvements.batch-import pattern: | for $X in $Y: db.session.add($Z) message: Rather than adding one element at a time, consider batch loading to improve performance. languages: - python severity: WARNING metadata: category: performance technology: - sqlalchemy license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.batch-import shortlink: https://sg.run/PprN semgrep.dev: rule: r_id: 9701 rv_id: 946450 rule_id: AbUWjy version_id: 7ZTrQAb url: https://semgrep.dev/playground/r/7ZTrQAb/python.sqlalchemy.performance.performance-improvements.batch-import origin: community - id: ruby.lang.security.divide-by-zero.divide-by-zero message: Detected a possible ZeroDivisionError. metadata: cwe: - 'CWE-369: Divide By Zero' references: - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb category: security technology: - ruby confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero shortlink: https://sg.run/KWpP semgrep.dev: rule: r_id: 9711 rv_id: 946476 rule_id: oqUzXA version_id: BjT1NPZ url: https://semgrep.dev/playground/r/BjT1NPZ/ruby.lang.security.divide-by-zero.divide-by-zero origin: community languages: - ruby severity: WARNING mode: taint pattern-sources: - patterns: - pattern: $VAR - metavariable-regex: metavariable: $VAR regex: ^\d*(?!\.)$ pattern-sinks: - patterns: - pattern-inside: $NUMER / 0 - pattern: $NUMER - id: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://blog.sonarsource.com/secure-xml-processor - https://xerces.apache.org/xerces2-j/features.html category: security technology: - java - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing shortlink: https://sg.run/Gj32 semgrep.dev: rule: r_id: 59048 rv_id: 1263061 rule_id: j2Udpk version_id: YDTZeko url: https://semgrep.dev/playground/r/YDTZeko/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing origin: community message: DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory. mode: taint pattern-sources: - by-side-effect: true patterns: - pattern-either: - pattern: | $FACTORY = SAXParserFactory.newInstance(); - patterns: - pattern: $FACTORY - pattern-inside: | class $C { ... $V $FACTORY = SAXParserFactory.newInstance(); ... } - pattern-not-inside: | class $C { ... $V $FACTORY = SAXParserFactory.newInstance(); static { ... $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = SAXParserFactory.newInstance(); static { ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = SAXParserFactory.newInstance(); static { ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... } ... } pattern-sinks: - patterns: - pattern: $FACTORY.newSAXParser(); pattern-sanitizers: - by-side-effect: true pattern-either: - patterns: - pattern-either: - pattern: | $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - pattern: | $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - pattern: | $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); - focus-metavariable: $FACTORY - patterns: - pattern-either: - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities",false); ... } ... } - pattern: $M($X) - focus-metavariable: $X fix: | $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); $FACTORY.newSAXParser(); languages: - java - id: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://blog.sonarsource.com/secure-xml-processor - https://xerces.apache.org/xerces2-j/features.html category: security technology: - java - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled shortlink: https://sg.run/1wyQ semgrep.dev: rule: r_id: 59622 rv_id: 1263062 rule_id: v8UeQ1 version_id: 6xT29GK url: https://semgrep.dev/playground/r/6xT29GK/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled origin: community message: DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes "accessExternalDTD" and "accessExternalStylesheet" to "". mode: taint pattern-sources: - by-side-effect: true patterns: - pattern-either: - pattern: | $FACTORY = TransformerFactory.newInstance(); - patterns: - pattern: $FACTORY - pattern-inside: | class $C { ... $V $FACTORY = TransformerFactory.newInstance(); ... } - pattern-not-inside: | class $C { ... $V $FACTORY = TransformerFactory.newInstance(); static { ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = TransformerFactory.newInstance(); static { ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = TransformerFactory.newInstance(); static { ... $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = TransformerFactory.newInstance(); static { ... $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); ... } ... } pattern-sinks: - patterns: - pattern: $FACTORY.newTransformer(...); pattern-sanitizers: - by-side-effect: true pattern-either: - patterns: - pattern-either: - pattern: | $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - pattern: | $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); - pattern: | $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); - pattern: | $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); - focus-metavariable: $FACTORY - patterns: - pattern-either: - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ... $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setAttribute("=~/.*accessExternalDTD.*/", ""); ... $FACTORY.setAttribute("=~/.*accessExternalStylesheet.*/", ""); ... } ... } - pattern: $M($X) - focus-metavariable: $X fix: | $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); $FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); $FACTORY.newTransformer(...); languages: - java - id: java.lang.security.do-privileged-use.do-privileged-use severity: WARNING languages: - java metadata: cwe: - 'CWE-269: Improper Privilege Management' references: - https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html - https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation - http://phrack.org/papers/escaping_the_java_sandbox.html category: security technology: - java owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use shortlink: https://sg.run/6n76 semgrep.dev: rule: r_id: 9159 rv_id: 1263063 rule_id: bwUw28 version_id: o5TbDoY url: https://semgrep.dev/playground/r/o5TbDoY/java.lang.security.do-privileged-use.do-privileged-use origin: community message: Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible. patterns: - pattern-inside: | import java.security.*; ... - pattern-either: - pattern: AccessController.doPrivileged(...); - pattern: class $ACTION implements PrivilegedAction { ... } - id: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN references: - https://www.owasp.org/index.php/Path_Traversal category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal shortlink: https://sg.run/oxXN semgrep.dev: rule: r_id: 9160 rv_id: 1263064 rule_id: NbUk7X version_id: zyTb2rq url: https://semgrep.dev/playground/r/zyTb2rq/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal origin: community message: Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path. mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | (HttpServletRequest $REQ) - patterns: - pattern-inside: | (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); ... for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { ... } - pattern: | $COOKIE.getValue(...) - patterns: - pattern-inside: | $TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...); ... - pattern: | $PARAM = $VALS[$INDEX]; pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-either: - pattern: | (java.io.File $FILE) = ... - pattern: | (java.io.FileOutputStream $FOS) = ... - pattern: | new java.io.FileInputStream(...) severity: ERROR languages: - java - id: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization severity: WARNING languages: - java metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.3 Insecue Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization shortlink: https://sg.run/zvO1 semgrep.dev: rule: r_id: 9161 rv_id: 1263065 rule_id: kxUk12 version_id: pZT03A1 url: https://semgrep.dev/playground/r/pZT03A1/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization origin: community message: JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method. patterns: - pattern-inside: | public class $JMS_LISTENER implements MessageListener { ... public void onMessage(Message $JMS_MSG) { ... } } - pattern-either: - pattern-inside: $X = $Y.getObject(...); - pattern-inside: $X = ($Z) $Y.getObject(...); - id: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss message: 'Cross-site scripting detected in HttpServletResponse writer with variable ''$VAR''. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: ''Encode.forHtml($VAR)''.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss shortlink: https://sg.run/pxjN semgrep.dev: rule: r_id: 9162 rv_id: 1263066 rule_id: wdUJOk version_id: 2KTv2EG url: https://semgrep.dev/playground/r/2KTv2EG/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss origin: community severity: ERROR patterns: - pattern-inside: $TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... } - pattern-inside: $VAR = $REQ.getParameter(...); ... - pattern-either: - pattern: $RESP.getWriter(...).write(..., $VAR, ...); - pattern: | $WRITER = $RESP.getWriter(...); ... $WRITER.write(..., $VAR, ...); languages: - java - id: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor languages: - java metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability category: security technology: - snakeyaml cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor shortlink: https://sg.run/L8qY semgrep.dev: rule: r_id: 12683 rv_id: 1263067 rule_id: 6JU67x version_id: X0Tzynw url: https://semgrep.dev/playground/r/X0Tzynw/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor origin: community message: Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument. patterns: - pattern: | $Y = new org.yaml.snakeyaml.Yaml(); ... $Y.load(...); severity: WARNING - id: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe severity: WARNING metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe shortlink: https://sg.run/XBwA semgrep.dev: rule: r_id: 9164 rv_id: 1263069 rule_id: OrU35O version_id: 1QTypQZ url: https://semgrep.dev/playground/r/1QTypQZ/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe origin: community message: XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false. patterns: - pattern-not-inside: | $METHOD(...) { ... $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); ... } - pattern-not-inside: | $METHOD(...) { ... $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ... } - pattern-not-inside: | $METHOD(...) { ... $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE); ... } - pattern-not-inside: | $METHOD(...) { ... $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); ... } - pattern-either: - pattern: javax.xml.stream.XMLInputFactory.newFactory(...) - pattern: new XMLInputFactory(...) languages: - java - id: java.mongodb.security.injection.audit.mongodb-nosqli.mongodb-nosqli message: Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc. languages: - java severity: WARNING patterns: - pattern-either: - pattern: (com.mongodb.BasicDBObject $QUERY).put("$where", $INPUT); - pattern: | (HashMap $MAP).put("$where", $INPUT); ... (com.mongodb.BasicDBObject $QUERY).putAll($MAP); - pattern: (com.mongodb.BasicDBObject $QUERY).append("$where", $INPUT); - pattern: new com.mongodb.BasicDBObject("$where", $INPUT); - pattern: | (HashMap $MAP).put("$where", $INPUT); ... new com.mongodb.BasicDBObject($MAP); - pattern: | (HashMap $MAP).put("$where", $INPUT); ... String json = new JSONObject($MAP).toString(); ... (com.mongodb.BasicDBObject $QUERY).parse((String $JSON)); - pattern: com.mongodb.BasicDBObjectBuilder.start().add("$where", $INPUT); - pattern: com.mongodb.BasicDBObjectBuilder.start().append("$where", $INPUT); - pattern: com.mongodb.BasicDBObjectBuilder.start("$where", $INPUT); - pattern: | (HashMap $MAP).put("$where", $INPUT); ... com.mongodb.BasicDBObjectBuilder.start($MAP); - metavariable-pattern: metavariable: $INPUT patterns: - pattern: | ... - pattern-not: | "..." metadata: category: security technology: - nosql - mongodb cwe: - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.4 Injection Prevention control_url: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention version: '5' references: - https://owasp.org/Top10/A03_2021-Injection - https://www.mongodb.com/docs/manual/tutorial/query-documents/ - https://www.mongodb.com/docs/manual/reference/operator/query/where/ subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/java.mongodb.security.injection.audit.mongodb-nosqli.mongodb-nosqli shortlink: https://sg.run/01Yb semgrep.dev: rule: r_id: 39998 rv_id: 1263070 rule_id: 5rUYjk version_id: 9lT4b6k url: https://semgrep.dev/playground/r/9lT4b6k/java.mongodb.security.injection.audit.mongodb-nosqli.mongodb-nosqli origin: community - id: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization severity: WARNING languages: - java metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ category: security technology: - rmi cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization shortlink: https://sg.run/oxg6 semgrep.dev: rule: r_id: 9216 rv_id: 1263071 rule_id: bwUwj4 version_id: yeTxpeP url: https://semgrep.dev/playground/r/yeTxpeP/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization origin: community message: Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON. patterns: - pattern: | interface $INTERFACE extends Remote { $RETURNTYPE $METHOD($CLASS $PARAM) throws RemoteException; } - metavariable-regex: metavariable: $CLASS regex: (?!int|boolean|short|long|byte|char|float|double) - id: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization severity: ERROR metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://frohoff.github.io/appseccali-marshalling-pickles/ - https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi - https://youtu.be/t_aw1mDNhzI - https://github.com/qtc-de/remote-method-guesser - https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331 category: security technology: - rmi cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization shortlink: https://sg.run/zvnl semgrep.dev: rule: r_id: 9217 rv_id: 1263072 rule_id: NbUkw5 version_id: rxTAKN2 url: https://semgrep.dev/playground/r/rxTAKN2/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization origin: community message: Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON. languages: - java patterns: - pattern: | interface $INTERFACE extends Remote { $RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException; } - metavariable-pattern: metavariable: $PARAMTYPE language: generic patterns: - pattern-not: String - pattern-not: java.lang.String - pattern-not: boolean - pattern-not: Boolean - pattern-not: java.lang.Boolean - pattern-not: byte - pattern-not: Byte - pattern-not: java.lang.Byte - pattern-not: char - pattern-not: Character - pattern-not: java.lang.Character - pattern-not: double - pattern-not: Double - pattern-not: java.lang.Double - pattern-not: float - pattern-not: Float - pattern-not: java.lang.Float - pattern-not: int - pattern-not: Integer - pattern-not: java.lang.Integer - pattern-not: long - pattern-not: Long - pattern-not: java.lang.Long - pattern-not: short - pattern-not: Short - pattern-not: java.lang.Short - id: java.servlets.security.cookie-setsecure.cookie-setSecure patterns: - patterns: - pattern-inside: | $COOKIE = new Cookie(...); ... - pattern: | $COOKIE.setSecure(false); - pattern-not-inside: | $COOKIE = new Cookie(...); ... $COOKIE.setSecure(true); message: 'Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.' fix-regex: regex: setSecure$false$ replacement: setSecure(true) metadata: vulnerability: Insecure Transport owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean) - https://owasp.org/www-community/controls/SecureCookieAttribute category: security technology: - java - cookie subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.servlets.security.cookie-setsecure.cookie-setSecure shortlink: https://sg.run/Nb4qN semgrep.dev: rule: r_id: 92971 rv_id: 1263074 rule_id: DbU6pdz version_id: NdTzyJe url: https://semgrep.dev/playground/r/NdTzyJe/java.servlets.security.cookie-setsecure.cookie-setSecure origin: community languages: - java severity: WARNING - id: java.spring.security.audit.spel-injection.spel-injection message: A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION category: security technology: - spring references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection shortlink: https://sg.run/XBp4 semgrep.dev: rule: r_id: 9220 rv_id: 1263075 rule_id: x8Un7b version_id: kbTzG5Y url: https://semgrep.dev/playground/r/kbTzG5Y/java.spring.security.audit.spel-injection.spel-injection origin: community severity: WARNING languages: - java patterns: - pattern-either: - pattern-inside: | class $CLASS { ... ExpressionParser $PARSER; ... } - pattern-inside: | class $CLASS { ... ExpressionParser $PARSER = ...; ... } - pattern-inside: | $X $METHOD(...) { ... ExpressionParser $PARSER = ...; ... } - pattern-inside: | class $CLASS { ... SpelExpressionParser $PARSER; ... } - pattern-inside: | class $CLASS { ... SpelExpressionParser $PARSER = ...; ... } - pattern-inside: | $X $METHOD(...) { ... SpelExpressionParser $PARSER = ...; ... } - pattern-inside: | class $CLASS { ... TemplateAwareExpressionParser $PARSER; ... } - pattern-inside: | class $CLASS { ... TemplateAwareExpressionParser $PARSER = ...; ... } - pattern-inside: | $X $METHOD(...) { ... TemplateAwareExpressionParser $PARSER = ...; ... } - pattern: | $X $METHOD(...) { ... $PARSER.parseExpression(...); ... } - pattern-not: | $X $METHOD(...) { ... $PARSER.parseExpression("..."); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $PARSER.parseExpression($S); ... } - id: java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml patterns: - pattern-inside: | management: ... endpoints: ... web: ... exposure: ... - pattern: | include: "*" message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk. severity: WARNING languages: - yaml metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators category: security technology: - spring cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml shortlink: https://sg.run/1Bzw semgrep.dev: rule: r_id: 29422 rv_id: 1263076 rule_id: eqUerQ version_id: w8TRo5n url: https://semgrep.dev/playground/r/w8TRo5n/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml origin: community - id: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled pattern: management.endpoints.web.exposure.include=* message: Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk. severity: ERROR languages: - generic paths: include: - '*properties' metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators category: security technology: - spring cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled shortlink: https://sg.run/L0vY semgrep.dev: rule: r_id: 10439 rv_id: 1263077 rule_id: EwU4vg version_id: xyTjzwp url: https://semgrep.dev/playground/r/xyTjzwp/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled origin: community - id: java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml patterns: - pattern-inside: | management: ... endpoints: ... web: ... exposure: ... include: ... - pattern: | include: [..., $ACTUATOR, ...] - metavariable-comparison: metavariable: $ACTUATOR comparison: not str($ACTUATOR) in ["health","*"] message: Spring Boot Actuator "$ACTUATOR" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured. severity: WARNING languages: - yaml metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators category: security technology: - spring cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml shortlink: https://sg.run/JzKQ semgrep.dev: rule: r_id: 32290 rv_id: 1263078 rule_id: kxUWpX version_id: O9TpxBp url: https://semgrep.dev/playground/r/O9TpxBp/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml origin: community - id: java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled patterns: - pattern: management.endpoints.web.exposure.include=$...ACTUATORS - metavariable-comparison: metavariable: $...ACTUATORS comparison: not str($...ACTUATORS) in ["health","*"] message: Spring Boot Actuators "$...ACTUATORS" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured. severity: WARNING languages: - generic options: generic_ellipsis_max_span: 0 metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785 - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators category: security technology: - spring cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled shortlink: https://sg.run/5g23 semgrep.dev: rule: r_id: 32291 rv_id: 1263079 rule_id: wdUWrZ version_id: e1Tyjqe url: https://semgrep.dev/playground/r/e1Tyjqe/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled origin: community - id: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval pattern: | message: A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. severity: WARNING languages: - generic metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL category: security technology: - spring references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval shortlink: https://sg.run/Q88o semgrep.dev: rule: r_id: 9942 rv_id: 1263081 rule_id: PeUkkL version_id: d6TyxL7 url: https://semgrep.dev/playground/r/d6TyxL7/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval origin: community paths: include: - '*.jsp' - id: java.spring.security.audit.spring-sqli.spring-sqli mode: taint pattern-sources: - patterns: - pattern: $ARG - pattern-inside: | public $T $M (..., String $ARG,...){...} pattern-sanitizers: - not_conflicting: true pattern-either: - patterns: - focus-metavariable: $A - pattern-inside: | new $TYPE(...,$A,...); pattern-sinks: - patterns: - pattern-either: - patterns: - focus-metavariable: $A - pattern: | new PreparedStatementCreatorFactory($A,...); - patterns: - focus-metavariable: $A - pattern: | (JdbcTemplate $T).$M($A,...) - patterns: - pattern: (String $A) - pattern-inside: | (JdbcTemplate $T).batchUpdate(...) - patterns: - focus-metavariable: $A - pattern: | NamedParameterBatchUpdateUtils.$M($A,...) - patterns: - focus-metavariable: $A - pattern: | BatchUpdateUtils.$M($A,...) message: Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING options: taint_assume_safe_numbers: true taint_assume_safe_booleans: true metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - spring owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli shortlink: https://sg.run/1Z3x semgrep.dev: rule: r_id: 9222 rv_id: 1263082 rule_id: eqU8N2 version_id: ZRTKAWW url: https://semgrep.dev/playground/r/ZRTKAWW/java.spring.security.audit.spring-sqli.spring-sqli origin: community - id: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect message: Application redirects a user to a destination URL specified by a user supplied parameter that is not validated. metadata: cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT category: security technology: - spring references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect shortlink: https://sg.run/9oXz semgrep.dev: rule: r_id: 9223 rv_id: 1263083 rule_id: v8Un7w version_id: nWT2Lk0 url: https://semgrep.dev/playground/r/nWT2Lk0/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect origin: community severity: WARNING languages: - java pattern-either: - pattern: | $X $METHOD(...,String $URL,...) { return "redirect:" + $URL; } - pattern: | $X $METHOD(...,String $URL,...) { ... String $REDIR = "redirect:" + $URL; ... return $REDIR; ... } - pattern: | $X $METHOD(...,String $URL,...) { ... new ModelAndView("redirect:" + $URL); ... } - pattern: |- $X $METHOD(...,String $URL,...) { ... String $REDIR = "redirect:" + $URL; ... new ModelAndView($REDIR); ... } - id: java.spring.security.injection.tainted-file-path.tainted-file-path languages: - java severity: ERROR message: Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path. options: interfile: true metadata: cwe: - 'CWE-23: Relative Path Traversal' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security technology: - java - spring subcategory: - vuln impact: HIGH likelihood: MEDIUM confidence: HIGH interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path shortlink: https://sg.run/x9o0 semgrep.dev: rule: r_id: 22074 rv_id: 1263084 rule_id: lBUxok version_id: ExTEx6Y url: https://semgrep.dev/playground/r/ExTEx6Y/java.spring.security.injection.tainted-file-path.tainted-file-path origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { ... } - pattern-inside: | $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { ... } - metavariable-regex: metavariable: $TYPE regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) - metavariable-regex: metavariable: $REQ regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) - focus-metavariable: $SOURCE pattern-sinks: - patterns: - pattern-either: - pattern: new File(...) - pattern: new java.io.File(...) - pattern: new FileReader(...) - pattern: new java.io.FileReader(...) - pattern: new FileInputStream(...) - pattern: new java.io.FileInputStream(...) - pattern: (Paths $PATHS).get(...) - patterns: - pattern: | $CLASS.$FUNC(...) - metavariable-regex: metavariable: $FUNC regex: ^(getResourceAsStream|getResource)$ - patterns: - pattern-either: - pattern: new ClassPathResource($FILE, ...) - pattern: ResourceUtils.getFile($FILE, ...) - pattern: new FileOutputStream($FILE, ...) - pattern: new java.io.FileOutputStream($FILE, ...) - pattern: new StreamSource($FILE, ...) - pattern: new javax.xml.transform.StreamSource($FILE, ...) - pattern: FileUtils.openOutputStream($FILE, ...) - focus-metavariable: $FILE pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) - id: ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-python.gemini-hardcoded-api-key-python languages: - python severity: ERROR message: Google Gemini API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - gemini - google references: - https://ai.google.dev/gemini-api/docs/api-key license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-python.gemini-hardcoded-api-key-python shortlink: https://sg.run/ol3N0 semgrep.dev: rule: r_id: 288816 rv_id: 1413374 rule_id: YGU6kAq version_id: LjTRo7r url: https://semgrep.dev/playground/r/LjTRo7r/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-python.gemini-hardcoded-api-key-python origin: community pattern-either: - patterns: - pattern: genai.configure(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^AIza - patterns: - pattern: genai.Client(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^AIza - patterns: - pattern: $MOD.Client(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^AIza - metavariable-regex: metavariable: $MOD regex: genai - id: java.spring.security.injection.tainted-system-command.tainted-system-command languages: - java severity: ERROR mode: taint pattern-propagators: - pattern: (StringBuilder $STRB).append($INPUT) from: $INPUT to: $STRB label: CONCAT requires: INPUT pattern-sources: - patterns: - pattern-either: - pattern-inside: | $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { ... } - pattern-inside: | $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { ... } - metavariable-regex: metavariable: $TYPE regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) - metavariable-regex: metavariable: $REQ regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) - focus-metavariable: $SOURCE label: INPUT - patterns: - pattern-either: - pattern: $X + $SOURCE - pattern: $SOURCE + $Y - pattern: String.format("...", ..., $SOURCE, ...) - pattern: String.join("...", ..., $SOURCE, ...) - pattern: (String $STR).concat($SOURCE) - pattern: $SOURCE.concat(...) - pattern: $X += $SOURCE - pattern: $SOURCE += $X label: CONCAT requires: INPUT pattern-sinks: - patterns: - pattern-either: - pattern: | (Process $P) = new Process(...); - pattern: | (ProcessBuilder $PB).command(...); - patterns: - pattern-either: - pattern: | (Runtime $R).$EXEC(...); - pattern: | Runtime.getRuntime(...).$EXEC(...); - metavariable-regex: metavariable: $EXEC regex: (exec|loadLibrary|load) - patterns: - pattern: | (ProcessBuilder $PB).command(...).$ADD(...); - metavariable-regex: metavariable: $ADD regex: (add|addAll) - patterns: - pattern-either: - patterns: - pattern-inside: | $BUILDER = new ProcessBuilder(...); ... - pattern: $BUILDER.start(...) - pattern: | new ProcessBuilder(...). ... .start(...); requires: CONCAT message: 'Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder("ls", "-al", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can''t run arbitrary commands.' metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - java - spring confidence: HIGH references: - https://www.stackhawk.com/blog/command-injection-java/ - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html - https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command shortlink: https://sg.run/epY0 semgrep.dev: rule: r_id: 22076 rv_id: 1263087 rule_id: 6JUxGN version_id: 8KT5rnP url: https://semgrep.dev/playground/r/8KT5rnP/java.spring.security.injection.tainted-system-command.tainted-system-command origin: community - id: java.spring.security.injection.tainted-url-host.tainted-url-host languages: - java severity: ERROR message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters. options: interfile: true metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - java - spring cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/vkYn semgrep.dev: rule: r_id: 22077 rv_id: 1263088 rule_id: oqUZo8 version_id: gETB708 url: https://semgrep.dev/playground/r/gETB708/java.spring.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { ... } - pattern-inside: | $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { ... } - metavariable-regex: metavariable: $TYPE regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) - metavariable-regex: metavariable: $REQ regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) - focus-metavariable: $SOURCE pattern-sinks: - pattern-either: - pattern: new URL($ONEARG) - patterns: - pattern-either: - pattern: | "$URLSTR" + ... - pattern: | "$URLSTR".concat(...) - patterns: - pattern-inside: | StringBuilder $SB = new StringBuilder("$URLSTR"); ... - pattern: $SB.append(...) - patterns: - pattern-inside: | $VAR = "$URLSTR"; ... - pattern: $VAR += ... - patterns: - pattern: String.format("$URLSTR", ...) - pattern-not: String.format("$URLSTR", "...", ...) - patterns: - pattern-inside: | String $VAR = "$URLSTR"; ... - pattern: String.format($VAR, ...) - metavariable-regex: metavariable: $URLSTR regex: http(s?)://%(v|s|q).* - id: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping patterns: - pattern-inside: | @RequestMapping(...) $RETURNTYPE $METHOD(...) { ... } - pattern-not-inside: | @RequestMapping(..., method = $X, ...) $RETURNTYPE $METHOD(...) { ... } - pattern: | RequestMapping message: Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST'). severity: WARNING metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING references: - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING category: security technology: - spring cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping shortlink: https://sg.run/2xlq semgrep.dev: rule: r_id: 9219 rv_id: 1263089 rule_id: wdUJ7q version_id: QkTGq2l url: https://semgrep.dev/playground/r/QkTGq2l/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping origin: community languages: - java - id: java.lang.security.audit.xml-decoder.xml-decoder message: XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention. metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder shortlink: https://sg.run/PJjq semgrep.dev: rule: r_id: 9189 rv_id: 1263051 rule_id: qNUj3y version_id: GxTkeY1 url: https://semgrep.dev/playground/r/GxTkeY1/java.lang.security.audit.xml-decoder.xml-decoder origin: community severity: WARNING languages: - java patterns: - pattern: | $X $METHOD(...) { ... new XMLDecoder(...); ... } - pattern-not: | $X $METHOD(...) { ... new XMLDecoder("..."); ... } - pattern-not: |- $X $METHOD(...) { ... String $STR = "..."; ... new XMLDecoder($STR); ... } - id: java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets message: JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-116: Improper Encoding or Escaping of Output' references: - https://stackoverflow.com/a/3180202 - https://stackoverflow.com/a/4948856 category: security technology: - jsp subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets shortlink: https://sg.run/l2LG semgrep.dev: rule: r_id: 9213 rv_id: 1263052 rule_id: 9AU1Pq version_id: RGT0Lnj url: https://semgrep.dev/playground/r/RGT0Lnj/java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets origin: community pattern-regex: \<\%[^\@].* paths: include: - '*.jsp' languages: - regex severity: WARNING - id: java.lang.security.audit.xss.jsp.use-escapexml.use-escapexml message: Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-116: Improper Encoding or Escaping of Output' references: - https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm - https://stackoverflow.com/a/4948856 - https://stackoverflow.com/a/3180202 category: security technology: - jsp subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/java.lang.security.audit.xss.jsp.use-escapexml.use-escapexml shortlink: https://sg.run/Yv2o semgrep.dev: rule: r_id: 9214 rv_id: 1263053 rule_id: yyUn7e version_id: A8Tgd0o url: https://semgrep.dev/playground/r/A8Tgd0o/java.lang.security.audit.xss.jsp.use-escapexml.use-escapexml origin: community pattern-regex: \$\{(?!.*escapeXml).*\} paths: include: - '*.jsp' languages: - regex severity: WARNING - id: java.lang.security.audit.xss.jsp.use-jstl-escaping.use-jstl-escaping message: Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-116: Improper Encoding or Escaping of Output' references: - https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm - https://stackoverflow.com/a/4948856 - https://stackoverflow.com/a/3180202 category: security technology: - jsp subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/java.lang.security.audit.xss.jsp.use-jstl-escaping.use-jstl-escaping shortlink: https://sg.run/6nzL semgrep.dev: rule: r_id: 9215 rv_id: 1263054 rule_id: r6Ur7G version_id: BjTkZJ0 url: https://semgrep.dev/playground/r/BjTkZJ0/java.lang.security.audit.xss.jsp.use-jstl-escaping.use-jstl-escaping origin: community pattern-regex: <(?![A-Za-z0-9]+:out).*?\$\{.*?\}.*> paths: include: - '*.jsp' languages: - regex severity: WARNING - id: ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-javascript.gemini-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: Google Gemini API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - gemini - google references: - https://ai.google.dev/gemini-api/docs/api-key license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-javascript.gemini-hardcoded-api-key-javascript shortlink: https://sg.run/6WP61 semgrep.dev: rule: r_id: 288815 rv_id: 1413373 rule_id: lBUro8B version_id: 7ZTKjDe url: https://semgrep.dev/playground/r/7ZTKjDe/ai.ai-best-practices.gemini-hardcoded-api-key.gemini-hardcoded-api-key-javascript.gemini-hardcoded-api-key-javascript origin: community patterns: - pattern: new GoogleGenerativeAI("$KEY") - metavariable-regex: metavariable: $KEY regex: ^AIza - id: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://blog.sonarsource.com/secure-xml-processor - https://xerces.apache.org/xerces2-j/features.html category: security technology: - java - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing shortlink: https://sg.run/PYBz semgrep.dev: rule: r_id: 18245 rv_id: 1263058 rule_id: 10UPQB version_id: K3TKk80 url: https://semgrep.dev/playground/r/K3TKk80/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing origin: community message: DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" and "http://xml.org/sax/features/external-parameter-entities" to false. mode: taint pattern-sources: - by-side-effect: true patterns: - pattern-either: - pattern: | $FACTORY = DocumentBuilderFactory.newInstance(); - patterns: - pattern: $FACTORY - pattern-inside: | class $C { ... $V $FACTORY = DocumentBuilderFactory.newInstance(); ... } - pattern-not-inside: | class $C { ... $V $FACTORY = DocumentBuilderFactory.newInstance(); static { ... $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = DocumentBuilderFactory.newInstance(); static { ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... } ... } - pattern-not-inside: | class $C { ... $V $FACTORY = DocumentBuilderFactory.newInstance(); static { ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... } ... } pattern-sinks: - patterns: - pattern: $FACTORY.newDocumentBuilder(); pattern-sanitizers: - by-side-effect: true pattern-either: - patterns: - pattern-either: - pattern: | $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - pattern: | $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - pattern: | $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); - focus-metavariable: $FACTORY - patterns: - pattern-either: - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... } ... } - pattern-inside: | class $C { ... $T $M(...) { ... $FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ... $FACTORY.setFeature("http://xml.org/sax/features/external-general-entities",false); ... } ... } - pattern: $M($X) - focus-metavariable: $X fix: | $FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); $FACTORY.newDocumentBuilder(); languages: - java - id: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://blog.sonarsource.com/secure-xml-processor category: security technology: - java - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true shortlink: https://sg.run/JgPy semgrep.dev: rule: r_id: 18246 rv_id: 1263059 rule_id: 9AUJ6r version_id: qkTR7Lk url: https://semgrep.dev/playground/r/qkTR7Lk/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true origin: community message: External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-general-entities" to false. pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", true); fix: $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false); languages: - java - id: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://blog.sonarsource.com/secure-xml-processor category: security technology: - java - xml cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true shortlink: https://sg.run/5Lv0 semgrep.dev: rule: r_id: 18247 rv_id: 1263060 rule_id: yyUNeo version_id: l4TJRoL url: https://semgrep.dev/playground/r/l4TJRoL/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true origin: community message: External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-parameter-entities" to false. pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", true); fix: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false); languages: - java - id: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration message: The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. metadata: owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' category: security technology: - browser subcategory: - audit likelihood: HIGH impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration shortlink: https://sg.run/PJ4p semgrep.dev: rule: r_id: 9245 rv_id: 1263125 rule_id: KxUbq4 version_id: jQTn5ND url: https://semgrep.dev/playground/r/jQTn5ND/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration origin: community languages: - javascript - typescript severity: WARNING pattern: $OBJECT.postMessage(...,'*',...) - id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection message: If unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - chrome-remote-interface references: - https://github.com/cyrus-and/chrome-remote-interface cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection shortlink: https://sg.run/J9kj semgrep.dev: rule: r_id: 9246 rv_id: 1263126 rule_id: qNUjnb version_id: 1QTypkQ url: https://semgrep.dev/playground/r/1QTypkQ/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: function ... (..., $ARG,...) {...} - focus-metavariable: $ARG pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('chrome-remote-interface'); ... - pattern-inside: | import 'chrome-remote-interface'; ... - pattern-either: - pattern: | $RUNTIME.compileScript({expression: $SINK},...) - pattern: | $RUNTIME.evaluate({expression: $SINK},...) - pattern: | $PAGE.navigate({url: $SINK},...) - pattern: | $RUNTIME.printToPDF({headerTemplate: $SINK},...) - pattern: | $RUNTIME.printToPDF({footerTemplate: $SINK},...) - pattern: | $PAGE.setDocumentContent({html: $SINK},...) - focus-metavariable: $SINK - id: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage message: A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies. metadata: category: security references: - https://www.npmjs.com/package/csurf - https://www.npmjs.com/package/csrf - https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - javascript - typescript - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage shortlink: https://sg.run/BxzR semgrep.dev: rule: r_id: 22551 rv_id: 1263128 rule_id: wdUKEq version_id: yeTxp5d url: https://semgrep.dev/playground/r/yeTxp5d/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage origin: community languages: - javascript - typescript severity: INFO patterns: - pattern-inside: | $EXPRESS = require('express') ... - pattern-not-inside: | import {$CSRF} from 'csurf' ... - pattern-not-inside: | require('csurf') ... - pattern-not-inside: | import {$CSRF} from 'csrf' ... - pattern-not-inside: | require('csrf') ... - pattern: | $APP = $EXPRESS() - id: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing message: Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource. options: interfile: true metadata: interfile: true cwe: - 'CWE-548: Exposure of Information Through Directory Listing' owasp: - A06:2017 - Security Misconfiguration - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - express references: - https://www.npmjs.com/package/serve-index - https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/ subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing shortlink: https://sg.run/DX2G semgrep.dev: rule: r_id: 22552 rv_id: 1263129 rule_id: x8UqEb version_id: rxTAKGb url: https://semgrep.dev/playground/r/rxTAKGb/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $APP.use(require('serve-index')(...)) - patterns: - pattern-either: - pattern-inside: | $SERVEINDEX = require('serve-index') ... - pattern-inside: | import $SERVEINDEX from 'serve-index' ... - pattern-inside: | import * as $SERVEINDEX from 'serve-index' ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $SERVEINDEX(...) ... - pattern: | $VALUE(...) - pattern: | $APP.use(..., $SERVEINDEX(...), ...) - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name message: "Don\u2019t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly." severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name shortlink: https://sg.run/1Z5x semgrep.dev: rule: r_id: 9266 rv_id: 1263130 rule_id: eqU8k2 version_id: bZT536J url: https://semgrep.dev/playground/r/bZT536J/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {name:...} ...>,...) - pattern-not-inside: | $OPTS = <... {name:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.name = ...; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure message: 'Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.' severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure shortlink: https://sg.run/9oKz semgrep.dev: rule: r_id: 9267 rv_id: 1263131 rule_id: v8Unzw version_id: NdTzyrv url: https://semgrep.dev/playground/r/NdTzyrv/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{secure:true}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{secure:true}} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {secure:true} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {secure:true} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE.secure = true; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.secure = true; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly message: 'Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.' severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly shortlink: https://sg.run/ydBO semgrep.dev: rule: r_id: 9268 rv_id: 1263132 rule_id: d8UjGo version_id: kbTzGev url: https://semgrep.dev/playground/r/kbTzGev/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{httpOnly:true}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{httpOnly:true}} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {httpOnly:true} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {httpOnly:true} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE.httpOnly = true; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.httpOnly = true; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain message: 'Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.' severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain shortlink: https://sg.run/rd41 semgrep.dev: rule: r_id: 9269 rv_id: 1263133 rule_id: ZqU5Pn version_id: w8TRoyd url: https://semgrep.dev/playground/r/w8TRoyd/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{domain:...}} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {domain:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {domain:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE.domain = ...; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.domain = ...; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path message: 'Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.' severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path shortlink: https://sg.run/b7pd semgrep.dev: rule: r_id: 9270 rv_id: 1263134 rule_id: nJUz4X version_id: xyTjzQD url: https://semgrep.dev/playground/r/xyTjzQD/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{path:...}} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {path:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {path:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE.path = ...; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.path = ...; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires message: 'Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.' severity: WARNING languages: - javascript - typescript metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://expressjs.com/en/advanced/best-practice-security.html category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: LOW confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires shortlink: https://sg.run/N4eG semgrep.dev: rule: r_id: 9271 rv_id: 1263135 rule_id: EwU2DZ version_id: O9TpxRq url: https://semgrep.dev/playground/r/O9TpxRq/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires origin: community patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session'); ... - pattern-inside: | $SESSION = require('express-session'); ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{expires:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{expires:...}} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {expires:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {expires:...} ...>; ... $SESSION($OPTS,...); - pattern-not-inside: | $OPTS = ...; ... $COOKIE.expires = ...; ... $SESSION($OPTS,...); - pattern-not-inside: |- $OPTS = ...; ... $OPTS.cookie.expires = ...; ... $SESSION($OPTS,...); - id: javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage message: Detected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function. metadata: category: security references: - https://github.com/mmckegg/notevil cwe: - 'CWE-1104: Use of Unmaintained Third Party Components' owasp: - A06:2021 - Vulnerable and Outdated Components - A03:2025 - Software Supply Chain Failures technology: - javascript - typescript subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage shortlink: https://sg.run/W70E semgrep.dev: rule: r_id: 22553 rv_id: 1263136 rule_id: OrUX9K version_id: e1TyjGl url: https://semgrep.dev/playground/r/e1TyjGl/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern-inside: | import $EVAL from 'notevil' ... - pattern-inside: | import {$EVAL} from 'notevil' ... - pattern-inside: | $EVAL = require('notevil') ... - pattern-either: - patterns: - pattern: $EVAL(...) - pattern-not: $EVAL('...') - patterns: - pattern-either: - pattern: $VM.runInContext("$CMD", ...) - pattern: $VM.runInNewContext("$CMD", ...) - pattern: $VM.runInThisContext("$CMD", ...) - pattern: $VM.compileFunction("$CMD", ...) - metavariable-pattern: patterns: - pattern: $EVAL(...) - pattern-not: $EVAL('...') metavariable: $CMD language: typescript - id: javascript.express.security.audit.express-libxml-noent.express-libxml-noent message: The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected. options: interfile: true metadata: interfile: true references: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html technology: - express category: security cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent shortlink: https://sg.run/Z75x semgrep.dev: rule: r_id: 22079 rv_id: 1263138 rule_id: pKUNeD version_id: d6TyxpX url: https://semgrep.dev/playground/r/d6TyxpX/javascript.express.security.audit.express-libxml-noent.express-libxml-noent origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - pattern: $REQ.files.$ANYTHING.data.toString('utf8') - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body - pattern: files.$ANYTHING.data.toString('utf8') - pattern: files.$ANYTHING['data'].toString('utf8') pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $XML = require('$IMPORT') ... - pattern-inside: | import $XML from '$IMPORT' ... - pattern-inside: | import * as $XML from '$IMPORT' ... - metavariable-regex: metavariable: $IMPORT regex: ^(libxmljs|libxmljs2)$ - pattern-inside: $XML.$FUNC($QUERY, {...,noent:true,...}) - metavariable-regex: metavariable: $FUNC regex: ^(parseXmlString|parseXml)$ - focus-metavariable: $QUERY - id: javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent message: Detected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent shortlink: https://sg.run/n8Ag semgrep.dev: rule: r_id: 22080 rv_id: 1263139 rule_id: 2ZUY52 version_id: ZRTKAXb url: https://semgrep.dev/playground/r/ZRTKAXb/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - patterns: - pattern-either: - pattern: $VM.runInContext("$CMD", ...) - pattern: $VM.runInNewContext("$CMD", ...) - pattern: $VM.runInThisContext("$CMD", ...) - pattern: $VM.compileFunction("$CMD", ...) - metavariable-pattern: metavariable: $CMD language: typescript pattern-either: - pattern: | $LIBXML.parseXml($DATA, {..., noent: true, ...}, ...) - patterns: - pattern-inside: | $OPTS = {..., noent: true, ...} ... - pattern: $LIBXML.parseXml( $DATA, $OPTS ) - pattern: | $LIBXML.parseXml($DATA, {..., noent: true, ...}, ...) - patterns: - pattern-inside: | $OPTS = {..., noent: true, ...} ... - pattern: $LIBXML.parseXml( $DATA, $OPTS ) - id: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal message: Possible writing outside of the destination, make sure that the target path is nested in the intended destination metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' category: security references: - https://owasp.org/www-community/attacks/Path_Traversal technology: - express - node.js cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal shortlink: https://sg.run/weRn semgrep.dev: rule: r_id: 9273 rv_id: 1263141 rule_id: L1Uyb8 version_id: ExTExX0 url: https://semgrep.dev/playground/r/ExTExX0/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - focus-metavariable: $SINK - pattern-either: - pattern-inside: | $PATH = require('path'); ... - pattern-inside: | import $PATH from 'path'; ... - pattern-either: - pattern: $PATH.join(...,$SINK,...) - pattern: $PATH.resolve(...,$SINK,...) - patterns: - focus-metavariable: $SINK - pattern-inside: | import 'path'; ... - pattern-either: - pattern: path.join(...,$SINK,...) - pattern: path.resolve(...,$SINK,...) pattern-sanitizers: - pattern: $Y.replace(...) - pattern: $Y.indexOf(...) - pattern: | function ... (...) { ... <... $Y.indexOf(...) ...> ... } - patterns: - pattern: $FUNC(...) - metavariable-regex: metavariable: $FUNC regex: sanitize - id: javascript.express.security.audit.express-res-sendfile.express-res-sendfile message: The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html technology: - express category: security cwe: - 'CWE-73: External Control of File Name or Path' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile shortlink: https://sg.run/7DJk semgrep.dev: rule: r_id: 22082 rv_id: 1263142 rule_id: j2UzDx version_id: 7ZTE3X9 url: https://semgrep.dev/playground/r/7ZTE3X9/javascript.express.security.audit.express-res-sendfile.express-res-sendfile origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | function ... (...,$REQ: $TYPE, ...) {...} - metavariable-regex: metavariable: $TYPE regex: ^(string|String) pattern-sinks: - patterns: - pattern-either: - pattern: $RES.$METH($QUERY,...) - pattern-not-inside: $RES.$METH($QUERY,$OPTIONS) - metavariable-regex: metavariable: $METH regex: ^(sendfile|sendFile)$ - focus-metavariable: $QUERY - id: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). options: interfile: true metadata: interfile: true cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures category: security technology: - express - secrets cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret shortlink: https://sg.run/LYvG semgrep.dev: rule: r_id: 22083 rv_id: 1263143 rule_id: 10Uo39 version_id: LjTkgle url: https://semgrep.dev/playground/r/LjTkgle/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern-inside: | $SESSION = require('express-session'); ... - pattern-inside: | import $SESSION from 'express-session' ... - pattern-inside: | import {..., $SESSION, ...} from 'express-session' ... - pattern-inside: | import * as $SESSION from 'express-session' ... - patterns: - pattern-either: - pattern-inside: $APP.use($SESSION({...})) - pattern: | $SECRET = $VALUE ... $APP.use($SESSION($SECRET)) - pattern: | secret: '$Y' - id: javascript.express.security.audit.express-ssrf.express-ssrf message: 'The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. ' metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' technology: - express category: security owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf shortlink: https://sg.run/0PNw semgrep.dev: rule: r_id: 22554 rv_id: 1263144 rule_id: eqU9l2 version_id: 8KT5rBr url: https://semgrep.dev/playground/r/8KT5rBr/javascript.express.security.audit.express-ssrf.express-ssrf origin: community languages: - javascript - typescript severity: WARNING mode: taint options: taint_unify_mvars: true pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, ...) {...} - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,...) => {...} - pattern-inside: | ({ $REQ }: $EXPRESS.Request,...) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $REQUEST = require('request') ... - pattern-inside: | import * as $REQUEST from 'request' ... - pattern-inside: | import $REQUEST from 'request' ... - pattern-either: - pattern: $REQUEST.$METHOD("$HTTP"+$REQ. ... .$VALUE) - pattern: $REQUEST.$METHOD("$HTTP"+$REQ. ... .$VALUE + $...A) - pattern: $REQUEST.$METHOD(`$HTTP${$REQ. ... .$VALUE}...`) - pattern: $REQUEST.$METHOD("$HTTP"+$REQ.$VALUE[...]) - pattern: $REQUEST.$METHOD("$HTTP"+$REQ.$VALUE[...] + $...A) - pattern: $REQUEST.$METHOD(`$HTTP${$REQ.$VALUE[...]}...`) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|patch|del|head|delete)$ - metavariable-regex: metavariable: $HTTP regex: ^(https?:\/\/|//)$ - pattern-either: - pattern: $REQ. ... .$VALUE - patterns: - pattern-either: - pattern-inside: | $REQUEST = require('request') ... - pattern-inside: | import * as $REQUEST from 'request' ... - pattern-inside: | import $REQUEST from 'request' ... - pattern-either: - pattern: $REQUEST.$METHOD($REQ. ... .$VALUE,...) - pattern: $REQUEST.$METHOD($REQ. ... .$VALUE + $...A,...) - pattern: $REQUEST.$METHOD(`${$REQ. ... .$VALUE}...`,...) - pattern: $REQ. ... .$VALUE - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|patch|del|head|delete)$ - patterns: - pattern-either: - pattern-inside: | $REQUEST = require('request') ... - pattern-inside: | import * as $REQUEST from 'request' ... - pattern-inside: | import $REQUEST from 'request' ... - pattern-either: - pattern: $REQUEST.$METHOD($REQ.$VALUE['...'],...) - pattern: $REQUEST.$METHOD($REQ.$VALUE['...'] + $...A,...) - pattern: $REQUEST.$METHOD(`${$REQ.$VALUE['...']}...`,...) - pattern: $REQ.$VALUE - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|patch|del|head|delete)$ - patterns: - pattern-either: - pattern-inside: | $REQUEST = require('request') ... - pattern-inside: | import * as $REQUEST from 'request' ... - pattern-inside: | import $REQUEST from 'request' ... - pattern-either: - pattern-inside: | $ASSIGN = $REQ. ... .$VALUE ... - pattern-inside: | $ASSIGN = $REQ. ... .$VALUE['...'] ... - pattern-inside: | $ASSIGN = $REQ. ... .$VALUE + $...A ... - pattern-inside: "$ASSIGN = $REQ. ... .$VALUE['...'] + $...A\n... \n" - pattern-inside: | $ASSIGN = `${$REQ. ... .$VALUE}...` ... - pattern-inside: "$ASSIGN = `${$REQ. ... .$VALUE['...']}...`\n... \n" - patterns: - pattern-either: - pattern-inside: | $ASSIGN = "$HTTP"+ $REQ. ... .$VALUE ... - pattern-inside: | $ASSIGN = "$HTTP"+$REQ. ... .$VALUE + $...A ... - pattern-inside: | $ASSIGN = "$HTTP"+$REQ.$VALUE[...] ... - pattern-inside: | $ASSIGN = "$HTTP"+$REQ.$VALUE[...] + $...A ... - pattern-inside: | $ASSIGN = `$HTTP${$REQ.$VALUE[...]}...` ... - metavariable-regex: metavariable: $HTTP regex: ^(https?:\/\/|//)$ - pattern-either: - pattern: $REQUEST.$METHOD($ASSIGN,...) - pattern: $REQUEST.$METHOD($ASSIGN + $...FOO,...) - pattern: $REQUEST.$METHOD(`${$ASSIGN}...`,...) - patterns: - pattern-either: - pattern: $REQUEST.$METHOD("$HTTP"+$ASSIGN,...) - pattern: $REQUEST.$METHOD("$HTTP"+$ASSIGN + $...A,...) - pattern: $REQUEST.$METHOD(`$HTTP${$ASSIGN}...`,...) - metavariable-regex: metavariable: $HTTP regex: ^(https?:\/\/|//)$ - pattern: $ASSIGN - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|patch|del|head|delete)$ - id: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization message: The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from(). options: interfile: true metadata: interfile: true technology: - express category: security cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html source_rule_url: - https://github.com/ajinabraham/njsscan/blob/75bfbeb9c8d72999e4d527dfa2548f7f0f3cc48a/njsscan/rules/semantic_grep/eval/eval_deserialize.yaml owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization shortlink: https://sg.run/8W5j semgrep.dev: rule: r_id: 22084 rv_id: 1263145 rule_id: 9AUyqj version_id: gETB7nD url: https://semgrep.dev/playground/r/gETB7nD/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - pattern: $REQ.files.$ANYTHING.data.toString('utf8') - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body - pattern: files.$ANYTHING.data.toString('utf8') - pattern: files.$ANYTHING['data'].toString('utf8') pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $SER = require('$IMPORT') ... - pattern-inside: | import $SER from '$IMPORT' ... - pattern-inside: | import * as $SER from '$IMPORT' ... - metavariable-regex: metavariable: $IMPORT regex: ^(node-serialize|serialize-to-js)$ - pattern: $SER.$FUNC(...) - metavariable-regex: metavariable: $FUNC regex: ^(unserialize|deserialize)$ - id: javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event message: Xml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities metadata: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' category: security technology: - express references: - https://www.npmjs.com/package/xml2json cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event shortlink: https://sg.run/x1AA semgrep.dev: rule: r_id: 9274 rv_id: 1263146 rule_id: 8GUjkk version_id: QkTGqgo url: https://semgrep.dev/playground/r/QkTGqgo/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('xml2json'); ... - pattern-inside: | import 'xml2json'; ... - pattern: $REQ.on('...', function(...) { ... $EXPAT.toJson($INPUT,...); ... }) - focus-metavariable: $INPUT - id: javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect message: It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect. metadata: owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation version: '4' category: security technology: - express subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect shortlink: https://sg.run/OPv2 semgrep.dev: rule: r_id: 9275 rv_id: 1263147 rule_id: gxU12X version_id: 3ZT4Xev url: https://semgrep.dev/playground/r/3ZT4Xev/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern-inside: | $UNK = query.$B; ... - pattern-inside: | $UNK = $A.query.$B; ... - pattern-inside: | $UNK = req.$SOMETHING; ... - pattern: $RES.redirect(..., <... $UNK ...>, ...) - id: javascript.express.security.audit.remote-property-injection.remote-property-injection message: Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties. metadata: confidence: LOW owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-522: Insufficiently Protected Credentials' category: security technology: - express references: - https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection shortlink: https://sg.run/Z4gn semgrep.dev: rule: r_id: 13579 rv_id: 1263148 rule_id: JDUL1B version_id: 44TEjGX url: https://semgrep.dev/playground/r/44TEjGX/javascript.express.security.audit.remote-property-injection.remote-property-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-inside: $OBJ[...] = ... - pattern-not-inside: $OBJ["..."] = ... - pattern-not-inside: $OBJ[...] = "..." - pattern: $INDEX - pattern-not: | "..." + $INDEX - pattern-not: | $INDEX + "..." pattern-sanitizers: - patterns: - pattern: var $X = ... - pattern-not: var $X = $REQ.$ANY - id: javascript.express.security.audit.xss.direct-response-write.direct-response-write message: Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. options: interfile: true metadata: interfile: true references: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM vulnerability_class: - Cross-Site-Scripting (XSS) license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write shortlink: https://sg.run/vzGl semgrep.dev: rule: r_id: 9277 rv_id: 1263150 rule_id: 3qUPA1 version_id: JdTzxeg url: https://semgrep.dev/playground/r/JdTzxeg/javascript.express.security.audit.xss.direct-response-write.direct-response-write origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options) - pattern-not-inside: | function ... ($REQ, $RES) { ... $RES.$SET('Content-Type', '$TYPE') } - pattern-not-inside: | $APP.$METHOD(..., function $FUNC($REQ, $RES) { ... $RES.$SET('Content-Type', '$TYPE') }) - pattern-not-inside: | function ... ($REQ, $RES, $NEXT) { ... $RES.$SET('Content-Type', '$TYPE') } - pattern-not-inside: | function ... ($REQ, $RES) { ... $RES.set('$TYPE') } - pattern-not-inside: | $APP.$METHOD(..., function $FUNC($REQ, $RES) { ... $RES.set('$TYPE') }) - pattern-not-inside: | function ... ($REQ, $RES, $NEXT) { ... $RES.set('$TYPE') } - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - pattern-not-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => { ... $RES.$SET('Content-Type', '$TYPE') } - pattern-not-inside: | ({ $REQ }: Request,$RES: Response) => { ... $RES.$SET('Content-Type', '$TYPE') } - pattern-not-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => { ... $RES.set('$TYPE') } - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: body pattern-sinks: - patterns: - pattern-inside: function ... (..., $RES,...) {...} - pattern-either: - pattern: $RES.write($ARG) - pattern: $RES.send($ARG) - pattern-not: $RES. ... .set('...'). ... .send($ARG) - pattern-not: $RES. ... .type('...'). ... .send($ARG) - pattern-not-inside: $RES.$METHOD({ ... }) - focus-metavariable: $ARG pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | import * as $S from "underscore.string" ... - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | $S = require("underscore.string") ... - pattern-either: - pattern: $S.escapeHTML(...) - patterns: - pattern-either: - pattern-inside: | import $S from "dompurify" ... - pattern-inside: | import { ..., $S,... } from "dompurify" ... - pattern-inside: | import * as $S from "dompurify" ... - pattern-inside: | $S = require("dompurify") ... - pattern-inside: | import $S from "isomorphic-dompurify" ... - pattern-inside: | import * as $S from "isomorphic-dompurify" ... - pattern-inside: | $S = require("isomorphic-dompurify") ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $S(...) ... - pattern: $VALUE.sanitize(...) - patterns: - pattern-inside: | $VALUE = $S.sanitize ... - pattern: $S(...) - pattern: $S.sanitize(...) - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'xss'; ... - pattern-inside: | import * as $S from 'xss'; ... - pattern-inside: | $S = require("xss") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'sanitize-html'; ... - pattern-inside: | import * as $S from "sanitize-html"; ... - pattern-inside: | $S = require("sanitize-html") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | $S = new Remarkable() ... - pattern: $S.render(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'express-xss-sanitizer'; ... - pattern-inside: | import * as $S from "express-xss-sanitizer"; ... - pattern-inside: | const { ..., $S, ... } = require('express-xss-sanitizer'); ... - pattern-inside: | var { ..., $S, ... } = require('express-xss-sanitizer'); ... - pattern-inside: | let { ...,$S,... } = require('express-xss-sanitizer'); ... - pattern-inside: | $S = require("express-xss-sanitizer") ... - pattern: $S(...) - patterns: - pattern: $RES. ... .type('$F'). ... .send(...) - metavariable-regex: metavariable: $F regex: (?!.*text/html) - patterns: - pattern-inside: | $X = [...]; ... - pattern: | if(<... !$X.includes($SOURCE)...>) { ... return ... } ... - pattern: $SOURCE - id: javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape message: Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/ category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape shortlink: https://sg.run/dKXQ semgrep.dev: rule: r_id: 9278 rv_id: 1263151 rule_id: 4bUkPO version_id: 5PTo13n url: https://semgrep.dev/playground/r/5PTo13n/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape origin: community languages: - regex severity: WARNING paths: include: - '*.ejs' - '*.html' pattern-regex: <%-((?!include).)*?%> fix-regex: regex: <%-(.*?)%> replacement: <%=\1%> - id: javascript.express.security.audit.xss.ejs.var-in-href.var-in-href message: 'Detected a template variable used in an anchor tag with the ''href'' attribute. This allows a malicious actor to input the ''javascript:'' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href=''/<%= link %>''. You may also consider setting the Content Security Policy (CSP) header.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI - https://github.com/pugjs/pug/issues/2952 category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href shortlink: https://sg.run/Zv0p semgrep.dev: rule: r_id: 9279 rv_id: 1263152 rule_id: PeUZrg version_id: GxTkeWL url: https://semgrep.dev/playground/r/GxTkeWL/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href origin: community languages: - regex severity: WARNING paths: include: - '*.ejs' - '*.html' pattern-regex: ]*?[^\/&=]<%.*?%>.*?> - id: javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src message: Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough - https://github.com/ESAPI/owasp-esapi-js category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src shortlink: https://sg.run/ndxZ semgrep.dev: rule: r_id: 9280 rv_id: 1263153 rule_id: JDUyrJ version_id: RGT0LwD url: https://semgrep.dev/playground/r/RGT0LwD/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src origin: community languages: - generic severity: WARNING patterns: - pattern-inside: - pattern-not-inside: - pattern: '{{ ... }}' paths: include: - '*.mustache' - '*.hbs' - '*.html' - id: javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes message: Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://pugjs.org/language/attributes.html#attributes category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes shortlink: https://sg.run/Q5jk semgrep.dev: rule: r_id: 9286 rv_id: 1263158 rule_id: DbUpyq version_id: 0bTKz6J url: https://semgrep.dev/playground/r/0bTKz6J/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes origin: community languages: - regex severity: WARNING paths: include: - '*.pug' pattern-regex: .*&attributes.* - id: javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape message: Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://pugjs.org/language/code.html#unescaped-buffered-code - https://pugjs.org/language/attributes.html#unescaped-attributes category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape shortlink: https://sg.run/3xbe semgrep.dev: rule: r_id: 9287 rv_id: 1263159 rule_id: WAUonl version_id: K3TKkO7 url: https://semgrep.dev/playground/r/K3TKkO7/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape origin: community languages: - regex severity: WARNING paths: include: - '*.pug' pattern-either: - pattern-regex: \w.*(!=)[^=].* - pattern-regex: '!{.*?}' - id: javascript.express.security.cors-misconfiguration.cors-misconfiguration message: By letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings. metadata: owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-346: Origin Validation Error' category: security references: - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS technology: - express subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/javascript.express.security.cors-misconfiguration.cors-misconfiguration shortlink: https://sg.run/nKXO semgrep.dev: rule: r_id: 13580 rv_id: 1263162 rule_id: 5rULJQ version_id: YDTZe8Y url: https://semgrep.dev/playground/r/YDTZe8Y/javascript.express.security.cors-misconfiguration.cors-misconfiguration origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern: $RES.set($HEADER, $X) - pattern: $RES.header($HEADER, $X) - pattern: $RES.setHeader($HEADER, $X) - pattern: | $RES.set({$HEADER: $X}, ...) - pattern: | $RES.writeHead($STATUS, {$HEADER: $X}, ...) - focus-metavariable: $X - metavariable-regex: metavariable: $HEADER regex: .*(Access-Control-Allow-Origin|access-control-allow-origin).* - id: javascript.express.security.express-data-exfiltration.express-data-exfiltration message: Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability. metadata: owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' references: - https://en.wikipedia.org/wiki/Mass_assignment_vulnerability - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html category: security technology: - express subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration shortlink: https://sg.run/pkpL semgrep.dev: rule: r_id: 12818 rv_id: 1263163 rule_id: ReUo60 version_id: 6xT290x url: https://semgrep.dev/playground/r/6xT290x/javascript.express.security.express-data-exfiltration.express-data-exfiltration origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - pattern: Object.assign(...) - id: javascript.express.security.express-expat-xxe.express-expat-xxe message: Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities. options: interfile: true metadata: interfile: true owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://github.com/astro/node-expat category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe shortlink: https://sg.run/BkXx semgrep.dev: rule: r_id: 9251 rv_id: 1263164 rule_id: zdUkJl version_id: o5TbD5l url: https://semgrep.dev/playground/r/o5TbD5l/javascript.express.security.express-expat-xxe.express-expat-xxe origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $XML = require('node-expat') ... - pattern-inside: | import $XML from 'node-expat' ... - pattern-inside: | import * as $XML from 'node-expat' ... - pattern-either: - pattern-inside: | $PARSER = new $XML.Parser(...); ... - pattern-either: - pattern: $PARSER.parse($QUERY) - pattern: $PARSER.write($QUERY) - focus-metavariable: $QUERY - id: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage message: User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability. options: interfile: true metadata: interfile: true category: security cwe: - 'CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine' owasp: - A03:2021 - Injection - A01:2017 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html technology: - javascript - typescript - express - pug - jade - dot - ejs - nunjucks - lodash - handlbars - mustache - hogan.js - eta - squirrelly source_rule_url: - https://github.com/github/codeql/blob/2ba2642c7ab29b9eedef33bcc2b8cd1d203d0c10/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage shortlink: https://sg.run/b49v semgrep.dev: rule: r_id: 19226 rv_id: 1263165 rule_id: EwUr9k version_id: zyTb2eD url: https://semgrep.dev/playground/r/zyTb2eD/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-propagators: - pattern: $MODEL.$FIND($E).then((...,$S,...)=>{...}) from: $E to: $S pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $PUG = require('pug') ... - pattern-inside: | import * as $PUG from 'pug' ... - pattern-inside: | $PUG = require('jade') ... - pattern-inside: | import * as $PUG from 'jade' ... - pattern-either: - pattern: $PUG.compile(...) - pattern: $PUG.compileClient(...) - pattern: $PUG.compileClientWithDependenciesTracked(...) - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('dot') ... - pattern-inside: | import * as $PUG from 'dot' ... - pattern-either: - pattern: $PUG.template(...) - pattern: $PUG.compile(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('ejs') ... - pattern-inside: | import * as $PUG from 'ejs' ... - pattern-either: - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('nunjucks') ... - pattern-inside: | import * as $PUG from 'nunjucks' ... - pattern-either: - pattern: $PUG.renderString(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('lodash') ... - pattern-inside: | import * as $PUG from 'lodash' ... - pattern-either: - pattern: $PUG.template(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('mustache') ... - pattern-inside: | import * as $PUG from 'mustache' ... - pattern-inside: | $PUG = require('eta') ... - pattern-inside: | import * as $PUG from 'eta' ... - pattern-inside: | $PUG = require('squirrelly') ... - pattern-inside: | import * as $PUG from 'squirrelly' ... - pattern-either: - pattern: $PUG.render(...) - patterns: - pattern-either: - pattern-inside: | $PUG = require('hogan.js') ... - pattern-inside: | import * as $PUG from 'hogan.js' ... - pattern-inside: | $PUG = require('handlebars') ... - pattern-inside: | import * as $PUG from 'handlebars' ... - pattern-either: - pattern: $PUG.compile(...) - id: ai.ai-best-practices.mcp-command-injection.mcp-command-injection.mcp-command-injection-python mode: taint languages: - python severity: ERROR message: User input from an MCP tool handler flows into a command execution sink without sanitization. An attacker could inject arbitrary OS commands via tool arguments. Use subprocess with a list of arguments (shell=False) or sanitize input with shlex.quote() before passing to shell commands. metadata: cwe: 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' category: security confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/ai.ai-best-practices.mcp-command-injection.mcp-command-injection.mcp-command-injection-python shortlink: https://sg.run/0gZn5 semgrep.dev: rule: r_id: 286754 rv_id: 1409351 rule_id: oqUyLzr version_id: qkTvAqD url: https://semgrep.dev/playground/r/qkTvAqD/ai.ai-best-practices.mcp-command-injection.mcp-command-injection.mcp-command-injection-python origin: community pattern-sources: - patterns: - pattern: | @$SERVER.tool() def $FUNC(..., $PARAM, ...): ... - focus-metavariable: $PARAM pattern-sinks: - patterns: - pattern: os.system($SINK) - focus-metavariable: $SINK - patterns: - pattern: subprocess.run($SINK, ..., shell=True, ...) - focus-metavariable: $SINK - patterns: - pattern: subprocess.call($SINK, ..., shell=True, ...) - focus-metavariable: $SINK - patterns: - pattern: subprocess.Popen($SINK, ..., shell=True, ...) - focus-metavariable: $SINK - patterns: - pattern: eval($SINK) - focus-metavariable: $SINK - patterns: - pattern: exec($SINK) - focus-metavariable: $SINK pattern-sanitizers: - pattern: shlex.quote(...) - id: java.lang.security.audit.crypto.weak-random.weak-random message: Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::randomness::java.security owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-330: Use of Insufficiently Random Values' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random shortlink: https://sg.run/NwBp semgrep.dev: rule: r_id: 17327 rv_id: 1263018 rule_id: lBUW5D version_id: 6xT29RK url: https://semgrep.dev/playground/r/6xT29RK/java.lang.security.audit.crypto.weak-random.weak-random origin: community pattern-either: - pattern: | new java.util.Random(...).$FUNC(...) - pattern: | java.lang.Math.random(...) - id: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key message: RSA keys should be at least 2048 bits based on NIST recommendation. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::key-length::java.security cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms category: security technology: - java subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key shortlink: https://sg.run/4x6x semgrep.dev: rule: r_id: 9200 rv_id: 1263019 rule_id: 0oU5P5 version_id: o5TbDLY url: https://semgrep.dev/playground/r/o5TbDLY/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key origin: community patterns: - pattern: | KeyPairGenerator $KEY = $G.getInstance("RSA"); ... $KEY.initialize($BITS); - metavariable-comparison: metavariable: $BITS comparison: $BITS < 2048 - id: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell patterns: - pattern-either: - pattern: | $SHELL.parse(...) - pattern: | $SHELL.evaluate(...) - pattern: | $SHELL.parseClass(...) - pattern-either: - pattern-inside: | groovy.lang.GroovyShell $SHELL = ...; ... - pattern-inside: | groovy.lang.GroovyClassLoader $SHELL = ...; ... - pattern-not: | $SHELL.parse("...",...) - pattern-not: | $SHELL.evaluate("...",...) - pattern-not: | $SHELL.parseClass("...",...) message: A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL category: security technology: - groovy references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell shortlink: https://sg.run/58LK semgrep.dev: rule: r_id: 10091 rv_id: 1263020 rule_id: ReUPKp version_id: zyTb2Nq url: https://semgrep.dev/playground/r/zyTb2Nq/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell origin: community languages: - java severity: WARNING - id: java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.5 Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - jdbc references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string shortlink: https://sg.run/dKWY semgrep.dev: rule: r_id: 9178 rv_id: 1263026 rule_id: PeUZNX version_id: 9lT4bqk url: https://semgrep.dev/playground/r/9lT4bqk/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string origin: community message: 'Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: ''jdbc.queryForObject("select * from table where name = ?", Integer.class, parameterName);''' patterns: - pattern-inside: | $JDBC = new JdbcTemplate(...); ... - pattern-either: - pattern: $JDBC.queryForObject($STR + $VAR, ...); - pattern: $JDBC.queryForObject(String.format(...), ...); - pattern: | String $Q = $STR + $VAR; ... $JDBC.queryForObject($Q, ...); - pattern: | String $Q = String.format(...); ... $JDBC.queryForObject($Q, ...); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.queryForObject($Q, ...); - pattern: $JDBC.queryForList($STR + $VAR); - pattern: $JDBC.queryForList(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.queryForList($Q); - pattern: | String $Q = String.format(...); ... $JDBC.queryForList($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.queryForList($Q, ...); - pattern: $JDBC.update($STR + $VAR); - pattern: $JDBC.update(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.update($Q); - pattern: | String $Q = String.format(...); ... $JDBC.update($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.update($Q, ...); - pattern: $JDBC.execute($STR + $VAR); - pattern: $JDBC.execute(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.execute($Q); - pattern: | String $Q = String.format(...); ... $JDBC.execute($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.execute($Q, ...); - pattern: $JDBC.insert($STR + $VAR); - pattern: $JDBC.insert(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.insert($Q); - pattern: | String $Q = String.format(...); ... $JDBC.insert($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.insert($Q, ...); severity: WARNING languages: - java - id: java.lang.security.audit.md5-used-as-password.md5-used-as-password languages: - java severity: WARNING message: It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")` or, if using Spring, `org.springframework.security.crypto.bcrypt`. metadata: category: security technology: - java - md5 references: - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html - https://github.com/returntocorp/semgrep-rules/issues/1609 - https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password shortlink: https://sg.run/JxEQ semgrep.dev: rule: r_id: 14690 rv_id: 1263029 rule_id: JDULAW version_id: bZT53QB url: https://semgrep.dev/playground/r/bZT53QB/java.lang.security.audit.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: - patterns: - pattern-inside: | $TYPE $MD = MessageDigest.getInstance("MD5"); ... - pattern: $MD.digest(...); pattern-sinks: - patterns: - pattern: $MODEL.$METHOD(...); - metavariable-regex: metavariable: $METHOD regex: (?i)(.*password.*) - id: java.lang.security.audit.object-deserialization.object-deserialization metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION references: - https://www.owasp.org/index.php/Deserialization_of_untrusted_data - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8 category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization shortlink: https://sg.run/Ek0A semgrep.dev: rule: r_id: 9181 rv_id: 1263030 rule_id: GdU7py version_id: NdTzyGe url: https://semgrep.dev/playground/r/NdTzyGe/java.lang.security.audit.object-deserialization.object-deserialization origin: community message: Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object. severity: WARNING languages: - java pattern: new ObjectInputStream(...); - id: java.lang.security.audit.ognl-injection.ognl-injection message: A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION category: security technology: - ognl references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection shortlink: https://sg.run/7o7R semgrep.dev: rule: r_id: 9182 rv_id: 1263031 rule_id: ReUgjJ version_id: kbTzG3Y url: https://semgrep.dev/playground/r/kbTzG3Y/java.lang.security.audit.ognl-injection.ognl-injection origin: community severity: WARNING languages: - java patterns: - pattern-either: - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.getGetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.getSetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.getField($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlReflectionProvider $P,...) { ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.getGetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.getSetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.getField($T, $INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...,ReflectionProvider $P,...) { ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...,TextParseUtil $P,...) { ... $P.translateVariables($INPUT,...); ... } - pattern: | $X $METHOD(...,TextParseUtil $P,...) { ... $P.translateVariablesCollection($INPUT,...); ... } - pattern: | $X $METHOD(...,TextParseUtil $P,...) { ... $P.shallBeIncluded($INPUT,...); ... } - pattern: | $X $METHOD(...,TextParseUtil $P,...) { ... $P.commaDelimitedStringToSet($INPUT,...); ... } - pattern: | $X $METHOD(...,TextParser $P,...) { ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlTextParser $P,...) { ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.callMethod($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlUtil $P,...) { ... $P.compile($INPUT,...); ... } - pattern: | $X $METHOD(...,VelocityStrutsUtil $P,...) { ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.isTrue($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.findString($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.getText($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.translateVariables($INPUT,...); ... } - pattern: | $X $METHOD(...,StrutsUtil $P,...) { ... $P.makeSelectList($INPUT,...); ... } - pattern: | $X $METHOD(...,OgnlTool $P,...) { ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...,ValueStack $P,...) { ... $P.findString($INPUT,...); ... } - pattern: | $X $METHOD(...,ValueStack $P,...) { ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...,ValueStack $P,...) { ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...,ValueStack $P,...) { ... $P.setParameter($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.getGetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.getSetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.getField($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlReflectionProvider $P = ...; ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.getGetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.getSetMethod($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.getField($T, $INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ReflectionProvider $P = ...; ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... TextParseUtil $P = ...; ... $P.translateVariables($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... TextParseUtil $P = ...; ... $P.translateVariablesCollection($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... TextParseUtil $P = ...; ... $P.shallBeIncluded($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... TextParseUtil $P = ...; ... $P.commaDelimitedStringToSet($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... TextParser $P = ...; ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlTextParser $P = ...; ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.setProperties($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.setProperty($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.getValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.callMethod($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlUtil $P = ...; ... $P.compile($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... VelocityStrutsUtil $P = ...; ... $P.evaluate($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.isTrue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.findString($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.getText($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.translateVariables($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... StrutsUtil $P = ...; ... $P.makeSelectList($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... OgnlTool $P = ...; ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ValueStack $P = ...; ... $P.findString($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ValueStack $P = ...; ... $P.findValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ValueStack $P = ...; ... $P.setValue($INPUT,...); ... } - pattern: | $X $METHOD(...) { ... ValueStack $P = ...; ... $P.setParameter($INPUT,...); ... } - pattern-not: | $X $METHOD(...) { ... $P.getGetMethod($T,"...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.getSetMethod($T,"...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.getField($T,"...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.setProperties("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.setProperty("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.getValue("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.setValue("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.translateVariables("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.translateVariablesCollection("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.shallBeIncluded("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.commaDelimitedStringToSet("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.evaluate("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.callMethod("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.compile("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.isTrue("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.findString("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.findValue("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.getText("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.makeSelectList("...",...); ... } - pattern-not: | $X $METHOD(...) { ... $P.setParameter("...",...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.getGetMethod($T,$S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.getSetMethod($T,$S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.getField($T,$S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.setProperties($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.setProperty($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.getValue($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.setValue($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.translateVariables($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.translateVariablesCollection($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.shallBeIncluded($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.commaDelimitedStringToSet($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.evaluate($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.callMethod($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.compile($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.isTrue($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.findString($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.findValue($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.getText($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.makeSelectList($S,...); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $P.setParameter($S,...); ... } - id: java.lang.security.audit.script-engine-injection.script-engine-injection message: Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection shortlink: https://sg.run/gLqn semgrep.dev: rule: r_id: 9185 rv_id: 1263034 rule_id: DbUpAr version_id: O9TpxEp url: https://semgrep.dev/playground/r/O9TpxEp/java.lang.security.audit.script-engine-injection.script-engine-injection origin: community severity: WARNING languages: - java patterns: - pattern-either: - pattern-inside: | class $CLASS { ... ScriptEngine $SE; ... } - pattern-inside: | class $CLASS { ... ScriptEngine $SE = ...; ... } - pattern-inside: | $X $METHOD(...) { ... ScriptEngine $SE = ...; ... } - pattern: | $X $METHOD(...) { ... $SE.eval(...); ... } - pattern-not: | $X $METHOD(...) { ... $SE.eval("..."); ... } - pattern-not: | $X $METHOD(...) { ... String $S = "..."; ... $SE.eval($S); ... } - id: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $VAL $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($SQL,...) - pattern: org.hibernate.criterion.Restrictions.sqlRestriction(String.format(...),...) - patterns: - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($X + $Y,...) - pattern-not: org.hibernate.criterion.Restrictions.sqlRestriction("..." + "...",...) - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $TYPE $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $SESSION.$METHOD($SQL,...) - pattern: | $SESSION.$METHOD(String.format(...),...); - pattern: | $SESSION.$METHOD($X + $Y,...); - pattern-either: - pattern-inside: | org.hibernate.Session $SESSION = ...; ... - pattern-inside: | $TYPE $FUNC(...,org.hibernate.Session $SESSION,...) { ... } - pattern-not: | $SESSION.$METHOD("..." + "...",...); - metavariable-regex: metavariable: $METHOD regex: ^(createQuery|createSQLQuery)$ message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE asvs: section: V5 Stored Cryptography Verification Requirements control_id: 5.3.5 Insecure Custom Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - hibernate owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli shortlink: https://sg.run/Roqg semgrep.dev: rule: r_id: 9205 rv_id: 1263035 rule_id: 6JUjPD version_id: e1Tyjbe url: https://semgrep.dev/playground/r/e1Tyjbe/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli origin: community languages: - java severity: WARNING - id: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli pattern-either: - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $VAL $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $PEER.executeQuery($SQL,...) - pattern: | $PEER.executeQuery(String.format(...),...) - pattern: | $PEER.executeQuery($X + $Y,...) - pattern-not: | $PEER.executeQuery("..." + "...",...) - metavariable-regex: metavariable: $PEER regex: (BasePeer|GroupPeer) - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $VAL $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $P.executeQuery($SQL,...) - pattern: | $P.executeQuery(String.format(...),...) - pattern: | $P.executeQuery($X + $Y,...) - pattern-either: - pattern-inside: | BasePeer $P = ...; ... - pattern-inside: | GroupPeer $P = ...; ... - pattern-inside: | $VAL $FUNC(...,GroupPeer $P,...) { ... } - pattern-inside: | $VAL $FUNC(...,BasePeer $P,...) { ... } - pattern-not: | $P.executeQuery("..." + "...",...) message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - turbine owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli shortlink: https://sg.run/W8zL semgrep.dev: rule: r_id: 9209 rv_id: 1263040 rule_id: 2ZUbJ3 version_id: ExTExvY url: https://semgrep.dev/playground/r/ExTExvY/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli origin: community - id: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'. languages: - java severity: WARNING patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | String $SQL = $X + $Y; ... - pattern-inside: | String $SQL = String.format(...); ... - pattern-inside: | $TYPE $FUNC(...,String $SQL,...) { ... } - pattern-not-inside: | String $SQL = "..." + "..."; ... - pattern: $SC.$METHOD($SQL,...) - pattern: | $SC.$METHOD(String.format(...),...); - pattern: | $SC.$METHOD($X + $Y,...); - pattern-either: - pattern-inside: | SqlClient $SC = ...; ... - pattern-inside: | SqlConnection $SC = ...; ... - pattern-inside: | $TYPE $FUNC(...,SqlClient $SC,...) { ... } - pattern-inside: | $TYPE $FUNC(...,SqlConnection $SC,...) { ... } - pattern-not: | $SC.$METHOD("..." + "...",...); - metavariable-regex: metavariable: $METHOD regex: ^(query|preparedQuery|prepare)$ metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - vertx owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli shortlink: https://sg.run/0QKB semgrep.dev: rule: r_id: 9210 rv_id: 1263041 rule_id: X5U86z version_id: 7ZTE3Z5 url: https://semgrep.dev/playground/r/7ZTE3Z5/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli origin: community - id: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization message: Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`. metadata: category: security technology: - javascript - typescript owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://www.npmjs.com/package/dompurify - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization shortlink: https://sg.run/AzoB semgrep.dev: rule: r_id: 22550 rv_id: 1263104 rule_id: kxUYE9 version_id: l4TJR1L url: https://semgrep.dev/playground/r/l4TJR1L/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization origin: community languages: - javascript - typescript severity: INFO patterns: - pattern-either: - pattern: $STR.$FUNC('<', '<') - pattern: $STR.$FUNC('>', '>') - pattern: $STR.$FUNC('"', '"') - pattern: $STR.$FUNC("'", ''') - pattern: $STR.$FUNC('&', '&') - metavariable-regex: metavariable: $FUNC regex: (replace|replaceAll) - id: javascript.aws-lambda.security.detect-child-process.detect-child-process message: Allowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - javascript - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.detect-child-process.detect-child-process shortlink: https://sg.run/Ggoq semgrep.dev: rule: r_id: 18248 rv_id: 1263105 rule_id: r6UDNQ version_id: YDTZe4o url: https://semgrep.dev/playground/r/YDTZe4o/javascript.aws-lambda.security.detect-child-process.detect-child-process origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern: $EVENT - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: exec($CMD,...) - pattern: execSync($CMD,...) - pattern: spawn($CMD,...) - pattern: spawnSync($CMD,...) - pattern: $CP.exec($CMD,...) - pattern: $CP.execSync($CMD,...) - pattern: $CP.spawn($CMD,...) - pattern: $CP.spawnSync($CMD,...) - pattern-either: - pattern-inside: | require('child_process') ... - pattern-inside: | import 'child_process' ... - id: javascript.aws-lambda.security.knex-sqli.knex-sqli message: 'Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw(''SELECT $1 from table'', [userinput])`' metadata: references: - https://knexjs.org/#Builder-fromRaw - https://knexjs.org/#Builder-whereRaw category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - knex cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli shortlink: https://sg.run/RgWq semgrep.dev: rule: r_id: 18249 rv_id: 1263106 rule_id: bwUBlj version_id: JdTzxKg url: https://semgrep.dev/playground/r/JdTzxKg/javascript.aws-lambda.security.knex-sqli.knex-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $KNEX.fromRaw($QUERY, ...) - pattern: $KNEX.whereRaw($QUERY, ...) - pattern: $KNEX.raw($QUERY, ...) - pattern-either: - pattern-inside: | require('knex') ... - pattern-inside: | import 'knex' ... - id: javascript.aws-lambda.security.mysql-sqli.mysql-sqli message: 'Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(''SELECT $1 from table'', [userinput])`' metadata: references: - https://www.npmjs.com/package/mysql2 category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - mysql - mysql2 cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.mysql-sqli.mysql-sqli shortlink: https://sg.run/A502 semgrep.dev: rule: r_id: 18250 rv_id: 1263107 rule_id: NbUBJ2 version_id: 5PTo1En url: https://semgrep.dev/playground/r/5PTo1En/javascript.aws-lambda.security.mysql-sqli.mysql-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $POOL.query($QUERY, ...) - pattern: $POOL.execute($QUERY, ...) - pattern-either: - pattern-inside: | require('mysql') ... - pattern-inside: | require('mysql2') ... - pattern-inside: | require('mysql2/promise') ... - pattern-inside: | import 'mysql' ... - pattern-inside: | import 'mysql2' ... - pattern-inside: | import 'mysql2/promise' ... - id: javascript.aws-lambda.security.pg-sqli.pg-sqli message: 'Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query(''SELECT $1 from table'', [userinput])`' metadata: references: - https://node-postgres.com/features/queries category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - postgres - pg cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli shortlink: https://sg.run/BGKA semgrep.dev: rule: r_id: 18251 rv_id: 1263108 rule_id: kxU25P version_id: GxTkeJL url: https://semgrep.dev/playground/r/GxTkeJL/javascript.aws-lambda.security.pg-sqli.pg-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $DB.query($QUERY, ...) - pattern-either: - pattern-inside: | require('pg') ... - pattern-inside: | import 'pg' ... - id: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli message: 'Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query(''SELECT * FROM projects WHERE status = ?'', { replacements: [''active''], type: QueryTypes.SELECT });`' metadata: references: - https://sequelize.org/master/manual/raw-queries.html category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - sequelize cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli shortlink: https://sg.run/DAlP semgrep.dev: rule: r_id: 18252 rv_id: 1263109 rule_id: wdUA5o version_id: RGT0LrD url: https://semgrep.dev/playground/r/RGT0LrD/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $DB.query($QUERY, ...) - pattern-either: - pattern-inside: | require('sequelize') ... - pattern-inside: | import 'sequelize' ... - id: javascript.aws-lambda.security.tainted-eval.tainted-eval message: The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - javascript - aws-lambda subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval shortlink: https://sg.run/WjY2 semgrep.dev: rule: r_id: 18253 rv_id: 1263110 rule_id: x8UNw5 version_id: A8TgdLk url: https://semgrep.dev/playground/r/A8TgdLk/javascript.aws-lambda.security.tainted-eval.tainted-eval origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern: $EVENT - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC pattern-sinks: - patterns: - focus-metavariable: $CODE - pattern-either: - pattern: eval($CODE) - pattern: Function(...,$CODE) - pattern: new Function(...,$CODE) - id: javascript.aws-lambda.security.tainted-html-response.tainted-html-response message: Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-response.tainted-html-response shortlink: https://sg.run/0Gvj semgrep.dev: rule: r_id: 18254 rv_id: 1263111 rule_id: OrUJBY version_id: BjTkZ8D url: https://semgrep.dev/playground/r/BjTkZ8D/javascript.aws-lambda.security.tainted-html-response.tainted-html-response origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - focus-metavariable: $BODY - pattern-inside: | {..., headers: {..., 'Content-Type': 'text/html', ...}, body: $BODY, ... } - id: javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. metadata: references: - https://owasp.org/www-community/attacks/SQL_Injection category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/KgJ5 semgrep.dev: rule: r_id: 18255 rv_id: 1263113 rule_id: eqUDqW version_id: WrTqKjZ url: https://semgrep.dev/playground/r/WrTqKjZ/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: | "$SQLSTR" + $EXPR - pattern: | "$SQLSTR".concat(...) - pattern: util.format($SQLSTR, ...) - metavariable-regex: metavariable: $SQLSTR regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* - patterns: - pattern: | `...${...}...` - pattern-regex: | .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* - pattern-not-inside: | console.$LOG(...) - id: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection message: The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security technology: - javascript - aws-lambda cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection shortlink: https://sg.run/q9w7 semgrep.dev: rule: r_id: 18256 rv_id: 1263114 rule_id: v8UOdZ version_id: 0bTKz9J url: https://semgrep.dev/playground/r/0bTKz9J/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern: $EVENT - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('vm'); ... - pattern-inside: | import 'vm' ... - pattern-either: - pattern: $VM.runInContext($X,...) - pattern: $VM.runInNewContext($X,...) - pattern: $VM.runInThisContext($X,...) - pattern: $VM.compileFunction($X,...) - pattern: new $VM.Script($X,...) - pattern: new $VM.SourceTextModule($X,...) - pattern: runInContext($X,...) - pattern: runInNewContext($X,...) - pattern: runInThisContext($X,...) - pattern: compileFunction($X,...) - pattern: new Script($X,...) - pattern: new SourceTextModule($X,...) - id: javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods message: Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize. metadata: confidence: LOW references: - https://docs.angularjs.org/api/ng/function/angular.element - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' technology: - angularjs owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods shortlink: https://sg.run/ydnO semgrep.dev: rule: r_id: 9224 rv_id: 1263090 rule_id: d8Ujdo version_id: 3ZT4Xbz url: https://semgrep.dev/playground/r/3ZT4Xbz/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods origin: community languages: - javascript - typescript severity: INFO mode: taint pattern-sources: - patterns: - pattern-either: - patterns: - pattern-inside: | function(..., $SCOPE, ...) { ... } - focus-metavariable: $SCOPE - metavariable-regex: metavariable: $SCOPE regex: ^\$scope$ - pattern: $rootScope - pattern: $injector.get('$rootScope') - pattern: $injector.get('$scope') pattern-sinks: - patterns: - pattern-either: - pattern-inside: | angular.element(...). ... .$SINK($QUERY) - pattern-inside: | $ANGULAR = angular.element(...) ... $ANGULAR. ... .$SINK($QUERY) - metavariable-regex: metavariable: $SINK regex: ^(after|append|html|prepend|replaceWith|wrap)$ - focus-metavariable: $QUERY pattern-sanitizers: - patterns: - pattern-either: - pattern: $sce.getTrustedHtml(...) - pattern: $sanitize(...) - pattern: DOMPurify.sanitize(...) - id: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint message: Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize. metadata: confidence: MEDIUM cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://docs.angularjs.org/api/ng/function/angular.element - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angularjs owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint shortlink: https://sg.run/5AQ0 semgrep.dev: rule: r_id: 21503 rv_id: 1263091 rule_id: GdUP71 version_id: 44TEj8L url: https://semgrep.dev/playground/r/44TEj8L/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern: window.location.search - pattern: window.document.location.search - pattern: document.location.search - pattern: location.search - pattern: $location.search(...) - patterns: - pattern-either: - pattern: $DECODE(<... location.hash ...>) - pattern: $DECODE(<... window.location.hash ...>) - pattern: $DECODE(<... document.location.hash ...>) - pattern: $DECODE(<... location.href ...>) - pattern: $DECODE(<... window.location.href ...>) - pattern: $DECODE(<... document.location.href ...>) - pattern: $DECODE(<... document.URL ...>) - pattern: $DECODE(<... window.document.URL ...>) - pattern: $DECODE(<... document.location.href ...>) - pattern: $DECODE(<... document.location.href ...>) - pattern: $DECODE(<... $location.absUrl() ...>) - pattern: $DECODE(<... $location.url() ...>) - pattern: $DECODE(<... $location.hash() ...>) - metavariable-regex: metavariable: $DECODE regex: ^(unescape|decodeURI|decodeURIComponent)$ - patterns: - pattern-inside: $http.$METHOD(...).$CONTINUE(function $FUNC($RES) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|delete|head|jsonp|post|put|patch) - pattern: $RES.data pattern-sinks: - patterns: - pattern-either: - pattern-inside: | angular.element(...). ... .$SINK($QUERY) - pattern-inside: | $ANGULAR = angular.element(...) ... $ANGULAR. ... .$SINK($QUERY) - metavariable-regex: metavariable: $SINK regex: ^(after|append|html|prepend|replaceWith|wrap)$ - focus-metavariable: $QUERY pattern-sanitizers: - patterns: - pattern-either: - pattern: $sce.getTrustedHtml(...) - pattern: $sanitize(...) - pattern: DOMPurify.sanitize(...) - id: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect message: Use of $window.location.href can lead to open-redirect if user input is used for redirection. metadata: asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation version: '4' references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' technology: - angular owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect shortlink: https://sg.run/rdn1 semgrep.dev: rule: r_id: 9225 rv_id: 1263092 rule_id: ZqU5Yn version_id: PkTR3b9 url: https://semgrep.dev/playground/r/PkTR3b9/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern: | $window.location.href = ... - pattern-not: | $window.location.href = "..." - id: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading message: $sceDelegateProvider allowlisting can introduce security issues if wildcards are used. metadata: references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' technology: - angular owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading shortlink: https://sg.run/b7kd semgrep.dev: rule: r_id: 9226 rv_id: 1263093 rule_id: nJUzgX version_id: JdTzxKb url: https://semgrep.dev/playground/r/JdTzxKb/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading origin: community languages: - javascript - typescript severity: WARNING pattern-either: - pattern: | $sceDelegateProvider.resourceUrlWhitelist([...,'**',...]); - patterns: - pattern: | $sceDelegateProvider.resourceUrlWhitelist([...,$DOM,...]); - metavariable-regex: metavariable: $DOM regex: ^'.*\*\*.+'$ - id: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled message: $sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://docs.angularjs.org/api/ng/service/$sce - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled shortlink: https://sg.run/N4DG semgrep.dev: rule: r_id: 9227 rv_id: 1263094 rule_id: EwU20Z version_id: 5PTo1EW url: https://semgrep.dev/playground/r/5PTo1EW/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled origin: community languages: - javascript - typescript severity: ERROR pattern: | $sceProvider.enabled(false); - id: javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method message: The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsCss - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method shortlink: https://sg.run/kXgo semgrep.dev: rule: r_id: 9228 rv_id: 1263095 rule_id: 7KUQ4k version_id: GxTkeB1 url: https://semgrep.dev/playground/r/GxTkeB1/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $SOURCE = $scope.$INPUT; $sce.trustAsCss($SOURCE); - pattern: | $sce.trustAsCss($scope.$INPUT); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method message: The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method shortlink: https://sg.run/wenn semgrep.dev: rule: r_id: 9229 rv_id: 1263096 rule_id: L1Uy88 version_id: RGT0L9j url: https://semgrep.dev/playground/r/RGT0L9j/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $SOURCE = $scope.$INPUT; $sce.trustAsHtml($SOURCE); - pattern: | $sce.trustAsHtml($scope.$INPUT); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method message: The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API. metadata: references: - https://docs.angularjs.org/api/ng/service/$sce - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' technology: - angular owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method shortlink: https://sg.run/OPW2 semgrep.dev: rule: r_id: 9231 rv_id: 1263098 rule_id: gxU1QX version_id: BjTkZv0 url: https://semgrep.dev/playground/r/BjTkZv0/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: | app.controller(..., function($scope,$sce) { ... }); - pattern: $scope.$X pattern-sinks: - pattern: $sce.trustAs(...) - pattern: $sce.trustAsHtml(...) - id: javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method message: The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsResourceUrl - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method shortlink: https://sg.run/eLOd semgrep.dev: rule: r_id: 9232 rv_id: 1263099 rule_id: QrUzeq version_id: DkTRb7y url: https://semgrep.dev/playground/r/DkTRb7y/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $SOURCE = $scope.$INPUT; $sce.trustAsResourceUrl($SOURCE); - pattern: | $sce.trustAsResourceUrl($scope.$INPUT); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method message: The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method shortlink: https://sg.run/vznl semgrep.dev: rule: r_id: 9233 rv_id: 1263100 rule_id: 3qUP01 version_id: WrTqKJK url: https://semgrep.dev/playground/r/WrTqKJK/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $SOURCE = $scope.$INPUT; $sce.trustAsUrl($SOURCE); - pattern: | $sce.trustAsUrl($scope.$INPUT); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method message: The use of $translateProvider.translations method can be dangerous if user input is provided to this API. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf category: security technology: - angular - typescript owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method shortlink: https://sg.run/ZvXp semgrep.dev: rule: r_id: 9235 rv_id: 1263101 rule_id: PeUZPg version_id: 0bTKzqX url: https://semgrep.dev/playground/r/0bTKzqX/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method origin: community languages: - javascript severity: WARNING patterns: - pattern: | $translateProvider.translations(...,$SOURCE); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config message: Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment. metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html - https://eprint.iacr.org/2016/759.pdf - https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf - https://datatracker.ietf.org/doc/html/rfc9106#section-4 category: security cwe: - 'CWE-916: Use of Password Hash With Insufficient Computational Effort' technology: - argon2 - cryptography owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln impact: LOW likelihood: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config shortlink: https://sg.run/ALq4 semgrep.dev: rule: r_id: 20150 rv_id: 1263103 rule_id: DbU2X8 version_id: qkTR7Jk url: https://semgrep.dev/playground/r/qkTR7Jk/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: | $ARGON = require('argon2'); ... - pattern: | {type: ...} pattern-sinks: - patterns: - pattern: | $Y - pattern-inside: | $ARGON.hash(...,$Y) pattern-sanitizers: - patterns: - pattern: '{type: $ARGON.argon2id}' - id: javascript.jquery.security.audit.prohibit-jquery-html.prohibit-jquery-html message: JQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`. metadata: shortDesription: Use of JQuery's unsafe html() function. help: | ## Remediation Avoid using JQuery's html() function. If the string is plain text, use the text() function instead. Otherwise, use a function that escapes html such as edx's HtmlUtils.setHtml(). tags: - security precision: high owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss.html#javascript-concat-html - https://stackoverflow.com/questions/8318581/html-vs-innerhtml-jquery-javascript-xss-attacks - https://api.jquery.com/text/#text-text category: security technology: - jquery cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.jquery.security.audit.prohibit-jquery-html.prohibit-jquery-html shortlink: https://sg.run/0Q9B semgrep.dev: rule: r_id: 9298 rv_id: 1263186 rule_id: BYUNLk version_id: 7ZTE3Y9 url: https://semgrep.dev/playground/r/7ZTE3Y9/javascript.jquery.security.audit.prohibit-jquery-html.prohibit-jquery-html origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern: | $X.html(...) - pattern-not: | $X.html("...",...) - pattern-not: $X.html() - id: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify message: Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token. metadata: cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecue Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jwt subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify shortlink: https://sg.run/J9YP semgrep.dev: rule: r_id: 9302 rv_id: 1263187 rule_id: KxUbL3 version_id: LjTkgpe url: https://semgrep.dev/playground/r/LjTkgpe/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-inside: | $JWT = require('jsonwebtoken'); ... - pattern-not-inside: | ... $JWT.verify($TOKEN, ...) ... - pattern-not-inside: | ... if (<... $JWT.verify($TOKEN, ...) ...>) { ... } ... - pattern: $JWT.decode($TOKEN, ...) - id: javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload. metadata: owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-522: Insufficiently Protected Credentials' source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecue Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jwt cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data shortlink: https://sg.run/5Qkj semgrep.dev: rule: r_id: 9303 rv_id: 1263188 rule_id: qNUjwe version_id: 8KT5rLr url: https://semgrep.dev/playground/r/8KT5rLr/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-inside: | $JWT = require('jsonwebtoken'); ... - pattern-either: - pattern-inside: function (...,$INPUT,...) {...} - pattern-inside: function $F(...,$INPUT,...) {...} - pattern: $JWT.sign($INPUT,...) - id: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.2 Static API keys or secret control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jwt - javascript - secrets cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret shortlink: https://sg.run/4xN9 semgrep.dev: rule: r_id: 9300 rv_id: 1263189 rule_id: WAUon7 version_id: gETB75D url: https://semgrep.dev/playground/r/gETB75D/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern: "$X = '...' \n" - pattern: "$X = '$Y' \n" - patterns: - pattern-either: - pattern-inside: | $JWT.sign($DATA,"...",...); - pattern-inside: | $JWT.verify($DATA,"...",...); pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $JWT = require("jsonwebtoken") ... - pattern-inside: | import $JWT from "jsonwebtoken" ... - pattern-inside: | import * as $JWT from "jsonwebtoken" ... - pattern-inside: | import {...,$JWT,...} from "jsonwebtoken" ... - pattern-either: - pattern-inside: | $JWT.sign($DATA,$VALUE,...); - pattern-inside: | $JWT.verify($DATA,$VALUE,...); - focus-metavariable: $VALUE - id: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecue Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jwt subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg shortlink: https://sg.run/PJXv semgrep.dev: rule: r_id: 9301 rv_id: 1263190 rule_id: 0oU53g version_id: QkTGqQo url: https://semgrep.dev/playground/r/QkTGqQo/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern-inside: | $JWT = require("jsonwebtoken"); ... - pattern: $JWT.verify($P, $X, {algorithms:[...,'none',...]},...) - id: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify message: Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Set 'verify' to `true` before using the token. severity: ERROR metadata: owasp: - A05:2021 - Security Misconfiguration - A07:2021 - Identification and Authentication Failures - A02:2025 - Security Misconfiguration - A07:2025 - Authentication Failures cwe: - 'CWE-287: Improper Authentication' - 'CWE-345: Insufficient Verification of Data Authenticity' - 'CWE-347: Improper Verification of Cryptographic Signature' category: security subcategory: - vuln technology: - jwt-simple - jwt confidence: HIGH likelihood: MEDIUM impact: HIGH references: - https://www.npmjs.com/package/jwt-simple - https://cwe.mitre.org/data/definitions/287 - https://cwe.mitre.org/data/definitions/345 - https://cwe.mitre.org/data/definitions/347 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues - Improper Authentication source: https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify shortlink: https://sg.run/zdjod semgrep.dev: rule: r_id: 120561 rv_id: 1263191 rule_id: r6UyNLy version_id: 3ZT4Xxv url: https://semgrep.dev/playground/r/3ZT4Xxv/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify origin: community languages: - javascript - typescript patterns: - pattern-inside: | $JWT = require('jwt-simple'); ... - pattern: $JWT.decode($TOKEN, $SECRET, $NOVERIFY, ...) - metavariable-pattern: metavariable: $NOVERIFY patterns: - pattern-either: - pattern: | true - pattern: | "..." - id: javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename message: Detected that function argument `$ARG` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' references: - https://owasp.org/www-community/attacks/Path_Traversal owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-fs-filename.js category: security technology: - typescript cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename shortlink: https://sg.run/8RNQ semgrep.dev: rule: r_id: 12684 rv_id: 1263194 rule_id: oqUrQl version_id: JdTzxZg url: https://semgrep.dev/playground/r/JdTzxZg/javascript.lang.security.audit.detect-non-literal-fs-filename.detect-non-literal-fs-filename origin: community languages: - typescript - javascript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: function ... (..., $ARG,...) {...} - focus-metavariable: $ARG pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $FS = require('fs') ... - pattern-inside: | $FS = require('fs/promises') ... - pattern-inside: | import * as $FS from 'fs' ... - pattern-inside: | import $FS from 'fs' ... - pattern-inside: | import * as $FS from 'fs/promises' ... - pattern-inside: | import $FS from 'fs/promises' ... - pattern-not: $FS. ... .$METHOD("...", ...) - pattern-either: - pattern: $FS. ... .access($FILE,...) - pattern: $FS. ... .appendFile($FILE,...) - pattern: $FS. ... .chmod($FILE,...) - pattern: $FS. ... .chown($FILE,...) - pattern: $FS. ... .close($FILE,...) - pattern: $FS. ... .copyFile($FILE,...) - pattern: $FS. ... .copyFile($SMTH, $FILE,...) - pattern: $FS. ... .cp($FILE, ...) - pattern: $FS. ... .cp($SMTH, $FILE, ...) - pattern: $FS. ... .createReadStream($FILE,...) - pattern: $FS. ... .createWriteStream($FILE,...) - pattern: $FS. ... .exists($FILE, ...) - pattern: $FS. ... .fchmod($FILE, ...) - pattern: $FS. ... .fchown($FILE, ...) - pattern: $FS. ... .fdatasync($FILE, ...) - pattern: $FS. ... .fstat($FILE, ...) - pattern: $FS. ... .fsync($FILE, ...) - pattern: $FS. ... .ftruncate($FILE, ...) - pattern: $FS. ... .futimes($FILE, ...) - pattern: $FS. ... .lchmod($FILE, ...) - pattern: $FS. ... .lchown($FILE, ...) - pattern: $FS. ... .lutimes($FILE, ...) - pattern: $FS. ... .link($FILE, ...) - pattern: $FS. ... .link($SMTH, $FILE, ...) - pattern: $FS. ... .lstat($FILE, ...) - pattern: $FS. ... .mkdir($FILE, ...) - pattern: $FS. ... .mkdtemp($FILE, ...) - pattern: $FS. ... .open($FILE, ...) - pattern: $FS. ... .opendir($FILE, ...) - pattern: $FS. ... .read($FILE, ...) - pattern: $FS. ... .read($FILE, ...) - pattern: $FS. ... .readdir($FILE, ...) - pattern: $FS. ... .readFile($FILE, ...) - pattern: $FS. ... .readlink($FILE, ...) - pattern: $FS. ... .readv($FILE, ...) - pattern: $FS. ... .realpath($FILE, ...) - pattern: $FS. ... .realpath.native($FILE, ...) - pattern: $FS. ... .rename($FILE, ...) - pattern: $FS. ... .rename($SMTH, $FILE, ...) - pattern: $FS. ... .rmdir($FILE, ...) - pattern: $FS. ... .rm($FILE, ...) - pattern: $FS. ... .stat($FILE, ...) - pattern: $FS. ... .symlink($SMTH, $FILE, ...) - pattern: $FS. ... .symlink($FILE, ...) - pattern: $FS. ... .truncate($FILE, ...) - pattern: $FS. ... .unlink($FILE, ...) - pattern: $FS. ... .unwatchFile($FILE, ...) - pattern: $FS. ... .utimes($FILE, ...) - pattern: $FS. ... .watch($FILE, ...) - pattern: $FS. ... .watchFile($FILE, ...) - pattern: $FS. ... .write($FILE, ...) - pattern: $FS. ... .writeFile($FILE, ...) - pattern: $FS. ... .writev($FILE, ...) - pattern: $FS. ... .accessSync($FILE, ...) - pattern: $FS. ... .appendFileSync($FILE, ...) - pattern: $FS. ... .chmodSync($FILE, ...) - pattern: $FS. ... .chownSync($FILE, ...) - pattern: $FS. ... .closeSync($FILE, ...) - pattern: $FS. ... .copyFileSync($FILE, ...) - pattern: $FS. ... .copyFileSync($SMTH, $FILE, ...) - pattern: $FS. ... .cpSync($FILE, ...) - pattern: $FS. ... .cpSync($SMTH, $FILE, ...) - pattern: $FS. ... .existsSync($FILE, ...) - pattern: $FS. ... .fchmodSync($FILE, ...) - pattern: $FS. ... .fchownSync($FILE, ...) - pattern: $FS. ... .fdatasyncSync($FILE, ...) - pattern: $FS. ... .fstatSync($FILE, ...) - pattern: $FS. ... .fsyncSync($FILE, ...) - pattern: $FS. ... .ftruncateSync($FILE, ...) - pattern: $FS. ... .futimesSync($FILE, ...) - pattern: $FS. ... .lchmodSync($FILE, ...) - pattern: $FS. ... .lchownSync($FILE, ...) - pattern: $FS. ... .lutimesSync($FILE, ...) - pattern: $FS. ... .linkSync($FILE, ...) - pattern: $FS. ... .linkSync($SMTH, $FILE, ...) - pattern: $FS. ... .lstatSync($FILE, ...) - pattern: $FS. ... .mkdirSync($FILE, ...) - pattern: $FS. ... .mkdtempSync($FILE, ...) - pattern: $FS. ... .opendirSync($FILE, ...) - pattern: $FS. ... .openSync($FILE, ...) - pattern: $FS. ... .readdirSync($FILE, ...) - pattern: $FS. ... .readFileSync($FILE, ...) - pattern: $FS. ... .readlinkSync($FILE, ...) - pattern: $FS. ... .readSync($FILE, ...) - pattern: $FS. ... .readSync($FILE, ...) - pattern: $FS. ... .readvSync($FILE, ...) - pattern: $FS. ... .realpathync($FILE, ...) - pattern: $FS. ... .realpathSync.native($FILE, ...) - pattern: $FS. ... .renameSync($FILE, ...) - pattern: $FS. ... .renameSync($SMTH, $FILE, ...) - pattern: $FS. ... .rmdirSync($FILE, ...) - pattern: $FS. ... .rmSync($FILE, ...) - pattern: $FS. ... .statSync($FILE, ...) - pattern: $FS. ... .symlinkSync($FILE, ...) - pattern: $FS. ... .symlinkSync($SMTH, $FILE, ...) - pattern: $FS. ... .truncateSync($FILE, ...) - pattern: $FS. ... .unlinkSync($FILE, ...) - pattern: $FS. ... .utimesSync($FILE, ...) - pattern: $FS. ... .writeFileSync($FILE, ...) - pattern: $FS. ... .writeSync($FILE, ...) - pattern: $FS. ... .writevSync($FILE, ...) - focus-metavariable: $FILE - patterns: - pattern-either: - pattern-inside: | import 'fs' ... - pattern-inside: | import 'fs/promises' ... - pattern-not: $METHOD("...", ...) - pattern-either: - pattern: access($FILE,...) - pattern: appendFile($FILE,...) - pattern: chmod($FILE,...) - pattern: chown($FILE,...) - pattern: close($FILE,...) - pattern: copyFile($FILE,...) - pattern: copyFile($SMTH, $FILE,...) - pattern: cp($FILE, ...) - pattern: cp($SMTH, $FILE, ...) - pattern: createReadStream($FILE,...) - pattern: createWriteStream($FILE,...) - pattern: exists($FILE, ...) - pattern: fchmod($FILE, ...) - pattern: fchown($FILE, ...) - pattern: fdatasync($FILE, ...) - pattern: fstat($FILE, ...) - pattern: fsync($FILE, ...) - pattern: ftruncate($FILE, ...) - pattern: futimes($FILE, ...) - pattern: lchmod($FILE, ...) - pattern: lchown($FILE, ...) - pattern: lutimes($FILE, ...) - pattern: link($FILE, ...) - pattern: link($SMTH, $FILE, ...) - pattern: lstat($FILE, ...) - pattern: mkdir($FILE, ...) - pattern: mkdtemp($FILE, ...) - pattern: open($FILE, ...) - pattern: opendir($FILE, ...) - pattern: read($FILE, ...) - pattern: read($FILE, ...) - pattern: readdir($FILE, ...) - pattern: readFile($FILE, ...) - pattern: readlink($FILE, ...) - pattern: readv($FILE, ...) - pattern: realpath($FILE, ...) - pattern: realpath.native($FILE, ...) - pattern: rename($FILE, ...) - pattern: rename($SMTH, $FILE, ...) - pattern: rmdir($FILE, ...) - pattern: rm($FILE, ...) - pattern: stat($FILE, ...) - pattern: symlink($SMTH, $FILE, ...) - pattern: symlink($FILE, ...) - pattern: truncate($FILE, ...) - pattern: unlink($FILE, ...) - pattern: unwatchFile($FILE, ...) - pattern: utimes($FILE, ...) - pattern: watch($FILE, ...) - pattern: watchFile($FILE, ...) - pattern: write($FILE, ...) - pattern: writeFile($FILE, ...) - pattern: writev($FILE, ...) - pattern: accessSync($FILE, ...) - pattern: appendFileSync($FILE, ...) - pattern: chmodSync($FILE, ...) - pattern: chownSync($FILE, ...) - pattern: closeSync($FILE, ...) - pattern: copyFileSync($FILE, ...) - pattern: copyFileSync($SMTH, $FILE, ...) - pattern: cpSync($FILE, ...) - pattern: cpSync($SMTH, $FILE, ...) - pattern: existsSync($FILE, ...) - pattern: fchmodSync($FILE, ...) - pattern: fchownSync($FILE, ...) - pattern: fdatasyncSync($FILE, ...) - pattern: fstatSync($FILE, ...) - pattern: fsyncSync($FILE, ...) - pattern: ftruncateSync($FILE, ...) - pattern: futimesSync($FILE, ...) - pattern: lchmodSync($FILE, ...) - pattern: lchownSync($FILE, ...) - pattern: lutimesSync($FILE, ...) - pattern: linkSync($FILE, ...) - pattern: linkSync($SMTH, $FILE, ...) - pattern: lstatSync($FILE, ...) - pattern: mkdirSync($FILE, ...) - pattern: mkdtempSync($FILE, ...) - pattern: opendirSync($FILE, ...) - pattern: openSync($FILE, ...) - pattern: readdirSync($FILE, ...) - pattern: readFileSync($FILE, ...) - pattern: readlinkSync($FILE, ...) - pattern: readSync($FILE, ...) - pattern: readSync($FILE, ...) - pattern: readvSync($FILE, ...) - pattern: realpathync($FILE, ...) - pattern: realpathSync.native($FILE, ...) - pattern: renameSync($FILE, ...) - pattern: renameSync($SMTH, $FILE, ...) - pattern: rmdirSync($FILE, ...) - pattern: rmSync($FILE, ...) - pattern: statSync($FILE, ...) - pattern: symlinkSync($FILE, ...) - pattern: symlinkSync($SMTH, $FILE, ...) - pattern: truncateSync($FILE, ...) - pattern: unlinkSync($FILE, ...) - pattern: utimesSync($FILE, ...) - pattern: writeFileSync($FILE, ...) - pattern: writeSync($FILE, ...) - pattern: writevSync($FILE, ...) - focus-metavariable: $FILE - id: javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution message: Potential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval() metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - bluebird references: - http://bluebirdjs.com/docs/getting-started.html cwe2022-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution shortlink: https://sg.run/ndnZ semgrep.dev: rule: r_id: 9236 rv_id: 1263115 rule_id: JDUy9J version_id: K3TKkQ7 url: https://semgrep.dev/playground/r/K3TKkQ7/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: function ... (..., $ARG,...) {...} - focus-metavariable: $ARG pattern-sinks: - patterns: - pattern-either: - pattern: $UTIL.toFastProperties($SINK,...) - pattern: toFastProperties($SINK,...) - pattern-either: - pattern-inside: | $BB = require('bluebird'); ... - pattern-inside: | import 'bluebird'; ... - focus-metavariable: $SINK - id: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). options: interfile: true metadata: interfile: true cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures category: security technology: - express - secrets cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret shortlink: https://sg.run/Do1d semgrep.dev: rule: r_id: 9252 rv_id: 1263166 rule_id: pKUOjy version_id: pZT03Q0 url: https://semgrep.dev/playground/r/pZT03Q0/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern-inside: | $JWT = require('express-jwt'); ... - pattern-inside: | import $JWT from 'express-jwt'; ... - pattern-inside: | import * as $JWT from 'express-jwt'; ... - pattern-inside: | import { ..., $JWT, ... } from 'express-jwt'; ... - pattern-either: - pattern: | $JWT({...,secret: "$Y",...},...) - pattern: | $OPTS = "$Y"; ... $JWT({...,secret: $OPTS},...); - focus-metavariable: $Y - id: javascript.browser.security.dom-based-xss.dom-based-xss message: 'Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/DOM_Based_XSS category: security technology: - browser cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss shortlink: https://sg.run/EkeL semgrep.dev: rule: r_id: 9237 rv_id: 1263116 rule_id: 5rUOg6 version_id: qkTR7eW url: https://semgrep.dev/playground/r/qkTR7eW/javascript.browser.security.dom-based-xss.dom-based-xss origin: community languages: - javascript - typescript severity: ERROR pattern-either: - pattern: document.write(<... document.location.$W ...>) - pattern: document.write(<... location.$W ...>) - id: javascript.browser.security.eval-detected.eval-detected message: Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.2.4 Dynamic Code Execution Features control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing version: '4' category: security technology: - browser subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected shortlink: https://sg.run/7ope semgrep.dev: rule: r_id: 9238 rv_id: 1263117 rule_id: GdU7dw version_id: l4TJR2y url: https://semgrep.dev/playground/r/l4TJR2y/javascript.browser.security.eval-detected.eval-detected origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-not: eval("...") - pattern: eval(...) - id: javascript.express.security.express-phantom-injection.express-phantom-injection message: If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - express references: - https://phantomjs.org/page-automation.html cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.express.security.express-phantom-injection.express-phantom-injection shortlink: https://sg.run/W8BL semgrep.dev: rule: r_id: 9253 rv_id: 1263167 rule_id: 2ZUbx3 version_id: 2KTv26p url: https://semgrep.dev/playground/r/2KTv26p/javascript.express.security.express-phantom-injection.express-phantom-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('phantom'); ... - pattern-inside: | import 'phantom'; ... - pattern-either: - pattern: $PAGE.open($SINK,...) - pattern: $PAGE.setContent($SINK,...) - pattern: $PAGE.openUrl($SINK,...) - pattern: $PAGE.evaluateJavaScript($SINK,...) - pattern: $PAGE.property("content",$SINK,...) - focus-metavariable: $SINK - id: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection message: If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - express references: - https://pptr.dev/api/puppeteer.page cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection shortlink: https://sg.run/0QJB semgrep.dev: rule: r_id: 9254 rv_id: 1263168 rule_id: X5U8Nz version_id: X0TzyJY url: https://semgrep.dev/playground/r/X0TzyJY/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('puppeteer'); ... - pattern-inside: | import 'puppeteer'; ... - pattern-either: - pattern: $PAGE.goto($SINK,...) - pattern: $PAGE.setContent($SINK,...) - pattern: $PAGE.evaluate($SINK,...) - pattern: $PAGE.evaluate($CODE,$SINK,...) - pattern: $PAGE.evaluateHandle($SINK,...) - pattern: $PAGE.evaluateHandle($CODE,$SINK,...) - pattern: $PAGE.evaluateOnNewDocument($SINK,...) - pattern: $PAGE.evaluateOnNewDocument($CODE,$SINK,...) - focus-metavariable: $SINK - id: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection message: Make sure that unverified user data can not reach `sandbox`. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security technology: - express cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection shortlink: https://sg.run/KlwL semgrep.dev: rule: r_id: 9255 rv_id: 1263169 rule_id: j2UvXB version_id: jQTn59D url: https://semgrep.dev/playground/r/jQTn59D/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-inside: | $SANDBOX = require('sandbox'); ... - pattern-either: - patterns: - pattern-inside: | $S = new $SANDBOX(...); ... - pattern: | $S.run(...) - pattern: | new $SANDBOX($OPTS).run(...) - pattern: new $SANDBOX().run(...) - id: javascript.express.security.express-vm-injection.express-vm-injection message: Make sure that unverified user data can not reach `$VM`. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security technology: - express cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection shortlink: https://sg.run/jkqJ semgrep.dev: rule: r_id: 12821 rv_id: 1263170 rule_id: DbUKPX version_id: 1QTypXQ url: https://semgrep.dev/playground/r/1QTypXQ/javascript.express.security.express-vm-injection.express-vm-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-inside: | $VM = require('vm'); ... - pattern-either: - pattern: | $VM.runInContext(...) - pattern: | $VM.runInNewContext(...) - pattern: | $VM.compileFunction(...) - pattern: | $VM.runInThisContext(...) - pattern: new $VM.Script(...) - id: javascript.express.security.express-vm2-injection.express-vm2-injection message: Make sure that unverified user data can not reach `vm2`. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security technology: - express cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection shortlink: https://sg.run/1GWv semgrep.dev: rule: r_id: 12822 rv_id: 1263171 rule_id: WAUPXJ version_id: 9lT4bnX url: https://semgrep.dev/playground/r/9lT4bnX/javascript.express.security.express-vm2-injection.express-vm2-injection origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-inside: | require('vm2') ... - pattern-either: - patterns: - pattern-either: - pattern-inside: | $VM = new VM(...) ... - pattern-inside: | $VM = new NodeVM(...) ... - pattern: | $VM.run(...) - pattern: | new VM(...).run(...) - pattern: | new NodeVM(...).run(...) - pattern: | new VMScript(...) - pattern: | new VM(...) - pattern: new NodeVM(...) - id: javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection message: If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - express references: - https://www.npmjs.com/package/wkhtmltopdf cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection shortlink: https://sg.run/pxe0 semgrep.dev: rule: r_id: 9262 rv_id: 1263172 rule_id: kxUkl9 version_id: yeTxpdd url: https://semgrep.dev/playground/r/yeTxpdd/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection origin: community severity: ERROR languages: - javascript - typescript mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern: $WK.generate($SINK,...) - focus-metavariable: $SINK - id: javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection message: If unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - express references: - https://www.npmjs.com/package/wkhtmltopdf cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection shortlink: https://sg.run/2xGq semgrep.dev: rule: r_id: 9263 rv_id: 1263173 rule_id: wdUJxq version_id: rxTAK8b url: https://semgrep.dev/playground/r/rxTAK8b/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-inside: | $WK = require('wkhtmltopdf'); ... - pattern: $WK($SINK,...) - focus-metavariable: $SINK - id: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe message: Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities metadata: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' category: security technology: - express references: - https://www.npmjs.com/package/xml2json cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe shortlink: https://sg.run/XBD4 semgrep.dev: rule: r_id: 9264 rv_id: 1263174 rule_id: x8Uneb version_id: bZT534J url: https://semgrep.dev/playground/r/bZT534J/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - pattern: $REQ.files.$ANYTHING.data.toString('utf8') - pattern: $REQ.files.$ANYTHING['data'].toString('utf8') - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body - pattern: files.$ANYTHING.data.toString('utf8') - pattern: files.$ANYTHING['data'].toString('utf8') pattern-sinks: - patterns: - pattern-either: - pattern-inside: | require('xml2json'); ... - pattern-inside: | import 'xml2json'; ... - pattern: $EXPAT.toJson($SINK,...) - focus-metavariable: $SINK - id: javascript.express.security.injection.raw-html-format.raw-html-format message: User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format shortlink: https://sg.run/5DO3 semgrep.dev: rule: r_id: 14691 rv_id: 1263175 rule_id: 5rUL0X version_id: NdTzyQv url: https://semgrep.dev/playground/r/NdTzyQv/javascript.express.security.injection.raw-html-format.raw-html-format origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - label: EXPRESS patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - label: EXPRESSTS patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body - label: CLEAN by-side-effect: true patterns: - pattern-either: - pattern: $A($SOURCE) - pattern: $SANITIZE. ... .$A($SOURCE) - pattern: $A. ... .$SANITIZE($SOURCE) - focus-metavariable: $SOURCE - metavariable-regex: metavariable: $A regex: (?i)(.*valid|.*sanitiz) pattern-sinks: - requires: (EXPRESS and not CLEAN) or (EXPRESSTS and not CLEAN) patterns: - pattern-either: - patterns: - pattern-either: - pattern: '"$HTMLSTR" + $EXPR' - pattern: '"$HTMLSTR".concat(...)' - pattern: util.format($HTMLSTR, ...) - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - patterns: - pattern: | `...` - pattern-regex: | .*<\w+.* - id: javascript.express.security.require-request.require-request message: If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server. options: interfile: true metadata: interfile: true owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-706: Use of Incorrectly-Resolved Name or Reference' source-rule-url: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html category: security technology: - express references: - https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/javascript.express.security.require-request.require-request shortlink: https://sg.run/jRbl semgrep.dev: rule: r_id: 9265 rv_id: 1263177 rule_id: OrU3WK version_id: w8TRo0d url: https://semgrep.dev/playground/r/w8TRo0d/javascript.express.security.require-request.require-request origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern: require($SINK) - focus-metavariable: $SINK - id: javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration message: By letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`. metadata: references: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-451: User Interface (UI) Misrepresentation of Critical Information' category: security technology: - express subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration shortlink: https://sg.run/EvjA semgrep.dev: rule: r_id: 13581 rv_id: 1263178 rule_id: GdUrLy version_id: xyTjz3D url: https://semgrep.dev/playground/r/xyTjz3D/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... ($REQ, $RES) {...} - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - patterns: - pattern-either: - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - metavariable-regex: metavariable: $METHOD regex: ^(get|post|put|head|delete|options)$ - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) => {...} - pattern-inside: | ({ $REQ }: Request,$RES: Response) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - pattern: $RES.set($HEADER, ...) - pattern: $RES.header($HEADER, ...) - pattern: $RES.setHeader($HEADER, ...) - pattern: | $RES.set({$HEADER: ...}, ...) - pattern: | $RES.writeHead($STATUS, {$HEADER: ...}, ...) - metavariable-regex: metavariable: $HEADER regex: .*(X-Frame-Options|x-frame-options).* - id: javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup message: User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - fbjs cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup shortlink: https://sg.run/J9Yj semgrep.dev: rule: r_id: 9290 rv_id: 1263179 rule_id: qNUjwb version_id: O9TpxZq url: https://semgrep.dev/playground/r/O9TpxZq/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: createNodesFromMarkup(...) - pattern: $X.createNodesFromMarkup(...) - pattern-not: createNodesFromMarkup("...",...) - pattern-not: $X.createNodesFromMarkup("...",...) - id: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection message: Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' category: security technology: - grpc references: - https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection shortlink: https://sg.run/5QkD semgrep.dev: rule: r_id: 9291 rv_id: 1263180 rule_id: lBU9D8 version_id: e1TyjAl url: https://semgrep.dev/playground/r/e1TyjAl/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection origin: community languages: - javascript - typescript severity: ERROR pattern-either: - pattern: | require('grpc'); ... $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...); - pattern: | require('grpc'); ... new $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...); - pattern: |- require('grpc'); ... $CREDS = <... $CREDENTIALS.createInsecure() ...>; ... $GRPC($ADDR,...,$CREDS,...); - pattern: |- require('grpc'); ... $CREDS = <... $CREDENTIALS.createInsecure() ...>; ... new $GRPC($ADDR,...,$CREDS,...); - id: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). metadata: interfile: true cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.2 Static API keys or secret control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jose - jwt - secrets cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret shortlink: https://sg.run/Ro1g semgrep.dev: rule: r_id: 9293 rv_id: 1263182 rule_id: JDUyRl version_id: d6TyxbX url: https://semgrep.dev/playground/r/d6TyxbX/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-inside: | $JOSE = require("jose"); ... - pattern-either: - pattern-inside: | var {JWT} = $JOSE; ... - pattern-inside: | var {JWK, JWT} = $JOSE; ... - pattern-inside: | const {JWT} = $JOSE; ... - pattern-inside: | const {JWK, JWT} = $JOSE; ... - pattern-inside: | let {JWT} = $JOSE; ... - pattern-inside: | let {JWK, JWT} = $JOSE; ... - pattern-either: - pattern: | JWT.verify($P, "...", ...); - pattern: | JWT.sign($P, "...", ...); - pattern: "JWT.verify($P, JWK.asKey(\"...\"), ...); \n" - pattern: | $JWT.sign($P, JWK.asKey("..."), ...); options: symbolic_propagation: true interfile: true - id: javascript.jose.security.jwt-none-alg.jwt-none-alg message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecue Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jose - jwt subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg shortlink: https://sg.run/AvRL semgrep.dev: rule: r_id: 9294 rv_id: 1263183 rule_id: 5rUOGN version_id: ZRTKAyb url: https://semgrep.dev/playground/r/ZRTKAyb/javascript.jose.security.jwt-none-alg.jwt-none-alg origin: community languages: - javascript - typescript severity: ERROR pattern-either: - pattern: | var $JOSE = require("jose"); ... var { JWK, JWT } = $JOSE; ... var $T = JWT.verify($P, JWK.None,...); - pattern: | var $JOSE = require("jose"); ... var { JWK, JWT } = $JOSE; ... $T = JWT.verify($P, JWK.None,...); - pattern: | var $JOSE = require("jose"); ... var { JWK, JWT } = $JOSE; ... JWT.verify($P, JWK.None,...); - id: javascript.jquery.security.audit.jquery-insecure-method.jquery-insecure-method message: User controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/xss/ - https://bugs.jquery.com/ticket/9521 category: security technology: - jquery cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.jquery.security.audit.jquery-insecure-method.jquery-insecure-method shortlink: https://sg.run/DoDd semgrep.dev: rule: r_id: 9296 rv_id: 1263184 rule_id: ReUgxk version_id: nWT2Lwv url: https://semgrep.dev/playground/r/nWT2Lwv/javascript.jquery.security.audit.jquery-insecure-method.jquery-insecure-method origin: community languages: - javascript - typescript severity: WARNING options: symbolic_propagation: true pattern-either: - patterns: - pattern-either: - pattern: $.$METHOD($VAR,...) - pattern: $(...).$METHOD($VAR,...) - pattern: jQuery.$METHOD($VAR,...) - pattern: jQuery(...).$METHOD($VAR,...) - pattern-not: $.$METHOD("...",...) - pattern-not: $(...).$METHOD("...",...) - pattern-not: jQuery.$METHOD("...",...) - pattern-not: jQuery(...).$METHOD("...",...) - metavariable-regex: metavariable: $METHOD regex: ^(html|append|prepend|wrap|wrapInner|wrapAll|before|after|globalEval|getScript)$ - patterns: - pattern-either: - pattern: $(...).$METHOD($VAR,...) - pattern: jQuery(...).$METHOD($VAR,...) - pattern-not: $("...",...).$METHOD(...) - pattern-not: jQuery("...",...).$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: ^(appendTo|insertAfter|insertBefore|prependTo)$ - id: javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector message: User controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/xss/ - https://bugs.jquery.com/ticket/9521 category: security technology: - jquery cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector shortlink: https://sg.run/W8NL semgrep.dev: rule: r_id: 9297 rv_id: 1263185 rule_id: AbUzlX version_id: ExTExY0 url: https://semgrep.dev/playground/r/ExTExY0/javascript.jquery.security.audit.jquery-insecure-selector.jquery-insecure-selector origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $(<... window ...>) - pattern: | $(<... location ...>) - patterns: - pattern: | $X = <... window ...>; ... $(<... $X ...>); - focus-metavariable: $X - patterns: - pattern: | $X = <... location ...>; ... $(<... $X ...>); - focus-metavariable: $X - patterns: - pattern-either: - pattern-inside: | function $FUNC(..., $Y, ...) { ... } - pattern-inside: | function (..., $Y, ...) { ... } - pattern-inside: | function $FUNC(...,$Z,...) { ... $Y = <... $Z ...>; ... } - pattern-inside: | function (...,$Z,...) { ... $Y = <... $Z ...>; ... } - pattern-either: - pattern: | $(<... $Y ...>) - pattern: | $("..." + (<... $Y ...>)) - pattern: | $((<... $Y ...>) + "...") - pattern-not-inside: | $JQUERY.each(function($INDEX, $Y) { ... }) - focus-metavariable: $Y - pattern-not: | $(window) - pattern-not: | $(document) - pattern-not: | $(this) - id: javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape message: Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. metadata: cwe: - 'CWE-116: Improper Encoding or Escaping of Output' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js category: security technology: - mustache subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape shortlink: https://sg.run/Yvwd semgrep.dev: rule: r_id: 9314 rv_id: 1263213 rule_id: 9AU17r version_id: DkTRb3X url: https://semgrep.dev/playground/r/DkTRb3X/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape origin: community languages: - javascript - typescript severity: WARNING pattern: $OBJ.escapeMarkup = false - id: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression message: Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js references: - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval! category: security technology: - javascript subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression shortlink: https://sg.run/6nwK semgrep.dev: rule: r_id: 9315 rv_id: 1263214 rule_id: yyUngo version_id: WrTqKkJ url: https://semgrep.dev/playground/r/WrTqKkJ/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | $PROP = new URLSearchParams($WINDOW. ... .location.search).get('...') ... - pattern-inside: | $PROP = new URLSearchParams(location.search).get('...') ... - pattern-inside: | $PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...') ... - pattern-inside: | $PROP = new URLSearchParams(location.hash.substring(1)).get('...') ... - focus-metavariable: $PROP - patterns: - pattern-either: - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.search) ... - pattern-inside: | $PROPS = new URLSearchParams(location.search) ... - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1)) ... - pattern-inside: | $PROPS = new URLSearchParams(location.hash.substring(1)) ... - pattern: $PROPS.get('...') - focus-metavariable: $PROPS - patterns: - pattern-either: - pattern: location.href - pattern: location.hash - pattern: location.search - pattern: $WINDOW. ... .location.href - pattern: $WINDOW. ... .location.hash - pattern: $WINDOW. ... .location.search pattern-sinks: - patterns: - pattern-either: - pattern: eval(<... $SINK ...>) - pattern: window.eval(<... $SINK ...>) - pattern: new Function(<... $SINK ...>) - pattern: new Function(<... $SINK ...>)(...) - pattern: setTimeout(<... $SINK ...>,...) - pattern: setInterval(<... $SINK ...>,...) - focus-metavariable: $SINK pattern-sanitizers: - patterns: - pattern-either: - pattern: location.href = $FUNC(...) - pattern: location.hash = $FUNC(...) - pattern: location.search = $FUNC(...) - pattern: $WINDOW. ... .location.href = $FUNC(...) - pattern: $WINDOW. ... .location.hash = $FUNC(...) - pattern: $WINDOW. ... .location.search = $FUNC(...) - id: javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket message: Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections. metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' asvs: section: 'V13: API and Web Service Verification Requirements' control_id: 13.5.1 Insecure WebSocket control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements version: '4' category: security technology: - regex owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket shortlink: https://sg.run/GWyz semgrep.dev: rule: r_id: 10048 rv_id: 1263215 rule_id: AbUWeE version_id: 0bTKzQ9 url: https://semgrep.dev/playground/r/0bTKzQ9/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket origin: community languages: - regex severity: ERROR patterns: - pattern-regex: \bws:\/\/ - pattern-not-inside: \bws:\/\/localhost.* - pattern-not-inside: \bws:\/\/127.0.0.1.* - id: javascript.lang.security.insecure-object-assign.insecure-object-assign message: Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability. metadata: cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html - https://en.wikipedia.org/wiki/Mass_assignment_vulnerability category: security technology: - javascript subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign shortlink: https://sg.run/2R0D semgrep.dev: rule: r_id: 12819 rv_id: 1263219 rule_id: AbUGOq version_id: YDTZezg url: https://semgrep.dev/playground/r/YDTZezg/javascript.lang.security.insecure-object-assign.insecure-object-assign origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern: JSON.parse(...) - pattern-not: JSON.parse("...",...) pattern-sinks: - pattern: Object.assign(...) - id: javascript.lang.security.spawn-git-clone.spawn-git-clone message: Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - git cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone shortlink: https://sg.run/2xrr semgrep.dev: rule: r_id: 9319 rv_id: 1263220 rule_id: kxUkPP version_id: 6xT29A7 url: https://semgrep.dev/playground/r/6xT29A7/javascript.lang.security.spawn-git-clone.spawn-git-clone origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern-either: - pattern: spawn('git', ['clone',...,$F]) - pattern: $X.spawn('git', ['clone',...,$F]) - pattern: spawn('git', ['clone',...,$P,$F]) - pattern: $X.spawn('git', ['clone',...,$P,$F]) - pattern-not: spawn('git', ['clone',...,"..."]) - pattern-not: $X.spawn('git', ['clone',...,"..."]) - pattern-not: spawn('git', ['clone',...,"...","..."]) - pattern-not: $X.spawn('git', ['clone',...,"...","..."]) - id: javascript.node-crypto.security.aead-no-final.aead-no-final message: The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption. Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext. metadata: cwe: - 'CWE-310: CWE CATEGORY: Cryptographic Issues' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security subcategory: - vuln technology: - node-crypto likelihood: HIGH impact: MEDIUM confidence: HIGH references: - https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final shortlink: https://sg.run/r6EEA semgrep.dev: rule: r_id: 146569 rv_id: 1263222 rule_id: 2ZUz884 version_id: zyTb2X0 url: https://semgrep.dev/playground/r/zyTb2X0/javascript.node-crypto.security.aead-no-final.aead-no-final origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern: | $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...) ... $DECIPHER.update(...) - pattern-not-inside: | $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...) ... $DECIPHER.final(...) - metavariable-regex: metavariable: $ALGO regex: .*(-gcm|-ccm|-ocb|chacha20-poly1305)$ - id: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length message: The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries. metadata: cwe: - 'CWE-310: CWE CATEGORY: Cryptographic Issues' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security subcategory: - vuln technology: - node-crypto likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/ - https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length shortlink: https://sg.run/NbGG1 semgrep.dev: rule: r_id: 146571 rv_id: 1263223 rule_id: j2UgPP3 version_id: pZT03qd url: https://semgrep.dev/playground/r/pZT03qd/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern: | $CRYPTO.createDecipheriv('$ALGO', $KEY, $IV) - metavariable-regex: metavariable: $ALGO regex: .*(-gcm)$ - id: javascript.node-expat.security.audit.expat-xxe.expat-xxe message: If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities metadata: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' category: security technology: - node-expat cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe shortlink: https://sg.run/eLdL semgrep.dev: rule: r_id: 9332 rv_id: 1263224 rule_id: gxU171 version_id: 2KTv2AZ url: https://semgrep.dev/playground/r/2KTv2AZ/javascript.node-expat.security.audit.expat-xxe.expat-xxe origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | var $EXPAT = require('node-expat'); ... new $EXPAT.Parser(...); ... $PARSER.parse(...); - pattern: | var $EXPAT = require('node-expat'); ... new $EXPAT.Parser(...); ... $PARSER.write(...); - pattern: | require('node-expat'); ... new Parser(...); ... $PARSER.parse(...); - pattern: | require('node-expat'); ... new Parser(...); ... $PARSER.write(...); - pattern-not: | var $EXPAT = require('node-expat'); ... new $EXPAT.Parser(...); ... $PARSER.parse("..."); - pattern-not: | var $EXPAT = require('node-expat'); ... new $EXPAT.Parser(...); ... $PARSER.write("..."); - pattern-not: | require('node-expat'); ... new Parser(...); ... $PARSER.parse("..."); - pattern-not: | require('node-expat'); ... new Parser(...); ... $PARSER.write("..."); - pattern-not: | $X = "..."; ... $PARSER.parse($X); - pattern-not: |- $X = "..."; ... $PARSER.write($X); - id: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection message: If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities metadata: owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - wkhtmltopdf cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29 license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection shortlink: https://sg.run/qx8O semgrep.dev: rule: r_id: 9356 rv_id: 1263252 rule_id: j2Uv58 version_id: 5PTo1xA url: https://semgrep.dev/playground/r/5PTo1xA/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-inside: | $WK = require('wkhtmltopdf'); ... - pattern-not-inside: | var $INPUT = "..."; ... - pattern: $WK($INPUT,...) - pattern-not: $WK("...",...) - id: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe message: If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities metadata: owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' category: security technology: - xml2json cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe shortlink: https://sg.run/l27o semgrep.dev: rule: r_id: 9357 rv_id: 1263253 rule_id: 10UKpB version_id: GxTkeg8 url: https://semgrep.dev/playground/r/GxTkeg8/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern: | var $XML = require('xml2json'); ... $XML.toJson(...); - pattern-not: | var $XML = require('xml2json'); ... $XML.toJson("...",...); - pattern-not: |- var $XML = require('xml2json'); ... var $S = "..."; ... $XML.toJson($S,...); - id: json.aws.security.public-s3-bucket.public-s3-bucket languages: - json message: Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values. metadata: category: security cwe: - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html technology: - aws subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket shortlink: https://sg.run/lxv5 semgrep.dev: rule: r_id: 13413 rv_id: 1263254 rule_id: 7KUpLy version_id: RGT0Ld0 url: https://semgrep.dev/playground/r/RGT0Ld0/json.aws.security.public-s3-bucket.public-s3-bucket origin: community patterns: - pattern-inside: | $BUCKETNAME: { "Type": "AWS::S3::Bucket", "Properties": { ..., }, ..., } - pattern-either: - pattern: | "PublicAccessBlockConfiguration": { ..., "RestrictPublicBuckets": false, ..., }, - pattern: | "PublicAccessBlockConfiguration": { ..., "IgnorePublicAcls": false, ..., }, - pattern: | "PublicAccessBlockConfiguration": { ..., "BlockPublicAcls": false, ..., }, - pattern: | "PublicAccessBlockConfiguration": { ..., "BlockPublicPolicy": false, ..., }, severity: WARNING - id: json.aws.security.public-s3-policy-statement.public-s3-policy-statement pattern: | { "Effect": "Allow", "Principal": "*", "Resource": [ ..., "=~/arn:aws:s3.*/", ... ], ... } message: Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket. metadata: owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls' references: - https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html category: security technology: - aws subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/json.aws.security.public-s3-policy-statement.public-s3-policy-statement shortlink: https://sg.run/Yv1d semgrep.dev: rule: r_id: 9358 rv_id: 1263255 rule_id: 9AU1br version_id: A8Tgdxq url: https://semgrep.dev/playground/r/A8Tgdxq/json.aws.security.public-s3-policy-statement.public-s3-policy-statement origin: community severity: WARNING languages: - json - id: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded message: A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. severity: WARNING metadata: likelihood: LOW impact: HIGH confidence: MEDIUM category: security subcategory: - vuln cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2020-top25: true cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures technology: - secrets vulnerability_class: - Hard-coded Secrets source_rule_url: https://semgrep.dev/playground/r/d8Ur5BA/achufistov6_personal_org.build-gradle-password-hardcoded license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded shortlink: https://sg.run/qN29x semgrep.dev: rule: r_id: 137856 rv_id: 1263257 rule_id: ReUD6Kg version_id: DkTRbLX url: https://semgrep.dev/playground/r/DkTRbLX/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded origin: community languages: - kotlin options: symbolic_propagation: true patterns: - pattern-either: - pattern: '$PASS = env[...] ?: $VALUE' - metavariable-regex: metavariable: $PASS regex: (password|pass|passwd|loginPassword) - metavariable-pattern: language: generic metavariable: $VALUE patterns: - pattern-either: - pattern-regex: ^[A-Za-z0-9/+=]+$ paths: include: - '*build.gradle.kts' - id: kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind metadata: cwe: - 'CWE-287: Improper Authentication' owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS category: security technology: - kotlin references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind shortlink: https://sg.run/rY2n semgrep.dev: rule: r_id: 15125 rv_id: 1263258 rule_id: v8U9Q7 version_id: WrTqKgJ url: https://semgrep.dev/playground/r/WrTqKgJ/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind origin: community message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information. severity: WARNING pattern: | $ENV.put($CTX.SECURITY_AUTHENTICATION, "none") ... $DCTX = InitialDirContext($ENV, ...) languages: - kt - id: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call message: A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION. category: security technology: - kt references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call shortlink: https://sg.run/6nEK semgrep.dev: rule: r_id: 9359 rv_id: 1263259 rule_id: yyUnpo version_id: 0bTKzZ9 url: https://semgrep.dev/playground/r/0bTKzZ9/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call origin: community severity: ERROR languages: - kt pattern-either: - pattern: $RUNTIME.exec($X + $Y) - pattern: $RUNTIME.exec(String.format(...)) - pattern: $RUNTIME.loadLibrary($X + $Y) - pattern: $RUNTIME.loadLibrary(String.format(...)) - id: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly metadata: cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE category: security technology: - kt references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly shortlink: https://sg.run/ox7X semgrep.dev: rule: r_id: 9360 rv_id: 1263260 rule_id: r6UrKQ version_id: K3TKkRO url: https://semgrep.dev/playground/r/K3TKkRO/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly origin: community message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);' severity: WARNING languages: - kt patterns: - pattern-not-inside: | $COOKIE.setValue("") ... - pattern-either: - pattern: $COOKIE.setHttpOnly(false) - patterns: - pattern-not-inside: | $COOKIE.setHttpOnly(...) ... - pattern: $RESPONSE.addCookie($COOKIE) - id: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT asvs: section: V9 Communications Verification Requirements control_id: 9.1.3 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements version: '4' category: security technology: - kotlin references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated shortlink: https://sg.run/RXEK semgrep.dev: rule: r_id: 14693 rv_id: 1263262 rule_id: ReU3Yb version_id: l4TJRYY url: https://semgrep.dev/playground/r/l4TJRYY/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated origin: community message: DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2. severity: WARNING languages: - kt pattern: DefaultHttpClient(...) fix-regex: regex: DefaultHttpClient replacement: SystemDefaultHttpClient - id: kotlin.lang.security.gcm-detection.gcm-detection metadata: category: security cwe: - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' references: - https://cwe.mitre.org/data/definitions/323.html technology: - kotlin owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection shortlink: https://sg.run/WpPA semgrep.dev: rule: r_id: 14697 rv_id: 1263264 rule_id: WAUyAW version_id: 6xT29k7 url: https://semgrep.dev/playground/r/6xT29k7/kotlin.lang.security.gcm-detection.gcm-detection origin: community languages: - kt message: GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted. patterns: - pattern-either: - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...) - pattern: GCMParameterSpec(...) severity: INFO - id: kotlin.lang.security.use-of-md5.use-of-md5 message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. languages: - kt severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 category: security technology: - kotlin references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5 shortlink: https://sg.run/4eQx semgrep.dev: rule: r_id: 14700 rv_id: 1263267 rule_id: qNUXPj version_id: pZT03Jd url: https://semgrep.dev/playground/r/pZT03Jd/kotlin.lang.security.use-of-md5.use-of-md5 origin: community pattern-either: - pattern: | java.security.MessageDigest.getInstance("MD5") - pattern: | org.apache.commons.codec.digest.DigestUtils.getMd5Digest() - id: kotlin.lang.security.use-of-sha1.use-of-sha1 message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. languages: - kt severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1 asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - kotlin references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/kotlin.lang.security.use-of-sha1.use-of-sha1 shortlink: https://sg.run/N1pp semgrep.dev: rule: r_id: 15127 rv_id: 1263268 rule_id: ZqUOdd version_id: 2KTv2XZ url: https://semgrep.dev/playground/r/2KTv2XZ/kotlin.lang.security.use-of-sha1.use-of-sha1 origin: community pattern-either: - patterns: - pattern: | $VAR = $MD.getInstance("$ALGO") - metavariable-regex: metavariable: $ALGO regex: (SHA1|SHA-1) - pattern: | $DU.getSha1Digest().digest(...) - id: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key message: RSA keys should be at least 2048 bits based on NIST recommendation. languages: - kt severity: WARNING metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms category: security technology: - kotlin subcategory: - audit likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key shortlink: https://sg.run/krq7 semgrep.dev: rule: r_id: 15128 rv_id: 1263269 rule_id: nJUZNL version_id: X0TzypE url: https://semgrep.dev/playground/r/X0TzypE/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key origin: community patterns: - pattern-either: - pattern: | $KEY = $G.getInstance("RSA") ... $KEY.initialize($BITS) - metavariable-comparison: metavariable: $BITS comparison: $BITS < 2048 - id: php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query languages: - php message: Detected string concatenation with a non-literal variable in a Doctrine DBAL query method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. metadata: category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html technology: - doctrine cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query shortlink: https://sg.run/KXWn semgrep.dev: rule: r_id: 13799 rv_id: 1263270 rule_id: X5UdZj version_id: jQTn5pd url: https://semgrep.dev/playground/r/jQTn5pd/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query origin: community patterns: - pattern-either: - pattern: $CONNECTION->prepare($QUERY,...) - pattern: $CONNECTION->createQuery($QUERY,...) - pattern: $CONNECTION->executeQuery($QUERY,...) - pattern-either: - pattern-inside: | use Doctrine\DBAL\Connection; ... - pattern-inside: | $CONNECTION = $SMTH->getConnection(...); ... - pattern-not: $CONNECTION->prepare("...",...) - pattern-not: $CONNECTION->createQuery("...",...) - pattern-not: $CONNECTION->executeQuery("...",...) severity: WARNING - id: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query languages: - php message: '`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.' metadata: category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html technology: - doctrine cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query shortlink: https://sg.run/jwDJ semgrep.dev: rule: r_id: 13965 rv_id: 1263271 rule_id: kxUw23 version_id: 1QTypnG url: https://semgrep.dev/playground/r/1QTypnG/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query origin: community mode: taint pattern-sinks: - patterns: - focus-metavariable: $SINK - pattern-either: - pattern: $QUERY->add(...,$SINK,...) - pattern: $QUERY->select(...,$SINK,...) - pattern: $QUERY->addSelect(...,$SINK,...) - pattern: $QUERY->delete(...,$SINK,...) - pattern: $QUERY->update(...,$SINK,...) - pattern: $QUERY->insert(...,$SINK,...) - pattern: $QUERY->from(...,$SINK,...) - pattern: $QUERY->join(...,$SINK,...) - pattern: $QUERY->innerJoin(...,$SINK,...) - pattern: $QUERY->leftJoin(...,$SINK,...) - pattern: $QUERY->rightJoin(...,$SINK,...) - pattern: $QUERY->where(...,$SINK,...) - pattern: $QUERY->andWhere(...,$SINK,...) - pattern: $QUERY->orWhere(...,$SINK,...) - pattern: $QUERY->groupBy(...,$SINK,...) - pattern: $QUERY->addGroupBy(...,$SINK,...) - pattern: $QUERY->having(...,$SINK,...) - pattern: $QUERY->andHaving(...,$SINK,...) - pattern: $QUERY->orHaving(...,$SINK,...) - pattern: $QUERY->orderBy(...,$SINK,...) - pattern: $QUERY->addOrderBy(...,$SINK,...) - pattern: $QUERY->set($SINK,...) - pattern: $QUERY->setValue($SINK,...) - pattern-either: - pattern-inside: | $Q = $X->createQueryBuilder(); ... - pattern-inside: | $Q = new QueryBuilder(...); ... pattern-sources: - patterns: - pattern-either: - pattern: sprintf(...) - pattern: | "...".$SMTH severity: WARNING - id: php.lang.security.assert-use.assert-use mode: taint pattern-sources: - pattern-either: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: $_SERVER - patterns: - pattern: | Route::$METHOD($ROUTENAME, function(..., $ARG, ...) { ... }) - focus-metavariable: $ARG pattern-sinks: - patterns: - pattern: assert($SINK, ...); - pattern-not: assert("...", ...); - pattern: $SINK message: Calling assert with user input is equivalent to eval'ing. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' references: - https://www.php.net/manual/en/function.assert - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php category: security technology: - php confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.assert-use.assert-use shortlink: https://sg.run/3xXW semgrep.dev: rule: r_id: 9387 rv_id: 1263272 rule_id: DbUpjk version_id: 9lT4bLx url: https://semgrep.dev/playground/r/9lT4bLx/php.lang.security.assert-use.assert-use origin: community languages: - php severity: ERROR - id: php.lang.security.audit.assert-use-audit.assert-use-audit patterns: - pattern: assert($ASSERT, ...); - pattern-not: assert("...", ...); - metavariable-regex: metavariable: $ASSERT regex: \A\$[A-Za-z\[\]\-_'"\$]+(\-\>\w+)?\Z message: Calling assert with user input is equivalent to eval'ing. metadata: owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' references: - https://www.php.net/manual/en/function.assert - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/AssertsSniff.php category: security technology: - php confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.audit.assert-use-audit.assert-use-audit shortlink: https://sg.run/39eb semgrep.dev: rule: r_id: 31143 rv_id: 1263273 rule_id: nJUQ8N version_id: yeTxpz7 url: https://semgrep.dev/playground/r/yeTxpz7/php.lang.security.audit.assert-use-audit.assert-use-audit origin: community languages: - php severity: ERROR - id: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate patterns: - pattern: openssl_decrypt(...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if($DECRYPTED_STRING === false){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if($DECRYPTED_STRING == false){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if(false === $DECRYPTED_STRING){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... if(false == $DECRYPTED_STRING){ ... } - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assertTrue(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assertTrue($DECRYPTED_STRING !== false,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... $REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... $REFERENCE::assertTrue($DECRYPTED_STRING !== false,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assert(false !== $DECRYPTED_STRING,...); - pattern-not-inside: | $DECRYPTED_STRING = openssl_decrypt(...); ... assert($DECRYPTED_STRING !== false,...); message: The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`. languages: - php severity: WARNING metadata: references: - https://www.php.net/manual/en/function.openssl-decrypt.php cwe: - 'CWE-252: Unchecked Return Value' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures technology: - php - openssl category: security subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate shortlink: https://sg.run/kzn7 semgrep.dev: rule: r_id: 17328 rv_id: 1263274 rule_id: YGUAoe version_id: rxTAKXz url: https://semgrep.dev/playground/r/rxTAKXz/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate origin: community - id: php.lang.security.backticks-use.backticks-use pattern: '`...`;' message: Backticks use may lead to command injection vulnerabilities. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' references: - https://www.php.net/manual/en/language.operators.execution.php - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use shortlink: https://sg.run/4xj9 semgrep.dev: rule: r_id: 9388 rv_id: 1263276 rule_id: WAUow7 version_id: NdTzyEy url: https://semgrep.dev/playground/r/NdTzyEy/php.lang.security.backticks-use.backticks-use origin: community languages: - php severity: ERROR - id: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off patterns: - pattern-either: - pattern: | $ARG = $IS_VERIFIED; ... curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $ARG); - pattern: curl_setopt(..., CURLOPT_SSL_VERIFYPEER, $IS_VERIFIED) - metavariable-regex: metavariable: $IS_VERIFIED regex: 0|false|null message: SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED) metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/ category: security technology: - php owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off shortlink: https://sg.run/PJqv semgrep.dev: rule: r_id: 9389 rv_id: 1263277 rule_id: 0oU5Xg version_id: kbTzG9b url: https://semgrep.dev/playground/r/kbTzG9b/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off origin: community languages: - php severity: ERROR - id: php.lang.security.deserialization.extract-user-data mode: taint pattern-sources: - pattern-either: - pattern: $_GET[...] - pattern: $_FILES[...] - pattern: $_POST[...] pattern-sinks: - pattern: extract(...) pattern-sanitizers: - pattern: extract($VAR, EXTR_SKIP,...) message: Do not call 'extract()' on user-controllable data. If you must, then you must also provide the EXTR_SKIP flag to prevent overwriting existing variables. languages: - php metadata: category: security cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures technology: - php references: - https://www.php.net/manual/en/function.extract.php#refsect1-function.extract-notes cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/php.lang.security.deserialization.extract-user-data shortlink: https://sg.run/6bv1 semgrep.dev: rule: r_id: 18259 rv_id: 1263278 rule_id: nJUykq version_id: w8TRovw url: https://semgrep.dev/playground/r/w8TRovw/php.lang.security.deserialization.extract-user-data origin: community severity: ERROR - id: php.lang.security.eval-use.eval-use patterns: - pattern: eval(...); - pattern-not: eval('...'); message: Evaluating non-constant commands. This can lead to command injection. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' references: - https://www.php.net/manual/en/function.eval - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php category: security technology: - php owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/php.lang.security.eval-use.eval-use shortlink: https://sg.run/J9AP semgrep.dev: rule: r_id: 9390 rv_id: 1263279 rule_id: KxUbX3 version_id: xyTjz1X url: https://semgrep.dev/playground/r/xyTjz1X/php.lang.security.eval-use.eval-use origin: community languages: - php severity: ERROR - id: php.lang.security.exec-use.exec-use patterns: - pattern: $FUNC(...); - pattern-not: $FUNC('...', ...); - metavariable-regex: metavariable: $FUNC regex: exec|passthru|proc_open|popen|shell_exec|system|pcntl_exec message: Executing non-constant commands. This can lead to command injection. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' references: - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.exec-use.exec-use shortlink: https://sg.run/5Q1j semgrep.dev: rule: r_id: 9391 rv_id: 1263280 rule_id: qNUjye version_id: O9TpxrP url: https://semgrep.dev/playground/r/O9TpxrP/php.lang.security.exec-use.exec-use origin: community languages: - php severity: ERROR - id: php.lang.security.file-inclusion.file-inclusion message: Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly. metadata: cwe: - 'CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (''PHP Remote File Inclusion'')' references: - https://www.php.net/manual/en/function.include.php - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php - https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.file-inclusion.file-inclusion shortlink: https://sg.run/Ge56 semgrep.dev: rule: r_id: 9392 rv_id: 1263281 rule_id: lBU90N version_id: e1Tyjwx url: https://semgrep.dev/playground/r/e1Tyjwx/php.lang.security.file-inclusion.file-inclusion origin: community languages: - php severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: $_SERVER pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: basename($PATH, ...) - pattern-inside: linkinfo($PATH, ...) - pattern-inside: readlink($PATH, ...) - pattern-inside: realpath($PATH, ...) - pattern-inside: include_safe(...) pattern-sinks: - patterns: - pattern-inside: $FUNC(...); - pattern: $VAR - metavariable-regex: metavariable: $FUNC regex: \b(include|include_once|require|require_once)\b - id: php.lang.security.ftp-use.ftp-use patterns: - pattern: $FUNC(...); - metavariable-regex: metavariable: $FUNC regex: ftp_.+ message: FTP allows for unencrypted file transfers. Consider using an encrypted alternative. metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://www.php.net/manual/en/intro.ftp.php - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php category: security technology: - php owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use shortlink: https://sg.run/RoYN semgrep.dev: rule: r_id: 9393 rv_id: 1263282 rule_id: PeUZyE version_id: vdT06Jk url: https://semgrep.dev/playground/r/vdT06Jk/php.lang.security.ftp-use.ftp-use origin: community languages: - php severity: ERROR - id: php.lang.security.injection.echoed-request.echoed-request mode: taint message: '`Echo`ing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.' languages: - php severity: ERROR pattern-sources: - pattern: $_REQUEST - pattern: $_GET - pattern: $_POST pattern-sinks: - pattern: echo $...VARS; pattern-sanitizers: - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) - pattern: isset(...) - pattern: empty(...) - pattern: esc_html(...) - pattern: esc_attr(...) - pattern: wp_kses(...) - pattern: e(...) - pattern: twig_escape_filter(...) - pattern: xss_clean(...) - pattern: html_escape(...) - pattern: Html::escape(...) - pattern: Xss::filter(...) - pattern: escapeHtml(...) - pattern: escapeHtml(...) - pattern: escapeHtmlAttr(...) fix: echo htmlentities($...VARS); metadata: technology: - php cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security references: - https://www.php.net/manual/en/function.htmlentities.php - https://www.php.net/manual/en/reserved.variables.request.php - https://www.php.net/manual/en/reserved.variables.post.php - https://www.php.net/manual/en/reserved.variables.get.php - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/php.lang.security.injection.echoed-request.echoed-request shortlink: https://sg.run/Bqqb semgrep.dev: rule: r_id: 31707 rv_id: 1263283 rule_id: BYUyyg version_id: d6TyxE9 url: https://semgrep.dev/playground/r/d6TyxE9/php.lang.security.injection.echoed-request.echoed-request origin: community - id: php.lang.security.injection.printed-request.printed-request mode: taint message: '`Printing user input risks cross-site scripting vulnerability. You should use `htmlentities()` when showing data to users.' languages: - php severity: ERROR pattern-sources: - pattern: $_REQUEST - pattern: $_GET - pattern: $_POST pattern-sinks: - pattern: print($...VARS); pattern-sanitizers: - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) - pattern: isset(...) - pattern: empty(...) - pattern: esc_html(...) - pattern: esc_attr(...) - pattern: wp_kses(...) - pattern: e(...) - pattern: twig_escape_filter(...) - pattern: xss_clean(...) - pattern: html_escape(...) - pattern: Html::escape(...) - pattern: Xss::filter(...) - pattern: escapeHtml(...) - pattern: escapeHtml(...) - pattern: escapeHtmlAttr(...) fix: print(htmlentities($...VARS)); metadata: technology: - php cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security references: - https://www.php.net/manual/en/function.htmlentities.php - https://www.php.net/manual/en/reserved.variables.request.php - https://www.php.net/manual/en/reserved.variables.post.php - https://www.php.net/manual/en/reserved.variables.get.php - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request shortlink: https://sg.run/QrxEJ semgrep.dev: rule: r_id: 128886 rv_id: 1263284 rule_id: KxUvRBw version_id: ZRTKAk4 url: https://semgrep.dev/playground/r/ZRTKAk4/php.lang.security.injection.printed-request.printed-request origin: community - id: php.lang.security.injection.tainted-callable.tainted-callable severity: WARNING message: Callable based on user input risks remote code execution. metadata: technology: - php category: security cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://www.php.net/manual/en/language.types.callable.php subcategory: - vuln impact: HIGH likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable shortlink: https://sg.run/YGb33 semgrep.dev: rule: r_id: 141958 rv_id: 1263285 rule_id: 0oULBKK version_id: nWT2L5x url: https://semgrep.dev/playground/r/nWT2L5x/php.lang.security.injection.tainted-callable.tainted-callable origin: community languages: - php mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: file_get_contents('php://input') pattern-sinks: - patterns: - pattern: $CALLABLE - pattern-either: - pattern-inside: $ARRAYITERATOR->uasort($CALLABLE) - pattern-inside: $ARRAYITERATOR->uksort($CALLABLE) - pattern-inside: $EVENTHTTP->setCallback($CALLABLE, ...) - pattern-inside: $EVENTHTTPCONNECTION->setCloseCallback($CALLABLE, ...) - pattern-inside: $EVLOOP->fork($CALLABLE, ...) - pattern-inside: $EVLOOP->idle($CALLABLE, ...) - pattern-inside: $EVLOOP->prepare($CALLABLE, ...) - pattern-inside: $EVWATCHER->setCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setClientCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setCompleteCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setCreatedCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setDataCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setExceptionCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setFailCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setStatusCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setWarningCallback($CALLABLE) - pattern-inside: $GEARMANCLIENT->setWorkloadCallback($CALLABLE) - pattern-inside: $IMAGICK->setProgressMonitor($CALLABLE) - pattern-inside: $OAUTHPROVIDER->consumerHandler($CALLABLE) - pattern-inside: $OAUTHPROVIDER->tokenHandler($CALLABLE) - pattern-inside: $PDO->sqliteCreateCollation($NAME, $CALLABLE) - pattern-inside: $PDOSTATEMENT->fetchAll(PDO::FETCH_FUNC, $CALLABLE) - pattern-inside: $SQLITE3->createCollation($NAME, $CALLABLE) - pattern-inside: $SQLITE3->setAuthorizer($CALLABLE) - pattern-inside: $ZIPARCHIVE->registerCancelCallback($CALLABLE) - pattern-inside: $ZIPARCHIVE->registerProgressCallback($RATE, $CALLABLE) - pattern-inside: $ZMQDEVICE->setIdleCallback($CALLABLE, ...) - pattern-inside: $ZMQDEVICE->setTimerCallback($CALLABLE, ...) - pattern-inside: apcu_entry($KEY, $CALLABLE, ...) - pattern-inside: array_filter($ARRAY, $CALLABLE, ...) - pattern-inside: array_map($CALLABLE, ...) - pattern-inside: array_reduce($ARRAY, $CALLABLE, ...) - pattern-inside: array_walk_recursive($ARRAY, $CALLABLE, ...) - pattern-inside: array_walk($ARRAY, $CALLABLE, ...) - pattern-inside: call_user_func_array($CALLABLE, ...) - pattern-inside: call_user_func($CALLABLE, ...) - pattern-inside: Closure::fromCallable($CALLABLE) - pattern-inside: createCollation($NAME, $CALLABLE) - pattern-inside: eio_grp($CALLABLE, ...) - pattern-inside: eio_nop($PRI, $CALLABLE, ...) - pattern-inside: eio_sync($PRI, $CALLABLE, ...) - pattern-inside: EvPrepare::createStopped($CALLABLE, ...) - pattern-inside: fann_set_callback($ANN, $CALLABLE) - pattern-inside: fdf_enum_values($FDF_DOCUMENT, $CALLABLE, ...) - pattern-inside: forward_static_call_array($CALLABLE, ...) - pattern-inside: forward_static_call($CALLABLE, ...) - pattern-inside: header_register_callback($CALLABLE) - pattern-inside: ibase_set_event_handler($CALLABLE, ...) - pattern-inside: IntlChar::enumCharTypes($CALLABLE) - pattern-inside: iterator_apply($ITERATOR, $CALLABLE) - pattern-inside: ldap_set_rebind_proc($LDAP, $CALLABLE) - pattern-inside: libxml_set_external_entity_loader($CALLABLE, ...) - pattern-inside: new CallbackFilterIterator($ITERATOR, $CALLABLE) - pattern-inside: new EvCheck($CALLABLE, ...) - pattern-inside: new EventHttpRequest($CALLABLE, ...) - pattern-inside: new EvFork($CALLABLE, ...) - pattern-inside: new EvIdle($CALLABLE, ...) - pattern-inside: new Fiber($CALLABLE) - pattern-inside: new Memcached($PERSISTENT_ID, $CALLABLE, ...) - pattern-inside: new RecursiveCallbackFilterIterator($ITERATOR, $CALLABLE) - pattern-inside: new Zookeeper($HOST, $CALLABLE, ...) - pattern-inside: ob_start($CALLABLE, ...) - pattern-inside: oci_register_taf_callback($CONNECTION, $CALLABLE) - pattern-inside: readline_callback_handler_install($PROMPT, $CALLABLE) - pattern-inside: readline_completion_function($CALLABLE) - pattern-inside: register_shutdown_function($CALLABLE, ...) - pattern-inside: register_tick_function($CALLABLE, ...) - pattern-inside: rnp_ffi_set_pass_provider($FFI, $CALLABLE) - pattern-inside: sapi_windows_set_ctrl_handler($CALLABLE, ...) - pattern-inside: set_error_handler($CALLABLE, ...) - pattern-inside: set_exception_handler($CALLABLE) - pattern-inside: setAuthorizer($CALLABLE) - pattern-inside: spl_autoload_register($CALLABLE, ...) - pattern-inside: uasort($ARRAY, $CALLABLE) - pattern-inside: uksort($ARRAY, $CALLABLE) - pattern-inside: usort($ARRAY, $CALLABLE) - pattern-inside: xml_set_character_data_handler($PARSER, $CALLABLE) - pattern-inside: xml_set_default_handler($PARSER, $CALLABLE) - pattern-inside: xml_set_element_handler($PARSER, $CALLABLE, $CALLABLE) - pattern-inside: xml_set_notation_decl_handler($PARSER, $CALLABLE) - pattern-inside: Yar_Concurrent_Client::loop($CALLABLE, ...) - id: php.lang.security.injection.tainted-exec.tainted-exec languages: - php severity: WARNING message: User input is passed to a function that executes a shell command. This can lead to remote code execution. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln impact: HIGH likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec shortlink: https://sg.run/kxEEz semgrep.dev: rule: r_id: 146572 rv_id: 1263286 rule_id: 10UOGG5 version_id: ExTExyR url: https://semgrep.dev/playground/r/ExTExyR/php.lang.security.injection.tainted-exec.tainted-exec origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: file_get_contents('php://input') pattern-sanitizers: - patterns: - pattern-either: - pattern: escapeshellcmd(...) - pattern: escapeshellarg(...) pattern-sinks: - patterns: - pattern-either: - pattern: exec(...) - pattern: system(...) - pattern: passthru(...) - patterns: - pattern: proc_open(...) - pattern-not: proc_open([...], ...) - pattern: popen(...) - pattern: expect_popen(...) - pattern: shell_exec(...) - pattern: | `...` - id: php.lang.security.injection.tainted-filename.tainted-filename severity: WARNING message: File name based on user input risks server-side request forgery. metadata: technology: - php category: security cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29 cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename shortlink: https://sg.run/Ayqp semgrep.dev: rule: r_id: 16250 rv_id: 1263287 rule_id: 5rUpro version_id: 7ZTE3J1 url: https://semgrep.dev/playground/r/7ZTE3J1/php.lang.security.injection.tainted-filename.tainted-filename origin: community languages: - php mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: $_SERVER pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: basename($PATH, ...) - pattern-inside: linkinfo($PATH, ...) - pattern-inside: readlink($PATH, ...) - pattern-inside: realpath($PATH, ...) pattern-sinks: - patterns: - pattern-either: - pattern-inside: opcache_compile_file($FILENAME, ...) - pattern-inside: opcache_invalidate($FILENAME, ...) - pattern-inside: opcache_is_script_cached($FILENAME, ...) - pattern-inside: runkit7_import($FILENAME, ...) - pattern-inside: readline_read_history($FILENAME, ...) - pattern-inside: readline_write_history($FILENAME, ...) - pattern-inside: rar_open($FILENAME, ...) - pattern-inside: zip_open($FILENAME, ...) - pattern-inside: gzfile($FILENAME, ...) - pattern-inside: gzopen($FILENAME, ...) - pattern-inside: readgzfile($FILENAME, ...) - pattern-inside: hash_file($ALGO, $FILENAME, ...) - pattern-inside: hash_update_file($CONTEXT, $FILENAME, ...) - pattern-inside: pg_trace($FILENAME, ...) - pattern-inside: dio_open($FILENAME, ...) - pattern-inside: finfo_file($FINFO, $FILENAME, ...) - pattern-inside: mime_content_type($FILENAME, ...) - pattern-inside: chgrp($FILENAME, ...) - pattern-inside: chmod($FILENAME, ...) - pattern-inside: chown($FILENAME, ...) - pattern-inside: clearstatcache($CLEAR_REALPATH_CACHE, $FILENAME, ...) - pattern-inside: file_exists($FILENAME, ...) - pattern-inside: file_get_contents($FILENAME, ...) - pattern-inside: file_put_contents($FILENAME, ...) - pattern-inside: file($FILENAME, ...) - pattern-inside: fileatime($FILENAME, ...) - pattern-inside: filectime($FILENAME, ...) - pattern-inside: filegroup($FILENAME, ...) - pattern-inside: fileinode($FILENAME, ...) - pattern-inside: filemtime($FILENAME, ...) - pattern-inside: fileowner($FILENAME, ...) - pattern-inside: fileperms($FILENAME, ...) - pattern-inside: filesize($FILENAME, ...) - pattern-inside: filetype($FILENAME, ...) - pattern-inside: fnmatch($PATTERN, $FILENAME, ...) - pattern-inside: fopen($FILENAME, ...) - pattern-inside: is_dir($FILENAME, ...) - pattern-inside: is_executable($FILENAME, ...) - pattern-inside: is_file($FILENAME, ...) - pattern-inside: is_link($FILENAME, ...) - pattern-inside: is_readable($FILENAME, ...) - pattern-inside: is_uploaded_file($FILENAME, ...) - pattern-inside: is_writable($FILENAME, ...) - pattern-inside: lchgrp($FILENAME, ...) - pattern-inside: lchown($FILENAME, ...) - pattern-inside: lstat($FILENAME, ...) - pattern-inside: parse_ini_file($FILENAME, ...) - pattern-inside: readfile($FILENAME, ...) - pattern-inside: stat($FILENAME, ...) - pattern-inside: touch($FILENAME, ...) - pattern-inside: unlink($FILENAME, ...) - pattern-inside: xattr_get($FILENAME, ...) - pattern-inside: xattr_list($FILENAME, ...) - pattern-inside: xattr_remove($FILENAME, ...) - pattern-inside: xattr_set($FILENAME, ...) - pattern-inside: xattr_supported($FILENAME, ...) - pattern-inside: enchant_broker_request_pwl_dict($BROKER, $FILENAME, ...) - pattern-inside: pspell_config_personal($CONFIG, $FILENAME, ...) - pattern-inside: pspell_config_repl($CONFIG, $FILENAME, ...) - pattern-inside: pspell_new_personal($FILENAME, ...) - pattern-inside: exif_imagetype($FILENAME, ...) - pattern-inside: getimagesize($FILENAME, ...) - pattern-inside: image2wbmp($IMAGE, $FILENAME, ...) - pattern-inside: imagecreatefromavif($FILENAME, ...) - pattern-inside: imagecreatefrombmp($FILENAME, ...) - pattern-inside: imagecreatefromgd2($FILENAME, ...) - pattern-inside: imagecreatefromgd2part($FILENAME, ...) - pattern-inside: imagecreatefromgd($FILENAME, ...) - pattern-inside: imagecreatefromgif($FILENAME, ...) - pattern-inside: imagecreatefromjpeg($FILENAME, ...) - pattern-inside: imagecreatefrompng($FILENAME, ...) - pattern-inside: imagecreatefromtga($FILENAME, ...) - pattern-inside: imagecreatefromwbmp($FILENAME, ...) - pattern-inside: imagecreatefromwebp($FILENAME, ...) - pattern-inside: imagecreatefromxbm($FILENAME, ...) - pattern-inside: imagecreatefromxpm($FILENAME, ...) - pattern-inside: imageloadfont($FILENAME, ...) - pattern-inside: imagexbm($IMAGE, $FILENAME, ...) - pattern-inside: iptcembed($IPTC_DATA, $FILENAME, ...) - pattern-inside: mailparse_msg_extract_part_file($MIMEMAIL, $FILENAME, ...) - pattern-inside: mailparse_msg_extract_whole_part_file($MIMEMAIL, $FILENAME, ...) - pattern-inside: mailparse_msg_parse_file($FILENAME, ...) - pattern-inside: fdf_add_template($FDF_DOCUMENT, $NEWPAGE, $FILENAME, ...) - pattern-inside: fdf_get_ap($FDF_DOCUMENT, $FIELD, $FACE, $FILENAME, ...) - pattern-inside: fdf_open($FILENAME, ...) - pattern-inside: fdf_save($FDF_DOCUMENT, $FILENAME, ...) - pattern-inside: fdf_set_ap($FDF_DOCUMENT, $FIELD_NAME, $FACE, $FILENAME, ...) - pattern-inside: ps_add_launchlink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, ...) - pattern-inside: ps_add_pdflink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, ...) - pattern-inside: ps_open_file($PSDOC, $FILENAME, ...) - pattern-inside: ps_open_image_file($PSDOC, $TYPE, $FILENAME, ...) - pattern-inside: posix_access($FILENAME, ...) - pattern-inside: posix_mkfifo($FILENAME, ...) - pattern-inside: posix_mknod($FILENAME, ...) - pattern-inside: ftok($FILENAME, ...) - pattern-inside: fann_cascadetrain_on_file($ANN, $FILENAME, ...) - pattern-inside: fann_read_train_from_file($FILENAME, ...) - pattern-inside: fann_train_on_file($ANN, $FILENAME, ...) - pattern-inside: highlight_file($FILENAME, ...) - pattern-inside: php_strip_whitespace($FILENAME, ...) - pattern-inside: stream_resolve_include_path($FILENAME, ...) - pattern-inside: swoole_async_read($FILENAME, ...) - pattern-inside: swoole_async_readfile($FILENAME, ...) - pattern-inside: swoole_async_write($FILENAME, ...) - pattern-inside: swoole_async_writefile($FILENAME, ...) - pattern-inside: swoole_load_module($FILENAME, ...) - pattern-inside: tidy_parse_file($FILENAME, ...) - pattern-inside: tidy_repair_file($FILENAME, ...) - pattern-inside: get_meta_tags($FILENAME, ...) - pattern-inside: yaml_emit_file($FILENAME, ...) - pattern-inside: yaml_parse_file($FILENAME, ...) - pattern-inside: curl_file_create($FILENAME, ...) - pattern-inside: ftp_chmod($FTP, $PERMISSIONS, $FILENAME, ...) - pattern-inside: ftp_delete($FTP, $FILENAME, ...) - pattern-inside: ftp_mdtm($FTP, $FILENAME, ...) - pattern-inside: ftp_size($FTP, $FILENAME, ...) - pattern-inside: rrd_create($FILENAME, ...) - pattern-inside: rrd_fetch($FILENAME, ...) - pattern-inside: rrd_graph($FILENAME, ...) - pattern-inside: rrd_info($FILENAME, ...) - pattern-inside: rrd_last($FILENAME, ...) - pattern-inside: rrd_lastupdate($FILENAME, ...) - pattern-inside: rrd_tune($FILENAME, ...) - pattern-inside: rrd_update($FILENAME, ...) - pattern-inside: snmp_read_mib($FILENAME, ...) - pattern-inside: ssh2_sftp_chmod($SFTP, $FILENAME, ...) - pattern-inside: ssh2_sftp_realpath($SFTP, $FILENAME, ...) - pattern-inside: ssh2_sftp_unlink($SFTP, $FILENAME, ...) - pattern-inside: apache_lookup_uri($FILENAME, ...) - pattern-inside: md5_file($FILENAME, ...) - pattern-inside: sha1_file($FILENAME, ...) - pattern-inside: simplexml_load_file($FILENAME, ...) - pattern: $FILENAME - id: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation languages: - php severity: WARNING message: <- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application. metadata: cwe: - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe Reflection'')' category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation shortlink: https://sg.run/7ndw semgrep.dev: rule: r_id: 16438 rv_id: 1263288 rule_id: v8U4DA version_id: LjTkgLy url: https://semgrep.dev/playground/r/LjTkgLy/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: $_SERVER pattern-sinks: - patterns: - pattern-either: - pattern-inside: new $SINK(...) - pattern: $SINK - id: php.lang.security.injection.tainted-session.tainted-session severity: WARNING message: Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues. metadata: technology: - php category: security cwe: - 'CWE-284: Improper Access Control' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://en.wikipedia.org/wiki/Session_poisoning cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session shortlink: https://sg.run/bxNp semgrep.dev: rule: r_id: 73470 rv_id: 1263289 rule_id: 4bUdoP version_id: 8KT5rPE url: https://semgrep.dev/playground/r/8KT5rPE/php.lang.security.injection.tainted-session.tainted-session origin: community languages: - php mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST pattern-sanitizers: - patterns: - pattern-either: - pattern: $A . $B - pattern: bin2hex(...) - pattern: crc32(...) - pattern: crypt(...) - pattern: filter_input(...) - pattern: filter_var(...) - pattern: hash(...) - pattern: md5(...) - pattern: preg_filter(...) - pattern: preg_grep(...) - pattern: preg_match_all(...) - pattern: sha1(...) - pattern: sprintf(...) - pattern: str_contains(...) - pattern: str_ends_with(...) - pattern: str_starts_with(...) - pattern: strcasecmp(...) - pattern: strchr(...) - pattern: stripos(...) - pattern: stristr(...) - pattern: strnatcasecmp(...) - pattern: strnatcmp(...) - pattern: strncmp(...) - pattern: strpbrk(...) - pattern: strpos(...) - pattern: strripos(...) - pattern: strrpos(...) - pattern: strspn(...) - pattern: strstr(...) - pattern: strtok(...) - pattern: substr_compare(...) - pattern: substr_count(...) - pattern: vsprintf(...) pattern-sinks: - patterns: - pattern-inside: $_SESSION[$KEY] = $VAL; - pattern: $KEY - id: php.lang.security.injection.tainted-sql-string.tainted-sql-string languages: - php severity: ERROR message: User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare("INSERT INTO test(id, label) VALUES (?, ?)");`) or a safe library. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/SQL_Injection category: security technology: - php cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/lZYG semgrep.dev: rule: r_id: 14757 rv_id: 1263290 rule_id: qNUXdL version_id: gETB7vY url: https://semgrep.dev/playground/r/gETB7vY/php.lang.security.injection.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sanitizers: - pattern-either: - pattern: mysqli_real_escape_string(...) - pattern: real_escape_string(...) - pattern: $MYSQLI->real_escape_string(...) pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST pattern-sinks: - pattern-either: - patterns: - pattern: | sprintf($SQLSTR, ...) - metavariable-regex: metavariable: $SQLSTR regex: (?is).*\b(select|delete|insert|create|update|alter|drop)\b.* - patterns: - pattern: | "...$EXPR..." - metavariable-regex: metavariable: $EXPR regex: (?is).*\b(select|delete|insert|create|update|alter|drop)\b.* - patterns: - pattern: | "$SQLSTR".$EXPR - metavariable-regex: metavariable: $SQLSTR regex: (?is).*\b(select|delete|insert|create|update|alter|drop)\b.* - id: php.lang.security.injection.tainted-url-host.tainted-url-host languages: - php severity: WARNING message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - php cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/Y8no semgrep.dev: rule: r_id: 14758 rv_id: 1263291 rule_id: lBU8K1 version_id: QkTGqRd url: https://semgrep.dev/playground/r/QkTGqRd/php.lang.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST pattern-sinks: - pattern-either: - patterns: - pattern: | sprintf($URLSTR, ...) - metavariable-pattern: metavariable: $URLSTR language: generic pattern: $SCHEME://%s - patterns: - pattern: | "...{$EXPR}..." - pattern-regex: | .*://\{.* - patterns: - pattern: | "...$EXPR..." - pattern-regex: | .*://\$.* - patterns: - pattern: | "...".$EXPR - pattern-regex: | .*://["'].* - id: php.lang.security.ldap-bind-without-password.ldap-bind-without-password patterns: - pattern-either: - pattern: ldap_bind($LDAP, $DN, NULL) - pattern: ldap_bind($LDAP, $DN, '') - patterns: - pattern: ldap_bind(...) - pattern-not: ldap_bind($LDAP, $DN, $PASSWORD) message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. metadata: references: - https://www.php.net/manual/en/function.ldap-bind.php cwe: - 'CWE-287: Improper Authentication' owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures category: security technology: - php cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/php.lang.security.ldap-bind-without-password.ldap-bind-without-password shortlink: https://sg.run/18Rv semgrep.dev: rule: r_id: 13966 rv_id: 1263292 rule_id: wdUjA5 version_id: 3ZT4X56 url: https://semgrep.dev/playground/r/3ZT4X56/php.lang.security.ldap-bind-without-password.ldap-bind-without-password origin: community languages: - php severity: WARNING - id: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval patterns: - pattern: mb_ereg_replace($PATTERN, $REPL, $STR, $OPTIONS); - pattern-not: mb_ereg_replace($PATTERN, $REPL, $STR, "..."); message: Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' references: - https://www.php.net/manual/en/function.mb-ereg-replace.php - https://www.php.net/manual/en/function.mb-regex-set-options.php category: security technology: - php owasp: - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval shortlink: https://sg.run/AvdB semgrep.dev: rule: r_id: 9394 rv_id: 1263293 rule_id: JDUyj4 version_id: 44TEjKQ url: https://semgrep.dev/playground/r/44TEjKQ/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval origin: community languages: - php severity: ERROR - id: php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv patterns: - pattern-either: - pattern: openssl_encrypt($D, $M, $K, $FLAGS, "...",...); - pattern: openssl_decrypt($D, $M, $K, $FLAGS, "...",...); - metavariable-comparison: metavariable: $M comparison: re.match(".*-CBC",$M) message: Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext attacks against encrypted data. languages: - php severity: ERROR metadata: cwe: - 'CWE-329: Generation of Predictable IV with CBC Mode' references: - https://csrc.nist.gov/publications/detail/sp/800-38a/final owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures technology: - php - openssl category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv shortlink: https://sg.run/LgWJ semgrep.dev: rule: r_id: 19039 rv_id: 1263295 rule_id: DbUGbE version_id: JdTzxOD url: https://semgrep.dev/playground/r/JdTzxOD/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv origin: community - id: php.lang.security.php-permissive-cors.php-permissive-cors patterns: - pattern: header($VALUE,...) - pattern-either: - pattern: header("...",...) - pattern-inside: | $VALUE = "..."; ... - metavariable-regex: metavariable: $VALUE regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*:\s*(\*)\s*(\'|\") message: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. metadata: references: - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-346: Origin Validation Error' category: security technology: - php subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors shortlink: https://sg.run/y1XR semgrep.dev: rule: r_id: 13968 rv_id: 1263296 rule_id: OrU6JZ version_id: 5PTo1KA url: https://semgrep.dev/playground/r/5PTo1KA/php.lang.security.php-permissive-cors.php-permissive-cors origin: community languages: - php severity: WARNING - id: php.lang.security.php-ssrf.php-ssrf patterns: - pattern-either: - pattern: | $VAR=$DATA; ... $FUNCS(...,$VAR, ...); - pattern: $FUNCS(...,$DATA, ...); - metavariable-pattern: metavariable: $DATA patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - metavariable-pattern: metavariable: $FUNCS patterns: - pattern-either: - pattern: curl_setopt - pattern: fopen - pattern: file_get_contents - pattern: curl_init - pattern: readfile message: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Dangerous function $FUNCS with payload $DATA metadata: references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' category: security technology: - php owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/php.lang.security.php-ssrf.php-ssrf shortlink: https://sg.run/OAw2 semgrep.dev: rule: r_id: 36775 rv_id: 1263297 rule_id: qNUJlw version_id: GxTkeb8 url: https://semgrep.dev/playground/r/GxTkeb8/php.lang.security.php-ssrf.php-ssrf origin: community languages: - php severity: ERROR - id: php.lang.security.phpinfo-use.phpinfo-use pattern: phpinfo(...); message: The 'phpinfo' function may reveal sensitive information about your environment. metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' references: - https://www.php.net/manual/en/function.phpinfo - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php category: security technology: - php owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use shortlink: https://sg.run/W82E semgrep.dev: rule: r_id: 9397 rv_id: 1263298 rule_id: ReUglY version_id: RGT0LN0 url: https://semgrep.dev/playground/r/RGT0LN0/php.lang.security.phpinfo-use.phpinfo-use origin: community languages: - php severity: ERROR - id: php.lang.security.redirect-to-request-uri.redirect-to-request-uri patterns: - pattern-either: - pattern: | header('$LOCATION' . $_SERVER['REQUEST_URI']); - pattern: | header('$LOCATION' . $_SERVER['REQUEST_URI'] . $MORE); - metavariable-regex: metavariable: $LOCATION regex: ^(?i)location:\s*$ message: Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain. metadata: references: - https://www.php.net/manual/en/reserved.variables.server.php - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html category: security technology: - php owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' likelihood: MEDIUM impact: LOW confidence: MEDIUM subcategory: - vuln license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/php.lang.security.redirect-to-request-uri.redirect-to-request-uri shortlink: https://sg.run/RWl2 semgrep.dev: rule: r_id: 35493 rv_id: 1263299 rule_id: 3qUb4n version_id: A8Tgdvq url: https://semgrep.dev/playground/r/A8Tgdvq/php.lang.security.redirect-to-request-uri.redirect-to-request-uri origin: community languages: - php severity: WARNING - id: php.lang.security.unlink-use.unlink-use patterns: - pattern: unlink(...) - pattern-not: unlink("...",...) message: Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to. metadata: references: - https://www.php.net/manual/en/function.unlink - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html category: security technology: - php owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use shortlink: https://sg.run/rYeR semgrep.dev: rule: r_id: 13969 rv_id: 1263301 rule_id: eqUzDE version_id: DkTRbBX url: https://semgrep.dev/playground/r/DkTRbBX/php.lang.security.unlink-use.unlink-use origin: community languages: - php severity: WARNING - id: php.lang.security.unserialize-use.unserialize-use patterns: - pattern: unserialize(...) - pattern-not: unserialize("...",...) message: Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers). metadata: references: - https://www.php.net/manual/en/function.unserialize.php - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html category: security technology: - php owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use shortlink: https://sg.run/b24E semgrep.dev: rule: r_id: 13970 rv_id: 1263302 rule_id: v8U9OJ version_id: WrTqKeJ url: https://semgrep.dev/playground/r/WrTqKeJ/php.lang.security.unserialize-use.unserialize-use origin: community languages: - php severity: WARNING - id: php.lang.security.weak-crypto.weak-crypto patterns: - pattern-either: - pattern: crypt(...) - pattern: hash('md5', ...) - pattern: hash('sha1', ...) - pattern: md5_file(...) - pattern: md5(...) - pattern: sha1_file(...) - pattern: sha1(...) - pattern: str_rot13(...) message: Detected usage of weak crypto function. Consider using stronger alternatives. metadata: cwe: - 'CWE-328: Use of Weak Hash' references: - https://www.php.net/manual/en/book.sodium.php - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php category: security technology: - php owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/php.lang.security.weak-crypto.weak-crypto shortlink: https://sg.run/KlBn semgrep.dev: rule: r_id: 9399 rv_id: 1263303 rule_id: BYUNAg version_id: 0bTKz09 url: https://semgrep.dev/playground/r/0bTKz09/php.lang.security.weak-crypto.weak-crypto origin: community languages: - php severity: ERROR - id: php.laravel.security.laravel-active-debug-code.laravel-active-debug-code patterns: - pattern-either: - pattern: | putenv("APP_DEBUG=true") - pattern: | config(['app.debug' => 'true']) - pattern: | $_ENV["APP_DEBUG"] = 'true' message: Found an instance setting the APP_DEBUG environment variable to true. In your production environment, this should always be false. Otherwise, you risk exposing sensitive configuration values to potential attackers. Instead, set this to false. languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-489: Active Debug Code' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md - https://laravel.com/docs/9.x/configuration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/php.laravel.security.laravel-active-debug-code.laravel-active-debug-code shortlink: https://sg.run/3G3D semgrep.dev: rule: r_id: 23087 rv_id: 1263304 rule_id: oqUZ7A version_id: K3TKkAO url: https://semgrep.dev/playground/r/K3TKkAO/php.laravel.security.laravel-active-debug-code.laravel-active-debug-code origin: community - id: php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection mode: taint pattern-sources: - patterns: - focus-metavariable: $ARG - pattern-inside: | Route::$METHOD($ROUTE_NAME, function(...,$ARG,...){...}) pattern-sanitizers: - patterns: - pattern: | DB::raw("...",[...]) pattern-sinks: - patterns: - pattern: | DB::raw(...) message: HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation. languages: - php severity: WARNING metadata: category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md technology: - php - laravel cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection shortlink: https://sg.run/x94g semgrep.dev: rule: r_id: 21674 rv_id: 1263305 rule_id: zdUln0 version_id: qkTR7A9 url: https://semgrep.dev/playground/r/qkTR7A9/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection origin: community - id: php.laravel.security.laravel-blade-form-missing-csrf.laravel-blade-form-missing-csrf message: Detected a form executing a state-changing HTTP method `$METHOD` to route definition `$...ROUTE` without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' cwe2021-top25: true cwe2022-top25: true owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://laravel.com/docs/9.x/csrf subcategory: - audit technology: - php - laravel - blade license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/php.laravel.security.laravel-blade-form-missing-csrf.laravel-blade-form-missing-csrf shortlink: https://sg.run/Obyn semgrep.dev: rule: r_id: 21675 rv_id: 1263306 rule_id: pKUNzd version_id: l4TJR3Y url: https://semgrep.dev/playground/r/l4TJR3Y/php.laravel.security.laravel-blade-form-missing-csrf.laravel-blade-form-missing-csrf origin: community languages: - generic paths: include: - '*.blade.php' patterns: - pattern: | action="$...ROUTE" - pattern-inside: |
... - pattern-not-inside: | - metavariable-pattern: metavariable: $...ROUTE language: generic patterns: - pattern-not-regex: \A\s*\Z - pattern-not: '#' - metavariable-regex: metavariable: $METHOD regex: (?i)(post|put|patch|delete) - pattern-not-inside: | ... ... ... @csrf - pattern-not-inside: | ... ... ... csrf_field() - pattern-not-inside: | ... ... ... csrf_token() - id: php.laravel.security.laravel-cookie-http-only.laravel-cookie-http-only patterns: - pattern: | 'cookie' - pattern-inside: | return [ ..., 'cookie' => env(...), ... ]; - pattern-not-inside: | return [ ..., 'http_only' => true, ... ]; - pattern-not-inside: | return [ ..., 'http_only' => env('$NAME', $DEFAULT), ... ]; paths: include: - '*session.php' message: 'Found a configuration file where the HttpOnly attribute is not set to true. Setting `http_only` to true makes sure that your cookies are inaccessible from Javascript, which mitigates XSS attacks. Instead, set the ''http_only'' like so: `http_only` => true ' languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/php.laravel.security.laravel-cookie-http-only.laravel-cookie-http-only shortlink: https://sg.run/4Rz7 semgrep.dev: rule: r_id: 23088 rv_id: 1263307 rule_id: zdUlxE version_id: YDTZegg url: https://semgrep.dev/playground/r/YDTZegg/php.laravel.security.laravel-cookie-http-only.laravel-cookie-http-only origin: community - id: php.laravel.security.laravel-cookie-long-timeout.laravel-cookie-long-timeout patterns: - pattern: | 'lifetime' - pattern-inside: | return [ ..., 'lifetime' => $TIME, ... ]; - pattern-not-inside: | return [ ..., 'lifetime' => env("$VAR", $DEFAULT), ... ]; - metavariable-comparison: metavariable: $TIME comparison: $TIME > 30 paths: include: - '*session.php' message: Found a configuration file where the lifetime attribute is over 30 minutes. languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/php.laravel.security.laravel-cookie-long-timeout.laravel-cookie-long-timeout shortlink: https://sg.run/P1R0 semgrep.dev: rule: r_id: 23089 rv_id: 1263308 rule_id: pKUNB7 version_id: JdTzxOw url: https://semgrep.dev/playground/r/JdTzxOw/php.laravel.security.laravel-cookie-long-timeout.laravel-cookie-long-timeout origin: community - id: php.laravel.security.laravel-cookie-null-domain.laravel-cookie-null-domain patterns: - pattern: | 'cookie' - pattern-inside: | return [ ..., 'cookie' => env(...), ... ]; - pattern-not-inside: | return [ ..., 'domain' => null, ... ]; - pattern-not-inside: | return [ ..., 'domain' => env('$NAME', $DEFAULT), ... ]; paths: include: - '*session.php' message: 'Found a configuration file where the domain attribute is not set to null. It is recommended (unless you are using sub-domain route registrations) to set this attribute to null so that only the same origin can set the cookie, thus protecting your cookies. ' languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/php.laravel.security.laravel-cookie-null-domain.laravel-cookie-null-domain shortlink: https://sg.run/JbLk semgrep.dev: rule: r_id: 23090 rv_id: 1263309 rule_id: 2ZUYDx version_id: 5PTo1K0 url: https://semgrep.dev/playground/r/5PTo1K0/php.laravel.security.laravel-cookie-null-domain.laravel-cookie-null-domain origin: community - id: php.laravel.security.laravel-cookie-same-site.laravel-cookie-same-site patterns: - pattern: | 'cookie' - pattern-inside: | return [ ..., 'cookie' => env(...), ... ]; - pattern-not-inside: | return [ ..., 'same_site' => 'lax', ... ]; - pattern-not-inside: | return [ ..., 'same_site' => 'strict', ... ]; - pattern-not-inside: | return [ ..., 'same_site' => env('$NAME', $DEFAULT), ... ]; paths: include: - '*session.php' message: Found a configuration file where the same_site attribute is not set to 'lax' or 'strict'. Setting 'same_site' to 'lax' or 'strict' restricts cookies to a first-party or same-site context, which will protect your cookies and prevent CSRF. languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/php.laravel.security.laravel-cookie-same-site.laravel-cookie-same-site shortlink: https://sg.run/5Apk semgrep.dev: rule: r_id: 23091 rv_id: 1263310 rule_id: X5ULvK version_id: GxTkebK url: https://semgrep.dev/playground/r/GxTkebK/php.laravel.security.laravel-cookie-same-site.laravel-cookie-same-site origin: community - id: php.laravel.security.laravel-cookie-secure-set.laravel-cookie-secure-set patterns: - pattern: | 'cookie' - pattern-inside: | return [ ..., 'cookie' => env(...), ... ]; - pattern-not-inside: | return [ ..., 'secure' => true, ... ]; - pattern-not-inside: | return [ ..., 'secure' => env('$NAME', $DEFAULT), ... ]; paths: include: - '*session.php' message: 'Found a configuration file where the secure attribute is not set to ''true''. Setting ''secure'' to ''true'' prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man in the middle attacks. ' languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - php - laravel references: - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/php.laravel.security.laravel-cookie-secure-set.laravel-cookie-secure-set shortlink: https://sg.run/GXnG semgrep.dev: rule: r_id: 23092 rv_id: 1263311 rule_id: j2UzE5 version_id: RGT0LN6 url: https://semgrep.dev/playground/r/RGT0LN6/php.laravel.security.laravel-cookie-secure-set.laravel-cookie-secure-set origin: community - id: php.laravel.security.laravel-sql-injection.laravel-sql-injection metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' category: security technology: - laravel references: - https://laravel.com/docs/8.x/queries cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection shortlink: https://sg.run/x40p semgrep.dev: rule: r_id: 16830 rv_id: 1263313 rule_id: j2UQdp version_id: BjTkZ45 url: https://semgrep.dev/playground/r/BjTkZ45/php.laravel.security.laravel-sql-injection.laravel-sql-injection origin: community severity: WARNING message: Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements. languages: - php mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET - pattern: $_POST - pattern: $_COOKIE - pattern: $_REQUEST - pattern: $_SERVER pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: $SQL - pattern-either: - pattern-inside: DB::table(...)->whereRaw($SQL, ...) - pattern-inside: DB::table(...)->orWhereRaw($SQL, ...) - pattern-inside: DB::table(...)->groupByRaw($SQL, ...) - pattern-inside: DB::table(...)->havingRaw($SQL, ...) - pattern-inside: DB::table(...)->orHavingRaw($SQL, ...) - pattern-inside: DB::table(...)->orderByRaw($SQL, ...) - patterns: - pattern: $EXPRESSION - pattern-either: - pattern-inside: DB::table(...)->selectRaw($EXPRESSION, ...) - pattern-inside: DB::table(...)->fromRaw($EXPRESSION, ...) - patterns: - pattern: $COLUMNS - pattern-either: - pattern-inside: DB::table(...)->whereNull($COLUMNS, ...) - pattern-inside: DB::table(...)->orWhereNull($COLUMN) - pattern-inside: DB::table(...)->whereNotNull($COLUMNS, ...) - pattern-inside: DB::table(...)->whereRowValues($COLUMNS, ...) - pattern-inside: DB::table(...)->orWhereRowValues($COLUMNS, ...) - pattern-inside: DB::table(...)->find($ID, $COLUMNS) - pattern-inside: DB::table(...)->paginate($PERPAGE, $COLUMNS, ...) - pattern-inside: DB::table(...)->simplePaginate($PERPAGE, $COLUMNS, ...) - pattern-inside: DB::table(...)->cursorPaginate($PERPAGE, $COLUMNS, ...) - pattern-inside: DB::table(...)->getCountForPagination($COLUMNS) - pattern-inside: DB::table(...)->aggregate($FUNCTION, $COLUMNS) - pattern-inside: DB::table(...)->numericAggregate($FUNCTION, $COLUMNS) - pattern-inside: DB::table(...)->insertUsing($COLUMNS, ...) - pattern-inside: DB::table(...)->select($COLUMNS) - pattern-inside: DB::table(...)->get($COLUMNS) - pattern-inside: DB::table(...)->count($COLUMNS) - patterns: - pattern: $COLUMN - pattern-either: - pattern-inside: DB::table(...)->whereIn($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereIn($COLUMN, ...) - pattern-inside: DB::table(...)->whereNotIn($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereNotIn($COLUMN, ...) - pattern-inside: DB::table(...)->whereIntegerInRaw($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereIntegerInRaw($COLUMN, ...) - pattern-inside: DB::table(...)->whereIntegerNotInRaw($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereIntegerNotInRaw($COLUMN, ...) - pattern-inside: DB::table(...)->whereBetweenColumns($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereBetween($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereBetweenColumns($COLUMN, ...) - pattern-inside: DB::table(...)->whereNotBetween($COLUMN, ...) - pattern-inside: DB::table(...)->whereNotBetweenColumns($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereNotBetween($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereNotBetweenColumns($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereNotNull($COLUMN) - pattern-inside: DB::table(...)->whereDate($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereDate($COLUMN, ...) - pattern-inside: DB::table(...)->whereTime($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereTime($COLUMN, ...) - pattern-inside: DB::table(...)->whereDay($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereDay($COLUMN, ...) - pattern-inside: DB::table(...)->whereMonth($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereMonth($COLUMN, ...) - pattern-inside: DB::table(...)->whereYear($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereYear($COLUMN, ...) - pattern-inside: DB::table(...)->whereJsonContains($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereJsonContains($COLUMN, ...) - pattern-inside: DB::table(...)->whereJsonDoesntContain($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereJsonDoesntContain($COLUMN, ...) - pattern-inside: DB::table(...)->whereJsonLength($COLUMN, ...) - pattern-inside: DB::table(...)->orWhereJsonLength($COLUMN, ...) - pattern-inside: DB::table(...)->having($COLUMN, ...) - pattern-inside: DB::table(...)->orHaving($COLUMN, ...) - pattern-inside: DB::table(...)->havingBetween($COLUMN, ...) - pattern-inside: DB::table(...)->orderBy($COLUMN, ...) - pattern-inside: DB::table(...)->orderByDesc($COLUMN) - pattern-inside: DB::table(...)->latest($COLUMN) - pattern-inside: DB::table(...)->oldest($COLUMN) - pattern-inside: DB::table(...)->forPageBeforeId($PERPAGE, $LASTID, $COLUMN) - pattern-inside: DB::table(...)->forPageAfterId($PERPAGE, $LASTID, $COLUMN) - pattern-inside: DB::table(...)->value($COLUMN) - pattern-inside: DB::table(...)->pluck($COLUMN, ...) - pattern-inside: DB::table(...)->implode($COLUMN, ...) - pattern-inside: DB::table(...)->min($COLUMN) - pattern-inside: DB::table(...)->max($COLUMN) - pattern-inside: DB::table(...)->sum($COLUMN) - pattern-inside: DB::table(...)->avg($COLUMN) - pattern-inside: DB::table(...)->average($COLUMN) - pattern-inside: DB::table(...)->increment($COLUMN, ...) - pattern-inside: DB::table(...)->decrement($COLUMN, ...) - pattern-inside: DB::table(...)->where($COLUMN, ...) - pattern-inside: DB::table(...)->orWhere($COLUMN, ...) - pattern-inside: DB::table(...)->addSelect($COLUMN) - patterns: - pattern: $QUERY - pattern-inside: DB::unprepared($QUERY) - id: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator mode: taint pattern-sources: - patterns: - pattern: | public function $F(...,Request $R,...){...} - focus-metavariable: $R - patterns: - pattern-either: - pattern: | $this->$PROPERTY - pattern: | $this->$PROPERTY->$GET - metavariable-pattern: metavariable: $PROPERTY patterns: - pattern-either: - pattern: query - pattern: request - pattern: headers - pattern: cookies - pattern: cookie - pattern: files - pattern: file - pattern: allFiles - pattern: input - pattern: all - pattern: post - pattern: json - pattern-either: - pattern-inside: | class $CL extends Illuminate\Http\Request {...} - pattern-inside: | class $CL extends Illuminate\Foundation\Http\FormRequest {...} pattern-sinks: - patterns: - pattern: | Illuminate\Validation\Rule::unique(...)->ignore(...,$IGNORE,...) - focus-metavariable: $IGNORE message: Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection. languages: - php severity: ERROR metadata: category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - php - laravel references: - https://laravel.com/docs/9.x/validation#rule-unique cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator shortlink: https://sg.run/vkeb semgrep.dev: rule: r_id: 21677 rv_id: 1263314 rule_id: X5ULgE version_id: DkTRbBl url: https://semgrep.dev/playground/r/DkTRbBl/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator origin: community - id: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled patterns: - pattern-either: - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => false, ...], ...) - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' => false, ...], ...) - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => false, ...], ...) - pattern: $X->setDefaults([..., 'csrf_protection' => false, ...], ...) - patterns: - pattern-either: - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => $VAL, ...], ...) - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' => $VAL, ...], ...) - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => $VAL, ...], ...) - pattern: $X->setDefaults([..., 'csrf_protection' => $VAL, ...], ...) - pattern-inside: | $VAL = false; ... message: CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`. metadata: references: - https://symfony.com/doc/current/security/csrf.html cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - symfony cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled shortlink: https://sg.run/N1gz semgrep.dev: rule: r_id: 13971 rv_id: 1263315 rule_id: d8UeKO version_id: WrTqKeL url: https://semgrep.dev/playground/r/WrTqKeL/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled origin: community languages: - php severity: WARNING - id: php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect patterns: - pattern: $this->redirect(...) - pattern-not: $this->redirect("...") - pattern-not: $this->redirect() message: The `redirect()` method does not check its destination in any way. If you redirect to a URL provided by end-users, your application may be open to the unvalidated redirects security vulnerability. Consider using literal values or an allowlist to validate URLs. languages: - php metadata: references: - https://symfony.com/doc/current/controller.html#redirecting - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' category: security technology: - symfony subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect shortlink: https://sg.run/4ey5 semgrep.dev: rule: r_id: 13800 rv_id: 1263316 rule_id: j2U3q8 version_id: 0bTKz0j url: https://semgrep.dev/playground/r/0bTKz0j/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect origin: community severity: WARNING - id: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors patterns: - pattern-inside: | use Symfony\Component\HttpFoundation\Response; ... - pattern-either: - patterns: - pattern-either: - pattern: | new Symfony\Component\HttpFoundation\Response($X, $Y, $HEADERS, ...) - pattern: new Response($X, $Y, $HEADERS, ...) - pattern-either: - pattern: new $R($X, $Y, [$KEY => $VALUE], ...) - pattern-inside: | $HEADERS = [$KEY => $VALUE]; ... - patterns: - pattern: $RES->headers->set($KEY, $VALUE) - metavariable-regex: metavariable: $KEY regex: (\'|\")\s*(Access-Control-Allow-Origin|access-control-allow-origin)\s*(\'|\") - metavariable-regex: metavariable: $VALUE regex: (\'|\")\s*(\*)\s*(\'|\") message: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. metadata: references: - https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-346: Origin Validation Error' category: security technology: - symfony subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors shortlink: https://sg.run/kr92 semgrep.dev: rule: r_id: 13972 rv_id: 1263317 rule_id: ZqUOlR version_id: K3TKkAW url: https://semgrep.dev/playground/r/K3TKkAW/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors origin: community languages: - php severity: WARNING - id: php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit.wp-ajax-no-auth-and-auth-hooks-audit patterns: - pattern: add_action($HOOK,...) - metavariable-regex: metavariable: $HOOK regex: '''wp_ajax_.*''' message: These hooks allow the developer to handle the custom AJAX endpoints."wp_ajax_$action" hook get fires for any authenticated user and "wp_ajax_nopriv_$action" hook get fires for non-authenticated users. paths: include: - '**/wp-content/plugins/**/*.php' languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: MEDIUM subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#authorisation - https://developer.wordpress.org/reference/hooks/wp_ajax_action/ owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-285: Improper Authorization' license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit.wp-ajax-no-auth-and-auth-hooks-audit shortlink: https://sg.run/B0eA semgrep.dev: rule: r_id: 39195 rv_id: 1263318 rule_id: DbUe2y version_id: qkTR7An url: https://semgrep.dev/playground/r/qkTR7An/php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit.wp-ajax-no-auth-and-auth-hooks-audit origin: community - id: php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit patterns: - pattern: $FUNCTION(...) - metavariable-regex: metavariable: $FUNCTION regex: current_user_can|is_admin|is_user_logged_in|is_user_admin message: These are some of the patterns used for authorisation. Look properly if the authorisation is proper or not. paths: include: - '**/wp-content/plugins/**/*.php' languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: MEDIUM subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#authorisation owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-285: Improper Authorization' license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit shortlink: https://sg.run/DqeP semgrep.dev: rule: r_id: 39196 rv_id: 1263319 rule_id: WAU6YK version_id: l4TJR3D url: https://semgrep.dev/playground/r/l4TJR3D/php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit origin: community - id: php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit patterns: - pattern-either: - pattern: eval(...) - pattern: assert(...) - pattern: call_user_func(...) message: These functions can lead to code injection if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions. paths: include: - '**/wp-content/plugins/**/*.php' languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: HIGH subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-code-execution owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit shortlink: https://sg.run/WKD2 semgrep.dev: rule: r_id: 39197 rv_id: 1263320 rule_id: 0oU6pX version_id: YDTZege url: https://semgrep.dev/playground/r/YDTZege/php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit origin: community - id: php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit patterns: - pattern-either: - pattern: system(...) - pattern: exec(...) - pattern: passthru(...) - pattern: shell_exec(...) message: These functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions. paths: include: - '**/wp-content/plugins/**/*.php' languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: HIGH subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution owasp: - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit shortlink: https://sg.run/01Wj semgrep.dev: rule: r_id: 39198 rv_id: 1263321 rule_id: KxUOw0 version_id: 6xT294o url: https://semgrep.dev/playground/r/6xT294o/php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit origin: community - id: php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit pattern: check_ajax_referer(...,...,false) message: Passing false or 0 as the third argument to this function will not cause the script to die, making the check useless. paths: include: - '**/wp-content/plugins/**/*.php' languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: MEDIUM subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#cross-site-request-forgery-csrf - https://developer.wordpress.org/reference/functions/check_ajax_referer/ owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit shortlink: https://sg.run/K2y5 semgrep.dev: rule: r_id: 39199 rv_id: 1263322 rule_id: qNUKpk version_id: o5TbDGN url: https://semgrep.dev/playground/r/o5TbDGN/php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit origin: community - id: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server message: Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A02:2021 - Cryptographic Failures - A03:2017 - Sensitive Data Exposure - A04:2025 - Cryptographic Failures references: - https://nodejs.org/api/http.html#http_class_http_agent - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY subcategory: - audit technology: - node.js vulnerability: Insecure Transport license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server shortlink: https://sg.run/x1zL semgrep.dev: rule: r_id: 9430 rv_id: 1263329 rule_id: 7KUQAE version_id: 9lT4bNd url: https://semgrep.dev/playground/r/9lT4bNd/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server origin: community languages: - javascript patterns: - pattern-inside: | $HTTP = require('http'); ... - pattern-either: - pattern: | $HTTP.$FUNC(...); - pattern: | new $HTTP.$FUNC2(...); - pattern: $HTTP - id: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator message: 'Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.' metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - airflow references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator shortlink: https://sg.run/ndBY semgrep.dev: rule: r_id: 9436 rv_id: 1263330 rule_id: 4bUkOY version_id: yeTxpb3 url: https://semgrep.dev/playground/r/yeTxpb3/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator origin: community languages: - python severity: ERROR pattern-either: - pattern: | airflow.operators.bash_operator.BashOperator(..., bash_command="..." + $CONCAT, ...) - pattern: | airflow.operators.bash_operator.BashOperator(..., bash_command="...".format(...), ...) - pattern: | airflow.operators.bash_operator.BashOperator(..., bash_command=f"...", ...) - pattern: | airflow.operators.bash_operator.BashOperator(..., bash_command="..." % $PARAMS, ...) - pattern: | $CMD = "..." % $PARAMS ... airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...) - pattern: | $CMD = $STR.format(...) ... airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...) - pattern: | $CMD = f"..." ... airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...) - pattern: | $CMD = "..." + $CONCAT ... airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...) - pattern: | $CMD = "..." ... $CMD += $CONCAT ... airflow.operators.bash_operator.BashOperator(..., bash_command=$CMD, ...) - id: python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: asyncio.create_subprocess_exec($PROG, $CMD, ...) - pattern: asyncio.create_subprocess_exec($PROG, [$CMD, ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, $CMD, ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, [$CMD, ...], ...) - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], ...) message: Detected 'create_subprocess_exec' function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec - https://docs.python.org/3/library/shlex.html category: security technology: - python cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec shortlink: https://sg.run/oyv0 semgrep.dev: rule: r_id: 18260 rv_id: 1263331 rule_id: EwUrX8 version_id: rxTAKgo url: https://semgrep.dev/playground/r/rxTAKgo/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec origin: community languages: - python severity: ERROR - id: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: $LOOP.subprocess_exec($PROTOCOL, $CMD, ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, [$CMD, ...], ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...], ...) message: Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec - https://docs.python.org/3/library/shlex.html category: security technology: - python - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec shortlink: https://sg.run/z14d semgrep.dev: rule: r_id: 18261 rv_id: 1263332 rule_id: 7KUxXg version_id: bZT53Ww url: https://semgrep.dev/playground/r/bZT53Ww/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec origin: community languages: - python severity: ERROR - id: python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: $LOOP.subprocess_shell($PROTOCOL, $CMD) - pattern: asyncio.subprocess.create_subprocess_shell($CMD, ...) - pattern: asyncio.create_subprocess_shell($CMD, ...) message: Detected asyncio subprocess function with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html - https://docs.python.org/3/library/shlex.html category: security technology: - python - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell shortlink: https://sg.run/p9vZ semgrep.dev: rule: r_id: 18262 rv_id: 1263333 rule_id: L1UEl7 version_id: NdTzyWA url: https://semgrep.dev/playground/r/NdTzyWA/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell origin: community languages: - python severity: ERROR - id: python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process mode: taint message: Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Ensure no external data reaches here. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - python - aws-lambda references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process shortlink: https://sg.run/2AjL semgrep.dev: rule: r_id: 18263 rv_id: 1263334 rule_id: 8GUGBq version_id: kbTzGv8 url: https://semgrep.dev/playground/r/kbTzGv8/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process origin: community languages: - python severity: ERROR pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - patterns: - pattern: os.$METHOD($MODE, $CMD, ...) - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe|spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp|startfile) - patterns: - pattern-inside: os.$METHOD($MODE, $BASH, ["-c", $CMD,...],...) - metavariable-regex: metavariable: $METHOD regex: (spawnv|spawnve|spawnvp|spawnvp|spawnvpe|posix_spawn|posix_spawnp) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - patterns: - pattern-inside: os.$METHOD($MODE, $BASH, "-c", $CMD,...) - metavariable-regex: metavariable: $METHOD regex: (spawnl|spawnle|spawnlp|spawnlpe) - metavariable-regex: metavariable: $BASH regex: (.*)(sh|bash|ksh|csh|tcsh|zsh) - id: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use mode: taint message: Detected subprocess function with argument tainted by an `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. The default option for `shell` is False, and this is secure by default. Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False` means you have to split the command string into an array of strings for the command and its arguments. You may consider using 'shlex.split()' for this purpose. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/subprocess.html - https://docs.python.org/3/library/shlex.html category: security technology: - python - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use shortlink: https://sg.run/XZ7B semgrep.dev: rule: r_id: 18264 rv_id: 1263335 rule_id: gxUyn1 version_id: w8TRogj url: https://semgrep.dev/playground/r/w8TRogj/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use origin: community languages: - python severity: ERROR pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - pattern: subprocess.$FUNC(..., shell=True, ...) pattern-sanitizers: - pattern: shlex.split(...) - pattern: pipes.quote(...) - pattern: shlex.quote(...) - id: python.aws-lambda.security.dangerous-system-call.dangerous-system-call mode: taint message: Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.2.4 Dyanmic Code Execution Features control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements version: '4' category: security technology: - python references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call shortlink: https://sg.run/jDvN semgrep.dev: rule: r_id: 18265 rv_id: 1263336 rule_id: QrUkg6 version_id: xyTjzbG url: https://semgrep.dev/playground/r/xyTjzbG/python.aws-lambda.security.dangerous-system-call.dangerous-system-call origin: community languages: - python severity: ERROR pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $CMD - pattern-either: - pattern: os.system($CMD,...) - pattern: os.popen($CMD,...) - pattern: os.popen2($CMD,...) - pattern: os.popen3($CMD,...) - pattern: os.popen4($CMD,...) - id: ai.ai-best-practices.mcp-credential-in-response.mcp-credential-in-response.mcp-credential-in-response-python languages: - python severity: WARNING message: MCP tool returns a dictionary containing credential-like keys such as api_key, password, secret, or token. Exposing credentials in tool responses risks leaking them to the LLM context or logs. Remove sensitive fields before returning data from MCP tools. metadata: cwe: 'CWE-522: Insufficiently Protected Credentials' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/ai.ai-best-practices.mcp-credential-in-response.mcp-credential-in-response.mcp-credential-in-response-python shortlink: https://sg.run/Kd1WX semgrep.dev: rule: r_id: 286755 rv_id: 1409352 rule_id: zdUAByY version_id: l4Tp3PG url: https://semgrep.dev/playground/r/l4Tp3PG/ai.ai-best-practices.mcp-credential-in-response.mcp-credential-in-response.mcp-credential-in-response-python origin: community patterns: - pattern-inside: | @$SERVER.tool() def $FUNC(...): ... - pattern-either: - pattern: 'return {..., "api_key": $VAL, ...}' - pattern: 'return {..., "password": $VAL, ...}' - pattern: 'return {..., "secret": $VAL, ...}' - pattern: 'return {..., "token": $VAL, ...}' - pattern: 'return {..., "access_token": $VAL, ...}' - pattern: 'return {..., "secret_key": $VAL, ...}' - pattern: 'return {..., "private_key": $VAL, ...}' - id: python.aws-lambda.security.psycopg-sqli.psycopg-sqli languages: - python message: 'Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(''SELECT * FROM projects WHERE status = %s'', ''active'')`' mode: taint metadata: references: - https://www.psycopg.org/docs/cursor.html#cursor.execute - https://www.psycopg.org/docs/cursor.html#cursor.executemany - https://www.psycopg.org/docs/cursor.html#cursor.mogrify category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - psycopg - psycopg2 cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.psycopg-sqli.psycopg-sqli shortlink: https://sg.run/9L8r semgrep.dev: rule: r_id: 18267 rv_id: 1263338 rule_id: 4bUQG1 version_id: e1TyjPZ url: https://semgrep.dev/playground/r/e1TyjPZ/python.aws-lambda.security.psycopg-sqli.psycopg-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern: $CURSOR.execute($QUERY,...) - pattern: $CURSOR.executemany($QUERY,...) - pattern: $CURSOR.mogrify($QUERY,...) - pattern-inside: | import psycopg2 ... pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: WARNING - id: ai.ai-best-practices.gemini-missing-safety-settings.gemini-missing-safety-settings-python.gemini-missing-safety-settings-python languages: - python severity: WARNING message: Gemini generate_content() called without safety_settings. Configure safety settings to control content filtering thresholds for harmful content categories. metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - gemini references: - https://ai.google.dev/gemini-api/docs/safety-settings license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.gemini-missing-safety-settings.gemini-missing-safety-settings-python.gemini-missing-safety-settings-python shortlink: https://sg.run/pGDyZ semgrep.dev: rule: r_id: 288818 rv_id: 1413376 rule_id: oqUyo2k version_id: gETro6J url: https://semgrep.dev/playground/r/gETro6J/ai.ai-best-practices.gemini-missing-safety-settings.gemini-missing-safety-settings-python.gemini-missing-safety-settings-python origin: community patterns: - pattern: $MODEL.generate_content(...) - pattern-not: $MODEL.generate_content(..., safety_settings=$SETTINGS, ...) - id: ai.ai-best-practices.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret-generic languages: - generic severity: ERROR message: Plaintext API key or token detected in MCP configuration file. Hardcoded secrets in config files risk exposure through version control or file sharing. Use environment variable references or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security confidence: HIGH subcategory: - vuln likelihood: HIGH impact: MEDIUM technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret-generic shortlink: https://sg.run/q6ery semgrep.dev: rule: r_id: 286756 rv_id: 1409353 rule_id: pKU62Gz version_id: YDTwgP9 url: https://semgrep.dev/playground/r/YDTwgP9/ai.ai-best-practices.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret.mcp-hardcoded-config-secret-generic origin: community paths: include: - '*mcp*.json' - claude_desktop_config.json pattern-either: - pattern-regex: :\s*"sk-[a-zA-Z0-9]{20,}" - pattern-regex: :\s*"sk-ant-[a-zA-Z0-9\-]{20,}" - pattern-regex: :\s*"sk-proj-[a-zA-Z0-9\-]{20,}" - pattern-regex: :\s*"hf_[a-zA-Z0-9]{20,}" - pattern-regex: :\s*"AIza[a-zA-Z0-9\-_]{20,}" - id: ai.ai-best-practices.mcp-ssrf.mcp-ssrf.mcp-ssrf-python mode: taint languages: - python severity: ERROR message: User input from an MCP tool handler flows into an HTTP request URL without validation. An attacker could supply internal network URLs to access internal services (SSRF). Validate and restrict URLs with an allowlist or parse with urllib.parse.urlparse() before making requests. metadata: cwe: 'CWE-918: Server-Side Request Forgery (SSRF)' category: security confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/ai.ai-best-practices.mcp-ssrf.mcp-ssrf.mcp-ssrf-python shortlink: https://sg.run/l0bj9 semgrep.dev: rule: r_id: 286757 rv_id: 1409354 rule_id: 2ZUQR47 version_id: JdTnOgr url: https://semgrep.dev/playground/r/JdTnOgr/ai.ai-best-practices.mcp-ssrf.mcp-ssrf.mcp-ssrf-python origin: community pattern-sources: - patterns: - pattern: | @$SERVER.tool() def $FUNC(..., $PARAM, ...): ... - focus-metavariable: $PARAM pattern-sinks: - patterns: - pattern: requests.get($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: requests.post($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: requests.put($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: requests.delete($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: urllib.request.urlopen($SINK) - focus-metavariable: $SINK pattern-sanitizers: - pattern: urllib.parse.urlparse(...) - id: python.aws-lambda.security.pymssql-sqli.pymssql-sqli languages: - python message: 'Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(''SELECT * FROM projects WHERE status = %s'', ''active'')`' mode: taint metadata: references: - https://pypi.org/project/pymssql/ category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - pymssql cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli shortlink: https://sg.run/yXvP semgrep.dev: rule: r_id: 18268 rv_id: 1263339 rule_id: PeUxO0 version_id: vdT06bG url: https://semgrep.dev/playground/r/vdT06bG/python.aws-lambda.security.pymssql-sqli.pymssql-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern: $CURSOR.execute($QUERY,...) - pattern-inside: | import pymssql ... pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: WARNING - id: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli languages: - python message: 'Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute(''SELECT * FROM projects WHERE status = ?'', ''active'')`' mode: taint metadata: references: - https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda - sqlalchemy cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli shortlink: https://sg.run/b48W semgrep.dev: rule: r_id: 18270 rv_id: 1263341 rule_id: 5rUy3N version_id: ZRTKARp url: https://semgrep.dev/playground/r/ZRTKARp/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli origin: community pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern: $CURSOR.execute($QUERY,...) - pattern-inside: | import sqlalchemy ... pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: WARNING - id: python.aws-lambda.security.tainted-code-exec.tainted-code-exec mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - pattern-either: - pattern: eval($CODE, ...) - pattern: exec($CODE, ...) message: Detected the use of `exec/eval`.This can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.2.4 Dyanmic Code Execution Features control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements version: '4' category: security technology: - python references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.aws-lambda.security.tainted-code-exec.tainted-code-exec shortlink: https://sg.run/Ng7y semgrep.dev: rule: r_id: 18271 rv_id: 1263342 rule_id: GdUDJP version_id: nWT2LD2 url: https://semgrep.dev/playground/r/nWT2LD2/python.aws-lambda.security.tainted-code-exec.tainted-code-exec origin: community languages: - python severity: WARNING - id: python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization mode: taint pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... pattern-sinks: - patterns: - focus-metavariable: $SINK - pattern-either: - pattern: pickle.load($SINK,...) - pattern: pickle.loads($SINK,...) - pattern: _pickle.load($SINK,...) - pattern: _pickle.loads($SINK,...) - pattern: cPickle.load($SINK,...) - pattern: cPickle.loads($SINK,...) - pattern: dill.load($SINK,...) - pattern: dill.loads($SINK,...) - pattern: shelve.open($SINK,...) message: Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://docs.python.org/3/library/pickle.html - https://davidhamann.de/2020/04/05/exploiting-python-pickle/ category: security technology: - python - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization shortlink: https://sg.run/JbjW semgrep.dev: rule: r_id: 21602 rv_id: 1263345 rule_id: JDUDQg version_id: LjTkgd9 url: https://semgrep.dev/playground/r/LjTkgd9/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization origin: community languages: - python severity: WARNING - id: python.aws-lambda.security.tainted-sql-string.tainted-sql-string languages: - python message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. metadata: references: - https://owasp.org/www-community/attacks/SQL_Injection category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/wXvA semgrep.dev: rule: r_id: 18273 rv_id: 1263346 rule_id: AbU3LX version_id: 8KT5ron url: https://semgrep.dev/playground/r/8KT5ron/python.aws-lambda.security.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR" % ... - pattern: | "$SQLSTR".format(...) - pattern: | f"$SQLSTR{...}..." - metavariable-regex: metavariable: $SQLSTR regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.*= - pattern-not-inside: | print(...) pattern-sources: - patterns: - pattern: event - pattern-inside: | def $HANDLER(event, context): ... severity: ERROR - id: python.boto3.security.hardcoded-token.hardcoded-token message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - https://bento.dev/checks/boto3/hardcoded-access-token/ - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/ owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures category: security technology: - boto3 - secrets cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token shortlink: https://sg.run/LwQ6 semgrep.dev: rule: r_id: 9439 rv_id: 1263347 rule_id: 5rUOwK version_id: gETB78n url: https://semgrep.dev/playground/r/gETB78n/python.boto3.security.hardcoded-token.hardcoded-token origin: community languages: - python severity: WARNING mode: taint pattern-sources: - pattern: | "..." pattern-sinks: - patterns: - pattern-either: - pattern: $W(...,$TOKEN="$VALUE",...) - pattern: $BOTO. ... .$W(...,$TOKEN="$VALUE",...) - metavariable-regex: metavariable: $TOKEN regex: (aws_session_token|aws_access_key_id|aws_secret_access_key) - metavariable-pattern: language: generic metavariable: $VALUE patterns: - pattern-either: - pattern-regex: ^AKI - pattern-regex: ^[A-Za-z0-9/+=]+$ - metavariable-analysis: metavariable: $VALUE analyzer: entropy - id: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 message: ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B304 references: - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers category: security technology: - cryptography subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::symmetric-algorithm::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 shortlink: https://sg.run/xoZL semgrep.dev: rule: r_id: 33630 rv_id: 1263348 rule_id: KxU8gK version_id: QkTGq3Q url: https://semgrep.dev/playground/r/QkTGq3Q/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4 origin: community severity: WARNING languages: - python patterns: - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$ARC4($KEY) - pattern-inside: cryptography.hazmat.primitives.ciphers.Cipher(...) - metavariable-regex: metavariable: $ARC4 regex: ^(ARC4)$ - focus-metavariable: $ARC4 fix: AES - id: go.lang.security.audit.crypto.sha224-hash.sha224-hash pattern-either: - patterns: - pattern-inside: | import "crypto/sha256" ... - pattern-either: - pattern: | sha256.New224() - pattern: | sha256.Sum224(...) - patterns: - pattern-inside: | import "golang.org/x/crypto/sha3" ... - pattern-either: - pattern: | sha3.New224() - pattern: | sha3.Sum224(...) message: This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security. languages: - go severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' category: security technology: - go references: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography subcategory: - vuln likelihood: LOW impact: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash shortlink: https://sg.run/ReJwY semgrep.dev: rule: r_id: 151749 rv_id: 1262925 rule_id: GdUvElR version_id: 9lT4b4w url: https://semgrep.dev/playground/r/9lT4b4w/go.lang.security.audit.crypto.sha224-hash.sha224-hash origin: community - id: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 message: This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security. languages: - java severity: WARNING metadata: functional-categories: - crypto::search::hash-algorithm::javax.crypto owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-328: Use of Weak Hash' asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - java references: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography subcategory: - vuln likelihood: LOW impact: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 shortlink: https://sg.run/Ab2KQ semgrep.dev: rule: r_id: 151750 rv_id: 1263017 rule_id: ReUDGEz version_id: YDTZewo url: https://semgrep.dev/playground/r/YDTZewo/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 origin: community pattern-either: - pattern: org.apache.commons.codec.digest.DigestUtils.getSha3_224Digest() - pattern: org.apache.commons.codec.digest.DigestUtils.getSha512_224Digest() - pattern: org.apache.commons.codec.digest.DigestUtils.sha3_224(...) - pattern: org.apache.commons.codec.digest.DigestUtils.sha3_224Hex(...) - pattern: org.apache.commons.codec.digest.DigestUtils.sha512_224(...) - pattern: org.apache.commons.codec.digest.DigestUtils.sha512_224Hex(...) - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_224) - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_512_224) - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA3_224) - patterns: - pattern: java.security.MessageDigest.getInstance("$ALGO", ...); - metavariable-regex: metavariable: $ALGO regex: .*224 - id: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish message: Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B304 references: - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers - https://tools.ietf.org/html/rfc5469 category: security technology: - cryptography subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::symmetric-algorithm::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish shortlink: https://sg.run/OdzL semgrep.dev: rule: r_id: 33631 rv_id: 1263349 rule_id: qNULvO version_id: 3ZT4XK7 url: https://semgrep.dev/playground/r/3ZT4XK7/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish origin: community severity: WARNING languages: - python patterns: - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$BLOWFISH($KEY) - metavariable-regex: metavariable: $BLOWFISH regex: ^(Blowfish)$ - focus-metavariable: $BLOWFISH fix: AES - id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea message: IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B304 references: - https://tools.ietf.org/html/rfc5469 - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA category: security technology: - cryptography subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::symmetric-algorithm::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea shortlink: https://sg.run/3xyK semgrep.dev: rule: r_id: 9443 rv_id: 1263350 rule_id: BYUNPg version_id: 44TEjNJ url: https://semgrep.dev/playground/r/44TEjNJ/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea origin: community severity: WARNING languages: - python patterns: - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$IDEA($KEY) - metavariable-regex: metavariable: $IDEA regex: ^(IDEA)$ - focus-metavariable: $IDEA fix: AES - id: python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb message: ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. Use a different, cryptographically strong mode instead, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B305 references: - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption category: security technology: - cryptography subcategory: - audit likelihood: LOW impact: LOW confidence: MEDIUM functional-categories: - crypto::search::mode::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb shortlink: https://sg.run/4xr5 semgrep.dev: rule: r_id: 9444 rv_id: 1263351 rule_id: DbUp5g version_id: PkTR3w7 url: https://semgrep.dev/playground/r/PkTR3w7/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb origin: community severity: WARNING languages: - python pattern: cryptography.hazmat.primitives.ciphers.modes.ECB($IV) fix: cryptography.hazmat.primitives.ciphers.modes.GCM($IV) - id: python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B303 references: - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability - http://2012.sharcs.org/slides/stevens.pdf - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html category: security technology: - cryptography subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::symmetric-algorithm::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 shortlink: https://sg.run/eY88 semgrep.dev: rule: r_id: 33632 rv_id: 1263352 rule_id: lBUopp version_id: JdTzxww url: https://semgrep.dev/playground/r/JdTzxww/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 origin: community severity: WARNING languages: - python patterns: - pattern: cryptography.hazmat.primitives.hashes.$MD5() - metavariable-regex: metavariable: $MD5 regex: ^(MD5)$ - focus-metavariable: $MD5 fix: SHA256 - id: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 patterns: - pattern: cryptography.hazmat.primitives.hashes.$SHA(...) - metavariable-pattern: metavariable: $SHA pattern: | SHA1 - focus-metavariable: $SHA fix: | SHA256 message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures bandit-code: B303 references: - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1 - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability - http://2012.sharcs.org/slides/stevens.pdf - https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html category: security technology: - cryptography subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::symmetric-algorithm::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 shortlink: https://sg.run/J9Qy semgrep.dev: rule: r_id: 9446 rv_id: 1263353 rule_id: 0oU5dN version_id: 5PTo1l0 url: https://semgrep.dev/playground/r/5PTo1l0/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 origin: community severity: WARNING languages: - python - id: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size patterns: - pattern-either: - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(..., key_size=$SIZE, ...) - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE, ...) - metavariable-comparison: metavariable: $SIZE comparison: $SIZE < 2048 - focus-metavariable: $SIZE fix: | 2048 message: Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py references: - https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/ - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf category: security technology: - cryptography subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::key-length::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size shortlink: https://sg.run/5Qb0 semgrep.dev: rule: r_id: 9447 rv_id: 1263354 rule_id: KxUb0x version_id: GxTkeOK url: https://semgrep.dev/playground/r/GxTkeOK/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size origin: community languages: - python severity: WARNING - id: python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size patterns: - pattern-inside: cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(...) - pattern: cryptography.hazmat.primitives.asymmetric.ec.$SIZE - metavariable-pattern: metavariable: $SIZE pattern-either: - pattern: SECP192R1 - pattern: SECT163K1 - pattern: SECT163R2 - focus-metavariable: $SIZE fix: | SECP256R1 message: Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'. metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py references: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves category: security technology: - cryptography subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::key-length::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size shortlink: https://sg.run/GeQq semgrep.dev: rule: r_id: 9448 rv_id: 1263355 rule_id: qNUjZ3 version_id: RGT0LW6 url: https://semgrep.dev/playground/r/RGT0LW6/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size origin: community languages: - python severity: WARNING - id: php.lang.security.audit.sha224-hash.sha224-hash pattern-either: - pattern: hash('sha224', ...); - pattern: hash('sha512/224', ...); - pattern: hash('sha3-224', ...); - pattern: hash_hmac('sha224', ...); - pattern: hash_hmac('sha512/224', ...); - pattern: hash_hmac('sha3-224', ...); message: This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security. metadata: cwe: - 'CWE-328: Use of Weak Hash' references: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography category: security technology: - php owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - audit likelihood: LOW impact: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insecure Hashing Algorithm source: https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash shortlink: https://sg.run/BYXqv semgrep.dev: rule: r_id: 151751 rv_id: 1263275 rule_id: AbU97EA version_id: bZT53Jo url: https://semgrep.dev/playground/r/bZT53Jo/php.lang.security.audit.sha224-hash.sha224-hash origin: community languages: - php severity: WARNING - id: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size patterns: - pattern-either: - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(..., key_size=$SIZE, ...) - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($EXP, $SIZE, ...) - metavariable-comparison: metavariable: $SIZE comparison: $SIZE < 2048 - focus-metavariable: $SIZE fix: | 2048 message: Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher. metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py references: - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/ - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf category: security technology: - cryptography subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM functional-categories: - crypto::search::key-length::cryptography license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size shortlink: https://sg.run/RoQq semgrep.dev: rule: r_id: 9449 rv_id: 1263356 rule_id: lBU9jn version_id: A8TgdPK url: https://semgrep.dev/playground/r/A8TgdPK/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size origin: community languages: - python severity: WARNING - id: python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication message: 'An encryption mode of operation is being used without proper message authentication. This can potentially result in the encrypted content to be decrypted by an attacker. Consider instead use an AEAD mode of operation like GCM. ' languages: - python severity: ERROR metadata: category: security technology: - cryptography cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication shortlink: https://sg.run/N9JL semgrep.dev: rule: r_id: 31871 rv_id: 1263357 rule_id: lBUpNZ version_id: BjTkZj5 url: https://semgrep.dev/playground/r/BjTkZj5/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication origin: community patterns: - pattern-either: - patterns: - pattern: | Cipher(..., $HAZMAT_MODE(...),...) - pattern-not-inside: | Cipher(..., $HAZMAT_MODE(...),...) ... HMAC(...) - pattern-not-inside: | Cipher(..., $HAZMAT_MODE(...),...) ... hmac.HMAC(...) - metavariable-pattern: metavariable: $HAZMAT_MODE patterns: - pattern-either: - pattern: modes.CTR - pattern: modes.CBC - pattern: modes.CFB - pattern: modes.OFB - id: python.distributed.security.require-encryption patterns: - pattern: | distributed.security.Security(..., require_encryption=$VAL, ...) - metavariable-pattern: metavariable: $VAL pattern: | False - focus-metavariable: $VAL fix: | True message: Initializing a security context for Dask (`distributed`) without "require_encryption" keyword argument may silently fail to provide security. severity: WARNING metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters category: security technology: - distributed subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/python.distributed.security.require-encryption shortlink: https://sg.run/AvQ2 semgrep.dev: rule: r_id: 9450 rv_id: 1263358 rule_id: YGURy0 version_id: DkTRbol url: https://semgrep.dev/playground/r/DkTRbol/python.distributed.security.require-encryption origin: community languages: - python - id: python.django.security.audit.avoid-mark-safe.avoid-mark-safe patterns: - pattern-not-inside: django.utils.html.format_html(...) - pattern-not: django.utils.safestring.mark_safe("...") - pattern: django.utils.safestring.mark_safe(...) message: '''mark_safe()'' is used to mark a string as "safe" for HTML output. This disables escaping and could therefore subject the content to XSS attacks. Use ''django.utils.html.format_html()'' to build HTML for rendering instead.' metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.safestring.mark_safe - https://docs.djangoproject.com/en/3.0/ref/utils/#django.utils.html.format_html category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.avoid-mark-safe.avoid-mark-safe shortlink: https://sg.run/yd0P semgrep.dev: rule: r_id: 9468 rv_id: 1263360 rule_id: eqU8Wr version_id: 0bTKzkj url: https://semgrep.dev/playground/r/0bTKzkj/python.django.security.audit.avoid-mark-safe.avoid-mark-safe origin: community languages: - python severity: WARNING - id: python.django.security.audit.csrf-exempt.no-csrf-exempt pattern: | @django.views.decorators.csrf.csrf_exempt def $R(...): ... message: Detected usage of @csrf_exempt, which indicates that there is no CSRF token set for this route. This could lead to an attacker manipulating the user's account and exfiltration of private data. Instead, create a function without this decorator. metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - django references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/python.django.security.audit.csrf-exempt.no-csrf-exempt shortlink: https://sg.run/rd5e semgrep.dev: rule: r_id: 9469 rv_id: 1263361 rule_id: v8UnqO version_id: K3TKk9W url: https://semgrep.dev/playground/r/K3TKk9W/python.django.security.audit.csrf-exempt.no-csrf-exempt origin: community languages: - python severity: WARNING - id: python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql languages: - python message: Detected a Custom Expression ''$EXPRESSION'' calling ''as_sql(...).'' This could lead to SQL injection, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.Func.as_sql - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/ category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql shortlink: https://sg.run/b7bW semgrep.dev: rule: r_id: 9470 rv_id: 1263362 rule_id: d8Ujk6 version_id: qkTR7gn url: https://semgrep.dev/playground/r/qkTR7gn/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql origin: community pattern: $EXPRESSION.as_sql(...) severity: WARNING - id: python.django.security.audit.extends-custom-expression.extends-custom-expression languages: - python message: 'Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.' metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/ category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression shortlink: https://sg.run/N4Ay semgrep.dev: rule: r_id: 9471 rv_id: 1263364 rule_id: ZqU5z3 version_id: YDTZeGe url: https://semgrep.dev/playground/r/YDTZeGe/python.django.security.audit.extends-custom-expression.extends-custom-expression origin: community severity: WARNING pattern-either: - pattern: | class $CLASS(..., django.db.models.Func, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Func, ...): ... - pattern: | class $CLASS(..., django.db.models.Expression, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Expression, ...): ... - pattern: | class $CLASS(..., django.db.models.Value, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Value, ...): ... - pattern: | class $CLASS(..., django.db.models.DurationValue, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.DurationValue, ...): ... - pattern: | class $CLASS(..., django.db.models.RawSQL, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.RawSQL, ...): ... - pattern: | class $CLASS(..., django.db.models.Star, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Star, ...): ... - pattern: | class $CLASS(..., django.db.models.Random, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Random, ...): ... - pattern: | class $CLASS(..., django.db.models.Col, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Col, ...): ... - pattern: | class $CLASS(..., django.db.models.Ref, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Ref, ...): ... - pattern: | class $CLASS(..., django.db.models.ExpressionList, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.ExpressionList, ...): ... - pattern: | class $CLASS(..., django.db.models.ExpressionWrapper, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.ExpressionWrapper, ...): ... - pattern: | class $CLASS(..., django.db.models.When, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.When, ...): ... - pattern: | class $CLASS(..., django.db.models.Case, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Case, ...): ... - pattern: | class $CLASS(..., django.db.models.Subquery, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Subquery, ...): ... - pattern: | class $CLASS(..., django.db.models.Exists, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Exists, ...): ... - pattern: | class $CLASS(..., django.db.models.Window, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.Window, ...): ... - pattern: | class $CLASS(..., django.db.models.WindowFrame, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.WindowFrame, ...): ... - pattern: | class $CLASS(..., django.db.models.RowRange, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.RowRange, ...): ... - pattern: | class $CLASS(..., django.db.models.ValueRange, ...): ... - pattern: | class $CLASS(..., django.db.models.expressions.ValueRange, ...): ... - id: python.django.security.audit.query-set-extra.avoid-query-set-extra message: QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/ category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra shortlink: https://sg.run/kXZP semgrep.dev: rule: r_id: 9472 rv_id: 1263365 rule_id: nJUzBP version_id: 6xT297o url: https://semgrep.dev/playground/r/6xT297o/python.django.security.audit.query-set-extra.avoid-query-set-extra origin: community languages: - python severity: WARNING patterns: - pattern: $MODEL.extra(...) - pattern-not-inside: '$MODEL.extra(select = {$KEY: "..."})' - id: python.django.security.audit.raw-query.avoid-raw-sql message: 'Detected the use of ''RawSQL'' or ''raw'' indicating the execution of a non-parameterized SQL query. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use Django ORM and parameterized queries before raw SQL. An example of using the Django ORM is: `People.objects.get(name=''Bob'')`' metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#raw-sql-expressions - https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/ category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.audit.raw-query.avoid-raw-sql shortlink: https://sg.run/weDA semgrep.dev: rule: r_id: 9473 rv_id: 1263366 rule_id: EwU2JA version_id: o5TbDQN url: https://semgrep.dev/playground/r/o5TbDQN/python.django.security.audit.raw-query.avoid-raw-sql origin: community languages: - python severity: WARNING patterns: - pattern-either: - pattern: $MODEL.objects.raw($QUERY, ...) - pattern: django.db.models.expressions.RawSQL(...) - pattern-not: $MODEL.objects.raw("...") - pattern-not: django.db.models.expressions.RawSQL("...") - id: python.django.security.audit.secure-cookies.django-secure-set-cookie patterns: - pattern-either: - pattern-inside: | import django.http.HttpResponse ... - pattern-inside: | import django.shortcuts.render ... - pattern-not-inside: | LANGUAGE_QUERY_PARAMETER = 'language' ... def set_language(request): ... # Exclude vendored contrib/messages/storage/cookie.py - pattern-not-inside: | class CookieStorage(django.contrib.messages.storage.base.BaseStorage): ... # Exclude cookies handled by vendored middleware - pattern-not: response.set_cookie(django.conf.settings.SESSION_COOKIE_NAME, ...) - pattern-not: response.set_cookie(django.conf.settings.CSRF_COOKIE_NAME, ...) - pattern-not: response.set_cookie(django.conf.settings.LANGUAGE_COOKIE_NAME, ...) - pattern-not: response.set_cookie(rest_framework_jwt.settings.api_settings.JWT_AUTH_COOKIE, ...) - pattern-not: response.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...) - pattern-not: response.set_cookie(..., **$A) - pattern: response.set_cookie(...) message: Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None. metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.4 Missing Cookie Attributes control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management version: '4' references: - https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie - https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/ - https://bento.dev/checks/flask/secure-set-cookie/ category: security technology: - django subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie shortlink: https://sg.run/x1WL semgrep.dev: rule: r_id: 9474 rv_id: 1263367 rule_id: 7KUQ2E version_id: zyTb2gp url: https://semgrep.dev/playground/r/zyTb2gp/python.django.security.audit.secure-cookies.django-secure-set-cookie origin: community languages: - python severity: WARNING - id: python.django.security.audit.unvalidated-password.unvalidated-password patterns: - pattern-not-inside: | if <... django.contrib.auth.password_validation.validate_password(...) ...>: ... - pattern-not-inside: | django.contrib.auth.password_validation.validate_password(...) ... - pattern-not-inside: | try: ... django.contrib.auth.password_validation.validate_password(...) ... except $EX: ... ... - pattern-not-inside: | try: ... django.contrib.auth.password_validation.validate_password(...) ... except $EX as $E: ... ... - pattern-not: UserModel().set_password($X) - pattern: $MODEL.set_password($X) fix: | if django.contrib.auth.password_validation.validate_password($X, user=$MODEL): $MODEL.set_password($X) message: The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information. metadata: cwe: - 'CWE-521: Weak Password Requirements' owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation category: security technology: - django subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password shortlink: https://sg.run/OPBL semgrep.dev: rule: r_id: 9475 rv_id: 1263368 rule_id: L1UywG version_id: pZT03gB url: https://semgrep.dev/playground/r/pZT03gB/python.django.security.audit.unvalidated-password.unvalidated-password origin: community languages: - python severity: WARNING - id: python.django.security.audit.xss.class-extends-safestring.class-extends-safestring message: Found a class extending 'SafeString', 'SafeText' or 'SafeData'. These classes are for bypassing the escaping engine built in to Django and should not be used directly. Improper use of this class exposes your application to cross-site scripting (XSS) vulnerabilities. If you need this functionality, use 'mark_safe' instead and ensure no user data can reach it. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping - https://github.com/django/django/blob/f138e75910b1e541686c4dce3d8f467f6fc234cb/django/utils/safestring.py#L11 category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring shortlink: https://sg.run/Zvpw semgrep.dev: rule: r_id: 9479 rv_id: 1263369 rule_id: 3qUPve version_id: 2KTv2N1 url: https://semgrep.dev/playground/r/2KTv2N1/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring origin: community languages: - python severity: WARNING pattern-either: - pattern: | class $CLASS(django.utils.safestring.SafeString): ... - pattern: | class $CLASS(django.utils.safestring.SafeText): ... - pattern: |- class $CLASS(django.utils.safestring.SafeData): ... - id: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off message: 'Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove ''autoescape: False'' or set it to ''True''.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/ref/settings/#templates - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off shortlink: https://sg.run/nd7Y semgrep.dev: rule: r_id: 9480 rv_id: 1263370 rule_id: 4bUknY version_id: X0Tzye3 url: https://semgrep.dev/playground/r/X0Tzye3/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off origin: community languages: - python severity: WARNING patterns: - pattern-either: - pattern: | {..., "autoescape": $FALSE, ...} - pattern: | $D["autoescape"] = $FALSE - metavariable-pattern: metavariable: $FALSE pattern: | False - focus-metavariable: $FALSE fix: | True - id: ai.ai-best-practices.mcp-tool-poisoning.mcp-tool-poisoning.mcp-tool-poisoning-generic languages: - generic severity: ERROR message: MCP tool docstring contains suspicious directives that may indicate tool poisoning. Attackers can embed hidden instructions in tool descriptions to manipulate LLM behavior, exfiltrate data, or access sensitive files. Review the tool description for hidden instructions or social engineering. metadata: cwe: 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mcp-tool-poisoning.mcp-tool-poisoning.mcp-tool-poisoning-generic shortlink: https://sg.run/YKZg4 semgrep.dev: rule: r_id: 286758 rv_id: 1409355 rule_id: X5UwYZA version_id: 5PT7K5G url: https://semgrep.dev/playground/r/5PT7K5G/ai.ai-best-practices.mcp-tool-poisoning.mcp-tool-poisoning.mcp-tool-poisoning-generic origin: community paths: include: - '*.py' pattern-either: - pattern-regex: '"""[^"]*[^"]*"""' - pattern-regex: '"""[^"]*~/\.ssh[^"]*"""' - pattern-regex: '"""[^"]*~/\.cursor/mcp\.json[^"]*"""' - pattern-regex: '"""[^"]*(?:/etc/shadow)[^"]*"""' - pattern-regex: '"""[^"]*(?:read|cat|load|parse|open|access)\s+\.env[^"]*"""' - pattern-regex: '"""[^"]*do not mention[^"]*"""' - pattern-regex: '"""[^"]*do not tell the user[^"]*"""' - pattern-regex: '"""[^"]*ignore previous instructions[^"]*"""' - id: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse message: Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render - https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse shortlink: https://sg.run/EknN semgrep.dev: rule: r_id: 9481 rv_id: 1263371 rule_id: PeUZgE version_id: jQTn5eO url: https://semgrep.dev/playground/r/jQTn5eO/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse origin: community languages: - python severity: WARNING patterns: - pattern-not: django.http.$ANY("...", ...) - pattern-not: django.http.$ANY() - pattern-not: django.http.$ANY(..., content=None, ...) - pattern-not: django.http.$ANY(status=...) - pattern-not: django.http.HttpResponseNotAllowed([...]) - pattern-either: - patterns: - pattern-either: - pattern: django.http.HttpResponse(...) - pattern: django.http.HttpResponseBadRequest(...) - pattern: django.http.HttpResponseNotFound(...) - pattern: django.http.HttpResponseForbidden(...) - pattern: django.http.HttpResponseNotAllowed(...) - pattern: django.http.HttpResponseGone(...) - pattern: django.http.HttpResponseServerError(...) - pattern-not: django.http.$ANY(...,content_type=$TYPE,...) - patterns: - pattern-either: - pattern: django.http.HttpResponse(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseBadRequest(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseNotFound(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseForbidden(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseNotAllowed(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseGone(...,content_type=$TYPE,...) - pattern: django.http.HttpResponseServerError(...,content_type=$TYPE,...) - metavariable-regex: metavariable: $TYPE regex: .*[tT][eE][xX][tT]/[hH][tT][mM][lL].* - id: python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe message: Detected Django filters flagged with 'is_safe'. 'is_safe' tells Django not to apply escaping on the value returned by this filter (although the input is escaped). Used improperly, 'is_safe' could expose your application to cross-site scripting (XSS) vulnerabilities. Ensure this filter does not 1) add HTML characters, 2) remove characters, or 3) use external data in any way. Consider instead removing 'is_safe' and explicitly marking safe content with 'mark_safe()'. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/topics/security/#cross-site-scripting-xss-protection - https://docs.djangoproject.com/en/3.1/howto/custom-template-tags/#filters-and-auto-escaping - https://stackoverflow.com/questions/7665512/why-use-is-safe category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe shortlink: https://sg.run/7o12 semgrep.dev: rule: r_id: 9482 rv_id: 1263372 rule_id: JDUyd4 version_id: 1QTypA8 url: https://semgrep.dev/playground/r/1QTypA8/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe origin: community languages: - python severity: WARNING pattern: |- @register.filter(..., is_safe=True, ...) def $FILTER(...): ... - id: python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter message: Passing a formatted string as first parameter to `format_html` disables the proper encoding of variables. Any HTML in the first parameter is not encoded. Using a formatted string as first parameter obscures which parameters are encoded. Correct use of `format_html` is passing a static format string as first parameter, and the variables to substitute as subsequent parameters. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter shortlink: https://sg.run/lxQo semgrep.dev: rule: r_id: 12657 rv_id: 1263373 rule_id: v8UjKg version_id: 9lT4bYd url: https://semgrep.dev/playground/r/9lT4bYd/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter origin: community languages: - python severity: WARNING pattern-either: - pattern: format_html(<... f"..." ...>, ...) - pattern: format_html("..." % ..., ...) - pattern: format_html("...".format(...), ...) - id: python.django.security.audit.xss.global-autoescape-off.global-autoescape-off message: 'Autoescape is globally disbaled for this Django application. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove ''autoescape: False'' or set it to ''True''.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/ref/settings/#templates - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off shortlink: https://sg.run/LwG6 semgrep.dev: rule: r_id: 9483 rv_id: 1263374 rule_id: 5rUOXK version_id: yeTxp93 url: https://semgrep.dev/playground/r/yeTxp93/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off origin: community languages: - python severity: WARNING patterns: - pattern: | {..., 'BACKEND': ..., 'OPTIONS': {..., 'autoescape': $FALSE, ...}, ...} - metavariable-pattern: metavariable: $FALSE pattern: | False - focus-metavariable: $FALSE fix: | True - id: python.django.security.audit.xss.html-magic-method.html-magic-method message: The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5 category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method shortlink: https://sg.run/8y9N semgrep.dev: rule: r_id: 9484 rv_id: 1263375 rule_id: GdU7QO version_id: rxTAKRo url: https://semgrep.dev/playground/r/rxTAKRo/python.django.security.audit.xss.html-magic-method.html-magic-method origin: community languages: - python severity: WARNING patterns: - pattern-inside: | class $CLASS(...): ... - pattern: | def __html__(...): ... - id: python.django.security.audit.xss.html-safe.html-safe message: '`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is ''safe'' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe - https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5 category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe shortlink: https://sg.run/gLO0 semgrep.dev: rule: r_id: 9485 rv_id: 1263376 rule_id: ReUg5Y version_id: bZT53Dw url: https://semgrep.dev/playground/r/bZT53Dw/python.django.security.audit.xss.html-safe.html-safe origin: community languages: - python severity: WARNING pattern-either: - pattern: django.utils.html.html_safe(...) - pattern: | @django.utils.html.html_safe class $CLASS(...): ... - id: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off message: Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off shortlink: https://sg.run/Q5WZ semgrep.dev: rule: r_id: 9486 rv_id: 1263377 rule_id: AbUzAZ version_id: NdTzy0A url: https://semgrep.dev/playground/r/NdTzy0A/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off origin: community languages: - regex paths: include: - '*.html' severity: WARNING pattern-regex: '{%\s+autoescape\s+off\s+%}' - id: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape languages: - generic severity: INFO message: Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text. patterns: - pattern-either: - pattern: | {% blocktranslate...%} - pattern: | {% blocktrans...%} - pattern-not-inside: | {%...filter...force_escape...%} ... ... ... ... ... ... ... ... ... ... {%...endfilter...%} metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape shortlink: https://sg.run/3xpK semgrep.dev: rule: r_id: 9487 rv_id: 1263378 rule_id: BYUNwg version_id: kbTzG08 url: https://semgrep.dev/playground/r/kbTzG08/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape origin: community - id: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape languages: - generic severity: INFO message: Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text. patterns: - pattern-either: - pattern: | {% translate ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... }} - pattern: | {% trans ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... }} - pattern-not: | {% translate ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... | ... force_escape ... }} - pattern-not: | {% trans ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... | ... force_escape ... }} - pattern-not: | {% translate ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {% filter force_escape %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... }} - pattern-not: | {% trans ... as $TRANS ... %} ... ... ... ... ... ... ... ... ... ... {% filter force_escape %} ... ... ... ... ... ... ... ... ... ... {{ ... $TRANS ... }} metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape shortlink: https://sg.run/PJDz semgrep.dev: rule: r_id: 9489 rv_id: 1263379 rule_id: WAUov9 version_id: w8TRodj url: https://semgrep.dev/playground/r/w8TRodj/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape origin: community - id: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq message: Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq shortlink: https://sg.run/5Q30 semgrep.dev: rule: r_id: 9491 rv_id: 1263380 rule_id: KxUbdx version_id: xyTjzyG url: https://semgrep.dev/playground/r/xyTjzyG/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq origin: community languages: - regex paths: include: - '*.html' severity: WARNING pattern-regex: '{{.*?\|\s+safeseq(\s+}})?' - id: python.django.security.globals-as-template-context.globals-as-template-context languages: - python message: 'Using ''globals()'' as a context to ''render(...)'' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use ''globals()''. Instead, specify each variable in a dictionary or ''django.template.Context'' object, like ''{"var1": "hello"}'' and use that instead.' metadata: category: security cwe: - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.2/ref/settings/#templates - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates - https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context technology: - django subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.globals-as-template-context.globals-as-template-context shortlink: https://sg.run/7GYv semgrep.dev: rule: r_id: 11938 rv_id: 1263381 rule_id: j2UR3n version_id: O9TpxKJ url: https://semgrep.dev/playground/r/O9TpxKJ/python.django.security.globals-as-template-context.globals-as-template-context origin: community pattern-either: - pattern: django.shortcuts.render(..., globals(...), ...) - pattern: django.template.Template.render(..., globals(...), ...) - patterns: - pattern-inside: | $CONTEXT = globals(...) ... - pattern-either: - pattern: django.shortcuts.render(..., $CONTEXT, ...) - pattern: django.template.Template.render(..., $CONTEXT, ...) severity: ERROR - id: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution message: Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. metadata: cwe: - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186 category: security technology: - django subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution shortlink: https://sg.run/Kl55 semgrep.dev: rule: r_id: 9499 rv_id: 1263382 rule_id: AbUzAA version_id: e1TyjXZ url: https://semgrep.dev/playground/r/e1TyjXZ/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals().get($DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals().get("..." % $DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals().get(f"...{$DATA}...", ...) ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals().get("...".format(..., $DATA, ...), ...) ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals()[$DATA] ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals()["..." % $DATA] ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals()[f"...{$DATA}..."] ... $INTERM(...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = globals()["...".format(..., $DATA, ...)] ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals().get($DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals().get("..." % $DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals().get(f"...{$DATA}...", ...) ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals().get("...".format(..., $DATA, ...), ...) ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals()[$DATA] ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals()["..." % $DATA] ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals()[f"...{$DATA}..."] ... $INTERM(...) - pattern: | $DATA = request.$W(...) ... $INTERM = globals()["...".format(..., $DATA, ...)] ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals().get($DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals().get("..." % $DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals().get(f"...{$DATA}...", ...) ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals().get("...".format(..., $DATA, ...), ...) ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals()[$DATA] ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals()["..." % $DATA] ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals()[f"...{$DATA}..."] ... $INTERM(...) - pattern: | $DATA = request.$W[...] ... $INTERM = globals()["...".format(..., $DATA, ...)] ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals().get($DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals().get("..." % $DATA, ...) ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals().get(f"...{$DATA}...", ...) ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals().get("...".format(..., $DATA, ...), ...) ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals()[$DATA] ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals()["..." % $DATA] ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals()[f"...{$DATA}..."] ... $INTERM(...) - pattern: | $DATA = request.$W ... $INTERM = globals()["...".format(..., $DATA, ...)] ... $INTERM(...) - id: python.django.security.injection.code.user-eval-format-string.user-eval-format-string message: Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html category: security technology: - django subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string shortlink: https://sg.run/4x2z semgrep.dev: rule: r_id: 9500 rv_id: 1263383 rule_id: BYUNw9 version_id: vdT06xG url: https://semgrep.dev/playground/r/vdT06xG/python.django.security.injection.code.user-eval-format-string.user-eval-format-string origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-either: - pattern: eval(..., $STR % request.$W.get(...), ...) - pattern: | $V = request.$W.get(...) ... eval(..., $STR % $V, ...) - pattern: | $V = request.$W.get(...) ... $S = $STR % $V ... eval(..., $S, ...) - pattern: eval(..., "..." % request.$W(...), ...) - pattern: | $V = request.$W(...) ... eval(..., $STR % $V, ...) - pattern: | $V = request.$W(...) ... $S = $STR % $V ... eval(..., $S, ...) - pattern: eval(..., $STR % request.$W[...], ...) - pattern: | $V = request.$W[...] ... eval(..., $STR % $V, ...) - pattern: | $V = request.$W[...] ... $S = $STR % $V ... eval(..., $S, ...) - pattern: eval(..., $STR.format(..., request.$W.get(...), ...), ...) - pattern: | $V = request.$W.get(...) ... eval(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W.get(...) ... $S = $STR.format(..., $V, ...) ... eval(..., $S, ...) - pattern: eval(..., $STR.format(..., request.$W(...), ...), ...) - pattern: | $V = request.$W(...) ... eval(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W(...) ... $S = $STR.format(..., $V, ...) ... eval(..., $S, ...) - pattern: eval(..., $STR.format(..., request.$W[...], ...), ...) - pattern: | $V = request.$W[...] ... eval(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W[...] ... $S = $STR.format(..., $V, ...) ... eval(..., $S, ...) - pattern: | $V = request.$W.get(...) ... eval(..., f"...{$V}...", ...) - pattern: | $V = request.$W.get(...) ... $S = f"...{$V}..." ... eval(..., $S, ...) - pattern: | $V = request.$W(...) ... eval(..., f"...{$V}...", ...) - pattern: | $V = request.$W(...) ... $S = f"...{$V}..." ... eval(..., $S, ...) - pattern: | $V = request.$W[...] ... eval(..., f"...{$V}...", ...) - pattern: | $V = request.$W[...] ... $S = f"...{$V}..." ... eval(..., $S, ...) languages: - python severity: WARNING - id: ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-javascript.gemini-missing-system-instruction-javascript languages: - javascript - typescript severity: WARNING message: Gemini GenerativeModel created without 'systemInstruction' parameter. A system instruction helps establish behavioral guidelines and safety boundaries for the model. See https://ai.google.dev/gemini-api/docs/safety-guidance metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - gemini references: - https://ai.google.dev/gemini-api/docs/safety-guidance license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-javascript.gemini-missing-system-instruction-javascript shortlink: https://sg.run/2LgpL semgrep.dev: rule: r_id: 288819 rv_id: 1413377 rule_id: zdUANnA version_id: QkTEj8k url: https://semgrep.dev/playground/r/QkTEj8k/ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-javascript.gemini-missing-system-instruction-javascript origin: community patterns: - pattern: $CLIENT.getGenerativeModel({...}) - pattern-not: '$CLIENT.getGenerativeModel({..., systemInstruction: $SI, ...})' - id: ai.ai-best-practices.mcp-unsanitized-return.mcp-unsanitized-return.mcp-unsanitized-return-python mode: taint languages: - python severity: WARNING message: External HTTP response data flows directly into an MCP tool return value without sanitization. Untrusted API responses may contain prompt injection payloads or malicious content that could manipulate the LLM. Sanitize or validate external data before returning it from MCP tools. metadata: cwe: 'CWE-116: Improper Encoding or Escaping of Output' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM technology: - mcp references: - https://modelcontextprotocol.io/specification/draft/basic/security_best_practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/ai.ai-best-practices.mcp-unsanitized-return.mcp-unsanitized-return.mcp-unsanitized-return-python shortlink: https://sg.run/6W4rB semgrep.dev: rule: r_id: 286759 rv_id: 1409356 rule_id: j2U61qz version_id: GxTlbwe url: https://semgrep.dev/playground/r/GxTlbwe/ai.ai-best-practices.mcp-unsanitized-return.mcp-unsanitized-return.mcp-unsanitized-return-python origin: community pattern-sources: - patterns: - pattern-either: - pattern: requests.get(...) - pattern: requests.post(...) - pattern: urllib.request.urlopen(...) pattern-sinks: - patterns: - pattern-inside: | @$SERVER.tool() def $FUNC(...): ... - pattern: return $SINK - focus-metavariable: $SINK pattern-sanitizers: - pattern: sanitize(...) - pattern: bleach.clean(...) - pattern: html.escape(...) - pattern: str.strip(...) - id: python.django.security.injection.code.user-exec.user-exec message: Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - django references: - https://owasp.org/www-community/attacks/Code_Injection subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec shortlink: https://sg.run/5Q3X semgrep.dev: rule: r_id: 9503 rv_id: 1263386 rule_id: 0oU5AW version_id: nWT2LA2 url: https://semgrep.dev/playground/r/nWT2LA2/python.django.security.injection.code.user-exec.user-exec origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-either: - pattern: exec(..., request.$W.get(...), ...) - pattern: | $V = request.$W.get(...) ... exec(..., $V, ...) - pattern: exec(..., request.$W(...), ...) - pattern: | $V = request.$W(...) ... exec(..., $V, ...) - pattern: exec(..., request.$W[...], ...) - pattern: | $V = request.$W[...] ... exec(..., $V, ...) - pattern: | loop = asyncio.get_running_loop() ... await loop.run_in_executor(None, exec, request.$W[...]) - pattern: | $V = request.$W[...] ... loop = asyncio.get_running_loop() ... await loop.run_in_executor(None, exec, $V) - pattern: | loop = asyncio.get_running_loop() ... await loop.run_in_executor(None, exec, request.$W.get(...)) - pattern: | $V = request.$W.get(...) ... loop = asyncio.get_running_loop() ... await loop.run_in_executor(None, exec, $V) languages: - python severity: WARNING - id: python.django.security.injection.command.command-injection-os-system.command-injection-os-system message: Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/Command_Injection category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system shortlink: https://sg.run/Gen2 semgrep.dev: rule: r_id: 9504 rv_id: 1263387 rule_id: KxUbp2 version_id: ExTExPo url: https://semgrep.dev/playground/r/ExTExPo/python.django.security.injection.command.command-injection-os-system.command-injection-os-system origin: community languages: - python severity: ERROR patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: os.system(..., request.$W.get(...), ...) - pattern: os.system(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: os.system(..., $S % request.$W.get(...), ...) - pattern: os.system(..., f"...{request.$W.get(...)}...", ...) - pattern: | $DATA = request.$W.get(...) ... os.system(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... os.system(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... os.system(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... os.system(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... os.system(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... os.system(..., $INTERM, ...) - pattern: $A = os.system(..., request.$W.get(...), ...) - pattern: $A = os.system(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $A = os.system(..., $S % request.$W.get(...), ...) - pattern: $A = os.system(..., f"...{request.$W.get(...)}...", ...) - pattern: return os.system(..., request.$W.get(...), ...) - pattern: return os.system(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: return os.system(..., $S % request.$W.get(...), ...) - pattern: return os.system(..., f"...{request.$W.get(...)}...", ...) - pattern: os.system(..., request.$W(...), ...) - pattern: os.system(..., $S.format(..., request.$W(...), ...), ...) - pattern: os.system(..., $S % request.$W(...), ...) - pattern: os.system(..., f"...{request.$W(...)}...", ...) - pattern: | $DATA = request.$W(...) ... os.system(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... os.system(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... os.system(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... os.system(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... os.system(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... os.system(..., $INTERM, ...) - pattern: $A = os.system(..., request.$W(...), ...) - pattern: $A = os.system(..., $S.format(..., request.$W(...), ...), ...) - pattern: $A = os.system(..., $S % request.$W(...), ...) - pattern: $A = os.system(..., f"...{request.$W(...)}...", ...) - pattern: return os.system(..., request.$W(...), ...) - pattern: return os.system(..., $S.format(..., request.$W(...), ...), ...) - pattern: return os.system(..., $S % request.$W(...), ...) - pattern: return os.system(..., f"...{request.$W(...)}...", ...) - pattern: os.system(..., request.$W[...], ...) - pattern: os.system(..., $S.format(..., request.$W[...], ...), ...) - pattern: os.system(..., $S % request.$W[...], ...) - pattern: os.system(..., f"...{request.$W[...]}...", ...) - pattern: | $DATA = request.$W[...] ... os.system(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... os.system(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... os.system(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... os.system(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... os.system(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... os.system(..., $INTERM, ...) - pattern: $A = os.system(..., request.$W[...], ...) - pattern: $A = os.system(..., $S.format(..., request.$W[...], ...), ...) - pattern: $A = os.system(..., $S % request.$W[...], ...) - pattern: $A = os.system(..., f"...{request.$W[...]}...", ...) - pattern: return os.system(..., request.$W[...], ...) - pattern: return os.system(..., $S.format(..., request.$W[...], ...), ...) - pattern: return os.system(..., $S % request.$W[...], ...) - pattern: return os.system(..., f"...{request.$W[...]}...", ...) - pattern: os.system(..., request.$W, ...) - pattern: os.system(..., $S.format(..., request.$W, ...), ...) - pattern: os.system(..., $S % request.$W, ...) - pattern: os.system(..., f"...{request.$W}...", ...) - pattern: | $DATA = request.$W ... os.system(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W ... os.system(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W ... os.system(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W ... os.system(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... os.system(..., $INTERM, ...) - pattern: | $DATA = request.$W ... os.system(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... os.system(..., $INTERM, ...) - pattern: $A = os.system(..., request.$W, ...) - pattern: $A = os.system(..., $S.format(..., request.$W, ...), ...) - pattern: $A = os.system(..., $S % request.$W, ...) - pattern: $A = os.system(..., f"...{request.$W}...", ...) - pattern: return os.system(..., request.$W, ...) - pattern: return os.system(..., $S.format(..., request.$W, ...), ...) - pattern: return os.system(..., $S % request.$W, ...) - pattern: return os.system(..., f"...{request.$W}...", ...) - id: python.django.security.injection.command.subprocess-injection.subprocess-injection languages: - python mode: taint options: symbolic_propagation: true pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $REQUEST, ...): ... - focus-metavariable: $REQUEST - metavariable-pattern: metavariable: $REQUEST patterns: - pattern: request - pattern-not-inside: request.build_absolute_uri pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: subprocess.$FUNC(...) - pattern-not: subprocess.$FUNC("...", ...) - pattern-not: subprocess.$FUNC(["...", ...], ...) - pattern-not-inside: | $CMD = ["...", ...] ... subprocess.$FUNC($CMD, ...) - patterns: - pattern: subprocess.$FUNC(["$SHELL", "-c", ...], ...) - metavariable-regex: metavariable: $SHELL regex: ^(sh|bash|ksh|csh|tcsh|zsh)$ - patterns: - pattern: subprocess.$FUNC(["$INTERPRETER", ...], ...) - metavariable-regex: metavariable: $INTERPRETER regex: ^(python|python\d)$ pattern-sanitizers: - patterns: - pattern: $DICT[$KEY] - focus-metavariable: $KEY severity: ERROR message: Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands. metadata: category: security technology: - flask owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.django.security.injection.command.subprocess-injection.subprocess-injection shortlink: https://sg.run/49BE semgrep.dev: rule: r_id: 31144 rv_id: 1263388 rule_id: EwUepx version_id: 7ZTE3qK url: https://semgrep.dev/playground/r/7ZTE3qK/python.django.security.injection.command.subprocess-injection.subprocess-injection origin: community - id: python.django.security.injection.csv-writer-injection.csv-writer-injection languages: - python message: Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs. metadata: category: security confidence: MEDIUM cwe: - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/raphaelm/defusedcsv - https://owasp.org/www-community/attacks/CSV_Injection - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities technology: - django - python subcategory: - vuln impact: MEDIUM likelihood: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.django.security.injection.csv-writer-injection.csv-writer-injection shortlink: https://sg.run/Pw9q semgrep.dev: rule: r_id: 31145 rv_id: 1263389 rule_id: 7KUK1y version_id: LjTkgD9 url: https://semgrep.dev/playground/r/LjTkgD9/python.django.security.injection.csv-writer-injection.csv-writer-injection origin: community mode: taint pattern-sinks: - patterns: - pattern-inside: | $WRITER = csv.writer(...) ... $WRITER.$WRITE(...) - pattern: $WRITER.$WRITE(...) - metavariable-regex: metavariable: $WRITE regex: ^(writerow|writerows|writeheader)$ pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $REQUEST, ...): ... - focus-metavariable: $REQUEST - metavariable-pattern: metavariable: $REQUEST patterns: - pattern: request - pattern-not-inside: request.build_absolute_uri severity: ERROR - id: python.django.security.injection.email.xss-html-email-body.xss-html-email-body message: Found request data in an EmailMessage that is set to use HTML. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS. metadata: cwe: - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (''Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://www.damonkohler.com/2008/12/email-injection.html category: security technology: - django subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.django.security.injection.email.xss-html-email-body.xss-html-email-body shortlink: https://sg.run/RoBe semgrep.dev: rule: r_id: 9505 rv_id: 1263390 rule_id: qNUj02 version_id: 8KT5rOn url: https://semgrep.dev/playground/r/8KT5rOn/python.django.security.injection.email.xss-html-email-body.xss-html-email-body origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... $EMAIL.content_subtype = "html" ... - pattern-either: - pattern: django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.EmailMessage($SUBJ, $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $B.$C(..., $DATA, ...) ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W.get(...), ...) - pattern: django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.EmailMessage($SUBJ, $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $B.$C(..., $DATA, ...) ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W(...), ...) - pattern: django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.EmailMessage($SUBJ, $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $B.$C(..., $DATA, ...) ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W[...], ...) - pattern: django.core.mail.EmailMessage($SUBJ, request.$W, ...) - pattern: | $DATA = request.$W ... django.core.mail.EmailMessage($SUBJ, $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.EmailMessage($SUBJ, $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $B.$C(..., $DATA, ...) ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.EmailMessage($SUBJ, $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.EmailMessage($SUBJ, f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.core.mail.EmailMessage($SUBJ, $INTERM, ...) - pattern: $A = django.core.mail.EmailMessage($SUBJ, request.$W, ...) - pattern: return django.core.mail.EmailMessage($SUBJ, request.$W, ...) - id: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message message: Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS. metadata: cwe: - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (''Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://www.damonkohler.com/2008/12/email-injection.html category: security technology: - django subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message shortlink: https://sg.run/Avx8 semgrep.dev: rule: r_id: 9506 rv_id: 1263391 rule_id: lBU9Ll version_id: gETB7Gn url: https://semgrep.dev/playground/r/gETB7Gn/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: django.core.mail.send_mail(..., html_message=request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.send_mail(..., html_message=$DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W.get(...), ...) - pattern: return django.core.mail.send_mail(..., html_message=request.$W.get(...), ...) - pattern: django.core.mail.send_mail(..., html_message=request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.send_mail(..., html_message=$DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W(...), ...) - pattern: return django.core.mail.send_mail(..., html_message=request.$W(...), ...) - pattern: django.core.mail.send_mail(..., html_message=request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.send_mail(..., html_message=$DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W[...], ...) - pattern: return django.core.mail.send_mail(..., html_message=request.$W[...], ...) - pattern: django.core.mail.send_mail(..., html_message=request.$W, ...) - pattern: | $DATA = request.$W ... django.core.mail.send_mail(..., html_message=$DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.send_mail(..., html_message=$STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.send_mail(..., html_message=$STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.send_mail(..., html_message=f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: | $DATA = request.$W ... django.core.mail.send_mail(..., html_message=$STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.core.mail.send_mail(..., html_message=$INTERM, ...) - pattern: $A = django.core.mail.send_mail(..., html_message=request.$W, ...) - pattern: return django.core.mail.send_mail(..., html_message=request.$W, ...) - id: python.django.security.injection.mass-assignment.mass-assignment languages: - python severity: WARNING message: Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using '**request.$W', assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html. metadata: cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures owaspapi: 'API6: Mass Assignment' references: - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html category: security technology: - django subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/python.django.security.injection.mass-assignment.mass-assignment shortlink: https://sg.run/Ro0q semgrep.dev: rule: r_id: 9493 rv_id: 1263392 rule_id: lBU97n version_id: QkTGqlQ url: https://semgrep.dev/playground/r/QkTGqlQ/python.django.security.injection.mass-assignment.mass-assignment origin: community pattern-either: - pattern: $MODEL.objects.create(**request.$W) - pattern: | $OBJ.update(**request.$W) ... $OBJ.save() - id: python.django.security.injection.open-redirect.open-redirect message: Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information. metadata: cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/ - https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231 category: security technology: - django subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect shortlink: https://sg.run/Ave2 semgrep.dev: rule: r_id: 9494 rv_id: 1263393 rule_id: PeUZgr version_id: 3ZT4XD7 url: https://semgrep.dev/playground/r/3ZT4XD7/python.django.security.injection.open-redirect.open-redirect origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-not-inside: | def $FUNC(...): ... django.utils.http.is_safe_url(...) ... - pattern-not-inside: | def $FUNC(...): ... if <... django.utils.http.is_safe_url(...) ...>: ... - pattern-not-inside: | def $FUNC(...): ... django.utils.http.url_has_allowed_host_and_scheme(...) ... - pattern-not-inside: | def $FUNC(...): ... if <... django.utils.http.url_has_allowed_host_and_scheme(...) ...>: ... - pattern-either: - pattern: django.shortcuts.redirect(..., request.$W.get(...), ...) - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: django.shortcuts.redirect(..., $S % request.$W.get(...), ...) - pattern: django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", ...) - pattern: | $DATA = request.$W.get(...) ... django.shortcuts.redirect(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.shortcuts.redirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.shortcuts.redirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.shortcuts.redirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: $A = django.shortcuts.redirect(..., request.$W.get(...), ...) - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $A = django.shortcuts.redirect(..., $S % request.$W.get(...), ...) - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", ...) - pattern: return django.shortcuts.redirect(..., request.$W.get(...), ...) - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: return django.shortcuts.redirect(..., $S % request.$W.get(...), ...) - pattern: return django.shortcuts.redirect(..., f"...{request.$W.get(...)}...", ...) - pattern: django.shortcuts.redirect(..., request.$W(...), ...) - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: django.shortcuts.redirect(..., $S % request.$W(...), ...) - pattern: django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) - pattern: | $DATA = request.$W(...) ... django.shortcuts.redirect(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.shortcuts.redirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.shortcuts.redirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.shortcuts.redirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: $A = django.shortcuts.redirect(..., request.$W(...), ...) - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: $A = django.shortcuts.redirect(..., $S % request.$W(...), ...) - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) - pattern: return django.shortcuts.redirect(..., request.$W(...), ...) - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: return django.shortcuts.redirect(..., $S % request.$W(...), ...) - pattern: return django.shortcuts.redirect(..., f"...{request.$W(...)}...", ...) - pattern: django.shortcuts.redirect(..., request.$W[...], ...) - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: django.shortcuts.redirect(..., $S % request.$W[...], ...) - pattern: django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) - pattern: | $DATA = request.$W[...] ... django.shortcuts.redirect(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.shortcuts.redirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.shortcuts.redirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.shortcuts.redirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: $A = django.shortcuts.redirect(..., request.$W[...], ...) - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: $A = django.shortcuts.redirect(..., $S % request.$W[...], ...) - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) - pattern: return django.shortcuts.redirect(..., request.$W[...], ...) - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: return django.shortcuts.redirect(..., $S % request.$W[...], ...) - pattern: return django.shortcuts.redirect(..., f"...{request.$W[...]}...", ...) - pattern: django.shortcuts.redirect(..., request.$W, ...) - pattern: django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...) - pattern: django.shortcuts.redirect(..., $S % request.$W, ...) - pattern: django.shortcuts.redirect(..., f"...{request.$W}...", ...) - pattern: | $DATA = request.$W ... django.shortcuts.redirect(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.shortcuts.redirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.shortcuts.redirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.shortcuts.redirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.shortcuts.redirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.shortcuts.redirect(..., $INTERM, ...) - pattern: $A = django.shortcuts.redirect(..., request.$W, ...) - pattern: $A = django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...) - pattern: $A = django.shortcuts.redirect(..., $S % request.$W, ...) - pattern: $A = django.shortcuts.redirect(..., f"...{request.$W}...", ...) - pattern: return django.shortcuts.redirect(..., request.$W, ...) - pattern: return django.shortcuts.redirect(..., $S.format(..., request.$W, ...), ...) - pattern: return django.shortcuts.redirect(..., $S % request.$W, ...) - pattern: return django.shortcuts.redirect(..., f"...{request.$W}...", ...) - pattern: django.http.HttpResponseRedirect(..., request.$W.get(...), ...) - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...) - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseRedirect(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseRedirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseRedirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseRedirect(..., request.$W.get(...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", ...) - pattern: return django.http.HttpResponseRedirect(..., request.$W.get(...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W.get(...), ...) - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W.get(...)}...", ...) - pattern: django.http.HttpResponseRedirect(..., request.$W(...), ...) - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: django.http.HttpResponseRedirect(..., $S % request.$W(...), ...) - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseRedirect(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseRedirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseRedirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseRedirect(..., request.$W(...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W(...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", ...) - pattern: return django.http.HttpResponseRedirect(..., request.$W(...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W(...), ...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W(...), ...) - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W(...)}...", ...) - pattern: django.http.HttpResponseRedirect(..., request.$W[...], ...) - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: django.http.HttpResponseRedirect(..., $S % request.$W[...], ...) - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseRedirect(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseRedirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseRedirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseRedirect(..., request.$W[...], ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W[...], ...) - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", ...) - pattern: return django.http.HttpResponseRedirect(..., request.$W[...], ...) - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W[...], ...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W[...], ...) - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W[...]}...", ...) - pattern: django.http.HttpResponseRedirect(..., request.$W, ...) - pattern: django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...) - pattern: django.http.HttpResponseRedirect(..., $S % request.$W, ...) - pattern: django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseRedirect(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseRedirect(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseRedirect(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseRedirect(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseRedirect(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.http.HttpResponseRedirect(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseRedirect(..., request.$W, ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...) - pattern: $A = django.http.HttpResponseRedirect(..., $S % request.$W, ...) - pattern: $A = django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...) - pattern: return django.http.HttpResponseRedirect(..., request.$W, ...) - pattern: return django.http.HttpResponseRedirect(..., $S.format(..., request.$W, ...), ...) - pattern: return django.http.HttpResponseRedirect(..., $S % request.$W, ...) - pattern: return django.http.HttpResponseRedirect(..., f"...{request.$W}...", ...) - metavariable-regex: metavariable: $W regex: (?!get_full_path) - id: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name message: Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name shortlink: https://sg.run/BkO2 semgrep.dev: rule: r_id: 9507 rv_id: 1263394 rule_id: YGUR36 version_id: 44TEjWJ url: https://semgrep.dev/playground/r/44TEjWJ/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-not-inside: | def $F(...): ... os.path.realpath(...) ... - pattern-not-inside: | def $F(...): ... os.path.abspath(...) ... - pattern-either: - pattern: | $V = request.$W.get($X) ... $FILE % ($V) - pattern: | $V = request.$W[$X] ... $FILE % ($V) - pattern: | $V = request.$W($X) ... $FILE % ($V) - pattern: | $V = request.$W ... $FILE % ($V) # match format use cases - pattern: | $V = request.$W.get($X) ... $FILE.format(..., $V, ...) - pattern: | $V = request.$W[$X] ... $FILE.format(..., $V, ...) - pattern: | $V = request.$W($X) ... $FILE.format(..., $V, ...) - pattern: | $V = request.$W ... $FILE.format(..., $V, ...) - metavariable-regex: metavariable: $FILE regex: .*\.(log|zip|txt|csv|xml|html).* languages: - python severity: WARNING - id: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join message: Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join shortlink: https://sg.run/Dovo semgrep.dev: rule: r_id: 9508 rv_id: 1263395 rule_id: 6JUjLj version_id: PkTR3q7 url: https://semgrep.dev/playground/r/PkTR3q7/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-not-inside: | def $F(...): ... os.path.abspath(...) ... - pattern-not-inside: | def $F(...): ... os.path.realpath(...) ... - pattern-either: - pattern: open(os.path.join(..., request.$W.get(...), ...), ...) - pattern: open(os.path.join(..., request.$W(...), ...), ...) - pattern: open(os.path.join(..., request.$W, ...), ...) - pattern: open(os.path.join(..., request.$W[...], ...), ...) - pattern: | $P = os.path.join(..., request.$W.get(...), ...) ... open($P, ...) - pattern: | $P = os.path.join(..., request.$W(...), ...) ... open($P, ...) - pattern: | $P = os.path.join(..., request.$W, ...) ... open($P, ...) - pattern: | $P = os.path.join(..., request.$W[...], ...) ... open($P, ...) - pattern: | $V = request.$W.get($X) ... $P = os.path.join(..., $V, ...) ... open($P, ...) - pattern: | $V = request.$W($X) ... $P = os.path.join(..., $V, ...) ... open($P, ...) - pattern: | $V = request.$W[$X] ... $P = os.path.join(..., $V, ...) ... open($P, ...) - pattern: | $V = request.$W ... $P = os.path.join(..., $V, ...) ... open($P, ...) - pattern: | $P = request.$W.get(...) ... open(os.path.join(..., $P, ...), ...) - pattern: | $P = request.$W(...) ... open(os.path.join(..., $P, ...), ...) - pattern: | $P = request.$W ... open(os.path.join(..., $P, ...), ...) - pattern: | $P = request.$W[...] ... open(os.path.join(..., $P, ...), ...) languages: - python severity: WARNING - id: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open message: Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open shortlink: https://sg.run/W8qg semgrep.dev: rule: r_id: 9509 rv_id: 1263396 rule_id: oqUe7z version_id: JdTzxAw url: https://semgrep.dev/playground/r/JdTzxAw/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: open(..., request.$W.get(...), ...) - pattern: open(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: open(..., $S % request.$W.get(...), ...) - pattern: open(..., f"...{request.$W.get(...)}...", ...) - pattern: | $DATA = request.$W.get(...) ... open(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W.get(...) ... open(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W.get(...) ... open(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W.get(...) ... open(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W.get(...) ... open(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: $A = open(..., request.$W.get(...), ...) - pattern: $A = open(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $A = open(..., $S % request.$W.get(...), ...) - pattern: $A = open(..., f"...{request.$W.get(...)}...", ...) - pattern: return open(..., request.$W.get(...), ...) - pattern: return open(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: return open(..., $S % request.$W.get(...), ...) - pattern: return open(..., f"...{request.$W.get(...)}...", ...) - pattern: | $DATA = request.$W.get(...) ... with open(..., $DATA, ...) as $FD: ... - pattern: open(..., request.$W(...), ...) - pattern: open(..., $S.format(..., request.$W(...), ...), ...) - pattern: open(..., $S % request.$W(...), ...) - pattern: open(..., f"...{request.$W(...)}...", ...) - pattern: | $DATA = request.$W(...) ... open(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W(...) ... open(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W(...) ... open(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W(...) ... open(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W(...) ... open(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: $A = open(..., request.$W(...), ...) - pattern: $A = open(..., $S.format(..., request.$W(...), ...), ...) - pattern: $A = open(..., $S % request.$W(...), ...) - pattern: $A = open(..., f"...{request.$W(...)}...", ...) - pattern: return open(..., request.$W(...), ...) - pattern: return open(..., $S.format(..., request.$W(...), ...), ...) - pattern: return open(..., $S % request.$W(...), ...) - pattern: return open(..., f"...{request.$W(...)}...", ...) - pattern: | $DATA = request.$W(...) ... with open(..., $DATA, ...) as $FD: ... - pattern: open(..., request.$W[...], ...) - pattern: open(..., $S.format(..., request.$W[...], ...), ...) - pattern: open(..., $S % request.$W[...], ...) - pattern: open(..., f"...{request.$W[...]}...", ...) - pattern: | $DATA = request.$W[...] ... open(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W[...] ... open(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W[...] ... open(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W[...] ... open(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W[...] ... open(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: $A = open(..., request.$W[...], ...) - pattern: $A = open(..., $S.format(..., request.$W[...], ...), ...) - pattern: $A = open(..., $S % request.$W[...], ...) - pattern: $A = open(..., f"...{request.$W[...]}...", ...) - pattern: return open(..., request.$W[...], ...) - pattern: return open(..., $S.format(..., request.$W[...], ...), ...) - pattern: return open(..., $S % request.$W[...], ...) - pattern: return open(..., f"...{request.$W[...]}...", ...) - pattern: | $DATA = request.$W[...] ... with open(..., $DATA, ...) as $FD: ... - pattern: open(..., request.$W, ...) - pattern: open(..., $S.format(..., request.$W, ...), ...) - pattern: open(..., $S % request.$W, ...) - pattern: open(..., f"...{request.$W}...", ...) - pattern: | $DATA = request.$W ... open(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W ... open(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W ... open(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W ... open(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... with open(..., $INTERM, ...) as $FD: ... - pattern: | $DATA = request.$W ... open(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... open(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... with open(..., $INTERM, ...) as $FD: ... - pattern: $A = open(..., request.$W, ...) - pattern: $A = open(..., $S.format(..., request.$W, ...), ...) - pattern: $A = open(..., $S % request.$W, ...) - pattern: $A = open(..., f"...{request.$W}...", ...) - pattern: return open(..., request.$W, ...) - pattern: return open(..., $S.format(..., request.$W, ...), ...) - pattern: return open(..., $S % request.$W, ...) - pattern: return open(..., f"...{request.$W}...", ...) - pattern: | $DATA = request.$W ... with open(..., $DATA, ...) as $FD: ... - id: python.django.security.injection.raw-html-format.raw-html-format languages: - python severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - django references: - https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render - https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format shortlink: https://sg.run/oYj1 semgrep.dev: rule: r_id: 14360 rv_id: 1263397 rule_id: 2ZUPER version_id: 5PTo100 url: https://semgrep.dev/playground/r/5PTo100/python.django.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sanitizers: - pattern: django.utils.html.escape(...) pattern-sources: - patterns: - pattern: request.$ANYTHING - pattern-not: request.build_absolute_uri pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: '"$HTMLSTR" % ...' - pattern: '"$HTMLSTR".format(...)' - pattern: '"$HTMLSTR" + ...' - pattern: f"$HTMLSTR{...}..." - patterns: - pattern-inside: | $HTML = "$HTMLSTR" ... - pattern-either: - pattern: $HTML % ... - pattern: $HTML.format(...) - pattern: $HTML + ... - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - id: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse message: Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse shortlink: https://sg.run/BkvA semgrep.dev: rule: r_id: 9495 rv_id: 1263398 rule_id: JDUydR version_id: GxTke5K url: https://semgrep.dev/playground/r/GxTke5K/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: django.http.HttpResponse(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: django.http.HttpResponse(..., $S % request.$W.get(...), ...) - pattern: django.http.HttpResponse(..., f"...{request.$W.get(...)}...", ...) - pattern: django.http.HttpResponse(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponse(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponse(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponse(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponse(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: $A = django.http.HttpResponse(..., request.$W.get(...), ...) - pattern: return django.http.HttpResponse(..., request.$W.get(...), ...) - pattern: django.http.HttpResponse(..., $S.format(..., request.$W(...), ...), ...) - pattern: django.http.HttpResponse(..., $S % request.$W(...), ...) - pattern: django.http.HttpResponse(..., f"...{request.$W(...)}...", ...) - pattern: django.http.HttpResponse(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponse(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponse(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponse(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponse(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: $A = django.http.HttpResponse(..., request.$W(...), ...) - pattern: return django.http.HttpResponse(..., request.$W(...), ...) - pattern: django.http.HttpResponse(..., $S.format(..., request.$W[...], ...), ...) - pattern: django.http.HttpResponse(..., $S % request.$W[...], ...) - pattern: django.http.HttpResponse(..., f"...{request.$W[...]}...", ...) - pattern: django.http.HttpResponse(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponse(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponse(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponse(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponse(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: $A = django.http.HttpResponse(..., request.$W[...], ...) - pattern: return django.http.HttpResponse(..., request.$W[...], ...) - pattern: django.http.HttpResponse(..., $S.format(..., request.$W, ...), ...) - pattern: django.http.HttpResponse(..., $S % request.$W, ...) - pattern: django.http.HttpResponse(..., f"...{request.$W}...", ...) - pattern: django.http.HttpResponse(..., request.$W, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponse(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponse(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponse(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponse(..., f"...{$DATA}...", ...) - pattern: $A = django.http.HttpResponse(..., request.$W, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... $A = django.http.HttpResponse(..., $INTERM, ...) - pattern: return django.http.HttpResponse(..., request.$W, ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponse(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponse(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.http.HttpResponse(..., $INTERM, ...) - id: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest message: Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest shortlink: https://sg.run/DoZP semgrep.dev: rule: r_id: 9496 rv_id: 1263399 rule_id: 5rUOX1 version_id: RGT0LY6 url: https://semgrep.dev/playground/r/RGT0LY6/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W.get(...), ...) - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W.get(...)}...", ...) - pattern: django.http.HttpResponseBadRequest(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseBadRequest(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W.get(...), ...) - pattern: return django.http.HttpResponseBadRequest(..., request.$W.get(...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W(...), ...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W(...), ...) - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W(...)}...", ...) - pattern: django.http.HttpResponseBadRequest(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseBadRequest(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W(...), ...) - pattern: return django.http.HttpResponseBadRequest(..., request.$W(...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W[...], ...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W[...], ...) - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W[...]}...", ...) - pattern: django.http.HttpResponseBadRequest(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseBadRequest(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W[...], ...) - pattern: return django.http.HttpResponseBadRequest(..., request.$W[...], ...) - pattern: django.http.HttpResponseBadRequest(..., $S.format(..., request.$W, ...), ...) - pattern: django.http.HttpResponseBadRequest(..., $S % request.$W, ...) - pattern: django.http.HttpResponseBadRequest(..., f"...{request.$W}...", ...) - pattern: django.http.HttpResponseBadRequest(..., request.$W, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseBadRequest(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseBadRequest(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseBadRequest(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseBadRequest(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: | $DATA = request.$W ... django.http.HttpResponseBadRequest(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... django.http.HttpResponseBadRequest(..., $INTERM, ...) - pattern: $A = django.http.HttpResponseBadRequest(..., request.$W, ...) - pattern: return django.http.HttpResponseBadRequest(..., request.$W, ...) - id: python.django.security.injection.request-data-fileresponse.request-data-fileresponse message: Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse shortlink: https://sg.run/W862 semgrep.dev: rule: r_id: 9497 rv_id: 1263400 rule_id: GdU7QR version_id: A8Tgd1K url: https://semgrep.dev/playground/r/A8Tgd1K/python.django.security.injection.request-data-fileresponse.request-data-fileresponse origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: django.http.FileResponse(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... django.http.FileResponse(..., open($DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = open($DATA, ...) ... django.http.FileResponse(..., $INTERM, ...) - pattern: $A = django.http.FileResponse(..., request.$W.get(...), ...) - pattern: return django.http.FileResponse(..., request.$W.get(...), ...) - pattern: django.http.FileResponse(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... django.http.FileResponse(..., open($DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = open($DATA, ...) ... django.http.FileResponse(..., $INTERM, ...) - pattern: $A = django.http.FileResponse(..., request.$W(...), ...) - pattern: return django.http.FileResponse(..., request.$W(...), ...) - pattern: django.http.FileResponse(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... django.http.FileResponse(..., open($DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = open($DATA, ...) ... django.http.FileResponse(..., $INTERM, ...) - pattern: $A = django.http.FileResponse(..., request.$W[...], ...) - pattern: return django.http.FileResponse(..., request.$W[...], ...) - pattern: django.http.FileResponse(..., request.$W, ...) - pattern: | $DATA = request.$W ... django.http.FileResponse(..., open($DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = open($DATA, ...) ... django.http.FileResponse(..., $INTERM, ...) - pattern: $A = django.http.FileResponse(..., request.$W, ...) - pattern: return django.http.FileResponse(..., request.$W, ...) - id: python.django.security.injection.request-data-write.request-data-write message: Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized. metadata: cwe: - 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - django references: - https://owasp.org/Top10/A03_2021-Injection subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write shortlink: https://sg.run/0Q6j semgrep.dev: rule: r_id: 9498 rv_id: 1263401 rule_id: ReUg5z version_id: BjTkZO5 url: https://semgrep.dev/playground/r/BjTkZO5/python.django.security.injection.request-data-write.request-data-write origin: community languages: - python severity: WARNING pattern-either: - pattern: $F.write(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... $F.write(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $F.write(..., $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $B.$C(..., $DATA, ...) ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $F.write(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $F.write(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... $F.write(..., $INTERM, ...) - pattern: $A = $F.write(..., request.$W.get(...), ...) - pattern: return $F.write(..., request.$W.get(...), ...) - pattern: $F.write(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... $F.write(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $F.write(..., $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $B.$C(..., $DATA, ...) ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $F.write(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $F.write(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... $F.write(..., $INTERM, ...) - pattern: $A = $F.write(..., request.$W(...), ...) - pattern: return $F.write(..., request.$W(...), ...) - pattern: $F.write(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... $F.write(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $F.write(..., $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $B.$C(..., $DATA, ...) ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $F.write(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $F.write(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... $F.write(..., $INTERM, ...) - pattern: $A = $F.write(..., request.$W[...], ...) - pattern: return $F.write(..., request.$W[...], ...) - pattern: $F.write(..., request.$W, ...) - pattern: | $DATA = request.$W ... $F.write(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $F.write(..., $B.$C(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $B.$C(..., $DATA, ...) ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $F.write(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... $F.write(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $F.write(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... $F.write(..., $INTERM, ...) - pattern: $A = $F.write(..., request.$W, ...) - pattern: return $F.write(..., request.$W, ...) - id: python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where message: User-controlled data from a request is passed to 'extra()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/ref/models/expressions/#.objects.extra category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where shortlink: https://sg.run/0Ql5 semgrep.dev: rule: r_id: 9510 rv_id: 1263402 rule_id: zdUkx1 version_id: DkTRb4l url: https://semgrep.dev/playground/r/DkTRb4l/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W.get(...), ...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W.get(...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W.get(...)}...", ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...) - pattern: return $MODEL.objects.extra(..., where=[..., request.$W.get(...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W(...), ...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W(...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W(...)}...", ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...) - pattern: return $MODEL.objects.extra(..., where=[..., request.$W(...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W[...], ...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W[...], ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W[...]}...", ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...) - pattern: return $MODEL.objects.extra(..., where=[..., request.$W[...], ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S.format(..., request.$W, ...), ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., $S % request.$W, ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., f"...{request.$W}...", ...], ...) - pattern: $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., $DATA, ...], ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., $STR.format(..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., $STR % $DATA, ...], ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., f"...{$DATA}...", ...], ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., $STR + $DATA, ...], ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: $A = $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) - pattern: return $MODEL.objects.extra(..., where=[..., request.$W, ...], ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W ... $MODEL.objects.extra(..., where=[..., $STR % (..., $DATA, ...), ...], ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.extra(..., where=[..., $INTERM, ...], ...) - id: python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute message: User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute shortlink: https://sg.run/qx7y semgrep.dev: rule: r_id: 9512 rv_id: 1263404 rule_id: 2ZUbDL version_id: 0bTKzRj url: https://semgrep.dev/playground/r/0bTKzRj/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: $CURSOR.execute(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $CURSOR.execute(..., $S % request.$W.get(...), ...) - pattern: $CURSOR.execute(..., f"...{request.$W.get(...)}...", ...) - pattern: $CURSOR.execute(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: $A = $CURSOR.execute(..., request.$W.get(...), ...) - pattern: return $CURSOR.execute(..., request.$W.get(...), ...) - pattern: $CURSOR.execute(..., $S.format(..., request.$W(...), ...), ...) - pattern: $CURSOR.execute(..., $S % request.$W(...), ...) - pattern: $CURSOR.execute(..., f"...{request.$W(...)}...", ...) - pattern: $CURSOR.execute(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: $A = $CURSOR.execute(..., request.$W(...), ...) - pattern: return $CURSOR.execute(..., request.$W(...), ...) - pattern: $CURSOR.execute(..., $S.format(..., request.$W[...], ...), ...) - pattern: $CURSOR.execute(..., $S % request.$W[...], ...) - pattern: $CURSOR.execute(..., f"...{request.$W[...]}...", ...) - pattern: $CURSOR.execute(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: $A = $CURSOR.execute(..., request.$W[...], ...) - pattern: return $CURSOR.execute(..., request.$W[...], ...) - pattern: $CURSOR.execute(..., $S.format(..., request.$W, ...), ...) - pattern: $CURSOR.execute(..., $S % request.$W, ...) - pattern: $CURSOR.execute(..., f"...{request.$W}...", ...) - pattern: $CURSOR.execute(..., request.$W, ...) - pattern: | $DATA = request.$W ... $CURSOR.execute(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $CURSOR.execute(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $CURSOR.execute(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $CURSOR.execute(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... $CURSOR.execute(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $CURSOR.execute(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... $CURSOR.execute(..., $INTERM, ...) - pattern: $A = $CURSOR.execute(..., request.$W, ...) - pattern: return $CURSOR.execute(..., request.$W, ...) - pattern: | $DATA = request.$W.get(...) ... $CURSOR.execute($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $CURSOR.execute($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $CURSOR.execute($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $CURSOR.execute($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % (..., $DATA, ...) ... $CURSOR.execute($INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % (..., $DATA, ...) ... $CURSOR.execute($INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % (..., $DATA, ...) ... $CURSOR.execute($INTERM, ...) - pattern: |- $DATA = request.$W ... $INTERM = $STR % (..., $DATA, ...) ... $CURSOR.execute($INTERM, ...) - id: python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw message: Data that is possible user-controlled from a python request is passed to `raw()`. This could lead to SQL injection and attackers gaining access to protected information. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw shortlink: https://sg.run/l2v9 semgrep.dev: rule: r_id: 9513 rv_id: 1263405 rule_id: X5U8v5 version_id: K3TKkBW url: https://semgrep.dev/playground/r/K3TKkBW/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw origin: community languages: - python severity: WARNING patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: $MODEL.objects.raw(..., $S % request.$W.get(...), ...) - pattern: $MODEL.objects.raw(..., f"...{request.$W.get(...)}...", ...) - pattern: $MODEL.objects.raw(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: $A = $MODEL.objects.raw(..., request.$W.get(...), ...) - pattern: return $MODEL.objects.raw(..., request.$W.get(...), ...) - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W(...), ...), ...) - pattern: $MODEL.objects.raw(..., $S % request.$W(...), ...) - pattern: $MODEL.objects.raw(..., f"...{request.$W(...)}...", ...) - pattern: $MODEL.objects.raw(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: $A = $MODEL.objects.raw(..., request.$W(...), ...) - pattern: return $MODEL.objects.raw(..., request.$W(...), ...) - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W[...], ...), ...) - pattern: $MODEL.objects.raw(..., $S % request.$W[...], ...) - pattern: $MODEL.objects.raw(..., f"...{request.$W[...]}...", ...) - pattern: $MODEL.objects.raw(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: $A = $MODEL.objects.raw(..., request.$W[...], ...) - pattern: return $MODEL.objects.raw(..., request.$W[...], ...) - pattern: $MODEL.objects.raw(..., $S.format(..., request.$W, ...), ...) - pattern: $MODEL.objects.raw(..., $S % request.$W, ...) - pattern: $MODEL.objects.raw(..., f"...{request.$W}...", ...) - pattern: $MODEL.objects.raw(..., request.$W, ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... $MODEL.objects.raw(..., $INTERM, ...) - pattern: $A = $MODEL.objects.raw(..., request.$W, ...) - pattern: return $MODEL.objects.raw(..., request.$W, ...) - pattern: | $DATA = request.$W.get(...) ... $MODEL.objects.raw($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $MODEL.objects.raw($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $MODEL.objects.raw($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $MODEL.objects.raw($STR % (..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.raw($INTERM, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.raw($INTERM, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.raw($INTERM, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % (..., $DATA, ...) ... $MODEL.objects.raw($INTERM, ...) - id: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests message: Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests shortlink: https://sg.run/YvY4 semgrep.dev: rule: r_id: 9514 rv_id: 1263406 rule_id: j2UvEw version_id: qkTR7zn url: https://semgrep.dev/playground/r/qkTR7zn/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests origin: community languages: - python severity: ERROR patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: requests.$METHOD(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: requests.$METHOD(..., $S % request.$W.get(...), ...) - pattern: requests.$METHOD(..., f"...{request.$W.get(...)}...", ...) - pattern: requests.$METHOD(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... requests.$METHOD(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... requests.$METHOD(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... requests.$METHOD(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... requests.$METHOD(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: $A = requests.$METHOD(..., request.$W.get(...), ...) - pattern: return requests.$METHOD(..., request.$W.get(...), ...) - pattern: requests.$METHOD(..., $S.format(..., request.$W(...), ...), ...) - pattern: requests.$METHOD(..., $S % request.$W(...), ...) - pattern: requests.$METHOD(..., f"...{request.$W(...)}...", ...) - pattern: requests.$METHOD(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... requests.$METHOD(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... requests.$METHOD(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... requests.$METHOD(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... requests.$METHOD(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: $A = requests.$METHOD(..., request.$W(...), ...) - pattern: return requests.$METHOD(..., request.$W(...), ...) - pattern: requests.$METHOD(..., $S.format(..., request.$W[...], ...), ...) - pattern: requests.$METHOD(..., $S % request.$W[...], ...) - pattern: requests.$METHOD(..., f"...{request.$W[...]}...", ...) - pattern: requests.$METHOD(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... requests.$METHOD(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... requests.$METHOD(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... requests.$METHOD(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... requests.$METHOD(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: $A = requests.$METHOD(..., request.$W[...], ...) - pattern: return requests.$METHOD(..., request.$W[...], ...) - pattern: requests.$METHOD(..., $S.format(..., request.$W, ...), ...) - pattern: requests.$METHOD(..., $S % request.$W, ...) - pattern: requests.$METHOD(..., f"...{request.$W}...", ...) - pattern: requests.$METHOD(..., request.$W, ...) - pattern: | $DATA = request.$W ... requests.$METHOD(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W ... requests.$METHOD(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W ... requests.$METHOD(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W ... requests.$METHOD(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... requests.$METHOD(..., $INTERM, ...) - pattern: | $DATA = request.$W ... requests.$METHOD(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... requests.$METHOD(..., $INTERM, ...) - pattern: $A = requests.$METHOD(..., request.$W, ...) - pattern: return requests.$METHOD(..., request.$W, ...) - id: python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib message: Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF), which could result in attackers gaining access to private organization data. To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib shortlink: https://sg.run/6n2B semgrep.dev: rule: r_id: 9515 rv_id: 1263407 rule_id: 10UKDo version_id: l4TJRwD url: https://semgrep.dev/playground/r/l4TJRwD/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib origin: community languages: - python severity: ERROR patterns: - pattern-inside: | def $FUNC(...): ... - pattern-either: - pattern: urllib.request.urlopen(..., $S.format(..., request.$W.get(...), ...), ...) - pattern: urllib.request.urlopen(..., $S % request.$W.get(...), ...) - pattern: urllib.request.urlopen(..., f"...{request.$W.get(...)}...", ...) - pattern: urllib.request.urlopen(..., request.$W.get(...), ...) - pattern: | $DATA = request.$W.get(...) ... urllib.request.urlopen(..., $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR.format(..., $DATA, ...) ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... urllib.request.urlopen(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR % $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... urllib.request.urlopen(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = f"...{$DATA}..." ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... urllib.request.urlopen(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = $STR + $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: $A = urllib.request.urlopen(..., request.$W.get(...), ...) - pattern: return urllib.request.urlopen(..., request.$W.get(...), ...) - pattern: urllib.request.urlopen(..., $S.format(..., request.$W(...), ...), ...) - pattern: urllib.request.urlopen(..., $S % request.$W(...), ...) - pattern: urllib.request.urlopen(..., f"...{request.$W(...)}...", ...) - pattern: urllib.request.urlopen(..., request.$W(...), ...) - pattern: | $DATA = request.$W(...) ... urllib.request.urlopen(..., $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR.format(..., $DATA, ...) ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... urllib.request.urlopen(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR % $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... urllib.request.urlopen(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W(...) ... $INTERM = f"...{$DATA}..." ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... urllib.request.urlopen(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W(...) ... $INTERM = $STR + $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: $A = urllib.request.urlopen(..., request.$W(...), ...) - pattern: return urllib.request.urlopen(..., request.$W(...), ...) - pattern: urllib.request.urlopen(..., $S.format(..., request.$W[...], ...), ...) - pattern: urllib.request.urlopen(..., $S % request.$W[...], ...) - pattern: urllib.request.urlopen(..., f"...{request.$W[...]}...", ...) - pattern: urllib.request.urlopen(..., request.$W[...], ...) - pattern: | $DATA = request.$W[...] ... urllib.request.urlopen(..., $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR.format(..., $DATA, ...) ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... urllib.request.urlopen(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR % $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... urllib.request.urlopen(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W[...] ... $INTERM = f"...{$DATA}..." ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... urllib.request.urlopen(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W[...] ... $INTERM = $STR + $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: $A = urllib.request.urlopen(..., request.$W[...], ...) - pattern: return urllib.request.urlopen(..., request.$W[...], ...) - pattern: urllib.request.urlopen(..., $S.format(..., request.$W, ...), ...) - pattern: urllib.request.urlopen(..., $S % request.$W, ...) - pattern: urllib.request.urlopen(..., f"...{request.$W}...", ...) - pattern: urllib.request.urlopen(..., request.$W, ...) - pattern: | $DATA = request.$W ... urllib.request.urlopen(..., $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W ... urllib.request.urlopen(..., $STR.format(..., $DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = $STR.format(..., $DATA, ...) ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W ... urllib.request.urlopen(..., $STR % $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR % $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W ... urllib.request.urlopen(..., f"...{$DATA}...", ...) - pattern: | $DATA = request.$W ... $INTERM = f"...{$DATA}..." ... urllib.request.urlopen(..., $INTERM, ...) - pattern: | $DATA = request.$W ... urllib.request.urlopen(..., $STR + $DATA, ...) - pattern: | $DATA = request.$W ... $INTERM = $STR + $DATA ... urllib.request.urlopen(..., $INTERM, ...) - pattern: $A = urllib.request.urlopen(..., request.$W, ...) - pattern: return urllib.request.urlopen(..., request.$W, ...) - id: python.django.security.injection.tainted-sql-string.tainted-sql-string message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries. metadata: cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection category: security technology: - django subcategory: - audit impact: LOW likelihood: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/PbZp semgrep.dev: rule: r_id: 14701 rv_id: 1263408 rule_id: lBU8Ad version_id: YDTZeje url: https://semgrep.dev/playground/r/YDTZeje/python.django.security.injection.tainted-sql-string.tainted-sql-string origin: community severity: ERROR languages: - python mode: taint pattern-sources: - patterns: - pattern: request.$ANYTHING - pattern-not: request.build_absolute_uri pattern-sinks: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR" % ... - pattern: | "$SQLSTR".format(...) - pattern: | f"$SQLSTR{...}..." - metavariable-regex: metavariable: $SQLSTR regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.* - id: python.django.security.injection.tainted-url-host.tainted-url-host languages: - python message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit impact: MEDIUM likelihood: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/oYz6 semgrep.dev: rule: r_id: 14760 rv_id: 1263409 rule_id: 6JU1l0 version_id: JdTzxAj url: https://semgrep.dev/playground/r/JdTzxAj/python.django.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: '"$URLSTR" % ...' - metavariable-pattern: metavariable: $URLSTR language: generic patterns: - pattern-either: - pattern: $SCHEME://%s - pattern: $SCHEME://%r - patterns: - pattern: '"$URLSTR".format(...)' - metavariable-pattern: metavariable: $URLSTR language: generic pattern: $SCHEME:// { ... } - patterns: - pattern: '"$URLSTR" + ...' - metavariable-regex: metavariable: $URLSTR regex: .*://$ - patterns: - pattern: f"$URLSTR{...}..." - metavariable-regex: metavariable: $URLSTR regex: .*://$ - patterns: - pattern-inside: | $URL = "$URLSTR" ... - pattern: $URL += ... - metavariable-regex: metavariable: $URLSTR regex: .*://$ pattern-sources: - patterns: - pattern: request.$ANYTHING - pattern-not: request.build_absolute_uri severity: WARNING - id: python.django.security.locals-as-template-context.locals-as-template-context languages: - python message: 'Using ''locals()'' as a context to ''render(...)'' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use ''locals()''. Instead, specify each variable in a dictionary or ''django.template.Context'' object, like ''{"var1": "hello"}'' and use that instead.' metadata: category: security cwe: - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.djangoproject.com/en/3.2/ref/settings/#templates - https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates - https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context technology: - django subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context shortlink: https://sg.run/L8XL semgrep.dev: rule: r_id: 11939 rv_id: 1263410 rule_id: 10Ued2 version_id: 5PTo10w url: https://semgrep.dev/playground/r/5PTo10w/python.django.security.locals-as-template-context.locals-as-template-context origin: community pattern-either: - pattern: django.shortcuts.render(..., locals(...), ...) - pattern: django.template.Template.render(..., locals(...), ...) - patterns: - pattern-inside: | $CONTEXT = locals(...) ... - pattern-either: - pattern: django.shortcuts.render(..., $CONTEXT, ...) - pattern: django.template.Template.render(..., $CONTEXT, ...) severity: ERROR - id: python.django.security.passwords.password-empty-string.password-empty-string message: '''$VAR'' is the empty string and is being used to set the password on ''$MODEL''. If you meant to set an unusable password, set the password to None or call ''set_unusable_password()''.' metadata: cwe: - 'CWE-521: Weak Password Requirements' owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password category: security technology: - django subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/python.django.security.passwords.password-empty-string.password-empty-string shortlink: https://sg.run/oxnR semgrep.dev: rule: r_id: 9516 rv_id: 1263411 rule_id: 9AU1jW version_id: GxTke5Q url: https://semgrep.dev/playground/r/GxTke5Q/python.django.security.passwords.password-empty-string.password-empty-string origin: community patterns: - pattern-either: - pattern: | $MODEL.set_password($EMPTY) ... $MODEL.save() - pattern: | $VAR = $EMPTY ... $MODEL.set_password($VAR) ... $MODEL.save() - metavariable-regex: metavariable: $EMPTY regex: (\'\'|\"\") languages: - python severity: ERROR - id: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default message: '''$VAR'' is using the empty string as its default and is being used to set the password on ''$MODEL''. If you meant to set an unusable password, set the default value to ''None'' or call ''set_unusable_password()''.' metadata: cwe: - 'CWE-521: Weak Password Requirements' owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password category: security technology: - django subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default shortlink: https://sg.run/zvBW semgrep.dev: rule: r_id: 9517 rv_id: 1263412 rule_id: yyUn6Z version_id: RGT0LYX url: https://semgrep.dev/playground/r/RGT0LYX/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default origin: community languages: - python severity: ERROR patterns: - pattern-either: - pattern: | $VAR = request.$W.get($X, $EMPTY) ... $MODEL.set_password($VAR) ... $MODEL.save(...) - pattern: | def $F(..., $VAR=$EMPTY, ...): ... $MODEL.set_password($VAR) - metavariable-pattern: metavariable: $EMPTY pattern: '""' - focus-metavariable: $EMPTY fix: | None - id: python.fastapi.security.wildcard-cors.wildcard-cors languages: - python message: CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided. mode: taint pattern-sources: - pattern: '[..., "*", ...]' pattern-sinks: - patterns: - pattern: | $APP.add_middleware( CORSMiddleware, allow_origins=$ORIGIN, ...); - focus-metavariable: $ORIGIN severity: WARNING metadata: cwe: - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration category: security technology: - python - fastapi references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - https://cwe.mitre.org/data/definitions/942.html likelihood: HIGH impact: LOW confidence: MEDIUM vulnerability_class: - Configuration subcategory: - vuln license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors shortlink: https://sg.run/KxApY semgrep.dev: rule: r_id: 112311 rv_id: 1263413 rule_id: lBU4JQ3 version_id: A8Tgd1R url: https://semgrep.dev/playground/r/A8Tgd1R/python.fastapi.security.wildcard-cors.wildcard-cors origin: community - id: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host message: Running flask app with host 0.0.0.0 could expose the server publicly. metadata: cwe: - 'CWE-668: Exposure of Resource to Wrong Sphere' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - flask references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host shortlink: https://sg.run/eLby semgrep.dev: rule: r_id: 9532 rv_id: 1263414 rule_id: L1Uy1n version_id: BjTkZOY url: https://semgrep.dev/playground/r/BjTkZOY/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host origin: community languages: - python severity: WARNING pattern-either: - pattern: app.run(..., host="0.0.0.0", ...) - pattern: app.run(..., "0.0.0.0", ...) - id: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly patterns: - pattern-not-inside: | if __name__ == '__main__': ... - pattern-not-inside: | def $X(...): ... - pattern: app.run(...) message: top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function metadata: cwe: - 'CWE-668: Exposure of Resource to Wrong Sphere' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - flask references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly shortlink: https://sg.run/vz5b semgrep.dev: rule: r_id: 9533 rv_id: 1263415 rule_id: 8GUjdX version_id: DkTRb4z url: https://semgrep.dev/playground/r/DkTRb4z/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly origin: community languages: - python severity: WARNING - id: python.flask.security.audit.directly-returned-format-string.directly-returned-format-string message: Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string. Consider using the template engine instead and rendering pages with 'render_template()'. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - flask references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string shortlink: https://sg.run/Zv6o semgrep.dev: rule: r_id: 9535 rv_id: 1263416 rule_id: QrUz49 version_id: WrTqKAz url: https://semgrep.dev/playground/r/WrTqKAz/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string origin: community languages: - python severity: WARNING mode: taint pattern-sources: - pattern-either: - patterns: - pattern-inside: | @$APP.route(...) def $FUNC(..., $PARAM, ...): ... - pattern: $PARAM - pattern: | request.$FUNC.get(...) - pattern: | request.$FUNC(...) - pattern: request.$FUNC[...] pattern-sinks: - patterns: - pattern-not-inside: return "..." - pattern-either: - pattern: return "...".format(...) - pattern: return "..." % ... - pattern: return "..." + ... - pattern: return ... + "..." - pattern: return f"...{...}..." - patterns: - pattern: return $X - pattern-either: - pattern-inside: | $X = "...".format(...) ... - pattern-inside: | $X = "..." % ... ... - pattern-inside: | $X = "..." + ... ... - pattern-inside: | $X = ... + "..." ... - pattern-inside: | $X = f"...{...}..." ... - pattern-not-inside: | $X = "..." ... - id: python.flask.security.audit.flask-cors-misconfiguration.flask-cors-misconfiguration message: Setting 'support_credentials=True' together with 'origin="*"' is a CORS misconfiguration that can allow third party origins to read sensitive data. Using this configuration, flask_cors will dynamically reflects the Origin of each request in the Access-Control-Allow-Origin header, allowing all origins and allowing cookies and credentials to be sent along with request. It is recommended to specify allowed origins instead of using "*" when setting 'support_credentials=True'. languages: - python severity: WARNING patterns: - pattern-either: - pattern: | @cross_origin(..., origins="*", supports_credentials=True, ...) - pattern: | CORS(..., supports_credentials=True, origins="*", ...) - pattern: | CORS(..., resources={"...": {...,"origins": "*", "supports_credentials": True,...}}) metadata: category: security subcategory: - audit cwe: - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures confidence: LOW likelihood: LOW impact: HIGH technology: - flask references: - https://pypi.org/project/Flask-Cors/ - https://flask-cors.readthedocs.io/en/latest/index.html license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.audit.flask-cors-misconfiguration.flask-cors-misconfiguration shortlink: https://sg.run/AbAgp semgrep.dev: rule: r_id: 148294 rv_id: 1263417 rule_id: NbU37pz version_id: 0bTKzYL url: https://semgrep.dev/playground/r/0bTKzYL/python.flask.security.audit.flask-cors-misconfiguration.flask-cors-misconfiguration origin: community - id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING message: Hardcoded variable `TESTING` detected. Use environment variables or config files instead severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-489: Active Debug Code' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://bento.dev/checks/flask/avoid-hardcoded-config/ - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features subcategory: - audit technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING shortlink: https://sg.run/ndZ2 semgrep.dev: rule: r_id: 9536 rv_id: 1263419 rule_id: 3qUPoy version_id: qkTR7P1 url: https://semgrep.dev/playground/r/qkTR7P1/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING origin: community languages: - python pattern-either: - pattern: $M.config['TESTING'] = True - pattern: $M.config['TESTING'] = False - pattern: $M.update(TESTING=True, ...) - pattern: $M.update(TESTING=False, ...) - id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY message: Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead severity: ERROR metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-489: Active Debug Code' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://bento.dev/checks/flask/avoid-hardcoded-config/ - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features subcategory: - audit technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY shortlink: https://sg.run/Ekde semgrep.dev: rule: r_id: 9537 rv_id: 1263420 rule_id: 4bUkX0 version_id: l4TJRA9 url: https://semgrep.dev/playground/r/l4TJRA9/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY origin: community languages: - python pattern-either: - pattern: $M.update(SECRET_KEY="=~/.*/") - pattern: $M.config['SECRET_KEY'] = "=~/.*/" - id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV message: Hardcoded variable `ENV` detected. Set this by using FLASK_ENV environment variable severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-489: Active Debug Code' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://bento.dev/checks/flask/avoid-hardcoded-config/ - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features subcategory: - audit technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV shortlink: https://sg.run/7oXW semgrep.dev: rule: r_id: 9538 rv_id: 1263421 rule_id: PeUZpr version_id: YDTZeKr url: https://semgrep.dev/playground/r/YDTZeKr/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV origin: community languages: - python pattern-either: - pattern: $M.update(ENV="=~/^development|production$/") - pattern: $M.config['ENV'] = "=~/^development|production$/" - id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG message: Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-489: Active Debug Code' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://bento.dev/checks/flask/avoid-hardcoded-config/ - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values - https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features subcategory: - audit technology: - flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Active Debug Code source: https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG shortlink: https://sg.run/LwPo semgrep.dev: rule: r_id: 9539 rv_id: 1263422 rule_id: JDUyJR version_id: 6xT29w6 url: https://semgrep.dev/playground/r/6xT29w6/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG origin: community languages: - python pattern-either: - pattern: $M.update(DEBUG=True) - pattern: $M.update(DEBUG=False) - pattern: $M.config['DEBUG'] = True - pattern: $M.config['DEBUG'] = False - id: python.flask.security.audit.render-template-string.render-template-string pattern: flask.render_template_string(...) metadata: cwe: - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html category: security technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string shortlink: https://sg.run/8yjE semgrep.dev: rule: r_id: 9540 rv_id: 1263423 rule_id: 5rUOv1 version_id: o5TbDp4 url: https://semgrep.dev/playground/r/o5TbDp4/python.flask.security.audit.render-template-string.render-template-string origin: community message: Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks. languages: - python severity: WARNING - id: python.flask.security.audit.secure-set-cookie.secure-set-cookie patterns: - pattern-either: - pattern-inside: | $RESP = flask.make_response(...) ... - pattern-inside: | $RESP = flask.Response(...) ... - pattern-not: $RESP.set_cookie(..., secure=$A, httponly=$B, samesite=$C, ...) - pattern-not: $RESP.set_cookie(..., **$A) - pattern: $RESP.set_cookie(...) message: Found a Flask cookie with insecurely configured properties. By default the secure, httponly and samesite ar configured insecurely. cookies should be handled securely by setting `secure=True`, `httponly=True`, and `samesite='Lax'` in response.set_cookie(...). If these parameters are not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker. Include the `secure=True`, `httponly=True`, `samesite='Lax'` arguments or set these to be true in the Flask configuration. metadata: cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://flask.palletsprojects.com/en/3.0.x/api/#flask.Response.set_cookie - https://flask.palletsprojects.com/en/3.0.x/security/#set-cookie-options category: security technology: - python - flask subcategory: - audit likelihood: LOW impact: LOW confidence: LOW functional-categories: - web::search::cookie-config::flask license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/python.flask.security.audit.secure-set-cookie.secure-set-cookie shortlink: https://sg.run/gLkZ semgrep.dev: rule: r_id: 9541 rv_id: 1263424 rule_id: GdU7GR version_id: zyTb20n url: https://semgrep.dev/playground/r/zyTb20n/python.flask.security.audit.secure-set-cookie.secure-set-cookie origin: community languages: - python severity: WARNING - id: python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled message: Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection. options: symbolic_propagation: true metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://flask-wtf.readthedocs.io/en/1.2.x/csrf/ category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW functional-categories: - web::search::csrf-config::flask - web::search::csrf-config::flask-wtf license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled shortlink: https://sg.run/Q5AQ semgrep.dev: rule: r_id: 9542 rv_id: 1263425 rule_id: ReUgXz version_id: pZT034X url: https://semgrep.dev/playground/r/pZT034X/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled origin: community severity: WARNING languages: - python patterns: - pattern-either: - patterns: - pattern-either: - pattern: $APP.config["WTF_CSRF_ENABLED"] = $FALSE - pattern: $APP.config.WTF_CSRF_ENABLED = $FALSE - patterns: - pattern: | $APP.config.$UPDATE( ..., WTF_CSRF_ENABLED = $FALSE, ... ) - pattern-not-inside: | $APP.config.$UPDATE( ..., TESTING=True, ... ) - pattern-not-inside: | $APP.config.$UPDATE( ..., DEBUG=True, ... ) - metavariable-regex: metavariable: $UPDATE regex: ^(update|from_mapping)$ - pattern: | $OBJ = $CLASS() ... $OBJ.WTF_CSRF_ENABLED = $FALSE ... $APP.config.from_object($OBJ, ...) - pattern: | WTF_CSRF_ENABLED = $FALSE ... $APP.config.from_object(__name__) - metavariable-regex: metavariable: $FALSE regex: ^(False)$ - focus-metavariable: $FALSE fix: 'True' - id: python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content patterns: - pattern: flask.make_response(...) - pattern-not-inside: flask.make_response() - pattern-not-inside: flask.make_response("...", ...) - pattern-not-inside: 'flask.make_response({"...": "..."}, ...)' - pattern-not-inside: flask.make_response(flask.redirect(...), ...) - pattern-not-inside: flask.make_response(flask.render_template(...), ...) - pattern-not-inside: flask.make_response(flask.jsonify(...), ...) - pattern-not-inside: flask.make_response(json.dumps(...), ...) - pattern-not-inside: | $X = flask.render_template(...) ... flask.make_response($X, ...) - pattern-not-inside: | $X = flask.jsonify(...) ... flask.make_response($X, ...) - pattern-not-inside: | $X = json.dumps(...) ... flask.make_response($X, ...) message: Be careful with `flask.make_response()`. If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. `flask.make_response()` will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use `flask.render_template()` which will take care of escaping. If you are returning data from an API, consider using `flask.jsonify()`. severity: WARNING metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://github.com/python-security/pyt//blob/093a077bcf12d1f58ddeb2d73ddc096623985fb0/examples/vulnerable_code/XSS_assign_to_other_var.py#L11 - https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response - https://flask.palletsprojects.com/en/1.1.x/api/#response-objects category: security technology: - flask owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content shortlink: https://sg.run/3x3p semgrep.dev: rule: r_id: 9543 rv_id: 1263426 rule_id: AbUz6A version_id: 2KTv2od url: https://semgrep.dev/playground/r/2KTv2od/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content origin: community languages: - python - id: python.flask.security.dangerous-template-string.dangerous-template-string message: Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks. metadata: cwe: - 'CWE-96: Improper Neutralization of Directives in Statically Saved Code (''Static Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html - https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti category: security technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string shortlink: https://sg.run/b79E semgrep.dev: rule: r_id: 9526 rv_id: 1263427 rule_id: v8UnZJ version_id: X0Tzy0L url: https://semgrep.dev/playground/r/X0Tzy0L/python.flask.security.dangerous-template-string.dangerous-template-string origin: community languages: - python severity: ERROR pattern-either: - pattern: | $V = "...".format(...) ... flask.render_template_string($V, ...) - pattern: | $V = "...".format(...) ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = "..." % $S ... flask.render_template_string($V, ...) - pattern: | $V = "..." % $S ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = "..." ... $V += $O ... flask.render_template_string($V, ...) - pattern: | $V = "..." ... $V += $O ... return flask.render_template_string($V, ...), $MORE - pattern: | $V = f"...{$X}..." ... flask.render_template_string($V, ...) - pattern: | $V = f"...{$X}..." ... return flask.render_template_string($V, ...), $CODE - id: python.flask.security.injection.csv-writer-injection.csv-writer-injection languages: - python message: Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs. metadata: category: security confidence: MEDIUM cwe: - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/raphaelm/defusedcsv - https://owasp.org/www-community/attacks/CSV_Injection - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities technology: - python - flask subcategory: - vuln impact: MEDIUM likelihood: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.injection.csv-writer-injection.csv-writer-injection shortlink: https://sg.run/JzqQ semgrep.dev: rule: r_id: 31146 rv_id: 1263428 rule_id: L1UR2K version_id: jQTn50Y url: https://semgrep.dev/playground/r/jQTn50Y/python.flask.security.injection.csv-writer-injection.csv-writer-injection origin: community mode: taint pattern-sinks: - patterns: - pattern-inside: | $WRITER = csv.writer(...) ... $WRITER.$WRITE(...) - pattern: $WRITER.$WRITE(...) - metavariable-regex: metavariable: $WRITE regex: ^(writerow|writerows|writeheader)$ pattern-sources: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: flask.request.form.get(...) - pattern: flask.request.form[...] - pattern: flask.request.args.get(...) - pattern: flask.request.args[...] - pattern: flask.request.values.get(...) - pattern: flask.request.values[...] - pattern: flask.request.cookies.get(...) - pattern: flask.request.cookies[...] - pattern: flask.request.stream - pattern: flask.request.headers.get(...) - pattern: flask.request.headers[...] - pattern: flask.request.data - pattern: flask.request.full_path - pattern: flask.request.url - pattern: flask.request.json - pattern: flask.request.get_json() - pattern: flask.request.view_args.get(...) - pattern: flask.request.view_args[...] - patterns: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... - focus-metavariable: $ROUTEVAR severity: ERROR - id: python.flask.security.injection.os-system-injection.os-system-injection languages: - python severity: ERROR message: User data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/Command_Injection category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.flask.security.injection.os-system-injection.os-system-injection shortlink: https://sg.run/4xzz semgrep.dev: rule: r_id: 9544 rv_id: 1263429 rule_id: BYUN99 version_id: 1QTypw7 url: https://semgrep.dev/playground/r/1QTypw7/python.flask.security.injection.os-system-injection.os-system-injection origin: community pattern-either: - patterns: - pattern: os.system(...) - pattern-either: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... os.system(..., <... $ROUTEVAR ...>, ...) - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... $INTERM = <... $ROUTEVAR ...> ... os.system(..., <... $INTERM ...>, ...) - pattern: os.system(..., <... flask.request.$W.get(...) ...>, ...) - pattern: os.system(..., <... flask.request.$W[...] ...>, ...) - pattern: os.system(..., <... flask.request.$W(...) ...>, ...) - pattern: os.system(..., <... flask.request.$W ...>, ...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... os.system(<... $INTERM ...>) - pattern: os.system(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... os.system(<... $INTERM ...>) - pattern: os.system(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... os.system(<... $INTERM ...>) - pattern: os.system(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... os.system(<... $INTERM ...>) - pattern: os.system(...) - id: python.flask.security.injection.path-traversal-open.path-traversal-open languages: - python severity: ERROR message: Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Path_Traversal category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open shortlink: https://sg.run/PJRW semgrep.dev: rule: r_id: 9545 rv_id: 1263430 rule_id: DbUpOQ version_id: 9lT4b94 url: https://semgrep.dev/playground/r/9lT4b94/python.flask.security.injection.path-traversal-open.path-traversal-open origin: community pattern-either: - patterns: - pattern: open(...) - pattern-either: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... open(..., <... $ROUTEVAR ...>, ...) - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... with open(..., <... $ROUTEVAR ...>, ...) as $FD: ... - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... $INTERM = <... $ROUTEVAR ...> ... open(..., <... $INTERM ...>, ...) - pattern: open(..., <... flask.request.$W.get(...) ...>, ...) - pattern: open(..., <... flask.request.$W[...] ...>, ...) - pattern: open(..., <... flask.request.$W(...) ...>, ...) - pattern: open(..., <... flask.request.$W ...>, ...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... open(<... $INTERM ...>, ...) - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... open(<... $INTERM ...>, ...) - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... open(<... $INTERM ...>, ...) - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... open(<... $INTERM ...>, ...) - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... with open(<... $INTERM ...>, ...) as $F: ... - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... with open(<... $INTERM ...>, ...) as $F: ... - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... with open(<... $INTERM ...>, ...) as $F: ... - pattern: open(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... with open(<... $INTERM ...>, ...) as $F: ... - pattern: open(...) - id: ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-python.gemini-missing-system-instruction-python languages: - python severity: WARNING message: Gemini GenerativeModel created without 'system_instruction' parameter. A system instruction helps establish behavioral guidelines and safety boundaries for the model. See https://ai.google.dev/gemini-api/docs/safety-guidance metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - gemini references: - https://ai.google.dev/gemini-api/docs/safety-guidance license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-python.gemini-missing-system-instruction-python shortlink: https://sg.run/X2PNB semgrep.dev: rule: r_id: 288820 rv_id: 1413378 rule_id: pKU6ezO version_id: 3ZT2zlL url: https://semgrep.dev/playground/r/3ZT2zlL/ai.ai-best-practices.gemini-missing-system-instruction.gemini-missing-system-instruction-python.gemini-missing-system-instruction-python origin: community patterns: - pattern: genai.GenerativeModel(...) - pattern-not: genai.GenerativeModel(..., system_instruction=$SI, ...) - id: python.flask.security.injection.ssrf-requests.ssrf-requests languages: - python severity: ERROR message: Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests shortlink: https://sg.run/J9LW semgrep.dev: rule: r_id: 9546 rv_id: 1263432 rule_id: WAUoRx version_id: rxTAKJn url: https://semgrep.dev/playground/r/rxTAKJn/python.flask.security.injection.ssrf-requests.ssrf-requests origin: community pattern-either: - patterns: - pattern: requests.$FUNC(...) - pattern-either: - pattern-inside: | @$APP.$ROUTE_METHOD($ROUTE, ...) def $ROUTE_FUNC(..., $ROUTEVAR, ...): ... requests.$FUNC(..., <... $ROUTEVAR ...>, ...) - pattern-inside: | @$APP.$ROUTE_METHOD($ROUTE, ...) def $ROUTE_FUNC(..., $ROUTEVAR, ...): ... $INTERM = <... $ROUTEVAR ...> ... requests.$FUNC(..., <... $INTERM ...>, ...) - metavariable-regex: metavariable: $ROUTE_METHOD regex: ^(route|get|post|put|delete|patch)$ - pattern: requests.$FUNC(..., <... flask.request.$W.get(...) ...>, ...) - pattern: requests.$FUNC(..., <... flask.request.$W[...] ...>, ...) - pattern: requests.$FUNC(..., <... flask.request.$W(...) ...>, ...) - pattern: requests.$FUNC(..., <... flask.request.$W ...>, ...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... requests.$FUNC(<... $INTERM ...>, ...) - pattern: requests.$FUNC(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... requests.$FUNC(<... $INTERM ...>, ...) - pattern: requests.$FUNC(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... requests.$FUNC(<... $INTERM ...>, ...) - pattern: requests.$FUNC(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... requests.$FUNC(<... $INTERM ...>, ...) - pattern: requests.$FUNC(...) - id: python.flask.security.injection.subprocess-injection.subprocess-injection languages: - python mode: taint options: symbolic_propagation: true pattern-sources: - pattern-either: - patterns: - pattern-either: - pattern: flask.request.form.get(...) - pattern: flask.request.form[...] - pattern: flask.request.args.get(...) - pattern: flask.request.args[...] - pattern: flask.request.values.get(...) - pattern: flask.request.values[...] - pattern: flask.request.cookies.get(...) - pattern: flask.request.cookies[...] - pattern: flask.request.stream - pattern: flask.request.headers.get(...) - pattern: flask.request.headers[...] - pattern: flask.request.data - pattern: flask.request.full_path - pattern: flask.request.url - pattern: flask.request.json - pattern: flask.request.get_json() - pattern: flask.request.view_args.get(...) - pattern: flask.request.view_args[...] - patterns: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... - focus-metavariable: $ROUTEVAR pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: subprocess.$FUNC(...) - pattern-not: subprocess.$FUNC("...", ...) - pattern-not: subprocess.$FUNC(["...", ...], ...) - pattern-not-inside: | $CMD = ["...", ...] ... subprocess.$FUNC($CMD, ...) - patterns: - pattern: subprocess.$FUNC(["$SHELL", "-c", ...], ...) - metavariable-regex: metavariable: $SHELL regex: ^(sh|bash|ksh|csh|tcsh|zsh)$ - patterns: - pattern: subprocess.$FUNC(["$INTERPRETER", ...], ...) - metavariable-regex: metavariable: $INTERPRETER regex: ^(python|python\d)$ pattern-sanitizers: - patterns: - pattern: $DICT[$KEY] - focus-metavariable: $KEY severity: ERROR message: Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands. metadata: category: security technology: - flask owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' references: - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection shortlink: https://sg.run/5gW3 semgrep.dev: rule: r_id: 31147 rv_id: 1263433 rule_id: 8GU3qp version_id: bZT53gQ url: https://semgrep.dev/playground/r/bZT53gQ/python.flask.security.injection.subprocess-injection.subprocess-injection origin: community - id: python.flask.security.injection.user-eval.eval-injection languages: - python severity: ERROR message: Detected user data flowing into eval. This is code injection and should be avoided. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html category: security technology: - flask subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.flask.security.injection.user-eval.eval-injection shortlink: https://sg.run/5QpX semgrep.dev: rule: r_id: 9547 rv_id: 1263436 rule_id: 0oU54W version_id: w8TRoB0 url: https://semgrep.dev/playground/r/w8TRoB0/python.flask.security.injection.user-eval.eval-injection origin: community pattern-either: - patterns: - pattern: eval(...) - pattern-either: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... eval(..., <... $ROUTEVAR ...>, ...) - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... $INTERM = <... $ROUTEVAR ...> ... eval(..., <... $INTERM ...>, ...) - pattern: eval(..., <... flask.request.$W.get(...) ...>, ...) - pattern: eval(..., <... flask.request.$W[...] ...>, ...) - pattern: eval(..., <... flask.request.$W(...) ...>, ...) - pattern: eval(..., <... flask.request.$W ...>, ...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... eval(..., <... $INTERM ...>, ...) - pattern: eval(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... eval(..., <... $INTERM ...>, ...) - pattern: eval(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... eval(..., <... $INTERM ...>, ...) - pattern: eval(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... eval(..., <... $INTERM ...>, ...) - pattern: eval(...) - id: python.flask.security.injection.user-exec.exec-injection languages: - python severity: ERROR message: Detected user data flowing into exec. This is code injection and should be avoided. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html category: security technology: - flask subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection shortlink: https://sg.run/Ge42 semgrep.dev: rule: r_id: 9548 rv_id: 1263437 rule_id: KxUbl2 version_id: xyTjzD9 url: https://semgrep.dev/playground/r/xyTjzD9/python.flask.security.injection.user-exec.exec-injection origin: community pattern-either: - patterns: - pattern: exec(...) - pattern-either: - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... exec(..., <... $ROUTEVAR ...>, ...) - pattern-inside: | @$APP.route($ROUTE, ...) def $FUNC(..., $ROUTEVAR, ...): ... $INTERM = <... $ROUTEVAR ...> ... exec(..., <... $INTERM ...>, ...) - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...) - pattern: exec(..., <... flask.request.$W[...] ...>, ...) - pattern: exec(..., <... flask.request.$W(...) ...>, ...) - pattern: exec(..., <... flask.request.$W ...>, ...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W.get(...) ...> ... exec(..., <... $INTERM ...>, ...) - pattern: exec(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W[...] ...> ... exec(..., <... $INTERM ...>, ...) - pattern: exec(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W(...) ...> ... exec(..., <... $INTERM ...>, ...) - pattern: exec(...) - patterns: - pattern-inside: | $INTERM = <... flask.request.$W ...> ... exec(..., <... $INTERM ...>, ...) - pattern: exec(...) - id: python.flask.security.insecure-deserialization.insecure-deserialization metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://docs.python.org/3/library/pickle.html category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization shortlink: https://sg.run/N45z semgrep.dev: rule: r_id: 9527 rv_id: 1263438 rule_id: d8UjBO version_id: O9Tpx2r url: https://semgrep.dev/playground/r/O9Tpx2r/python.flask.security.insecure-deserialization.insecure-deserialization origin: community message: Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON. languages: - python severity: ERROR patterns: - pattern-inside: | @app.route(...) def $X(...): ... - pattern-not: $MODULE.$FUNC("...") - pattern-not: $MODULE.$FUNC(open("...", ...)) - pattern-either: - pattern: pickle.$FUNC(...) - pattern: _pickle.$FUNC(...) - pattern: cPickle.$FUNC(...) - pattern: dill.$FUNC(...) - pattern: shelve.$FUNC(...) - pattern: yaml.load(...) - id: python.flask.security.open-redirect.open-redirect patterns: - pattern-inside: | @$APP.route(...) def $X(...): ... - pattern-not-inside: | @$APP.route(...) def $X(...): ... if <... werkzeug.urls.url_parse($V) ...>: ... - pattern-either: - pattern: flask.redirect(<... flask.request.$W.get(...) ...>, ...) - pattern: flask.redirect(<... flask.request.$W[...] ...>, ...) - pattern: flask.redirect(<... flask.request.$W(...) ...>, ...) - pattern: flask.redirect(<... flask.request.$W ...>, ...) - pattern: | $V = flask.request.$W.get(...) ... flask.redirect(<... $V ...>, ...) - pattern: | $V = flask.request.$W[...] ... flask.redirect(<... $V ...>, ...) - pattern: | $V = flask.request.$W(...) ... flask.redirect(<... $V ...>, ...) - pattern: | $V = flask.request.$W ... flask.redirect(<... $V ...>, ...) - pattern-not: flask.redirect(flask.request.path) - pattern-not: flask.redirect(flask.request.path + ...) - pattern-not: flask.redirect(f"{flask.request.path}...") message: Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information. metadata: cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://flask-login.readthedocs.io/en/latest/#login-example - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1 - https://docs.python.org/3/library/urllib.parse.html#url-parsing category: security technology: - flask subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect shortlink: https://sg.run/kXe2 semgrep.dev: rule: r_id: 9528 rv_id: 1263439 rule_id: ZqU5LR version_id: e1Tyj2Y url: https://semgrep.dev/playground/r/e1Tyj2Y/python.flask.security.open-redirect.open-redirect origin: community languages: - python severity: ERROR - id: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization patterns: - pattern-inside: | @app.route(...) def $X(filename): ... - pattern: flask.send_file(filename, ...) message: Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory` metadata: cwe: - 'CWE-73: External Control of File Name or Path' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design category: security technology: - flask references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization shortlink: https://sg.run/weGP semgrep.dev: rule: r_id: 9529 rv_id: 1263440 rule_id: nJUz6A version_id: vdT06Ab url: https://semgrep.dev/playground/r/vdT06Ab/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization origin: community languages: - python severity: WARNING - id: python.flask.security.unescaped-template-extension.unescaped-template-extension message: Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection source-rule-url: https://pypi.org/project/flake8-flask/ references: - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup - https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/ - https://bento.dev/checks/flask/unescaped-file-extension/ category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension shortlink: https://sg.run/x1Rg semgrep.dev: rule: r_id: 9530 rv_id: 1263441 rule_id: EwU293 version_id: d6Tyx52 url: https://semgrep.dev/playground/r/d6Tyx52/python.flask.security.unescaped-template-extension.unescaped-template-extension origin: community patterns: - pattern-not: flask.render_template("=~/.+\.html$/", ...) - pattern-not: flask.render_template("=~/.+\.xml$/", ...) - pattern-not: flask.render_template("=~/.+\.htm$/", ...) - pattern-not: flask.render_template("=~/.+\.xhtml$/", ...) - pattern-not: flask.render_template($X + "=~/\.html$/", ...) - pattern-not: flask.render_template($X + "=~/\.xml$/", ...) - pattern-not: flask.render_template($X + "=~/\.htm$/", ...) - pattern-not: flask.render_template($X + "=~/\.xhtml$/", ...) - pattern-not: flask.render_template("=~/.+\.html$/" % $X, ...) - pattern-not: flask.render_template("=~/.+\.xml$/" % $X, ...) - pattern-not: flask.render_template("=~/.+\.htm$/" % $X, ...) - pattern-not: flask.render_template("=~/.+\.xhtml$/" % $X, ...) - pattern-not: flask.render_template("=~/.+\.html$/".format(...), ...) - pattern-not: flask.render_template("=~/.+\.xml$/".format(...), ...) - pattern-not: flask.render_template("=~/.+\.htm$/".format(...), ...) - pattern-not: flask.render_template("=~/.+\.xhtml$/".format(...), ...) - pattern-not: flask.render_template($TEMPLATE) - pattern-either: - pattern: flask.render_template("...", ...) - pattern: flask.render_template($X + "...", ...) - pattern: flask.render_template("..." % $Y, ...) - pattern: flask.render_template("...".format(...), ...) languages: - python severity: WARNING - id: python.flask.security.unsanitized-input.response-contains-unsanitized-input message: Flask response reflects unsanitized user input. This could lead to a cross-site scripting vulnerability (https://owasp.org/www-community/attacks/xss/) in which an attacker causes arbitrary code to be executed in the user's browser. To prevent, please sanitize the user input, e.g. by rendering the response in a Jinja2 template (see considerations in https://flask.palletsprojects.com/en/1.0.x/security/). metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.0.x/security/ - https://owasp.org/www-community/attacks/xss/ category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.unsanitized-input.response-contains-unsanitized-input shortlink: https://sg.run/OPGn semgrep.dev: rule: r_id: 9531 rv_id: 1263442 rule_id: 7KUQLl version_id: ZRTKAvv url: https://semgrep.dev/playground/r/ZRTKAvv/python.flask.security.unsanitized-input.response-contains-unsanitized-input origin: community languages: - python severity: WARNING pattern-either: - pattern: | $X = flask.request.args.get(...) ... flask.make_response("...".format($X)) - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"...{$X}...") - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"...{$X}") - pattern: | $X = flask.request.args.get(...) ... flask.make_response(f"{$X}...") - id: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 message: Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://jinja.palletsprojects.com/en/2.11.x/api/#basics category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 shortlink: https://sg.run/RoKe semgrep.dev: rule: r_id: 9549 rv_id: 1263443 rule_id: qNUjN2 version_id: nWT2L1b url: https://semgrep.dev/playground/r/nWT2L1b/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 origin: community languages: - python severity: WARNING pattern-either: - pattern: jinja2.Environment(...) - pattern: jinja2.Template.render(...) - patterns: - pattern-inside: | $TEMPLATE = $ENV.get_template(...) ... - pattern: $TEMPLATE.render(...) - patterns: - pattern-inside: | $TEMPLATE = jinja2.Template(...) ... - pattern: $TEMPLATE.render(...) - id: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup message: Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://tedboy.github.io/flask/generated/generated/flask.Markup.html category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup shortlink: https://sg.run/AvZ8 semgrep.dev: rule: r_id: 9550 rv_id: 1263444 rule_id: lBU95l version_id: ExTEx3l url: https://semgrep.dev/playground/r/ExTEx3l/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup origin: community languages: - python severity: WARNING pattern-either: - pattern: flask.Markup.unescape(...) - pattern: $MARKUPOBJ.unescape() - patterns: - pattern-either: - pattern: flask.Markup($Q) - pattern: markupsafe.Markup($Q) - metavariable-pattern: metavariable: $Q patterns: - pattern-not: '"..."' - id: python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off message: Detected a segment of a Flask template where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off shortlink: https://sg.run/Bkn2 semgrep.dev: rule: r_id: 9551 rv_id: 1263445 rule_id: YGURo6 version_id: 7ZTE3jd url: https://semgrep.dev/playground/r/7ZTE3jd/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off origin: community languages: - regex paths: include: - '*.html' severity: WARNING pattern-regex: '{%\s*autoescape\s+false\s*%}' - id: javascript.browser.security.insecure-document-method.insecure-document-method message: User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - browser cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method shortlink: https://sg.run/LwA9 semgrep.dev: rule: r_id: 9239 rv_id: 1263118 rule_id: ReUg41 version_id: YDTZeOY url: https://semgrep.dev/playground/r/YDTZeOY/javascript.browser.security.insecure-document-method.insecure-document-method origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern-either: - pattern: | $EL.innerHTML = $HTML; - pattern: | $EL.outerHTML = $HTML; - pattern: document.write(...) - pattern-not: | $EL.innerHTML = "..."; - pattern-not: | $EL.outerHTML = "..."; - pattern-not: document.write("...") - id: javascript.browser.security.insecure-innerhtml.insecure-innerhtml message: User controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - browser cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.browser.security.insecure-innerhtml.insecure-innerhtml shortlink: https://sg.run/8y0q semgrep.dev: rule: r_id: 9240 rv_id: 1263119 rule_id: AbUz7j version_id: 6xT29zx url: https://semgrep.dev/playground/r/6xT29zx/javascript.browser.security.insecure-innerhtml.insecure-innerhtml origin: community languages: - javascript - typescript severity: ERROR patterns: - pattern: | $EL.innerHTML = $HTML; - pattern-not: | $EL.innerHTML = "..."; - id: javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation message: No validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS). metadata: owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-345: Insufficient Verification of Data Authenticity' category: security technology: - browser subcategory: - audit likelihood: LOW impact: LOW confidence: LOW references: - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation shortlink: https://sg.run/gL9x semgrep.dev: rule: r_id: 9241 rv_id: 1263120 rule_id: BYUN0X version_id: o5TbDRl url: https://semgrep.dev/playground/r/o5TbDRl/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation origin: community languages: - javascript - typescript severity: WARNING pattern-either: - patterns: - pattern: | window.addEventListener('message', $FUNC, ...) - metavariable-pattern: patterns: - pattern: | function($OBJ) { ... } - pattern-not: | function($OBJ) { ... if (<... $OBJ.origin ...>) { ... } ... } metavariable: $FUNC - patterns: - pattern-either: - pattern-inside: | function $FNAME($OBJ) { $CONTEXT } ... - pattern-inside: | $FNAME = (...) => { $CONTEXT } ... - pattern: | window.addEventListener('message', $FNAME,...) - metavariable-pattern: patterns: - pattern-not: | ... if (<... $OBJ.origin ...>) { ... } ... metavariable: $CONTEXT - id: javascript.browser.security.open-redirect-from-function.js-open-redirect-from-function message: The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection. metadata: confidence: LOW cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation version: '4' category: security references: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html technology: - browser subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/javascript.browser.security.open-redirect-from-function.js-open-redirect-from-function shortlink: https://sg.run/P39e semgrep.dev: rule: r_id: 25301 rv_id: 1263121 rule_id: DbUY96 version_id: zyTb2QD url: https://semgrep.dev/playground/r/zyTb2QD/javascript.browser.security.open-redirect-from-function.js-open-redirect-from-function origin: community languages: - javascript - typescript severity: INFO mode: taint pattern-sources: - patterns: - pattern-inside: | function ... (..., $PROP, ...) { ... } - focus-metavariable: $PROP pattern-sinks: - patterns: - pattern-either: - pattern: location.href = $SINK - pattern: window.location.href = $SINK - pattern: this.window.location.href = $SINK - pattern: this.location.href = $SINK - pattern: location.replace($SINK) - pattern: window.location.replace($SINK) - pattern: this.window.location.replace($SINK) - pattern: this.location.replace($SINK) - focus-metavariable: $SINK - metavariable-pattern: patterns: - pattern-not: | "..." + $VALUE - pattern-not: | `...${$VALUE}` metavariable: $SINK - id: javascript.browser.security.raw-html-concat.raw-html-concat message: User controlled data in a HTML string may result in XSS metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/www-community/attacks/xss/ category: security technology: - browser cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat shortlink: https://sg.run/4xAx semgrep.dev: rule: r_id: 9244 rv_id: 1263123 rule_id: 0oU5b5 version_id: 2KTv2wp url: https://semgrep.dev/playground/r/2KTv2wp/javascript.browser.security.raw-html-concat.raw-html-concat origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern: location.href - pattern: location.hash - pattern: location.search - pattern: $WINDOW. ... .location.href - pattern: $WINDOW. ... .location.hash - pattern: $WINDOW. ... .location.search pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: $STRING + $EXPR - pattern-not: $STRING + "..." - metavariable-pattern: patterns: - pattern: <$TAG ... - pattern-not: <$TAG ...>...... metavariable: $STRING language: generic - patterns: - pattern: $EXPR + $STRING - pattern-not: '"..." + $STRING' - metavariable-pattern: patterns: - pattern: '... \*\|\{\}\[\]\%\$]{1}|\\n|\\r|\\t|\\&)[\"\']$ - id: javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment message: 'Possibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.' metadata: cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures category: security references: - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf technology: - javascript subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment shortlink: https://sg.run/N8AA semgrep.dev: rule: r_id: 13371 rv_id: 1263202 rule_id: 8GUxpp version_id: 0bTKzQJ url: https://semgrep.dev/playground/r/0bTKzQJ/javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern: | $X[$B] = ... - pattern-not: | $X[$B] = '...' - pattern-inside: | $X = $SMTH[$A] ... - pattern-not-inside: | if (<...'constructor' ...>) { ... } ... - pattern-not-inside: | if (<...'__proto__' ...>) { ... } ... - pattern-not-inside: | for(var $B = $S; ...; ...) {...} - pattern-not-inside: | for($B = $S; ...; ...) {...} - pattern-not-inside: | $X.forEach(function $NAME($OBJ, $B,...) {...}) - metavariable-pattern: patterns: - pattern-not: '"..."' - pattern-not: | `...${...}...` - pattern-not: | ($A: float) metavariable: $A - metavariable-pattern: patterns: - pattern-not: '"..."' - pattern-not: | `...${...}...` - pattern-not: | ($B: float) metavariable: $B - id: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop message: 'Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.' metadata: cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' category: security references: - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf technology: - typescript owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop shortlink: https://sg.run/w1DB semgrep.dev: rule: r_id: 13373 rv_id: 1263203 rule_id: QrUpbJ version_id: K3TKkP7 url: https://semgrep.dev/playground/r/K3TKkP7/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop origin: community languages: - typescript - javascript severity: WARNING patterns: - pattern-either: - pattern: | $SMTH = $SMTH[$A] - pattern: | $SMTH = $SMTH[$A] = ... - pattern: | $SMTH = $SMTH[$A] && $Z - pattern: | $SMTH = $SMTH[$A] || $Z - pattern-either: - pattern-inside: | for(...) { ... } - pattern-inside: | while(...) { ... } - pattern-inside: | $X.forEach(function $NAME(...) { ... }) - pattern-not-inside: | for(var $A = $S; ...; ...) {...} - pattern-not-inside: | for($A = $S; ...; ...) {...} - pattern-not-inside: | $X.forEach(function $NAME($OBJ, $A,...) {...}) - metavariable-pattern: patterns: - pattern-not: '"..."' - pattern-not: | `...${...}...` - pattern-not: | ($A: float) metavariable: $A - id: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli message: Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. metadata: references: - https://www.npmjs.com/package/mysql2 - https://www.npmjs.com/package/mysql - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html category: security owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' confidence: LOW technology: - mysql - mysql2 - javascript - nodejs cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli shortlink: https://sg.run/Y0oy semgrep.dev: rule: r_id: 18258 rv_id: 1263207 rule_id: ZqUlWE version_id: JdTzx2D url: https://semgrep.dev/playground/r/JdTzx2D/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: function ... (..., $Y,...) {...} - pattern: $Y - pattern-not-inside: | function ... (..., $Y: number,...) {...} - pattern-not-inside: $Y.query - pattern-not-inside: $Y.body - pattern-not-inside: $Y.params - pattern-not-inside: $Y.cookies - pattern-not-inside: $Y.headers pattern-sinks: - patterns: - focus-metavariable: $QUERY - pattern-either: - pattern-inside: $POOL.query($QUERY, ...) - pattern-inside: $POOL.execute($QUERY, ...) - pattern-either: - pattern-inside: | import $S from "$IMPORT" ... - pattern-inside: | import { ... } from "$IMPORT" ... - pattern-inside: | import * as $S from "$IMPORT" ... - pattern-inside: | require("$IMPORT") ... - metavariable-regex: metavariable: $IMPORT regex: (mysql|mysql2) pattern-sanitizers: - patterns: - pattern: parseInt(...) - id: javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli message: 'Detected string concatenation with a non-literal variable in a node-postgres JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `client.query(''SELECT $1 from table'', [userinput])`' metadata: owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' references: - https://node-postgres.com/features/queries category: security technology: - node-postgres subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli shortlink: https://sg.run/0n3v semgrep.dev: rule: r_id: 10710 rv_id: 1263208 rule_id: ReUPN9 version_id: 5PTo1BA url: https://semgrep.dev/playground/r/5PTo1BA/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-inside: | function ... (...,$FUNC,...) { ... } - focus-metavariable: $FUNC - pattern-not-inside: | $F. ... .$SOURCE(...) pattern-sinks: - patterns: - pattern-either: - pattern-inside: | const { $CLIENT } = require('pg') ... - pattern-inside: | var { $CLIENT } = require('pg') ... - pattern-inside: | let { $CLIENT } = require('pg') ... - pattern-either: - pattern-inside: | $DB = new $CLIENT(...) ... - pattern-inside: | $NEWPOOL = new $CLIENT(...) ... $NEWPOOL.connect((..., $DB, ...) => { ... }) - pattern: $DB.query($QUERY,...) - focus-metavariable: $QUERY - id: javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag message: Cannot determine what '$UNK' is and it is used with a ' - pattern-not: <%= j ... > - pattern-not: <%= escape_javascript ... > - pattern: <%= ... > - id: ruby.rails.security.brakeman.check-before-filter.check-before-filter mode: search patterns: - pattern-either: - pattern: | skip_filter ..., :except => $ARGS - pattern: | skip_before_filter ..., :except => $ARGS - pattern: | skip_before_action ..., :except => $ARGS message: 'Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`' languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_skip_before_filter.rb category: security cwe: - 'CWE-284: Improper Access Control' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - ruby - rails references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-before-filter.check-before-filter shortlink: https://sg.run/O4Zn semgrep.dev: rule: r_id: 20531 rv_id: 1263649 rule_id: wdUkBP version_id: 8KT5rDy url: https://semgrep.dev/playground/r/8KT5rDy/ruby.rails.security.brakeman.check-before-filter.check-before-filter origin: community - id: ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes patterns: - pattern-either: - patterns: - pattern: | :$KEY => false - pattern-inside: | ActionController::Base.session = {...} - pattern: | $MODULE::Application.config.session_store :cookie_store, ..., :$KEY => false, ... - pattern: | $CLASS.application.config.session_store :cookie_store, ..., $KEY: false, ... - metavariable-regex: metavariable: $KEY regex: ^(session_)?(http_?only|secure)$ message: Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set. languages: - ruby severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb category: security cwe: - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - ruby - rails references: - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes shortlink: https://sg.run/WDYA semgrep.dev: rule: r_id: 20153 rv_id: 1263650 rule_id: KxUw3v version_id: gETB7KB url: https://semgrep.dev/playground/r/gETB7KB/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes origin: community - id: ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include mode: search paths: include: - '*.erb' patterns: - pattern: | params[...] - pattern-inside: | render :file => ... message: Found request parameters in a call to `render` in a dynamic context. This can allow end users to request arbitrary local files which may result in leaking sensitive information persisted on disk. languages: - generic severity: WARNING metadata: technology: - ruby - rails category: security cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render.rb references: - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion - https://github.com/presidentbeef/brakeman/blob/f74cb53ead47f0af821d98b5b41e16d63100c240/test/apps/rails2/app/views/home/test_render.html.erb cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include shortlink: https://sg.run/3QWl semgrep.dev: rule: r_id: 20043 rv_id: 1263651 rule_id: JDUokO version_id: QkTGq9X url: https://semgrep.dev/playground/r/QkTGq9X/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include origin: community - id: ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion mode: search patterns: - pattern: | if request.get? ... else ... end - pattern-not-inside: | if ... elsif ... ... end message: Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used. languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_verb_confusion.rb category: security cwe: - 'CWE-650: Trusting HTTP Permission Methods on the Server Side' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design technology: - ruby - rails references: - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion shortlink: https://sg.run/eJ6y semgrep.dev: rule: r_id: 20532 rv_id: 1263652 rule_id: x8UdDE version_id: 3ZT4X82 url: https://semgrep.dev/playground/r/3ZT4X82/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion origin: community - id: ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high patterns: - pattern: $P.permit($ATTRIBUTE) - metavariable-regex: metavariable: $ATTRIBUTE regex: .*(admin|account_id).* message: Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment. languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb category: security cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures technology: - ruby - rails references: - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high shortlink: https://sg.run/4k0Z semgrep.dev: rule: r_id: 20044 rv_id: 1263653 rule_id: 5rUNql version_id: 44TEjD5 url: https://semgrep.dev/playground/r/44TEjD5/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high origin: community - id: ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-bash.hooks-path-traversal-bash mode: taint languages: - bash severity: ERROR message: Hook input flows into a file path without validation. Claude Code and Cursor hooks receive JSON input that may contain user-controlled paths. An attacker could craft input with path traversal sequences (e.g., '../../etc/passwd') to read, modify, or delete arbitrary files. Use realpath or readlink -f to resolve and validate paths before file operations. metadata: cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-bash.hooks-path-traversal-bash shortlink: https://sg.run/rZ0ye semgrep.dev: rule: r_id: 288825 rv_id: 1413383 rule_id: 9AUoqZJ version_id: GxTlKjq url: https://semgrep.dev/playground/r/GxTlKjq/ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-bash.hooks-path-traversal-bash origin: community pattern-sources: - pattern: | $VAR=$(... | jq ...) pattern-sinks: - patterns: - pattern-either: - pattern: cat $SINK - pattern: rm $SINK - pattern: cp $SINK ... - pattern: mv $SINK ... - pattern-not-inside: | $X=$(... | jq ...) pattern-sanitizers: - pattern: realpath ... - pattern: readlink -f ... - id: ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium patterns: - pattern: $P.permit($ATTRIBUTE) - metavariable-regex: metavariable: $ATTRIBUTE regex: .*(role|banned).* message: Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment. languages: - ruby severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb category: security cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures technology: - ruby - rails references: - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium shortlink: https://sg.run/PPLE semgrep.dev: rule: r_id: 20045 rv_id: 1263654 rule_id: GdUoq5 version_id: PkTR38b url: https://semgrep.dev/playground/r/PkTR38b/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium origin: community - id: ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml paths: include: - '*secrets.*.yml' - '*secrets.*.yaml' patterns: - pattern: | secret_key_base: $VALUE - metavariable-pattern: metavariable: $VALUE language: generic patterns: - pattern-not: | <%= ... %> - pattern-inside: | production: ... message: $VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control. languages: - yaml severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb category: security cwe: - 'CWE-540: Inclusion of Sensitive Information in Source Code' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - ruby - rails references: - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml shortlink: https://sg.run/0Wvb semgrep.dev: rule: r_id: 20154 rv_id: 1263655 rule_id: qNUpJ5 version_id: JdTzxXe url: https://semgrep.dev/playground/r/JdTzxXe/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml origin: community - id: ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling patterns: - pattern-either: - patterns: - pattern: | :$KEY => "$LITERAL" - pattern-inside: | ActionController::Base.session = {...} - pattern: | $RAILS::Application.config.$KEY = "$LITERAL" - pattern: | Rails.application.config.$KEY = "$LITERAL" - metavariable-regex: metavariable: $KEY regex: ^secret(_(token|key_base))?$ message: Found a string literal assignment to a Rails session secret `$KEY`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control. languages: - ruby severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_session_settings.rb category: security cwe: - 'CWE-540: Inclusion of Sensitive Information in Source Code' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - ruby - rails references: - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4_with_engines/config/initializers/secret_token.rb - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3/config/initializers/secret_token.rb subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling shortlink: https://sg.run/KyJd semgrep.dev: rule: r_id: 20155 rv_id: 1263656 rule_id: lBUX1r version_id: 5PTo1ZY url: https://semgrep.dev/playground/r/5PTo1ZY/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling origin: community - id: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to mode: taint pattern-sources: - patterns: - pattern-either: - pattern: params - pattern: cookies - pattern: request.env - pattern: url_for(params[...],...,:only_path => false,...) pattern-sanitizers: - patterns: - pattern-either: - patterns: - pattern: | $F(...) - metavariable-pattern: metavariable: $F patterns: - pattern-not-regex: (params|url_for|cookies|request.env|permit|redirect_to) - pattern: | params.merge! :only_path => true ... - pattern: | params.slice(...) ... - pattern: | redirect_to [...] - patterns: - pattern: | $MODEL. ... .$M(...) ... - metavariable-regex: metavariable: $MODEL regex: '[A-Z]\w+' - metavariable-regex: metavariable: $M regex: (all|create|find|find_by|find_by_sql|first|last|new|from|group|having|joins|lock|order|reorder|select|where|take) - patterns: - pattern: | params.$UNSAFE_HASH.merge(...,:only_path => true,...) ... - metavariable-regex: metavariable: $UNSAFE_HASH regex: to_unsafe_h(ash)? - patterns: - pattern: params.permit(...,$X,...) - metavariable-pattern: metavariable: $X patterns: - pattern-not-regex: (host|port|(sub)?domain) pattern-sinks: - patterns: - pattern: $X - pattern-inside: | redirect_to $X, ... - pattern-not-regex: params\.\w+(? true` hash value. languages: - ruby severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_redirect.rb category: security cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' technology: - ruby - rails references: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to shortlink: https://sg.run/eJNX semgrep.dev: rule: r_id: 20732 rv_id: 1263657 rule_id: kxUOJ6 version_id: GxTke14 url: https://semgrep.dev/playground/r/GxTke14/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to origin: community - id: ruby.rails.security.brakeman.check-send-file.check-send-file mode: taint pattern-sources: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] pattern-sinks: - patterns: - pattern: | send_file ... message: Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)` languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send_file.rb category: security cwe: - 'CWE-73: External Control of File Name or Path' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design technology: - ruby - rails references: - https://owasp.org/www-community/attacks/Path_Traversal - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file shortlink: https://sg.run/GbY1 semgrep.dev: rule: r_id: 20048 rv_id: 1263660 rule_id: BYUKbl version_id: BjTkZRj url: https://semgrep.dev/playground/r/BjTkZRj/ruby.rails.security.brakeman.check-send-file.check-send-file origin: community - id: ruby.rails.security.brakeman.check-sql.check-sql mode: taint pattern-sources: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] pattern-sanitizers: - patterns: - pattern-either: - patterns: - pattern: $X - pattern-either: - pattern-inside: | :$KEY => $X - pattern-inside: | ["...",$X,...] - pattern: | params[...].to_i - pattern: | params[...].to_f - patterns: - pattern: | params[...] ? $A : $B - metavariable-pattern: metavariable: $A patterns: - pattern-not: | params[...] - metavariable-pattern: metavariable: $B patterns: - pattern-not: | params[...] pattern-sinks: - patterns: - pattern: $X - pattern-not-inside: | $P.where("...",...) - pattern-not-inside: | $P.where(:$KEY => $VAL,...) - pattern-either: - pattern-inside: | $P.$M(...) - pattern-inside: | $P.$M("...",...) - pattern-inside: | class $P < ActiveRecord::Base ... end - metavariable-regex: metavariable: $M regex: (where|find|first|last|select|minimum|maximum|calculate|sum|average) message: Found potential SQL injection due to unsafe SQL query construction via $X. Where possible, prefer parameterized queries. languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_sql.rb category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - ruby - rails references: - https://owasp.org/www-community/attacks/SQL_Injection - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/product.rb cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-sql.check-sql shortlink: https://sg.run/vpgb semgrep.dev: rule: r_id: 20533 rv_id: 1263661 rule_id: OrUv2z version_id: DkTRbE4 url: https://semgrep.dev/playground/r/DkTRbE4/ruby.rails.security.brakeman.check-sql.check-sql origin: community - id: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods mode: taint pattern-sources: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] pattern-sinks: - patterns: - pattern: $X - pattern-either: - pattern-inside: | $X. ... .to_proc - patterns: - pattern-inside: | $Y.method($Z) - focus-metavariable: $Z - patterns: - pattern-inside: | $Y.tap($Z) - focus-metavariable: $Z - patterns: - pattern-inside: | $Y.tap{ |$ANY| $Z } - focus-metavariable: $Z message: Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc` languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection_methods.rb category: security cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection technology: - ruby - rails references: - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods shortlink: https://sg.run/dPYd semgrep.dev: rule: r_id: 20534 rv_id: 1263662 rule_id: eqUZ2Q version_id: WrTqKLA url: https://semgrep.dev/playground/r/WrTqKLA/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods origin: community - id: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection mode: taint pattern-sources: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] pattern-sinks: - patterns: - pattern: $X - pattern-either: - pattern-inside: | $X.constantize - pattern-inside: | $X. ... .safe_constantize - pattern-inside: | const_get(...) - pattern-inside: | qualified_const_get(...) message: Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input. languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unsafe_reflection.rb category: security cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection technology: - ruby - rails references: - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb cwe2022-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection shortlink: https://sg.run/vpEX semgrep.dev: rule: r_id: 20733 rv_id: 1263663 rule_id: wdUkYA version_id: 0bTKzn8 url: https://semgrep.dev/playground/r/0bTKzn8/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection origin: community - id: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find mode: taint pattern-sources: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] pattern-sinks: - patterns: - pattern-either: - pattern: $MODEL.find(...) - pattern: $MODEL.find_by_id(...) - pattern: $MODEL.find_by_id!(...) - metavariable-regex: metavariable: $MODEL regex: '[A-Z]\S+' message: Found an unscoped `find(...)` with user-controllable input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. Scope the find to the current user, e.g. `current_user.accounts.find(params[:id])`. languages: - ruby severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_unscoped_find.rb category: security cwe: - 'CWE-639: Authorization Bypass Through User-Controlled Key' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - ruby - rails references: - https://brakemanscanner.org/docs/warning_types/unscoped_find/ - https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/controllers/users_controller.rb subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find shortlink: https://sg.run/dPbP semgrep.dev: rule: r_id: 20734 rv_id: 1263664 rule_id: x8Ud6d version_id: K3TKkxZ url: https://semgrep.dev/playground/r/K3TKkxZ/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find origin: community - id: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string languages: - ruby severity: ERROR message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - rails references: - https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/Y85o semgrep.dev: rule: r_id: 14714 rv_id: 1263667 rule_id: bwU8gl version_id: YDTZeLL url: https://semgrep.dev/playground/r/YDTZeLL/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sources: - patterns: - pattern-either: - pattern: params - pattern: request pattern-sanitizers: - pattern: | $PARAMS.slice(...) pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - patterns: - pattern: | $RECORD.where($X,...) - pattern: | $RECORD.find(..., :conditions => $X,...) - focus-metavariable: $X - patterns: - pattern: | "$SQLVERB#{$EXPR}..." - pattern-not-inside: | $FUNC("...", "...#{$EXPR}...",...) - focus-metavariable: $SQLVERB - pattern-regex: (?i)(select|delete|insert|create|update|alter|drop)\b - patterns: - pattern-either: - pattern: Kernel::sprintf("$SQLSTR", $EXPR) - pattern: | "$SQLSTR" + $EXPR - pattern: | "$SQLSTR" % $EXPR - pattern-not-inside: | $FUNC("...", "...#{$EXPR}...",...) - focus-metavariable: $EXPR - metavariable-regex: metavariable: $SQLSTR regex: (?i)(select|delete|insert|create|update|alter|drop)\b - id: ruby.rails.security.injection.tainted-url-host.tainted-url-host languages: - ruby severity: WARNING message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - rails references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - https://github.com/arkadiyt/ssrf_filter cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/ruby.rails.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/RX3g semgrep.dev: rule: r_id: 14705 rv_id: 1263668 rule_id: zdUY0W version_id: 6xT29BN url: https://semgrep.dev/playground/r/6xT29BN/ruby.rails.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sanitizers: - pattern: SsrfFilter pattern-sources: - patterns: - pattern-either: - pattern: params - pattern: request pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: | $URLSTR - pattern-regex: \w+:\/\/#{.*} - patterns: - pattern-either: - pattern: Kernel::sprintf("$URLSTR", ...) - pattern: | "$URLSTR" + $EXPR - pattern: | "$URLSTR" % $EXPR - metavariable-pattern: metavariable: $URLSTR language: generic pattern: $SCHEME:// ... - id: ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-python.hooks-path-traversal-python mode: taint languages: - python severity: ERROR message: Hook input flows into a file path without validation. Claude Code and Cursor hooks receive JSON input that may contain user-controlled paths. An attacker could craft input with path traversal sequences (e.g., '../../etc/passwd') to read, modify, or delete arbitrary files. Use os.path.realpath() or os.path.abspath() to resolve and validate paths before file operations. metadata: cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-python.hooks-path-traversal-python shortlink: https://sg.run/boKXW semgrep.dev: rule: r_id: 288826 rv_id: 1413384 rule_id: yyUBGAD version_id: RGTEZeE url: https://semgrep.dev/playground/r/RGTEZeE/ai.ai-best-practices.hooks-path-traversal.hooks-path-traversal-python.hooks-path-traversal-python origin: community pattern-sources: - pattern: json.loads(...) - pattern: json.load(...) pattern-sinks: - patterns: - pattern: open($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: os.remove($SINK) - focus-metavariable: $SINK - patterns: - pattern: os.unlink($SINK) - focus-metavariable: $SINK - patterns: - pattern: shutil.copy($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: shutil.move($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: pathlib.Path($SINK) - focus-metavariable: $SINK pattern-sanitizers: - pattern: os.path.realpath(...) - pattern: os.path.abspath(...) - id: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode patterns: - pattern-inside: | import pdi.jwt.$DEPS ... - pattern-either: - pattern: $JWT.encode($X, "...", ...) - pattern: $JWT.decode($X, "...", ...) - pattern: $JWT.decodeRawAll($X, "...", ...) - pattern: $JWT.decodeRaw($X, "...", ...) - pattern: $JWT.decodeAll($X, "...", ...) - pattern: $JWT.validate($X, "...", ...) - pattern: $JWT.isValid($X, "...", ...) - pattern: $JWT.decodeJson($X, "...", ...) - pattern: $JWT.decodeJsonAll($X, "...", ...) - patterns: - pattern-either: - pattern: $JWT.encode($X, $KEY, ...) - pattern: $JWT.decode($X, $KEY, ...) - pattern: $JWT.decodeRawAll($X, $KEY, ...) - pattern: $JWT.decodeRaw($X, $KEY, ...) - pattern: $JWT.decodeAll($X, $KEY, ...) - pattern: $JWT.validate($X, $KEY, ...) - pattern: $JWT.isValid($X, $KEY, ...) - pattern: $JWT.decodeJson($X, $KEY, ...) - pattern: $JWT.decodeJsonAll($X, $KEY, ...) - pattern: $JWT.encode($X, this.$KEY, ...) - pattern: $JWT.decode($X, this.$KEY, ...) - pattern: $JWT.decodeRawAll($X, this.$KEY, ...) - pattern: $JWT.decodeRaw($X, this.$KEY, ...) - pattern: $JWT.decodeAll($X, this.$KEY, ...) - pattern: $JWT.validate($X, this.$KEY, ...) - pattern: $JWT.isValid($X, this.$KEY, ...) - pattern: $JWT.decodeJson($X, this.$KEY, ...) - pattern: $JWT.decodeJsonAll($X, this.$KEY, ...) - pattern-either: - pattern-inside: | class $CL { ... $KEY = "..." ... } - pattern-inside: | object $CL { ... $KEY = "..." ... } - metavariable-pattern: metavariable: $JWT patterns: - pattern-either: - pattern: Jwt - pattern: JwtArgonaut - pattern: JwtCirce - pattern: JwtJson4s - pattern: JwtJson - pattern: JwtUpickle message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)' languages: - scala severity: WARNING metadata: references: - https://jwt-scala.github.io/jwt-scala/ category: security cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design technology: - scala confidence: HIGH cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode shortlink: https://sg.run/8zE7 semgrep.dev: rule: r_id: 19040 rv_id: 1263669 rule_id: WAUdK0 version_id: o5TbDA8 url: https://semgrep.dev/playground/r/o5TbDA8/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode origin: community - id: scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run patterns: - pattern: Seq($CMD, ...) - pattern-not: Seq("...", ...) - pattern-inside: | import sys.process ... - pattern-not-inside: | $CMD = "..." ... - pattern-either: - pattern-inside: Seq(...).! - pattern-inside: Seq(...).!! - pattern-inside: Seq(...).lazyLines message: Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized. languages: - scala severity: ERROR metadata: category: security cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run shortlink: https://sg.run/79b2 semgrep.dev: rule: r_id: 18282 rv_id: 1263670 rule_id: JDUle4 version_id: zyTb2zJ url: https://semgrep.dev/playground/r/zyTb2zJ/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run origin: community - id: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run patterns: - pattern: Seq($SH, "-c", $CMD, ...) - pattern-not: Seq($SH, "-c", "...", ...) - pattern-inside: | import sys.process ... - pattern-not-inside: | $CMD = "..." ... - pattern-either: - pattern-inside: Seq(...).! - pattern-inside: Seq(...).!! - pattern-inside: Seq(...).lazyLines - metavariable-regex: metavariable: $SH regex: '"(sh|bash|ksh|csh|tcsh|zsh)"' message: Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized. languages: - scala severity: ERROR metadata: category: security cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run shortlink: https://sg.run/Lg76 semgrep.dev: rule: r_id: 18283 rv_id: 1263671 rule_id: 5rUy3K version_id: pZT03ED url: https://semgrep.dev/playground/r/pZT03ED/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run origin: community - id: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled patterns: - pattern-either: - pattern: | $DF = DocumentBuilderFactory.newInstance(...) ... $DB = $DF.newDocumentBuilder(...) - patterns: - pattern: $DB = DocumentBuilderFactory.newInstance(...) - pattern-not-inside: | ... $X = $DB.newDocumentBuilder(...) - pattern: $DB = DocumentBuilderFactory.newInstance(...).newDocumentBuilder(...) - pattern-not-inside: | ... $DB.setXIncludeAware(true) ... $DB.setNamespaceAware(true) ... $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) - pattern-not-inside: | ... $DB.setXIncludeAware(true) ... $DB.setNamespaceAware(true) ... $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) ... $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) - pattern-not-inside: | ... $DB.setXIncludeAware(true) ... $DB.setNamespaceAware(true) ... $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) - pattern-not-inside: | ... $DB.setXIncludeAware(true) ... $DB.setNamespaceAware(true) ... $DB.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $DB.setFeature("http://xml.org/sax/features/external-parameter-entities", false) ... $DB.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) message: Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality. languages: - scala severity: WARNING metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html category: security technology: - scala confidence: HIGH references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled shortlink: https://sg.run/gRQn semgrep.dev: rule: r_id: 19041 rv_id: 1263673 rule_id: 0oUwzP version_id: X0TzyRq url: https://semgrep.dev/playground/r/X0TzyRq/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled origin: community - id: scala.lang.security.audit.insecure-random.insecure-random metadata: cwe: - 'CWE-330: Use of Insufficiently Random Values' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - scala - cryptography resources: - https://find-sec-bugs.github.io/bugs.htm confidence: LOW references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/scala.lang.security.audit.insecure-random.insecure-random shortlink: https://sg.run/JxAw semgrep.dev: rule: r_id: 15190 rv_id: 1263674 rule_id: gxUgDk version_id: jQTn5Px url: https://semgrep.dev/playground/r/jQTn5Px/scala.lang.security.audit.insecure-random.insecure-random origin: community message: Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead. severity: WARNING languages: - scala patterns: - pattern: | import scala.util.Random - id: scala.lang.security.audit.io-source-ssrf.io-source-ssrf patterns: - pattern-either: - pattern: Source.fromURL($URL,...) - pattern: Source.fromURI($URL,...) - pattern-inside: | import scala.io.$SOURCE ... - pattern-either: - pattern-inside: | def $FUNC(..., $URL: $T, ...) = $A { ... } - pattern-inside: | def $FUNC(..., $URL: $T, ...) = { ... } message: A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - https://www.scala-lang.org/api/current/scala/io/Source$.html#fromURL(url:java.net.URL)(implicitcodec:scala.io.Codec):scala.io.BufferedSource category: security technology: - scala confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/scala.lang.security.audit.io-source-ssrf.io-source-ssrf shortlink: https://sg.run/Qbz4 semgrep.dev: rule: r_id: 18486 rv_id: 1263675 rule_id: GdUDOZ version_id: 1QTypG9 url: https://semgrep.dev/playground/r/1QTypG9/scala.lang.security.audit.io-source-ssrf.io-source-ssrf origin: community languages: - scala severity: WARNING - id: scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - scala resources: - https://find-sec-bugs.github.io/bugs.htm confidence: LOW references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile shortlink: https://sg.run/5D1A semgrep.dev: rule: r_id: 15191 rv_id: 1263676 rule_id: QrUdOZ version_id: 9lT4bpj url: https://semgrep.dev/playground/r/9lT4bpj/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile origin: community message: Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation. severity: WARNING languages: - scala patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $FILENAME = "..." + $VAR ... - pattern-inside: | $FILENAME = $VAR + "..." ... - pattern-inside: | $FILENAME = $STR.concat($VAR) ... - pattern-inside: | $FILENAME = "...".format(..., $VAR, ...) ... - pattern: Source.fromFile($FILENAME, ...) - patterns: - pattern-either: - pattern: Source.fromFile("..." + $VAR, ...) - pattern: Source.fromFile($VAR + "...", ...) - pattern: Source.fromFile($STR.concat($VAR), ...) - pattern: Source.fromFile("...".format(..., $VAR, ...), ...) - pattern-inside: | def $FUNC(..., $VAR: $TYPE, ...) = Action { ... } - id: scala.lang.security.audit.rsa-padding-set.rsa-padding-set metadata: cwe: - 'CWE-780: Use of RSA Algorithm without OAEP' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - scala - cryptography resources: - https://blog.codacy.com/9-scala-security-issues/ confidence: HIGH references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set shortlink: https://sg.run/GO5p semgrep.dev: rule: r_id: 15192 rv_id: 1263677 rule_id: 3qUj1Q version_id: yeTxpoX url: https://semgrep.dev/playground/r/yeTxpoX/scala.lang.security.audit.rsa-padding-set.rsa-padding-set origin: community message: Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead. severity: WARNING languages: - scala patterns: - pattern: | $VAR = $CIPHER.getInstance($MODE) - metavariable-regex: metavariable: $MODE regex: .*RSA/.*/NoPadding.* - id: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled patterns: - pattern-either: - pattern: $SR = new SAXReader(...) - pattern: | $SF = SAXParserFactory.newInstance(...) ... $SR = $SF.newSAXParser(...) - patterns: - pattern: $SR = SAXParserFactory.newInstance(...) - pattern-not-inside: | ... $X = $SR.newSAXParser(...) - pattern: $SR = SAXParserFactory.newInstance(...).newSAXParser(...) - pattern: $SR = new SAXBuilder(...) - pattern-not-inside: | ... $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) - pattern-not-inside: | ... $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) ... $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) - pattern-not-inside: | ... $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) - pattern-not-inside: | ... $SR.setFeature("http://xml.org/sax/features/external-general-entities", false) ... $SR.setFeature("http://xml.org/sax/features/external-parameter-entities", false) ... $SR.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) message: XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality. languages: - scala severity: WARNING metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html category: security technology: - scala confidence: HIGH references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled shortlink: https://sg.run/QbYP semgrep.dev: rule: r_id: 19042 rv_id: 1263678 rule_id: KxUrkq version_id: rxTAKWY url: https://semgrep.dev/playground/r/rxTAKWY/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled origin: community - id: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run patterns: - pattern-either: - pattern: $X.! - pattern: $X.!! - pattern: $X.lazyLines - pattern-inside: | import sys.process ... - pattern-not: | "...".! - pattern-not: | "...".!! - pattern-not: | "...".lazyLines - pattern-not: | Seq(...).! - pattern-not: | Seq(...).!! - pattern-not: | Seq(...).lazyLines - pattern-not-inside: | val $X = "..." ... - pattern-not-inside: | val $X = Seq(...) ... message: Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands. languages: - scala severity: ERROR metadata: category: security cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run shortlink: https://sg.run/wZBY semgrep.dev: rule: r_id: 17329 rv_id: 1263679 rule_id: 6JUEeo version_id: bZT53y0 url: https://semgrep.dev/playground/r/bZT53y0/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run origin: community - id: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf patterns: - pattern: Http($URL) - pattern-inside: | import scalaj.http.$HTTP ... - pattern-either: - pattern-inside: | def $FUNC(..., $URL: $T, ...) = $A { ... } - pattern-inside: | def $FUNC(..., $URL: $T, ...) = { ... } message: A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - https://github.com/scalaj/scalaj-http#simplified-http category: security technology: - scala - scalaj-http confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf shortlink: https://sg.run/OgjB semgrep.dev: rule: r_id: 18431 rv_id: 1263680 rule_id: AbU3xA version_id: NdTzy7D url: https://semgrep.dev/playground/r/NdTzy7D/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf origin: community languages: - scala severity: WARNING - id: scala.lang.security.audit.scalajs-eval.scalajs-eval mode: taint pattern-sources: - patterns: - pattern: $PARAM - pattern-either: - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = $A { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) { ... } pattern-sinks: - patterns: - pattern: $JS.eval(...) - pattern-inside: | import scala.scalajs.$X ... message: "`eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it\u2019s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments." metadata: references: - https://www.scala-js.org/doc/ cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - scala - scala-js confidence: LOW cwe2022-top25: true subcategory: - vuln likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/scala.lang.security.audit.scalajs-eval.scalajs-eval shortlink: https://sg.run/R5L2 semgrep.dev: rule: r_id: 20049 rv_id: 1263681 rule_id: DbU2kJ version_id: kbTzG1d url: https://semgrep.dev/playground/r/kbTzG1d/scala.lang.security.audit.scalajs-eval.scalajs-eval origin: community languages: - scala severity: WARNING - id: scala.lang.security.audit.tainted-sql-string.tainted-sql-string languages: - scala severity: ERROR mode: taint message: User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html category: security technology: - scala confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/scala.lang.security.audit.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/ALD6 semgrep.dev: rule: r_id: 20050 rv_id: 1263682 rule_id: WAUY8B version_id: w8TRoO6 url: https://semgrep.dev/playground/r/w8TRoO6/scala.lang.security.audit.tainted-sql-string.tainted-sql-string origin: community pattern-sources: - patterns: - pattern: $PARAM - pattern-either: - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = $A { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) { ... } pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR".format(...) - patterns: - pattern-inside: | $SB = new StringBuilder("$SQLSTR"); ... - pattern: $SB.append(...) - patterns: - pattern-inside: | $VAR = "$SQLSTR" ... - pattern: $VAR += ... - metavariable-regex: metavariable: $SQLSTR regex: (?i)(select|delete|insert|create|update|alter|drop)\b - patterns: - pattern-either: - pattern: s"..." - pattern: f"..." - pattern-regex: | .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* - pattern-not-inside: println(...) - pattern-not-inside: throw new $EXCEPTION(...) pattern-sanitizers: - pattern-either: - patterns: - pattern-either: - pattern: $LOGGER.$METHOD(...) - pattern: $LOGGER(...) - metavariable-regex: metavariable: $LOGGER regex: (i?)log.* - patterns: - pattern: $LOGGER.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (i?)(trace|info|warn|warning|warnToError|error|debug) - id: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled patterns: - pattern-not-inside: | ... $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false) - pattern-either: - pattern: $XMLFACTORY = XMLInputFactory.newFactory(...) - pattern: $XMLFACTORY = XMLInputFactory.newInstance(...) - pattern: $XMLFACTORY = new XMLInputFactory(...) message: XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality. languages: - scala severity: WARNING metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html category: security technology: - scala confidence: HIGH references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled shortlink: https://sg.run/3BEb semgrep.dev: rule: r_id: 19043 rv_id: 1263683 rule_id: qNUQ7w version_id: xyTjzkA url: https://semgrep.dev/playground/r/xyTjzkA/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled origin: community - id: scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass patterns: - pattern-either: - pattern: X-Requested-With = "*" - pattern: Csrf-Token = "..." - pattern-inside: | bypassHeaders {... ... ...} - pattern-not-inside: | {... ... ...blackList = [..."application/x-www-form-urlencoded"..."multipart/form-data"..."text/plain"...] ... ...} - pattern-not-inside: | {... ... ...blackList = [..."application/x-www-form-urlencoded"..."text/plain"..."multipart/form-data"...] ... ...} - pattern-not-inside: | {... ... ...blackList = [..."multipart/form-data"..."application/x-www-form-urlencoded"..."text/plain"...] ... ...} - pattern-not-inside: | {... ... ...blackList = [..."multipart/form-data"..."text/plain"..."application/x-www-form-urlencoded"...] ... ...} - pattern-not-inside: | {... ... ...blackList = [..."text/plain"..."application/x-www-form-urlencoded"..."multipart/form-data"...] ... ...} - pattern-not-inside: | {... ... ...blackList = [..."text/plain"..."multipart/form-data"..."application/x-www-form-urlencoded"...] ... ...} message: "Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they\u2019re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on." languages: - generic severity: ERROR paths: include: - '*.conf' metadata: references: - https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes - https://owasp.org/www-community/attacks/csrf cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control category: security technology: - scala - play confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass shortlink: https://sg.run/4DEE semgrep.dev: rule: r_id: 19044 rv_id: 1263684 rule_id: lBUyRR version_id: O9Tpx53 url: https://semgrep.dev/playground/r/O9Tpx53/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass origin: community - id: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings patterns: - pattern: secure = false - pattern-inside: | session = { ... } message: Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file. languages: - generic severity: WARNING paths: include: - '*.conf' metadata: category: security references: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security - https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration technology: - play - scala cwe: - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration confidence: MEDIUM subcategory: - vuln likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cookie Security source: https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings shortlink: https://sg.run/8z8N semgrep.dev: rule: r_id: 18284 rv_id: 1263685 rule_id: GdUDJO version_id: e1TyjJv url: https://semgrep.dev/playground/r/e1TyjJv/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings origin: community - id: scala.play.security.tainted-html-response.tainted-html-response mode: taint metadata: category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection technology: - scala - play confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response shortlink: https://sg.run/BG96 semgrep.dev: rule: r_id: 18795 rv_id: 1263686 rule_id: 0oUwn2 version_id: vdT06yj url: https://semgrep.dev/playground/r/vdT06yj/scala.play.security.tainted-html-response.tainted-html-response origin: community message: Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views. pattern-sources: - patterns: - pattern-either: - patterns: - pattern: $REQ - pattern-either: - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" - patterns: - pattern: $PARAM - pattern-either: - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { ... } pattern-sanitizers: - pattern-either: - pattern: org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(...) - pattern: org.owasp.encoder.Encode.forHtml(...) pattern-sinks: - pattern-either: - pattern: Html.apply(...) - pattern: Ok(...).as(HTML) - pattern: Ok(...).as(ContentTypes.HTML) - patterns: - pattern: Ok(...).as($CTYPE) - metavariable-regex: metavariable: $CTYPE regex: '"[tT][eE][xX][tT]/[hH][tT][mM][lL]"' - patterns: - pattern: Ok(...).as($CTYPE) - pattern-not: Ok(...).as("...") - pattern-either: - pattern-inside: | def $FUNC(..., $URL: $T, ...) = $A { ... } - pattern-inside: | def $FUNC(..., $URL: $T, ...) = { ... } severity: WARNING languages: - scala - id: scala.play.security.tainted-slick-sqli.tainted-slick-sqli mode: taint metadata: references: - https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values - https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala - slick - play confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli shortlink: https://sg.run/k9K2 semgrep.dev: rule: r_id: 18328 rv_id: 1263687 rule_id: GdUDWO version_id: d6TyxJe url: https://semgrep.dev/playground/r/d6TyxJe/scala.play.security.tainted-slick-sqli.tainted-slick-sqli origin: community message: Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings. pattern-sources: - patterns: - pattern-either: - patterns: - pattern: $REQ - pattern-either: - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" - patterns: - pattern: $PARAM - pattern-either: - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { ... } pattern-sinks: - patterns: - pattern-either: - pattern: $MODEL.overrideSql(...) - pattern: sql"..." - pattern-inside: | import slick.$DEPS ... severity: ERROR languages: - scala - id: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request languages: - scala severity: ERROR mode: taint message: User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html category: security technology: - scala - play confidence: HIGH cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request shortlink: https://sg.run/BeW9 semgrep.dev: rule: r_id: 20051 rv_id: 1263688 rule_id: 0oUpon version_id: ZRTKAoG url: https://semgrep.dev/playground/r/ZRTKAoG/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request origin: community pattern-sources: - patterns: - pattern-either: - patterns: - pattern: $REQ - pattern-either: - pattern-inside: "Action {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action(...) {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async {\n $REQ: Request[$T] => \n ...\n}\n" - pattern-inside: "Action.async(...) {\n $REQ: Request[$T] => \n ...\n}\n" - patterns: - pattern: $PARAM - pattern-either: - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async { ... } - pattern-inside: | def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...) { ... } pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR".format(...) - patterns: - pattern-inside: | $SB = new StringBuilder("$SQLSTR"); ... - pattern: $SB.append(...) - patterns: - pattern-inside: | $VAR = "$SQLSTR" ... - pattern: $VAR += ... - metavariable-regex: metavariable: $SQLSTR regex: (?i)(select|delete|insert|create|update|alter|drop)\b - patterns: - pattern: s"..." - pattern-regex: | .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* - pattern-not-inside: println(...) - id: scala.play.security.twirl-html-var.twirl-html-var patterns: - pattern-either: - pattern: | @Html($VAL) - pattern: | @Html(...$VAL + ...) - pattern: | @Html(... + $VAL...) - metavariable-regex: metavariable: $VAL regex: \w* message: Raw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using `Html()` or consider properly sanitizing input data. languages: - generic severity: WARNING paths: include: - '*.html' metadata: category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://www.playframework.com/documentation/2.8.x/ScalaTemplates#Escaping technology: - scala - play - twirl confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/scala.play.security.twirl-html-var.twirl-html-var shortlink: https://sg.run/DAry semgrep.dev: rule: r_id: 18796 rv_id: 1263689 rule_id: KxUrx5 version_id: nWT2Lvy url: https://semgrep.dev/playground/r/nWT2Lvy/scala.play.security.twirl-html-var.twirl-html-var origin: community - id: scala.play.security.webservice-ssrf.webservice-ssrf patterns: - pattern: $WS.url($URL) - pattern-either: - pattern-inside: | class $CLASS (..., $WS: WSClient, ...) { ... } - pattern-inside: | def $FUNC(..., $WS: WSClient, ...) = { ... } - pattern-inside: | $WS = AhcWSClient(...) ... - pattern-either: - pattern-inside: | def $FUNC(..., $URL: $T, ...) = $A { ... } - pattern-inside: | def $FUNC(..., $URL: $T, ...) = { ... } message: A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - https://www.playframework.com/documentation/2.8.x/ScalaWS category: security technology: - scala - play confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf shortlink: https://sg.run/reRR semgrep.dev: rule: r_id: 18369 rv_id: 1263690 rule_id: PeUxEE version_id: ExTExz1 url: https://semgrep.dev/playground/r/ExTExz1/scala.play.security.webservice-ssrf.webservice-ssrf origin: community languages: - scala severity: WARNING - id: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret languages: - scala message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)' metadata: category: security cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ technology: - jwt confidence: HIGH references: - https://owasp.org/Top10/A04_2021-Insecure_Design cwe2021-top25: true subcategory: - audit likelihood: MEDIUM impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret shortlink: https://sg.run/Z40o semgrep.dev: rule: r_id: 15079 rv_id: 1263691 rule_id: OrU6W1 version_id: 7ZTE3kr url: https://semgrep.dev/playground/r/7ZTE3kr/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret origin: community pattern-either: - pattern: | com.auth0.jwt.algorithms.Algorithm.HMAC256("..."); - pattern: | $SECRET = "..."; ... com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET); - pattern: | class $CLASS { ... $DECL $SECRET = "..."; ... def $FUNC (...): $RETURNTYPE = { ... com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET); ... } ... } - pattern: | com.auth0.jwt.algorithms.Algorithm.HMAC384("..."); - pattern: | $SECRET = "..."; ... com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET); - pattern: | class $CLASS { ... $DECL $SECRET = "..."; ... def $FUNC (...): $RETURNTYPE = { ... com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET); ... } ... } - pattern: | com.auth0.jwt.algorithms.Algorithm.HMAC512("..."); - pattern: | $SECRET = "..."; ... com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET); - pattern: | class $CLASS { ... $DECL $SECRET = "..."; ... def $FUNC (...): $RETURNTYPE = { ... com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET); ... } ... } severity: ERROR - id: scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal patterns: - pattern: $MODEL.overrideSql($QUERY,...) - pattern-not: $MODEL.overrideSql("...",...) - pattern-not-inside: | $QUERY = "..." ... message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using non literal values in `overrideSql(...)`. languages: - scala severity: ERROR metadata: category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala - slick confidence: LOW references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal shortlink: https://sg.run/PYe0 semgrep.dev: rule: r_id: 17501 rv_id: 1263692 rule_id: wdUA97 version_id: LjTkgvQ url: https://semgrep.dev/playground/r/LjTkgvQ/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal origin: community - id: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal patterns: - pattern: sql"..." - pattern-regex: \#\$ - pattern-inside: | import slick.$DEPS ... message: Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql"..."` strings instead. languages: - scala severity: ERROR metadata: source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCALA_SQL_INJECTION_SLICK references: - https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values category: security cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection technology: - scala - slick confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal shortlink: https://sg.run/JgDk semgrep.dev: rule: r_id: 17502 rv_id: 1263693 rule_id: x8UNKe version_id: 8KT5rwy url: https://semgrep.dev/playground/r/8KT5rwy/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal origin: community - id: ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-bash.hooks-sensitive-file-access-bash languages: - generic severity: WARNING message: Hook input from jq flows into a file operation without checking for sensitive files. Claude Code and Cursor hooks receive JSON input that may reference sensitive files such as ~/.ssh/*, ~/.aws/credentials, or .env files. Filter or block access to sensitive paths using realpath and a validation check before performing file operations. metadata: cwe: 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-bash.hooks-sensitive-file-access-bash shortlink: https://sg.run/Nxvwy semgrep.dev: rule: r_id: 288827 rv_id: 1413385 rule_id: r6Uol26 version_id: A8TEZk0 url: https://semgrep.dev/playground/r/A8TEZk0/ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-bash.hooks-sensitive-file-access-bash origin: community paths: include: - '*.sh' - '*.bash' pattern-regex: \$$.*\|\s*jq\b[^)]*$[\s\S]*?\n\s*(cat|rm|cp|mv)\s+\$ - id: swift.lang.crypto.insecure-random.insecure-random message: A random number generator was detected which is **not** *guaranteed* to be Cryptographically secure. If the source of entropy is used for security purposes (e.g. with other Cryptographic operations), make sure to use the `SecCopyRandomBytes` API explicitly. severity: WARNING metadata: likelihood: LOW impact: LOW confidence: LOW category: security cwe: - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' masvs: - 'MSTG-CRYPTO-6: All random values are generated using a sufficiently secure random number generator.' owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures references: - https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements - https://developer.apple.com/documentation/security/1399291-secrandomcopybytes - https://developer.apple.com/documentation/security/randomization_services?language=swift - https://github.com/apple/swift-evolution/blob/main/proposals/0202-random-unification.md subcategory: - audit technology: - ios - macos license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/swift.lang.crypto.insecure-random.insecure-random shortlink: https://sg.run/Lb76 semgrep.dev: rule: r_id: 58939 rv_id: 1263695 rule_id: lBUk23 version_id: QkTGqxX url: https://semgrep.dev/playground/r/QkTGqxX/swift.lang.crypto.insecure-random.insecure-random origin: community languages: - swift pattern-either: - pattern: random() - pattern: Int.random(...) - pattern: Bool.random(...) - pattern: Float.random(...) - pattern: Double.random(...) - pattern: arc4random() - pattern: arc4random_buf(...) - pattern: arc4random_uniform(...) - pattern: SystemRandomNumberGenerator(...) - pattern: rand() - id: swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults message: Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain. severity: WARNING metadata: likelihood: LOW impact: HIGH confidence: MEDIUM category: security cwe: - 'CWE-311: Missing Encryption of Sensitive Data' masvs: - 'MASVS-STORAGE-1: The app securely stores sensitive data' owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/ subcategory: - vuln technology: - ios - macos license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults shortlink: https://sg.run/qvoO semgrep.dev: rule: r_id: 66512 rv_id: 1263696 rule_id: KxUqoZ version_id: 3ZT4Xy2 url: https://semgrep.dev/playground/r/3ZT4Xy2/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults origin: community languages: - swift options: symbolic_propagation: true patterns: - pattern-either: - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $VALUE regex: (?i).*(passcode|password|pass_word|passphrase|pass_code|pass_word|pass_phrase)$ - focus-metavariable: $VALUE - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $KEY regex: (?i).*(passcode|password|pass_word|passphrase|pass_code|pass_word|pass_phrase)$ - focus-metavariable: $KEY - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $VALUE regex: (?i).*(api_key|apikey)$ - focus-metavariable: $VALUE - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $KEY regex: (?i).*(api_key|apikey)$ - focus-metavariable: $KEY - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $VALUE regex: (?i).*(secretkey|secret_key|secrettoken|secret_token|clientsecret|client_secret)$ - focus-metavariable: $VALUE - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $KEY regex: (?i).*(secretkey|secret_key|secrettoken|secret_token|clientsecret|client_secret)$ - focus-metavariable: $KEY - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $VALUE regex: (?i).*(cryptkey|cryptokey|crypto_key|cryptionkey|symmetrickey|privatekey|symmetric_key|private_key)$ - focus-metavariable: $VALUE - patterns: - pattern-either: - pattern: | UserDefaults.standard.set("$VALUE", forKey: "$KEY") - pattern: | UserDefaults.standard.set("$VALUE", forKey: $KEY) - pattern: | UserDefaults.standard.set($VALUE, forKey: "$KEY") - pattern: | UserDefaults.standard.set($VALUE, forKey: $KEY) - metavariable-regex: metavariable: $KEY regex: (?i).*(cryptkey|cryptokey|crypto_key|cryptionkey|symmetrickey|privatekey|symmetric_key|private_key)$ - focus-metavariable: $KEY - id: terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted patterns: - pattern: | resource "aws_athena_workgroup" $ANYTHING { ... configuration { ... result_configuration { ... } ... } ... } - pattern-not-inside: | resource "aws_athena_workgroup" $ANYTHING { ... configuration { ... result_configuration { ... encryption_configuration { ... } ... } ... } ... } message: The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted shortlink: https://sg.run/gX7J semgrep.dev: rule: r_id: 17341 rv_id: 1263699 rule_id: NbUXOA version_id: JdTzx8e url: https://semgrep.dev/playground/r/JdTzx8e/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted origin: community - id: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version patterns: - pattern: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... } ... } - pattern-not-inside: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... minimum_protocol_version = "TLSv1.2_2018" ... } ... } - pattern-not-inside: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... minimum_protocol_version = "TLSv1.2_2019" ... } ... } - pattern-not-inside: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... minimum_protocol_version = "TLSv1.2_2021" ... } ... } - pattern-not-inside: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... minimum_protocol_version = "TLSv1.2_2025" ... } ... } - pattern-not-inside: | resource "aws_cloudfront_distribution" $ANYTHING { ... viewer_certificate { ... minimum_protocol_version = "TLSv1.3_2025" ... } ... } message: Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021", "TLSv1.2_2025" or "TLSv1.3_2025"`. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version shortlink: https://sg.run/Q6o4 semgrep.dev: rule: r_id: 17342 rv_id: 1263700 rule_id: kxU6A8 version_id: 5PTo1bY url: https://semgrep.dev/playground/r/5PTo1bY/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted patterns: - pattern: | resource "aws_cloudwatch_log_group" $ANYTHING { ... } - pattern-not-inside: | resource "aws_cloudwatch_log_group" $ANYTHING { ... kms_key_id = ... ... } message: By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so. languages: - hcl severity: WARNING metadata: owasp: - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' technology: - aws - terraform category: security references: - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted shortlink: https://sg.run/Pg6Y semgrep.dev: rule: r_id: 17345 rv_id: 1263701 rule_id: OrUl0J version_id: GxTkep4 url: https://semgrep.dev/playground/r/GxTkep4/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted origin: community - id: terraform.aws.security.aws-codebuild-artifacts-unencrypted.aws-codebuild-artifacts-unencrypted patterns: - pattern-inside: | resource "aws_codebuild_project" "$ANYTHING" { ... } - pattern: | $ARTIFACTS { ... type = "$TYPE" encryption_disabled = true ... } - metavariable-regex: metavariable: $ARTIFACTS regex: ^(artifacts|secondary_artifacts)$ - metavariable-regex: metavariable: $TYPE regex: ^(CODEPIPELINE|S3)$ message: The CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_disabled - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-artifacts.html - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-codebuild-artifacts-unencrypted.aws-codebuild-artifacts-unencrypted shortlink: https://sg.run/0wrB semgrep.dev: rule: r_id: 52198 rv_id: 1263702 rule_id: L1UoYk version_id: RGT0Ljd url: https://semgrep.dev/playground/r/RGT0Ljd/terraform.aws.security.aws-codebuild-artifacts-unencrypted.aws-codebuild-artifacts-unencrypted origin: community - id: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions pattern-either: - pattern: | resource "aws_config_configuration_aggregator" $ANYTHING { ... account_aggregation_source { ... regions = ... ... } ... } - pattern: | resource "aws_config_configuration_aggregator" $ANYTHING { ... organization_aggregation_source { ... regions = ... ... } ... } message: The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' references: - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/ subcategory: - audit likelihood: LOW impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions shortlink: https://sg.run/O6A7 semgrep.dev: rule: r_id: 47275 rv_id: 1263703 rule_id: DbUo7v version_id: A8Tgdwv url: https://semgrep.dev/playground/r/A8Tgdwv/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions origin: community - id: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging patterns: - pattern: | resource "aws_db_instance" $ANYTHING { ... } - pattern-not-inside: | resource "aws_db_instance" $ANYTHING { ... enabled_cloudwatch_logs_exports = [$SOMETHING, ...] ... } message: Database instance has no logging. Missing logs can cause missing important event information. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - vuln likelihood: MEDIUM impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging shortlink: https://sg.run/GyAp semgrep.dev: rule: r_id: 17348 rv_id: 1263704 rule_id: d8U4RA version_id: BjTkZ6j url: https://semgrep.dev/playground/r/BjTkZ6j/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging origin: community - id: terraform.aws.security.aws-documentdb-storage-unencrypted.aws-documentdb-storage-unencrypted patterns: - pattern: | resource "aws_docdb_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "aws_docdb_cluster" $ANYTHING { ... storage_encrypted = true ... } message: The AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-documentdb-storage-unencrypted.aws-documentdb-storage-unencrypted shortlink: https://sg.run/OE1b semgrep.dev: rule: r_id: 48631 rv_id: 1263706 rule_id: BYUOB1 version_id: WrTqK0A url: https://semgrep.dev/playground/r/WrTqK0A/terraform.aws.security.aws-documentdb-storage-unencrypted.aws-documentdb-storage-unencrypted origin: community - id: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted patterns: - pattern: | resource "aws_dynamodb_table" $ANYTHING { ... } - pattern-not-inside: | resource "aws_dynamodb_table" $ANYTHING { ... server_side_encryption { enabled = true kms_key_arn = ... } ... } message: By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted shortlink: https://sg.run/Ay4p semgrep.dev: rule: r_id: 17350 rv_id: 1263707 rule_id: nJUGe2 version_id: 0bTKzj8 url: https://semgrep.dev/playground/r/0bTKzj8/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted origin: community - id: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted patterns: - pattern: | resource "aws_ebs_volume" $ANYTHING { ... } - pattern-not: | resource "aws_ebs_volume" $ANYTHING { ... encrypted = true ... } message: The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html subcategory: - audit likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted shortlink: https://sg.run/6ZbY semgrep.dev: rule: r_id: 50759 rv_id: 1263708 rule_id: YGUKl1 version_id: K3TKk1Z url: https://semgrep.dev/playground/r/K3TKk1Z/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted origin: community - id: terraform.aws.security.aws-sns-topic-unencrypted.aws-sns-topic-unencrypted patterns: - pattern: | resource "aws_sns_topic" $ANYTHING { ... } - pattern-not-inside: | resource "aws_sns_topic" $ANYTHING { ... kms_master_key_id = ... ... } message: The AWS SNS topic is unencrypted. The SNS topic messages could be read if compromised. The AWS KMS encryption key protects topic contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-sns-topic-unencrypted.aws-sns-topic-unencrypted shortlink: https://sg.run/b06p semgrep.dev: rule: r_id: 47070 rv_id: 1263739 rule_id: ReUWRG version_id: w8TRo7p url: https://semgrep.dev/playground/r/w8TRo7p/terraform.aws.security.aws-sns-topic-unencrypted.aws-sns-topic-unencrypted origin: community - id: terraform.aws.security.aws-sqs-queue-policy-wildcard-action.aws-sqs-queue-policy-wildcard-action patterns: - pattern-either: - pattern-inside: | resource "aws_sqs_queue_policy" $ANYTHING { ... } - pattern-inside: | resource "aws_sqs_queue" $ANYTHING { ... } - pattern-either: - patterns: - pattern: policy = "$JSONPOLICY" - metavariable-pattern: metavariable: $JSONPOLICY language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Action": "*", ...} - pattern: | {..., "Action": "sqs:*", ...} - pattern: | {..., "Action": [..., "*", ...], ...} - pattern: | {..., "Action": [..., "sqs:*", ...], ...} - patterns: - pattern-inside: policy = jsonencode(...) - pattern-not-inside: | {..., Effect = "Deny", ...} - pattern-either: - pattern: | {..., Action = "*", ...} - pattern: | {..., Action = "sqs:*", ...} - pattern: | {..., Action = [..., "*", ...], ...} - pattern: | {..., Action = [..., "sqs:*", ...], ...} message: Wildcard used in your SQS queue policy action. SQS queue policies should always grant least privilege - that is, only grant the permissions required to perform a specific task. Implementing least privilege is important to reducing security risks and reducing the effect of errors or malicious intent. metadata: category: security technology: - aws - terraform owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-least-privilege-policy.html subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-action.aws-sqs-queue-policy-wildcard-action shortlink: https://sg.run/ozdR semgrep.dev: rule: r_id: 53516 rv_id: 1263740 rule_id: 4bULBl version_id: xyTjz7R url: https://semgrep.dev/playground/r/xyTjz7R/terraform.aws.security.aws-sqs-queue-policy-wildcard-action.aws-sqs-queue-policy-wildcard-action origin: community languages: - hcl severity: INFO - id: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal patterns: - pattern-either: - pattern-inside: | resource "aws_sqs_queue_policy" $ANYTHING { ... } - pattern-inside: | resource "aws_sqs_queue" $ANYTHING { ... } - pattern-either: - patterns: - pattern: policy = "$JSONPOLICY" - metavariable-pattern: metavariable: $JSONPOLICY language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Principal": "*", ...} - pattern: | {..., "Principal": [..., "*", ...], ...} - pattern: | {..., "Principal": { "AWS": "*" }, ...} - pattern: | {..., "Principal": { "AWS": [..., "*", ...] }, ...} - pattern-not-inside: "{..., \n\"Condition\": {\n \"ArnNotLike\": {\n \"aws:SourceArn\": ...\n }\n},\n...}\n" - pattern-not-inside: "{..., \n\"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": ...\n }\n},\n...}\n" - pattern-not-inside: "{..., \n\"Condition\": {\n \"ArnEquals\": {\n \"aws:SourceArn\": ...\n }\n},\n...}\n" - pattern-not-inside: "{..., \n\"Condition\": {\n \"StringNotLike\": {\n \ \"aws:PrincipalARN\": ...\n }\n},\n...}\n" - patterns: - pattern-inside: policy = jsonencode(...) - pattern-not-inside: | {..., Effect = "Deny", ...} - pattern-not-inside: "{..., \nCondition = {\n ArnNotLike = {\n \"aws:SourceArn\" = ...\n }\n},\n...}\n" - pattern-not-inside: "{..., \nCondition = {\n ArnLike = {\n \"aws:SourceArn\" = ...\n }\n},\n...}\n" - pattern-not-inside: "{..., \nCondition = {\n ArnEquals = {\n \"aws:SourceArn\" = ...\n }\n}\n...}\n" - pattern-not-inside: "{..., \nCondition = {\n StringNotLike = {\n \"aws:PrincipalARN\" = ...\n }\n},\n...}\n" - pattern-either: - pattern: | {..., Principal = "*", ...} - pattern: | {..., Principal = [..., "*", ...], ...} - pattern: | {..., Principal = { AWS = "*" }, ...} - pattern: | {..., Principal = { AWS = [..., "*", ...] }, ...} message: Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege. metadata: category: security technology: - aws - terraform owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM rule-origin-note: published from /src/aws-sqs-queue-policy-wildcard-principal.yml in None license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal shortlink: https://sg.run/z3eW semgrep.dev: rule: r_id: 53517 rv_id: 1263741 rule_id: PeUl9d version_id: O9TpxgE url: https://semgrep.dev/playground/r/O9TpxgE/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal origin: community languages: - hcl severity: ERROR - id: terraform.aws.security.aws-sqs-queue-unencrypted.aws-sqs-queue-unencrypted patterns: - pattern: | resource "aws_sqs_queue" $ANYTHING { ... } - pattern-not: | resource "aws_sqs_queue" $ANYTHING { ... sqs_managed_sse_enabled = true ... } - pattern-not: | resource "aws_sqs_queue" $ANYTHING { ... kms_master_key_id = ... ... } message: The AWS SQS queue contents are unencrypted. The data could be read if compromised. Enable server-side encryption for your queue using SQS-managed encryption keys (SSE-SQS), or using your own AWS KMS key (SSE-KMS). languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-sqs-queue-unencrypted.aws-sqs-queue-unencrypted shortlink: https://sg.run/ppOL semgrep.dev: rule: r_id: 53518 rv_id: 1263742 rule_id: JDUBEz version_id: e1TyjNq url: https://semgrep.dev/playground/r/e1TyjNq/terraform.aws.security.aws-sqs-queue-unencrypted.aws-sqs-queue-unencrypted origin: community - id: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues patterns: - pattern-either: - patterns: - pattern-not-inside: | resource "aws_ssm_document" $ANYTHING { ... document_format = "YAML" ... } - pattern: content = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-either: - pattern: '"s3EncryptionEnabled": false' - pattern: '"cloudWatchEncryptionEnabled": false' - pattern: '{..., "cloudWatchLogGroupName": "", ..., "s3BucketName": "", ...}' message: The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues shortlink: https://sg.run/EyWw semgrep.dev: rule: r_id: 17381 rv_id: 1263743 rule_id: 0oUrWL version_id: vdT067B url: https://semgrep.dev/playground/r/vdT067B/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues origin: community - id: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address patterns: - pattern-either: - pattern: | resource "aws_subnet" $ANYTHING { ... map_public_ip_on_launch = true ... } - pattern: | resource "aws_default_subnet" $ANYTHING { ... } - pattern-not: | resource "aws_default_subnet" $ANYTHING { ... map_public_ip_on_launch = false ... } message: Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses subcategory: - audit likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address shortlink: https://sg.run/XJZw semgrep.dev: rule: r_id: 50764 rv_id: 1263744 rule_id: 2ZUo79 version_id: d6Tyxdb url: https://semgrep.dev/playground/r/d6Tyxdb/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address origin: community - id: terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public patterns: - pattern: | resource "aws_transfer_server" $ANYTHING { ... } - pattern-not-inside: | resource "aws_transfer_server" $ANYTHING { ... endpoint_type = "VPC" ... } message: Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `"VPC"`. metadata: category: security technology: - terraform - aws owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public shortlink: https://sg.run/L39r semgrep.dev: rule: r_id: 17383 rv_id: 1263745 rule_id: qNUWl1 version_id: ZRTKAYB url: https://semgrep.dev/playground/r/ZRTKAYB/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted patterns: - pattern: | resource "aws_workspaces_workspace" $ANYTHING { ... } - pattern-not-inside: | resource "aws_workspaces_workspace" $ANYTHING { ... root_volume_encryption_enabled = true ... } message: The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted shortlink: https://sg.run/8gby semgrep.dev: rule: r_id: 17384 rv_id: 1263746 rule_id: lBUWB9 version_id: nWT2Lgl url: https://semgrep.dev/playground/r/nWT2Lgl/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted origin: community - id: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy metadata: category: security subcategory: - audit likelihood: MEDIUM impact: HIGH confidence: MEDIUM technology: - terraform - aws owasp: - A05:2017 - Sensitive Data Exposure - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' references: - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy - https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy shortlink: https://sg.run/LWlY semgrep.dev: rule: r_id: 70983 rv_id: 1263748 rule_id: 7KU3dr version_id: 7ZTE346 url: https://semgrep.dev/playground/r/7ZTE346/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy origin: community message: '`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.' languages: - hcl severity: WARNING match: where: - metavariable: $IDENTIFIER regex: .*oidc-provider/token\.actions\.githubusercontent\.com all: - inside: | data "aws_iam_policy_document" $POLICY { ... } - | statement { ... principals { ... type = "Federated" identifiers = [..., $IDENTIFIER, ...] } } - not: | statement { ... condition { ... variable = "token.actions.githubusercontent.com:sub" } } - id: ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-python.hooks-sensitive-file-access-python mode: taint languages: - python severity: WARNING message: Hook input flows into a file operation without checking for sensitive files. Claude Code and Cursor hooks receive JSON input that may reference sensitive files such as ~/.ssh/*, ~/.aws/credentials, or .env files. Filter or block access to sensitive paths using a validation function like check_sensitive() or is_sensitive() before performing file operations. metadata: cwe: 'CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: MEDIUM technology: - claude-code - cursor references: - https://docs.anthropic.com/en/docs/claude-code/hooks - https://cursor.com/docs/agent/hooks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-python.hooks-sensitive-file-access-python shortlink: https://sg.run/kW5zP semgrep.dev: rule: r_id: 288828 rv_id: 1413386 rule_id: bwUKQz1 version_id: BjTynxv url: https://semgrep.dev/playground/r/BjTynxv/ai.ai-best-practices.hooks-sensitive-file-access.hooks-sensitive-file-access-python.hooks-sensitive-file-access-python origin: community pattern-sources: - pattern: json.loads(...) - pattern: json.load(...) pattern-sinks: - patterns: - pattern: open($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: os.remove($SINK) - focus-metavariable: $SINK - patterns: - pattern: shutil.copy($SINK, ...) - focus-metavariable: $SINK - patterns: - pattern: shutil.move($SINK, ...) - focus-metavariable: $SINK pattern-sanitizers: - pattern: validate_path(...) - pattern: check_sensitive(...) - pattern: is_sensitive(...) - pattern: os.path.realpath(...) - id: ai.ai-best-practices.openai-missing-moderation.openai-missing-moderation.openai-missing-moderation languages: - python severity: WARNING message: OpenAI chat completion used without content moderation. Consider using the Moderations API (client.moderations.create()) to check user input for harmful content before sending to the model. metadata: cwe: 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/moderation license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-moderation.openai-missing-moderation.openai-missing-moderation shortlink: https://sg.run/Okz1n semgrep.dev: rule: r_id: 286775 rv_id: 1409372 rule_id: EwUpe4L version_id: X0TYGBg url: https://semgrep.dev/playground/r/X0TYGBg/ai.ai-best-practices.openai-missing-moderation.openai-missing-moderation.openai-missing-moderation origin: community patterns: - pattern: $CLIENT.chat.completions.create(...) - pattern-inside: | def $FUNC(...): ... - pattern-not-inside: | def $FUNC(...): ... $CLIENT.moderations.create(...) ... - id: terraform.aws.security.wildcard-assume-role.wildcard-assume-role patterns: - pattern-inside: | resource "aws_iam_role" $NAME { ... } - pattern: assume_role_policy = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-inside: | {..., "Effect": "Allow", ..., "Action": "sts:AssumeRole", ...} - pattern: | "Principal": {..., "AWS": "*", ...} message: 'Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.' metadata: cwe: - 'CWE-250: Execution with Unnecessary Privileges' category: security technology: - aws references: - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.wildcard-assume-role.wildcard-assume-role shortlink: https://sg.run/LXWr semgrep.dev: rule: r_id: 15139 rv_id: 1263749 rule_id: 5rUL1P version_id: LjTkg8D url: https://semgrep.dev/playground/r/LjTkg8D/terraform.aws.security.wildcard-assume-role.wildcard-assume-role origin: community languages: - hcl severity: ERROR - id: terraform.azure.best-practice.azure-networkinterface-enable-ip-forwarding.azure-networkinterface-enable-ip-forwarding message: Ensure that Network Interfaces disable IP forwarding patterns: - pattern: resource - pattern-inside: | resource "azurerm_network_interface" "..." { ... enable_ip_forwarding = true ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.best-practice.azure-networkinterface-enable-ip-forwarding.azure-networkinterface-enable-ip-forwarding shortlink: https://sg.run/dNzZ semgrep.dev: rule: r_id: 23934 rv_id: 1263750 rule_id: KxUjoy version_id: 8KT5r87 url: https://semgrep.dev/playground/r/8KT5r87/terraform.azure.best-practice.azure-networkinterface-enable-ip-forwarding.azure-networkinterface-enable-ip-forwarding origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.aks.azure-aks-apiserver-auth-ip-ranges.azure-aks-apiserver-auth-ip-ranges message: "Ensure AKS has an API Server Authorized IP Ranges enabled\t" patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kubernetes_cluster" "..." { ... api_server_authorized_ip_ranges = ["..."] ... } - pattern-inside: | resource "azurerm_kubernetes_cluster" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.aks.azure-aks-apiserver-auth-ip-ranges.azure-aks-apiserver-auth-ip-ranges shortlink: https://sg.run/qBez semgrep.dev: rule: r_id: 23956 rv_id: 1263751 rule_id: X5UxYJ version_id: gETB7QR url: https://semgrep.dev/playground/r/gETB7QR/terraform.azure.security.aks.azure-aks-apiserver-auth-ip-ranges.azure-aks-apiserver-auth-ip-ranges origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.aks.azure-aks-private-clusters-enabled.azure-aks-private-clusters-enabled message: "Ensure that AKS enables private clusters\t" patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_kubernetes_cluster" "..." { ... private_cluster_enabled = true ... } - pattern-inside: | resource "azurerm_kubernetes_cluster" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.aks.azure-aks-private-clusters-enabled.azure-aks-private-clusters-enabled shortlink: https://sg.run/lJby semgrep.dev: rule: r_id: 23957 rv_id: 1263752 rule_id: j2UY1L version_id: QkTGqe5 url: https://semgrep.dev/playground/r/QkTGqe5/terraform.azure.security.aks.azure-aks-private-clusters-enabled.azure-aks-private-clusters-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.apiservice.azure-apiservices-use-virtualnetwork.azure-apiservices-use-virtualnetwork message: Ensure that API management services use virtual networks patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_api_management" "..." { ... virtual_network_configuration { subnet_id = ... } ... } - pattern-inside: | resource "azurerm_api_management" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.apiservice.azure-apiservices-use-virtualnetwork.azure-apiservices-use-virtualnetwork shortlink: https://sg.run/684o semgrep.dev: rule: r_id: 23959 rv_id: 1263753 rule_id: 9AUW38 version_id: 3ZT4X0n url: https://semgrep.dev/playground/r/3ZT4X0n/terraform.azure.security.apiservice.azure-apiservices-use-virtualnetwork.azure-apiservices-use-virtualnetwork origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered message: Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice. patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... identity { type = "..." identity_ids = "..." } ... } - pattern-not-inside: | resource "azurerm_app_service" "..." { ... identity { type = "SystemAssigned" } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: category: security owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-287: Improper Authentication' technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered shortlink: https://sg.run/PbXY semgrep.dev: rule: r_id: 15101 rv_id: 1263754 rule_id: WAUynd version_id: 44TEj04 url: https://semgrep.dev/playground/r/44TEj04/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered origin: community languages: - hcl severity: INFO - id: terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled message: Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... auth_settings { ... enabled = true ... } ... } - pattern-either: - pattern-inside: | resource "azurerm_app_service" "..." { ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... auth_settings { ... enabled = false ... } ... } metadata: cwe: - 'CWE-287: Improper Authentication' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled shortlink: https://sg.run/JxYw semgrep.dev: rule: r_id: 15102 rv_id: 1263755 rule_id: 0oU23p version_id: PkTR3P8 url: https://semgrep.dev/playground/r/PkTR3P8/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled origin: community languages: - hcl severity: ERROR - id: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 message: Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... site_config { ... http2_enabled = true ... } ... } - pattern-either: - pattern-inside: | resource "azurerm_app_service" "..." { ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... site_config { ... http2_enabled = false ... } ... } metadata: cwe: - 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request/Response Smuggling'')' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 shortlink: https://sg.run/5DkA semgrep.dev: rule: r_id: 15103 rv_id: 1263756 rule_id: KxU7LJ version_id: JdTzx98 url: https://semgrep.dev/playground/r/JdTzx98/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 origin: community languages: - hcl severity: INFO - id: terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only message: By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting. patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... https_only = true ... } - pattern-either: - pattern-inside: | resource "azurerm_app_service" "..." { ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... https_only = false ... } metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only - https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only shortlink: https://sg.run/GOKp semgrep.dev: rule: r_id: 15104 rv_id: 1263757 rule_id: qNUXwx version_id: 5PTo1gg url: https://semgrep.dev/playground/r/5PTo1gg/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only origin: community languages: - hcl severity: ERROR - id: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert message: Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block. patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... client_cert_enabled = true ... } - pattern-either: - pattern-inside: | resource "azurerm_app_service" "..." { ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... client_cert_enabled = false ... } metadata: cwe: - 'CWE-295: Improper Certificate Validation' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert shortlink: https://sg.run/RX1O semgrep.dev: rule: r_id: 15105 rv_id: 1263758 rule_id: lBU8D6 version_id: GxTkedE url: https://semgrep.dev/playground/r/GxTkedE/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert origin: community languages: - hcl severity: INFO - id: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy message: Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = "1.2"` in your resource block. patterns: - pattern: min_tls_version = $ANYTHING - pattern-inside: | resource "azurerm_app_service" "$NAME" { ... } - pattern-not-inside: min_tls_version = "1.2" metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy shortlink: https://sg.run/AXRp semgrep.dev: rule: r_id: 15106 rv_id: 1263759 rule_id: YGUDbZ version_id: RGT0L4x url: https://semgrep.dev/playground/r/RGT0L4x/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy origin: community languages: - hcl severity: ERROR - id: terraform.azure.security.appservice.azure-appservice-auth.azure-appservice-auth message: Ensure App Service Authentication is set on Azure App Service patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... auth_settings { ... enabled = true ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-auth.azure-appservice-auth shortlink: https://sg.run/oR19 semgrep.dev: rule: r_id: 23960 rv_id: 1263760 rule_id: yyU2qb version_id: A8Tgdod url: https://semgrep.dev/playground/r/A8Tgdod/terraform.azure.security.appservice.azure-appservice-auth.azure-appservice-auth origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-client-certificate.azure-appservice-client-certificate message: Ensure the web app has Client Certificates patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... client_cert_enabled = true ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-client-certificate.azure-appservice-client-certificate shortlink: https://sg.run/zorG semgrep.dev: rule: r_id: 23961 rv_id: 1263761 rule_id: r6ULnR version_id: BjTkZ3A url: https://semgrep.dev/playground/r/BjTkZ3A/terraform.azure.security.appservice.azure-appservice-client-certificate.azure-appservice-client-certificate origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled message: Ensure that App service enables detailed error messages patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... logs { ... detailed_error_messages_enabled = true ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled shortlink: https://sg.run/pA1g semgrep.dev: rule: r_id: 23962 rv_id: 1263762 rule_id: bwU1Eg version_id: DkTRbr5 url: https://semgrep.dev/playground/r/DkTRbr5/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-disallowed-cors.azure-appservice-disallowed-cors patterns: - pattern: | ["*"] - pattern-inside: allowed_origins = ... - pattern-inside: | $RESOURCE "azurerm_app_service" "..." { ... } message: Ensure that CORS disallows every resource to access app services languages: - hcl severity: WARNING metadata: owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-disallowed-cors.azure-appservice-disallowed-cors shortlink: https://sg.run/2ne0 semgrep.dev: rule: r_id: 23963 rv_id: 1263763 rule_id: NbUd6K version_id: WrTqK4v url: https://semgrep.dev/playground/r/WrTqK4v/terraform.azure.security.appservice.azure-appservice-disallowed-cors.azure-appservice-disallowed-cors origin: community - id: terraform.azure.security.appservice.azure-appservice-enabled-failed-request.azure-appservice-enabled-failed-request message: Ensure that App service enables failed request tracing patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... logs { ... failed_request_tracing_enabled = true ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-enabled-failed-request.azure-appservice-enabled-failed-request shortlink: https://sg.run/XAbK semgrep.dev: rule: r_id: 23964 rv_id: 1263764 rule_id: kxUxWE version_id: 0bTKzP4 url: https://semgrep.dev/playground/r/0bTKzP4/terraform.azure.security.appservice.azure-appservice-enabled-failed-request.azure-appservice-enabled-failed-request origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-http-logging-enabled.azure-appservice-http-logging-enabled message: Ensure that App service enables HTTP logging patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... logs { ... http_logs { ... } } ... } - pattern-not-inside: | resource "azurerm_app_service" "..." { ... logs { ... dynamic "http_logs" { ... } } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-http-logging-enabled.azure-appservice-http-logging-enabled shortlink: https://sg.run/j49Y semgrep.dev: rule: r_id: 23965 rv_id: 1263765 rule_id: wdUnWr version_id: K3TKkWl url: https://semgrep.dev/playground/r/K3TKkWl/terraform.azure.security.appservice.azure-appservice-http-logging-enabled.azure-appservice-http-logging-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only message: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... https_only = true ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only shortlink: https://sg.run/1g9w semgrep.dev: rule: r_id: 23966 rv_id: 1263766 rule_id: x8UZRP version_id: qkTR78q url: https://semgrep.dev/playground/r/qkTR78q/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-identity.azure-appservice-identity message: Ensure App Service Authentication is set on Azure App Service patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... client_cert_enabled = true identity { ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-identity.azure-appservice-identity shortlink: https://sg.run/9n5Y semgrep.dev: rule: r_id: 23967 rv_id: 1263767 rule_id: OrUOQ1 version_id: l4TJRnB url: https://semgrep.dev/playground/r/l4TJRnB/terraform.azure.security.appservice.azure-appservice-identity.azure-appservice-identity origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-identityprovider-enabled.azure-appservice-identityprovider-enabled message: Ensure that Managed identity provider is enabled for app services patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_app_service" "..." { ... identity { ... type = "SystemAssigned" ... } ... } - pattern-inside: | resource "azurerm_app_service" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-identityprovider-enabled.azure-appservice-identityprovider-enabled shortlink: https://sg.run/ykrx semgrep.dev: rule: r_id: 23968 rv_id: 1263768 rule_id: eqU14J version_id: YDTZe0q url: https://semgrep.dev/playground/r/YDTZe0q/terraform.azure.security.appservice.azure-appservice-identityprovider-enabled.azure-appservice-identityprovider-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version message: Ensure web app is using the latest version of TLS encryption patterns: - pattern-either: - pattern: | "1.0" - pattern: | "1.1" - pattern-inside: min_tls_version = ... - pattern-inside: | $RESOURCE "azurerm_app_service" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version shortlink: https://sg.run/rDwn semgrep.dev: rule: r_id: 23969 rv_id: 1263769 rule_id: v8UNL7 version_id: 6xT29gv url: https://semgrep.dev/playground/r/6xT29gv/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.openai-missing-moderation-check.openai-missing-moderation-check.openai-missing-moderation-check languages: - python severity: WARNING message: OpenAI moderation response accessed without checking the 'flagged' field. Always check results[0].flagged before processing moderation categories to properly filter harmful content. See https://developers.openai.com/api/docs/guides/moderation metadata: cwe: 'CWE-252: Unchecked Return Value' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/moderation license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-moderation-check.openai-missing-moderation-check.openai-missing-moderation-check shortlink: https://sg.run/er84y semgrep.dev: rule: r_id: 286776 rv_id: 1409373 rule_id: 7KU1KeG version_id: jQT1GOr url: https://semgrep.dev/playground/r/jQT1GOr/ai.ai-best-practices.openai-missing-moderation-check.openai-missing-moderation-check.openai-missing-moderation-check origin: community pattern-either: - patterns: - pattern: $RESP.results[0].categories - pattern-inside: | def $FUNC(...): ... - pattern-not-inside: | def $FUNC(...): ... if $RESP.results[0].flagged: ... ... - pattern-not-inside: | def $FUNC(...): ... if $RESP.results[0].flagged == True: ... ... - patterns: - pattern: $RESP.results[0].category_scores - pattern-inside: | def $FUNC(...): ... - pattern-not-inside: | def $FUNC(...): ... if $RESP.results[0].flagged: ... ... - pattern-not-inside: | def $FUNC(...): ... if $RESP.results[0].flagged == True: ... ... - id: terraform.azure.security.azure-containergroup-deployed-into-virtualnetwork.azure-containergroup-deployed-into-virtualnetwork message: Ensure that Azure Container group is deployed into virtual network patterns: - pattern: resource - pattern-not-inside: "resource \"azurerm_container_group\" \"...\" {\n...\ncontainer {\n ...\n}\nnetwork_profile_id = \"...\" \n...\n}\n" - pattern-inside: | resource "azurerm_container_group" "..." { ... container { ... } ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-containergroup-deployed-into-virtualnetwork.azure-containergroup-deployed-into-virtualnetwork shortlink: https://sg.run/w2wY semgrep.dev: rule: r_id: 23973 rv_id: 1263771 rule_id: EwUNew version_id: zyTb2JA url: https://semgrep.dev/playground/r/zyTb2JA/terraform.azure.security.azure-containergroup-deployed-into-virtualnetwork.azure-containergroup-deployed-into-virtualnetwork origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-cosmosdb-accounts-restricted-access.azure-cosmosdb-accounts-restricted-access message: Ensure Cosmos DB accounts have restricted access patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... public_network_access_enabled = false ... } - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... is_virtual_network_filter_enabled = true virtual_network_rule = ... ... } - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... is_virtual_network_filter_enabled = true ip_range_filter = [...] ... } - pattern-inside: | resource "azurerm_cosmosdb_account" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-cosmosdb-accounts-restricted-access.azure-cosmosdb-accounts-restricted-access shortlink: https://sg.run/x2Zz semgrep.dev: rule: r_id: 23974 rv_id: 1263772 rule_id: 7KUoKA version_id: pZT03jO url: https://semgrep.dev/playground/r/pZT03jO/terraform.azure.security.azure-cosmosdb-accounts-restricted-access.azure-cosmosdb-accounts-restricted-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-cosmosdb-disable-access-key-write.azure-cosmosdb-disable-access-key-write message: Ensure that Cosmos DB accounts have access key write capability disabled patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... access_key_metadata_writes_enabled = false ... } - pattern-inside: | resource "azurerm_cosmosdb_account" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-cosmosdb-disable-access-key-write.azure-cosmosdb-disable-access-key-write shortlink: https://sg.run/OxzB semgrep.dev: rule: r_id: 23975 rv_id: 1263773 rule_id: L1UQRw version_id: 2KTv2x4 url: https://semgrep.dev/playground/r/2KTv2x4/terraform.azure.security.azure-cosmosdb-disable-access-key-write.azure-cosmosdb-disable-access-key-write origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-cosmosdb-disables-public-network.azure-cosmosdb-disables-public-network message: Ensure that Azure Cosmos DB disables public network access patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_cosmosdb_account" "..." { ... public_network_access_enabled = false ... } - pattern-inside: | resource "azurerm_cosmosdb_account" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-cosmosdb-disables-public-network.azure-cosmosdb-disables-public-network shortlink: https://sg.run/eE8b semgrep.dev: rule: r_id: 23976 rv_id: 1263774 rule_id: 8GU93d version_id: X0TzyN7 url: https://semgrep.dev/playground/r/X0TzyN7/terraform.azure.security.azure-cosmosdb-disables-public-network.azure-cosmosdb-disables-public-network origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-customrole-definition-subscription-owner.azure-customrole-definition-subscription-owner message: Ensure that no custom subscription owner roles are created patterns: - pattern: | ["*"] - pattern-inside: | resource "azurerm_role_definition" "..." { permissions { ... } } - pattern-inside: actions = ... metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-customrole-definition-subscription-owner.azure-customrole-definition-subscription-owner shortlink: https://sg.run/dNOZ semgrep.dev: rule: r_id: 23978 rv_id: 1263775 rule_id: QrU0Ey version_id: jQTn5X3 url: https://semgrep.dev/playground/r/jQTn5X3/terraform.azure.security.azure-customrole-definition-subscription-owner.azure-customrole-definition-subscription-owner origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-datafactory-no-public-network-access.azure-datafactory-no-public-network-access message: Ensure that Azure Data factory public network access is disabled patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_data_factory" "..." { ... public_network_enabled = false ... } - pattern-inside: | resource "azurerm_data_factory" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-datafactory-no-public-network-access.azure-datafactory-no-public-network-access shortlink: https://sg.run/E1ow semgrep.dev: rule: r_id: 23981 rv_id: 1263776 rule_id: PeU12J version_id: 1QTypL5 url: https://semgrep.dev/playground/r/1QTypL5/terraform.azure.security.azure-datafactory-no-public-network-access.azure-datafactory-no-public-network-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-datafactory-uses-git-repository.azure-datafactory-uses-git-repository message: Ensure that Azure Data Factory uses Git repository for source control patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_data_factory" "..." { ... github_configuration { ... } ... } - pattern-not-inside: | resource "azurerm_data_factory" "..." { ... vsts_configuration { ... } ... } - pattern-inside: | resource "azurerm_data_factory" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-datafactory-uses-git-repository.azure-datafactory-uses-git-repository shortlink: https://sg.run/78JZ semgrep.dev: rule: r_id: 23982 rv_id: 1263777 rule_id: JDUpG5 version_id: 9lT4b0J url: https://semgrep.dev/playground/r/9lT4b0J/terraform.azure.security.azure-datafactory-uses-git-repository.azure-datafactory-uses-git-repository origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-eventgrid-domain-network-access.azure-eventgrid-domain-network-access message: Ensure that Azure Event Grid Domain public network access is disabled patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_eventgrid_domain" "..." { ... public_network_access_enabled = false ... } - pattern-inside: | resource "azurerm_eventgrid_domain" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-eventgrid-domain-network-access.azure-eventgrid-domain-network-access shortlink: https://sg.run/8Q5y semgrep.dev: rule: r_id: 23984 rv_id: 1263778 rule_id: GdU6Y7 version_id: yeTxp1D url: https://semgrep.dev/playground/r/yeTxp1D/terraform.azure.security.azure-eventgrid-domain-network-access.azure-eventgrid-domain-network-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-functionapp-disallow-cors.azure-functionapp-disallow-cors patterns: - pattern: | ["*"] - pattern-inside: allowed_origins = ... - pattern-inside: | $RESOURCE "azurerm_function_app" "..." { ... } message: ensure that CORS disallows all resources to access Function app languages: - hcl severity: WARNING metadata: owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A05_2021-Security_Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/terraform.azure.security.azure-functionapp-disallow-cors.azure-functionapp-disallow-cors shortlink: https://sg.run/gNoJ semgrep.dev: rule: r_id: 23985 rv_id: 1263779 rule_id: ReUknP version_id: rxTAKz6 url: https://semgrep.dev/playground/r/rxTAKz6/terraform.azure.security.azure-functionapp-disallow-cors.azure-functionapp-disallow-cors origin: community - id: ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-javascript.huggingface-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: Hugging Face API token is hardcoded in source code. Use environment variables or a secrets manager instead. See https://huggingface.co/docs/hub/en/security-tokens metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - huggingface references: - https://huggingface.co/docs/hub/en/security-tokens license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-javascript.huggingface-hardcoded-api-key-javascript shortlink: https://sg.run/wp6ZA semgrep.dev: rule: r_id: 288829 rv_id: 1413387 rule_id: NbU9GXo version_id: DkTwZqv url: https://semgrep.dev/playground/r/DkTwZqv/ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-javascript.huggingface-hardcoded-api-key-javascript origin: community patterns: - pattern: new InferenceClient("$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - id: terraform.azure.security.azure-functionapps-enable-auth.azure-functionapps-enable-auth message: Ensure that function apps enables Authentication patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_function_app" "..." { ... auth_settings { ... enabled = true ... } ... } - pattern-inside: | resource "azurerm_function_app" "..." { ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-functionapps-enable-auth.azure-functionapps-enable-auth shortlink: https://sg.run/Q234 semgrep.dev: rule: r_id: 23986 rv_id: 1263780 rule_id: AbU50G version_id: bZT53e1 url: https://semgrep.dev/playground/r/bZT53e1/terraform.azure.security.azure-functionapps-enable-auth.azure-functionapps-enable-auth origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-instance-extensions.azure-instance-extensions message: Ensure Virtual Machine Extensions are not Installed patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "azurerm_linux_virtual_machine" "..." { ... } - pattern-inside: | resource "azurerm_windows_virtual_machine" "..." { ... } - pattern-not-inside: | resource "azurerm_linux_virtual_machine" "..." { ... allow_extension_operations = false ... } - pattern-not-inside: | resource "azurerm_windows_virtual_machine" "..." { ... allow_extension_operations = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-instance-extensions.azure-instance-extensions shortlink: https://sg.run/32nr semgrep.dev: rule: r_id: 23987 rv_id: 1263781 rule_id: BYUrJd version_id: NdTzy2o url: https://semgrep.dev/playground/r/NdTzy2o/terraform.azure.security.azure-instance-extensions.azure-instance-extensions origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-iot-no-public-network-access.azure-iot-no-public-network-access message: Ensure that Azure IoT Hub disables public network access patterns: - pattern: resource - pattern-inside: | resource "azurerm_iothub" "..." { ... public_network_access_enabled = true ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-iot-no-public-network-access.azure-iot-no-public-network-access shortlink: https://sg.run/4LXl semgrep.dev: rule: r_id: 23988 rv_id: 1263782 rule_id: DbUnXx version_id: kbTzGlz url: https://semgrep.dev/playground/r/kbTzGlz/terraform.azure.security.azure-iot-no-public-network-access.azure-iot-no-public-network-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-mariadb-public-access-disabled.azure-mariadb-public-access-disabled message: Ensure public network access enabled is set to False for MariaDB servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_mariadb_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mariadb_server" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-mariadb-public-access-disabled.azure-mariadb-public-access-disabled shortlink: https://sg.run/R4vO semgrep.dev: rule: r_id: 23993 rv_id: 1263783 rule_id: lBUvo6 version_id: w8TRoxp url: https://semgrep.dev/playground/r/w8TRoxp/terraform.azure.security.azure-mariadb-public-access-disabled.azure-mariadb-public-access-disabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version message: Ensure MSSQL is using the latest version of TLS encryption patterns: - pattern-either: - pattern: | "1.0" - pattern: | "1.1" - pattern-inside: minimum_tls_version = ... - pattern-inside: | $RESOURCE "azurerm_mssql_server" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version shortlink: https://sg.run/B1lW semgrep.dev: rule: r_id: 23995 rv_id: 1263784 rule_id: 6JUJG8 version_id: xyTjzeR url: https://semgrep.dev/playground/r/xyTjzeR/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version message: Ensure MySQL is using the latest version of TLS encryption patterns: - pattern-either: - pattern: | "TLS1_0" - pattern: | "TLS1_1" - pattern-inside: ssl_minimal_tls_version_enforced = ... - pattern-inside: | $RESOURCE "azurerm_mysql_server" "..." { ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version shortlink: https://sg.run/WR44 semgrep.dev: rule: r_id: 23997 rv_id: 1263785 rule_id: zdU8NN version_id: O9TpxWE url: https://semgrep.dev/playground/r/O9TpxWE/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-mysql-public-access-disabled.azure-mysql-public-access-disabled message: Ensure public network access enabled is set to False for MySQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mysql_server" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-mysql-public-access-disabled.azure-mysql-public-access-disabled shortlink: https://sg.run/02Xv semgrep.dev: rule: r_id: 23998 rv_id: 1263786 rule_id: pKUyeA version_id: e1Tyjkq url: https://semgrep.dev/playground/r/e1Tyjkq/terraform.azure.security.azure-mysql-public-access-disabled.azure-mysql-public-access-disabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-postgresql-min-tls-version.azure-postgresql-min-tls-version message: Ensure PostgreSQL is using the latest version of TLS encryption patterns: - pattern-either: - pattern: | "TLS1_2" - pattern: | "TLS1_1" - pattern: | "TLS1_0" - pattern-inside: ssl_minimal_tls_version_enforced = ... - pattern-inside: | $RESOURCE "azurerm_postgresql_server" "..." { ... } - pattern-not-inside: | $RESOURCE "azurerm_postgresql_server" "..." { ... ssl_enforcement_enabled = true ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-postgresql-min-tls-version.azure-postgresql-min-tls-version shortlink: https://sg.run/PyvN semgrep.dev: rule: r_id: 24001 rv_id: 1263787 rule_id: j2UYDL version_id: vdT06zB url: https://semgrep.dev/playground/r/vdT06zB/terraform.azure.security.azure-postgresql-min-tls-version.azure-postgresql-min-tls-version origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-postgresql-server-public-access-disabled.azure-postgresql-server-public-access-disabled message: Ensure public network access enabled is set to False for PostgreSQL servers patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_server" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-postgresql-server-public-access-disabled.azure-postgresql-server-public-access-disabled shortlink: https://sg.run/J1vo semgrep.dev: rule: r_id: 24002 rv_id: 1263788 rule_id: 10UY3n version_id: d6TyxGb url: https://semgrep.dev/playground/r/d6TyxGb/terraform.azure.security.azure-postgresql-server-public-access-disabled.azure-postgresql-server-public-access-disabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-redis-cache-enable-non-ssl-port.azure-redis-cache-enable-non-ssl-port message: Ensure that only SSL are enabled for Cache for Redis patterns: - pattern: resource - pattern-inside: | resource "azurerm_redis_cache" "..." { ... enable_non_ssl_port = true ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.azure.security.azure-redis-cache-enable-non-ssl-port.azure-redis-cache-enable-non-ssl-port shortlink: https://sg.run/5e46 semgrep.dev: rule: r_id: 24003 rv_id: 1263789 rule_id: 9AUWq8 version_id: ZRTKAPB url: https://semgrep.dev/playground/r/ZRTKAPB/terraform.azure.security.azure-redis-cache-enable-non-ssl-port.azure-redis-cache-enable-non-ssl-port origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-redis-cache-public-network-access-enabled.azure-redis-cache-public-network-access-enabled message: Ensure that Azure Cache for Redis disables public network access patterns: - pattern: resource - pattern-inside: | resource "azurerm_redis_cache" "..." { ... } - pattern-not-inside: | resource "azurerm_redis_cache" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-redis-cache-public-network-access-enabled.azure-redis-cache-public-network-access-enabled shortlink: https://sg.run/GpvB semgrep.dev: rule: r_id: 24004 rv_id: 1263790 rule_id: yyU2Gb version_id: nWT2L4l url: https://semgrep.dev/playground/r/nWT2L4l/terraform.azure.security.azure-redis-cache-public-network-access-enabled.azure-redis-cache-public-network-access-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-remote-debugging-not-enabled.azure-remote-debugging-not-enabled message: Ensure that remote debugging is not enabled for app services patterns: - pattern: resource - pattern-inside: | resource "azurerm_app_service" "..." { ... remote_debugging_enabled = true ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-remote-debugging-not-enabled.azure-remote-debugging-not-enabled shortlink: https://sg.run/R4vE semgrep.dev: rule: r_id: 24005 rv_id: 1263791 rule_id: r6ULlR version_id: ExTExDy url: https://semgrep.dev/playground/r/ExTExDy/terraform.azure.security.azure-remote-debugging-not-enabled.azure-remote-debugging-not-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-scale-set-password.azure-scale-set-password message: Ensure that Virtual machine does not enable password authentication patterns: - pattern: resource - pattern-inside: | resource "azurerm_linux_virtual_machine_scale_set" "..." { ... } - pattern-not-inside: | resource "azurerm_linux_virtual_machine_scale_set" "..." { ... disable_password_authentication = true ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-scale-set-password.azure-scale-set-password shortlink: https://sg.run/ANqg semgrep.dev: rule: r_id: 24006 rv_id: 1263792 rule_id: bwU1Qg version_id: 7ZTE396 url: https://semgrep.dev/playground/r/7ZTE396/terraform.azure.security.azure-scale-set-password.azure-scale-set-password origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-search-publicnetwork-access-disabled.azure-search-publicnetwork-access-disabled message: Ensure that Azure Cognitive Search disables public network access patterns: - pattern: resource - pattern-inside: | resource "azurerm_search_service" "..." { ... } - pattern-not-inside: | resource "azurerm_search_service" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-search-publicnetwork-access-disabled.azure-search-publicnetwork-access-disabled shortlink: https://sg.run/B1lb semgrep.dev: rule: r_id: 24007 rv_id: 1263793 rule_id: NbUdGK version_id: LjTkgbD url: https://semgrep.dev/playground/r/LjTkgbD/terraform.azure.security.azure-search-publicnetwork-access-disabled.azure-search-publicnetwork-access-disabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-sqlserver-no-public-access.azure-sqlserver-no-public-access message: Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) patterns: - pattern: resource - pattern-inside: | resource "azurerm_mysql_firewall_rule" "..." { ... start_ip_address = "0.0.0.0" end_ip_address = "255.255.255.255" ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-sqlserver-no-public-access.azure-sqlserver-no-public-access shortlink: https://sg.run/WR4y semgrep.dev: rule: r_id: 24009 rv_id: 1263794 rule_id: wdUnNr version_id: 8KT5rk7 url: https://semgrep.dev/playground/r/8KT5rk7/terraform.azure.security.azure-sqlserver-no-public-access.azure-sqlserver-no-public-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-sqlserver-public-access-disabled.azure-sqlserver-public-access-disabled message: Ensure that SQL server disables public network access patterns: - pattern: resource - pattern-inside: | resource "azurerm_mssql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_mssql_server" "..." { ... public_network_access_enabled = false ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-sqlserver-public-access-disabled.azure-sqlserver-public-access-disabled shortlink: https://sg.run/02Xk semgrep.dev: rule: r_id: 24010 rv_id: 1263795 rule_id: x8UZ0P version_id: gETB72R url: https://semgrep.dev/playground/r/gETB72R/terraform.azure.security.azure-sqlserver-public-access-disabled.azure-sqlserver-public-access-disabled origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-python.huggingface-hardcoded-api-key-python languages: - python severity: ERROR message: Hugging Face API token is hardcoded in source code. Use environment variables or a secrets manager instead. See https://huggingface.co/docs/hub/en/security-tokens metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - huggingface references: - https://huggingface.co/docs/hub/en/security-tokens license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-python.huggingface-hardcoded-api-key-python shortlink: https://sg.run/xxo4L semgrep.dev: rule: r_id: 288830 rv_id: 1413388 rule_id: kxUj36z version_id: WrT7AO6 url: https://semgrep.dev/playground/r/WrT7AO6/ai.ai-best-practices.huggingface-hardcoded-api-key.huggingface-hardcoded-api-key-python.huggingface-hardcoded-api-key-python origin: community pattern-either: - patterns: - pattern: InferenceClient(token="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - patterns: - pattern: InferenceClient(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - patterns: - pattern: AsyncInferenceClient(token="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - patterns: - pattern: AsyncInferenceClient(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - patterns: - pattern: AutoModel.from_pretrained(..., token="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^hf_ - id: terraform.azure.security.azure-storage-account-disable-public-access.azure-storage-account-disable-public-access message: Ensure default network access rule for Storage Accounts is set to deny patterns: - pattern: resource - pattern-inside: | resource "azurerm_storage_account" "..." { ... allow_blob_public_access = true ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-storage-account-disable-public-access.azure-storage-account-disable-public-access shortlink: https://sg.run/KevP semgrep.dev: rule: r_id: 24011 rv_id: 1263796 rule_id: OrUOE1 version_id: QkTGqr5 url: https://semgrep.dev/playground/r/QkTGqr5/terraform.azure.security.azure-storage-account-disable-public-access.azure-storage-account-disable-public-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-storage-account-minimum-tlsversion.azure-storage-account-minimum-tlsversion message: Ensure Storage Account is using the latest version of TLS encryption patterns: - pattern: resource - pattern-inside: | resource "azurerm_storage_account" "..." { ... } - pattern-not-inside: | resource "azurerm_storage_account" "..." { ... min_tls_version = "TLS1_2" ... } - pattern-not-inside: | resource "azurerm_storage_account" "..." { ... min_tls_version = "TLS1_3" ... } metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.azure.security.azure-storage-account-minimum-tlsversion.azure-storage-account-minimum-tlsversion shortlink: https://sg.run/qBW1 semgrep.dev: rule: r_id: 24012 rv_id: 1263797 rule_id: eqU1bJ version_id: 3ZT4XAn url: https://semgrep.dev/playground/r/3ZT4XAn/terraform.azure.security.azure-storage-account-minimum-tlsversion.azure-storage-account-minimum-tlsversion origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-storage-blob-service-container-private-access.azure-storage-blob-service-container-private-access message: Ensure that Public access level is set to Private for blob containers patterns: - pattern: resource - pattern-inside: | resource "azurerm_storage_container" "..." { ... } - pattern-not-inside: | resource "azurerm_storage_container" "..." { ... container_access_type = "private" ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-storage-blob-service-container-private-access.azure-storage-blob-service-container-private-access shortlink: https://sg.run/lJGL semgrep.dev: rule: r_id: 24013 rv_id: 1263798 rule_id: v8UNo7 version_id: 44TEjP4 url: https://semgrep.dev/playground/r/44TEjP4/terraform.azure.security.azure-storage-blob-service-container-private-access.azure-storage-blob-service-container-private-access origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.azure-storage-sync-public-access-disabled.azure-storage-sync-public-access-disabled message: Ensure that Azure File Sync disables public network access patterns: - pattern: resource - pattern-inside: | resource "azurerm_storage_sync" "..." { ... } - pattern-not-inside: | resource "azurerm_storage_sync" "..." { ... incoming_traffic_policy = AllowVirtualNetworksOnly ... } metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.azure-storage-sync-public-access-disabled.azure-storage-sync-public-access-disabled shortlink: https://sg.run/YBJW semgrep.dev: rule: r_id: 24014 rv_id: 1263799 rule_id: d8UA7G version_id: PkTR3r8 url: https://semgrep.dev/playground/r/PkTR3r8/terraform.azure.security.azure-storage-sync-public-access-disabled.azure-storage-sync-public-access-disabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled message: Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_function_app" "..." { ... auth_settings { ... enabled = true ... } ... } - pattern-either: - pattern-inside: | resource "azurerm_function_app" "..." { ... } - pattern-inside: | resource "azurerm_function_app" "..." { ... auth_settings { ... enabled = false ... } ... } metadata: cwe: - 'CWE-287: Improper Authentication' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled shortlink: https://sg.run/B6AW semgrep.dev: rule: r_id: 15107 rv_id: 1263800 rule_id: 6JU1X8 version_id: JdTzxr8 url: https://semgrep.dev/playground/r/JdTzxr8/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled origin: community languages: - hcl severity: INFO - id: terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 message: Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_function_app" "..." { ... site_config { ... http2_enabled = true ... } ... } - pattern-either: - pattern-inside: | resource "azurerm_function_app" "..." { ... } - pattern-inside: | resource "azurerm_function_app" "..." { ... site_config { ... http2_enabled = false ... } ... } metadata: cwe: - 'CWE-444: Inconsistent Interpretation of HTTP Requests (''HTTP Request/Response Smuggling'')' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 shortlink: https://sg.run/DzDY semgrep.dev: rule: r_id: 15108 rv_id: 1263801 rule_id: oqU41L version_id: 5PTo1Dg url: https://semgrep.dev/playground/r/5PTo1Dg/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 origin: community languages: - hcl severity: INFO - id: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl message: Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass. patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_key_vault" "..." { ... network_acls { ... default_action = "Deny" ... } ... } - pattern-either: - pattern-inside: | resource "azurerm_key_vault" "..." { ... } - pattern-inside: | resource "azurerm_key_vault" "..." { ... network_acls { ... default_action = "Allow" ... } ... } metadata: cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls - https://docs.microsoft.com/en-us/azure/key-vault/general/network-security owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl shortlink: https://sg.run/nKgX semgrep.dev: rule: r_id: 15136 rv_id: 1263802 rule_id: 4bU1jy version_id: GxTkeEE url: https://semgrep.dev/playground/r/GxTkeEE/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl origin: community languages: - hcl severity: ERROR - id: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass message: Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules patterns: - pattern-not-inside: | resource "azurerm_storage_account" "..." { ... network_rules { ... bypass = ["...", "AzureServices"] ... } ... } - pattern-not-inside: | resource "azurerm_storage_account_network_rules" "..." { ... bypass = ["...", "AzureServices"] ... } - pattern-either: - pattern-inside: | resource "azurerm_storage_account_network_rules" "..." { ... bypass = [$ANYTHING] ... } - pattern-inside: | resource "azurerm_storage_account" "..." { ... network_rules { ... bypass = [$ANYTHING] ... } ... } metadata: cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass - https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass shortlink: https://sg.run/WpX4 semgrep.dev: rule: r_id: 15153 rv_id: 1263803 rule_id: GdUreY version_id: RGT0LGx url: https://semgrep.dev/playground/r/RGT0LGx/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass origin: community languages: - hcl severity: WARNING - id: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny message: Detected a Storage that was not configured to deny action by default. Add `default_action = "Deny"` in your resource block. patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_storage_account_network_rules" "..." { ... default_action = "Deny" ... } - pattern-inside: | resource "azurerm_storage_account_network_rules" "..." { ... default_action = "Allow" ... } metadata: cwe: - 'CWE-16: CWE CATEGORY: Configuration' category: security technology: - terraform - azure references: - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action - https://docs.microsoft.com/en-us/azure/firewall/rule-processing owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny shortlink: https://sg.run/WpN4 semgrep.dev: rule: r_id: 15109 rv_id: 1263804 rule_id: zdUY3N version_id: A8Tgd7d url: https://semgrep.dev/playground/r/A8Tgd7d/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny origin: community languages: - hcl severity: ERROR - id: terraform.gcp.security.gcp-artifact-registry-private-repo-iam-binding.gcp-artifact-registry-private-repo-iam-binding patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_artifact_registry_repository_iam_binding" "..." { ... members = [ ..., "allAuthenticatedUsers", ...] ... } - pattern-inside: | resource "google_artifact_registry_repository_iam_binding" "..." { ... members = [ ..., "allUsers", ...] ... } message: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-artifact-registry-private-repo-iam-binding.gcp-artifact-registry-private-repo-iam-binding shortlink: https://sg.run/Bq35 semgrep.dev: rule: r_id: 32295 rv_id: 1263808 rule_id: v8ULgW version_id: 0bTKzb4 url: https://semgrep.dev/playground/r/0bTKzb4/terraform.gcp.security.gcp-artifact-registry-private-repo-iam-binding.gcp-artifact-registry-private-repo-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-artifact-registry-private-repo-iam-member.gcp-artifact-registry-private-repo-iam-member patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_artifact_registry_repository_iam_member" "..." { ... member = "allUsers" ... } - pattern-inside: | resource "google_artifact_registry_repository_iam_member" "..." { ... member = "allAuthenticatedUsers" ... } message: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-artifact-registry-private-repo-iam-member.gcp-artifact-registry-private-repo-iam-member shortlink: https://sg.run/DYpj semgrep.dev: rule: r_id: 32296 rv_id: 1263809 rule_id: d8U8Xw version_id: K3TKkql url: https://semgrep.dev/playground/r/K3TKkql/terraform.gcp.security.gcp-artifact-registry-private-repo-iam-member.gcp-artifact-registry-private-repo-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-bigquery-private-table-iam-binding.gcp-bigquery-private-table-iam-binding patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_bigquery_table_iam_binding" "..." { ... members = [ ..., "allAuthenticatedUsers", ...] ... } - pattern-inside: | resource "google_bigquery_table_iam_binding" "..." { ... members = [ ..., "allUsers", ...] ... } message: "Ensure that BigQuery Tables are not anonymously or publicly accessible\t\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-bigquery-private-table-iam-binding.gcp-bigquery-private-table-iam-binding shortlink: https://sg.run/0Zkb semgrep.dev: rule: r_id: 32298 rv_id: 1263810 rule_id: nJUQXO version_id: qkTR7nq url: https://semgrep.dev/playground/r/qkTR7nq/terraform.gcp.security.gcp-bigquery-private-table-iam-binding.gcp-bigquery-private-table-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-bigquery-private-table-iam-member.gcp-bigquery-private-table-iam-member patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_bigquery_table_iam_member" "..." { ... member = "allAuthenticatedUsers" ... } - pattern-inside: | resource "google_bigquery_table_iam_member" "..." { ... member = "allUsers" ... } message: "Ensure that BigQuery Tables are not anonymously or publicly accessible\t\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-bigquery-private-table-iam-member.gcp-bigquery-private-table-iam-member shortlink: https://sg.run/K1rd semgrep.dev: rule: r_id: 32299 rv_id: 1263811 rule_id: EwUe7p version_id: l4TJROB url: https://semgrep.dev/playground/r/l4TJROB/terraform.gcp.security.gcp-bigquery-private-table-iam-member.gcp-bigquery-private-table-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging patterns: - pattern: | resource "google_storage_bucket" $ANYTHING { ... } - pattern-not-inside: "resource \"google_storage_bucket\" $ANYTHING {\n ...\n logging {\n log_bucket = ...\n } \n ...\n}\n" message: Ensure bucket logs access. languages: - hcl severity: WARNING metadata: owasp: - A10:2017 - Insufficient Logging & Monitoring - A09:2021 - Security Logging and Monitoring Failures - A09:2025 - Security Logging & Alerting Failures cwe: - 'CWE-778: Insufficient Logging' technology: - terraform - gcp category: security references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - vuln likelihood: LOW impact: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging shortlink: https://sg.run/5g5D semgrep.dev: rule: r_id: 32303 rv_id: 1263813 rule_id: gxUrdg version_id: JdTzxRN url: https://semgrep.dev/playground/r/JdTzxRN/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging origin: community - id: terraform.gcp.security.gcp-compute-disk-encryption.gcp-compute-disk-encryption patterns: - pattern: | resource "google_compute_disk" $ANYTHING { ... } - pattern-not-inside: | resource "google_compute_disk" $ANYTHING { ... disk_encryption_key { raw_key = ... } ... } - pattern-not-inside: | resource "google_compute_disk" $ANYTHING { ... disk_encryption_key { kms_key_self_link = ... } ... } message: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' technology: - terraform - gcp category: security references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-disk-encryption.gcp-compute-disk-encryption shortlink: https://sg.run/Rwdg semgrep.dev: rule: r_id: 32305 rv_id: 1263815 rule_id: 3qU2q3 version_id: GxTkeXx url: https://semgrep.dev/playground/r/GxTkeXx/terraform.gcp.security.gcp-compute-disk-encryption.gcp-compute-disk-encryption origin: community - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-20.gcp-compute-firewall-unrestricted-ingress-20 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [20] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "20", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted FTP access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-20.gcp-compute-firewall-unrestricted-ingress-20 shortlink: https://sg.run/AK6L semgrep.dev: rule: r_id: 32306 rv_id: 1263816 rule_id: 4bUb4e version_id: RGT0Lxg url: https://semgrep.dev/playground/r/RGT0Lxg/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-20.gcp-compute-firewall-unrestricted-ingress-20 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-21.gcp-compute-firewall-unrestricted-ingress-21 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [21] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "21", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted FTP access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-21.gcp-compute-firewall-unrestricted-ingress-21 shortlink: https://sg.run/Bqox semgrep.dev: rule: r_id: 32307 rv_id: 1263817 rule_id: PeUe4Q version_id: A8TgdlW url: https://semgrep.dev/playground/r/A8TgdlW/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-21.gcp-compute-firewall-unrestricted-ingress-21 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-22.gcp-compute-firewall-unrestricted-ingress-22 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [22] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "22", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted SSH access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-22.gcp-compute-firewall-unrestricted-ingress-22 shortlink: https://sg.run/DYpd semgrep.dev: rule: r_id: 32308 rv_id: 1263818 rule_id: JDUn0p version_id: BjTkZL7 url: https://semgrep.dev/playground/r/BjTkZL7/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-22.gcp-compute-firewall-unrestricted-ingress-22 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3306.gcp-compute-firewall-unrestricted-ingress-3306 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [3306] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "3306", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted MySQL access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3306.gcp-compute-firewall-unrestricted-ingress-3306 shortlink: https://sg.run/WbdL semgrep.dev: rule: r_id: 32309 rv_id: 1263819 rule_id: 5rU7We version_id: DkTRby1 url: https://semgrep.dev/playground/r/DkTRby1/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3306.gcp-compute-firewall-unrestricted-ingress-3306 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3389.gcp-compute-firewall-unrestricted-ingress-3389 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [3389] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "3389", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted RDP access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3389.gcp-compute-firewall-unrestricted-ingress-3389 shortlink: https://sg.run/0ZkB semgrep.dev: rule: r_id: 32310 rv_id: 1263820 rule_id: GdUlNk version_id: WrTqKnN url: https://semgrep.dev/playground/r/WrTqKnN/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-3389.gcp-compute-firewall-unrestricted-ingress-3389 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-80.gcp-compute-firewall-unrestricted-ingress-80 patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [80] } source_ranges = ["0.0.0.0/0"] ... } - pattern-inside: | resource "google_compute_firewall" "..." { ... allow { protocol = "tcp" ports = [..., "80", ...] } source_ranges = ["0.0.0.0/0"] ... } message: Ensure Google compute firewall ingress does not allow unrestricted HTTP access metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-80.gcp-compute-firewall-unrestricted-ingress-80 shortlink: https://sg.run/K1rL semgrep.dev: rule: r_id: 32311 rv_id: 1263821 rule_id: ReUEJp version_id: 0bTKz3w url: https://semgrep.dev/playground/r/0bTKz3w/terraform.gcp.security.gcp-compute-firewall-unrestricted-ingress-80.gcp-compute-firewall-unrestricted-ingress-80 origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-os-login.gcp-compute-os-login patterns: - pattern: resource - pattern-inside: | resource "google_compute_instance" "..." { ... metadata = { enable-oslogin = false } ... } message: "Ensure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances)\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-os-login.gcp-compute-os-login shortlink: https://sg.run/lbdG semgrep.dev: rule: r_id: 32313 rv_id: 1263823 rule_id: BYUyqJ version_id: qkTR7w4 url: https://semgrep.dev/playground/r/qkTR7w4/terraform.gcp.security.gcp-compute-os-login.gcp-compute-os-login origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-project-os-login.gcp-compute-project-os-login patterns: - pattern: resource - pattern-inside: | resource "google_compute_project_metadata" "..." { ... } - pattern-not-inside: | resource "google_compute_project_metadata" "..." { ... metadata = { enable-oslogin = "True" } ... } - pattern-not-inside: | resource "google_compute_project_metadata" "..." { ... metadata = { enable-oslogin = True } ... } message: "Ensure oslogin is enabled for a Project\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-project-os-login.gcp-compute-project-os-login shortlink: https://sg.run/YZdo semgrep.dev: rule: r_id: 32314 rv_id: 1263824 rule_id: DbUwl7 version_id: l4TJRDv url: https://semgrep.dev/playground/r/l4TJRDv/terraform.gcp.security.gcp-compute-project-os-login.gcp-compute-project-os-login origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-public-ip.gcp-compute-public-ip patterns: - pattern: resource - pattern-inside: | resource "google_compute_instance" "..." { ... network_interface { ... network = "default" ... } ... } message: "Ensure that Compute instances do not have public IP addresses\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-public-ip.gcp-compute-public-ip shortlink: https://sg.run/64GL semgrep.dev: rule: r_id: 32315 rv_id: 1263825 rule_id: WAU7Bj version_id: YDTZebn url: https://semgrep.dev/playground/r/YDTZebn/terraform.gcp.security.gcp-compute-public-ip.gcp-compute-public-ip origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-serial-ports.gcp-compute-serial-ports patterns: - pattern: resource - pattern-inside: | resource "google_compute_instance" "..." { ... metadata = { serial-port-enable = true } ... } message: "Ensure 'Enable connecting to serial ports' is not enabled for VM Instance\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-serial-ports.gcp-compute-serial-ports shortlink: https://sg.run/o1P6 semgrep.dev: rule: r_id: 32316 rv_id: 1263826 rule_id: 0oUGN6 version_id: 6xT29X2 url: https://semgrep.dev/playground/r/6xT29X2/terraform.gcp.security.gcp-compute-serial-ports.gcp-compute-serial-ports origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-ssl-policy.gcp-compute-ssl-policy patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_compute_ssl_policy" "..." { ... profile = "MODERN" ... } - pattern-inside: | resource "google_compute_ssl_policy" "..." { ... profile = "CUSTOM" custom_features = [..., "TLS_RSA_WITH_AES_256_GCM_SHA384", ...] ... } - pattern-not-inside: | resource "google_compute_ssl_policy" "..." { ... profile = "MODERN" min_tls_version = "TLS_1_2" ... } - pattern-not-inside: | resource "google_compute_ssl_policy" "..." { ... profile = "CUSTOM" custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] ... } message: Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-ssl-policy.gcp-compute-ssl-policy shortlink: https://sg.run/zrql semgrep.dev: rule: r_id: 32317 rv_id: 1263827 rule_id: KxUgEP version_id: o5TbD1d url: https://semgrep.dev/playground/r/o5TbD1d/terraform.gcp.security.gcp-compute-ssl-policy.gcp-compute-ssl-policy origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-compute-template-ip-forward.gcp-compute-template-ip-forward patterns: - pattern: resource - pattern-inside: | resource "google_compute_instance_template" "..." { ... can_ip_forward = true ... } message: Ensure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended passages. metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-ip-forwarding.html technology: - terraform - gcp subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-template-ip-forward.gcp-compute-template-ip-forward shortlink: https://sg.run/p1J0 semgrep.dev: rule: r_id: 32318 rv_id: 1263828 rule_id: qNUv6r version_id: zyTb23B url: https://semgrep.dev/playground/r/zyTb23B/terraform.gcp.security.gcp-compute-template-ip-forward.gcp-compute-template-ip-forward origin: community languages: - hcl severity: INFO - id: terraform.gcp.security.gcp-compute-template-public-ip.gcp-compute-template-public-ip patterns: - pattern: resource - pattern-inside: | resource "google_compute_instance_template" "..." { ... network_interface { ... network = "default" ... } ... } message: "Ensure that Compute instances do not have public IP addresses\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-template-public-ip.gcp-compute-template-public-ip shortlink: https://sg.run/2e4q semgrep.dev: rule: r_id: 32319 rv_id: 1263829 rule_id: lBUpk3 version_id: pZT03De url: https://semgrep.dev/playground/r/pZT03De/terraform.gcp.security.gcp-compute-template-public-ip.gcp-compute-template-public-ip origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dataflow-private-job.gcp-dataflow-private-job patterns: - pattern: resource - pattern-inside: | resource "google_dataflow_job" "..." { ... } - pattern-not-inside: | resource "google_dataflow_job" "..." { ... ip_configuration = "WORKER_IP_PRIVATE" ... } message: Ensure Dataflow jobs are private metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataflow-private-job.gcp-dataflow-private-job shortlink: https://sg.run/j9Ll semgrep.dev: rule: r_id: 32321 rv_id: 1263830 rule_id: JDUn0A version_id: 2KTv2OE url: https://semgrep.dev/playground/r/2KTv2OE/terraform.gcp.security.gcp-dataflow-private-job.gcp-dataflow-private-job origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-datafusion-private-instance.gcp-datafusion-private-instance patterns: - pattern: resource - pattern-inside: | resource "google_data_fusion_instance" "..." { ... } - pattern-not-inside: | resource "google_data_fusion_instance" "..." { ... private_instance = true ... } message: Ensure Data fusion instances are private metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-datafusion-private-instance.gcp-datafusion-private-instance shortlink: https://sg.run/2ggL semgrep.dev: rule: r_id: 33663 rv_id: 1263831 rule_id: OrUEEn version_id: X0TzyKl url: https://semgrep.dev/playground/r/X0TzyKl/terraform.gcp.security.gcp-datafusion-private-instance.gcp-datafusion-private-instance origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-datafusion-stack-driver-logging.gcp-datafusion-stack-driver-logging patterns: - pattern-inside: | resource "google_data_fusion_instance" $ANYTHING { ... } - pattern-not-inside: "resource \"google_data_fusion_instance\" $ANYTHING {\n ...\n \ enable_stackdriver_logging = true \n ...\n}\n" message: Ensure Datafusion has stack driver logging enabled. languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-datafusion-stack-driver-logging.gcp-datafusion-stack-driver-logging shortlink: https://sg.run/XPPB semgrep.dev: rule: r_id: 33664 rv_id: 1263832 rule_id: eqUbb8 version_id: jQTn5j9 url: https://semgrep.dev/playground/r/jQTn5j9/terraform.gcp.security.gcp-datafusion-stack-driver-logging.gcp-datafusion-stack-driver-logging origin: community - id: terraform.gcp.security.gcp-datafusion-stack-driver-monitoring.gcp-datafusion-stack-driver-monitoring patterns: - pattern-inside: | resource "google_data_fusion_instance" $ANYTHING { ... } - pattern-not-inside: "resource \"google_data_fusion_instance\" $ANYTHING {\n ...\n \ enable_stackdriver_monitoring = true \n ...\n}\n" message: Ensure Datafusion has stack driver monitoring enabled. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-datafusion-stack-driver-monitoring.gcp-datafusion-stack-driver-monitoring shortlink: https://sg.run/jJJN semgrep.dev: rule: r_id: 33665 rv_id: 1263833 rule_id: v8Uoo5 version_id: 1QTypN0 url: https://semgrep.dev/playground/r/1QTypN0/terraform.gcp.security.gcp-datafusion-stack-driver-monitoring.gcp-datafusion-stack-driver-monitoring origin: community - id: terraform.gcp.security.gcp-dataproc-cluster-public-ip.gcp-dataproc-cluster-public-ip patterns: - pattern: resource - pattern-inside: | resource "google_dataproc_cluster" "..." { ... } - pattern-not-inside: | resource "google_dataproc_cluster" "..." { ... cluster_config { gce_cluster_config { ... internal_ip_only = true ... } ... } } message: Ensure Dataproc Clusters do not have public IPs metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataproc-cluster-public-ip.gcp-dataproc-cluster-public-ip shortlink: https://sg.run/9GGr semgrep.dev: rule: r_id: 33667 rv_id: 1263834 rule_id: ZqUxxO version_id: 9lT4b7L url: https://semgrep.dev/playground/r/9lT4b7L/terraform.gcp.security.gcp-dataproc-cluster-public-ip.gcp-dataproc-cluster-public-ip origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dataproc-private-cluster-iam-binding.gcp-dataproc-private-cluster-iam-binding patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_dataproc_cluster_iam_binding" "..." { ... members = [ ..., "allAuthenticatedUsers", ...] ... } - pattern-inside: | resource "google_dataproc_cluster_iam_binding" "..." { ... members = [ ..., "allUsers", ...] ... } message: Ensure that Dataproc clusters are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataproc-private-cluster-iam-binding.gcp-dataproc-private-cluster-iam-binding shortlink: https://sg.run/y33P semgrep.dev: rule: r_id: 33668 rv_id: 1263835 rule_id: nJUJJG version_id: yeTxpgY url: https://semgrep.dev/playground/r/yeTxpgY/terraform.gcp.security.gcp-dataproc-private-cluster-iam-binding.gcp-dataproc-private-cluster-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-dataproc-private-cluster-iam-member.gcp-dataproc-private-cluster-iam-member patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_dataproc_cluster_iam_member" "..." { ... member = "allUsers" ... } - pattern-inside: | resource "google_dataproc_cluster_iam_member" "..." { ... member = "allAuthenticatedUsers" ... } message: Ensure that Dataproc clusters are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-dataproc-private-cluster-iam-member.gcp-dataproc-private-cluster-iam-member shortlink: https://sg.run/r00e semgrep.dev: rule: r_id: 33669 rv_id: 1263836 rule_id: EwUvvr version_id: rxTAKvg url: https://semgrep.dev/playground/r/rxTAKvg/terraform.gcp.security.gcp-dataproc-private-cluster-iam-member.gcp-dataproc-private-cluster-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-folder-impersonation-roles-iam-binding.gcp-folder-impersonation-roles-iam-binding patterns: - pattern: resource - pattern-inside: | resource "google_folder_iam_binding" "..." { ... role = "roles/editor" members = [ ... ] ... } message: "Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-folder-impersonation-roles-iam-binding.gcp-folder-impersonation-roles-iam-binding shortlink: https://sg.run/Nvvy semgrep.dev: rule: r_id: 33671 rv_id: 1263838 rule_id: L1U99X version_id: NdTzyRp url: https://semgrep.dev/playground/r/NdTzyRp/terraform.gcp.security.gcp-folder-impersonation-roles-iam-binding.gcp-folder-impersonation-roles-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-folder-impersonation-roles-iam-member.gcp-folder-impersonation-roles-iam-member patterns: - pattern: resource - pattern-inside: | resource "google_folder_iam_member" "..." { ... role = "roles/editor" member = ... ... } message: "Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-folder-impersonation-roles-iam-member.gcp-folder-impersonation-roles-iam-member shortlink: https://sg.run/k55P semgrep.dev: rule: r_id: 33672 rv_id: 1263839 rule_id: 8GUgg9 version_id: kbTzGPB url: https://semgrep.dev/playground/r/kbTzGPB/terraform.gcp.security.gcp-folder-impersonation-roles-iam-member.gcp-folder-impersonation-roles-iam-member origin: community languages: - hcl severity: WARNING - id: ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-go.llm-api-key-in-source-go languages: - go severity: ERROR message: AI/LLM API key found hardcoded in source code. Detected key prefix matches a known AI provider (OpenAI, Anthropic, Google, Hugging Face). Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai - anthropic - google - huggingface references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-go.llm-api-key-in-source-go shortlink: https://sg.run/OkdyL semgrep.dev: rule: r_id: 288831 rv_id: 1413389 rule_id: wdUzNlp version_id: 0bTGYyQ url: https://semgrep.dev/playground/r/0bTGYyQ/ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-go.llm-api-key-in-source-go origin: community pattern-either: - patterns: - pattern: $VAR := "$KEY" - metavariable-regex: metavariable: $KEY regex: ^(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9-]{20,}|sk-proj-[a-zA-Z0-9-]{20,}|AIza[a-zA-Z0-9_-]{30,}|hf_[a-zA-Z0-9]{20,}) - patterns: - pattern: var $VAR = "$KEY" - metavariable-regex: metavariable: $KEY regex: ^(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9-]{20,}|sk-proj-[a-zA-Z0-9-]{20,}|AIza[a-zA-Z0-9_-]{30,}|hf_[a-zA-Z0-9]{20,}) - id: terraform.gcp.security.gcp-folder-member-default-service-account-iam-binding.gcp-folder-member-default-service-account-iam-binding patterns: - pattern: resource - pattern-inside: | resource "google_folder_iam_binding" "..." { ... members = [..., $MEMBER, ...] ... } - metavariable-regex: metavariable: $MEMBER regex: ((.*)-compute@appspot.gserviceaccount.com) message: Ensure Default Service account is not used at a folder level metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-folder-member-default-service-account-iam-binding.gcp-folder-member-default-service-account-iam-binding shortlink: https://sg.run/w66A semgrep.dev: rule: r_id: 33673 rv_id: 1263840 rule_id: gxUEEO version_id: w8TRobE url: https://semgrep.dev/playground/r/w8TRobE/terraform.gcp.security.gcp-folder-member-default-service-account-iam-binding.gcp-folder-member-default-service-account-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-folder-member-default-service-account-iam-member.gcp-folder-member-default-service-account-iam-member patterns: - pattern: resource - pattern-inside: | resource "google_folder_iam_member" "..." { ... member = $MEMBER ... } - metavariable-regex: metavariable: $MEMBER regex: ((.*)-compute@developer.gserviceaccount.com) message: Ensure Default Service account is not used at a folder level metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-folder-member-default-service-account-iam-member.gcp-folder-member-default-service-account-iam-member shortlink: https://sg.run/xooL semgrep.dev: rule: r_id: 33674 rv_id: 1263841 rule_id: QrUAAG version_id: xyTjzrO url: https://semgrep.dev/playground/r/xyTjzrO/terraform.gcp.security.gcp-folder-member-default-service-account-iam-member.gcp-folder-member-default-service-account-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-client-certificate-disabled.gcp-gke-client-certificate-disabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... master_auth { ... client_certificate_config { ... issue_client_certificate = false ... } ... } ... } message: Ensure client certificate authentication to Kubernetes Engine Clusters is disabled metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-client-certificate-disabled.gcp-gke-client-certificate-disabled shortlink: https://sg.run/eYY8 semgrep.dev: rule: r_id: 33676 rv_id: 1263843 rule_id: 4bU55b version_id: e1TyjKB url: https://semgrep.dev/playground/r/e1TyjKB/terraform.gcp.security.gcp-gke-client-certificate-disabled.gcp-gke-client-certificate-disabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-enabled-vpc-flow-logs.gcp-gke-enabled-vpc-flow-logs patterns: - pattern-inside: | resource "google_container_cluster" $ANYTHING { ... } - pattern-not-inside: | resource "google_container_cluster" $ANYTHING { ... enable_intranode_visibility = true ... } message: Enable VPC Flow Logs and Intranode Visibility languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-enabled-vpc-flow-logs.gcp-gke-enabled-vpc-flow-logs shortlink: https://sg.run/dllE semgrep.dev: rule: r_id: 33678 rv_id: 1263844 rule_id: JDUGGK version_id: vdT06Qy url: https://semgrep.dev/playground/r/vdT06Qy/terraform.gcp.security.gcp-gke-enabled-vpc-flow-logs.gcp-gke-enabled-vpc-flow-logs origin: community - id: terraform.gcp.security.gcp-gke-ensure-integrity-monitoring.gcp-gke-ensure-integrity-monitoring patterns: - pattern-inside: "resource \"google_container_cluster\" $ANYTHING {\n ...\n node_config {\n ...\n shielded_instance_config {\n enable_integrity_monitoring = false\n }\n ...\n } \n ...\n}\n" message: Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-ensure-integrity-monitoring.gcp-gke-ensure-integrity-monitoring shortlink: https://sg.run/Z55w semgrep.dev: rule: r_id: 33679 rv_id: 1263845 rule_id: 5rUrr3 version_id: d6Tyxgd url: https://semgrep.dev/playground/r/d6Tyxgd/terraform.gcp.security.gcp-gke-ensure-integrity-monitoring.gcp-gke-ensure-integrity-monitoring origin: community - id: terraform.gcp.security.gcp-gke-kubernetes-rbac-google-groups.gcp-gke-kubernetes-rbac-google-groups patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... authenticator_groups_config { ... security_group = "..." ... } ... } message: Manage Kubernetes RBAC users with Google Groups for GKE metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-kubernetes-rbac-google-groups.gcp-gke-kubernetes-rbac-google-groups shortlink: https://sg.run/nAAY semgrep.dev: rule: r_id: 33680 rv_id: 1263846 rule_id: GdUYYW version_id: ZRTKAdP url: https://semgrep.dev/playground/r/ZRTKAdP/terraform.gcp.security.gcp-gke-kubernetes-rbac-google-groups.gcp-gke-kubernetes-rbac-google-groups origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-legacy-auth-enabled.gcp-gke-legacy-auth-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... enable_legacy_abac = true ... } message: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-legacy-auth-enabled.gcp-gke-legacy-auth-enabled shortlink: https://sg.run/EooN semgrep.dev: rule: r_id: 33681 rv_id: 1263847 rule_id: ReUnnB version_id: nWT2LNN url: https://semgrep.dev/playground/r/nWT2LNN/terraform.gcp.security.gcp-gke-legacy-auth-enabled.gcp-gke-legacy-auth-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-legacy-instance-metadata-disabled.gcp-gke-legacy-instance-metadata-disabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... min_master_version = 1.12 ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... min_master_version = 1.13 ... } message: Ensure legacy Compute Engine instance metadata APIs are Disabled metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-legacy-instance-metadata-disabled.gcp-gke-legacy-instance-metadata-disabled shortlink: https://sg.run/7JJ2 semgrep.dev: rule: r_id: 33682 rv_id: 1263848 rule_id: AbU00x version_id: ExTExWx url: https://semgrep.dev/playground/r/ExTExWx/terraform.gcp.security.gcp-gke-legacy-instance-metadata-disabled.gcp-gke-legacy-instance-metadata-disabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-master-authz-networks-enabled.gcp-gke-master-authz-networks-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... master_authorized_networks_config { ... } ... } message: Ensure master authorized networks is set to enabled in GKE clusters metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-master-authz-networks-enabled.gcp-gke-master-authz-networks-enabled shortlink: https://sg.run/Lvv6 semgrep.dev: rule: r_id: 33683 rv_id: 1263849 rule_id: BYUJJ4 version_id: 7ZTE3Ry url: https://semgrep.dev/playground/r/7ZTE3Ry/terraform.gcp.security.gcp-gke-master-authz-networks-enabled.gcp-gke-master-authz-networks-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-monitoring-enabled.gcp-gke-monitoring-enabled patterns: - pattern-inside: "resource \"google_container_cluster\" $ANYTHING {\n ...\n monitoring_service = \"none\" \n ...\n}\n" message: Ensure monitoring is set to Enabled on Kubernetes Engine Clusters languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-monitoring-enabled.gcp-gke-monitoring-enabled shortlink: https://sg.run/855N semgrep.dev: rule: r_id: 33684 rv_id: 1263850 rule_id: DbUXXo version_id: LjTkgeK url: https://semgrep.dev/playground/r/LjTkgeK/terraform.gcp.security.gcp-gke-monitoring-enabled.gcp-gke-monitoring-enabled origin: community - id: terraform.gcp.security.gcp-gke-network-policy-enabled.gcp-gke-network-policy-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... network_policy { ... enabled = false ... } ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... datapath_provider = "ADVANCED_DATAPATH" network_policy { ... enabled = false ... } ... } message: Ensure Network Policy is enabled on Kubernetes Engine Clusters metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-network-policy-enabled.gcp-gke-network-policy-enabled shortlink: https://sg.run/goo0 semgrep.dev: rule: r_id: 33685 rv_id: 1263851 rule_id: WAUGG2 version_id: 8KT5rlp url: https://semgrep.dev/playground/r/8KT5rlp/terraform.gcp.security.gcp-gke-network-policy-enabled.gcp-gke-network-policy-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-nodepool-integrity-monitoring.gcp-gke-nodepool-integrity-monitoring patterns: - pattern-inside: "resource \"google_container_node_pool\" $ANYTHING {\n ...\n \ node_config {\n ...\n shielded_instance_config {\n enable_integrity_monitoring = false\n }\n ...\n } \n ...\n}\n" message: Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-nodepool-integrity-monitoring.gcp-gke-nodepool-integrity-monitoring shortlink: https://sg.run/Q33Z semgrep.dev: rule: r_id: 33686 rv_id: 1263852 rule_id: 0oUggY version_id: gETB7Xb url: https://semgrep.dev/playground/r/gETB7Xb/terraform.gcp.security.gcp-gke-nodepool-integrity-monitoring.gcp-gke-nodepool-integrity-monitoring origin: community - id: terraform.gcp.security.gcp-gke-pod-security-policy-enabled.gcp-gke-pod-security-policy-enabled patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... pod_security_policy_config { ... enabled = true ... } ... } message: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-pod-security-policy-enabled.gcp-gke-pod-security-policy-enabled shortlink: https://sg.run/3nnK semgrep.dev: rule: r_id: 33687 rv_id: 1263853 rule_id: KxU88D version_id: QkTGqNJ url: https://semgrep.dev/playground/r/QkTGqNJ/terraform.gcp.security.gcp-gke-pod-security-policy-enabled.gcp-gke-pod-security-policy-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-private-cluster-config.gcp-gke-private-cluster-config patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... private_cluster_config { ... } ... } message: Ensure Kubernetes Cluster is created with Private cluster enabled metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-private-cluster-config.gcp-gke-private-cluster-config shortlink: https://sg.run/4XX5 semgrep.dev: rule: r_id: 33688 rv_id: 1263854 rule_id: qNULLE version_id: 3ZT4XwJ url: https://semgrep.dev/playground/r/3ZT4XwJ/terraform.gcp.security.gcp-gke-private-cluster-config.gcp-gke-private-cluster-config origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-gke-public-control-plane.gcp-gke-public-control-plane patterns: - pattern: resource - pattern-inside: | resource "google_container_cluster" "..." { ... } - pattern-not-inside: | resource "google_container_cluster" "..." { ... master_authorized_networks_config { ... cidr_blocks { ... } ... } ... } message: Ensure GKE Control Plane is not public metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-public-control-plane.gcp-gke-public-control-plane shortlink: https://sg.run/Pvvz semgrep.dev: rule: r_id: 33689 rv_id: 1263855 rule_id: lBUoob version_id: 44TEjqv url: https://semgrep.dev/playground/r/44TEjqv/terraform.gcp.security.gcp-gke-public-control-plane.gcp-gke-public-control-plane origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-kms-prevent-destroy.gcp-kms-prevent-destroy patterns: - pattern: resource - pattern-inside: | resource "google_kms_crypto_key" "..." { ... } - pattern-not-inside: | resource "google_kms_crypto_key" "..." { ... lifecycle { prevent_destroy = true } ... } message: Ensure KMS keys are protected from deletion metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-kms-prevent-destroy.gcp-kms-prevent-destroy shortlink: https://sg.run/5440 semgrep.dev: rule: r_id: 33691 rv_id: 1263857 rule_id: 6JUGGB version_id: JdTzxxN url: https://semgrep.dev/playground/r/JdTzxxN/terraform.gcp.security.gcp-kms-prevent-destroy.gcp-kms-prevent-destroy origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-memory-store-for-redis-intransit-encryption.gcp-memory-store-for-redis-intransit-encryption patterns: - pattern: | resource "google_redis_instance" $ANYTHING { ... } - pattern-not-inside: | resource "google_redis_instance" $ANYTHING { ... transit_encryption_mode = "SERVER_AUTHENTICATION" ... } message: Ensure Memorystore for Redis uses intransit encryption languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-memory-store-for-redis-intransit-encryption.gcp-memory-store-for-redis-intransit-encryption shortlink: https://sg.run/Rvvq semgrep.dev: rule: r_id: 33693 rv_id: 1263859 rule_id: zdUNN7 version_id: GxTkeex url: https://semgrep.dev/playground/r/GxTkeex/terraform.gcp.security.gcp-memory-store-for-redis-intransit-encryption.gcp-memory-store-for-redis-intransit-encryption origin: community - id: terraform.gcp.security.gcp-org-impersonation-roles-iam-member.gcp-org-impersonation-roles-iam-member patterns: - pattern: resource - pattern-inside: | resource "google_organization_iam_member" "..." { ... role = "roles/editor" member = ... ... } message: "Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level\t" metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-org-impersonation-roles-iam-member.gcp-org-impersonation-roles-iam-member shortlink: https://sg.run/BllA semgrep.dev: rule: r_id: 33695 rv_id: 1263861 rule_id: 2ZU55O version_id: A8TgddW url: https://semgrep.dev/playground/r/A8TgddW/terraform.gcp.security.gcp-org-impersonation-roles-iam-member.gcp-org-impersonation-roles-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-org-member-default-service-account-iam-binding.gcp-org-member-default-service-account-iam-binding patterns: - pattern: resource - pattern-inside: | resource "google_organization_iam_binding" "..." { ... members = [..., $MEMBER, ...] ... } - metavariable-regex: metavariable: $MEMBER regex: ((.*)-compute@developer.gserviceaccount.com) message: Ensure default service account is not used at an organization level metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-org-member-default-service-account-iam-binding.gcp-org-member-default-service-account-iam-binding shortlink: https://sg.run/D66P semgrep.dev: rule: r_id: 33696 rv_id: 1263862 rule_id: X5Ukky version_id: BjTkZZ7 url: https://semgrep.dev/playground/r/BjTkZZ7/terraform.gcp.security.gcp-org-member-default-service-account-iam-binding.gcp-org-member-default-service-account-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-org-member-default-service-account-iam-member.gcp-org-member-default-service-account-iam-member patterns: - pattern: resource - pattern-inside: | resource "google_organization_iam_member" "..." { ... member = $MEMBER ... } - metavariable-regex: metavariable: $MEMBER regex: ((.*)-compute@developer.gserviceaccount.com) message: Ensure default service account is not used at an organization level metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-org-member-default-service-account-iam-member.gcp-org-member-default-service-account-iam-member shortlink: https://sg.run/W442 semgrep.dev: rule: r_id: 33697 rv_id: 1263863 rule_id: j2UDD2 version_id: DkTRbb1 url: https://semgrep.dev/playground/r/DkTRbb1/terraform.gcp.security.gcp-org-member-default-service-account-iam-member.gcp-org-member-default-service-account-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-project-default-network.gcp-project-default-network patterns: - pattern: resource - pattern-inside: | resource "google_project" "..." { ... } - pattern-not-inside: | resource "google_project" "..." { ... auto_create_network = false ... } message: Ensure that the default network does not exist in a project. Set auto_create_network to `false`. metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-project-default-network.gcp-project-default-network shortlink: https://sg.run/0XXj semgrep.dev: rule: r_id: 33698 rv_id: 1263864 rule_id: 10U33l version_id: WrTqKKN url: https://semgrep.dev/playground/r/WrTqKKN/terraform.gcp.security.gcp-project-default-network.gcp-project-default-network origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-pubsub-private-topic-iam-member.gcp-pubsub-private-topic-iam-member patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_pubsub_topic_iam_member" "..." { ... member = "allUsers" ... } - pattern-inside: | resource "google_pubsub_topic_iam_member" "..." { ... member = "allAuthenticatedUsers" ... } message: Ensure that Pub/Sub Topics are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-pubsub-private-topic-iam-member.gcp-pubsub-private-topic-iam-member shortlink: https://sg.run/RvWe semgrep.dev: rule: r_id: 33705 rv_id: 1263870 rule_id: wdUN59 version_id: 6xT2992 url: https://semgrep.dev/playground/r/6xT2992/terraform.gcp.security.gcp-pubsub-private-topic-iam-member.gcp-pubsub-private-topic-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-run-private-service-iam-binding.gcp-run-private-service-iam-binding patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_cloud_run_service_iam_binding" "..." { ... members = [ ..., "allAuthenticatedUsers", ...] ... } - pattern-inside: | resource "google_cloud_run_service_iam_binding" "..." { ... members = [ ..., "allUsers", ...] ... } message: Ensure that GCP Cloud Run services are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-run-private-service-iam-binding.gcp-run-private-service-iam-binding shortlink: https://sg.run/Aq08 semgrep.dev: rule: r_id: 33706 rv_id: 1263871 rule_id: x8U0wv version_id: o5TbDDd url: https://semgrep.dev/playground/r/o5TbDDd/terraform.gcp.security.gcp-run-private-service-iam-binding.gcp-run-private-service-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-run-private-service-iam-member.gcp-run-private-service-iam-member patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_cloud_run_service_iam_member" "..." { ... member = "allAuthenticatedUsers" ... } - pattern-inside: | resource "google_cloud_run_service_iam_member" "..." { ... member = "allUsers" ... } message: Ensure that GCP Cloud Run services are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-run-private-service-iam-member.gcp-run-private-service-iam-member shortlink: https://sg.run/BlK2 semgrep.dev: rule: r_id: 33707 rv_id: 1263872 rule_id: OrUEBn version_id: zyTb22B url: https://semgrep.dev/playground/r/zyTb22B/terraform.gcp.security.gcp-run-private-service-iam-member.gcp-run-private-service-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database patterns: - pattern: resource - pattern-either: - pattern-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... authorized_networks { ... value = "0.0.0.0/0" ... } ... } ... } - pattern-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... dynamic "authorized_networks" { ... content { ... value = "0.0.0.0/0" ... } ... } ... } ... } message: Ensure that Cloud SQL database Instances are not open to the world metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database shortlink: https://sg.run/0Xv5 semgrep.dev: rule: r_id: 33710 rv_id: 1263876 rule_id: d8U7Ll version_id: jQTn559 url: https://semgrep.dev/playground/r/jQTn559/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-sqlserver-no-public-ip.gcp-sqlserver-no-public-ip patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... ipv4_enabled = true ... } ... } message: Ensure Cloud SQL database does not have public IP metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-sqlserver-no-public-ip.gcp-sqlserver-no-public-ip shortlink: https://sg.run/KvJX semgrep.dev: rule: r_id: 33711 rv_id: 1263877 rule_id: ZqUxWO version_id: 1QTypp0 url: https://semgrep.dev/playground/r/1QTypp0/terraform.gcp.security.gcp-sqlserver-no-public-ip.gcp-sqlserver-no-public-ip origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-storage-bucket-not-public-iam-binding.gcp-storage-bucket-not-public-iam-binding patterns: - pattern: resource - pattern-inside: | resource "google_storage_bucket_iam_binding" "..." { ... members = [ ..., "allAuthenticatedUsers", ...] ... } message: Ensure that Container Registry repositories are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-storage-bucket-not-public-iam-binding.gcp-storage-bucket-not-public-iam-binding shortlink: https://sg.run/qWwy semgrep.dev: rule: r_id: 33712 rv_id: 1263878 rule_id: nJUJkG version_id: 9lT4bbL url: https://semgrep.dev/playground/r/9lT4bbL/terraform.gcp.security.gcp-storage-bucket-not-public-iam-binding.gcp-storage-bucket-not-public-iam-binding origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-storage-bucket-not-public-iam-member.gcp-storage-bucket-not-public-iam-member patterns: - pattern: resource - pattern-inside: | resource "google_storage_bucket_iam_member" "..." { ... member = "allUsers" ... } message: Ensure that Container Registry repositories are not anonymously or publicly accessible metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-storage-bucket-not-public-iam-member.gcp-storage-bucket-not-public-iam-member shortlink: https://sg.run/lGe9 semgrep.dev: rule: r_id: 33713 rv_id: 1263879 rule_id: EwUv6r version_id: yeTxppY url: https://semgrep.dev/playground/r/yeTxppY/terraform.gcp.security.gcp-storage-bucket-not-public-iam-member.gcp-storage-bucket-not-public-iam-member origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-sub-network-private-google-enabled.gcp-sub-network-private-google-enabled patterns: - pattern: resource - pattern-inside: | resource "google_compute_subnetwork" "..." { ... } - pattern-not-inside: | resource "google_compute_subnetwork" "..." { ... private_ip_google_access = true ... } message: Ensure that private_ip_google_access is enabled for Subnet metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-sub-network-private-google-enabled.gcp-sub-network-private-google-enabled shortlink: https://sg.run/o3jR semgrep.dev: rule: r_id: 33716 rv_id: 1263882 rule_id: 8GUgn9 version_id: NdTzyyp url: https://semgrep.dev/playground/r/NdTzyyp/terraform.gcp.security.gcp-sub-network-private-google-enabled.gcp-sub-network-private-google-enabled origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-vertexai-private-instance.gcp-vertexai-private-instance patterns: - pattern: resource - pattern-inside: | resource "google_notebooks_instance" "..." { ... } - pattern-not-inside: | resource "google_notebooks_instance" "..." { ... no_public_ip = true ... } message: Ensure Vertex AI instances are private metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-vertexai-private-instance.gcp-vertexai-private-instance shortlink: https://sg.run/2gvD semgrep.dev: rule: r_id: 33719 rv_id: 1263883 rule_id: 3qUWbR version_id: kbTzGGB url: https://semgrep.dev/playground/r/kbTzGGB/terraform.gcp.security.gcp-vertexai-private-instance.gcp-vertexai-private-instance origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push patterns: - pattern: resource - pattern-not-inside: | resource "aws_ecr_repository" "..." { ... image_scanning_configuration { ... scan_on_push=true ... } ... } - pattern-inside: | resource "aws_ecr_repository" "..." { ... } languages: - hcl message: The ECR Repository isn't configured to scan images on push severity: WARNING metadata: cwe: - 'CWE-1104: Use of Unmaintained Third Party Components' category: security technology: - terraform - aws owasp: - A06:2021 - Vulnerable and Outdated Components - A03:2025 - Software Supply Chain Failures references: - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push shortlink: https://sg.run/R8eE semgrep.dev: rule: r_id: 9749 rv_id: 1263885 rule_id: 0oUELR version_id: xyTjzzO url: https://semgrep.dev/playground/r/xyTjzzO/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push origin: community - id: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest patterns: - pattern: | resource - pattern-not-inside: | resource "aws_elasticsearch_domain" "..."{ ... encrypt_at_rest{ ... enabled = true ... } ... } - pattern-inside: | resource "aws_elasticsearch_domain" "..." {...} languages: - hcl message: Encryption at rest is not enabled for the elastic search domain resource severity: WARNING metadata: category: security cwe: - 'CWE-311: Missing Encryption of Sensitive Data' technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest shortlink: https://sg.run/B4Yb semgrep.dev: rule: r_id: 9751 rv_id: 1263888 rule_id: qNUo2d version_id: vdT066y url: https://semgrep.dev/playground/r/vdT066y/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest origin: community - id: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - patterns: - pattern: | {..., Action = "*", ...} - pattern: | {..., Resource = "*", ...} - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - patterns: - pattern: | {..., resources = ["*"], ...} - pattern: | {..., actions = ["*"], ...} message: IAM policies that allow full "*-*" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE metadata: references: - https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py category: security cwe: - 'CWE-269: Improper Privilege Management' technology: - terraform - aws owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges shortlink: https://sg.run/oY0N semgrep.dev: rule: r_id: 13560 rv_id: 1263889 rule_id: NbUNDX version_id: d6Tyxxd url: https://semgrep.dev/playground/r/d6Tyxxd/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: | Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: metavariable: $ACTION pattern-either: - pattern: | "chime:CreateApiKey" - pattern: | "codepipeline:PollForJobs" - pattern: | "cognito-identity:GetOpenIdToken" - pattern: | "cognito-identity:GetOpenIdTokenForDeveloperEdentity" - pattern: | "cognito-identity:GetCredentialsForIdentity" - pattern: | "connect:GetFederationToken" - pattern: | "connect:GetFederationTokens" - pattern: | "ec2:GetPasswordData" - pattern: | "ecr:GetAuthorizationToken" - pattern: | "gamelift:RequestUploadCredentials" - pattern: | "iam:CreateAccessKey" - pattern: | "iam:CreateLoginProfile" - pattern: | "iam:CreateServiceSpecificCredential" - pattern: | "iam:ResetServiceSpecificCredential" - pattern: | "iam:UpdateAccessKey" - pattern: | "lightsail:GetInstanceAccessDetails" - pattern: | "lightsail:GetRelationalDatabaseMasterUserPassword" - pattern: | "rds-db:Connect" - pattern: | "redshift:GetClusterCredentials" - pattern: | "sso:GetRoleCredentials" - pattern: | "mediapackage:RotateChannelCredentials" - pattern: | "mediapackage:RotateIngestEndpointCredentials" - pattern: | "sts:AssumeRole" - pattern: | "sts:AssumeRoleWithSaml" - pattern: | "sts:AssumeRoleWithWebIdentity" - pattern: | "sts:GetFederationToken" - pattern: | "sts:GetSessionToken" - pattern: | "ec2:*" - pattern: | "codepipeline:*" - pattern: | "rds-db:*" - pattern: | "connect:*" - pattern: | "iam:*" - pattern: | "ecr:*" - pattern: | "sts:*" - pattern: | "chime:*" - pattern: | "mediapackage:*" - pattern: | "redshift:*" - pattern: | "gamelift:*" - pattern: | "cognito-identity:*" - pattern: | "lightsail:*" - pattern: | "sso:*" message: Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response. metadata: references: - https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/ - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure shortlink: https://sg.run/zxY1 semgrep.dev: rule: r_id: 13561 rv_id: 1263890 rule_id: kxUwK2 version_id: ZRTKAAP url: https://semgrep.dev/playground/r/ZRTKAAP/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Resource = "*" ...}, ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: | Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... resources = ["*"] ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: metavariable: $ACTION pattern-either: - pattern: | "s3:GetObject" - pattern: | "ssm:GetParameter*" - pattern: | "secretsmanager:GetSecretValue" - pattern: | "rds:CopyDBSnapshot" - pattern: | "rds:CreateDBSnapshot" - pattern: | "ssm:*" - pattern: | "s3:*" - pattern: | "rds:*" - pattern: | "rn: secretsmanager:*" message: Ensure that IAM policies don't allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don't need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources. metadata: references: - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py - https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/ category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration shortlink: https://sg.run/pYrN semgrep.dev: rule: r_id: 13562 rv_id: 1263891 rule_id: wdUj1k version_id: nWT2LLN url: https://semgrep.dev/playground/r/nWT2LLN/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Resource = $RESOURCE ...}, ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: | Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... resources = $RESOURCE ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: metavariable: $RESOURCE pattern-either: - pattern-regex: .*\*.* - metavariable-pattern: metavariable: $ACTION pattern-either: - pattern: | "iam:CreateAccessKey" - pattern: | "iam:CreateLoginProfile" - pattern: | "iam:UpdateLoginProfile" - pattern: | "iam:*" message: Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE metadata: references: - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py category: security cwe: - 'CWE-269: Improper Privilege Management' technology: - terraform - aws owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users shortlink: https://sg.run/XOeA semgrep.dev: rule: r_id: 13564 rv_id: 1263892 rule_id: OrU6jO version_id: ExTExxx url: https://semgrep.dev/playground/r/ExTExxx/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: | Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = $ACTION - metavariable-pattern: metavariable: $ACTION pattern-either: - patterns: - pattern: | [..., "sts:AssumeRole", ...] - pattern: | [..., "iam:UpdateAssumeRolePolicy", ...] - patterns: - pattern: | [..., "iam:PassRole", ...] - pattern: | [..., "lambda:CreateFunction", ...] - pattern: | [..., "lambda:InvokeFunction", ...] - patterns: - pattern: | [..., "iam:PassRole", ...] - pattern: | [..., "lambda:CreateFunction", ...] - pattern: | [..., "lambda:CreateEventSourceMapping", ...] - pattern: | "lambda:UpdateFunctionCode" - patterns: - pattern: | [..., "iam:PassRole", ...] - pattern: | [..., "glue:CreateDevEndpoint", ...] - patterns: - pattern: | [..., "iam:PassRole", ...] - pattern: | [..., "cloudformation:CreateStack", ...] - patterns: - pattern: | [..., "iam:PassRole", ...] - pattern: | [..., "datapipeline:CreatePipeline", ...] - pattern: | [..., "datapipeline:PutPipelineDefinition", ...] message: Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction. metadata: references: - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/ - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ category: security cwe: - 'CWE-269: Improper Privilege Management' technology: - terraform - aws owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles shortlink: https://sg.run/jwrA semgrep.dev: rule: r_id: 13565 rv_id: 1263893 rule_id: eqUzR3 version_id: 7ZTE33y url: https://semgrep.dev/playground/r/7ZTE33y/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern: | Action = $ACTION - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: metavariable: $ACTION pattern-either: - pattern: | "acm-pca:CreatePermission" - pattern: | "acm-pca:DeletePermission" - pattern: | "acm-pca:DeletePolicy" - pattern: | "acm-pca:PutPolicy" - pattern: | "apigateway:UpdateRestApiPolicy" - pattern: | "backup:DeleteBackupVaultAccessPolicy" - pattern: | "backup:PutBackupVaultAccessPolicy" - pattern: | "chime:DeleteVoiceConnectorTerminationCredentials" - pattern: | "chime:PutVoiceConnectorTerminationCredentials" - pattern: | "cloudformation:SetStackPolicy" - pattern: | "cloudsearch:UpdateServiceAccessPolicies" - pattern: | "codeartifact:DeleteDomainPermissionsPolicy" - pattern: | "codeartifact:DeleteRepositoryPermissionsPolicy" - pattern: | "codebuild:DeleteResourcePolicy" - pattern: | "codebuild:DeleteSourceCredentials" - pattern: | "codebuild:ImportSourceCredentials" - pattern: | "codebuild:PutResourcePolicy" - pattern: | "codeguru-profiler:PutPermission" - pattern: | "codeguru-profiler:RemovePermission" - pattern: | "codestar:AssociateTeamMember" - pattern: | "codestar:CreateProject" - pattern: | "codestar:DeleteProject" - pattern: | "codestar:DisassociateTeamMember" - pattern: | "codestar:UpdateTeamMember" - pattern: | "cognito-identity:CreateIdentityPool" - pattern: | "cognito-identity:DeleteIdentities" - pattern: | "cognito-identity:DeleteIdentityPool" - pattern: | "cognito-identity:GetId" - pattern: | "cognito-identity:MergeDeveloperIdentities" - pattern: | "cognito-identity:SetIdentityPoolRoles" - pattern: | "cognito-identity:UnlinkDeveloperIdentity" - pattern: | "cognito-identity:UnlinkIdentity" - pattern: | "cognito-identity:UpdateIdentityPool" - pattern: | "deeplens:AssociateServiceRoleToAccount" - pattern: | "ds:CreateConditionalForwarder" - pattern: | "ds:CreateDirectory" - pattern: | "ds:CreateMicrosoftAD" - pattern: | "ds:CreateTrust" - pattern: | "ds:ShareDirectory" - pattern: | "ec2:CreateNetworkInterfacePermission" - pattern: | "ec2:DeleteNetworkInterfacePermission" - pattern: | "ec2:ModifySnapshotAttribute" - pattern: | "ec2:ModifyVpcEndpointServicePermissions" - pattern: | "ec2:ResetSnapshotAttribute" - pattern: | "ecr:DeleteRepositoryPolicy" - pattern: | "ecr:SetRepositoryPolicy" - pattern: | "elasticfilesystem:DeleteFileSystemPolicy" - pattern: | "elasticfilesystem:PutFileSystemPolicy" - pattern: | "elasticmapreduce:PutBlockPublicAccessConfiguration" - pattern: | "es:CreateElasticsearchDomain" - pattern: | "es:UpdateElasticsearchDomainConfig" - pattern: | "glacier:AbortVaultLock" - pattern: | "glacier:CompleteVaultLock" - pattern: | "glacier:DeleteVaultAccessPolicy" - pattern: | "glacier:InitiateVaultLock" - pattern: | "glacier:SetDataRetrievalPolicy" - pattern: | "glacier:SetVaultAccessPolicy" - pattern: | "glue:DeleteResourcePolicy" - pattern: | "glue:PutResourcePolicy" - pattern: | "greengrass:AssociateServiceRoleToAccount" - pattern: | "health:DisableHealthServiceAccessForOrganization" - pattern: | "health:EnableHealthServiceAccessForOrganization" - pattern: | "iam:AddClientIDToOpenIDConnectProvider" - pattern: | "iam:AddRoleToInstanceProfile" - pattern: | "iam:AddUserToGroup" - pattern: | "iam:AttachGroupPolicy" - pattern: | "iam:AttachRolePolicy" - pattern: | "iam:AttachUserPolicy" - pattern: | "iam:ChangePassword" - pattern: | "iam:CreateAccessKey" - pattern: | "iam:CreateAccountAlias" - pattern: | "iam:CreateGroup" - pattern: | "iam:CreateInstanceProfile" - pattern: | "iam:CreateLoginProfile" - pattern: | "iam:CreateOpenIDConnectProvider" - pattern: | "iam:CreatePolicy" - pattern: | "iam:CreatePolicyVersion" - pattern: | "iam:CreateRole" - pattern: | "iam:CreateSAMLProvider" - pattern: | "iam:CreateServiceLinkedRole" - pattern: | "iam:CreateServiceSpecificCredential" - pattern: | "iam:CreateUser" - pattern: | "iam:CreateVirtualMFADevice" - pattern: | "iam:DeactivateMFADevice" - pattern: | "iam:DeleteAccessKey" - pattern: | "iam:DeleteAccountAlias" - pattern: | "iam:DeleteAccountPasswordPolicy" - pattern: | "iam:DeleteGroup" - pattern: | "iam:DeleteGroupPolicy" - pattern: | "iam:DeleteInstanceProfile" - pattern: | "iam:DeleteLoginProfile" - pattern: | "iam:DeleteOpenIDConnectProvider" - pattern: | "iam:DeletePolicy" - pattern: | "iam:DeletePolicyVersion" - pattern: | "iam:DeleteRole" - pattern: | "iam:DeleteRolePermissionsBoundary" - pattern: | "iam:DeleteRolePolicy" - pattern: | "iam:DeleteSAMLProvider" - pattern: | "iam:DeleteSSHPublicKey" - pattern: | "iam:DeleteServerCertificate" - pattern: | "iam:DeleteServiceLinkedRole" - pattern: | "iam:DeleteServiceSpecificCredential" - pattern: | "iam:DeleteSigningCertificate" - pattern: | "iam:DeleteUser" - pattern: | "iam:DeleteUserPermissionsBoundary" - pattern: | "iam:DeleteUserPolicy" - pattern: | "iam:DeleteVirtualMFADevice" - pattern: | "iam:DetachGroupPolicy" - pattern: | "iam:DetachRolePolicy" - pattern: | "iam:DetachUserPolicy" - pattern: | "iam:EnableMFADevice" - pattern: | "iam:PassRole" - pattern: | "iam:PutGroupPolicy" - pattern: | "iam:PutRolePermissionsBoundary" - pattern: | "iam:PutRolePolicy" - pattern: | "iam:PutUserPermissionsBoundary" - pattern: | "iam:PutUserPolicy" - pattern: | "iam:RemoveClientIDFromOpenIDConnectProvider" - pattern: | "iam:RemoveRoleFromInstanceProfile" - pattern: | "iam:RemoveUserFromGroup" - pattern: | "iam:ResetServiceSpecificCredential" - pattern: | "iam:ResyncMFADevice" - pattern: | "iam:SetDefaultPolicyVersion" - pattern: | "iam:SetSecurityTokenServicePreferences" - pattern: | "iam:UpdateAccessKey" - pattern: | "iam:UpdateAccountPasswordPolicy" - pattern: | "iam:UpdateAssumeRolePolicy" - pattern: | "iam:UpdateGroup" - pattern: | "iam:UpdateLoginProfile" - pattern: | "iam:UpdateOpenIDConnectProviderThumbprint" - pattern: | "iam:UpdateRole" - pattern: | "iam:UpdateRoleDescription" - pattern: | "iam:UpdateSAMLProvider" - pattern: | "iam:UpdateSSHPublicKey" - pattern: | "iam:UpdateServerCertificate" - pattern: | "iam:UpdateServiceSpecificCredential" - pattern: | "iam:UpdateSigningCertificate" - pattern: | "iam:UpdateUser" - pattern: | "iam:UploadSSHPublicKey" - pattern: | "iam:UploadServerCertificate" - pattern: | "iam:UploadSigningCertificate" - pattern: | "imagebuilder:PutComponentPolicy" - pattern: | "imagebuilder:PutImagePolicy" - pattern: | "imagebuilder:PutImageRecipePolicy" - pattern: | "iot:AttachPolicy" - pattern: | "iot:AttachPrincipalPolicy" - pattern: | "iot:DetachPolicy" - pattern: | "iot:DetachPrincipalPolicy" - pattern: | "iot:SetDefaultAuthorizer" - pattern: | "iot:SetDefaultPolicyVersion" - pattern: | "iotsitewise:CreateAccessPolicy" - pattern: | "iotsitewise:DeleteAccessPolicy" - pattern: | "iotsitewise:UpdateAccessPolicy" - pattern: | "kms:CreateGrant" - pattern: | "kms:PutKeyPolicy" - pattern: | "kms:RetireGrant" - pattern: | "kms:RevokeGrant" - pattern: | "lakeformation:BatchGrantPermissions" - pattern: | "lakeformation:BatchRevokePermissions" - pattern: | "lakeformation:GrantPermissions" - pattern: | "lakeformation:PutDataLakeSettings" - pattern: | "lakeformation:RevokePermissions" - pattern: | "lambda:AddLayerVersionPermission" - pattern: | "lambda:AddPermission" - pattern: | "lambda:DisableReplication" - pattern: | "lambda:EnableReplication" - pattern: | "lambda:RemoveLayerVersionPermission" - pattern: | "lambda:RemovePermission" - pattern: | "license-manager:UpdateServiceSettings" - pattern: | "lightsail:GetRelationalDatabaseMasterUserPassword" - pattern: | "logs:DeleteResourcePolicy" - pattern: | "logs:PutResourcePolicy" - pattern: | "mediapackage:RotateIngestEndpointCredentials" - pattern: | "mediastore:DeleteContainerPolicy" - pattern: | "mediastore:PutContainerPolicy" - pattern: | "opsworks:SetPermission" - pattern: | "opsworks:UpdateUserProfile" - pattern: | "quicksight:CreateAdmin" - pattern: | "quicksight:CreateGroup" - pattern: | "quicksight:CreateGroupMembership" - pattern: | "quicksight:CreateIAMPolicyAssignment" - pattern: | "quicksight:CreateUser" - pattern: | "quicksight:DeleteGroup" - pattern: | "quicksight:DeleteGroupMembership" - pattern: | "quicksight:DeleteIAMPolicyAssignment" - pattern: | "quicksight:DeleteUser" - pattern: | "quicksight:DeleteUserByPrincipalId" - pattern: | "quicksight:RegisterUser" - pattern: | "quicksight:UpdateDashboardPermissions" - pattern: | "quicksight:UpdateGroup" - pattern: | "quicksight:UpdateIAMPolicyAssignment" - pattern: | "quicksight:UpdateTemplatePermissions" - pattern: | "quicksight:UpdateUser" - pattern: | "ram:AcceptResourceShareInvitation" - pattern: | "ram:AssociateResourceShare" - pattern: | "ram:CreateResourceShare" - pattern: | "ram:DeleteResourceShare" - pattern: | "ram:DisassociateResourceShare" - pattern: | "ram:EnableSharingWithAwsOrganization" - pattern: | "ram:RejectResourceShareInvitation" - pattern: | "ram:UpdateResourceShare" - pattern: | "rds:AuthorizeDBSecurityGroupIngress" - pattern: | "rds-db:connect" - pattern: | "redshift:AuthorizeSnapshotAccess" - pattern: | "redshift:CreateClusterUser" - pattern: | "redshift:CreateSnapshotCopyGrant" - pattern: | "redshift:JoinGroup" - pattern: | "redshift:ModifyClusterIamRoles" - pattern: | "redshift:RevokeSnapshotAccess" - pattern: | "route53resolver:PutResolverRulePolicy" - pattern: | "s3:BypassGovernanceRetention" - pattern: | "s3:DeleteAccessPointPolicy" - pattern: | "s3:DeleteBucketPolicy" - pattern: | "s3:ObjectOwnerOverrideToBucketOwner" - pattern: | "s3:PutAccessPointPolicy" - pattern: | "s3:PutAccountPublicAccessBlock" - pattern: | "s3:PutBucketAcl" - pattern: | "s3:PutBucketPolicy" - pattern: | "s3:PutBucketPublicAccessBlock" - pattern: | "s3:PutObjectAcl" - pattern: | "s3:PutObjectVersionAcl" - pattern: | "secretsmanager:DeleteResourcePolicy" - pattern: | "secretsmanager:PutResourcePolicy" - pattern: | "secretsmanager:ValidateResourcePolicy" - pattern: | "servicecatalog:CreatePortfolioShare" - pattern: | "servicecatalog:DeletePortfolioShare" - pattern: | "sns:AddPermission" - pattern: | "sns:CreateTopic" - pattern: | "sns:RemovePermission" - pattern: | "sns:SetTopicAttributes" - pattern: | "sqs:AddPermission" - pattern: | "sqs:CreateQueue" - pattern: | "sqs:RemovePermission" - pattern: | "sqs:SetQueueAttributes" - pattern: | "ssm:ModifyDocumentPermission" - pattern: | "sso:AssociateDirectory" - pattern: | "sso:AssociateProfile" - pattern: | "sso:CreateApplicationInstance" - pattern: | "sso:CreateApplicationInstanceCertificate" - pattern: | "sso:CreatePermissionSet" - pattern: | "sso:CreateProfile" - pattern: | "sso:CreateTrust" - pattern: | "sso:DeleteApplicationInstance" - pattern: | "sso:DeleteApplicationInstanceCertificate" - pattern: | "sso:DeletePermissionSet" - pattern: | "sso:DeletePermissionsPolicy" - pattern: | "sso:DeleteProfile" - pattern: | "sso:DisassociateDirectory" - pattern: | "sso:DisassociateProfile" - pattern: | "sso:ImportApplicationInstanceServiceProviderMetadata" - pattern: | "sso:PutPermissionsPolicy" - pattern: | "sso:StartSSO" - pattern: | "sso:UpdateApplicationInstanceActiveCertificate" - pattern: | "sso:UpdateApplicationInstanceDisplayData" - pattern: | "sso:UpdateApplicationInstanceResponseConfiguration" - pattern: | "sso:UpdateApplicationInstanceResponseSchemaConfiguration" - pattern: | "sso:UpdateApplicationInstanceSecurityConfiguration" - pattern: | "sso:UpdateApplicationInstanceServiceProviderConfiguration" - pattern: | "sso:UpdateApplicationInstanceStatus" - pattern: | "sso:UpdateDirectoryAssociation" - pattern: | "sso:UpdatePermissionSet" - pattern: | "sso:UpdateProfile" - pattern: | "sso:UpdateSSOConfiguration" - pattern: | "sso:UpdateTrust" - pattern: | "sso-directory:AddMemberToGroup" - pattern: | "sso-directory:CreateAlias" - pattern: | "sso-directory:CreateGroup" - pattern: | "sso-directory:CreateUser" - pattern: | "sso-directory:DeleteGroup" - pattern: | "sso-directory:DeleteUser" - pattern: | "sso-directory:DisableUser" - pattern: | "sso-directory:EnableUser" - pattern: | "sso-directory:RemoveMemberFromGroup" - pattern: | "sso-directory:UpdateGroup" - pattern: | "sso-directory:UpdatePassword" - pattern: | "sso-directory:UpdateUser" - pattern: | "sso-directory:VerifyEmail" - pattern: | "storagegateway:DeleteChapCredentials" - pattern: | "storagegateway:SetLocalConsolePassword" - pattern: | "storagegateway:SetSMBGuestPassword" - pattern: | "storagegateway:UpdateChapCredentials" - pattern: | "waf:DeletePermissionPolicy" - pattern: | "waf:PutPermissionPolicy" - pattern: | "waf-regional:DeletePermissionPolicy" - pattern: | "waf-regional:PutPermissionPolicy" - pattern: | "wafv2:CreateWebACL" - pattern: | "wafv2:DeletePermissionPolicy" - pattern: | "wafv2:DeleteWebACL" - pattern: | "wafv2:PutPermissionPolicy" - pattern: | "wafv2:UpdateWebACL" - pattern: | "worklink:UpdateDevicePolicyConfiguration" - pattern: | "workmail:ResetPassword" - pattern: | "workmail:ResetUserPassword" - pattern: | "xray:PutEncryptionConfig" - pattern: | "worklink:*" - pattern: | "route53resolver:*" - pattern: | "es:*" - pattern: | "greengrass:*" - pattern: | "redshift:*" - pattern: | "license-manager:*" - pattern: | "rds:*" - pattern: | "lambda:*" - pattern: | "elasticfilesystem:*" - pattern: | "logs:*" - pattern: | "sso:*" - pattern: | "waf:*" - pattern: | "mediastore:*" - pattern: | "acm-pca:*" - pattern: | "sso-directory:*" - pattern: | "imagebuilder:*" - pattern: | "sqs:*" - pattern: | "codeguru-profiler:*" - pattern: | "wafv2:*" - pattern: | "cloudformation:*" - pattern: | "xray:*" - pattern: | "codeartifact:*" - pattern: | "iotsitewise:*" - pattern: | "workmail:*" - pattern: | "glue:*" - pattern: | "deeplens:*" - pattern: | "chime:*" - pattern: | "mediapackage:*" - pattern: | "opsworks:*" - pattern: | "ds:*" - pattern: | "ram:*" - pattern: | "iam:*" - pattern: | "waf-regional:*" - pattern: | "glacier:*" - pattern: | "cloudsearch:*" - pattern: | "lakeformation:*" - pattern: | "elasticmapreduce:*" - pattern: | "quicksight:*" - pattern: | "sns:*" - pattern: | "ec2:*" - pattern: | "health:*" - pattern: | "lightsail:*" - pattern: | "codestar:*" - pattern: | "kms:*" - pattern: | "codebuild:*" - pattern: | "s3:*" - pattern: | "cognito-identity:*" - pattern: | "apigateway:*" - pattern: | "rds-db:*" - pattern: | "iot:*" - pattern: | "backup:*" - pattern: | "secretsmanager:*" - pattern: | "servicecatalog:*" - pattern: | "ssm:*" - pattern: | "storagegateway:*" - pattern: | "ecr:*" message: Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources. metadata: references: - https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/ - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure shortlink: https://sg.run/18rD semgrep.dev: rule: r_id: 13566 rv_id: 1263894 rule_id: v8U9r0 version_id: LjTkggK url: https://semgrep.dev/playground/r/LjTkggK/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions patterns: - pattern-either: - patterns: - pattern-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ... ] ... }) ... } - pattern-not-inside: | resource $TYPE "..." { ... policy = jsonencode({ ... Statement = [ ..., {... Effect = "Deny" ...}, ... ] ... }) ... } - pattern-either: - pattern: Action = "*" - pattern: Action = ["*"] - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: | "aws_iam_role_policy" - pattern: | "aws_iam_policy" - pattern: | "aws_iam_user_policy" - pattern: | "aws_iam_group_policy" - patterns: - pattern-inside: | data aws_iam_policy_document "..." { ... statement { ... } ... } - pattern-not-inside: | data aws_iam_policy_document "..." { ... statement { ... effect = "Deny" ... } ... } - pattern: | actions = ["*"] message: Ensure that no IAM policies allow "*" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take. metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py category: security cwe: - 'CWE-269: Improper Privilege Management' technology: - terraform - aws owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions shortlink: https://sg.run/9rZ4 semgrep.dev: rule: r_id: 13567 rv_id: 1263895 rule_id: d8Uew3 version_id: 8KT5rrp url: https://semgrep.dev/playground/r/8KT5rrp/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions origin: community languages: - hcl severity: WARNING - id: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code pattern-either: - patterns: - pattern: password = "..." - pattern-inside: | resource "aws_db_instance" "..." { ... } - patterns: - pattern: master_password = "..." - pattern-inside: | resource "aws_rds_cluster" "..." { ... } languages: - hcl severity: WARNING message: RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource. metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password - https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password cwe: - 'CWE-522: Insufficiently Protected Credentials' category: security technology: - terraform - aws - secrets owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code shortlink: https://sg.run/x4qA semgrep.dev: rule: r_id: 15830 rv_id: 1263896 rule_id: OrUl6W version_id: gETB77b url: https://semgrep.dev/playground/r/gETB77b/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code origin: community - id: terraform.lang.security.rds-public-access.rds-public-access patterns: - pattern: publicly_accessible = true - pattern-inside: | resource "aws_db_instance" "..." { ... } languages: - hcl severity: WARNING message: RDS instance accessible from the Internet detected. metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - aws owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access shortlink: https://sg.run/Oye2 semgrep.dev: rule: r_id: 15831 rv_id: 1263897 rule_id: eqUrzK version_id: QkTGqqJ url: https://semgrep.dev/playground/r/QkTGqqJ/terraform.lang.security.rds-public-access.rds-public-access origin: community - id: terraform.lang.security.s3-cors-all-origins.all-origins-allowed patterns: - pattern-inside: cors_rule { ... } - pattern: allowed_origins = ["*"] languages: - hcl severity: WARNING message: CORS rule on bucket permits any origin metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#using-cors cwe: - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' category: security technology: - terraform - aws owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed shortlink: https://sg.run/DJb2 semgrep.dev: rule: r_id: 9752 rv_id: 1263898 rule_id: lBUd4g version_id: 3ZT4XXJ url: https://semgrep.dev/playground/r/3ZT4XXJ/terraform.lang.security.s3-cors-all-origins.all-origins-allowed origin: community - id: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket patterns: - pattern-either: - pattern: acl = "public-read" - pattern: acl = "authenticated-read" - pattern-not-inside: | resource "aws_s3_bucket" "..." { ... website { ... } ... } languages: - hcl severity: WARNING message: S3 bucket with public read access detected. metadata: cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl category: security technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket shortlink: https://sg.run/WgAy semgrep.dev: rule: r_id: 9753 rv_id: 1263899 rule_id: YGUrp5 version_id: 44TEjjv url: https://semgrep.dev/playground/r/44TEjjv/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket origin: community - id: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket pattern: acl = "public-read-write" languages: - hcl severity: ERROR message: S3 bucket with public read-write access detected. metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' category: security technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket shortlink: https://sg.run/0nok semgrep.dev: rule: r_id: 9754 rv_id: 1263900 rule_id: 6JUqvn version_id: PkTR3y5 url: https://semgrep.dev/playground/r/PkTR3y5/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket origin: community - id: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket patterns: - pattern: a - pattern: b languages: - hcl severity: INFO message: This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info. metadata: references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html cwe: - 'CWE-311: Missing Encryption of Sensitive Data' category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM deprecated: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket shortlink: https://sg.run/Jezw semgrep.dev: rule: r_id: 16202 rv_id: 1263901 rule_id: 3qU62L version_id: JdTzxjN url: https://semgrep.dev/playground/r/JdTzxjN/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket origin: community - id: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust message: Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. If you have to use `$TRUST`, ensure it does not come from user-input or use the appropriate prevention mechanism e.g. input validation or sanitization depending on the context. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' references: - https://angular.io/api/platform-browser/DomSanitizer - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection confidence: MEDIUM category: security technology: - angular - browser cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust shortlink: https://sg.run/KWxP semgrep.dev: rule: r_id: 9755 rv_id: 1263902 rule_id: oqUzgA version_id: 5PTo1zk url: https://semgrep.dev/playground/r/5PTo1zk/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust origin: community languages: - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | function ...({..., $X: string, ...}) { ... } - pattern-inside: | function ...(..., $X: string, ...) { ... } - focus-metavariable: $X pattern-sinks: - patterns: - pattern-either: - pattern: $X.$TRUST($Y) - focus-metavariable: $Y - pattern-not: | $X.$TRUST(`...`) - pattern-not: | $X.$TRUST("...") - metavariable-regex: metavariable: $TRUST regex: (bypassSecurityTrustHtml|bypassSecurityTrustStyle|bypassSecurityTrustScript|bypassSecurityTrustUrl|bypassSecurityTrustResourceUrl) pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | import * as $S from "underscore.string" ... - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | $S = require("underscore.string") ... - pattern-either: - pattern: $S.escapeHTML(...) - patterns: - pattern-either: - pattern-inside: | import $S from "dompurify" ... - pattern-inside: | import { ..., $S,... } from "dompurify" ... - pattern-inside: | import * as $S from "dompurify" ... - pattern-inside: | $S = require("dompurify") ... - pattern-inside: | import $S from "isomorphic-dompurify" ... - pattern-inside: | import * as $S from "isomorphic-dompurify" ... - pattern-inside: | $S = require("isomorphic-dompurify") ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $S(...) ... - pattern: $VALUE.sanitize(...) - patterns: - pattern-inside: | $VALUE = $S.sanitize ... - pattern: $S(...) - pattern: $S.sanitize(...) - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'xss'; ... - pattern-inside: | import * as $S from 'xss'; ... - pattern-inside: | $S = require("xss") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'sanitize-html'; ... - pattern-inside: | import * as $S from "sanitize-html"; ... - pattern-inside: | $S = require("sanitize-html") ... - pattern: $S(...) - patterns: - pattern: sanitizer.sanitize(...) - pattern-not: sanitizer.sanitize(SecurityContext.NONE, ...); - id: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption message: 'Add "encryption: $Y.BucketEncryption.KMS_MANAGED" or "encryption: $Y.BucketEncryption.S3_MANAGED" to the bucket props for Bucket construct $X' metadata: cwe: - 'CWE-311: Missing Encryption of Sensitive Data' category: security technology: - AWS-CDK references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption shortlink: https://sg.run/eowX semgrep.dev: rule: r_id: 15276 rv_id: 1263903 rule_id: bwU8qz version_id: GxTkeRx url: https://semgrep.dev/playground/r/GxTkeRx/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption origin: community languages: - typescript severity: ERROR pattern-either: - patterns: - pattern-inside: | import {Bucket} from '@aws-cdk/aws-s3' ... - pattern: const $X = new Bucket(...) - pattern-not: | const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS_MANAGED, ...}) - pattern-not: | const $X = new Bucket(..., {..., encryption: BucketEncryption.KMS, ...}) - pattern-not: | const $X = new Bucket(..., {..., encryption: BucketEncryption.S3_MANAGED, ...}) - patterns: - pattern-inside: | import * as $Y from '@aws-cdk/aws-s3' ... - pattern: const $X = new $Y.Bucket(...) - pattern-not: | const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS_MANAGED, ...}) - pattern-not: | const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.KMS, ...}) - pattern-not: | const $X = new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.S3_MANAGED, ...}) - id: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl message: Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property "enforceSSL" should be set to true metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' category: security technology: - AWS-CDK references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl shortlink: https://sg.run/vqBX semgrep.dev: rule: r_id: 15277 rv_id: 1263904 rule_id: NbUN8B version_id: RGT0Llg url: https://semgrep.dev/playground/r/RGT0Llg/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl origin: community languages: - ts severity: ERROR pattern-either: - patterns: - pattern-inside: | import {Bucket} from '@aws-cdk/aws-s3'; ... - pattern: const $X = new Bucket(...) - pattern-not: | const $X = new Bucket(..., {enforceSSL: true}, ...) - patterns: - pattern-inside: | import * as $Y from '@aws-cdk/aws-s3'; ... - pattern: const $X = new $Y.Bucket(...) - pattern-not: | const $X = new $Y.Bucket(..., {..., enforceSSL: true, ...}) - id: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue message: 'Queue $X is missing encryption at rest. Add "encryption: $Y.QueueEncryption.KMS" or "encryption: $Y.QueueEncryption.KMS_MANAGED" to the queue props to enable encryption at rest for the queue.' metadata: category: security cwe: - 'CWE-311: Missing Encryption of Sensitive Data' technology: - AWS-CDK references: - https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue shortlink: https://sg.run/d23P semgrep.dev: rule: r_id: 15278 rv_id: 1263905 rule_id: kxUwqO version_id: A8Tgd2W url: https://semgrep.dev/playground/r/A8Tgd2W/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue origin: community languages: - ts severity: WARNING pattern-either: - patterns: - pattern-inside: | import {Queue} from '@aws-cdk/aws-sqs' ... - pattern: const $X = new Queue(...) - pattern-not: | const $X = new Queue(..., {..., encryption: QueueEncryption.KMS_MANAGED, ...}) - pattern-not: | const $X = new Queue(..., {..., encryption: QueueEncryption.KMS, ...}) - patterns: - pattern-inside: | import * as $Y from '@aws-cdk/aws-sqs' ... - pattern: const $X = new $Y.Queue(...) - pattern-not: | const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS_MANAGED, ...}) - pattern-not: | const $X = new $Y.Queue(..., {..., encryption: $Y.QueueEncryption.KMS, ...}) - id: typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod message: Using the GrantPublicAccess method on bucket contruct $X will make the objects in the bucket world accessible. Verify if this is intentional. metadata: cwe: - 'CWE-306: Missing Authentication for Critical Function' category: security technology: - AWS-CDK references: - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod shortlink: https://sg.run/Z4p7 semgrep.dev: rule: r_id: 15279 rv_id: 1263906 rule_id: wdUjZK version_id: BjTkZA7 url: https://semgrep.dev/playground/r/BjTkZA7/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod origin: community languages: - ts severity: WARNING pattern-either: - patterns: - pattern-inside: | import {Bucket} from '@aws-cdk/aws-s3' ... - pattern: | const $X = new Bucket(...) ... $X.grantPublicAccess(...) - patterns: - pattern-inside: | import * as $Y from '@aws-cdk/aws-s3' ... - pattern: | const $X = new $Y.Bucket(...) ... $X.grantPublicAccess(...) - id: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public message: CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project. metadata: category: security cwe: - 'CWE-306: Missing Authentication for Critical Function' technology: - AWS-CDK references: - https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public shortlink: https://sg.run/nK7G semgrep.dev: rule: r_id: 15280 rv_id: 1263907 rule_id: x8UxXZ version_id: DkTRbj1 url: https://semgrep.dev/playground/r/DkTRbj1/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public origin: community languages: - ts severity: WARNING pattern-either: - patterns: - pattern-inside: | import {Project} from '@aws-cdk/aws-codebuild' ... - pattern: | const $X = new Project(..., {..., badge: true, ...}) - patterns: - pattern-inside: | import * as $Y from '@aws-cdk/aws-codebuild' ... - pattern: | const $X = new $Y.Project(..., {..., badge: true, ...}) - id: typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard message: 'Unescaped ''.'' character in CORS domain regex $CORS: $PATTERN' metadata: cwe: - 'CWE-183: Permissive List of Allowed Inputs' category: security technology: - cors owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard shortlink: https://sg.run/w13x semgrep.dev: rule: r_id: 11929 rv_id: 1263908 rule_id: qNUbXo version_id: WrTqKwN url: https://semgrep.dev/playground/r/WrTqKwN/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard origin: community languages: - ts severity: WARNING patterns: - pattern-either: - pattern: $CORS = [...,/$PATTERN/,...] - pattern: $CORS = /$PATTERN/ - focus-metavariable: $PATTERN - metavariable-regex: metavariable: $PATTERN regex: .+?(? - pattern-not: | <$Y ... dangerouslySetInnerHTML={{__html: "..."}} /> - pattern-not: | {...,dangerouslySetInnerHTML:{__html: "..."},...} - metavariable-pattern: patterns: - pattern-not: | {...} metavariable: $X - pattern-not: | <... {__html: "..."} ...> - pattern-not: | <... {__html: `...`} ...> pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | import * as $S from "underscore.string" ... - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | $S = require("underscore.string") ... - pattern-either: - pattern: $S.escapeHTML(...) - patterns: - pattern-either: - pattern-inside: | import $S from "dompurify" ... - pattern-inside: | import { ..., $S,... } from "dompurify" ... - pattern-inside: | import * as $S from "dompurify" ... - pattern-inside: | $S = require("dompurify") ... - pattern-inside: | import $S from "isomorphic-dompurify" ... - pattern-inside: | import * as $S from "isomorphic-dompurify" ... - pattern-inside: | $S = require("isomorphic-dompurify") ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $S(...) ... - pattern: $VALUE.sanitize(...) - patterns: - pattern-inside: | $VALUE = $S.sanitize ... - pattern: $S(...) - pattern: $S.sanitize(...) - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'xss'; ... - pattern-inside: | import * as $S from 'xss'; ... - pattern-inside: | $S = require("xss") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'sanitize-html'; ... - pattern-inside: | import * as $S from "sanitize-html"; ... - pattern-inside: | $S = require("sanitize-html") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | $S = new Remarkable() ... - pattern: $S.render(...) - id: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property message: Property decoded from JWT token without verifying and cannot be trustworthy. metadata: cwe: - 'CWE-922: Insecure Storage of Sensitive Information' references: - https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html category: security owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - react subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property shortlink: https://sg.run/wx8x semgrep.dev: rule: r_id: 9773 rv_id: 1263914 rule_id: d8Uzqz version_id: JdTzxjz url: https://semgrep.dev/playground/r/JdTzxjz/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property origin: community languages: - typescript - javascript severity: INFO patterns: - pattern-inside: | import jwt_decode from "jwt-decode"; ... - pattern-inside: | $DECODED = jwt_decode($TOKEN,...); ... - pattern: $DECODED.$PROPERTY - id: typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage message: Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie. metadata: cwe: - 'CWE-922: Insecure Storage of Sensitive Information' references: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies category: security owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control technology: - react subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage shortlink: https://sg.run/xYye semgrep.dev: rule: r_id: 9774 rv_id: 1263915 rule_id: ZqUq6g version_id: 5PTo1zq url: https://semgrep.dev/playground/r/5PTo1zq/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage origin: community languages: - typescript - javascript severity: INFO patterns: - pattern-inside: | import jwt_decode from "jwt-decode"; ... - pattern-either: - pattern: | $DECODED = jwt_decode($TOKEN,...); ... localStorage.setItem($NAME, <... $TOKEN ...>); - pattern: | $DECODED = jwt_decode(...); ... localStorage.setItem($NAME, <... $DECODED ...>); - id: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method message: Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln - https://developer.mozilla.org/en-US/docs/Web/API/Document/write - https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML category: security confidence: MEDIUM technology: - react cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method shortlink: https://sg.run/E5x8 semgrep.dev: rule: r_id: 9781 rv_id: 1263916 rule_id: QrU68w version_id: GxTkeRl url: https://semgrep.dev/playground/r/GxTkeRl/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method origin: community languages: - typescript - javascript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | function ...({..., $X, ...}) { ... } - pattern-inside: | function ...(..., $X, ...) { ... } - focus-metavariable: $X - pattern-either: - pattern: $X.$Y - pattern: $X[...] pattern-sinks: - patterns: - pattern-either: - pattern: "this.window.document. ... .$HTML('...',$SINK) \n" - pattern: "window.document. ... .$HTML('...',$SINK) \n" - pattern: "document.$HTML($SINK) \n" - metavariable-regex: metavariable: $HTML regex: (writeln|write) - focus-metavariable: $SINK - patterns: - pattern-either: - pattern: "$PROP. ... .$HTML('...',$SINK) \n" - metavariable-regex: metavariable: $HTML regex: (insertAdjacentHTML) - focus-metavariable: $SINK pattern-sanitizers: - patterns: - pattern-either: - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | import * as $S from "underscore.string" ... - pattern-inside: | import $S from "underscore.string" ... - pattern-inside: | $S = require("underscore.string") ... - pattern-either: - pattern: $S.escapeHTML(...) - patterns: - pattern-either: - pattern-inside: | import $S from "dompurify" ... - pattern-inside: | import { ..., $S,... } from "dompurify" ... - pattern-inside: | import * as $S from "dompurify" ... - pattern-inside: | $S = require("dompurify") ... - pattern-inside: | import $S from "isomorphic-dompurify" ... - pattern-inside: | import * as $S from "isomorphic-dompurify" ... - pattern-inside: | $S = require("isomorphic-dompurify") ... - pattern-either: - patterns: - pattern-inside: | $VALUE = $S(...) ... - pattern: $VALUE.sanitize(...) - patterns: - pattern-inside: | $VALUE = $S.sanitize ... - pattern: $S(...) - pattern: $S.sanitize(...) - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'xss'; ... - pattern-inside: | import * as $S from 'xss'; ... - pattern-inside: | $S = require("xss") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | import $S from 'sanitize-html'; ... - pattern-inside: | import * as $S from "sanitize-html"; ... - pattern-inside: | $S = require("sanitize-html") ... - pattern: $S(...) - patterns: - pattern-either: - pattern-inside: | $S = new Remarkable() ... - pattern: $S.render(...) - id: typescript.react.security.react-insecure-request.react-insecure-request message: Unencrypted request over HTTP detected. metadata: vulnerability: Insecure Transport owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://www.npmjs.com/package/axios category: security technology: - react subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request shortlink: https://sg.run/1n0b semgrep.dev: rule: r_id: 9766 rv_id: 1263918 rule_id: NbUA3O version_id: A8Tgd2p url: https://semgrep.dev/playground/r/A8Tgd2p/typescript.react.security.react-insecure-request.react-insecure-request origin: community languages: - typescript - javascript severity: ERROR patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | import $AXIOS from 'axios'; ... $AXIOS.$METHOD(...) - pattern-inside: | $AXIOS = require('axios'); ... $AXIOS.$METHOD(...) - pattern: $AXIOS.$VERB("$URL",...) - metavariable-regex: metavariable: $VERB regex: ^(get|post|delete|head|patch|put|options) - patterns: - pattern-either: - pattern-inside: | import $AXIOS from 'axios'; ... $AXIOS(...) - pattern-inside: | $AXIOS = require('axios'); ... $AXIOS(...) - pattern-either: - pattern: '$AXIOS({url: "$URL"}, ...)' - pattern: | $OPTS = {url: "$URL"} ... $AXIOS($OPTS, ...) - pattern: fetch("$URL", ...) - metavariable-regex: metavariable: $URL regex: ^([Hh][Tt][Tt][Pp]:\/\/(?!localhost).*) - id: yaml.docker-compose.security.privileged-service.privileged-service patterns: - pattern-inside: | version: ... ... services: ... $SERVICE: ... privileged: $TRUE - focus-metavariable: $TRUE - metavariable-regex: metavariable: $TRUE regex: (true) fix: | false message: Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability. metadata: cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A06:2017 - Security Misconfiguration - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html - https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/ category: security technology: - docker-compose subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service shortlink: https://sg.run/AlX0 semgrep.dev: rule: r_id: 10006 rv_id: 1263922 rule_id: DbUW17 version_id: 0bTKzXZ url: https://semgrep.dev/playground/r/0bTKzXZ/yaml.docker-compose.security.privileged-service.privileged-service origin: community languages: - yaml severity: WARNING - id: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled patterns: - pattern-inside: | version: ... ... services: ... - pattern: | $SERVICE: ... image: ... ... security_opt: - ... - seccomp:unconfined message: Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this. metadata: cwe: - 'CWE-284: Improper Access Control' references: - https://docs.docker.com/engine/security/seccomp/ category: security technology: - docker-compose owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled shortlink: https://sg.run/KWkY semgrep.dev: rule: r_id: 10055 rv_id: 1263923 rule_id: lBUdW3 version_id: K3TKkXA url: https://semgrep.dev/playground/r/K3TKkXA/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled origin: community languages: - yaml severity: WARNING - id: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled patterns: - pattern-inside: | version: ... ... services: ... - pattern: | $SERVICE: ... image: ... ... security_opt: - ... - label:disable message: Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this. metadata: cwe: - 'CWE-284: Improper Access Control' references: - https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/ - https://docs.docker.com/engine/reference/run/#security-configuration category: security technology: - docker-compose owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled shortlink: https://sg.run/qryb semgrep.dev: rule: r_id: 10056 rv_id: 1263924 rule_id: YGUrAG version_id: qkTR7yg url: https://semgrep.dev/playground/r/qkTR7yg/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled origin: community languages: - yaml severity: WARNING - id: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service patterns: - pattern-inside: | version: ... ... services: ... - pattern: | $SERVICE: ... image: ... ... - pattern-not: | $SERVICE: ... image: ... ... read_only: true - focus-metavariable: $SERVICE message: 'Service ''$SERVICE'' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add ''read_only: true'' to this service to prevent this.' metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir - https://blog.atomist.com/security-of-docker-kubernetes/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only category: security technology: - docker-compose cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service shortlink: https://sg.run/e4JE semgrep.dev: rule: r_id: 10132 rv_id: 1263925 rule_id: v8U5vN version_id: l4TJR0w url: https://semgrep.dev/playground/r/l4TJR0w/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service origin: community languages: - yaml severity: WARNING - id: yaml.github-actions.security.github-script-injection.github-script-injection languages: - yaml message: 'Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`''s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".' metadata: category: security cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections - https://securitylab.github.com/research/github-actions-untrusted-input/ - https://github.com/actions/github-script technology: - github-actions cwe2022-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection shortlink: https://sg.run/g1G0 semgrep.dev: rule: r_id: 31441 rv_id: 1423394 rule_id: OrUQvK version_id: 5PT7Zyw url: https://semgrep.dev/playground/r/5PT7Zyw/yaml.github-actions.security.github-script-injection.github-script-injection origin: community patterns: - pattern-inside: 'steps: [...]' - pattern-inside: | uses: $ACTION ... - pattern-inside: | with: ... script: ... ... - pattern: 'script: $SHELL' - metavariable-regex: metavariable: $ACTION regex: actions/github-script@.* - metavariable-pattern: language: generic metavariable: $SHELL patterns: - pattern-either: - pattern: ${{ ... github.event.issue.title ... }} - pattern: ${{ ... github.event.issue.body ... }} - pattern: ${{ ... github.event.pull_request.title ... }} - pattern: ${{ ... github.event.pull_request.body ... }} - pattern: ${{ ... github.event.comment.body ... }} - pattern: ${{ ... github.event.review.body ... }} - pattern: ${{ ... github.event.review_comment.body ... }} - pattern: ${{ ... github.event.pages ... .page_name ... }} - pattern: ${{ ... github.event.head_commit.message ... }} - pattern: ${{ ... github.event.head_commit.author.email ... }} - pattern: ${{ ... github.event.head_commit.author.name ... }} - pattern: ${{ ... github.event.commits ... .author.email ... }} - pattern: ${{ ... github.event.commits ... .author.name ... }} - pattern: ${{ ... github.event.commits ... .message ... }} - pattern: ${{ ... github.event.pull_request.head.ref ... }} - pattern: ${{ ... github.event.pull_request.head.label ... }} - pattern: ${{ ... github.event.pull_request.head.repo.default_branch ... }} - pattern: ${{ ... github.ref ... }} - pattern: ${{ ... github.base_ref ... }} - pattern: ${{ ... github.head_ref ... }} - pattern: ${{ ... github.ref_name ... }} - pattern: ${{ ... github.workflow ... }} - pattern: ${{ ... github.event.inputs ... }} - pattern: ${{ ... github.event.discussion.title ... }} - pattern: ${{ ... github.event.discussion.body ... }} - pattern: ${{ ... github.event.workflow_run.head_branch ... }} - pattern: ${{ ... github.event.workflow_run.head_commit.message ... }} - pattern: ${{ ... github.event.milestone.title ... }} - pattern: ${{ ... github.event.milestone.description ... }} - pattern: ${{ ... github.event.project_card.note ... }} - pattern: ${{ ... github.event.project.name ... }} - pattern: ${{ ... github.event.project_column.name ... }} - pattern: ${{ ... github.event.release.name ... }} - pattern: ${{ ... github.event.release.body ... }} - pattern: ${{ ... github.event.deployment.ref ... }} - pattern: ${{ ... inputs ... }} - pattern-not: ${{ ... github.event.issue.title && ... }} - pattern-not: ${{ ... github.event.issue.body && ... }} - pattern-not: ${{ ... github.event.pull_request.title && ... }} - pattern-not: ${{ ... github.event.pull_request.body && ... }} - pattern-not: ${{ ... github.event.comment.body && ... }} - pattern-not: ${{ ... github.event.review.body && ... }} - pattern-not: ${{ ... github.event.review_comment.body && ... }} - pattern-not: ${{ ... github.event.pages ... .page_name && ... }} - pattern-not: ${{ ... github.event.head_commit.message && ... }} - pattern-not: ${{ ... github.event.head_commit.author.email && ... }} - pattern-not: ${{ ... github.event.head_commit.author.name && ... }} - pattern-not: ${{ ... github.event.commits ... .author.email && ... }} - pattern-not: ${{ ... github.event.commits ... .author.name && ... }} - pattern-not: ${{ ... github.event.commits ... .message && ... }} - pattern-not: ${{ ... github.event.pull_request.head.ref && ... }} - pattern-not: ${{ ... github.event.pull_request.head.label && ... }} - pattern-not: ${{ ... github.event.pull_request.head.repo.default_branch && ... }} - pattern-not: ${{ ... github.ref && ... }} - pattern-not: ${{ ... github.base_ref && ... }} - pattern-not: ${{ ... github.head_ref && ... }} - pattern-not: ${{ ... github.ref_name && ... }} - pattern-not: ${{ ... github.workflow && ... }} - pattern-not: ${{ ... github.event.inputs && ... }} - pattern-not: ${{ ... github.event.discussion.title && ... }} - pattern-not: ${{ ... github.event.discussion.body && ... }} - pattern-not: ${{ ... github.event.workflow_run.head_branch && ... }} - pattern-not: ${{ ... github.event.workflow_run.head_commit.message && ... }} - pattern-not: ${{ ... github.event.milestone.title && ... }} - pattern-not: ${{ ... github.event.milestone.description && ... }} - pattern-not: ${{ ... github.event.project_card.note && ... }} - pattern-not: ${{ ... github.event.project.name && ... }} - pattern-not: ${{ ... github.event.project_column.name && ... }} - pattern-not: ${{ ... github.event.release.name && ... }} - pattern-not: ${{ ... github.event.release.body && ... }} - pattern-not: ${{ ... github.event.deployment.ref && ... }} severity: ERROR - id: yaml.github-actions.security.run-shell-injection.run-shell-injection languages: - yaml message: 'Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".' metadata: category: security cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections - https://securitylab.github.com/research/github-actions-untrusted-input/ technology: - github-actions cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection shortlink: https://sg.run/pkzk semgrep.dev: rule: r_id: 13162 rv_id: 1423395 rule_id: v8UjQj version_id: GxTl1DQ url: https://semgrep.dev/playground/r/GxTl1DQ/yaml.github-actions.security.run-shell-injection.run-shell-injection origin: community patterns: - pattern-inside: 'steps: [...]' - pattern-inside: | - run: ... ... - pattern: 'run: $SHELL' - metavariable-pattern: language: generic metavariable: $SHELL patterns: - pattern-either: - pattern: ${{ ... github.event.issue.title ... }} - pattern: ${{ ... github.event.issue.body ... }} - pattern: ${{ ... github.event.pull_request.title ... }} - pattern: ${{ ... github.event.pull_request.body ... }} - pattern: ${{ ... github.event.comment.body ... }} - pattern: ${{ ... github.event.review.body ... }} - pattern: ${{ ... github.event.review_comment.body ... }} - pattern: ${{ ... github.event.pages ... .page_name ... }} - pattern: ${{ ... github.event.head_commit.message ... }} - pattern: ${{ ... github.event.head_commit.author.email ... }} - pattern: ${{ ... github.event.head_commit.author.name ... }} - pattern: ${{ ... github.event.commits ... .author.email ... }} - pattern: ${{ ... github.event.commits ... .author.name ... }} - pattern: ${{ ... github.event.commits ... .message ... }} - pattern: ${{ ... github.event.pull_request.head.ref ... }} - pattern: ${{ ... github.event.pull_request.head.label ... }} - pattern: ${{ ... github.event.pull_request.head.repo.default_branch ... }} - pattern: ${{ ... github.ref ... }} - pattern: ${{ ... github.base_ref ... }} - pattern: ${{ ... github.head_ref ... }} - pattern: ${{ ... github.ref_name ... }} - pattern: ${{ ... github.workflow ... }} - pattern: ${{ ... github.event.inputs ... }} - pattern: ${{ ... github.event.discussion.title ... }} - pattern: ${{ ... github.event.discussion.body ... }} - pattern: ${{ ... github.event.workflow_run.head_branch ... }} - pattern: ${{ ... github.event.workflow_run.head_commit.message ... }} - pattern: ${{ ... github.event.milestone.title ... }} - pattern: ${{ ... github.event.milestone.description ... }} - pattern: ${{ ... github.event.project_card.note ... }} - pattern: ${{ ... github.event.project.name ... }} - pattern: ${{ ... github.event.project_column.name ... }} - pattern: ${{ ... github.event.release.name ... }} - pattern: ${{ ... github.event.release.body ... }} - pattern: ${{ ... github.event.deployment.ref ... }} - pattern: ${{ ... inputs ... }} - pattern-not: ${{ ... github.event.issue.title && ... }} - pattern-not: ${{ ... github.event.issue.body && ... }} - pattern-not: ${{ ... github.event.pull_request.title && ... }} - pattern-not: ${{ ... github.event.pull_request.body && ... }} - pattern-not: ${{ ... github.event.comment.body && ... }} - pattern-not: ${{ ... github.event.review.body && ... }} - pattern-not: ${{ ... github.event.review_comment.body && ... }} - pattern-not: ${{ ... github.event.pages ... .page_name && ... }} - pattern-not: ${{ ... github.event.head_commit.message && ... }} - pattern-not: ${{ ... github.event.head_commit.author.email && ... }} - pattern-not: ${{ ... github.event.head_commit.author.name && ... }} - pattern-not: ${{ ... github.event.commits ... .author.email && ... }} - pattern-not: ${{ ... github.event.commits ... .author.name && ... }} - pattern-not: ${{ ... github.event.commits ... .message && ... }} - pattern-not: ${{ ... github.event.pull_request.head.ref && ... }} - pattern-not: ${{ ... github.event.pull_request.head.label && ... }} - pattern-not: ${{ ... github.event.pull_request.head.repo.default_branch && ... }} - pattern-not: ${{ ... github.event.workflow_run.head_commit.message && ... }} - pattern-not: ${{ ... github.ref && ... }} - pattern-not: ${{ ... github.base_ref && ... }} - pattern-not: ${{ ... github.head_ref && ... }} - pattern-not: ${{ ... github.ref_name && ... }} - pattern-not: ${{ ... github.workflow && ... }} - pattern-not: ${{ ... github.event.inputs && ... }} - pattern-not: ${{ ... github.event.discussion.title && ... }} - pattern-not: ${{ ... github.event.discussion.body && ... }} - pattern-not: ${{ ... github.event.workflow_run.head_branch && ... }} - pattern-not: ${{ ... github.event.milestone.title && ... }} - pattern-not: ${{ ... github.event.milestone.description && ... }} - pattern-not: ${{ ... github.event.project_card.note && ... }} - pattern-not: ${{ ... github.event.project.name && ... }} - pattern-not: ${{ ... github.event.project_column.name && ... }} - pattern-not: ${{ ... github.event.release.name && ... }} - pattern-not: ${{ ... github.event.release.body && ... }} - pattern-not: ${{ ... github.event.deployment.ref && ... }} severity: ERROR - id: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext patterns: - pattern-inside: | containers: ... - pattern-inside: | - $NAME: $CONTAINER ... - pattern: | image: ... ... - pattern-not: | image: ... ... securityContext: ... - metavariable-regex: metavariable: $NAME regex: name - focus-metavariable: $NAME fix: | securityContext: allowPrivilegeEscalation: false $NAME message: In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag category: security technology: - kubernetes cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext shortlink: https://sg.run/eleR semgrep.dev: rule: r_id: 47276 rv_id: 1263931 rule_id: WAU5J6 version_id: 2KTv2j8 url: https://semgrep.dev/playground/r/2KTv2j8/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true patterns: - pattern-inside: | containers: ... - pattern-inside: | - name: $CONTAINER ... - pattern-inside: | image: ... ... - pattern-inside: | securityContext: ... - pattern: | allowPrivilegeEscalation: $TRUE - metavariable-pattern: metavariable: $TRUE pattern: | true - focus-metavariable: $TRUE fix: | false message: In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks. metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag category: security technology: - kubernetes cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true shortlink: https://sg.run/vw3W semgrep.dev: rule: r_id: 47277 rv_id: 1263932 rule_id: 0oUkqQ version_id: X0Tzyqr url: https://semgrep.dev/playground/r/X0Tzyqr/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation patterns: - pattern-inside: | containers: ... - pattern-inside: | - name: $CONTAINER ... - pattern: | image: ... ... - pattern-inside: | image: ... ... $SC: ... - metavariable-regex: metavariable: $SC regex: ^(securityContext)$ - pattern-not-inside: | image: ... ... securityContext: ... allowPrivilegeEscalation: $VAL - focus-metavariable: $SC fix: | securityContext: allowPrivilegeEscalation: false # message: In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the `allowPrivilegeEscalation` parameter to your the `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag category: security technology: - kubernetes cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation shortlink: https://sg.run/ljp6 semgrep.dev: rule: r_id: 10057 rv_id: 1263933 rule_id: 6JUqEO version_id: jQTn527 url: https://semgrep.dev/playground/r/jQTn527/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation origin: community languages: - yaml severity: WARNING - id: python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe message: Detected a segment of a Flask template where autoescaping is explicitly disabled with '| safe' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe shortlink: https://sg.run/W8og semgrep.dev: rule: r_id: 9553 rv_id: 1263446 rule_id: oqUenz version_id: LjTkgoZ url: https://semgrep.dev/playground/r/LjTkgoZ/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe origin: community languages: - regex paths: include: - '*.html' severity: WARNING pattern-regex: '{{.*?\|\s*safe(\s*}})?' - id: python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var message: 'Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ $...VAR }}".' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var shortlink: https://sg.run/0Qp5 semgrep.dev: rule: r_id: 9554 rv_id: 1263447 rule_id: zdUk51 version_id: 8KT5r7D url: https://semgrep.dev/playground/r/8KT5r7D/python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var origin: community languages: - generic paths: include: - '*.html' - '*.py' severity: WARNING patterns: - pattern: ={{$...VAR}} - pattern-inside: | <$TAG ... > - metavariable-pattern: metavariable: $...VAR pattern-either: - pattern: | request.$VALUE.get(...) - pattern: | request.$VALUE['...'] - patterns: - pattern: $REQ - pattern-either: - pattern-inside: "$REQ = request.$VALUE.get(...)\n... \n" - pattern-inside: "$REQ = request.$VALUE['...']\n... \n" fix: | ="{{$...VAR}}" - id: python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled patterns: - pattern: jinja2.Environment(... , autoescape=$VAL, ...) - pattern-not: jinja2.Environment(... , autoescape=True, ...) - pattern-not: jinja2.Environment(... , autoescape=jinja2.select_autoescape(...), ...) - focus-metavariable: $VAL fix: | True message: Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html cwe: - 'CWE-116: Improper Encoding or Escaping of Output' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://jinja.palletsprojects.com/en/2.11.x/api/#basics category: security technology: - jinja2 subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled shortlink: https://sg.run/L2L7 semgrep.dev: rule: r_id: 20039 rv_id: 1263448 rule_id: QrU1Xg version_id: gETB7oN url: https://semgrep.dev/playground/r/gETB7oN/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled origin: community languages: - python severity: WARNING - id: python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled patterns: - pattern-not: jinja2.Environment(..., autoescape=$VAL, ...) - pattern: jinja2.Environment(...) fix-regex: regex: (.*)\) replacement: \1, autoescape=True) message: Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions. metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html cwe: - 'CWE-116: Improper Encoding or Escaping of Output' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://jinja.palletsprojects.com/en/2.11.x/api/#basics category: security technology: - jinja2 subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Encoding source: https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled shortlink: https://sg.run/8kY4 semgrep.dev: rule: r_id: 20040 rv_id: 1263449 rule_id: 3qULRx version_id: QkTGqje url: https://semgrep.dev/playground/r/QkTGqje/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled origin: community languages: - python severity: WARNING - id: python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data message: The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload. severity: WARNING metadata: owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-522: Insufficiently Protected Credentials' source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt references: - https://owasp.org/Top10/A04_2021-Insecure_Design cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data shortlink: https://sg.run/ox8R semgrep.dev: rule: r_id: 9560 rv_id: 1263450 rule_id: 9AU1zW version_id: 3ZT4XzA url: https://semgrep.dev/playground/r/3ZT4XzA/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data origin: community languages: - python patterns: - pattern-inside: | def $FUNC(...,$INPUT,...): ... - pattern: jwt.encode($INPUT,...) - id: ai.ai-best-practices.mistral-missing-moderation.mistral-missing-moderation.mistral-missing-moderation languages: - python severity: WARNING message: Mistral chat completion used without content moderation. Consider using the Moderation API (client.classifiers.moderate() or client.classifiers.moderate_chat()) to check content for harmful material. See https://docs.mistral.ai/capabilities/guardrailing/ metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - mistral references: - https://docs.mistral.ai/capabilities/guardrailing/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mistral-missing-moderation.mistral-missing-moderation.mistral-missing-moderation shortlink: https://sg.run/pG1lL semgrep.dev: rule: r_id: 286762 rv_id: 1409359 rule_id: yyUBqvx version_id: BjTy4Yw url: https://semgrep.dev/playground/r/BjTy4Yw/ai.ai-best-practices.mistral-missing-moderation.mistral-missing-moderation.mistral-missing-moderation origin: community patterns: - pattern: $CLIENT.chat.complete(...) - pattern-inside: | def $FUNC(...): ... - pattern-not-inside: | def $FUNC(...): ... $CLIENT.classifiers.moderate(...) ... - pattern-not-inside: | def $FUNC(...): ... $CLIENT.classifiers.moderate_chat(...) ... - id: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials languages: - python metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ references: - https://cwe.mitre.org/data/definitions/522.html category: security technology: - jwt cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials shortlink: https://sg.run/qxPy semgrep.dev: rule: r_id: 9556 rv_id: 1263451 rule_id: 2ZUb1L version_id: 44TEjwq url: https://semgrep.dev/playground/r/44TEjwq/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials origin: community message: Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens. pattern-either: - pattern: | jwt.encode({...,"password":$P,...},...) - pattern: | $PAYLOAD = {...,"password":$P,...} ... jwt.encode($PAYLOAD,...) severity: ERROR - id: python.jwt.security.jwt-none-alg.jwt-python-none-alg message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg shortlink: https://sg.run/Yvp4 semgrep.dev: rule: r_id: 9558 rv_id: 1263453 rule_id: j2UvKw version_id: JdTzxYj url: https://semgrep.dev/playground/r/JdTzxYj/python.jwt.security.jwt-none-alg.jwt-python-none-alg origin: community languages: - python severity: ERROR pattern-either: - pattern: | jwt.encode(...,algorithm="none",...) - pattern: jwt.decode(...,algorithms=[...,"none",...],...) - id: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode patterns: - pattern-either: - patterns: - pattern: | jwt.decode(..., options={..., "verify_signature": $BOOL, ...}, ...) - metavariable-pattern: metavariable: $BOOL pattern: | False - focus-metavariable: $BOOL - patterns: - pattern: | $OPTS = {..., "verify_signature": $BOOL, ...} ... jwt.decode(..., options=$OPTS, ...) - metavariable-pattern: metavariable: $BOOL pattern: | False - focus-metavariable: $BOOL message: Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified. metadata: owasp: - A02:2017 - Broken Authentication - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe: - 'CWE-287: Improper Authentication' references: - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96 category: security technology: - jwt cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode shortlink: https://sg.run/6nyB semgrep.dev: rule: r_id: 9559 rv_id: 1263454 rule_id: 10UKjo version_id: 5PTo12w url: https://semgrep.dev/playground/r/5PTo12w/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode origin: community fix: | True severity: ERROR languages: - python - id: python.lang.security.audit.conn_recv.multiprocessing-recv languages: - python message: 'The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection' metadata: cwe: - 'CWE-502: Deserialization of Untrusted Data' owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures references: - https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection category: security technology: - python cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv shortlink: https://sg.run/x1lz semgrep.dev: rule: r_id: 9630 rv_id: 1263455 rule_id: nJUzeK version_id: GxTkeKQ url: https://semgrep.dev/playground/r/GxTkeKQ/python.lang.security.audit.conn_recv.multiprocessing-recv origin: community pattern-either: - pattern: multiprocessing.connection.Connection.recv(...) - pattern: multiprocessing.connection.Client.recv(...) - pattern: | $C = multiprocessing.connection.Client(...) ... $C.recv(...) severity: WARNING - id: python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage patterns: - pattern: | $C.__annotations__[$NAME] = $X - pattern-not: | $C.__annotations__[$NAME] = "..." - pattern-not: | $C.__annotations__[$NAME] = typing.$Y - metavariable-regex: metavariable: $X regex: (?!(int|float|complex|list|tuple|range|str|bytes|bytearray|memoryview|set|frozenset|dict)) message: Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function. severity: INFO metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security references: - https://docs.python.org/3/library/typing.html#typing.get_type_hints technology: - python subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage shortlink: https://sg.run/8R6J semgrep.dev: rule: r_id: 11940 rv_id: 1263456 rule_id: 9AUkR3 version_id: RGT0LZX url: https://semgrep.dev/playground/r/RGT0LZX/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage origin: community languages: - python - id: python.lang.security.audit.dangerous-asyncio-create-exec-audit.dangerous-asyncio-create-exec-audit pattern-either: - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, "...", ...) - pattern-not: asyncio.create_subprocess_exec($PROG, ["...",...], ...) - pattern: asyncio.create_subprocess_exec(...) - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "...", ...) - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["...",...], ...) - pattern: asyncio.subprocess.create_subprocess_exec(...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) message: Detected 'create_subprocess_exec' function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-create-exec-audit.dangerous-asyncio-create-exec-audit shortlink: https://sg.run/5qWA semgrep.dev: rule: r_id: 27247 rv_id: 1263457 rule_id: ZqUK73 version_id: A8TgdZR url: https://semgrep.dev/playground/r/A8TgdZR/python.lang.security.audit.dangerous-asyncio-create-exec-audit.dangerous-asyncio-create-exec-audit origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args.dangerous-asyncio-create-exec-tainted-env-args mode: taint options: symbolic_propagation: true pattern-sources: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: os.environ - pattern: os.environ.get('$FOO', ...) - pattern: os.environb - pattern: os.environb.get('$FOO', ...) - pattern: os.getenv('$ANYTHING', ...) - pattern: os.getenvb('$ANYTHING', ...) - patterns: - pattern-either: - patterns: - pattern-either: - pattern: sys.argv - pattern: sys.orig_argv - patterns: - pattern-inside: | $PARSER = argparse.ArgumentParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-inside: | $PARSER = optparse.OptionParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-either: - pattern-inside: | $OPTS, $ARGS = getopt.getopt(...) ... - pattern-inside: | $OPTS, $ARGS = getopt.gnu_getopt(...) ... - pattern-either: - patterns: - pattern-inside: | for $O, $A in $OPTS: ... - pattern: $A - pattern: $ARGS pattern-sinks: - pattern-either: - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, "...", ...) - pattern-not: asyncio.create_subprocess_exec($PROG, ["...",...], ...) - pattern: asyncio.create_subprocess_exec(...) - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: asyncio.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: asyncio.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "...", ...) - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["...",...], ...) - pattern: asyncio.subprocess.create_subprocess_exec(...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: asyncio.subprocess.create_subprocess_exec($PROG, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) message: Detected 'create_subprocess_exec' function with user controlled data. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html#asyncio.create_subprocess_exec - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args.dangerous-asyncio-create-exec-tainted-env-args shortlink: https://sg.run/GJRp semgrep.dev: rule: r_id: 27248 rv_id: 1263458 rule_id: nJU28P version_id: BjTkZnY url: https://semgrep.dev/playground/r/BjTkZnY/python.lang.security.audit.dangerous-asyncio-create-exec-tainted-env-args.dangerous-asyncio-create-exec-tainted-env-args origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-asyncio-exec-audit.dangerous-asyncio-exec-audit pattern-either: - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "...", ...) - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["...",...], ...) - pattern: $LOOP.subprocess_exec(...) - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) message: Detected subprocess function '$LOOP.subprocess_exec' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-audit.dangerous-asyncio-exec-audit shortlink: https://sg.run/RlrO semgrep.dev: rule: r_id: 27249 rv_id: 1263459 rule_id: EwUEpA version_id: DkTRbZz url: https://semgrep.dev/playground/r/DkTRbZz/python.lang.security.audit.dangerous-asyncio-exec-audit.dangerous-asyncio-exec-audit origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args mode: taint options: symbolic_propagation: true pattern-sources: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: os.environ - pattern: os.environ.get('$FOO', ...) - pattern: os.environb - pattern: os.environb.get('$FOO', ...) - pattern: os.getenv('$ANYTHING', ...) - pattern: os.getenvb('$ANYTHING', ...) - patterns: - pattern-either: - patterns: - pattern-either: - pattern: sys.argv - pattern: sys.orig_argv - patterns: - pattern-inside: | $PARSER = argparse.ArgumentParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-inside: | $PARSER = optparse.OptionParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-either: - pattern-inside: | $OPTS, $ARGS = getopt.getopt(...) ... - pattern-inside: | $OPTS, $ARGS = getopt.gnu_getopt(...) ... - pattern-either: - patterns: - pattern-inside: | for $O, $A in $OPTS: ... - pattern: $A - pattern: $ARGS pattern-sinks: - pattern-either: - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "...", ...) - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["...",...], ...) - pattern: $LOOP.subprocess_exec(...) - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, "=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c",...) - patterns: - pattern-not: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", "...", ...], ...) - pattern: $LOOP.subprocess_exec($PROTOCOL, ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...], ...) message: Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: MEDIUM cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args shortlink: https://sg.run/Apjp semgrep.dev: rule: r_id: 27250 rv_id: 1263460 rule_id: 7KUE1E version_id: WrTqKXz url: https://semgrep.dev/playground/r/WrTqKXz/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args origin: community languages: - python severity: ERROR - id: python.lang.security.audit.dangerous-asyncio-shell-audit.dangerous-asyncio-shell-audit patterns: - pattern-either: - pattern: $LOOP.subprocess_shell($PROTOCOL, $CMD) - pattern: asyncio.subprocess.create_subprocess_shell($CMD, ...) - pattern: asyncio.create_subprocess_shell($CMD, ...) - pattern-not-inside: | $CMD = "..." ... - pattern-not: $LOOP.subprocess_shell($PROTOCOL, "...") - pattern-not: asyncio.subprocess.create_subprocess_shell("...", ...) - pattern-not: asyncio.create_subprocess_shell("...", ...) message: Detected asyncio subprocess function without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.8 OS Command Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' references: - https://docs.python.org/3/library/asyncio-subprocess.html - https://docs.python.org/3/library/shlex.html - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell-audit.dangerous-asyncio-shell-audit shortlink: https://sg.run/Bp2W semgrep.dev: rule: r_id: 27251 rv_id: 1263461 rule_id: L1Uk2G version_id: 0bTKz8L url: https://semgrep.dev/playground/r/0bTKz8L/python.lang.security.audit.dangerous-asyncio-shell-audit.dangerous-asyncio-shell-audit origin: community languages: - python severity: ERROR - id: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip patterns: - pattern-either: - pattern: | resource "aws_instance" $ANYTHING { ... associate_public_ip_address = true ... } - pattern: | resource "aws_launch_template" $ANYTHING { ... network_interfaces { ... associate_public_ip_address = true ... } ... } message: EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `"false"`. metadata: category: security technology: - terraform - aws owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip shortlink: https://sg.run/08rv semgrep.dev: rule: r_id: 17354 rv_id: 1263709 rule_id: 8GUA2n version_id: qkTR73G url: https://semgrep.dev/playground/r/qkTR73G/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-ec2-launch-configuration-ebs-block-device-unencrypted.aws-ec2-launch-configuration-ebs-block-device-unencrypted patterns: - pattern-inside: | resource "aws_launch_configuration" $ANYTHING { ... } - pattern: | ebs_block_device { ... } - pattern-not: | ebs_block_device { ... encrypted = true ... } message: The AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#block-devices - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW rule-origin-note: published from /src/aws-ec2-launch-configuration-block-device-unencrypted.yml in None license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-configuration-ebs-block-device-unencrypted.aws-ec2-launch-configuration-ebs-block-device-unencrypted shortlink: https://sg.run/oryd semgrep.dev: rule: r_id: 50760 rv_id: 1263710 rule_id: 6JUwDr version_id: l4TJRGk url: https://semgrep.dev/playground/r/l4TJRGk/terraform.aws.security.aws-ec2-launch-configuration-ebs-block-device-unencrypted.aws-ec2-launch-configuration-ebs-block-device-unencrypted origin: community - id: terraform.aws.security.aws-ec2-launch-configuration-root-block-device-unencrypted.aws-ec2-launch-configuration-root-block-device-unencrypted patterns: - pattern: | resource "aws_launch_configuration" $ANYTHING { ... } - pattern-not-inside: | resource "aws_launch_configuration" $ANYTHING { ... root_block_device { ... encrypted = true ... } ... } message: The AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#block-devices - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW rule-origin-note: published from /src/aws-ec2-launch-configuration-block-device-unencrypted.yml in None license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-configuration-root-block-device-unencrypted.aws-ec2-launch-configuration-root-block-device-unencrypted shortlink: https://sg.run/zg1P semgrep.dev: rule: r_id: 50761 rv_id: 1263711 rule_id: oqUpBv version_id: YDTZedL url: https://semgrep.dev/playground/r/YDTZedL/terraform.aws.security.aws-ec2-launch-configuration-root-block-device-unencrypted.aws-ec2-launch-configuration-root-block-device-unencrypted origin: community - id: terraform.aws.security.aws-ec2-security-group-allows-public-ingress.aws-ec2-security-group-allows-public-ingress patterns: - pattern-either: - pattern: | resource "aws_security_group_rule" $ANYTHING { ... type = "ingress" cidr_blocks = [..., "$PUBLIC_IPV4_CIDR", ...] ... } - pattern: | resource "aws_vpc_security_group_ingress_rule" $ANYTHING { ... cidr_ipv4 = "$PUBLIC_IPV4_CIDR" ... } - patterns: - pattern-inside: | resource "aws_security_group" $ANYTHING { ... } - pattern: | ingress { ... cidr_blocks = [..., "$PUBLIC_IPV4_CIDR", ...] ... } - metavariable-pattern: metavariable: $PUBLIC_IPV4_CIDR language: generic patterns: - pattern-not-regex: ^127\.\d{1,3}\.\d{1,3}\.\d{1,3}/(8|9|[1-3][0-9])$ - pattern-not-regex: ^10\.\d{1,3}\.\d{1,3}\.\d{1,3}/(8|9|[1-3][0-9])$ - pattern-not-regex: ^172\.(1[6-9]|2[0-9]|3[01])\.\d{1,3}\.\d{1,3}/(1[2-9]|[23][0-9])$ - pattern-not-regex: ^192\.168\.\d{1,3}\.\d{1,3}/(1[6-9]|[23][0-9])$ - pattern-not-regex: ^169\.254\.\d{1,3}\.\d{1,3}/(1[6-9]|[23][0-9])$ - pattern-not-regex: ^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d{1,3}\.\d{1,3}/[1-3][0-9]$ - pattern-not-regex: ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/32$ message: The security group rule allows ingress from public internet. Opening up ports to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range. languages: - hcl severity: WARNING metadata: category: security technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control/ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule#cidr_ipv4 - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.aws.security.aws-ec2-security-group-allows-public-ingress.aws-ec2-security-group-allows-public-ingress shortlink: https://sg.run/JyWP semgrep.dev: rule: r_id: 59946 rv_id: 1263713 rule_id: 0oUNOq version_id: 5PTo1bg url: https://semgrep.dev/playground/r/5PTo1bg/terraform.aws.security.aws-ec2-security-group-allows-public-ingress.aws-ec2-security-group-allows-public-ingress origin: community - id: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal patterns: - pattern-inside: | resource "aws_ecr_repository_policy" $ANYTHING { ... } - pattern-either: - patterns: - pattern: policy = "$JSONPOLICY" - metavariable-pattern: metavariable: $JSONPOLICY language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Principal": "*", ...} - pattern: | {..., "Principal": [..., "*", ...], ...} - pattern: | {..., "Principal": { "AWS": "*" }, ...} - pattern: | {..., "Principal": { "AWS": [..., "*", ...] }, ...} - patterns: - pattern-inside: policy = jsonencode(...) - pattern-not-inside: | {..., Effect = "Deny", ...} - pattern-either: - pattern: | {..., Principal = "*", ...} - pattern: | {..., Principal = [..., "*", ...], ...} - pattern: | {..., Principal = { AWS = "*" }, ...} - pattern: | {..., Principal = { AWS = [..., "*", ...] }, ...} message: Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege. metadata: category: security technology: - aws - terraform owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy - https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal shortlink: https://sg.run/nzqb semgrep.dev: rule: r_id: 48636 rv_id: 1263717 rule_id: qNUzov version_id: BjTkZ6A url: https://semgrep.dev/playground/r/BjTkZ6A/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version pattern: | resource "aws_elasticsearch_domain" $ANYTHING { ... domain_endpoint_options { ... enforce_https = true tls_security_policy = "Policy-Min-TLS-1-0-2019-07" ... } ... } message: Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set "tls_security_policy" equal to "Policy-Min-TLS-1-2-2019-07". languages: - terraform severity: WARNING metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - aws - terraform references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version shortlink: https://sg.run/PYlq semgrep.dev: rule: r_id: 19045 rv_id: 1263718 rule_id: YGUle7 version_id: DkTRbA5 url: https://semgrep.dev/playground/r/DkTRbA5/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version origin: community - id: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk patterns: - pattern: | resource "aws_fsx_lustre_file_system" $ANYTHING { ... } - pattern-not-inside: | resource "aws_fsx_lustre_file_system" $ANYTHING { ... kms_key_id = ... ... } - pattern-regex: (^aws_kms_key\.(.*)) message: Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk shortlink: https://sg.run/oNG9 semgrep.dev: rule: r_id: 17360 rv_id: 1263721 rule_id: JDU6gw version_id: K3TKk1l url: https://semgrep.dev/playground/r/K3TKk1l/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk patterns: - pattern: | resource "aws_fsx_lustre_file_system" $ANYTHING { ... } - pattern-not-inside: | resource "aws_fsx_lustre_file_system" $ANYTHING { ... kms_key_id = ... ... } message: Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-311: Missing Encryption of Sensitive Data' references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk shortlink: https://sg.run/zJ6G semgrep.dev: rule: r_id: 17361 rv_id: 1263722 rule_id: 5rUp50 version_id: qkTR73q url: https://semgrep.dev/playground/r/qkTR73q/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal patterns: - pattern-inside: | resource "aws_glacier_vault" $ANYTHING { ... } - pattern: access_policy = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-inside: | {..., "Effect": "Allow", ...} - pattern-either: - pattern: | "Principal": "*" - pattern: | "Principal": {..., "AWS": "*", ...} - pattern-inside: | "Principal": {..., "AWS": ..., ...} - pattern-regex: | (^\"arn:aws:iam::\*:(.*)\"$) message: 'Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.' metadata: category: security technology: - aws owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal shortlink: https://sg.run/XN9K semgrep.dev: rule: r_id: 17364 rv_id: 1263723 rule_id: AbUeYK version_id: l4TJRGB url: https://semgrep.dev/playground/r/l4TJRGB/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal origin: community languages: - hcl severity: ERROR - id: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin patterns: - pattern-inside: | resource "aws_ssoadmin_permission_set_inline_policy" $ANYTHING { ... } - pattern: inline_policy = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Action": [..., "*", ...], "Resource": [..., "*", ...], ...} - pattern: | {..., "Action": "*", "Resource": "*", ...} - pattern: | {..., "Action": "*", "Resource": [...], ...} - pattern: | {..., "Action": [...], "Resource": "*", ...} message: Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege. metadata: category: security technology: - aws owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin shortlink: https://sg.run/jzgY semgrep.dev: rule: r_id: 17365 rv_id: 1263724 rule_id: BYUzY5 version_id: YDTZe9q url: https://semgrep.dev/playground/r/YDTZe9q/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin origin: community languages: - hcl severity: ERROR - id: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy patterns: - pattern-inside: | resource "aws_iam_policy" $ANYTHING { ... } - pattern: policy = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Action": [..., "*", ...], "Resource": [..., "*", ...], ...} - pattern: | {..., "Action": "*", "Resource": "*", ...} - pattern: | {..., "Action": "*", "Resource": [...], ...} - pattern: | {..., "Action": [...], "Resource": "*", ...} message: Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege. metadata: category: security technology: - aws - terraform owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy shortlink: https://sg.run/1zbw semgrep.dev: rule: r_id: 17366 rv_id: 1263725 rule_id: DbUx8l version_id: 6xT29Pv url: https://semgrep.dev/playground/r/6xT29Pv/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy origin: community languages: - hcl severity: ERROR - id: terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version patterns: - pattern-either: - pattern: | resource "aws_api_gateway_domain_name" $ANYTHING { ... security_policy = "..." ... } - pattern: | resource "aws_apigatewayv2_domain_name" $ANYTHING { ... domain_name_configuration {...} ... } - pattern-not: | resource "aws_api_gateway_domain_name" $ANYTHING { ... security_policy = "TLS_1_2" ... } - pattern-not: | resource "aws_apigatewayv2_domain_name" $ANYTHING { ... domain_name_configuration { ... security_policy = "TLS_1_2" ... } } message: Detected AWS API Gateway to be using an insecure version of TLS. To fix this issue make sure to set "security_policy" equal to "TLS_1_2". languages: - terraform severity: WARNING metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures category: security technology: - aws - terraform references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version shortlink: https://sg.run/p98J semgrep.dev: rule: r_id: 18818 rv_id: 1263726 rule_id: v8UOle version_id: o5TbD8k url: https://semgrep.dev/playground/r/o5TbD8k/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version origin: community - id: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration patterns: - pattern: | resource "aws_redshift_parameter_group" $ANYTHING { ... } - pattern-not-inside: | resource "aws_redshift_parameter_group" $ANYTHING { ... parameter { name = "require_ssl" value = "true" } ... } - pattern-not-inside: | resource "aws_redshift_parameter_group" $ANYTHING { ... parameter { name = "require_ssl" value = true } ... } message: Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `"true"`. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration shortlink: https://sg.run/yPYx semgrep.dev: rule: r_id: 17368 rv_id: 1263727 rule_id: 0oUrOj version_id: zyTb27A url: https://semgrep.dev/playground/r/zyTb27A/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration origin: community languages: - hcl severity: WARNING - id: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal patterns: - pattern-inside: | resource "aws_kms_key" $ANYTHING { ... } - pattern: policy = "$STATEMENT" - metavariable-pattern: metavariable: $STATEMENT language: json patterns: - pattern-not-inside: | {..., "Effect": "Deny", ...} - pattern-either: - pattern: | {..., "Principal": "*", "Action": "kms:*", "Resource": "*", ...} - pattern: | {..., "Principal": [..., "*", ...], "Action": "kms:*", "Resource": "*", ...} - pattern: | {..., "Principal": { "AWS": "*" }, "Action": "kms:*", "Resource": "*", ...} - pattern: | {..., "Principal": { "AWS": [..., "*", ...] }, "Action": "kms:*", "Resource": "*", ...} message: Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege. metadata: category: security technology: - aws - terraform owasp: - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' references: - https://cwe.mitre.org/data/definitions/732.html cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal shortlink: https://sg.run/Nwlp semgrep.dev: rule: r_id: 17371 rv_id: 1263729 rule_id: lBUWPD version_id: 2KTv2J4 url: https://semgrep.dev/playground/r/2KTv2J4/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal origin: community languages: - hcl severity: ERROR - id: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation patterns: - pattern-either: - pattern: | resource "aws_kms_key" $ANYTHING { ... enable_key_rotation = false ... } - pattern: | resource "aws_kms_key" $ANYTHING { ... customer_master_key_spec = "SYMMETRIC_DEFAULT" enable_key_rotation = false ... } - pattern: | resource "aws_kms_key" $ANYTHING { ... } - pattern-not-inside: | resource "aws_kms_key" $ANYTHING { ... enable_key_rotation = true ... } - pattern-not-inside: | resource "aws_kms_key" $ANYTHING { ... customer_master_key_spec = "RSA_2096" ... } message: The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation shortlink: https://sg.run/kz47 semgrep.dev: rule: r_id: 17372 rv_id: 1263730 rule_id: PeU0L3 version_id: X0Tzy67 url: https://semgrep.dev/playground/r/X0Tzy67/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation origin: community - id: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials patterns: - pattern-inside: | resource "$ANYTING" $ANYTHING { ... environment { variables = { ... } } ... } - pattern-either: - pattern-inside: | AWS_ACCESS_KEY_ID = "$Y" - pattern-regex: | (?($PAYLOAD, ...) - pattern: new ResponseEntity<$ERROR>($PAYLOAD, ...) - pattern: ResponseEntity. ... .body($PAYLOAD) - patterns: - pattern: | ResponseEntity.$RESPFUNC($PAYLOAD). ... - metavariable-regex: metavariable: $RESPFUNC regex: ^(ok|of)$ - focus-metavariable: $PAYLOAD pattern-sanitizers: - pattern-either: - pattern: Encode.forHtml(...) - pattern: (PolicyFactory $POLICY).sanitize(...) - pattern: (AntiSamy $AS).scan(...) - pattern: JSoup.clean(...) - id: java.spring.security.injection.tainted-sql-string.tainted-sql-string languages: - java severity: ERROR message: User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library. metadata: cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html category: security technology: - spring cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/9rzz semgrep.dev: rule: r_id: 14767 rv_id: 1409396 rule_id: 10UdRR version_id: 44TbKvr url: https://semgrep.dev/playground/r/44TbKvr/java.spring.security.injection.tainted-sql-string.tainted-sql-string origin: community options: taint_assume_safe_numbers: true taint_assume_safe_booleans: true interfile: true mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) { ... } - pattern-inside: | $METHODNAME(..., @$REQ $TYPE $SOURCE,...) { ... } - metavariable-regex: metavariable: $REQ regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue) - metavariable-regex: metavariable: $TYPE regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean)) - focus-metavariable: $SOURCE pattern-sinks: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR".concat(...) - patterns: - pattern-inside: | StringBuilder $SB = new StringBuilder("$SQLSTR"); ... - pattern: $SB.append(...) - patterns: - pattern-inside: | $VAR = "$SQLSTR"; ... - pattern: $VAR += ... - pattern: String.format("$SQLSTR", ...) - patterns: - pattern-inside: | String $VAR = "$SQLSTR"; ... - pattern: String.format($VAR, ...) - pattern-not-inside: System.out.println(...) - pattern-not-inside: $LOG.info(...) - pattern-not-inside: $LOG.warn(...) - pattern-not-inside: $LOG.warning(...) - pattern-not-inside: $LOG.debug(...) - pattern-not-inside: $LOG.debugging(...) - pattern-not-inside: $LOG.error(...) - pattern-not-inside: new Exception(...) - pattern-not-inside: throw ...; - metavariable-regex: metavariable: $SQLSTR regex: (?i)(select|delete|insert|create|update|alter|drop)\b - id: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run message: Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability. metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection category: security technology: - deno references: - https://deno.land/manual/examples/subprocess#simple-example cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run shortlink: https://sg.run/Nrrn semgrep.dev: rule: r_id: 9927 rv_id: 1409397 rule_id: x8UWWg version_id: PkTe7AP url: https://semgrep.dev/playground/r/PkTe7AP/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: function ... (..., $ARG,...) {...} - focus-metavariable: $ARG pattern-sinks: - patterns: - pattern-either: - pattern: | Deno.run({cmd: [$INPUT,...]},...) - pattern: | Deno.run({cmd: ["=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$INPUT,...]},...) - patterns: - pattern: | Deno.run({cmd: [$CMD,"-c",$INPUT,...]},...) - pattern-inside: | $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/" ... - focus-metavariable: $INPUT - id: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal message: Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' category: security references: - https://owasp.org/www-community/attacks/Path_Traversal technology: - javascript - node.js cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal shortlink: https://sg.run/OPqk semgrep.dev: rule: r_id: 9331 rv_id: 1409398 rule_id: 8GUjrq version_id: JdTnO7r url: https://semgrep.dev/playground/r/JdTnO7r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - focus-metavariable: $X - pattern-either: - pattern-inside: | function ... (...,$X,...) {...} - pattern-inside: | function ... (...,{...,$X,...},...) {...} pattern-sinks: - patterns: - focus-metavariable: $SINK - pattern-either: - pattern-inside: | $PATH = require('path'); ... - pattern-inside: | import $PATH from 'path'; ... - pattern-either: - pattern: $PATH.join(...,$SINK,...) - pattern: $PATH.resolve(...,$SINK,...) - patterns: - focus-metavariable: $SINK - pattern-inside: | import 'path'; ... - pattern-either: - pattern-inside: path.join(...,$SINK,...) - pattern-inside: path.resolve(...,$SINK,...) pattern-sanitizers: - pattern: $Y.replace(...) - pattern: $Y.indexOf(...) - pattern: | function ... (...) { ... <... $Y.indexOf(...) ...> ... } - patterns: - pattern: $FUNC(...) - metavariable-regex: metavariable: $FUNC regex: sanitize - id: javascript.lang.security.detect-child-process.detect-child-process message: 'Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. ' metadata: cwe: - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS Command Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js category: security technology: - javascript cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Command Injection source: https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process shortlink: https://sg.run/l2lo semgrep.dev: rule: r_id: 9313 rv_id: 1409399 rule_id: 10UKNB version_id: 5PT7KnG url: https://semgrep.dev/playground/r/5PT7KnG/javascript.lang.security.detect-child-process.detect-child-process origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: | function ... (...,$FUNC,...) { ... } - focus-metavariable: $FUNC pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $CP = require('child_process') ... - pattern-inside: | import * as $CP from 'child_process' ... - pattern-inside: | import $CP from 'child_process' ... - pattern-either: - pattern: $CP.exec($CMD,...) - pattern: $CP.execSync($CMD,...) - pattern: $CP.spawn($CMD,...) - pattern: $CP.spawnSync($CMD,...) - pattern-not-inside: $CP.$EXEC("...",...) - pattern-not-inside: $CP.$EXEC(["...",...],...) - pattern-not-inside: | $CMD = "..." ... - pattern-not-inside: | $CMD = ["...",...] ... - focus-metavariable: $CMD - patterns: - pattern-either: - pattern: child_process.exec($CMD,...) - pattern: child_process.execSync($CMD,...) - pattern: child_process.spawn($CMD,...) - pattern: child_process.spawnSync($CMD,...) - pattern-not-inside: child_process.$EXEC("...",...) - pattern-not-inside: child_process.$EXEC(["...",...],...) - pattern-not-inside: | $CMD = "..." ... - pattern-not-inside: | $CMD = ["...",...] ... - focus-metavariable: $CMD - id: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization metadata: owasp: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures cwe: - 'CWE-502: Deserialization of Untrusted Data' references: - https://docs.python.org/3/library/pickle.html category: security technology: - django cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization shortlink: https://sg.run/9oyr semgrep.dev: rule: r_id: 9467 rv_id: 1409400 rule_id: OrU3e6 version_id: GxTlb9e url: https://semgrep.dev/playground/r/GxTlb9e/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization origin: community message: Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities. languages: - python severity: ERROR mode: taint pattern-sources: - pattern-either: - patterns: - pattern-inside: | def $INSIDE(..., $PARAM, ...): ... - pattern-either: - pattern: request.$REQFUNC(...) - pattern: request.$REQFUNC.get(...) - pattern: request.$REQFUNC[...] pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern: | pickle.$PICKLEFUNC(...) - pattern: | _pickle.$PICKLEFUNC(...) - pattern: | cPickle.$PICKLEFUNC(...) - pattern: | shelve.$PICKLEFUNC(...) - metavariable-regex: metavariable: $PICKLEFUNC regex: dumps|dump|load|loads - patterns: - pattern: dill.$DILLFUNC(...) - metavariable-regex: metavariable: $DILLFUNC regex: dump|dump_session|dumps|load|load_session|loads - patterns: - pattern: yaml.$YAMLFUNC(...) - pattern-not: yaml.$YAMLFUNC(..., Dumper=SafeDumper, ...) - pattern-not: yaml.$YAMLFUNC(..., Dumper=yaml.SafeDumper, ...) - pattern-not: yaml.$YAMLFUNC(..., Loader=SafeLoader, ...) - pattern-not: yaml.$YAMLFUNC(..., Loader=yaml.SafeLoader, ...) - metavariable-regex: metavariable: $YAMLFUNC regex: dump|dump_all|load|load_all - id: python.flask.security.injection.raw-html-concat.raw-html-format languages: - python severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`flask.render_template`) which will safely render HTML instead. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - flask references: - https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/python.flask.security.injection.raw-html-concat.raw-html-format shortlink: https://sg.run/Pb7e semgrep.dev: rule: r_id: 14389 rv_id: 1409401 rule_id: GdUrJv version_id: RGTEN1l url: https://semgrep.dev/playground/r/RGTEN1l/python.flask.security.injection.raw-html-concat.raw-html-format origin: community mode: taint pattern-sanitizers: - pattern: jinja2.escape(...) - pattern: flask.escape(...) - patterns: - pattern: flask.render_template($TPL, ...) - metavariable-regex: metavariable: $TPL regex: .*\.html pattern-sources: - patterns: - pattern-either: - pattern: flask.request.$ANYTHING - patterns: - pattern-inside: | @$APP.route(...) def $FUNC(..., $ROUTEVAR, ...): ... - pattern: $ROUTEVAR pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: '"$HTMLSTR" % ...' - pattern: '"$HTMLSTR".format(...)' - pattern: '"$HTMLSTR" + ...' - pattern: f"$HTMLSTR{...}..." - patterns: - pattern-inside: | $HTML = "$HTMLSTR" ... - pattern-either: - pattern: $HTML % ... - pattern: $HTML.format(...) - pattern: $HTML + ... - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - id: python.flask.security.injection.tainted-sql-string.tainted-sql-string message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries. metadata: cwe: - 'CWE-704: Incorrect Type Conversion or Cast' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column category: security technology: - sqlalchemy - flask subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/JxZj semgrep.dev: rule: r_id: 14702 rv_id: 1409402 rule_id: YGUDKQ version_id: A8TEvb4 url: https://semgrep.dev/playground/r/A8TEvb4/python.flask.security.injection.tainted-sql-string.tainted-sql-string origin: community severity: ERROR languages: - python mode: taint pattern-sources: - patterns: - pattern-either: - pattern: flask.request.$ANYTHING - patterns: - pattern-inside: | @$APP.route(...) def $FUNC(..., $ROUTEVAR, ...): ... - pattern: $ROUTEVAR pattern-sinks: - patterns: - pattern-either: - pattern: | "$SQLSTR" + ... - pattern: | "$SQLSTR" % ... - pattern: | "$SQLSTR".format(...) - pattern: | f"$SQLSTR{...}..." - metavariable-regex: metavariable: $SQLSTR regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.* - id: python.flask.security.injection.tainted-url-host.tainted-url-host languages: - python message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: - A10:2021 - Server-Side Request Forgery (SSRF) - A01:2025 - Broken Access Control references: - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html category: security technology: - flask cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Server-Side Request Forgery (SSRF) source: https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host shortlink: https://sg.run/RXpK semgrep.dev: rule: r_id: 14649 rv_id: 1409403 rule_id: ReU3Wb version_id: BjTy42w url: https://semgrep.dev/playground/r/BjTy42w/python.flask.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: '"$URLSTR" % ...' - metavariable-pattern: metavariable: $URLSTR language: generic patterns: - pattern-either: - pattern: $SCHEME://%s - pattern: $SCHEME://%r - patterns: - pattern: '"$URLSTR".format(...)' - metavariable-pattern: metavariable: $URLSTR language: generic pattern: $SCHEME:// { ... } - patterns: - pattern: '"$URLSTR" + ...' - metavariable-regex: metavariable: $URLSTR regex: .*://$ - patterns: - pattern: f"$URLSTR{...}..." - metavariable-regex: metavariable: $URLSTR regex: .*://$ - patterns: - pattern-inside: | $URL = "$URLSTR" ... - pattern: $URL += ... - metavariable-regex: metavariable: $URLSTR regex: .*://$ pattern-sources: - patterns: - pattern-either: - pattern: flask.request.$ANYTHING - patterns: - pattern-inside: | @$APP.route(...) def $FUNC(..., $ROUTEVAR, ...): ... - pattern: $ROUTEVAR severity: WARNING - id: python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args mode: taint options: symbolic_propagation: true pattern-sources: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: os.environ - pattern: os.environ.get('$FOO', ...) - pattern: os.environb - pattern: os.environb.get('$FOO', ...) - pattern: os.getenv('$ANYTHING', ...) - pattern: os.getenvb('$ANYTHING', ...) - patterns: - pattern-either: - patterns: - pattern-either: - pattern: sys.argv - pattern: sys.orig_argv - patterns: - pattern-inside: | $PARSER = argparse.ArgumentParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-inside: | $PARSER = optparse.OptionParser(...) ... - pattern-inside: | $ARGS = $PARSER.parse_args() - pattern: <... $ARGS ...> - patterns: - pattern-either: - pattern-inside: | $OPTS, $ARGS = getopt.getopt(...) ... - pattern-inside: | $OPTS, $ARGS = getopt.gnu_getopt(...) ... - pattern-either: - patterns: - pattern-inside: | for $O, $A in $OPTS: ... - pattern: $A - pattern: $ARGS pattern-sinks: - patterns: - pattern-inside: | _xxsubinterpreters.run_string($ID, $PAYLOAD, ...) - pattern-not: | _xxsubinterpreters.run_string($ID, "...", ...) - pattern: $PAYLOAD message: Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://bugs.python.org/issue43472 - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ category: security technology: - python confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args shortlink: https://sg.run/oLl9 semgrep.dev: rule: r_id: 27260 rv_id: 1409404 rule_id: GdUkxO version_id: DkTwBzO url: https://semgrep.dev/playground/r/DkTwBzO/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args origin: community severity: WARNING languages: - python - id: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | cookies[...] - patterns: - pattern: | cookies. ... .$PROPERTY[...] - metavariable-regex: metavariable: $PROPERTY regex: (?!signed|encrypted) - pattern: | params[...] - pattern: | request.env[...] - patterns: - pattern: $Y - pattern-either: - pattern-inside: | $RECORD.read_attribute($Y) - pattern-inside: | $RECORD[$Y] - metavariable-regex: metavariable: $RECORD regex: '[A-Z][a-z]+' pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: $Y - pattern-inside: | /...#{...}.../ - patterns: - pattern: $Y - pattern-inside: | Regexp.new(...) message: Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking. languages: - ruby severity: ERROR metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_regex_dos.rb category: security cwe: - 'CWE-1333: Inefficient Regular Expression Complexity' owasp: - A03:2017 - Sensitive Data Exposure technology: - ruby - rails references: - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Denial-of-Service (DoS) source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos shortlink: https://sg.run/qZwx semgrep.dev: rule: r_id: 20156 rv_id: 1409406 rule_id: YGUY4R version_id: 0bTG0WO url: https://semgrep.dev/playground/r/0bTG0WO/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos origin: community - id: ruby.rails.security.injection.raw-html-format.raw-html-format languages: - ruby severity: WARNING message: Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection category: security technology: - rails references: - https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/ - https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format shortlink: https://sg.run/b2JQ semgrep.dev: rule: r_id: 14470 rv_id: 1409408 rule_id: kxUwZX version_id: qkTvgYY url: https://semgrep.dev/playground/r/qkTvgYY/ruby.rails.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sanitizers: - pattern-either: - pattern: sanitize(...) - pattern: strip_tags(...) pattern-sources: - patterns: - pattern-either: - pattern: params - pattern: request pattern-sinks: - patterns: - pattern-either: - patterns: - pattern: | $HTMLSTR - pattern-regex: <\w+.* - patterns: - pattern-either: - pattern: Kernel::sprintf("$HTMLSTR", ...) - pattern: | "$HTMLSTR" + $EXPR - pattern: | "$HTMLSTR" % $EXPR - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - id: typescript.react.security.audit.react-href-var.react-href-var message: Detected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within your application. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://reactjs.org/blog/2019/08/08/react-v16.9.0.html#deprecating-javascript-urls - https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part1.html category: security confidence: LOW technology: - react cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/typescript.react.security.audit.react-href-var.react-href-var shortlink: https://sg.run/bDZZ semgrep.dev: rule: r_id: 9770 rv_id: 1409409 rule_id: OrUGkk version_id: l4TpqQ4 url: https://semgrep.dev/playground/r/l4TpqQ4/typescript.react.security.audit.react-href-var.react-href-var origin: community languages: - typescript - javascript severity: WARNING mode: taint pattern-sources: - label: TAINTED patterns: - pattern-either: - pattern-inside: | function ...({..., $X, ...}) { ... } - pattern-inside: | function ...(..., $X, ...) { ... } - focus-metavariable: $X - pattern-either: - pattern: $X.$Y - pattern: $X[...] - pattern-not-inside: | $F. ... .$SANITIZEUNC(...) - label: CONCAT requires: TAINTED patterns: - pattern-either: - pattern: | `...${$X}...` - pattern: | $SANITIZE + <... $X ...> - pattern-not: | `${$X}...` - pattern-not: | $X + ... - focus-metavariable: $X - label: CLEAN by-side-effect: true patterns: - pattern-either: - pattern: $A($SOURCE) - pattern: $SANITIZE. ... .$A($SOURCE) - pattern: $A. ... .$SANITIZE($SOURCE) - focus-metavariable: $SOURCE - metavariable-regex: metavariable: $A regex: (?i)(.*valid|.*sanitiz) pattern-sinks: - requires: TAINTED and not CONCAT and not CLEAN patterns: - focus-metavariable: $X - pattern-either: - pattern: | <$EL href={$X} /> - pattern: | React.createElement($EL, {href: $X}) - pattern-inside: | $PARAMS = {href: $X}; ... React.createElement($EL, $PARAMS); - metavariable-pattern: patterns: - pattern-not-regex: (?i)(button) metavariable: $EL - id: ai.ai-best-practices.llm-output-to-exec.llm-output-to-exec-python.llm-output-to-exec-python mode: taint languages: - python severity: ERROR message: LLM API response data flows into a dangerous code execution function (eval, exec, subprocess, os.system). This enables code injection attacks where a compromised or manipulated LLM response can execute arbitrary code on the host system. Validate and sandbox LLM outputs before execution. metadata: cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' category: security confidence: HIGH subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - openai - anthropic - gemini references: - https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/ai.ai-best-practices.llm-output-to-exec.llm-output-to-exec-python.llm-output-to-exec-python shortlink: https://sg.run/EroyN semgrep.dev: rule: r_id: 288837 rv_id: 1413395 rule_id: ZqU7xGB version_id: 5PT72kR url: https://semgrep.dev/playground/r/5PT72kR/ai.ai-best-practices.llm-output-to-exec.llm-output-to-exec-python.llm-output-to-exec-python origin: community pattern-sources: - pattern: $CLIENT.chat.completions.create(...) - pattern: $CLIENT.messages.create(...) - pattern: $MODEL.generate_content(...) - pattern: $CLIENT.chat(...) pattern-sinks: - patterns: - pattern: eval($SINK) - focus-metavariable: $SINK - patterns: - pattern: exec($SINK) - focus-metavariable: $SINK - patterns: - pattern: subprocess.run($SINK, ..., shell=True) - focus-metavariable: $SINK - patterns: - pattern: subprocess.call($SINK, ..., shell=True) - focus-metavariable: $SINK - patterns: - pattern: subprocess.Popen($SINK, ..., shell=True) - focus-metavariable: $SINK - patterns: - pattern: os.system($SINK) - focus-metavariable: $SINK - id: ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-javascript.mistral-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: Mistral API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - mistral references: - https://docs.mistral.ai/getting-started/quickstart/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-javascript.mistral-hardcoded-api-key-javascript shortlink: https://sg.run/7gJn2 semgrep.dev: rule: r_id: 288838 rv_id: 1413396 rule_id: nJU8JGl version_id: GxTlKj3 url: https://semgrep.dev/playground/r/GxTlKj3/ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-javascript.mistral-hardcoded-api-key-javascript origin: community pattern: | new Mistral({apiKey: "$KEY", ...}) - id: ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-python.mistral-hardcoded-api-key-python languages: - python severity: ERROR message: Mistral API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - mistral references: - https://docs.mistral.ai/getting-started/quickstart/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-python.mistral-hardcoded-api-key-python shortlink: https://sg.run/Lrv36 semgrep.dev: rule: r_id: 288839 rv_id: 1413397 rule_id: EwUpvqy version_id: RGTEZe7 url: https://semgrep.dev/playground/r/RGTEZe7/ai.ai-best-practices.mistral-hardcoded-api-key.mistral-hardcoded-api-key-python.mistral-hardcoded-api-key-python origin: community pattern-either: - pattern: Mistral(api_key="$KEY", ...) - pattern: MistralClient(api_key="$KEY", ...) - id: ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-javascript.mistral-missing-safe-prompt-javascript languages: - javascript - typescript severity: WARNING message: Mistral chat completion called without 'safe_prompt' parameter. Setting safePrompt=true enables Mistral's built-in safety guardrailing. See https://docs.mistral.ai/capabilities/guardrailing/ metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - mistral references: - https://docs.mistral.ai/capabilities/guardrailing/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-javascript.mistral-missing-safe-prompt-javascript shortlink: https://sg.run/8x5gN semgrep.dev: rule: r_id: 288840 rv_id: 1413398 rule_id: 7KU1ZW6 version_id: A8TEZkD url: https://semgrep.dev/playground/r/A8TEZkD/ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-javascript.mistral-missing-safe-prompt-javascript origin: community patterns: - pattern: $CLIENT.chat.complete({...}) - pattern-not: '$CLIENT.chat.complete({..., safePrompt: $SP, ...})' - id: ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-python.mistral-missing-safe-prompt-python languages: - python severity: WARNING message: Mistral chat completion called without 'safe_prompt' parameter. Setting safe_prompt=True enables Mistral's built-in safety guardrailing. See https://docs.mistral.ai/capabilities/guardrailing/ metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - mistral references: - https://docs.mistral.ai/capabilities/guardrailing/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-python.mistral-missing-safe-prompt-python shortlink: https://sg.run/gpoX0 semgrep.dev: rule: r_id: 288841 rv_id: 1413399 rule_id: L1U29PD version_id: BjTynxR url: https://semgrep.dev/playground/r/BjTynxR/ai.ai-best-practices.mistral-missing-safe-prompt.mistral-missing-safe-prompt-python.mistral-missing-safe-prompt-python origin: community patterns: - pattern: $CLIENT.chat.complete(...) - pattern-not: $CLIENT.chat.complete(..., safe_prompt=$SP, ...) - id: ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-js.mistral-user-input-in-system-prompt-js mode: taint languages: - javascript - typescript severity: ERROR message: User input flows into the Mistral system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or move user input to the 'user' role message instead. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - mistral references: - https://docs.mistral.ai/capabilities/guardrailing/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-js.mistral-user-input-in-system-prompt-js shortlink: https://sg.run/Qw36Z semgrep.dev: rule: r_id: 288842 rv_id: 1413400 rule_id: 8GUqgA7 version_id: DkTwZqA url: https://semgrep.dev/playground/r/DkTwZqA/ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-js.mistral-user-input-in-system-prompt-js origin: community pattern-sources: - pattern: req.body.$F - pattern: req.query.$F - pattern: req.params.$F - pattern: req.body pattern-sinks: - patterns: - pattern: | {role: "system", content: $SINK} - focus-metavariable: $SINK - id: ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-python.mistral-user-input-in-system-prompt-python mode: taint languages: - python severity: ERROR message: User input flows into the Mistral system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or move user input to the 'user' role message instead. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - mistral references: - https://docs.mistral.ai/capabilities/guardrailing/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-python.mistral-user-input-in-system-prompt-python shortlink: https://sg.run/3en8K semgrep.dev: rule: r_id: 288843 rv_id: 1413401 rule_id: gxUAEJR version_id: WrT7AO4 url: https://semgrep.dev/playground/r/WrT7AO4/ai.ai-best-practices.mistral-user-input-in-system-prompt.mistral-user-input-in-system-prompt-python.mistral-user-input-in-system-prompt-python origin: community pattern-sources: - pattern: request.args.get(...) - pattern: request.form[...] - pattern: request.form.get(...) - pattern: request.json[...] - pattern: request.json.get(...) - pattern: request.data - pattern: request.GET[...] - pattern: request.GET.get(...) - pattern: request.POST[...] - pattern: request.POST.get(...) pattern-sinks: - patterns: - pattern: | {"role": "system", "content": $SINK} - focus-metavariable: $SINK - id: ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-go.openai-hardcoded-api-key-go languages: - go severity: ERROR message: OpenAI API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai references: - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-go.openai-hardcoded-api-key-go shortlink: https://sg.run/4BXl5 semgrep.dev: rule: r_id: 288844 rv_id: 1413402 rule_id: QrU7An5 version_id: 0bTGYyb url: https://semgrep.dev/playground/r/0bTGYyb/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-go.openai-hardcoded-api-key-go origin: community patterns: - pattern: openai.NewClient("$KEY") - metavariable-regex: metavariable: $KEY regex: ^sk- - id: ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-java.openai-hardcoded-api-key-java languages: - java severity: ERROR message: OpenAI API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai references: - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-java.openai-hardcoded-api-key-java shortlink: https://sg.run/P9vgz semgrep.dev: rule: r_id: 288845 rv_id: 1413403 rule_id: 3qUpW6n version_id: K3Tg6nL url: https://semgrep.dev/playground/r/K3Tg6nL/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-java.openai-hardcoded-api-key-java origin: community patterns: - pattern: new OpenAiService("$KEY") - metavariable-regex: metavariable: $KEY regex: ^sk- - id: ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-javascript.openai-hardcoded-api-key-javascript languages: - javascript - typescript severity: ERROR message: OpenAI API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai references: - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-javascript.openai-hardcoded-api-key-javascript shortlink: https://sg.run/Jqvey semgrep.dev: rule: r_id: 288846 rv_id: 1413404 rule_id: 4bUA5g4 version_id: qkTvP57 url: https://semgrep.dev/playground/r/qkTvP57/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-javascript.openai-hardcoded-api-key-javascript origin: community patterns: - pattern: | new OpenAI({apiKey: "$KEY", ...}) - metavariable-regex: metavariable: $KEY regex: ^sk- - id: trailofbits.yaml.ansible.dnf-unencrypted-url.dnf-unencrypted-url message: Found dnf download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - dnf confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf_module.html#parameter-name - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf5_module.html#parameter-name license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.dnf-unencrypted-url.dnf-unencrypted-url shortlink: https://sg.run/kx0y1 semgrep.dev: rule: r_id: 113228 rv_id: 833317 rule_id: DbU6R3w version_id: rxTDzGy url: https://semgrep.dev/playground/r/rxTDzGy/trailofbits.yaml.ansible.dnf-unencrypted-url.dnf-unencrypted-url origin: community patterns: - pattern-inside: | $DNF: ... - metavariable-pattern: metavariable: $DNF pattern-either: - pattern: dnf - pattern: ansible.builtin.dnf - pattern: dnf5 - pattern: ansible.builtin.dnf5 - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: name - pattern: pkg - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-python.openai-hardcoded-api-key-python languages: - python severity: ERROR message: OpenAI API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai references: - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-python.openai-hardcoded-api-key-python shortlink: https://sg.run/5W4y0 semgrep.dev: rule: r_id: 288847 rv_id: 1413405 rule_id: PeUW208 version_id: l4TpAl0 url: https://semgrep.dev/playground/r/l4TpAl0/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-python.openai-hardcoded-api-key-python origin: community pattern-either: - patterns: - pattern: OpenAI(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk- - patterns: - pattern: AsyncOpenAI(api_key="$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk- - id: csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override mode: taint pattern-sources: - patterns: - focus-metavariable: $ARG - pattern-inside: | public $T $M(...,string $ARG,...){...} pattern-sinks: - patterns: - pattern: | $XMLDOCUMENT.$METHOD(...) - pattern-inside: "XmlDocument $XMLDOCUMENT = new XmlDocument(...);\n...\n$XMLDOCUMENT.XmlResolver = new XmlUrlResolver(...);\n... \n" message: XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data. languages: - csharp severity: WARNING metadata: category: security references: - https://www.jardinesoftware.net/2016/05/26/xxe-and-net/ - https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks technology: - .net - xml cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe2022-top25: true cwe2021-top25: true subcategory: - vuln impact: MEDIUM likelihood: LOW confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override shortlink: https://sg.run/k98P semgrep.dev: rule: r_id: 18228 rv_id: 1262654 rule_id: ReUK9k version_id: K3TKk5E url: https://semgrep.dev/playground/r/K3TKk5E/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override origin: community - id: generic.secrets.gitleaks.sidekiq-sensitive-url.sidekiq-sensitive-url message: A gitleaks sidekiq-sensitive-url was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.sidekiq-sensitive-url.sidekiq-sensitive-url shortlink: https://sg.run/G0w2 semgrep.dev: rule: r_id: 44792 rv_id: 1262824 rule_id: AbUvGj version_id: 9lT4bWN url: https://semgrep.dev/playground/r/9lT4bWN/generic.secrets.gitleaks.sidekiq-sensitive-url.sidekiq-sensitive-url origin: community patterns: - pattern-regex: (?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$) - id: ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-ruby.openai-hardcoded-api-key-ruby languages: - ruby severity: ERROR message: OpenAI API key is hardcoded in source code. Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai references: - https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-ruby.openai-hardcoded-api-key-ruby shortlink: https://sg.run/GRvyq semgrep.dev: rule: r_id: 288848 rv_id: 1413406 rule_id: JDU3G68 version_id: YDTwKNy url: https://semgrep.dev/playground/r/YDTwKNy/ai.ai-best-practices.openai-hardcoded-api-key.openai-hardcoded-api-key-ruby.openai-hardcoded-api-key-ruby origin: community patterns: - pattern: | OpenAI::Client.new(access_token: "$KEY", ...) - metavariable-regex: metavariable: $KEY regex: ^sk- - id: ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-javascript.openai-missing-max-tokens-javascript languages: - javascript - typescript severity: WARNING message: OpenAI chat completion created without 'max_tokens' parameter. Setting max_tokens prevents unexpectedly long or expensive responses and limits potential abuse. See https://developers.openai.com/api/docs/guides/safety-best-practices metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-javascript.openai-missing-max-tokens-javascript shortlink: https://sg.run/Rrvyq semgrep.dev: rule: r_id: 288849 rv_id: 1413407 rule_id: 5rUPrpg version_id: 6xTRwZd url: https://semgrep.dev/playground/r/6xTRwZd/ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-javascript.openai-missing-max-tokens-javascript origin: community patterns: - pattern: $CLIENT.chat.completions.create({...}) - pattern-not: '$CLIENT.chat.completions.create({..., max_tokens: $MT, ...})' - id: ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-python.openai-missing-max-tokens-python languages: - python severity: WARNING message: OpenAI chat completion created without 'max_tokens' parameter. Setting max_tokens prevents unexpectedly long or expensive responses and limits potential abuse. See https://developers.openai.com/api/docs/guides/safety-best-practices metadata: cwe: 'CWE-1188: Initialization with an Insecure Default' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-python.openai-missing-max-tokens-python shortlink: https://sg.run/Ajqy2 semgrep.dev: rule: r_id: 288850 rv_id: 1413408 rule_id: GdUxYzE version_id: o5TLpk7 url: https://semgrep.dev/playground/r/o5TLpk7/ai.ai-best-practices.openai-missing-max-tokens.openai-missing-max-tokens-python.openai-missing-max-tokens-python origin: community patterns: - pattern: $CLIENT.chat.completions.create(...) - pattern-not: $CLIENT.chat.completions.create(..., max_tokens=$MT, ...) - id: ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-javascript.openai-missing-refusal-check-javascript languages: - javascript - typescript severity: WARNING message: OpenAI response content accessed without checking for refusal. The model may refuse requests, and accessing .content without checking .refusal first may lead to unexpected behavior. Check response.choices[0].message.refusal before accessing content. metadata: cwe: 'CWE-252: Unchecked Return Value' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-javascript.openai-missing-refusal-check-javascript shortlink: https://sg.run/B2lyA semgrep.dev: rule: r_id: 288851 rv_id: 1413409 rule_id: ReUQnqx version_id: zyTB0j5 url: https://semgrep.dev/playground/r/zyTB0j5/ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-javascript.openai-missing-refusal-check-javascript origin: community patterns: - pattern: $RESP.choices[0].message.content - pattern-not-inside: | if ($RESP.choices[0].message.refusal) { ... } else { ... } - pattern-not-inside: | if (!$RESP.choices[0].message.refusal) { ... } - id: generic.secrets.gitleaks.freshbooks-access-token.freshbooks-access-token message: A gitleaks freshbooks-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.freshbooks-access-token.freshbooks-access-token shortlink: https://sg.run/X3Bb semgrep.dev: rule: r_id: 44720 rv_id: 1262740 rule_id: ZqUk5D version_id: 8KT5rv6 url: https://semgrep.dev/playground/r/8KT5rv6/generic.secrets.gitleaks.freshbooks-access-token.freshbooks-access-token origin: community patterns: - pattern-regex: (?i)(?:freshbooks)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.frameio-api-token.frameio-api-token message: A gitleaks frameio-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.frameio-api-token.frameio-api-token shortlink: https://sg.run/2qxD semgrep.dev: rule: r_id: 44719 rv_id: 1262739 rule_id: d8UOj3 version_id: LjTkgzW url: https://semgrep.dev/playground/r/LjTkgzW/generic.secrets.gitleaks.frameio-api-token.frameio-api-token origin: community patterns: - pattern-regex: fio-u-(?i)[a-z0-9\-_=]{64} - id: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex message: Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function languages: - go severity: ERROR metadata: category: security cwe: 'CWE-667: Improper Locking' subcategory: - vuln confidence: MEDIUM likelihood: HIGH impact: MEDIUM technology: - --no-technology-- description: Missing `RUnlock` on an `RWMutex` lock before returning from a function references: - https://pkg.go.dev/sync#RWMutex - https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex shortlink: https://sg.run/9r40 semgrep.dev: rule: r_id: 14223 rv_id: 937958 rule_id: 8GUzNK version_id: xyTqL9d url: https://semgrep.dev/playground/r/xyTqL9d/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex origin: community patterns: - pattern-either: - pattern: panic(...) - pattern: return ... - metavariable-pattern: metavariable: $T patterns: - pattern: | ($T : sync.RWMutex) - pattern-inside: | $T.RLock() ... - pattern-not-inside: | $T.RUnlock() ... - pattern-not-inside: | defer $T.RUnlock() ... - pattern-not-inside: | defer func(...) { ... $T.RUnlock() ... }(...) ... - pattern-not-inside: "$FOO(..., ..., func(...) { \n ... \n})\n" - pattern-not-inside: | return func(...) { ... $T.RUnlock() ... } - id: generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token message: A gitleaks finnhub-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token shortlink: https://sg.run/YRv4 semgrep.dev: rule: r_id: 44714 rv_id: 1262734 rule_id: wdUqJk version_id: d6Tyx6E url: https://semgrep.dev/playground/r/d6Tyx6E/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token origin: community patterns: - pattern-regex: (?i)(?:finnhub)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: ruby.rails.security.audit.xxe.libxml-backend.libxml-backend languages: - ruby pattern: ActiveSupport::XmlMini.backend = "LibXML" severity: WARNING message: This application is using LibXML as the XML backend. LibXML can be vulnerable to XML External Entities (XXE) vulnerabilities. Use the built-in Rails XML parser, REXML, instead. metadata: references: - https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/ - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html technology: - rails - libxml category: security cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/ruby.rails.security.audit.xxe.libxml-backend.libxml-backend shortlink: https://sg.run/0AXq semgrep.dev: rule: r_id: 29810 rv_id: 1263647 rule_id: oqUdoP version_id: 7ZTE38r url: https://semgrep.dev/playground/r/7ZTE38r/ruby.rails.security.audit.xxe.libxml-backend.libxml-backend origin: community - id: ruby.rails.security.audit.xxe.xml-external-entities-enabled.xml-external-entities-enabled languages: - ruby patterns: - pattern-either: - pattern-inside: | LibXML::XML.class_eval do ... end - pattern-inside: | XML.class_eval do ... end - pattern: XML.default_substitute_entities = true severity: ERROR message: This application is explicitly enabling external entities enabling an attacker to inject malicious XML to exploit an XML External Entities (XXE) vulnerability. This could let the attacker cause a denial-of-service by forcing the parser to parse large files, or at worst, let the attacker download sensitive files or user data. Use the built-in Rails XML parser, REXML, instead. metadata: references: - https://www.stackhawk.com/blog/rails-xml-external-entities-xxe-guide-examples-and-prevention/ - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html technology: - rails - libxml category: security cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/ruby.rails.security.audit.xxe.xml-external-entities-enabled.xml-external-entities-enabled shortlink: https://sg.run/KLvY semgrep.dev: rule: r_id: 29811 rv_id: 1263648 rule_id: zdULN6 version_id: LjTkgjQ url: https://semgrep.dev/playground/r/LjTkgjQ/ruby.rails.security.audit.xxe.xml-external-entities-enabled.xml-external-entities-enabled origin: community - id: generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token message: A gitleaks shopify-custom-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token shortlink: https://sg.run/4Yyz semgrep.dev: rule: r_id: 44788 rv_id: 1262820 rule_id: JDUOPJ version_id: 2KTv2r6 url: https://semgrep.dev/playground/r/2KTv2r6/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token origin: community patterns: - pattern-regex: shpca_[a-fA-F0-9]{32} - id: ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-python.openai-missing-refusal-check-python languages: - python severity: WARNING message: OpenAI response content accessed without checking for refusal. The model may refuse requests, and accessing .content without checking .refusal first may lead to unexpected behavior. Check response.choices[0].message.refusal before accessing content. metadata: cwe: 'CWE-252: Unchecked Return Value' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-python.openai-missing-refusal-check-python shortlink: https://sg.run/D86yP semgrep.dev: rule: r_id: 288852 rv_id: 1413410 rule_id: AbUr0ed version_id: pZT24kl url: https://semgrep.dev/playground/r/pZT24kl/ai.ai-best-practices.openai-missing-refusal-check.openai-missing-refusal-check-python.openai-missing-refusal-check-python origin: community patterns: - pattern: $RESP.choices[0].message.content - pattern-not-inside: | if $RESP.choices[0].message.refusal: ... else: ... - pattern-not-inside: | if $RESP.choices[0].message.refusal is not None: ... else: ... - pattern-not-inside: | if not $RESP.choices[0].message.refusal: ... - id: generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret message: A gitleaks finicity-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret shortlink: https://sg.run/lQ29 semgrep.dev: rule: r_id: 44713 rv_id: 1262733 rule_id: kxUQk2 version_id: vdT06vD url: https://semgrep.dev/playground/r/vdT06vD/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret origin: community patterns: - pattern-regex: (?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: go.lang.correctness.overflow.overflow.integer-overflow-int16 message: Detected conversion of the result of a strconv.Atoi command to an int16. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`. languages: - go severity: WARNING patterns: - pattern: | $F, $ERR := strconv.Atoi($NUM) ... int16($F) - metavariable-comparison: metavariable: $NUM comparison: $NUM > 32767 or $NUM < -32768 strip: true metadata: category: correctness technology: - go license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/go.lang.correctness.overflow.overflow.integer-overflow-int16 shortlink: https://sg.run/Klr6 semgrep.dev: rule: r_id: 9099 rv_id: 945552 rule_id: 0oU5N3 version_id: RGTAgnL url: https://semgrep.dev/playground/r/RGTAgnL/go.lang.correctness.overflow.overflow.integer-overflow-int16 origin: community - id: go.lang.correctness.overflow.overflow.integer-overflow-int32 message: Detected conversion of the result of a strconv.Atoi command to an int32. This could lead to an integer overflow, which could possibly result in unexpected behavior and even privilege escalation. Instead, use `strconv.ParseInt`. languages: - go severity: WARNING patterns: - pattern: | $F, $ERR := strconv.Atoi($NUM) ... int32($F) - metavariable-comparison: metavariable: $NUM comparison: $NUM > 2147483647 or $NUM < -2147483648 strip: true metadata: category: correctness technology: - go license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/go.lang.correctness.overflow.overflow.integer-overflow-int32 shortlink: https://sg.run/4xJE semgrep.dev: rule: r_id: 9100 rv_id: 945553 rule_id: KxUbEk version_id: A8TJz02 url: https://semgrep.dev/playground/r/A8TJz02/go.lang.correctness.overflow.overflow.integer-overflow-int32 origin: community - id: ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-javascript.openai-missing-safety-identifier-javascript languages: - javascript - typescript severity: WARNING message: OpenAI Responses API called without 'safety_identifier' parameter. Include a hashed user identifier to enable abuse monitoring and safety checks. See https://developers.openai.com/api/docs/guides/safety-checks metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-checks/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-javascript.openai-missing-safety-identifier-javascript shortlink: https://sg.run/We4W2 semgrep.dev: rule: r_id: 288853 rv_id: 1413411 rule_id: BYUDJzA version_id: 2KTRoGW url: https://semgrep.dev/playground/r/2KTRoGW/ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-javascript.openai-missing-safety-identifier-javascript origin: community patterns: - pattern: $CLIENT.responses.create({...}) - pattern-not: '$CLIENT.responses.create({..., safety_identifier: $SID, ...})' - id: go.lang.correctness.looppointer.exported_loop_pointer message: '`$VALUE` is a loop pointer that may be exported from the loop. This pointer is shared between loop iterations, so the exported reference will always point to the last loop value, which is likely unintentional. To fix, copy the pointer to a new pointer within the loop.' metadata: references: - https://github.com/kyoh86/looppointer category: correctness technology: - go license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/go.lang.correctness.looppointer.exported_loop_pointer shortlink: https://sg.run/709G semgrep.dev: rule: r_id: 10082 rv_id: 945551 rule_id: 8GUEGx version_id: GxTP7YX url: https://semgrep.dev/playground/r/GxTP7YX/go.lang.correctness.looppointer.exported_loop_pointer origin: community severity: WARNING languages: - go pattern-either: - pattern: | for _, $VALUE := range $SOURCE { <... &($VALUE) ...> } - pattern: | for _, $VALUE := range $SOURCE { <... func() { <... &$VALUE ...> } ...> } - pattern: | for _, $VALUE := range $SOURCE { <... $ANYTHING(..., <... &$VALUE ...>, ...) ...> } - id: dgryski.semgrep-go.hmac-hash.hmac-needs-new patterns: - pattern-either: - pattern: | $H := $HASH.New() ... $FUNC := func() hash.Hash { return $H } ... hmac.New($FUNC, ...) - pattern: | $H := $HASH.New() ... hmac.New(func() hash.Hash { return $H }, ...) - pattern: | hmac.New(func() hash.Hash { return ( $H : hash.Hash) }, ...) message: calling hmac.New with unchanging hash.New languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.hmac-hash.hmac-needs-new shortlink: https://sg.run/Bkdb semgrep.dev: rule: r_id: 8695 rv_id: 833042 rule_id: 0oU5Q8 version_id: WrTdpQp url: https://semgrep.dev/playground/r/WrTdpQp/dgryski.semgrep-go.hmac-hash.hmac-needs-new origin: community - id: ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-python.openai-missing-safety-identifier-python languages: - python severity: WARNING message: OpenAI Responses API called without 'safety_identifier' parameter. Include a hashed user identifier to enable abuse monitoring and safety checks. See https://developers.openai.com/api/docs/guides/safety-checks metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-checks/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-python.openai-missing-safety-identifier-python shortlink: https://sg.run/0gX8j semgrep.dev: rule: r_id: 288854 rv_id: 1413412 rule_id: DbU9Xx5 version_id: X0TY0wW url: https://semgrep.dev/playground/r/X0TY0wW/ai.ai-best-practices.openai-missing-safety-identifier.openai-missing-safety-identifier-python.openai-missing-safety-identifier-python origin: community patterns: - pattern: $CLIENT.responses.create(...) - pattern-not: $CLIENT.responses.create(..., safety_identifier=$SID, ...) - id: generic.secrets.gitleaks.linear-client-secret.linear-client-secret message: A gitleaks linear-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.linear-client-secret.linear-client-secret shortlink: https://sg.run/Jl9W semgrep.dev: rule: r_id: 44746 rv_id: 1262775 rule_id: GdUb7w version_id: O9TpxXR url: https://semgrep.dev/playground/r/O9TpxXR/generic.secrets.gitleaks.linear-client-secret.linear-client-secret origin: community patterns: - pattern-regex: (?i)(?:linear)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-js.openai-missing-system-message-js languages: - javascript - typescript severity: WARNING message: OpenAI chat completion created without a system message. A system message helps establish behavioral guidelines and safety boundaries for the model. metadata: cwe: 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-js.openai-missing-system-message-js shortlink: https://sg.run/Kdvk5 semgrep.dev: rule: r_id: 288855 rv_id: 1413413 rule_id: WAUlGNv version_id: jQT106g url: https://semgrep.dev/playground/r/jQT106g/ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-js.openai-missing-system-message-js origin: community patterns: - pattern: | $CLIENT.chat.completions.create({..., messages: $MSGS, ...}) - metavariable-pattern: metavariable: $MSGS patterns: - pattern: '[..., {role: "user", ...}, ...]' - pattern-not: '[..., {role: "system", ...}, ...]' - id: dgryski.semgrep-go.hmac-bytes.use-hmac-equal patterns: - pattern-either: - pattern: | $MAC = hmac.New(...) ... $H = $MAC.Sum(...) ... bytes.Equal($H, ...) - pattern: | $MAC = hmac.New(...) ... $H = $MAC.Sum(...) ... bytes.Equal(..., $H) message: Comparing a MAC with bytes.Equal() languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.hmac-bytes.use-hmac-equal shortlink: https://sg.run/Avng semgrep.dev: rule: r_id: 8694 rv_id: 833041 rule_id: WAUokA version_id: DkTG0nr url: https://semgrep.dev/playground/r/DkTG0nr/dgryski.semgrep-go.hmac-bytes.use-hmac-equal origin: community - id: generic.secrets.gitleaks.linear-api-key.linear-api-key message: A gitleaks linear-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.linear-api-key.linear-api-key shortlink: https://sg.run/P2JW semgrep.dev: rule: r_id: 44745 rv_id: 1262774 rule_id: 5rUKO6 version_id: xyTjzqw url: https://semgrep.dev/playground/r/xyTjzqw/generic.secrets.gitleaks.linear-api-key.linear-api-key origin: community patterns: - pattern-regex: lin_api_(?i)[a-z0-9]{40} - id: ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-python.openai-missing-system-message-python languages: - python severity: WARNING message: OpenAI chat completion created without a system message. A system message helps establish behavioral guidelines and safety boundaries for the model. metadata: cwe: 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-python.openai-missing-system-message-python shortlink: https://sg.run/q6Wy7 semgrep.dev: rule: r_id: 288856 rv_id: 1413414 rule_id: 0oU7gr4 version_id: 1QTEwbz url: https://semgrep.dev/playground/r/1QTEwbz/ai.ai-best-practices.openai-missing-system-message.openai-missing-system-message-python.openai-missing-system-message-python origin: community patterns: - pattern: | $CLIENT.chat.completions.create(..., messages=$MSGS, ...) - metavariable-pattern: metavariable: $MSGS patterns: - pattern: '[..., {"role": "user", ...}, ...]' - pattern-not: '[..., {"role": "system", ...}, ...]' - id: ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-javascript.openai-missing-user-parameter-javascript languages: - javascript - typescript severity: WARNING message: OpenAI chat completion created without a 'user' parameter. Including a unique user identifier helps OpenAI detect and prevent abuse. See https://platform.openai.com/docs/guides/safety-best-practices metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-javascript.openai-missing-user-parameter-javascript shortlink: https://sg.run/l0GpE semgrep.dev: rule: r_id: 288857 rv_id: 1413415 rule_id: KxUz85l version_id: 9lT39oo url: https://semgrep.dev/playground/r/9lT39oo/ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-javascript.openai-missing-user-parameter-javascript origin: community patterns: - pattern: $CLIENT.chat.completions.create({...}) - pattern-not: '$CLIENT.chat.completions.create({..., user: $USER, ...})' - id: trailofbits.ruby.marshal-load-method.marshal-load-method message: | Found `marshal_load` class method. This implies custom Marshal deserialization is occuring. This can lead to RCE and other deserialization-type bugs. Usage should be audited and, at least, fuzzed. languages: - ruby severity: INFO metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - audit confidence: LOW likelihood: LOW impact: HIGH technology: - ruby references: - https://github.blog/2024-06-20-execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/ - https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization/blob/main/marshal/3.4-rc/marshal-rce-ruby-3.4-rc.rb license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.ruby.marshal-load-method.marshal-load-method shortlink: https://sg.run/NdRrp semgrep.dev: rule: r_id: 205471 rv_id: 1130087 rule_id: 7KUDPeR version_id: l4T6xED url: https://semgrep.dev/playground/r/l4T6xED/trailofbits.ruby.marshal-load-method.marshal-load-method origin: community patterns: - pattern-inside: | class $CLS ... end - pattern: | def marshal_load(...) ... end - id: trailofbits.swift.insecure-url-host-hassuffix-check.insecure-url-host-hassuffix-check message: | Potentially insecure URL host suffix check. Using hasSuffix("domain.com") without a leading dot can match unintended domains like "fakedomain.com" languages: - swift severity: WARNING metadata: category: security cwe: CWE-697 technology: - swift - ios subcategory: - audit confidence: HIGH likelihood: HIGH impact: MEDIUM references: - https://developer.apple.com/documentation/foundation/url/host(percentencoded:) - https://developer.apple.com/documentation/foundation/nsstring/hassuffix(_:) - https://pentesterlab.com/blog/rust-cors-vulnerabilities license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.swift.insecure-url-host-hassuffix-check.insecure-url-host-hassuffix-check shortlink: https://sg.run/e1Rl0 semgrep.dev: rule: r_id: 210176 rv_id: 1142332 rule_id: WAUO650 version_id: yeTZe3n url: https://semgrep.dev/playground/r/yeTZe3n/trailofbits.swift.insecure-url-host-hassuffix-check.insecure-url-host-hassuffix-check origin: community pattern-either: - patterns: - pattern: $X.hasSuffix($SUFFIX) - metavariable-regex: metavariable: $SUFFIX regex: ^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$ - metavariable-regex: metavariable: $X regex: .*\.host - patterns: - pattern-either: - pattern: host?.hasSuffix($SUFFIX) - pattern: host.hasSuffix($SUFFIX) - pattern: self.host?.hasSuffix($SUFFIX) - pattern: self.host.hasSuffix($SUFFIX) - pattern: host?.hasSuffix($SUFFIX) ?? $D - metavariable-regex: metavariable: $SUFFIX regex: ^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$ - pattern-inside: | extension URL { ... } - patterns: - pattern: $VAR.hasSuffix($SUFFIX) - metavariable-regex: metavariable: $SUFFIX regex: ^"(?!\.)[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+"$ - pattern-either: - pattern-inside: | if let $VAR = $_.host { ... } - pattern-inside: | guard let $VAR = $_.host else { ... } ... - pattern-inside: | guard ..., let $VAR = $_.host, ... else { ... } ... - pattern-inside: | let $VAR = $_.host ... - pattern-inside: | var $VAR = $_.host ... - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-nopcloser pattern: ioutil.NopCloser($R) fix: io.NopCloser($R) message: ioutil.NopCloser is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-nopcloser shortlink: https://sg.run/nKzO semgrep.dev: rule: r_id: 14680 rv_id: 833045 rule_id: nJUZAE version_id: qkTQnxy url: https://semgrep.dev/playground/r/qkTQnxy/dgryski.semgrep-go.ioutil.deprecated-ioutil-nopcloser origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-readall pattern: ioutil.ReadAll($R) fix: io.ReadAll($R) message: ioutil.ReadAll is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-readall shortlink: https://sg.run/EvEA semgrep.dev: rule: r_id: 14681 rv_id: 833046 rule_id: EwUKPO version_id: l4TyOvj url: https://semgrep.dev/playground/r/l4TyOvj/dgryski.semgrep-go.ioutil.deprecated-ioutil-readall origin: community - id: dgryski.semgrep-go.joinpath.use-strings-join-path patterns: - pattern-either: - pattern: strings.Join(..., "/") - pattern: strings.Join(..., "\\") - pattern: strings.Join(..., `\`) - pattern: strings.Join(..., os.PathSeparator) message: did you want path.Join() or filepath.Join()? languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.joinpath.use-strings-join-path shortlink: https://sg.run/W8Zy semgrep.dev: rule: r_id: 8697 rv_id: 833053 rule_id: qNUj9G version_id: BjTe0pX url: https://semgrep.dev/playground/r/BjTe0pX/dgryski.semgrep-go.joinpath.use-strings-join-path origin: community - id: generic.secrets.gitleaks.new-relic-user-api-key.new-relic-user-api-key message: A gitleaks new-relic-user-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-user-api-key.new-relic-user-api-key shortlink: https://sg.run/2qbD semgrep.dev: rule: r_id: 44763 rv_id: 1262793 rule_id: j2UGqB version_id: RGT0LAl url: https://semgrep.dev/playground/r/RGT0LAl/generic.secrets.gitleaks.new-relic-user-api-key.new-relic-user-api-key origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: dgryski.semgrep-go.http-ctx-goroutine.http-request-go-context patterns: - pattern-either: - pattern: | $CTX := ($R : *http.Request).Context() ... go $F($CTX, ...) - pattern: | go $F(($R : *http.Request).Context(), ...) message: passing an http-request scoped Context to a goroutine languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.http-ctx-goroutine.http-request-go-context shortlink: https://sg.run/Bq6R semgrep.dev: rule: r_id: 31307 rv_id: 833044 rule_id: KxUg7A version_id: K3Trqjk url: https://semgrep.dev/playground/r/K3Trqjk/dgryski.semgrep-go.http-ctx-goroutine.http-request-go-context origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-discard pattern: ioutil.Discard fix: io.Discard message: ioutil.Discard is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-discard shortlink: https://sg.run/3rOb semgrep.dev: rule: r_id: 14687 rv_id: 833052 rule_id: 3qUjDw version_id: A8T37Xj url: https://semgrep.dev/playground/r/A8T37Xj/dgryski.semgrep-go.ioutil.deprecated-ioutil-discard origin: community - id: ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-python.openai-missing-user-parameter-python languages: - python severity: WARNING message: OpenAI chat completion created without a 'user' parameter. Including a unique user identifier helps OpenAI detect and prevent abuse. See https://platform.openai.com/docs/guides/safety-best-practices metadata: cwe: 'CWE-778: Insufficient Logging' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: HIGH technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Insufficient Logging source: https://semgrep.dev/r/ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-python.openai-missing-user-parameter-python shortlink: https://sg.run/YKJry semgrep.dev: rule: r_id: 288858 rv_id: 1413416 rule_id: qNU1LWq version_id: yeTqWBn url: https://semgrep.dev/playground/r/yeTqWBn/ai.ai-best-practices.openai-missing-user-parameter.openai-missing-user-parameter-python.openai-missing-user-parameter-python origin: community patterns: - pattern: $CLIENT.chat.completions.create(...) - pattern-not: $CLIENT.chat.completions.create(..., user=$USER, ...) - id: ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-javascript.openai-no-error-handling-javascript languages: - javascript - typescript severity: WARNING message: OpenAI API call without error handling. Wrap API calls in try/catch to handle rate limits, API errors, and network issues gracefully. metadata: cwe: 'CWE-252: Unchecked Return Value' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-javascript.openai-no-error-handling-javascript shortlink: https://sg.run/6WPg1 semgrep.dev: rule: r_id: 288859 rv_id: 1413417 rule_id: lBUroWB version_id: rxTnJok url: https://semgrep.dev/playground/r/rxTnJok/ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-javascript.openai-no-error-handling-javascript origin: community patterns: - pattern-either: - pattern: await $CLIENT.chat.completions.create({...}) - pattern: $CLIENT.chat.completions.create({...}) - pattern-not-inside: | try { ... } catch ($ERR) { ... } - id: ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-python.openai-no-error-handling languages: - python severity: WARNING message: OpenAI API call without error handling. Wrap API calls in try/except to handle rate limits (RateLimitError), API errors (APIError), and network issues gracefully. metadata: cwe: 'CWE-252: Unchecked Return Value' category: security subcategory: - audit likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM technology: - openai references: - https://developers.openai.com/api/docs/guides/safety-best-practices/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-python.openai-no-error-handling shortlink: https://sg.run/ol3y0 semgrep.dev: rule: r_id: 288860 rv_id: 1413418 rule_id: PeUW2x5 version_id: bZTEgKN url: https://semgrep.dev/playground/r/bZTEgKN/ai.ai-best-practices.openai-no-error-handling.openai-no-error-handling-python.openai-no-error-handling origin: community patterns: - pattern: $CLIENT.chat.completions.create(...) - pattern-not-inside: | try: ... except ...: ... - id: ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-js.openai-user-input-in-system-prompt-js mode: taint languages: - javascript - typescript severity: ERROR message: User input flows into the OpenAI system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or move user input to the 'user' role message instead. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - openai references: - https://platform.openai.com/docs license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-js.openai-user-input-in-system-prompt-js shortlink: https://sg.run/z8Z1d semgrep.dev: rule: r_id: 288861 rv_id: 1413419 rule_id: JDU3GlN version_id: NdT6p9N url: https://semgrep.dev/playground/r/NdT6p9N/ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-js.openai-user-input-in-system-prompt-js origin: community pattern-sources: - pattern: req.body.$F - pattern: req.query.$F - pattern: req.params.$F - pattern: req.body pattern-sinks: - patterns: - pattern: | {role: "system", content: $SINK} - focus-metavariable: $SINK - id: ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-python.openai-user-input-in-system-prompt-python mode: taint languages: - python severity: ERROR message: User input flows into the OpenAI system prompt. This enables prompt injection attacks where users can override system instructions. Validate and sanitize user input, or move user input to the 'user' role message instead. metadata: cwe: 'CWE-77: Command Injection' category: security confidence: MEDIUM subcategory: - vuln likelihood: MEDIUM impact: HIGH technology: - openai references: - https://platform.openai.com/docs license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-python.openai-user-input-in-system-prompt-python shortlink: https://sg.run/pGD9Z semgrep.dev: rule: r_id: 288862 rv_id: 1413420 rule_id: 5rUPryk version_id: kbTWyj6 url: https://semgrep.dev/playground/r/kbTWyj6/ai.ai-best-practices.openai-user-input-in-system-prompt.openai-user-input-in-system-prompt-python.openai-user-input-in-system-prompt-python origin: community pattern-sources: - pattern: request.args.get(...) - pattern: request.form[...] - pattern: request.form.get(...) - pattern: request.json[...] - pattern: request.json.get(...) - pattern: request.data - pattern: request.GET[...] - pattern: request.GET.get(...) - pattern: request.POST[...] - pattern: request.POST.get(...) pattern-sinks: - patterns: - pattern: | {"role": "system", "content": $SINK} - focus-metavariable: $SINK - id: kotlin.lang.security.unencrypted-socket.unencrypted-socket metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.5 Insecure Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' category: security technology: - kotlin references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket shortlink: https://sg.run/KXZd semgrep.dev: rule: r_id: 14699 rv_id: 1413421 rule_id: KxU76z version_id: w8TWBzA url: https://semgrep.dev/playground/r/w8TWBzA/kotlin.lang.security.unencrypted-socket.unencrypted-socket origin: community message: This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead severity: WARNING languages: - kt patterns: - pattern-either: - pattern: ServerSocket(...) - pattern: Socket(...) - pattern-not-inside: | fun $FN(...): Int { ... val $SS = ServerSocket(0) ... $SS.close() ... } - pattern-not-inside: | fun $FN(...): Int { ... val $SS = ServerSocket(0) ... $SS.localPort ... $SS.close() ... } - id: typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized patterns: - pattern: <$ELEMENT>$MESSAGE - metavariable-regex: metavariable: $MESSAGE regex: ([A-Za-z\n ]+[A-Za-z]+[A-Za-z\n ]+) - pattern-not: <$ELEMENT>t('$KEY', ...) message: 'JSX element not internationalized: ''$MESSAGE''. You should support different languages in your website or app with internationalization. Instead, use packages such as `i18next` in order to internationalize your elements.' languages: - typescript - javascript severity: INFO metadata: category: portability technology: - react - mui - i18next references: - https://www.notion.so/hendyirawan/Internationalization-Localization-Policy-318c21674e5f44c48d6f136a6eb2e024 - https://mui.com/ - https://react.i18next.com/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized shortlink: https://sg.run/DeKW semgrep.dev: rule: r_id: 20052 rv_id: 1274400 rule_id: KxUwo1 version_id: gETB4ez url: https://semgrep.dev/playground/r/gETB4ez/typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized origin: community - id: typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message patterns: - pattern: enqueueSnackbar('$MESSAGE', $X2) - pattern-not: enqueueSnackbar(t($KEY), $X2) message: 'React MUI enqueueSnackbar() title is not internationalized: ''$MESSAGE''' languages: - typescript - javascript severity: WARNING metadata: category: portability technology: - react - mui - i18next references: - https://hendyirawan.notion.site/Internationalization-Localization-Policy-318c21674e5f44c48d6f136a6eb2e024 - https://mui.com/ - https://react.i18next.com/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message shortlink: https://sg.run/WDvz semgrep.dev: rule: r_id: 20053 rv_id: 947021 rule_id: qNUpO8 version_id: 5PT94Ly url: https://semgrep.dev/playground/r/5PT94Ly/typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message origin: community - id: generic.secrets.gitleaks.npm-access-token.npm-access-token message: A gitleaks npm-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.npm-access-token.npm-access-token shortlink: https://sg.run/X3Lb semgrep.dev: rule: r_id: 44764 rv_id: 1262794 rule_id: 10UJZE version_id: A8TgdJ4 url: https://semgrep.dev/playground/r/A8TgdJ4/generic.secrets.gitleaks.npm-access-token.npm-access-token origin: community patterns: - pattern-regex: (?i)\b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag message: "GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks \u2014 as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`." severity: WARNING languages: - yaml metadata: category: security cwe: - 'CWE-1357: Reliance on Insufficiently Trustworthy Component' - 'CWE-353: Missing Support for Integrity Check' owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software and Data Integrity Failures references: - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions technology: - github-actions subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues - Other source: https://semgrep.dev/r/yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag shortlink: https://sg.run/2LgAL semgrep.dev: rule: r_id: 288863 rv_id: 1413422 rule_id: GdUxYDx version_id: xyTRDAd url: https://semgrep.dev/playground/r/xyTRDAd/yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag origin: community patterns: - pattern-inside: '{steps: ...}' - pattern: | uses: "$ACTION" - metavariable-pattern: metavariable: $ACTION language: generic patterns: - pattern-not-regex: ^\./ - pattern-not-regex: ^docker:// - pattern-not-regex: '@[0-9a-f]{40}(\s|$)' - id: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout languages: - yaml message: This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations. metadata: category: security owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software and Data Integrity Failures cwe: - 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere' references: - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md technology: - github-actions subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout shortlink: https://sg.run/jkdn semgrep.dev: rule: r_id: 13365 rv_id: 1413423 rule_id: d8Ulkd version_id: O9TQ2nX url: https://semgrep.dev/playground/r/O9TQ2nX/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout origin: community patterns: - pattern-either: - pattern-inside: | on: ... pull_request_target: ... ... ... - pattern-inside: | on: [..., pull_request_target, ...] ... - pattern-inside: | on: pull_request_target ... - pattern-inside: | jobs: ... $JOBNAME: ... steps: ... - pattern: | ... uses: "$ACTION" with: ... ref: $EXPR - metavariable-regex: metavariable: $ACTION regex: actions/checkout@.* - metavariable-pattern: language: generic metavariable: $EXPR patterns: - pattern-inside: ${{ ... }} - pattern-either: - pattern: github.event.pull_request ... - pattern: github.head_ref ... severity: ERROR - id: yaml.github-actions.security.secrets-inherit.secrets-inherit languages: - yaml severity: ERROR message: 'This workflow uses `secrets: inherit` to pass all of the calling workflow''s secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.' metadata: category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions technology: - github-actions subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.github-actions.security.secrets-inherit.secrets-inherit shortlink: https://sg.run/X2PZB semgrep.dev: rule: r_id: 288864 rv_id: 1413424 rule_id: ReUQnKg version_id: e1T42L1 url: https://semgrep.dev/playground/r/e1T42L1/yaml.github-actions.security.secrets-inherit.secrets-inherit origin: community patterns: - pattern-inside: | jobs: ... - pattern: 'secrets: inherit' - id: generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id message: A gitleaks new-relic-user-api-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id shortlink: https://sg.run/pQlL semgrep.dev: rule: r_id: 44762 rv_id: 1262792 rule_id: X5UGZz version_id: GxTkePe url: https://semgrep.dev/playground/r/GxTkePe/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token message: A gitleaks new-relic-browser-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token shortlink: https://sg.run/zQkW semgrep.dev: rule: r_id: 44761 rv_id: 1262790 rule_id: 2ZUn43 version_id: JdTzxDr url: https://semgrep.dev/playground/r/JdTzxDr/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key message: A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key shortlink: https://sg.run/3qwdo semgrep.dev: rule: r_id: 136487 rv_id: 1262791 rule_id: EwUj3dB version_id: 5PTo19G url: https://semgrep.dev/playground/r/5PTo19G/generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRII-[a-z0-9-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: terraform.aws.best-practice.missing-cloudwatch-log-group-retention.missing-cloudwatch-log-group-retention patterns: - patterns: - pattern: resource "aws_cloudwatch_log_group" $ANYTHING {...} - pattern-not-inside: | resource "aws_cloudwatch_log_group" $ANYTHING { ... retention_in_days = ... ... } message: The AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add `retention_in_days = ` to your resource block. languages: - hcl severity: WARNING metadata: technology: - aws - terraform category: best-practice license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-cloudwatch-log-group-retention.missing-cloudwatch-log-group-retention shortlink: https://sg.run/Nw1G semgrep.dev: rule: r_id: 15827 rv_id: 946654 rule_id: kxU6wJ version_id: 8KTKj21 url: https://semgrep.dev/playground/r/8KTKj21/terraform.aws.best-practice.missing-cloudwatch-log-group-retention.missing-cloudwatch-log-group-retention origin: community - id: yaml.kubernetes.security.hostpid-pod.hostpid-pod patterns: - pattern-inside: | spec: ... - pattern: | hostPID: true message: Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality. metadata: cwe: - 'CWE-269: Improper Privilege Management' references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces category: security technology: - kubernetes owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod shortlink: https://sg.run/708R semgrep.dev: rule: r_id: 10238 rv_id: 1263934 rule_id: 7KUeo0 version_id: 1QTypvL url: https://semgrep.dev/playground/r/1QTypvL/yaml.kubernetes.security.hostpid-pod.hostpid-pod origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions patterns: - pattern: | "*" - pattern-inside: | resources: $A ... - pattern-inside: | verbs: $A ... - pattern-inside: | - apiGroups: [""] ... - pattern-inside: | apiVersion: rbac.authorization.k8s.io/v1 ... - pattern-inside: | kind: ClusterRole ... message: 'Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. ' languages: - yaml severity: WARNING metadata: cwe: - 'CWE-269: Improper Privilege Management' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole - https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups category: security technology: - kubernetes cwe2021-top25: false subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions shortlink: https://sg.run/x6Dz semgrep.dev: rule: r_id: 73474 rv_id: 1263935 rule_id: GdUR2A version_id: 9lT4bw7 url: https://semgrep.dev/playground/r/9lT4bw7/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions origin: community - id: yaml.kubernetes.security.run-as-non-root-container-level-missing-security-context.run-as-non-root-container-level-missing-security-context patterns: - pattern-inside: | spec: ... containers: ... ... - pattern-not-inside: | spec: ... securityContext: ... runAsNonRoot: $VAL ... - pattern-inside: | spec: ... containers: ... - pattern-inside: | spec: ... containers: ... - name: $NAME image: ... ... securityContext: ... runAsNonRoot: $VALUE - pattern: | - name: $CONTAINER $IMAGE: $IMAGEVAL ... - pattern-not: | - name: $CONTAINER image: $IMAGEVAL ... securityContext: ... - metavariable-regex: metavariable: $IMAGE regex: image - focus-metavariable: $IMAGE fix: | securityContext: runAsNonRoot: true $IMAGE message: When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - kubernetes subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-container-level-missing-security-context.run-as-non-root-container-level-missing-security-context shortlink: https://sg.run/dqEn semgrep.dev: rule: r_id: 47278 rv_id: 1263936 rule_id: KxU93R version_id: yeTxprp url: https://semgrep.dev/playground/r/yeTxprp/yaml.kubernetes.security.run-as-non-root-container-level-missing-security-context.run-as-non-root-container-level-missing-security-context origin: community languages: - yaml severity: INFO - id: yaml.kubernetes.security.run-as-non-root-container-level.run-as-non-root-container-level patterns: - pattern-inside: | spec: ... containers: ... ... - pattern-not-inside: | spec: ... securityContext: ... runAsNonRoot: $VAL ... - pattern-inside: | spec: ... containers: ... - pattern-inside: | spec: ... containers: ... - name: $NAME image: ... ... securityContext: ... runAsNonRoot: $VALUE - pattern: | - name: $CONTAINER image: ... ... $SC: ... - metavariable-regex: metavariable: $SC regex: ^(securityContext)$ - pattern-not: | - name: $CONTAINER image: ... ... securityContext: ... runAsNonRoot: $VALUE - focus-metavariable: $SC fix: | $SC: runAsNonRoot: true # message: When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - kubernetes subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-container-level.run-as-non-root-container-level shortlink: https://sg.run/ZJzA semgrep.dev: rule: r_id: 47279 rv_id: 1263937 rule_id: qNUgJA version_id: rxTAKee url: https://semgrep.dev/playground/r/rxTAKee/yaml.kubernetes.security.run-as-non-root-container-level.run-as-non-root-container-level origin: community languages: - yaml severity: INFO - id: ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-java.llm-api-key-in-source-java languages: - java severity: ERROR message: AI/LLM API key found hardcoded in source code. Detected key prefix matches a known AI provider (OpenAI, Anthropic, Google, Hugging Face). Use environment variables or a secrets manager instead. metadata: cwe: 'CWE-798: Use of Hard-coded Credentials' category: security subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH technology: - openai - anthropic - google - huggingface references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-java.llm-api-key-in-source-java shortlink: https://sg.run/erYX8 semgrep.dev: rule: r_id: 288832 rv_id: 1413390 rule_id: x8UA0GR version_id: K3Tg6nR url: https://semgrep.dev/playground/r/K3Tg6nR/ai.ai-best-practices.llm-api-key-in-source.llm-api-key-in-source-java.llm-api-key-in-source-java origin: community pattern-either: - patterns: - pattern: String $VAR = "$KEY"; - metavariable-regex: metavariable: $KEY regex: ^(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9-]{20,}|sk-proj-[a-zA-Z0-9-]{20,}|AIza[a-zA-Z0-9_-]{30,}|hf_[a-zA-Z0-9]{20,}) - patterns: - pattern: final String $VAR = "$KEY"; - metavariable-regex: metavariable: $KEY regex: ^(sk-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9-]{20,}|sk-proj-[a-zA-Z0-9-]{20,}|AIza[a-zA-Z0-9_-]{30,}|hf_[a-zA-Z0-9]{20,}) - id: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value patterns: - pattern-either: - pattern: | spec: ... securityContext: ... runAsNonRoot: $VALUE - patterns: - pattern-inside: | containers: ... - pattern: | image: ... ... securityContext: ... runAsNonRoot: $VALUE - metavariable-pattern: metavariable: $VALUE pattern: | false - focus-metavariable: $VALUE fix: | true message: When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration category: security technology: - kubernetes subcategory: - audit likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value shortlink: https://sg.run/D9No semgrep.dev: rule: r_id: 26096 rv_id: 1263939 rule_id: L1UAxy version_id: NdTzyj8 url: https://semgrep.dev/playground/r/NdTzyj8/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value origin: community languages: - yaml severity: INFO - id: yaml.kubernetes.security.run-as-non-root.run-as-non-root patterns: - pattern-inside: | $SPEC: ... containers: ... ... - metavariable-regex: metavariable: $SPEC regex: ^(spec)$ - pattern-not-inside: | spec: ... securityContext: ... ... - pattern-inside: | $SPEC: ... containers: ... - pattern-not-inside: | $SPEC: ... containers: ... - name: $NAME image: ... ... securityContext: ... runAsNonRoot: $VALUE - focus-metavariable: $SPEC fix: | $SPEC: securityContext: runAsNonRoot: true # message: When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - kubernetes subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root.run-as-non-root shortlink: https://sg.run/dgP5 semgrep.dev: rule: r_id: 10134 rv_id: 1263940 rule_id: ZqUqeK version_id: kbTzGbo url: https://semgrep.dev/playground/r/kbTzGbo/yaml.kubernetes.security.run-as-non-root.run-as-non-root origin: community languages: - yaml severity: INFO - id: yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled patterns: - pattern-inside: | containers: ... - pattern: | image: ... ... securityContext: ... seccompProfile: unconfined message: 'Container is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove ''seccompProfile: unconfined'' to prevent this.' metadata: cwe: - 'CWE-284: Improper Access Control' references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ category: security technology: - kubernetes owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled shortlink: https://sg.run/6rgY semgrep.dev: rule: r_id: 10059 rv_id: 1263941 rule_id: zdUynw version_id: w8TRoL3 url: https://semgrep.dev/playground/r/w8TRoL3/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file patterns: - pattern: | $KEY: $VALUE - pattern-inside: | data: ... - pattern-inside: | kind: Secret ... - metavariable-regex: metavariable: $VALUE regex: (?i)^[aA-zZ0-9+/]+={0,2}$ - metavariable-analysis: analyzer: entropy metavariable: $VALUE message: 'Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. ' metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' category: security technology: - kubernetes references: - https://kubernetes.io/docs/concepts/configuration/secret/ - https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF - https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html - https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/ - https://github.com/bitnami-labs/sealed-secrets - https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/ - https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/ owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file shortlink: https://sg.run/KyL6 semgrep.dev: rule: r_id: 20055 rv_id: 1263942 rule_id: YGUYEb version_id: xyTjz5B url: https://semgrep.dev/playground/r/xyTjz5B/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster pattern: | cluster: ... insecure-skip-tls-verify: true message: 'Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the ''insecure-skip-tls-verify: true'' key to secure communication.' metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster category: security technology: - kubernetes owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster shortlink: https://sg.run/okyn semgrep.dev: rule: r_id: 10116 rv_id: 1263943 rule_id: zdUyWx version_id: O9Tpxbo url: https://semgrep.dev/playground/r/O9Tpxbo/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service pattern: | spec: ... insecureSkipTLSVerify: true message: 'Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the ''insecureSkipTLSVerify: true'' key to secure communication.' metadata: cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io category: security technology: - kubernetes owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service shortlink: https://sg.run/zk10 semgrep.dev: rule: r_id: 10117 rv_id: 1263944 rule_id: pKUGXr version_id: e1TyjnR url: https://semgrep.dev/playground/r/e1TyjnR/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service origin: community languages: - yaml severity: WARNING - id: yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container patterns: - pattern-inside: | containers: ... - pattern-inside: | - name: $CONTAINER ... - pattern: | image: ... ... - pattern-not: | image: ... ... securityContext: ... readOnlyRootFilesystem: true - focus-metavariable: $CONTAINER message: 'Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add ''readOnlyRootFilesystem: true'' to this container to prevent this.' metadata: cwe: - 'CWE-732: Incorrect Permission Assignment for Critical Resource' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration references: - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - https://blog.atomist.com/security-of-docker-kubernetes/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only category: security technology: - kubernetes cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container shortlink: https://sg.run/ZePL semgrep.dev: rule: r_id: 10135 rv_id: 1263945 rule_id: nJUYn9 version_id: vdT06PY url: https://semgrep.dev/playground/r/vdT06PY/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container origin: community languages: - yaml severity: WARNING - id: yaml.semgrep.interfile-true-under-metadata-and-no-options.interfile-true-under-metadata-and-no-options message: '`interfile: true` should be under the `options` field, not the `metadata` field.' languages: - yaml severity: WARNING patterns: - pattern: | rules: - id: $ID ... $METADATA: ... $INTERFILE: true ... ... - pattern-not-inside: | rules: - id: $ID ... options: ... ... - metavariable-regex: metavariable: $INTERFILE regex: interfile - metavariable-regex: metavariable: $METADATA regex: metadata - focus-metavariable: $METADATA fix: | options: interfile: true metadata metadata: license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.interfile-true-under-metadata-and-no-options.interfile-true-under-metadata-and-no-options shortlink: https://sg.run/8E1Q semgrep.dev: rule: r_id: 70984 rv_id: 1263946 rule_id: L1UgOQ version_id: d6TyxZq url: https://semgrep.dev/playground/r/d6TyxZq/yaml.semgrep.interfile-true-under-metadata-and-no-options.interfile-true-under-metadata-and-no-options origin: community - id: yaml.semgrep.interfile-true-under-metadata-and-options-already-present.interfile-true-under-metadata-and-options-already-present message: '`interfile: true` should be under the `options` field, not the `metadata` field.' languages: - yaml severity: WARNING patterns: - pattern: | rules: - id: $ID ... $METADATA: ... $INTERFILE: true ... ... - pattern-inside: | rules: - id: $ID ... $OPTIONS: $FIRST_OPT: $VAL ... ... - pattern-not-inside: | rules: - id: $ID ... $OPTIONS: ... interfile: true ... ... - metavariable-regex: metavariable: $INTERFILE regex: interfile - metavariable-regex: metavariable: $METADATA regex: metadata - metavariable-regex: metavariable: $OPTIONS regex: options - focus-metavariable: $FIRST_OPT fix: | interfile: true $FIRST_OPT metadata: license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.interfile-true-under-metadata-and-options-already-present.interfile-true-under-metadata-and-options-already-present shortlink: https://sg.run/gQK5 semgrep.dev: rule: r_id: 70985 rv_id: 1263947 rule_id: 8GUrXy version_id: ZRTKAr7 url: https://semgrep.dev/playground/r/ZRTKAr7/yaml.semgrep.interfile-true-under-metadata-and-options-already-present.interfile-true-under-metadata-and-options-already-present origin: community - id: yaml.semgrep.metadata-deepsemgrep.metadata-deepsemgrep message: 'We no longer support `deepsemgrep: true`, please use `interfile:true`' severity: WARNING metadata: category: correctness references: - https://semgrep.dev/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-deepsemgrep.metadata-deepsemgrep shortlink: https://sg.run/4Yk7 semgrep.dev: rule: r_id: 45000 rv_id: 1263948 rule_id: qNUAp3 version_id: nWT2LKz url: https://semgrep.dev/playground/r/nWT2LKz/yaml.semgrep.metadata-deepsemgrep.metadata-deepsemgrep origin: community languages: - yaml fix-regex: regex: deepsemgrep replacement: interfile patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n $DEEPSEMGREP: true\n ...\n" - focus-metavariable: $DEEPSEMGREP - metavariable-regex: metavariable: $DEEPSEMGREP regex: ^(deepsemgrep)$ - id: dgryski.semgrep-go.parseint-downcast.parseint-downcast patterns: - pattern-either: - pattern: | $X, ... = strconv.ParseInt(..., ..., 64) ... int32($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 64) ... uint32($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 64) ... int32($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 64) ... uint32($X) - pattern: | $X = strconv.Atoi(...) ... int32($X) - pattern: | $X = strconv.Atoi(...) ... uint32($X) message: 64-bit integer parsed and downcast to u/int32 languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.parseint-downcast.parseint-downcast shortlink: https://sg.run/W8Zo semgrep.dev: rule: r_id: 8709 rv_id: 833081 rule_id: yyUnQX version_id: ZRTlPpn url: https://semgrep.dev/playground/r/ZRTlPpn/dgryski.semgrep-go.parseint-downcast.parseint-downcast origin: community - id: solidity.security.arbitrary-send-erc20.arbitrary-send-erc20 patterns: - pattern: $FUNC.transferFrom(...) - pattern-not: $FUNC.transferFrom(..., msg.sender, ...) message: msg.sender is not being used when calling erc20.transferFrom. Example - Alice approves this contract to spend her ERC20 tokens. Bob can call function 'a' and specify Alice's address as the from parameter in transferFrom, allowing him to transfer Alice's tokens to himself. languages: - solidity severity: WARNING metadata: likelihood: LOW impact: HIGH confidence: LOW subcategory: - audit category: security technology: - solidity cwe: - 'CWE-285: Improper Authorization' references: - https://github.com/crytic/slither/wiki/Detector-Documentation#arbitrary-from-in-transferfrom - https://cwe.mitre.org/data/definitions/285.html owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.arbitrary-send-erc20.arbitrary-send-erc20 shortlink: https://sg.run/B72A semgrep.dev: rule: r_id: 36951 rv_id: 1263694 rule_id: 3qUepw version_id: gETB7NB url: https://semgrep.dev/playground/r/gETB7NB/solidity.security.arbitrary-send-erc20.arbitrary-send-erc20 origin: community - id: generic.nginx.security.alias-path-traversal.alias-path-traversal patterns: - pattern: | location $...LOCATION { ... alias .../; ... } - metavariable-pattern: metavariable: $...LOCATION pattern-regex: ^.*[^/]$ paths: include: - '*.conf' - '*.vhost' - '**/sites-available/*' - '**/sites-enabled/*' fix-regex: regex: location\s+([A-Za-z0-9/-_\.]+) replacement: location \1/ languages: - generic severity: WARNING message: The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' source-rule-url: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md category: security technology: - nginx confidence: LOW owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control - https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/ - https://www.youtube.com/watch?v=CIhHpkybYsY - https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal shortlink: https://sg.run/ZvNL semgrep.dev: rule: r_id: 9035 rv_id: 1262670 rule_id: 5rUOjq version_id: NdTzyBg url: https://semgrep.dev/playground/r/NdTzyBg/generic.nginx.security.alias-path-traversal.alias-path-traversal origin: community - id: generic.secrets.security.detected-sauce-token.detected-sauce-token pattern-regex: (?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}(\\\"|'|`)? languages: - regex message: Sauce Token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go category: security technology: - secrets - sauce confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token shortlink: https://sg.run/N4k1 semgrep.dev: rule: r_id: 9071 rv_id: 1262889 rule_id: L1UyZ5 version_id: 44TEjER url: https://semgrep.dev/playground/r/44TEjER/generic.secrets.security.detected-sauce-token.detected-sauce-token origin: community - id: generic.secrets.gitleaks.nytimes-access-token.nytimes-access-token message: A gitleaks nytimes-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.nytimes-access-token.nytimes-access-token shortlink: https://sg.run/j1NJ semgrep.dev: rule: r_id: 44765 rv_id: 1262795 rule_id: 9AU8Oq version_id: BjTkZ1w url: https://semgrep.dev/playground/r/BjTkZ1w/generic.secrets.gitleaks.nytimes-access-token.nytimes-access-token origin: community patterns: - pattern-regex: (?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.dockerfile.correctness.multiple-cmd-instructions.multiple-cmd-instructions patterns: - pattern-either: - pattern: | CMD ... ... CMD ... - pattern: | CMD [...] ... CMD [...] - pattern: | CMD [...] ... CMD ... - pattern: | CMD ... ... CMD [...] - pattern-not-inside: | CMD ... ... FROM $IMAGE ... CMD ... - pattern-not: | HEALTHCHECK $CMD ... CMD ... - pattern-not: | HEALTHCHECK $CMD ... CMD [...] - pattern-not: | CMD ... ... HEALTHCHECK $CMD - pattern-not: | CMD [...] ... HEALTHCHECK $CMD message: Multiple CMD instructions were found. Only the last one will take effect. languages: - dockerfile severity: ERROR metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4003 references: - https://github.com/hadolint/hadolint/wiki/DL4003 - https://kapeli.com/cheat_sheets/Dockerfile.docset/Contents/Resources/Documents/index#//dash_ref_Instructions/Entry/CMD/0 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.correctness.multiple-cmd-instructions.multiple-cmd-instructions shortlink: https://sg.run/rd1A semgrep.dev: rule: r_id: 9025 rv_id: 945286 rule_id: EwU2O4 version_id: w8TKJKx url: https://semgrep.dev/playground/r/w8TKJKx/generic.dockerfile.correctness.multiple-cmd-instructions.multiple-cmd-instructions origin: community - id: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked message: No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option. metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design source-rule-url: https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecure Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - express cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A04_2021-Insecure_Design license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked shortlink: https://sg.run/kXNo semgrep.dev: rule: r_id: 9272 rv_id: 1263137 rule_id: 7KUQ9k version_id: vdT06Bg url: https://semgrep.dev/playground/r/vdT06Bg/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-inside: | $JWT = require('express-jwt'); ... - pattern: $JWT(...) - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...) - pattern-not-inside: |- $OPTS = <... {isRevoked:...} ...>; ... $JWT($OPTS,...); - id: python.requests.security.disabled-cert-validation.disabled-cert-validation message: Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation. metadata: cwe: - 'CWE-295: Improper Certificate Validation' owasp: - A03:2017 - Sensitive Data Exposure - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib category: security technology: - requests subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation shortlink: https://sg.run/AlYp semgrep.dev: rule: r_id: 9694 rv_id: 1263574 rule_id: qNUoYR version_id: 1QTypBw url: https://semgrep.dev/playground/r/1QTypBw/python.requests.security.disabled-cert-validation.disabled-cert-validation origin: community languages: - python severity: ERROR pattern-either: - pattern: requests.put(..., verify=False, ...) - pattern: requests.patch(..., verify=False, ...) - pattern: requests.delete(..., verify=False, ...) - pattern: requests.head(..., verify=False, ...) - pattern: requests.options(..., verify=False, ...) - pattern: requests.request(..., verify=False, ...) - pattern: requests.get(..., verify=False, ...) - pattern: requests.post(..., verify=False, ...) fix-regex: regex: verify(\s)*=(\s)*False replacement: verify=True - id: generic.secrets.gitleaks.slack-webhook-url.slack-webhook-url message: A gitleaks slack-webhook-url was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.slack-webhook-url.slack-webhook-url shortlink: https://sg.run/Lxko semgrep.dev: rule: r_id: 66783 rv_id: 1262833 rule_id: 9AU0E7 version_id: e1Tyj1N url: https://semgrep.dev/playground/r/e1Tyj1N/generic.secrets.gitleaks.slack-webhook-url.slack-webhook-url origin: community patterns: - pattern-regex: (https?:\/\/)?hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+\/]{43,46} - id: terraform.azure.best-practice.azure-postgresql-threat-detection-enabled.azure-postgresql-threat-detection-enabled message: Ensure that PostgreSQL server enables Threat detection policy patterns: - pattern: resource - pattern-inside: | resource "azurerm_postgresql_server" "..." { ... } - pattern-not-inside: | resource "azurerm_postgresql_server" "..." { ... threat_detection_policy { ... enabled = true ... } ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-postgresql-threat-detection-enabled.azure-postgresql-threat-detection-enabled shortlink: https://sg.run/gN1J semgrep.dev: rule: r_id: 23941 rv_id: 946779 rule_id: ReUkEP version_id: BjT1BXR url: https://semgrep.dev/playground/r/BjT1BXR/terraform.azure.best-practice.azure-postgresql-threat-detection-enabled.azure-postgresql-threat-detection-enabled origin: community languages: - hcl severity: WARNING - id: terraform.azure.best-practice.azure-secret-content-type.azure-secret-content-type message: "Ensure that key vault secrets have \u201Ccontent_type\u201D set" patterns: - pattern: resource - pattern-inside: | resource "azurerm_key_vault_secret" "..." { ... } - pattern-not-inside: | resource "azurerm_key_vault_secret" "..." { ... content_type = "..." ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-secret-content-type.azure-secret-content-type shortlink: https://sg.run/Q2y4 semgrep.dev: rule: r_id: 23942 rv_id: 946780 rule_id: AbU5EG version_id: DkTNW6A url: https://semgrep.dev/playground/r/DkTNW6A/terraform.azure.best-practice.azure-secret-content-type.azure-secret-content-type origin: community languages: - hcl severity: WARNING - id: generic.secrets.gitleaks.lob-pub-api-key.lob-pub-api-key message: A gitleaks lob-pub-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.lob-pub-api-key.lob-pub-api-key shortlink: https://sg.run/AGl8 semgrep.dev: rule: r_id: 44750 rv_id: 1262779 rule_id: DbUBWq version_id: ZRTKA3k url: https://semgrep.dev/playground/r/ZRTKA3k/generic.secrets.gitleaks.lob-pub-api-key.lob-pub-api-key origin: community patterns: - pattern-regex: (?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((test|live)_pub_[a-f0-9]{31})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.lob-api-key.lob-api-key message: A gitleaks lob-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.lob-api-key.lob-api-key shortlink: https://sg.run/Rj8e semgrep.dev: rule: r_id: 44749 rv_id: 1262778 rule_id: BYU4BX version_id: d6TyxPE url: https://semgrep.dev/playground/r/d6TyxPE/generic.secrets.gitleaks.lob-api-key.lob-api-key origin: community patterns: - pattern-regex: (?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((live|test)_[a-f0-9]{35})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request message: Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data. metadata: cwe: - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP Injection'')' owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection references: - https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection category: security technology: - java subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - LDAP Injection source: https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request shortlink: https://sg.run/gRg0 semgrep.dev: rule: r_id: 18241 rv_id: 1409392 rule_id: pKUXAv version_id: 8KT3Pe6 url: https://semgrep.dev/playground/r/8KT3Pe6/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request origin: community severity: WARNING languages: - java mode: taint pattern-sources: - patterns: - pattern: (HttpServletRequest $REQ) pattern-sinks: - patterns: - pattern-either: - pattern: | (javax.naming.directory.InitialDirContext $IDC).search(...) - pattern: | (javax.naming.directory.DirContext $CTX).search(...) - pattern-not: | (javax.naming.directory.InitialDirContext $IDC).search($Y, "...", ...) - pattern-not: | (javax.naming.directory.DirContext $CTX).search($Y, "...", ...) - id: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request message: Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls. languages: - java severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - patterns: - pattern: | (HttpServletRequest $REQ).$FUNC(...) - pattern-not: | (HttpServletRequest $REQ).getSession() - patterns: - pattern-inside: | (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); ... for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { ... } - pattern: | $COOKIE.getValue(...) - patterns: - pattern-inside: | $TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... ); ... - pattern: | $PARAM = $VALS[$INDEX]; - patterns: - pattern-inside: | $HEADERS = (HttpServletRequest $REQ).getHeaders(...); ... $PARAM = $HEADERS.$FUNC(...); ... - pattern: | java.net.URLDecoder.decode($PARAM, ...) pattern-sinks: - patterns: - pattern: (HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE); - metavariable-regex: metavariable: $FUNC regex: ^(putValue|setAttribute)$ - focus-metavariable: $VALUE options: interfile: true metadata: category: security technology: - java cwe: - 'CWE-501: Trust Boundary Violation' owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - vuln impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request shortlink: https://sg.run/QbDZ semgrep.dev: rule: r_id: 18242 rv_id: 1409393 rule_id: 2ZU7Eo version_id: gETrv9j url: https://semgrep.dev/playground/r/gETrv9j/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request origin: community - id: terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl patterns: - pattern: resource - pattern-inside: | resource "google_sql_database_instance" "..." { ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... require_ssl = true ... } ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... ssl_mode = ... ... } ... } message: Ensure all Cloud SQL database instance requires all incoming connections to use SSL metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - gcp references: - https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl shortlink: https://sg.run/W4Yg semgrep.dev: rule: r_id: 33709 rv_id: 1263873 rule_id: v8Uod5 version_id: pZT033e url: https://semgrep.dev/playground/r/pZT033e/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl origin: community languages: - hcl severity: WARNING - id: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver patterns: - pattern-inside: | resource "google_sql_database_instance" "..." { ... database_version = "$DB" ... } - pattern-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... ssl_mode = $VALUE ... } ... } - pattern-not-inside: | resource "google_sql_database_instance" "..." { ... ip_configuration { ... ssl_mode = "ENCRYPTED_ONLY" ... } ... } - metavariable-regex: metavariable: $DB regex: .*(SQLSERVER).* - focus-metavariable: $VALUE fix: | "ENCRYPTED_ONLY" message: Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode="ENCRYPTED_ONLY"` is the most secure value that is supported. metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' category: security technology: - terraform - gcp references: - https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver shortlink: https://sg.run/0o92j semgrep.dev: rule: r_id: 153510 rv_id: 1263875 rule_id: GdUvX6A version_id: X0Tzyyl url: https://semgrep.dev/playground/r/X0Tzyyl/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver origin: community languages: - hcl severity: WARNING - id: generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token message: A gitleaks mapbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token shortlink: https://sg.run/KYWX semgrep.dev: rule: r_id: 44755 rv_id: 1262784 rule_id: lBU3d8 version_id: 8KT5rK6 url: https://semgrep.dev/playground/r/8KT5rK6/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token origin: community patterns: - pattern-regex: (?i)(?:mapbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: python.lang.correctness.useless-comparison.no-strings-as-booleans message: Using strings as booleans in Python has unexpected results. `"one" and "two"` will return "two". `"one" or "two"` will return "one". In Python, strings are truthy, and strings with a non-zero length evaluate to True. languages: - python severity: ERROR pattern-either: - pattern: | if <... "..." and ... ...>: ... - pattern: | if <... "..." or ... ...>: ... - patterns: - pattern-not: | if $X in "...": ... - pattern: | if "...": ... metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.useless-comparison.no-strings-as-booleans shortlink: https://sg.run/5QxA semgrep.dev: rule: r_id: 9603 rv_id: 946305 rule_id: WAUoxE version_id: 7ZTrQ9O url: https://semgrep.dev/playground/r/7ZTrQ9O/python.lang.correctness.useless-comparison.no-strings-as-booleans origin: community - id: terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted patterns: - pattern-not-inside: | resource "aws_backup_vault" $BACKUP { ... kms_key_arn = ... ... } - pattern: resource "aws_backup_vault" $BACKUP {...} message: The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted shortlink: https://sg.run/18yw semgrep.dev: rule: r_id: 15122 rv_id: 946662 rule_id: x8UxrP version_id: GxTP79j url: https://semgrep.dev/playground/r/GxTP79j/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted origin: community - id: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk patterns: - pattern: | resource "aws_cloudtrail" $ANYTHING { ... } - pattern-not-inside: | resource "aws_cloudtrail" $ANYTHING { ... kms_key_id = ... ... } message: Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation. metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk shortlink: https://sg.run/38kr semgrep.dev: rule: r_id: 17343 rv_id: 946664 rule_id: wdUl2j version_id: A8TJzbz url: https://semgrep.dev/playground/r/A8TJzbz/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn pattern-either: - pattern: strcat(...) - pattern: strncat(...) message: Finding triggers whenever there is a strcat or strncat used. This is an issue because strcat or strncat can lead to buffer overflow vulns. Fix this by using strcat_s instead. metadata: cwe: - 'CWE-676: Use of Potentially Dangerous Function' references: - https://nvd.nist.gov/vuln/detail/CVE-2019-12553 - https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/ category: security technology: - c confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn shortlink: https://sg.run/EkRP semgrep.dev: rule: r_id: 8837 rv_id: 945174 rule_id: BYUNjA version_id: pZTNOXb url: https://semgrep.dev/playground/r/pZTNOXb/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn origin: community languages: - c severity: WARNING - id: generic.secrets.gitleaks.shopify-access-token.shopify-access-token message: A gitleaks shopify-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.shopify-access-token.shopify-access-token shortlink: https://sg.run/3lAp semgrep.dev: rule: r_id: 44787 rv_id: 1262819 rule_id: PeU7kg version_id: pZT03yx url: https://semgrep.dev/playground/r/pZT03yx/generic.secrets.gitleaks.shopify-access-token.shopify-access-token origin: community patterns: - pattern-regex: shpat_[a-fA-F0-9]{32} - id: ruby.lang.security.model-attr-accessible.model-attr-accessible message: 'Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don''t allow admin, banned, role, and account_id using permit or attr_accessible.' metadata: cwe: - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' references: - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb category: security technology: - ruby owasp: - A08:2021 - Software and Data Integrity Failures - A08:2025 - Software or Data Integrity Failures subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mass Assignment source: https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible shortlink: https://sg.run/jNrZ semgrep.dev: rule: r_id: 9721 rv_id: 1263613 rule_id: bwUOAG version_id: GxTkeN4 url: https://semgrep.dev/playground/r/GxTkeN4/ruby.lang.security.model-attr-accessible.model-attr-accessible origin: community languages: - ruby severity: ERROR pattern-either: - pattern: | ....permit(..., :admin, ...) - pattern: | ....permit(..., :role, ...) - pattern: | ....permit(..., :banned, ...) - pattern: | ....permit(..., :account_id, ...) - pattern: | attr_accessible ..., :admin, ... - pattern: | attr_accessible ..., :role, ... - pattern: | attr_accessible ..., :banned, ... - pattern: | attr_accessible ..., :account_id, ... - pattern: | params.permit! - id: solidity.performance.non-optimal-variables-swap.non-optimal-variables-swap message: Consider swapping variables using `($VAR1, $VAR2) = ($VAR2, $VAR1)` to save gas languages: - solidity severity: INFO metadata: category: performance technology: - solidity references: - https://dev.to/oliverjumpertz/solidity-quick-tip-efficiently-swap-two-variables-1f8i license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.non-optimal-variables-swap.non-optimal-variables-swap shortlink: https://sg.run/kNnA semgrep.dev: rule: r_id: 67628 rv_id: 946589 rule_id: oqUEnX version_id: 2KTYb15 url: https://semgrep.dev/playground/r/2KTYb15/solidity.performance.non-optimal-variables-swap.non-optimal-variables-swap origin: community patterns: - pattern: | $TMP = $VAR1; ... $VAR1 = $VAR2; ... $VAR2 = $TMP; - id: generic.dockerfile.correctness.copy-from-own-alias.copy-from-own-alias severity: ERROR languages: - generic message: COPY instructions cannot copy from its own alias. The '$REF' alias is used before switching to a new image. If you meant to switch to a new image, include a new 'FROM' statement. Otherwise, remove the '--from=$REF' from the COPY statement. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3023 references: - https://github.com/hadolint/hadolint/wiki/DL3023 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.correctness.copy-from-own-alias.copy-from-own-alias shortlink: https://sg.run/1Z6Q semgrep.dev: rule: r_id: 9022 rv_id: 945285 rule_id: d8Uj1q version_id: kbTYkYn url: https://semgrep.dev/playground/r/kbTYkYn/generic.dockerfile.correctness.copy-from-own-alias.copy-from-own-alias origin: community paths: include: - '*dockerfile*' - '*Dockerfile*' pattern-either: - pattern: | FROM $IMAGE:$TAG as $REF ... COPY --from=$REF ... FROM - pattern: | FROM $IMAGE:$TAG AS $REF ... COPY --from=$REF ... FROM - id: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT asvs: section: V9 Communications Verification Requirements control_id: 9.1.3 Weak TLS control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements version: '4' category: security technology: - java references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated shortlink: https://sg.run/J9Gj semgrep.dev: rule: r_id: 9202 rv_id: 1263005 rule_id: qNUj8b version_id: JdTzxnb url: https://semgrep.dev/playground/r/JdTzxnb/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated origin: community message: DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead. severity: WARNING languages: - java pattern: new DefaultHttpClient(...); fix-regex: regex: DefaultHttpClient replacement: HttpClientBuilder - id: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled message: CSRF protection is disabled for this configuration. This is a security risk. metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED asvs: section: V4 Access Control control_id: 4.2.2 CSRF control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control version: '4' category: security technology: - spring references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled shortlink: https://sg.run/jRnl semgrep.dev: rule: r_id: 9221 rv_id: 1263080 rule_id: OrU3gK version_id: vdT06dL url: https://semgrep.dev/playground/r/vdT06dL/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled origin: community severity: WARNING languages: - java pattern: $OBJ.csrf(...).disable(...) - id: generic.dockerfile.correctness.alias-must-be-unique.alias-must-be-unique severity: ERROR languages: - generic patterns: - pattern-either: - pattern: | FROM ... as $REF ... ... FROM ... as $REF - pattern: | FROM ... AS $REF ... ... FROM ... AS $REF - pattern-not-inside: | FROM ... as $REF ... ... FROM ... as $REF- - pattern-not-inside: | FROM ... AS $REF ... ... FROM ... AS $REF- paths: include: - '*dockerfile*' - '*Dockerfile*' message: Image aliases must have a unique name, and '$REF' is used twice. Use another name for '$REF'. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3024 references: - https://github.com/hadolint/hadolint/wiki/DL3024 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.correctness.alias-must-be-unique.alias-must-be-unique shortlink: https://sg.run/jRY2 semgrep.dev: rule: r_id: 9021 rv_id: 945284 rule_id: v8UngY version_id: NdTqkq7 url: https://semgrep.dev/playground/r/NdTqkq7/generic.dockerfile.correctness.alias-must-be-unique.alias-must-be-unique origin: community - id: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer message: Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views. severity: WARNING options: interfile: true metadata: likelihood: HIGH impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html subcategory: - vuln technology: - java - servlets interfile: true license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer shortlink: https://sg.run/KlRL semgrep.dev: rule: r_id: 9211 rv_id: 1263055 rule_id: j2Uv7B version_id: DkTRbXy url: https://semgrep.dev/playground/r/DkTRbXy/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer origin: community languages: - java mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | (HttpServletRequest $REQ).$REQFUNC(...) - pattern: "(ServletRequest $REQ).$REQFUNC(...) \n" - metavariable-regex: metavariable: $REQFUNC regex: (getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString) pattern-sinks: - patterns: - pattern-either: - pattern: | (HttpServletResponse $RESPONSE).getWriter(...).$WRITE(...) - pattern: | (HttpServletResponse $RESPONSE).getOutputStream(...).$WRITE(...) - pattern: | (java.io.PrintWriter $WRITER).$WRITE(...) - pattern: | (PrintWriter $WRITER).$WRITE(...) - pattern: | (javax.servlet.ServletOutputStream $WRITER).$WRITE(...) - pattern: | (ServletOutputStream $WRITER).$WRITE(...) - pattern: | (java.io.OutputStream $WRITER).$WRITE(...) - pattern: | (OutputStream $WRITER).$WRITE(...) pattern-sanitizers: - pattern-either: - pattern: Encode.forHtml(...) - pattern: (PolicyFactory $POLICY).sanitize(...) - pattern: (AntiSamy $AS).scan(...) - pattern: JSoup.clean(...) - pattern: org.apache.commons.lang.StringEscapeUtils.escapeHtml(...) - pattern: org.springframework.web.util.HtmlUtils.htmlEscape(...) - pattern: org.owasp.esapi.ESAPI.encoder().encodeForHTML(...) - id: ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation metadata: shortDescription: Allowing an attacker to manipulate the session may lead to unintended behavior. tags: - security owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-276: Incorrect Default Permissions' references: - https://brakemanscanner.org/docs/warning_types/session_manipulation/ category: security technology: - rails help: | ## Remediation Session manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior. ## References [Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/) cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation shortlink: https://sg.run/86q7 semgrep.dev: rule: r_id: 13584 rv_id: 1263621 rule_id: BYUdW6 version_id: qkTR76G url: https://semgrep.dev/playground/r/qkTR76G/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation origin: community message: This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key. languages: - ruby severity: WARNING mode: taint pattern-sources: - pattern: params - pattern: cookies - pattern: request.env pattern-sinks: - pattern: session[...] - id: ai.generic.detect-generic-ai-oai.detect-generic-ai-oai languages: - generic severity: INFO message: 'Possibly found usage of AI: OpenAI' pattern-either: - pattern: openai - pattern: OpenAI metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.generic.detect-generic-ai-oai.detect-generic-ai-oai shortlink: https://sg.run/gxzOJ semgrep.dev: rule: r_id: 137241 rv_id: 945118 rule_id: 8GUQ7pE version_id: 2KTYbP0 url: https://semgrep.dev/playground/r/2KTYbP0/ai.generic.detect-generic-ai-oai.detect-generic-ai-oai origin: community - id: ai.go.detect-gemini.detect-gemini languages: - go severity: INFO message: 'Possibly found usage of AI: Gemini' pattern-either: - pattern: import "github.com/google/generative-ai-go" - pattern: genai.NewClient(...) metadata: references: - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI - LLMs confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/ai.go.detect-gemini.detect-gemini shortlink: https://sg.run/QrZW4 semgrep.dev: rule: r_id: 137242 rv_id: 945119 rule_id: gxU3owY version_id: X0TL8dB url: https://semgrep.dev/playground/r/X0TL8dB/ai.go.detect-gemini.detect-gemini origin: community - id: generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token message: A gitleaks gocardless-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token shortlink: https://sg.run/ezLy semgrep.dev: rule: r_id: 44732 rv_id: 1262752 rule_id: 5rUKOQ version_id: DkTRb2O url: https://semgrep.dev/playground/r/DkTRb2O/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token origin: community patterns: - pattern-regex: (?i)(?:gocardless)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(live_(?i)[a-z0-9\-_=]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.gitter-access-token.gitter-access-token message: A gitleaks gitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.gitter-access-token.gitter-access-token shortlink: https://sg.run/OpPn semgrep.dev: rule: r_id: 44731 rv_id: 1262751 rule_id: JDUOyB version_id: BjTkZKw url: https://semgrep.dev/playground/r/BjTkZKw/generic.secrets.gitleaks.gitter-access-token.gitter-access-token origin: community patterns: - pattern-regex: (?i)(?:gitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: java.jjwt.security.jwt-none-alg.jjwt-none-alg message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ asvs: section: 'V3: Session Management Verification Requirements' control_id: 3.5.3 Insecue Stateless Session Tokens control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management version: '4' category: security technology: - jwt confidence: LOW references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg shortlink: https://sg.run/0Q7b semgrep.dev: rule: r_id: 9154 rv_id: 1262987 rule_id: j2Uvol version_id: gETB7re url: https://semgrep.dev/playground/r/gETB7re/java.jjwt.security.jwt-none-alg.jjwt-none-alg origin: community languages: - java severity: ERROR patterns: - pattern: | io.jsonwebtoken.Jwts.builder(); - pattern-not-inside: |- $RETURNTYPE $FUNC(...) { ... $JWTS.signWith(...); ... } - id: java.lang.correctness.assignment-comparison.assignment-comparison message: The value of `$X` is being ignored and will be used in the conditional test languages: - java severity: ERROR pattern-either: - pattern: if ($X=true) { ... } - pattern: if ($X=false) { ... } metadata: category: correctness technology: - java license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/java.lang.correctness.assignment-comparison.assignment-comparison shortlink: https://sg.run/Klod semgrep.dev: rule: r_id: 9155 rv_id: 945641 rule_id: 10UK1b version_id: ExTg2Xw url: https://semgrep.dev/playground/r/ExTg2Xw/java.lang.correctness.assignment-comparison.assignment-comparison origin: community - id: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn pattern: scanf(...) message: Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input. metadata: cwe: - 'CWE-676: Use of Potentially Dangerous Function' references: - http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html category: security technology: - c confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn shortlink: https://sg.run/nd1g semgrep.dev: rule: r_id: 8836 rv_id: 945173 rule_id: AbUzPd version_id: zyTlkWW url: https://semgrep.dev/playground/r/zyTlkWW/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn origin: community languages: - c severity: WARNING - id: dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch patterns: - pattern: "RUN ... apt-get install ... $MULTIFLAG ... \n" - pattern-not: | RUN ... apt-get install ... --assume-yes ... - pattern-not: | RUN ... apt-get install ... --yes ... - pattern-not: | RUN ... apt-get install ... -y ... - metavariable-regex: metavariable: $MULTIFLAG regex: (^([^-])|(-[^y]+)$) languages: - dockerfile message: This 'apt-get install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch. severity: WARNING metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3014 references: - https://github.com/hadolint/hadolint/wiki/DL3014 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch shortlink: https://sg.run/PPvq semgrep.dev: rule: r_id: 20145 rv_id: 945264 rule_id: 5rUNrz version_id: BjT1N1r url: https://semgrep.dev/playground/r/BjT1N1r/dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch origin: community - id: python.django.security.injection.code.user-eval.user-eval message: Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html - https://owasp.org/www-community/attacks/Code_Injection category: security technology: - django subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval shortlink: https://sg.run/PJDW semgrep.dev: rule: r_id: 9501 rv_id: 1263384 rule_id: DbUpDQ version_id: d6Tyx2A url: https://semgrep.dev/playground/r/d6Tyx2A/python.django.security.injection.code.user-eval.user-eval origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-either: - pattern: eval(..., request.$W.get(...), ...) - pattern: | $V = request.$W.get(...) ... eval(..., $V, ...) - pattern: eval(..., request.$W(...), ...) - pattern: | $V = request.$W(...) ... eval(..., $V, ...) - pattern: eval(..., request.$W[...], ...) - pattern: | $V = request.$W[...] ... eval(..., $V, ...) languages: - python severity: WARNING - id: dockerfile.correctness.invalid-port.invalid-port message: Detected an invalid port number. Valid ports are 0 through 65535. severity: ERROR languages: - dockerfile metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3011 references: - https://github.com/hadolint/hadolint/wiki/DL3011 category: correctness technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/dockerfile.correctness.invalid-port.invalid-port shortlink: https://sg.run/w4Ex semgrep.dev: rule: r_id: 20729 rv_id: 945263 rule_id: r6UjWk version_id: A8TJzJJ url: https://semgrep.dev/playground/r/A8TJzJJ/dockerfile.correctness.invalid-port.invalid-port origin: community pattern-either: - patterns: - pattern: EXPOSE $PORT - metavariable-comparison: metavariable: $PORT comparison: int($PORT) > 65535 - id: python.django.security.injection.code.user-exec-format-string.user-exec-format-string message: Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need. metadata: cwe: - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - django references: - https://owasp.org/www-community/attacks/Code_Injection subcategory: - vuln likelihood: MEDIUM impact: HIGH confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string shortlink: https://sg.run/J9JW semgrep.dev: rule: r_id: 9502 rv_id: 1263385 rule_id: WAUovx version_id: ZRTKA1p url: https://semgrep.dev/playground/r/ZRTKA1p/python.django.security.injection.code.user-exec-format-string.user-exec-format-string origin: community patterns: - pattern-inside: | def $F(...): ... - pattern-either: - pattern: exec(..., $STR % request.$W.get(...), ...) - pattern: | $V = request.$W.get(...) ... exec(..., $STR % $V, ...) - pattern: | $V = request.$W.get(...) ... $S = $STR % $V ... exec(..., $S, ...) - pattern: exec(..., "..." % request.$W(...), ...) - pattern: | $V = request.$W(...) ... exec(..., $STR % $V, ...) - pattern: | $V = request.$W(...) ... $S = $STR % $V ... exec(..., $S, ...) - pattern: exec(..., $STR % request.$W[...], ...) - pattern: | $V = request.$W[...] ... exec(..., $STR % $V, ...) - pattern: | $V = request.$W[...] ... $S = $STR % $V ... exec(..., $S, ...) - pattern: exec(..., $STR.format(..., request.$W.get(...), ...), ...) - pattern: | $V = request.$W.get(...) ... exec(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W.get(...) ... $S = $STR.format(..., $V, ...) ... exec(..., $S, ...) - pattern: exec(..., $STR.format(..., request.$W(...), ...), ...) - pattern: | $V = request.$W(...) ... exec(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W(...) ... $S = $STR.format(..., $V, ...) ... exec(..., $S, ...) - pattern: exec(..., $STR.format(..., request.$W[...], ...), ...) - pattern: | $V = request.$W[...] ... exec(..., $STR.format(..., $V, ...), ...) - pattern: | $V = request.$W[...] ... $S = $STR.format(..., $V, ...) ... exec(..., $S, ...) - pattern: | $V = request.$W.get(...) ... exec(..., f"...{$V}...", ...) - pattern: | $V = request.$W.get(...) ... $S = f"...{$V}..." ... exec(..., $S, ...) - pattern: | $V = request.$W(...) ... exec(..., f"...{$V}...", ...) - pattern: | $V = request.$W(...) ... $S = f"...{$V}..." ... exec(..., $S, ...) - pattern: | $V = request.$W[...] ... exec(..., f"...{$V}...", ...) - pattern: | $V = request.$W[...] ... $S = f"...{$V}..." ... exec(..., $S, ...) - pattern: exec(..., base64.decodestring($S.format(..., request.$W.get(...), ...), ...), ...) - pattern: exec(..., base64.decodestring($S % request.$W.get(...), ...), ...) - pattern: exec(..., base64.decodestring(f"...{request.$W.get(...)}...", ...), ...) - pattern: exec(..., base64.decodestring(request.$W.get(...), ...), ...) - pattern: exec(..., base64.decodestring(bytes($S.format(..., request.$W.get(...), ...), ...), ...), ...) - pattern: exec(..., base64.decodestring(bytes($S % request.$W.get(...), ...), ...), ...) - pattern: exec(..., base64.decodestring(bytes(f"...{request.$W.get(...)}...", ...), ...), ...) - pattern: exec(..., base64.decodestring(bytes(request.$W.get(...), ...), ...), ...) - pattern: | $DATA = request.$W.get(...) ... exec(..., base64.decodestring($DATA, ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = base64.decodestring($DATA, ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W.get(...) ... exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) - pattern: | $DATA = request.$W.get(...) ... $INTERM = base64.decodestring(bytes($DATA, ...), ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... exec(..., base64.decodestring($DATA, ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = base64.decodestring($DATA, ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W(...) ... exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) - pattern: | $DATA = request.$W(...) ... $INTERM = base64.decodestring(bytes($DATA, ...), ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... exec(..., base64.decodestring($DATA, ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = base64.decodestring($DATA, ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W[...] ... exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) - pattern: | $DATA = request.$W[...] ... $INTERM = base64.decodestring(bytes($DATA, ...), ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W ... exec(..., base64.decodestring($DATA, ...), ...) - pattern: | $DATA = request.$W ... $INTERM = base64.decodestring($DATA, ...) ... exec(..., $INTERM, ...) - pattern: | $DATA = request.$W ... exec(..., base64.decodestring(bytes($DATA, ...), ...), ...) - pattern: | $DATA = request.$W ... $INTERM = base64.decodestring(bytes($DATA, ...), ...) ... exec(..., $INTERM, ...) languages: - python severity: WARNING - id: dgryski.semgrep-go.hostport.sprintf-host-port pattern-either: - patterns: - pattern-either: - pattern: fmt.Sprintf("%s:%s", $NET, $XX) - pattern: fmt.Sprintf("%s:%d", $NET, $XX) - pattern: fmt.Sprintf("%s:%s", $XX, $NET) - pattern: fmt.Sprintf("%s:%d", $XX, $NET) - pattern: $NET = fmt.Sprintf("%s:%d", ..., ...) - pattern: $NET = fmt.Sprintf("%s:%s", ..., ...) - metavariable-regex: metavariable: $NET regex: ((?i).*(port|addr|host|listen|bind))|((?i)^ip$)|(ip[A-Z0-9].*|.*(Ip)$|.*(Ip)[A-Z0-9].*) - patterns: - pattern: fmt.Sprintf($XX, $NET) - metavariable-regex: metavariable: $XX regex: '"%s:[0-9]+"' - metavariable-regex: metavariable: $NET regex: ((?i).*(port|addr|host|listen|bind))|((?i)^ip$)|(ip[A-Z0-9].*|.*(Ip)$|.*(Ip)[A-Z0-9].*) message: | use net.JoinHostPort instead of fmt.Sprintf($XX, $NET) languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.hostport.sprintf-host-port shortlink: https://sg.run/DoN2 semgrep.dev: rule: r_id: 8696 rv_id: 833043 rule_id: KxUbPZ version_id: 0bTwbl3 url: https://semgrep.dev/playground/r/0bTwbl3/dgryski.semgrep-go.hostport.sprintf-host-port origin: community - id: generic.secrets.gitleaks.digitalocean-pat.digitalocean-pat message: A gitleaks digitalocean-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-pat.digitalocean-pat shortlink: https://sg.run/BR2A semgrep.dev: rule: r_id: 44695 rv_id: 1262712 rule_id: 0oU073 version_id: qkTR7pY url: https://semgrep.dev/playground/r/qkTR7pY/generic.secrets.gitleaks.digitalocean-pat.digitalocean-pat origin: community patterns: - pattern-regex: (?i)\b(dop_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token message: A gitleaks digitalocean-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token shortlink: https://sg.run/D38P semgrep.dev: rule: r_id: 44696 rv_id: 1262713 rule_id: KxUAzk version_id: l4TJRX4 url: https://semgrep.dev/playground/r/l4TJRX4/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token origin: community patterns: - pattern-regex: (?i)\b(dor_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: python.lang.best-practice.missing-hash-with-eq.missing-hash-with-eq patterns: - pattern-not-inside: | class A(...): ... def __hash__(self): ... ... def __eq__(self, $O): ... - pattern: | class A(...): ... def __eq__(self, $O): ... ... message: 'Class `$A` has defined `__eq__` which means it should also have defined `__hash__`; ' languages: - python severity: WARNING metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.missing-hash-with-eq.missing-hash-with-eq shortlink: https://sg.run/1Z2v semgrep.dev: rule: r_id: 9566 rv_id: 946255 rule_id: wdUJ35 version_id: PkTQZPG url: https://semgrep.dev/playground/r/PkTQZPG/python.lang.best-practice.missing-hash-with-eq.missing-hash-with-eq origin: community - id: python.lang.best-practice.open-never-closed.open-never-closed patterns: - pattern-not-inside: | $F = open(...) ... $F.close() - pattern-not-inside: | $F = io.open(...) ... $F.close() - pattern-not-inside: | $F = tarfile.open(...) ... $F.close() - pattern-not-inside: | $F = ZipFile.open(...) ... $F.close() - pattern-not-inside: | $F = tempfile.TemporaryFile(...) ... $F.close() - pattern-not-inside: | $F = tempfile.NamedTemporaryFile(...) ... $F.close() - pattern-not-inside: | $F = tempfile.SpooledTemporaryFile(...) ... $F.close() - pattern-not-inside: | $F = open(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = io.open(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = tarfile.open(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = ZipFile.open(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = tempfile.TemporaryFile(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = tempfile.NamedTemporaryFile(...) ... try: ... finally: $F.close() - pattern-not-inside: | $F = tempfile.SpooledTemporaryFile(...) ... try: ... finally: $F.close() - pattern-either: - pattern: $F = open(...) - pattern: $F = io.open(...) - pattern: $F = tarfile.open(...) - pattern: $F = ZipFile.open(...) - pattern: $F = tempfile.TemporaryFile(...) - pattern: $F = tempfile.NamedTemporaryFile(...) - pattern: $F = tempfile.SpooledTemporaryFile(...) message: file object opened without corresponding close languages: - python severity: ERROR metadata: category: best-practice technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.best-practice.open-never-closed.open-never-closed shortlink: https://sg.run/9oN8 semgrep.dev: rule: r_id: 9567 rv_id: 946256 rule_id: x8Un4Q version_id: JdTDy9x url: https://semgrep.dev/playground/r/JdTDy9x/python.lang.best-practice.open-never-closed.open-never-closed origin: community - id: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn pattern: strtok(...) message: Avoid using 'strtok()'. This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead. metadata: cwe: - 'CWE-676: Use of Potentially Dangerous Function' references: - https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged - https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS - https://stackoverflow.com/a/40335556 category: security technology: - c confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn shortlink: https://sg.run/LwqG semgrep.dev: rule: r_id: 8839 rv_id: 1028278 rule_id: WAUo5v version_id: qkTx1oq url: https://semgrep.dev/playground/r/qkTx1oq/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn origin: community languages: - c severity: WARNING - id: trailofbits.jvm.gc-call.gc-call message: | Calling `gc` suggests to the JVM that the garbage collector should be run, and memory should be reclaimed. This is only a suggestion, and there is no guarantee that anything will happen. Relying on this behavior for correctness or memory management is an anti-pattern. languages: - java - kotlin severity: WARNING metadata: category: best-practice subcategory: - audit technology: - java - kotlin confidence: HIGH likelihood: HIGH impact: LOW references: - https://stackoverflow.com/questions/2414105/why-is-it-bad-practice-to-call-system-gc license: AGPL-3.0 license source: https://semgrep.dev/r/trailofbits.jvm.gc-call.gc-call shortlink: https://sg.run/9ApQ0 semgrep.dev: rule: r_id: 113223 rv_id: 833287 rule_id: 5rUdoB9 version_id: LjTEbBG url: https://semgrep.dev/playground/r/LjTEbBG/trailofbits.jvm.gc-call.gc-call origin: community pattern-either: - pattern: System.gc() - pattern: Runtime.getRuntime().gc() - id: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable message: Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference languages: - go severity: WARNING metadata: category: security cwe: 'CWE-665: Improper Initialization' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- description: Possible unintentional assignment when an error occurs references: - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable shortlink: https://sg.run/WWQ2 semgrep.dev: rule: r_id: 17197 rv_id: 833265 rule_id: kxU6Xb version_id: zyTWJNZ url: https://semgrep.dev/playground/r/zyTWJNZ/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable origin: community patterns: - pattern: | ..., $X, ..., $ERR = ... if $ERR != nil { ... <... $X.$Y ...> } - pattern-not: | ..., $X, ..., $ERR = ... if $ERR != nil { ... $X, ... = ... ... <... $X.$Y ...> } - pattern-not: | ..., $X, ..., $ERR = ... if $ERR != nil { ... $X = ... ... <... $X.$Y ...> } - pattern-not: | ..., $X, ..., $ERR = ... if $ERR != nil { ... if $X != nil { <... $X.$Y ...> } ... } - pattern-not: | ..., $X, ..., $ERR := ... if $ERR != nil { ... if $X != nil && <... $X.$Y ...> { ... } ... } - id: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map message: Iteration over a possibly empty map `$C`. This is likely a bug or redundant code languages: - go severity: WARNING metadata: category: security cwe: 'CWE-665: Improper Initialization' subcategory: - audit confidence: MEDIUM likelihood: LOW impact: LOW technology: - --no-technology-- description: Probably redundant iteration over an empty map references: - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map shortlink: https://sg.run/08jj semgrep.dev: rule: r_id: 17198 rv_id: 1039527 rule_id: wdUlww version_id: ExTNqnL url: https://semgrep.dev/playground/r/ExTNqnL/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map origin: community patterns: - pattern: | $C = make(map[$T1] $T2) ... for $K := range $C { ... } - pattern-not: | $C = make(map[$T1] $T2, ...) ... $C[$X] = $V ... for $K := range $C { ... } - pattern-not: | $C = make(map[$T1] $T2, ...) ... $C[$X]++ ... for $K := range $C { ... } - pattern-not: | $C = make(map[$T1] $T2, ...) ... $C[$X]-- ... for $K := range $C { ... } - pattern-not: | $C = make(map[$T1] $T2, ...) ... $CODEC.Unmarshal($BYTES, &$C) ... for $K := range $C { ... } - id: trailofbits.go.racy-append-to-slice.racy-append-to-slice message: Appending `$SLICE` from multiple goroutines is not concurrency safe languages: - go severity: ERROR metadata: category: security cwe: 'CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (''Race Condition'')' subcategory: - vuln confidence: MEDIUM likelihood: HIGH impact: MEDIUM technology: - --no-technology-- description: Concurrent calls to `append` from multiple goroutines references: - https://go.dev/blog/maps#concurrency license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.racy-append-to-slice.racy-append-to-slice shortlink: https://sg.run/jkNY semgrep.dev: rule: r_id: 11865 rv_id: 833270 rule_id: ReUoP7 version_id: 1QTPL3x url: https://semgrep.dev/playground/r/1QTPL3x/trailofbits.go.racy-append-to-slice.racy-append-to-slice origin: community patterns: - pattern: | $SLICE = append($SLICE, $ITEM) - pattern-either: - pattern-inside: | var $SLICE []$TYPE ... for ... { ... go func(...) { ... $SLICE = append($SLICE, ...) ... }(...) ... } - pattern-inside: | $SLICE := make([]$TYPE, ...) ... for ... { ... go func(...) { ... $SLICE = append($SLICE, ...) ... }(...) ... } - pattern-not-inside: | $MUTEX.Lock() ... $MUTEX.Unlock() - pattern-not-inside: | $MUTEX.Lock() ... defer $MUTEX.Unlock() ... - id: ruby.rails.security.brakeman.check-secrets.check-secrets patterns: - pattern: $VAR = "$VALUE" - metavariable-regex: metavariable: $VAR regex: (?i)password|secret|(rest_auth_site|api)_key$ - metavariable-regex: metavariable: $VALUE regex: .+ message: Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value. languages: - ruby severity: WARNING metadata: technology: - ruby - rails category: security cwe: - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_secrets.rb references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-secrets.check-secrets shortlink: https://sg.run/5ZKl semgrep.dev: rule: r_id: 20047 rv_id: 1263659 rule_id: AbUNqO version_id: A8TgdBv url: https://semgrep.dev/playground/r/A8TgdBv/ruby.rails.security.brakeman.check-secrets.check-secrets origin: community - id: ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing mode: search paths: include: - '*.erb' patterns: - pattern: | _blank - pattern-inside: | target: ... - pattern-not-inside: | <%= ... rel: 'noopener noreferrer' ...%> - pattern-either: - patterns: - pattern-inside: | <%= $...INLINERUBYDO do -%> ... <% end %> - metavariable-pattern: metavariable: $...INLINERUBYDO language: ruby patterns: - pattern: | link_to ... - pattern-not: | link_to "...", "...", ... - patterns: - pattern-not-inside: | <%= ... do - %> - pattern-inside: | <%= $...INLINERUBY %> - metavariable-pattern: metavariable: $...INLINERUBY language: ruby patterns: - pattern: | link_to ... - pattern-not: | link_to '...', '...', ... - pattern-not: | link_to '...', target: ... message: Setting an anchor target of `_blank` without the `noopener` or `noreferrer` attribute allows reverse tabnabbing on Internet Explorer, Opera, and Android Webview. languages: - generic severity: WARNING metadata: source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_reverse_tabnabbing.rb category: security cwe: - 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' technology: - ruby - rails references: - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility - https://github.com/presidentbeef/brakeman/blob/3f5d5d5/test/apps/rails5/app/views/users/show.html.erb subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing shortlink: https://sg.run/r30j semgrep.dev: rule: r_id: 22069 rv_id: 946536 rule_id: DbUNX4 version_id: 9lTy1jZ url: https://semgrep.dev/playground/r/9lTy1jZ/ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing origin: community - id: generic.secrets.gitleaks.doppler-api-token.doppler-api-token message: A gitleaks doppler-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.doppler-api-token.doppler-api-token shortlink: https://sg.run/4YBz semgrep.dev: rule: r_id: 44700 rv_id: 1262717 rule_id: 6JU45L version_id: zyTb2Gy url: https://semgrep.dev/playground/r/zyTb2Gy/generic.secrets.gitleaks.doppler-api-token.doppler-api-token origin: community patterns: - pattern-regex: (dp\.pt\.)(?i)[a-z0-9]{43} - id: trailofbits.go.racy-write-to-map.racy-write-to-map message: Writing `$MAP` from multiple goroutines is not concurrency safe languages: - go severity: ERROR metadata: category: security cwe: 'CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (''Race Condition'')' subcategory: - vuln confidence: MEDIUM likelihood: HIGH impact: MEDIUM technology: - --no-technology-- description: Concurrent writes to the same map in multiple goroutines references: - https://go.dev/blog/maps#concurrency license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map shortlink: https://sg.run/1Gnw semgrep.dev: rule: r_id: 11866 rv_id: 833271 rule_id: AbUGWD version_id: 9lTJ0qD url: https://semgrep.dev/playground/r/9lTJ0qD/trailofbits.go.racy-write-to-map.racy-write-to-map origin: community patterns: - pattern: | $MAP[$KEY] = $VALUE - pattern-inside: | $MAP = make(map[$KTYPE]$VTYPE) ... for ... { ... go func(...) { ... $MAP[$KEY] = $VALUE ... }(...) ... } - pattern-not-inside: | $MUTEX.Lock() ... $MUTEX.Unlock() - pattern-not-inside: | $MUTEX.Lock() ... defer $MUTEX.Unlock() ... - id: generic.secrets.security.detected-square-access-token.detected-square-access-token pattern-regex: sq0atp-[0-9A-Za-z\-_]{22} languages: - regex message: Square Access Token detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json category: security technology: - secrets - square confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token shortlink: https://sg.run/OP3b semgrep.dev: rule: r_id: 9075 rv_id: 1262896 rule_id: 3qUPqO version_id: BjTkZkz url: https://semgrep.dev/playground/r/BjTkZkz/generic.secrets.security.detected-square-access-token.detected-square-access-token origin: community - id: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret pattern-regex: sq0csp-[0-9A-Za-z\\\-_]{43} languages: - regex message: Square OAuth Secret detected severity: ERROR metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json references: - https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py category: security technology: - secrets - square confidence: LOW owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret shortlink: https://sg.run/eL7E semgrep.dev: rule: r_id: 9076 rv_id: 1262897 rule_id: 4bUk4l version_id: DkTRbRG url: https://semgrep.dev/playground/r/DkTRbRG/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret origin: community - id: c.lang.security.insecure-use-string-copy-fn.insecure-use-string-copy-fn pattern-either: - pattern: strcpy(...) - pattern: strncpy(...) message: Finding triggers whenever there is a strcpy or strncpy used. This is an issue because strcpy does not affirm the size of the destination array and strncpy will not automatically NULL-terminate strings. This can lead to buffer overflows, which can cause program crashes and potentially let an attacker inject code in the program. Fix this by using strcpy_s instead (although note that strcpy_s is an optional part of the C11 standard, and so may not be available). metadata: cwe: - 'CWE-676: Use of Potentially Dangerous Function' references: - https://cwe.mitre.org/data/definitions/676 - https://nvd.nist.gov/vuln/detail/CVE-2019-11365 category: security technology: - c confidence: LOW subcategory: - audit likelihood: LOW impact: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/c.lang.security.insecure-use-string-copy-fn.insecure-use-string-copy-fn shortlink: https://sg.run/7oNk semgrep.dev: rule: r_id: 8838 rv_id: 945175 rule_id: DbUpo5 version_id: 2KTYb7Y url: https://semgrep.dev/playground/r/2KTYb7Y/c.lang.security.insecure-use-string-copy-fn.insecure-use-string-copy-fn origin: community languages: - c severity: WARNING - id: generic.secrets.gitleaks.flickr-access-token.flickr-access-token message: A gitleaks flickr-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.flickr-access-token.flickr-access-token shortlink: https://sg.run/6onB semgrep.dev: rule: r_id: 44715 rv_id: 1262735 rule_id: x8Ulnq version_id: ZRTKAek url: https://semgrep.dev/playground/r/ZRTKAek/generic.secrets.gitleaks.flickr-access-token.flickr-access-token origin: community patterns: - pattern-regex: (?i)(?:flickr)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.duffel-api-token.duffel-api-token message: A gitleaks duffel-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.duffel-api-token.duffel-api-token shortlink: https://sg.run/Rjoe semgrep.dev: rule: r_id: 44705 rv_id: 1262722 rule_id: X5UG8Q version_id: 1QTyp44 url: https://semgrep.dev/playground/r/1QTyp44/generic.secrets.gitleaks.duffel-api-token.duffel-api-token origin: community patterns: - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43} - id: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil message: The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service languages: - go severity: WARNING metadata: category: security cwe: 'CWE-476: NULL Pointer Dereference' subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: LOW technology: - --no-technology-- description: Possible incorrect `ServerCodec` interface implementation references: - https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658 license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil shortlink: https://sg.run/lx09 semgrep.dev: rule: r_id: 11757 rv_id: 833272 rule_id: QrUp7k version_id: yeTN1ek url: https://semgrep.dev/playground/r/yeTN1ek/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil origin: community patterns: - pattern: | func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { ... } - pattern-not: | func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { ... if $ARG == nil { ... } ... } - pattern-not: | func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error { ... if $ARG != nil { ... } ... } - id: terraform.azure.best-practice.azure-mariadb-sslenforcement-enabled.azure-mariadb-sslenforcement-enabled message: Ensure Enforce SSL connection is set to Enabled for MariaDB servers patterns: - pattern: resource - pattern-not-inside: | resource "azurerm_mariadb_server" "..." { ... ssl_enforcement_enabled = true ... } - pattern-inside: | resource "azurerm_mariadb_server" "..." { ... } metadata: category: best-practice technology: - terraform - azure license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.azure.best-practice.azure-mariadb-sslenforcement-enabled.azure-mariadb-sslenforcement-enabled shortlink: https://sg.run/kPp7 semgrep.dev: rule: r_id: 23928 rv_id: 946766 rule_id: ReUkpL version_id: BjT1BXv url: https://semgrep.dev/playground/r/BjT1BXv/terraform.azure.best-practice.azure-mariadb-sslenforcement-enabled.azure-mariadb-sslenforcement-enabled origin: community languages: - hcl severity: WARNING - id: trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast message: Downcasting or changing sign of an integer with `$CAST_METHOD` method languages: - go severity: WARNING metadata: category: security cwe: 'CWE-681: Incorrect Conversion between Numeric Types' subcategory: - audit confidence: HIGH likelihood: LOW impact: MEDIUM technology: - --no-technology-- description: Integer underflows references: - https://github.com/golang/go/issues/30209 license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast shortlink: https://sg.run/65WB semgrep.dev: rule: r_id: 11759 rv_id: 833273 rule_id: 4bU2AZ version_id: rxTDzNy url: https://semgrep.dev/playground/r/rxTDzNy/trailofbits.go.string-to-int-signedness-cast.string-to-int-signedness-cast origin: community pattern-either: - patterns: - metavariable-pattern: metavariable: $CAST_METHOD pattern-either: - pattern: uint8 - pattern: uint16 - pattern: uint32 - pattern: int8 - pattern: int16 - pattern: int32 - pattern-either: - pattern: | $X, ... = strconv.Atoi(...) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 64) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 64) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.Atoi(...) ... uint64($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 64) ... uint64($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 64) ... int64($X) - patterns: - metavariable-pattern: metavariable: $CAST_METHOD pattern-either: - pattern: uint8 - pattern: uint16 - pattern: int8 - pattern: int16 - pattern-either: - pattern: | $X, ... = strconv.ParseInt(..., ..., 32) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 32) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 32) ... uint32($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 32) ... int32($X) - patterns: - metavariable-pattern: metavariable: $CAST_METHOD pattern-either: - pattern: uint8 - pattern: int8 - pattern-either: - pattern: | $X, ... = strconv.ParseInt(..., ..., 16) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 16) ... $CAST_METHOD($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 16) ... uint16($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 16) ... int16($X) - pattern: | $X, ... = strconv.ParseInt(..., ..., 8) ... uint8($X) - pattern: | $X, ... = strconv.ParseUint(..., ..., 8) ... int8($X) - id: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied message: A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended languages: - go severity: ERROR metadata: category: security cwe: 'CWE-688: Function Call With Incorrect Variable or Reference as Argument' subcategory: - vuln confidence: HIGH likelihood: HIGH impact: LOW technology: - --no-technology-- description: Copying of `sync.Mutex` via value receivers references: - https://go101.org/article/concurrent-common-mistakes.html license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied shortlink: https://sg.run/owlR semgrep.dev: rule: r_id: 11760 rv_id: 833274 rule_id: PeUBW1 version_id: bZTBelR url: https://semgrep.dev/playground/r/bZTBelR/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied origin: community patterns: - pattern-either: - pattern: | func ($T $TYPE) $FUNC(...){ ... $T.Lock() ... } - pattern: | func ($T $TYPE) $FUNC(...){ ... $T.RLock() ... } - pattern-not: | func ($T2 *$TYPE2) $FUNC(...){ ... } - id: generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret message: A gitleaks shopify-shared-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret shortlink: https://sg.run/Jl3W semgrep.dev: rule: r_id: 44790 rv_id: 1262822 rule_id: GdUb0w version_id: jQTn5Yp url: https://semgrep.dev/playground/r/jQTn5Yp/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret origin: community patterns: - pattern-regex: shpss_[a-fA-F0-9]{32} - id: terraform.gcp.security.gcp-bigquery-table-encrypted-with-cmk.gcp-bigquery-table-encrypted-with-cmk patterns: - pattern: | resource "google_bigquery_table" $ANYTHING { ... } - pattern-not-inside: | resource "google_bigquery_table" $ANYTHING { ... encryption_configuration { ... kms_key_name = ... ... } ... } message: "Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)\t" metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-bigquery-table-encrypted-with-cmk.gcp-bigquery-table-encrypted-with-cmk shortlink: https://sg.run/49Jx semgrep.dev: rule: r_id: 32300 rv_id: 946902 rule_id: 7KUK0Q version_id: w8TK8Jv url: https://semgrep.dev/playground/r/w8TK8Jv/terraform.gcp.security.gcp-bigquery-table-encrypted-with-cmk.gcp-bigquery-table-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: trailofbits.generic.container-user-root.container-user-root message: Found container command running as root languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-250: Execution with Unnecessary Privileges' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://docs.docker.com/engine/reference/commandline/run/ license: AGPL-3.0 license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/trailofbits.generic.container-user-root.container-user-root shortlink: https://sg.run/lBKyB semgrep.dev: rule: r_id: 113213 rv_id: 833252 rule_id: AbU9gy9 version_id: GxTDEYO url: https://semgrep.dev/playground/r/GxTDEYO/trailofbits.generic.container-user-root.container-user-root origin: community pattern-either: - pattern: docker ... -u root - pattern: docker ... -u 0 - pattern: docker ... --user root - pattern: docker ... --user 0 - pattern: podman ... -u root - pattern: podman ... --u 0 - pattern: podman ... --user root - pattern: podman ... --user 0 - id: trailofbits.generic.curl-insecure.curl-insecure message: Found `curl` command disabling SSL verification languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://curl.se/docs/manpage.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.curl-insecure.curl-insecure shortlink: https://sg.run/YG37D semgrep.dev: rule: r_id: 113214 rv_id: 833253 rule_id: BYUXkQx version_id: RGTKGnY url: https://semgrep.dev/playground/r/RGTKGnY/trailofbits.generic.curl-insecure.curl-insecure origin: community pattern-either: - pattern: 'curl ... -k ' - pattern: curl ... --insecure - id: trailofbits.generic.curl-unencrypted-url.curl-unencrypted-url message: Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://curl.se/docs/manpage.html license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.generic.curl-unencrypted-url.curl-unencrypted-url shortlink: https://sg.run/6JldW semgrep.dev: rule: r_id: 113215 rv_id: 975175 rule_id: DbU6R39 version_id: 1QTokGb url: https://semgrep.dev/playground/r/1QTokGb/trailofbits.generic.curl-unencrypted-url.curl-unencrypted-url origin: community patterns: - pattern-either: - pattern: curl ... http:// - pattern: curl ... ftp:// - pattern-not-inside: curl ... http://127.0.0.1 - pattern-not-inside: curl ... http://localhost - pattern-not-inside: curl ... http://169.254.169.254 - pattern-not-inside: curl ... http://[fd00:ec2::254] - pattern-not-inside: curl ... http://metadata.google.internal - id: trailofbits.generic.gpg-insecure-flags.gpg-insecure-flags message: Found `gpg` command using insecure flags languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://www.gnupg.org/gph/de/manual/r1023.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.gpg-insecure-flags.gpg-insecure-flags shortlink: https://sg.run/oqLJx semgrep.dev: rule: r_id: 113216 rv_id: 833255 rule_id: WAUWqko version_id: BjTe0Jg url: https://semgrep.dev/playground/r/BjTe0Jg/trailofbits.generic.gpg-insecure-flags.gpg-insecure-flags origin: community pattern-either: - pattern: gpg ... --allow-non-selfsigned-uid - pattern: gpg ... --allow-freeform-uid - pattern: gpg ... --allow-old-cipher-algos - pattern: gpg ... --allow-weak-digest-algos - pattern: gpg ... --allow-weak-key-signatures - pattern: gpg ... --ignore-time-conflict - pattern: gpg ... --ignore-valid-from - pattern: gpg ... --ignore-crc-error - pattern: gpg ... --ignore-mdc-error - pattern: gpg ... --skip-verify - pattern: gpg ... --no-require-cross-certification - id: trailofbits.generic.installer-allow-untrusted.installer-allow-untrusted message: Found `installer` command allowing untrusted installations languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-494: Download of Code Without Integrity Check' confidence: HIGH likelihood: HIGH impact: HIGH references: - https://ss64.com/mac/installer.html license: AGPL-3.0 license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/trailofbits.generic.installer-allow-untrusted.installer-allow-untrusted shortlink: https://sg.run/zdLlk semgrep.dev: rule: r_id: 113217 rv_id: 833256 rule_id: 0oULKQE version_id: DkTG0Xg url: https://semgrep.dev/playground/r/DkTG0Xg/trailofbits.generic.installer-allow-untrusted.installer-allow-untrusted origin: community pattern: installer ... -allowUntrusted - id: trailofbits.yaml.ansible.apt-key-validate-certs-disabled.apt-key-validate-certs-disabled message: Found apt key with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible - apt confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_key_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.apt-key-validate-certs-disabled.apt-key-validate-certs-disabled shortlink: https://sg.run/bwPnP semgrep.dev: rule: r_id: 113226 rv_id: 833315 rule_id: AbU9gyg version_id: 9lTJ06D url: https://semgrep.dev/playground/r/9lTJ06D/trailofbits.yaml.ansible.apt-key-validate-certs-disabled.apt-key-validate-certs-disabled origin: community patterns: - pattern-inside: | $APTKEY: ... url: ... ... - metavariable-pattern: metavariable: $APTKEY pattern-either: - pattern: apt_key - pattern: ansible.builtin.apt_key - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: trailofbits.yaml.ansible.apt-unencrypted-url.apt-unencrypted-url message: Found apt deb with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible - apt confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-deb license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.apt-unencrypted-url.apt-unencrypted-url shortlink: https://sg.run/NbW3L semgrep.dev: rule: r_id: 113227 rv_id: 833316 rule_id: BYUXkQb version_id: yeTN15k url: https://semgrep.dev/playground/r/yeTN15k/trailofbits.yaml.ansible.apt-unencrypted-url.apt-unencrypted-url origin: community patterns: - pattern-inside: | $APT: ... - metavariable-pattern: metavariable: $APT pattern-either: - pattern: apt - pattern: ansible.builtin.apt - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: deb - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.generic.mongodb-insecure-transport.mongodb-insecure-transport message: | Found insecure MongoDB connection, prefer TLS encrypted transport by setting the `tls=true` connection option and ensuring proper verification languages: - regex severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: HIGH impact: HIGH technology: - mongodb references: - https://www.mongodb.com/docs/manual/reference/connection-string/#connection-options license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.mongodb-insecure-transport.mongodb-insecure-transport shortlink: https://sg.run/4b6q5 semgrep.dev: rule: r_id: 150288 rv_id: 943182 rule_id: PeUJPl9 version_id: JdTD3Lg url: https://semgrep.dev/playground/r/JdTD3Lg/trailofbits.generic.mongodb-insecure-transport.mongodb-insecure-transport origin: community pattern-either: - patterns: - pattern-regex: (?i)mongodb://.+$ - pattern-not-regex: (?i)(?:(.)?)?mongodb://.+[?&]tls=true(?:\g{1}|$|&).* - pattern-not-regex: (?i)(?:(.)?)?mongodb://.+[?&]ssl=true(?:\g{1}|$|&).* - pattern-regex: (?i)mongodb://.+[?&]tlsAllowInvalidCertificates=true.*$ - pattern-regex: (?i)mongodb://.+[?&]tlsAllowInvalidHostnames=true.*$ - pattern-regex: (?i)mongodb://.+[?&]tlsInsecure=true.*$ - id: trailofbits.generic.mysql-insecure-sslmode.mysql-insecure-sslmode message: | Found MySQL connection string disabling SSL verification languages: - regex severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: HIGH impact: HIGH technology: - mysql references: - https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html - https://dev.mysql.com/doc/connector-j/en/connector-j-connp-props-security.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.mysql-insecure-sslmode.mysql-insecure-sslmode shortlink: https://sg.run/Pe0nz semgrep.dev: rule: r_id: 150289 rv_id: 943183 rule_id: JDUN9Bb version_id: 5PT9PLn url: https://semgrep.dev/playground/r/5PT9PLn/trailofbits.generic.mysql-insecure-sslmode.mysql-insecure-sslmode origin: community pattern-either: - pattern-regex: (?i)Ssl[ -]?Mode=(Disabled|None|Preferred) - pattern-regex: (?i)sslMode=(DISABLED|PREFERRED) - pattern-regex: (?i)useSSL=false - id: trailofbits.generic.node-disable-certificate-validation.node-disable-certificate-validation message: | Setting this environment variable disables TLS certificate validation. This makes TLS, and HTTPS by extension, insecure. The use of this environment variable is strongly discouraged. languages: - generic severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: HIGH impact: HIGH technology: - nodejs references: - https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.node-disable-certificate-validation.node-disable-certificate-validation shortlink: https://sg.run/JDGny semgrep.dev: rule: r_id: 150290 rv_id: 943184 rule_id: 5rUdgRW version_id: GxTPxzL url: https://semgrep.dev/playground/r/GxTPxzL/trailofbits.generic.node-disable-certificate-validation.node-disable-certificate-validation origin: community pattern-either: - pattern: NODE_TLS_REJECT_UNAUTHORIZED=0 - pattern: NODE_TLS_REJECT_UNAUTHORIZED='0' - pattern: NODE_TLS_REJECT_UNAUTHORIZED="0" - id: trailofbits.python.pickles-in-keras.pickles-in-keras message: |- Keras' load_model function may result in arbitrary code execution: - It can load vulnerable pickled models - It can load an hdf5 model that contains a lambda layer with arbitrary code that will be executed every time the model is used (loading, training, eval) Note: Keras loading with the built-in file format should be safe as long as checks are not disabled. languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - keras description: Potential arbitrary code execution from Keras' load_model function references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-keras.pickles-in-keras shortlink: https://sg.run/kxK8o semgrep.dev: rule: r_id: 124728 rv_id: 833300 rule_id: BYUXGv6 version_id: DkTG07g url: https://semgrep.dev/playground/r/DkTG07g/trailofbits.python.pickles-in-keras.pickles-in-keras origin: community patterns: - pattern-either: - patterns: - pattern: keras.models.load_model(...) - pattern-not: keras.models.load_model("...", ...) - patterns: - pattern: tensorflow.keras.models.load_model(...) - pattern-not: tensorflow.keras.models.load_model("...", ...) - patterns: - pattern: keras.saving.load_model(...) - pattern-not: keras.saving.load_model("...", ...) - patterns: - pattern: tensorflow.keras.saving.load_model(...) - pattern-not: tensorflow.keras.saving.load_model("...", ...) - id: trailofbits.python.pickles-in-tensorflow.pickles-in-tensorflow message: Tensorflow's low-level load function may result in arbitrary code execution. languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - keras description: Potential arbitrary code execution from tensorflow's load function references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-tensorflow.pickles-in-tensorflow shortlink: https://sg.run/wd5jn semgrep.dev: rule: r_id: 124729 rv_id: 833305 rule_id: DbU6e7r version_id: l4TyO1n url: https://semgrep.dev/playground/r/l4TyO1n/trailofbits.python.pickles-in-tensorflow.pickles-in-tensorflow origin: community patterns: - pattern: tensorflow.saved_model.load(...) - pattern-not: tensorflow.saved_model.load("...", ...) - id: trailofbits.ruby.action-dispatch-insecure-ssl.action-dispatch-insecure-ssl message: | Found Rails application with insecure SSL setting. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - rails references: - https://api.rubyonrails.org/v7.1.3.4/classes/ActionDispatch/SSL.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.action-dispatch-insecure-ssl.action-dispatch-insecure-ssl shortlink: https://sg.run/JDGnW semgrep.dev: rule: r_id: 150302 rv_id: 943196 rule_id: 6JUvPlK version_id: o5TZy2l url: https://semgrep.dev/playground/r/o5TZy2l/trailofbits.ruby.action-dispatch-insecure-ssl.action-dispatch-insecure-ssl origin: community patterns: - pattern-inside: | Rails.application.configure do ... end - pattern-either: - pattern: config.force_ssl = false - pattern: 'config.ssl_options = { ..., secure_cookies: false, ... }' - pattern: 'config.ssl_options = { ..., hsts: false, ... }' - pattern: 'config.ssl_options = { ..., hsts: { ..., subdomains: false, ... }, ... }' - id: trailofbits.ruby.action-mailer-insecure-tls.action-mailer-insecure-tls message: | Found ActionMailer SMTP configuration with insecure TLS setting. These settings do not require a successful, encrypted, verified TLS connection is made. Set `enable_starttls: true` and `openssl_verify_mode` to verify peer languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - rails - actionmailer references: - https://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.action-mailer-insecure-tls.action-mailer-insecure-tls shortlink: https://sg.run/5rolX semgrep.dev: rule: r_id: 150303 rv_id: 943197 rule_id: oqUg83Y version_id: zyTlAnD url: https://semgrep.dev/playground/r/zyTlAnD/trailofbits.ruby.action-mailer-insecure-tls.action-mailer-insecure-tls origin: community pattern-either: - pattern: 'ActionMailer::Base.smtp_settings = { ..., openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE, ... }' - pattern: 'ActionMailer::Base.smtp_settings = { ..., openssl_verify_mode: ''none'', ... }' - pattern: 'ActionMailer::Base.smtp_settings = { ..., enable_starttls_auto: true, ... }' - id: trailofbits.ruby.active-record-encrypts-misorder.active-record-encrypts-misorder message: | Found an ActiveRecord value with encryption before serialization. The declaration of the serialized attribute should go before the encryption declaration. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-311: Missing Encryption of Sensitive Data' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - rails - activerecord references: - https://guides.rubyonrails.org/active_record_encryption.html#supported-types license: AGPL-3.0 license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/trailofbits.ruby.active-record-encrypts-misorder.active-record-encrypts-misorder shortlink: https://sg.run/GdP12 semgrep.dev: rule: r_id: 150304 rv_id: 943198 rule_id: zdUK7Oq version_id: pZTN6z0 url: https://semgrep.dev/playground/r/pZTN6z0/trailofbits.ruby.active-record-encrypts-misorder.active-record-encrypts-misorder origin: community patterns: - pattern-inside: | class $CLS < ApplicationRecord ... end - pattern: | encrypts($SYM, ...) ... serialize($SYM, ...) - id: trailofbits.ruby.faraday-disable-verification.faraday-disable-verification message: | Found Faraday HTTP request disabling SSL/TLS verification. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - faraday references: - https://lostisland.github.io/faraday/#/customization/ssl-options license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.faraday-disable-verification.faraday-disable-verification shortlink: https://sg.run/Abko8 semgrep.dev: rule: r_id: 150306 rv_id: 943200 rule_id: 2ZUzJZG version_id: X0TLwgY url: https://semgrep.dev/playground/r/X0TLwgY/trailofbits.ruby.faraday-disable-verification.faraday-disable-verification origin: community pattern-either: - pattern: 'Faraday.new(..., ssl: { ..., verify: false, ... }, ...)' - pattern: 'Faraday.new(..., ssl: { ..., verify_hostname: false, ... }, ...)' - pattern: 'Faraday.new(..., ssl: { ..., verify_mode: OpenSSL::SSL::VERIFY_NONE, ... }, ...)' - id: trailofbits.ruby.global-timeout.global-timeout message: | Found `Timeout::timeout` (or `timeout`) use. Setting a global timeout can cause an exception to be raised anywhere in the passed block of code. This precludes any possible clean up action typically associated with rescuing from exceptions. This can lead to denial-of-service, data integrity failure, and general availability concerns. Instead prefer to use the library's built in timeout functionality, if it has any, to ensure processing happens as expected. If it does not have built in timeout functionality, then consider implementing it. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-460: Improper Cleanup on Thrown Exception' subcategory: - audit confidence: HIGH likelihood: HIGH impact: LOW technology: - ruby references: - https://ruby-doc.org/3.3.2/stdlibs/timeout/Timeout.html - https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/ - https://www.mikeperham.com/2015/05/08/timeout-rubys-most-dangerous-api/ - http://blog.headius.com/2008/02/rubys-threadraise-threadkill-timeoutrb.html license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.ruby.global-timeout.global-timeout shortlink: https://sg.run/BYwz2 semgrep.dev: rule: r_id: 150307 rv_id: 943201 rule_id: X5UQ61w version_id: jQTz6QD url: https://semgrep.dev/playground/r/jQTz6QD/trailofbits.ruby.global-timeout.global-timeout origin: community pattern-either: - pattern: Timeout::timeout(...) - pattern: Timeout.timeout(...) - pattern: timeout(...) - id: trailofbits.yaml.ansible.dnf-validate-certs-disabled.dnf-validate-certs-disabled message: Found dnf with SSL verification disabled languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit technology: - ansible - dnf confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf_module.html#parameter-validate_certs - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf5_module.html#parameter-validate_certs license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.yaml.ansible.dnf-validate-certs-disabled.dnf-validate-certs-disabled shortlink: https://sg.run/wdL06 semgrep.dev: rule: r_id: 113229 rv_id: 833318 rule_id: WAUWqkG version_id: bZTBe6R url: https://semgrep.dev/playground/r/bZTBe6R/trailofbits.yaml.ansible.dnf-validate-certs-disabled.dnf-validate-certs-disabled origin: community patterns: - pattern-inside: | $DNF: ... - metavariable-pattern: metavariable: $DNF pattern-either: - pattern: dnf - pattern: ansible.builtin.dnf - pattern: dnf5 - pattern: ansible.builtin.dnf5 - pattern: '$KEY: $VALUE' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: validate_certs - metavariable-pattern: metavariable: $VALUE pattern-either: - pattern: 'false' - id: trailofbits.yaml.ansible.get-url-unencrypted-url.get-url-unencrypted-url message: Found file download with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - yaml severity: WARNING metadata: category: security cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' subcategory: - audit technology: - ansible confidence: HIGH likelihood: HIGH impact: HIGH references: - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-url - https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_get_url_module.html#parameter-url license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.yaml.ansible.get-url-unencrypted-url.get-url-unencrypted-url shortlink: https://sg.run/x8LKj semgrep.dev: rule: r_id: 113230 rv_id: 833319 rule_id: 0oULKQq version_id: NdTB2r9 url: https://semgrep.dev/playground/r/NdTB2r9/trailofbits.yaml.ansible.get-url-unencrypted-url.get-url-unencrypted-url origin: community patterns: - pattern-inside: | $GETURL: ... - pattern-not-inside: | $GETURL: ... checksum: ... ... - metavariable-pattern: metavariable: $GETURL pattern-either: - pattern: get_url - pattern: win_get_url - pattern: ansible.builtin.get_url - pattern: ansible.windows.win_get_url - pattern: '$KEY: ''$VALUE''' - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: url - metavariable-regex: metavariable: $VALUE regex: (?i)^(http|ftp)://.* - id: trailofbits.go.unmarshal_tag_is_dash.unmarshal-tag-is-dash message: Struct field can be decoded with the `-` key because the JSON tag starts with a `-` but is followed by a comma. languages: - go severity: WARNING metadata: cwe: 'CWE-172: Encoding Error' category: security subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- references: - https://blog.trailofbits.com/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.unmarshal_tag_is_dash.unmarshal-tag-is-dash shortlink: https://sg.run/Bj1k7 semgrep.dev: rule: r_id: 193795 rv_id: 1028640 rule_id: d8UqAjp version_id: YDT26ZA url: https://semgrep.dev/playground/r/YDT26ZA/trailofbits.go.unmarshal_tag_is_dash.unmarshal-tag-is-dash origin: community patterns: - pattern: | type $T1 struct { ... $X $T2 `$TAG` ... } - focus-metavariable: $TAG - metavariable-regex: metavariable: $TAG regex: .*(json|yaml|xml):"-,[^"]*" - id: trailofbits.ruby.rails-params-json.rails-params-json message: | Found Rails parameters (`params`) using the `_json` parameter. This parameter is subject to parser juggling. This may allow an attacker to exploit differences in parameter processing at different points in the request processing lifecycle. For example, object ID processing during the authentication/authorization phase and action execution phase. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-843: Access of Resource Using Incompatible Type (''Type Confusion'')' subcategory: - audit confidence: LOW likelihood: MEDIUM impact: HIGH technology: - rails references: - https://nastystereo.com/security/rails-_json-juggling-attack.html - https://api.rubyonrails.org/v5.1.7/classes/ActionDispatch/Http/Parameters.html - https://api.rubyonrails.org/classes/ActionController/Parameters.html license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.ruby.rails-params-json.rails-params-json shortlink: https://sg.run/Reqz2 semgrep.dev: rule: r_id: 150949 rv_id: 973913 rule_id: qNU28qG version_id: w8TKy6N url: https://semgrep.dev/playground/r/w8TKy6N/trailofbits.ruby.rails-params-json.rails-params-json origin: community pattern-either: - pattern: params[:_json] - pattern: params['_json'] - pattern: params.require(:_json) - pattern: params.require('_json') - pattern: params.fetch(:_json, ...) - pattern: params.fetch('_json', ...) - pattern: params.dig(:_json, ...) - pattern: params.dig('_json', ...) - id: generic.secrets.gitleaks.airtable-api-key.airtable-api-key message: A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.airtable-api-key.airtable-api-key shortlink: https://sg.run/wQpA semgrep.dev: rule: r_id: 44673 rv_id: 1262685 rule_id: eqUYL3 version_id: QkTGqkA url: https://semgrep.dev/playground/r/QkTGqkA/generic.secrets.gitleaks.airtable-api-key.airtable-api-key origin: community patterns: - pattern-regex: (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: terraform.aws.best-practice.missing-api-gateway-cache-cluster.missing-api-gateway-cache-cluster severity: WARNING languages: - hcl message: Found a AWS API Gateway Stage without cache cluster enabled. Enabling the cache cluster feature enhances responsiveness of your API. Add `cache_cluster_enabled = true` to your resource block. metadata: category: best-practice technology: - aws - terraform license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-api-gateway-cache-cluster.missing-api-gateway-cache-cluster shortlink: https://sg.run/GOkq semgrep.dev: rule: r_id: 14948 rv_id: 946647 rule_id: PeUo8N version_id: vdTGnkl url: https://semgrep.dev/playground/r/vdTGnkl/terraform.aws.best-practice.missing-api-gateway-cache-cluster.missing-api-gateway-cache-cluster origin: community patterns: - pattern: | resource "aws_api_gateway_stage" $ANYTHING { ... } - pattern-not-inside: | resource "aws_api_gateway_stage" $ANYTHING { ... cache_cluster_enabled = true ... } - id: generic.secrets.gitleaks.age-secret-key.age-secret-key message: A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.age-secret-key.age-secret-key shortlink: https://sg.run/k3WP semgrep.dev: rule: r_id: 44672 rv_id: 1262684 rule_id: OrUAnO version_id: gETB7yr url: https://semgrep.dev/playground/r/gETB7yr/generic.secrets.gitleaks.age-secret-key.age-secret-key origin: community patterns: - pattern-regex: AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58} - id: terraform.aws.best-practice.missing-alb-drop-http-headers.missing-alb-drop-http-headers severity: WARNING languages: - hcl message: Detected a AWS load balancer that is not configured to drop invalid HTTP headers. Add `drop_invalid_header_fields = true` in your resource block. metadata: category: best-practice technology: - aws - terraform license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/terraform.aws.best-practice.missing-alb-drop-http-headers.missing-alb-drop-http-headers shortlink: https://sg.run/4eW5 semgrep.dev: rule: r_id: 14944 rv_id: 946646 rule_id: 0oU2nD version_id: e1T98dQ url: https://semgrep.dev/playground/r/e1T98dQ/terraform.aws.best-practice.missing-alb-drop-http-headers.missing-alb-drop-http-headers origin: community patterns: - pattern-either: - pattern: | resource "aws_lb" $ENABLED { ... } - pattern: | resource "aws_alb" $ENABLED { ... } - pattern-not-inside: | resource $ANYTHING $ENABLED { ... drop_invalid_header_fields = true ... } - id: generic.secrets.gitleaks.shippo-api-token.shippo-api-token message: A gitleaks shippo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.shippo-api-token.shippo-api-token shortlink: https://sg.run/QX8Q semgrep.dev: rule: r_id: 44786 rv_id: 1262818 rule_id: 4bUKzO version_id: zyTb28r url: https://semgrep.dev/playground/r/zyTb28r/generic.secrets.gitleaks.shippo-api-token.shippo-api-token origin: community patterns: - pattern-regex: (?i)\b(shippo_(live|test)_[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat message: A gitleaks github-fine-grained-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat shortlink: https://sg.run/yQdR semgrep.dev: rule: r_id: 44724 rv_id: 1262744 rule_id: L1ULyp version_id: 44TEjer url: https://semgrep.dev/playground/r/44TEjer/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat origin: community patterns: - pattern-regex: github_pat_[0-9a-zA-Z_]{82} - id: elixir.lang.best-practice.deprecated-calendar-iso-day-of-week-3.deprecated_calendar_iso_day_of_week_3 message: '`Calendar.ISO.day_of_week/3` is already deprecated. Please use `Calendar.ISO.day_of_week/4` instead.' severity: WARNING languages: - elixir pattern: $VAR = Calendar.ISO.day_of_week($YEAR, $MONTH, $DAY) fix: | {$VAR, _, _} = Calendar.ISO.day_of_week($YEAR, $MONTH, $DAY, :default) metadata: references: - https://github.com/elixir-lang/elixir/releases/tag/v1.15.0 category: best-practice technology: - elixir license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/elixir.lang.best-practice.deprecated-calendar-iso-day-of-week-3.deprecated_calendar_iso_day_of_week_3 shortlink: https://sg.run/r470 semgrep.dev: rule: r_id: 67425 rv_id: 945274 rule_id: 6JUg9G version_id: zyTlkl9 url: https://semgrep.dev/playground/r/zyTlkl9/elixir.lang.best-practice.deprecated-calendar-iso-day-of-week-3.deprecated_calendar_iso_day_of_week_3 origin: community - id: solidity.security.msg-value-multicall.msg-value-multicall message: $F with constant msg.value can be called multiple times metadata: category: security technology: - solidity cwe: 'CWE-837: Improper Enforcement of a Single, Unique Action' confidence: LOW likelihood: MEDIUM impact: HIGH subcategory: - vuln references: - https://github.com/Uniswap/v3-periphery/issues/52 - https://www.paradigm.xyz/2021/08/two-rights-might-make-a-wrong license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/solidity.security.msg-value-multicall.msg-value-multicall shortlink: https://sg.run/YWpd semgrep.dev: rule: r_id: 67658 rv_id: 946621 rule_id: JDUrq0 version_id: BjT1NYB url: https://semgrep.dev/playground/r/BjT1NYB/solidity.security.msg-value-multicall.msg-value-multicall origin: community patterns: - pattern-either: - pattern-inside: | contract $C is ..., BoringBatchable, ... { ... } - pattern-inside: | contract $C is ..., Multicall, ... { ... } - pattern-inside: | function $F(...) { ... } - pattern: msg.value languages: - solidity severity: ERROR - id: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests metadata: cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST asvs: section: V6 Stored Cryptography Verification Requirements control_id: 6.2.2 Insecure Custom Algorithm control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms version: '4' references: - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms category: security technology: - java subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests shortlink: https://sg.run/PJ0p semgrep.dev: rule: r_id: 9201 rv_id: 1263004 rule_id: KxUbW4 version_id: YDTZewB url: https://semgrep.dev/playground/r/YDTZewB/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests origin: community message: 'Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");' severity: WARNING languages: - java pattern: |- class $CLASS extends MessageDigest { ... } - id: generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token message: A gitleaks telegram-bot-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token shortlink: https://sg.run/4YPl semgrep.dev: rule: r_id: 44800 rv_id: 1262840 rule_id: YGUgQA version_id: LjTkgQ1 url: https://semgrep.dev/playground/r/LjTkgQ1/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token origin: community patterns: - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$) - id: dgryski.semgrep-go.readfull.io-readfull-n patterns: - pattern-either: - pattern: | $N, $ERR = io.ReadFull($R, $SLICE) if $ERR != nil || $N != len($SLICE) { ... } - pattern: | $N, $ERR = io.ReadFull($R, $SLICE) if $N != len($SLICE) || $ERR != nil { ... } message: io.ReadFull() returns err == nil iff n == len(slice) languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.readfull.io-readfull-n shortlink: https://sg.run/0Qdr semgrep.dev: rule: r_id: 8710 rv_id: 833083 rule_id: r6UrbY version_id: ExTrDAZ url: https://semgrep.dev/playground/r/ExTrDAZ/dgryski.semgrep-go.readfull.io-readfull-n origin: community - id: trailofbits.ruby.rails-cache-store-marshal.rails-cache-store-marshal message: | Found Rails cache store configured to allow Marshaling. As of Rails 7.1 the default serializer is `:marshal_7_1`. If an attacker can inject data into the cache store (SSRF, etc.), then they can achieve code execution when the object is later deserialized. Consider using a custom serializer like JSON or MessagePack that does not fallback on Marshal. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - audit confidence: MEDIUM likelihood: LOW impact: LOW technology: - rails references: - https://github.com/rails/rails/blob/v7.1.4/activesupport/lib/active_support/cache.rb#L327 - https://github.com/rails/rails/blob/v7.1.4/activesupport/lib/active_support/cache/serializer_with_fallback.rb#L166-L172 - https://api.rubyonrails.org/v7.1.3.4/classes/ActiveSupport/Cache/MemCacheStore.html - https://api.rubyonrails.org/v7.1.3.4/classes/ActiveSupport/Cache/Store.html license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.ruby.rails-cache-store-marshal.rails-cache-store-marshal shortlink: https://sg.run/0oKN5 semgrep.dev: rule: r_id: 150310 rv_id: 943204 rule_id: 9AUdPvk version_id: yeT0BAd url: https://semgrep.dev/playground/r/yeT0BAd/trailofbits.ruby.rails-cache-store-marshal.rails-cache-store-marshal origin: community patterns: - pattern-inside: | Rails.application.configure do ... end - pattern-either: - patterns: - pattern: config.cache_store = $STORE - pattern-not: config.cache_store = $STORE2, ..., { ... } - patterns: - pattern: config.cache_store = $STORE, ..., { ... } - pattern-not: 'config.cache_store = $STORE, ..., { ..., serializer: ..., ... }' - patterns: - pattern: config.cache_store = $STORE, ..., $OPTIONS - metavariable-pattern: metavariable: $OPTIONS patterns: - pattern: '{ ..., serializer: :passthrough, ... }' - pattern: '{ ..., serializer: :marshal_6_1, ... }' - pattern: '{ ..., serializer: :marshal_7_0, ... }' - pattern: '{ ..., serializer: :marshal_7_1, ... }' - pattern: '{ ..., serializer: :message_pack, ... }' - metavariable-pattern: metavariable: $STORE pattern-either: - pattern: :file_store - pattern: :mem_cache_store - pattern: :redis_cache_store - id: trailofbits.ruby.rails-cookie-attributes.rails-cookie-attributes message: | Found Rails cookie set with insecure attribute. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-345: Insufficient Verification of Data Authenticity' subcategory: - audit confidence: HIGH likelihood: HIGH impact: LOW technology: - rails references: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie - https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.rails-cookie-attributes.rails-cookie-attributes shortlink: https://sg.run/KxRbX semgrep.dev: rule: r_id: 150311 rv_id: 943205 rule_id: yyUR7EP version_id: rxT6o2b url: https://semgrep.dev/playground/r/rxT6o2b/trailofbits.ruby.rails-cookie-attributes.rails-cookie-attributes origin: community patterns: - pattern-either: - pattern-inside: cookies[$ANY] = ... - pattern-inside: cookies. ... .$ATTR[$ANY] = ... - pattern-either: - pattern: '{..., same_site: :none, ...}' - pattern: '{..., same_site: :lax, ...}' - pattern: '{..., httponly: false, ...}' - pattern: '{..., secure: false, ...}' - id: trailofbits.ruby.rest-client-disable-verification.rest-client-disable-verification message: | Found RestClient HTTP request disabling SSL/TLS verification. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - restclient references: - https://github.com/rest-client/rest-client#ssl-client-certificates license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.rest-client-disable-verification.rest-client-disable-verification shortlink: https://sg.run/qNnOy semgrep.dev: rule: r_id: 150312 rv_id: 943206 rule_id: r6Uy7E2 version_id: bZTXKzJ url: https://semgrep.dev/playground/r/bZTXKzJ/trailofbits.ruby.rest-client-disable-verification.rest-client-disable-verification origin: community patterns: - pattern-either: - pattern: $FUNC(..., :verify_ssl => false, ...) - pattern: $FUNC(..., :verify_ssl => OpenSSL::SSL::VERIFY_NONE, ...) - metavariable-pattern: metavariable: $FUNC pattern-either: - pattern: RestClient::Resource.new - pattern: RestClient::Request.new - pattern: RestClient::Request.execute - id: trailofbits.ruby.ruby-saml-skip-validation.ruby-saml-skip-validation message: | SAML response validation disabled for $KEY. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-345: Insufficient Verification of Data Authenticity' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - saml references: - https://github.com/SAML-Toolkits/ruby-saml/blob/v1.16.0/lib/onelogin/ruby-saml/response.rb license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.ruby-saml-skip-validation.ruby-saml-skip-validation shortlink: https://sg.run/lBLO9 semgrep.dev: rule: r_id: 150313 rv_id: 943207 rule_id: bwUbjnB version_id: NdTq9Xv url: https://semgrep.dev/playground/r/NdTq9Xv/trailofbits.ruby.ruby-saml-skip-validation.ruby-saml-skip-validation origin: community pattern-either: - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_audience: true, ...})' - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_authnstatement: true, ...})' - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_conditions: true, ...})' - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_destination: true, ...})' - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_recipient_check: true, ...})' - pattern: 'OneLogin::RubySaml::Response.new($RESPONSE, {..., skip_subject_confirmation: true, ...})' - patterns: - pattern-either: - pattern: | $SETTINGS = OneLogin::RubySaml::Settings.new(...) ... $SETTINGS.$KEY = true - pattern: | $SETTINGS = OneLogin::RubySaml::Settings.new ... $SETTINGS.$KEY = true - focus-metavariable: $KEY - metavariable-pattern: metavariable: $KEY pattern-either: - pattern: skip_audience - pattern: skip_authnstatement - pattern: skip_conditions - pattern: skip_destination - pattern: skip_recipient_check - pattern: skip_subject_confirmation - id: trailofbits.ruby.yaml-unsafe-load.yaml-unsafe-load message: | Found YAML call to `unsafe_load`. This can lead to deserialization bugs and RCE. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: HIGH technology: - yaml references: - https://bishopfox.com/blog/ruby-vulnerabilities-exploits - https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/bad-deserialization-yaml.yaml license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.ruby.yaml-unsafe-load.yaml-unsafe-load shortlink: https://sg.run/YG2q4 semgrep.dev: rule: r_id: 150314 rv_id: 943208 rule_id: NbU3wbe version_id: kbTYj6v url: https://semgrep.dev/playground/r/kbTYj6v/trailofbits.ruby.yaml-unsafe-load.yaml-unsafe-load origin: community patterns: - pattern-either: - pattern: YAML.unsafe_load(...) - pattern: Psych.unsafe_load(...) - pattern: 'serialize(..., yaml: { ..., unsafe_load: true, ... }, ...)' - pattern-not: YAML.unsafe_load("...") - pattern-not: Psych.unsafe_load("...") - id: generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token message: A gitleaks shopify-private-app-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token shortlink: https://sg.run/P2pW semgrep.dev: rule: r_id: 44789 rv_id: 1262821 rule_id: 5rUK46 version_id: X0Tzyxo url: https://semgrep.dev/playground/r/X0Tzyxo/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token origin: community patterns: - pattern-regex: shppa_[a-fA-F0-9]{32} - id: dgryski.semgrep-go.contextcancelable.cancelable-context-not-systematically-cancelled patterns: - pattern: $_, $X := context.$CANCELABLE(...) - pattern-not-inside: | $_, $X := context.$CANCELABLE(...) ... defer $X() - pattern-not-inside: | $_, $X := context.$CANCELABLE(...) ... $X() - pattern-not-inside: | $_, $X := context.$CANCELABLE(...) ... t.Cleanup($X) - metavariable-regex: metavariable: $CANCELABLE regex: (WithDeadline|WithTimeout) message: it is good practice to call context cancellation function, $X(), in any case languages: - go severity: WARNING metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.contextcancelable.cancelable-context-not-systematically-cancelled shortlink: https://sg.run/4lZ8 semgrep.dev: rule: r_id: 16544 rv_id: 833033 rule_id: 7KUW6z version_id: 44TQPlW url: https://semgrep.dev/playground/r/44TQPlW/dgryski.semgrep-go.contextcancelable.cancelable-context-not-systematically-cancelled origin: community - id: dgryski.semgrep-go.gofuzz.go-fuzz-to-native-fuzzing patterns: - pattern: func Fuzz($DATA []byte) int { $...BODY } fix: | // remove gofuzz build tag // rename file to _test.go // convert corpus with file2fuzz func FuzzData(f *testing.F) { f.Fuzz(func(t *testing.T, $DATA []byte) { func() int { $...BODY }() }) } message: old-style go-fuzz fuzz function found languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.gofuzz.go-fuzz-to-native-fuzzing shortlink: https://sg.run/pD3e semgrep.dev: rule: r_id: 34618 rv_id: 833039 rule_id: v8UoPz version_id: A8T375B url: https://semgrep.dev/playground/r/A8T375B/dgryski.semgrep-go.gofuzz.go-fuzz-to-native-fuzzing origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-tempdir pattern: ioutil.TempDir($D, $P) fix: os.MkdirTemp($D, $P) message: ioutil.TempDir is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-tempdir shortlink: https://sg.run/86Z7 semgrep.dev: rule: r_id: 14684 rv_id: 833049 rule_id: 8GUzOw version_id: 5PTyDA6 url: https://semgrep.dev/playground/r/5PTyDA6/dgryski.semgrep-go.ioutil.deprecated-ioutil-tempdir origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-tempfile pattern: ioutil.TempFile($D, $P) fix: os.CreateTemp($D, $P) message: ioutil.TempFile is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-tempfile shortlink: https://sg.run/gY0n semgrep.dev: rule: r_id: 14685 rv_id: 833050 rule_id: gxUgGQ version_id: GxTDE6w url: https://semgrep.dev/playground/r/GxTDE6w/dgryski.semgrep-go.ioutil.deprecated-ioutil-tempfile origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-writefile pattern: ioutil.WriteFile($F, $D, $P) fix: os.WriteFile($F, $D, $P) message: ioutil.WriteFile is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-writefile shortlink: https://sg.run/Q9EP semgrep.dev: rule: r_id: 14686 rv_id: 833051 rule_id: QrUdlr version_id: RGTKGk1 url: https://semgrep.dev/playground/r/RGTKGk1/dgryski.semgrep-go.ioutil.deprecated-ioutil-writefile origin: community - id: dgryski.semgrep-go.anon-struct-args.anonymous-struct-args patterns: - pattern-either: - pattern: func $FUNC(..., $NAME *struct { ... }, ...) - pattern: func $FUNC(..., $NAME struct { ... }, ...) - pattern: func ($T $TYPE) $FUNC(..., $NAME *struct { ... }, ...) - pattern: func ($T $TYPE) $FUNC(..., $NAME struct { ... }, ...) message: Odd use of anonymous structs for function arguments languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.anon-struct-args.anonymous-struct-args shortlink: https://sg.run/gLyo semgrep.dev: rule: r_id: 8685 rv_id: 833029 rule_id: lBU9eo version_id: 8KTGk9W url: https://semgrep.dev/playground/r/8KTGk9W/dgryski.semgrep-go.anon-struct-args.anonymous-struct-args origin: community - id: dgryski.semgrep-go.badexponentiation.bad-exponentiation patterns: - pattern-either: - pattern: 10 ^ $X - pattern: 2 ^ $X message: Caret (^) is not exponentiation languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.badexponentiation.bad-exponentiation shortlink: https://sg.run/Q5ND semgrep.dev: rule: r_id: 8686 rv_id: 833030 rule_id: PeUZEb version_id: gETy2xp url: https://semgrep.dev/playground/r/gETy2xp/dgryski.semgrep-go.badexponentiation.bad-exponentiation origin: community - id: dgryski.semgrep-go.badnilguard.bad-nil-guard patterns: - pattern-either: - pattern: $X == nil && <... $X.$F ...> - pattern: $X != nil || <... $X.$F ...> - pattern: $X == nil && <... len($X) > 0 ...> - pattern: <... $X.$F ...> && $X != nil - pattern: <... $X.$F ...> || $X == nil - pattern: <... $X.$F ...> && $X == nil - pattern: <... $X.$F ...> || $X != nil - pattern: <... len($X) > 0 ...> && $X == nil message: Bad nil guard languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.badnilguard.bad-nil-guard shortlink: https://sg.run/3xdg semgrep.dev: rule: r_id: 8687 rv_id: 833031 rule_id: JDUy2e version_id: QkTkr0R url: https://semgrep.dev/playground/r/QkTkr0R/dgryski.semgrep-go.badnilguard.bad-nil-guard origin: community - id: dgryski.semgrep-go.close-sql-query-rows.rows-not-closed patterns: - pattern: $Q.QueryxContext(...) - pattern-not-inside: return $X.QueryxContext(...) - pattern-not-inside: | $ROWS, $ERR = $Q.QueryxContext(...) ... $ROWS.Close() - pattern-not-inside: | $ROWS, $ERR = $Q.QueryxContext(...) ... defer $ROWS.Close() - pattern-not-inside: | $ROWS, $ERR = $Q.QueryxContext(...) ... $FUNC($ROWS) - pattern-not-inside: | if ... { ... $ROWS, $ERR = $Q.QueryxContext(...) ... } else { ... } $ROWS.Close() - pattern-not-inside: | if ... { ... $ROWS, $ERR = $Q.QueryxContext(...) ... } else { ... } ... defer $ROWS.Close() - pattern-not-inside: | if ... { ... } else { ... $ROWS, $ERR = $Q.QueryxContext(...) ... } ... $ROWS.Close() - pattern-not-inside: | if ... { ... } else { ... $ROWS, $ERR = $Q.QueryxContext(...) ... } ... defer $ROWS.Close() message: QueryxContext rows must be closed (or use ExecContext) languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.close-sql-query-rows.rows-not-closed shortlink: https://sg.run/4xdg semgrep.dev: rule: r_id: 8688 rv_id: 833032 rule_id: 5rUOBY version_id: 3ZT3AQK url: https://semgrep.dev/playground/r/3ZT3AQK/dgryski.semgrep-go.close-sql-query-rows.rows-not-closed origin: community - id: dgryski.semgrep-go.contexttodo.context-todo patterns: - pattern-either: - pattern: | context.TODO() message: Consider to use well-defined context languages: - go severity: WARNING metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.contexttodo.context-todo shortlink: https://sg.run/PJNN semgrep.dev: rule: r_id: 8689 rv_id: 833034 rule_id: GdU744 version_id: PkTxr1X url: https://semgrep.dev/playground/r/PkTxr1X/dgryski.semgrep-go.contexttodo.context-todo origin: community - id: dgryski.semgrep-go.errclosed.use-net-errclosed patterns: - pattern: strings.Contains($ERR.Error(), $X) - metavariable-regex: metavariable: $X regex: '".*closed network connection.*"' message: Use errors.Is($ERR, net.ErrClosed) instead languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.errclosed.use-net-errclosed shortlink: https://sg.run/J9No semgrep.dev: rule: r_id: 8690 rv_id: 833036 rule_id: ReUgBd version_id: 5PTyDAQ url: https://semgrep.dev/playground/r/5PTyDAQ/dgryski.semgrep-go.errclosed.use-net-errclosed origin: community - id: dgryski.semgrep-go.errtodo.err-todo patterns: - pattern-either: - patterns: - pattern-inside: if err != nil { ... } - pattern-regex: // ?(TODO|FIXME).* - pattern-either: - patterns: - pattern-inside: | if ... ; err != nil { ... } - pattern-regex: // ?(TODO|FIXME).* message: TODO in error handling code languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.errtodo.err-todo shortlink: https://sg.run/GeNB semgrep.dev: rule: r_id: 8692 rv_id: 833038 rule_id: BYUNQj version_id: RGTKGkJ url: https://semgrep.dev/playground/r/RGTKGkJ/dgryski.semgrep-go.errtodo.err-todo origin: community - id: dgryski.semgrep-go.hashsum.hash-sum-without-write patterns: - pattern-either: - pattern: | $HASH.New().Sum($SLICE) - pattern: | $H := $HASH.New() ... $H.Sum($SLICE) - pattern-not: | $H := $HASH.New() ... $H.Write(...) ... $H.Sum($SLICE) - pattern-not: | $H := $HASH.New() ... $FUNC(..., $H, ...) ... $H.Sum($SLICE) message: odd hash.Sum call flow languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.hashsum.hash-sum-without-write shortlink: https://sg.run/RoNE semgrep.dev: rule: r_id: 8693 rv_id: 833040 rule_id: DbUp34 version_id: BjTe0r6 url: https://semgrep.dev/playground/r/BjTe0r6/dgryski.semgrep-go.hashsum.hash-sum-without-write origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-readdir pattern: ioutil.ReadDir($D) message: ioutil.ReadDir is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-readdir shortlink: https://sg.run/7YOR semgrep.dev: rule: r_id: 14682 rv_id: 833047 rule_id: 7KUvq0 version_id: YDTl02J url: https://semgrep.dev/playground/r/YDTl02J/dgryski.semgrep-go.ioutil.deprecated-ioutil-readdir origin: community - id: dgryski.semgrep-go.ioutil.deprecated-ioutil-readfile pattern: ioutil.ReadFile($F) fix: os.ReadFile($F) message: ioutil.ReadFile is deprecated languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ioutil.deprecated-ioutil-readfile shortlink: https://sg.run/LXEJ semgrep.dev: rule: r_id: 14683 rv_id: 833048 rule_id: L1U5Dj version_id: JdTlrpJ url: https://semgrep.dev/playground/r/JdTlrpJ/dgryski.semgrep-go.ioutil.deprecated-ioutil-readfile origin: community - id: dgryski.semgrep-go.json-writer.json-encoder-needs-type patterns: - pattern: | $ENC := json.NewEncoder(($W: http.ResponseWriter)) ... $ENC.Encode(...) - pattern-not: | $ENC := json.NewEncoder(($W: http.ResponseWriter)) ... $W.Header().Set("=~/Content-Type/i", "=~/application/json/") ... $ENC.Encode(...) - pattern-not-inside: | $W.Header().Set("=~/Content-Type/i", "=~/application/json/") ... $ENC := json.NewEncoder($W) ... $ENC.Encode(...) - pattern-not: | $ENC := json.NewEncoder(($W: http.ResponseWriter)) ... $W.Header().Add("=~/Content-Type/i", "=~/application/json/") ... $ENC.Encode(...) - pattern-not-inside: | $W.Header().Add("=~/Content-Type/i", "=~/application/json/") ... $ENC := json.NewEncoder($W) ... $ENC.Encode(...) message: calling json.Encode() on an http.ResponseWriter will set Content-Type text/plain languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.json-writer.json-encoder-needs-type shortlink: https://sg.run/0Qdk semgrep.dev: rule: r_id: 8698 rv_id: 833054 rule_id: lBU9ek version_id: DkTG0Yq url: https://semgrep.dev/playground/r/DkTG0Yq/dgryski.semgrep-go.json-writer.json-encoder-needs-type origin: community - id: dgryski.semgrep-go.mail-address.sprintf-mail-address pattern-either: - pattern: fmt.Sprintf(`"%s" <%s>`, $NAME, $EMAIL) - pattern: fmt.Sprintf(`"%s"<%s>`, $NAME, $EMAIL) - pattern: fmt.Sprintf("\"%s\"<%s>", $NAME, $EMAIL) - pattern: fmt.Sprintf("\"%s\" <%s>", $NAME, $EMAIL) - pattern: fmt.Sprintf("%s<%s>", $NAME, $EMAIL) - pattern: fmt.Sprintf("%s <%s>", $NAME, $EMAIL) message: use net/mail Address.String() instead of fmt.Sprintf() fix: (&mail.Address{Name:$NAME, Address:$EMAIL}).String() languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.mail-address.sprintf-mail-address shortlink: https://sg.run/KlNP semgrep.dev: rule: r_id: 8699 rv_id: 833055 rule_id: YGURzL version_id: WrTdp3l url: https://semgrep.dev/playground/r/WrTdp3l/dgryski.semgrep-go.mail-address.sprintf-mail-address origin: community - id: dgryski.semgrep-go.marshaljson.marshal-json-misspell pattern-either: - patterns: - pattern-regex: (?i)func $(.+)$ marshal[l]?json$(.*)$ - pattern-not-regex: func $.+$ MarshalJSON\( fix: func ($1) MarshalJSON($2) message: | Misspelling of MarshalJSON. languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.marshaljson.marshal-json-misspell shortlink: https://sg.run/NjZz semgrep.dev: rule: r_id: 20527 rv_id: 833057 rule_id: r6UjJB version_id: K3TrqG4 url: https://semgrep.dev/playground/r/K3TrqG4/dgryski.semgrep-go.marshaljson.marshal-json-misspell origin: community - id: dgryski.semgrep-go.marshaljson.marshal-json-pointer-receiver patterns: - pattern-either: - pattern: func ($T *$TYPE) MarshalJSON() ($DATA []byte, $ERR error) - pattern: func ($T *$TYPE) MarshalJSON() ([]byte, error) message: 'MarshalJSON with a pointer receiver has surprising results: https://github.com/golang/go/issues/22967' languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.marshaljson.marshal-json-pointer-receiver shortlink: https://sg.run/L0po semgrep.dev: rule: r_id: 10683 rv_id: 833056 rule_id: ZqUqJd version_id: 0bTwbe5 url: https://semgrep.dev/playground/r/0bTwbe5/dgryski.semgrep-go.marshaljson.marshal-json-pointer-receiver origin: community - id: dgryski.semgrep-go.marshaljson.unmarshal-json-misspell pattern-either: - patterns: - pattern-regex: (?i)func $(.+)$ unmarshal[l]?json$(.*)$ - pattern-not-regex: func $.+$ UnmarshalJSON$ fix: func ($1) UnmarshalJSON($2) message: | Misspelling of UnmarshalJSON. languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.marshaljson.unmarshal-json-misspell shortlink: https://sg.run/kDj2 semgrep.dev: rule: r_id: 20528 rv_id: 833058 rule_id: bwULgW version_id: qkTQnBb url: https://semgrep.dev/playground/r/qkTQnBb/dgryski.semgrep-go.marshaljson.unmarshal-json-misspell origin: community - id: dgryski.semgrep-go.marshalyaml.marshal-yaml-misspell pattern-either: - patterns: - pattern-regex: (?i)func \((.+)$ marshal[l]?yaml$(.*)$ - pattern-not-regex: func $.+$ MarshalYAML$ fix: func ($1) MarshalYAML($2) message: | Misspelling of MarshalYAML. languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.marshalyaml.marshal-yaml-misspell shortlink: https://sg.run/w4gP semgrep.dev: rule: r_id: 20529 rv_id: 833059 rule_id: NbUep0 version_id: l4TyO68 url: https://semgrep.dev/playground/r/l4TyO68/dgryski.semgrep-go.marshalyaml.marshal-yaml-misspell origin: community - id: dgryski.semgrep-go.marshalyaml.unmarshal-yaml-misspell pattern-either: - patterns: - pattern-regex: (?i)func \((.+)$ unmarshal[l]?yaml$(.*)$ - pattern-not-regex: func $.+$ UnmarshalYAML\( fix: func ($1) UnmarshalYAML($2) message: | Misspelling of UnmarshalYAML. languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.marshalyaml.unmarshal-yaml-misspell shortlink: https://sg.run/xPgg semgrep.dev: rule: r_id: 20530 rv_id: 833060 rule_id: kxUOyy version_id: YDTl0nA url: https://semgrep.dev/playground/r/YDTl0nA/dgryski.semgrep-go.marshalyaml.unmarshal-yaml-misspell origin: community - id: dgryski.semgrep-go.mathbits.use-math-bits patterns: - pattern-either: - pattern: $X >> $N | $X << (8 - $N) - pattern: $X << $N | $X >> (8 - $N) - pattern: $X >> (8 - $N) | $X << $N - pattern: $X << (8 - $N) | $X >> $N - pattern: $X >> $N | $X << (16 - $N) - pattern: $X << $N | $X >> (16 - $N) - pattern: $X >> (16 - $N) | $X << $N - pattern: $X << (16 - $N) | $X >> $N - pattern: $X >> $N | $X << (32 - $N) - pattern: $X << $N | $X >> (32 - $N) - pattern: $X >> (32 - $N) | $X << $N - pattern: $X << (32 - $N) | $X >> $N - pattern: $X >> $N | $X << (64 - $N) - pattern: $X << $N | $X >> (64 - $N) - pattern: $X >> (64 - $N) | $X << $N - pattern: $X << (64 - $N) | $X >> $N message: Try using math/bits instead languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.mathbits.use-math-bits shortlink: https://sg.run/4xd7 semgrep.dev: rule: r_id: 8700 rv_id: 833061 rule_id: 6JUjAN version_id: 6xTDgQD url: https://semgrep.dev/playground/r/6xTDgQD/dgryski.semgrep-go.mathbits.use-math-bits origin: community - id: dgryski.semgrep-go.nilerr.return-nil-err patterns: - pattern-either: - pattern: | if err == nil { return err } - pattern: | if err == nil { return ..., err } message: return nil err instead of nil value languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.nilerr.return-nil-err shortlink: https://sg.run/84kN semgrep.dev: rule: r_id: 39184 rv_id: 833063 rule_id: 0oU6pk version_id: zyTWJDl url: https://semgrep.dev/playground/r/zyTWJDl/dgryski.semgrep-go.nilerr.return-nil-err origin: community - id: dgryski.semgrep-go.oddbitwise.odd-bitwise patterns: - pattern-either: - pattern: $X | $X - pattern: $X | ^$X - pattern: ^$X | $X - pattern: $X & $X - pattern: $X & ^$X - pattern: ^$X & $X - pattern: $X &^ $X message: Odd bitwise expression languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddbitwise.odd-bitwise shortlink: https://sg.run/5Qdk semgrep.dev: rule: r_id: 8703 rv_id: 833065 rule_id: pKUOqD version_id: 2KT7x33 url: https://semgrep.dev/playground/r/2KT7x33/dgryski.semgrep-go.oddbitwise.odd-bitwise origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-eq-zero patterns: - pattern: $X - $Y == 0 fix: $X == $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-eq-zero shortlink: https://sg.run/gBG0 semgrep.dev: rule: r_id: 39185 rv_id: 833066 rule_id: KxUOwB version_id: X0T5N2z url: https://semgrep.dev/playground/r/X0T5N2z/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-eq-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gte-zero patterns: - pattern: $X - $Y >= 0 fix: $X >= $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gte-zero shortlink: https://sg.run/Jpwy semgrep.dev: rule: r_id: 39190 rv_id: 833071 rule_id: 5rUYNW version_id: rxTDz4G url: https://semgrep.dev/playground/r/rxTDz4G/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gte-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gt-zero patterns: - pattern: $X - $Y > 0 fix: $X > $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gt-zero shortlink: https://sg.run/PGPz semgrep.dev: rule: r_id: 39189 rv_id: 833070 rule_id: JDUZob version_id: yeTN1Ze url: https://semgrep.dev/playground/r/yeTN1Ze/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-gt-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lte-zero patterns: - pattern: $X - $Y <= 0 fix: $Y >= $X message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lte-zero shortlink: https://sg.run/4gk5 semgrep.dev: rule: r_id: 39188 rv_id: 833069 rule_id: PeUnj9 version_id: 9lTJ05q url: https://semgrep.dev/playground/r/9lTJ05q/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lte-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lt-zero patterns: - pattern: $X - $Y < 0 fix: $Y > $X message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lt-zero shortlink: https://sg.run/31QK semgrep.dev: rule: r_id: 39187 rv_id: 833068 rule_id: lBUNXK version_id: 1QTPL7E url: https://semgrep.dev/playground/r/1QTPL7E/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-lt-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-subtract-neq-zero patterns: - pattern: $X - $Y != 0 fix: $X != $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-neq-zero shortlink: https://sg.run/QRJZ semgrep.dev: rule: r_id: 39186 rv_id: 833067 rule_id: qNUKpP version_id: jQTrXyB url: https://semgrep.dev/playground/r/jQTrXyB/dgryski.semgrep-go.oddcompare.odd-comparison-subtract-neq-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-xor-eq-zero patterns: - pattern: $X ^ $Y == 0 fix: $X == $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-xor-eq-zero shortlink: https://sg.run/5nZ0 semgrep.dev: rule: r_id: 39191 rv_id: 833072 rule_id: GdUWo1 version_id: bZTBe94 url: https://semgrep.dev/playground/r/bZTBe94/dgryski.semgrep-go.oddcompare.odd-comparison-xor-eq-zero origin: community - id: dgryski.semgrep-go.oddcompare.odd-comparison-xor-neq-zero patterns: - pattern: $X ^ $Y != 0 fix: $X != $Y message: Odd comparison languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompare.odd-comparison-xor-neq-zero shortlink: https://sg.run/G6bq semgrep.dev: rule: r_id: 39192 rv_id: 833073 rule_id: ReUw2j version_id: NdTB2o5 url: https://semgrep.dev/playground/r/NdTB2o5/dgryski.semgrep-go.oddcompare.odd-comparison-xor-neq-zero origin: community - id: dgryski.semgrep-go.oddcompound.odd-compound-expression patterns: - pattern-either: - pattern: $X += $X + $Y - pattern: $X += $X - $Y - pattern: $X -= $X + $Y - pattern: $X -= $X - $Y message: Odd compound += or -= expression languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddcompound.odd-compound-expression shortlink: https://sg.run/RoNY semgrep.dev: rule: r_id: 8705 rv_id: 833074 rule_id: X5U8oq version_id: kbT2lL9 url: https://semgrep.dev/playground/r/kbT2lL9/dgryski.semgrep-go.oddcompound.odd-compound-expression origin: community - id: dgryski.semgrep-go.oddifsequence.odd-sequence-ifs patterns: - pattern-either: - pattern: | if $X { return ... } if $X { ... } - pattern: | if ! $X { return ... } if $X { ... } - pattern: | if $X { return ... } if ! $X { ... } - pattern: | if $X == $Y { return ... } if $X != $Y { ... } - pattern: | if $X != $Y { return ... } if $X == $Y { ... } - pattern: | if $X { return ... } for $X { ... } - pattern: | if $X { break } if $X { ... } - pattern: | if ! $X { break } if $X { ... } - pattern: | if $X { break } if ! $X { ... } - pattern: | if $X == $Y { break } if $X != $Y { ... } - pattern: | if $X != $Y { break } if $X == $Y { ... } - pattern: | if $X { break } for $X { ... } - pattern: | if $X { continue } if $X { ... } - pattern: | if ! $X { continue } if $X { ... } - pattern: | if $X { continue } if ! $X { ... } - pattern: | if $X == $Y { continue } if $X != $Y { ... } - pattern: | if $X != $Y { continue } if $X == $Y { ... } - pattern: | if $X { continue } for $X { ... } - pattern: | if $X { if $X { ... } ... } - pattern: | if $X { if ! $X { ... } ... } - pattern: | if ! $X { if $X { ... } ... } - pattern: | if $X == $Y { if $X != $Y { ... } ... } - pattern: | if $X != $Y { if $X == $Y { ... } ... } - pattern: | if $X { for ! $X { ... } ... } - pattern: | if ! $X { for $X { ... } ... } - pattern: | if $X == $Y { for $X != $Y { ... } ... } - pattern: | if $X != $Y { for $X == $Y { ... } ... } - pattern: | for $X { if $X { ... } ... } - pattern: | for $X { if ! $X { ... } ... } - pattern: | for ! $X { if $X { ... } ... } - pattern: | for $X == $Y { if $X != $Y { ... } ... } - pattern: | for $X != $Y { if $X == $Y { ... } ... } message: Odd sequence of ifs languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oddifsequence.odd-sequence-ifs shortlink: https://sg.run/AvnQ semgrep.dev: rule: r_id: 8706 rv_id: 833075 rule_id: j2UvLx version_id: w8TAxDq url: https://semgrep.dev/playground/r/w8TAxDq/dgryski.semgrep-go.oddifsequence.odd-sequence-ifs origin: community - id: dgryski.semgrep-go.oserrors.os-error-is-exist patterns: - pattern: os.IsExist($ERR) fix: errors.Is($ERR, fs.ErrExist) message: New code should use errors.Is with the appropriate error type languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oserrors.os-error-is-exist shortlink: https://sg.run/Rl2O semgrep.dev: rule: r_id: 28393 rv_id: 833077 rule_id: lBUJb6 version_id: O9TJWdK url: https://semgrep.dev/playground/r/O9TJWdK/dgryski.semgrep-go.oserrors.os-error-is-exist origin: community - id: dgryski.semgrep-go.oserrors.os-error-is-not-exist patterns: - pattern: os.IsNotExist($ERR) fix: errors.Is($ERR, fs.ErrNotExist) message: New code should use errors.Is with the appropriate error type languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oserrors.os-error-is-not-exist shortlink: https://sg.run/ApJp semgrep.dev: rule: r_id: 28394 rv_id: 833078 rule_id: YGUZ5Z version_id: e1TDk32 url: https://semgrep.dev/playground/r/e1TDk32/dgryski.semgrep-go.oserrors.os-error-is-not-exist origin: community - id: dgryski.semgrep-go.oserrors.os-error-is-permission patterns: - pattern: os.IsPermission($ERR) fix: errors.Is($ERR, fs.ErrPermission) message: New code should use errors.Is with the appropriate error type languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oserrors.os-error-is-permission shortlink: https://sg.run/Bp3W semgrep.dev: rule: r_id: 28395 rv_id: 833079 rule_id: 6JU238 version_id: vdTOz8w url: https://semgrep.dev/playground/r/vdTOz8w/dgryski.semgrep-go.oserrors.os-error-is-permission origin: community - id: dgryski.semgrep-go.oserrors.os-error-is-timeout patterns: - pattern: os.IsTimeout(...) message: New code should use errors.Is with the appropriate error type languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.oserrors.os-error-is-timeout shortlink: https://sg.run/DxRY semgrep.dev: rule: r_id: 28396 rv_id: 833080 rule_id: oqUbvL version_id: d6TKGvo url: https://semgrep.dev/playground/r/d6TKGvo/dgryski.semgrep-go.oserrors.os-error-is-timeout origin: community - id: dgryski.semgrep-go.unixnano.not-before patterns: - pattern: $T1.UnixNano() >= $T2.UnixNano() message: | unless checking for wall clock inconsistencies, use !$T1.Before($T2) languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.unixnano.not-before shortlink: https://sg.run/ZeNA semgrep.dev: rule: r_id: 10979 rv_id: 833089 rule_id: kxURpQ version_id: 3ZT3Ar1 url: https://semgrep.dev/playground/r/3ZT3Ar1/dgryski.semgrep-go.unixnano.not-before origin: community - id: generic.dockerfile.missing-zypper-no-confirm-switch.missing-zypper-no-confirm-switch severity: WARNING languages: - dockerfile patterns: - pattern: | RUN ... zypper install ... - pattern-not: | RUN ... zypper install ... -y ... - pattern-not: | RUN ... zypper install ... --no-confirm ... message: This 'zypper install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch. metadata: source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3034 references: - https://github.com/hadolint/hadolint/wiki/DL3034 category: best-practice technology: - dockerfile license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/generic.dockerfile.missing-zypper-no-confirm-switch.missing-zypper-no-confirm-switch shortlink: https://sg.run/R5vK semgrep.dev: rule: r_id: 20149 rv_id: 945287 rule_id: BYUKJE version_id: xyTqnqr url: https://semgrep.dev/playground/r/xyTqnqr/generic.dockerfile.missing-zypper-no-confirm-switch.missing-zypper-no-confirm-switch origin: community paths: include: - '*dockerfile*' - '*Dockerfile*' - id: dgryski.semgrep-go.ctx-time.ctx-done-and-timers patterns: - pattern-either: - pattern: | select { case <-ctx.Done(): $BODY case <-time.After(...): $BODY } - pattern: | $T := time.NewTicker(...) ... select { case <-ctx.Done(): $BODY case <-$T.C: $BODY } message: ctx.Done() and time.After/time.NewTicker languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.ctx-time.ctx-done-and-timers shortlink: https://sg.run/AKXB semgrep.dev: rule: r_id: 31306 rv_id: 833035 rule_id: 0oUG2Z version_id: JdTlrpB url: https://semgrep.dev/playground/r/JdTlrpB/dgryski.semgrep-go.ctx-time.ctx-done-and-timers origin: community - id: generic.secrets.gitleaks.dropbox-long-lived-api-token.dropbox-long-lived-api-token message: A gitleaks dropbox-long-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-long-lived-api-token.dropbox-long-lived-api-token shortlink: https://sg.run/56WX semgrep.dev: rule: r_id: 44703 rv_id: 1262720 rule_id: pKUR69 version_id: X0TzyAg url: https://semgrep.dev/playground/r/X0TzyAg/generic.secrets.gitleaks.dropbox-long-lived-api-token.dropbox-long-lived-api-token origin: community patterns: - pattern-regex: (?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token message: A gitleaks dropbox-short-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token shortlink: https://sg.run/G0e2 semgrep.dev: rule: r_id: 44704 rv_id: 1262721 rule_id: 2ZUnbl version_id: jQTn5wr url: https://semgrep.dev/playground/r/jQTn5wr/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token origin: community patterns: - pattern-regex: (?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(sl\.[a-z0-9\-=_]{135})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: gitlab.bandit.B101 languages: - python message: | The application was found using `assert` in non-test code. Usually reserved for debug and test code, the `assert` function is commonly used to test conditions before continuing execution. However, enclosed code will be removed when compiling Python code to optimized byte code. Depending on the assertion and subsequent logic, this could lead to undefined behavior of the application or application crashes. To remediate this issue, remove the `assert` calls. If necessary, replace them with either `if` conditions or `try/except` blocks. Example using `try/except` instead of `assert`: ``` # Below try/except is equal to the assert statement of: # assert user.is_authenticated(), "user must be authenticated" try: if not user.is_authenticated(): raise AuthError("user must be authenticated") except AuthError as e: # Handle error # ... # Return, do not continue processing return ``` metadata: cwe: CWE-754 category: security shortDescription: Improper check for unusual or exceptional conditions owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Info primary_identifier: bandit.B101 secondary_identifiers: - name: Bandit Test ID B101 type: bandit_test_id value: B101 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B101 shortlink: https://sg.run/yzWA semgrep.dev: rule: r_id: 11524 rv_id: 920076 rule_id: KxU4lp version_id: rxTjvjK url: https://semgrep.dev/playground/r/rxTjvjK/gitlab.bandit.B101 origin: community patterns: - pattern: assert(...) - pattern-not-inside: | import pytest ... - pattern-not-inside: | import unittest ... severity: INFO - id: gitlab.find_sec_bugs_kotlin.BAD_HEXA_CONVERSION-1 languages: - kotlin message: | When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. metadata: shortDescription: Incorrect type conversion or cast cwe: CWE-704 category: security confidence: HIGH owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: find_sec_bugs.BAD_HEXA_CONVERSION-1 secondary_identifiers: - name: Find Security Bugs-BAD_HEXA_CONVERSION type: find_sec_bugs_type value: BAD_HEXA_CONVERSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.BAD_HEXA_CONVERSION-1 shortlink: https://sg.run/5r5Nl semgrep.dev: rule: r_id: 144347 rv_id: 920438 rule_id: 2ZUzyNk version_id: NdTeRrg url: https://semgrep.dev/playground/r/NdTeRrg/gitlab.find_sec_bugs_kotlin.BAD_HEXA_CONVERSION-1 origin: community severity: WARNING patterns: - pattern-inside: | $B_ARR = ($MD: java.security.MessageDigest).digest(...); ... - pattern-either: - pattern: | for($B in $B_ARR) { ... $B_TOSTR } - pattern: | while(...) { ... $B_TOSTR } - pattern: | do { ... $B_TOSTR } while(...) - metavariable-pattern: metavariable: $B_TOSTR patterns: - pattern-either: - pattern: java.lang.Integer.toHexString($B_TOINT) - pattern: Integer.toHexString($B_TOINT) - pattern: $B_TOINT.toHexString(...) - metavariable-pattern: metavariable: $B_TOINT pattern-either: - pattern: $B_ARR[...].toInt() - pattern: $B_ARR[...] - pattern: $B.toInt() - pattern: $B - id: gitlab.find_sec_bugs_kotlin.DANGEROUS_PERMISSION_COMBINATION-1 languages: - kotlin message: | Do not grant dangerous combinations of permissions. metadata: shortDescription: Improper privilege management category: security cwe: CWE-269 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control confidence: HIGH security-severity: MEDIUM primary_identifier: find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION-1 secondary_identifiers: - name: Find Security Bugs-DANGEROUS_PERMISSION_COMBINATION type: find_sec_bugs_type value: DANGEROUS_PERMISSION_COMBINATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.DANGEROUS_PERMISSION_COMBINATION-1 shortlink: https://sg.run/gx36y semgrep.dev: rule: r_id: 144341 rv_id: 920432 rule_id: lBU4kqe version_id: jQTwjJE url: https://semgrep.dev/playground/r/jQTwjJE/gitlab.find_sec_bugs_kotlin.DANGEROUS_PERMISSION_COMBINATION-1 origin: community severity: WARNING patterns: - pattern-either: - patterns: - pattern-inside: | $PC = $X.getPermissions(...) ... - pattern: $PC.add($PERMISSION) - pattern: | $REFVAR = $PERMISSION ...; ($PC: PermissionCollection).add($REFVAR) - pattern: '($PC: PermissionCollection).add($PERMISSION)' - metavariable-pattern: metavariable: $PERMISSION pattern-either: - pattern: ReflectPermission("suppressAccessChecks") - pattern: RuntimePermission("createClassLoader") - id: gitlab.find_sec_bugs_kotlin.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 pattern: java.sql.DriverManager.getConnection($URI, $USR, "...") message: | A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Use of hard-coded password category: security cwe: CWE-259 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - kotlin security-severity: Critical primary_identifier: find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 secondary_identifiers: - name: Find Security Bugs-DMI_CONSTANT_DB_PASSWORD type: find_sec_bugs_type value: DMI_CONSTANT_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 shortlink: https://sg.run/7KRN4 semgrep.dev: rule: r_id: 144338 rv_id: 920429 rule_id: 0oULNkq version_id: pZTbDAY url: https://semgrep.dev/playground/r/pZTbDAY/gitlab.find_sec_bugs_kotlin.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 origin: community languages: - kotlin - id: gitlab.find_sec_bugs_kotlin.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 pattern: java.sql.DriverManager.getConnection($URI, $USR, ""); message: | The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Missing authentication for critical function (database) category: security cwe: CWE-306 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - kotlin security-severity: Critical primary_identifier: find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 secondary_identifiers: - name: Find Security Bugs-DMI_EMPTY_DB_PASSWORD type: find_sec_bugs_type value: DMI_EMPTY_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 shortlink: https://sg.run/L1bq7 semgrep.dev: rule: r_id: 144339 rv_id: 920430 rule_id: KxUvE9Q version_id: 2KTdOEq url: https://semgrep.dev/playground/r/2KTdOEq/gitlab.find_sec_bugs_kotlin.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 origin: community languages: - kotlin - id: gitlab.find_sec_bugs_kotlin.EXTERNAL_CONFIG_CONTROL-1 languages: - kotlin message: | Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. severity: WARNING metadata: shortDescription: External control of system or configuration setting category: security cwe: CWE-15 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.EXTERNAL_CONFIG_CONTROL-1 secondary_identifiers: - name: Find Security Bugs-EXTERNAL_CONFIG_CONTROL type: find_sec_bugs_type value: EXTERNAL_CONFIG_CONTROL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.EXTERNAL_CONFIG_CONTROL-1 shortlink: https://sg.run/DbpGW semgrep.dev: rule: r_id: 144352 rv_id: 920443 rule_id: yyURlbK version_id: e1TZKGz url: https://semgrep.dev/playground/r/e1TZKGz/gitlab.find_sec_bugs_kotlin.EXTERNAL_CONFIG_CONTROL-1 origin: community patterns: - metavariable-pattern: metavariable: $GET_PARAMETER pattern-either: - pattern: '($REQ: HttpServletRequest).getParameter' - pattern: '($REQ: HttpServletRequest?)?.getParameter' - metavariable-pattern: metavariable: $SET_CATALOG pattern-either: - pattern: '($CONN: java.sql.Connection).setCatalog' - pattern: '($CONN: java.sql.Connection?)?.setCatalog' - pattern: |- $TAINTED = $GET_PARAMETER(...) ... $SET_CATALOG($TAINTED) - id: gitlab.find_sec_bugs_kotlin.FORMAT_STRING_MANIPULATION-1 languages: - kotlin message: | Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or leak information.Attackers may be able to modify the format string argument, such that an exception is thrown. If this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is used within the unused arguments, attackers may change the format string to reveal this information. metadata: shortDescription: Use of externally-controlled format string cwe: CWE-134 category: security confidence: HIGH owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.FORMAT_STRING_MANIPULATION-1 secondary_identifiers: - name: Find Security Bugs-FORMAT_STRING_MANIPULATION type: find_sec_bugs_type value: FORMAT_STRING_MANIPULATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.FORMAT_STRING_MANIPULATION-1 shortlink: https://sg.run/GdjB1 semgrep.dev: rule: r_id: 144348 rv_id: 920439 rule_id: X5UQDe1 version_id: kbTOPej url: https://semgrep.dev/playground/r/kbTOPej/gitlab.find_sec_bugs_kotlin.FORMAT_STRING_MANIPULATION-1 origin: community severity: ERROR patterns: - pattern-either: - patterns: - pattern-inside: | $INPUT = ($REQ: HttpServletRequest).getParameter(...) ... - pattern-inside: | $FORMAT_STR = ... + $INPUT ... - patterns: - pattern-inside: | $INPUT = ($REQ: HttpServletRequest).getParameter(...) ... - pattern-inside: | $FORMAT_STR = ... + $INPUT + ... ... - pattern-inside: | $FORMAT_STR = ... + ($REQ: HttpServletRequest).getParameter(...) + ... ... - pattern-inside: | $FORMAT_STR = ... + ($REQ: HttpServletRequest).getParameter(...) ... - pattern-either: - pattern: String.format($FORMAT_STR, ...) - pattern: String.format(java.util.Locale.$LOCALE, $FORMAT_STR, ...) - patterns: - pattern-inside: | $F = java.util.Formatter(...) ... - pattern-either: - pattern: $F.format($FORMAT_STR, ...) - pattern: $F.format(java.util.Locale.$LOCALE, $FORMAT_STR, ...) - pattern: '($F: java.io.PrintStream).printf($FORMAT_STR, ...)' - pattern: '($F: java.io.PrintStream).printf(java.util.Locale.$LOCALE, $FORMAT_STR, ...)' - pattern: '($F: java.io.PrintStream).format($FORMAT_STR, ...)' - pattern: '($F: java.io.PrintStream).format(java.util.Locale.$LOCALE, $FORMAT_STR, ...)' - pattern: System.out.printf($FORMAT_STR, ...) - pattern: System.out.printf(java.util.Locale.$LOCALE, $FORMAT_STR, ...) - pattern: System.out.format($FORMAT_STR, ...) - pattern: System.out.format(java.util.Locale.$LOCALE, $FORMAT_STR, ...) - id: gitlab.find_sec_bugs_kotlin.HARD_CODE_PASSWORD-1 languages: - kotlin message: | A potential hard-coded password was identified in the source code. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Use of hard-coded password category: security cwe: CWE-259 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - kotlin security-severity: High primary_identifier: find_sec_bugs.HARD_CODE_PASSWORD-1 secondary_identifiers: - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HARD_CODE_PASSWORD-1 shortlink: https://sg.run/8GAN4 semgrep.dev: rule: r_id: 144340 rv_id: 920431 rule_id: qNU26gK version_id: X0TAKnb url: https://semgrep.dev/playground/r/X0TAKnb/gitlab.find_sec_bugs_kotlin.HARD_CODE_PASSWORD-1 origin: community pattern-either: - pattern: java.security.KeyStore.PasswordProtection("...".toCharArray()) - pattern: java.security.KeyStore.getInstance(...).load(..., "...".toCharArray()) - pattern: '($KS: java.security.KeyStore).load(..., "...".toCharArray())' - pattern: KeyManagerFactory.getInstance(...).init(..., "...".toCharArray()) - pattern: '($KMF: KeyManagerFactory).init(..., "...".toCharArray())' - pattern: PBEKeySpec("...", ...) - pattern: PasswordAuthentication("...", "...") - pattern: '($CB: PasswordCallback).setPassword("...")' - pattern: KerberosKey(...,"...",...) - pattern: java.sql.DriverManager.getConnection(..., "...") - pattern: io.vertx.ext.web.handler.CSRFHandler.create(..., "...") - pattern: $S.setPassword("...") - id: dgryski.semgrep-go.sortslice.bad-sort-slice-function patterns: - pattern-either: - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$I] < $SLICE[$I] }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$J] < $SLICE[$I] }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$I].$FIELD < $SLICE[$I].$FIELD }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$J].$FIELD < $SLICE[$J].$FIELD }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$I] > $SLICE[$I] }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$J] > $SLICE[$I] }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$I].$FIELD > $SLICE[$I].$FIELD }) - pattern: | sort.Slice($SLICE, func($I, $J int) bool { return $SLICE[$J].$FIELD > $SLICE[$J].$FIELD }) message: Maybe bad sort.Slice() less function languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.sortslice.bad-sort-slice-function shortlink: https://sg.run/qx3R semgrep.dev: rule: r_id: 8712 rv_id: 833085 rule_id: NbUkED version_id: LjTEbA8 url: https://semgrep.dev/playground/r/LjTEbA8/dgryski.semgrep-go.sortslice.bad-sort-slice-function origin: community - id: dgryski.semgrep-go.writestring.use-fprintf-not-write-fsprint patterns: - pattern: $W.Write([]byte(fmt.Sprintf($...VALS))) message: use fmt.Fprintf($W, $...VALS) instead of fmt.Sprintf and []byte conversion languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.writestring.use-fprintf-not-write-fsprint shortlink: https://sg.run/0BKr semgrep.dev: rule: r_id: 28598 rv_id: 833092 rule_id: oqUb8x version_id: JdTlrvJ url: https://semgrep.dev/playground/r/JdTlrvJ/dgryski.semgrep-go.writestring.use-fprintf-not-write-fsprint origin: community - id: dgryski.semgrep-go.writestring.use-writer-not-writestring patterns: - pattern: io.WriteString($W, string($VAR)) message: use $W.Write($VAR) instead of io.WriteString when $VAR is []byte languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.writestring.use-writer-not-writestring shortlink: https://sg.run/YveD semgrep.dev: rule: r_id: 8714 rv_id: 833090 rule_id: wdUJv6 version_id: 44TQP6O url: https://semgrep.dev/playground/r/44TQP6O/dgryski.semgrep-go.writestring.use-writer-not-writestring origin: community - id: dgryski.semgrep-go.wrongerrcall.maybe-wrong-err patterns: - pattern-either: - pattern: | if $F.Err() != nil { return ..., <... err ...> } - pattern: | if $F.Err() != nil { return <... err ...> } message: maybe returning wrong error languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.wrongerrcall.maybe-wrong-err shortlink: https://sg.run/6npW semgrep.dev: rule: r_id: 8715 rv_id: 833093 rule_id: x8Un1A version_id: 5PTyDe6 url: https://semgrep.dev/playground/r/5PTyDe6/dgryski.semgrep-go.wrongerrcall.maybe-wrong-err origin: community - id: dgryski.semgrep-go.wronglock.wrong-lock-unlock patterns: - pattern-either: - pattern: | $M.Lock() defer $M.RUnlock() - pattern: | $M.RLock() defer $M.Unlock() - pattern: | $M.Lock() defer $M.Lock() - pattern: | $M.RLock() defer $M.RLock() message: Wrong lock/unlock pair? languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.wronglock.wrong-lock-unlock shortlink: https://sg.run/oxWx semgrep.dev: rule: r_id: 8716 rv_id: 833094 rule_id: OrU3r3 version_id: GxTDE8w url: https://semgrep.dev/playground/r/GxTDE8w/dgryski.semgrep-go.wronglock.wrong-lock-unlock origin: community - id: generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id message: A gitleaks messagebird-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id shortlink: https://sg.run/YRg4 semgrep.dev: rule: r_id: 44758 rv_id: 1262787 rule_id: oqUGzK version_id: 3ZT4XO8 url: https://semgrep.dev/playground/r/3ZT4XO8/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id origin: community patterns: - pattern-regex: (?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: gitlab.bandit.B102 languages: - python message: "The application was found calling the `exec` function with a non-literal variable. If the\nvariable comes from user-supplied input, an adversary could compromise the entire system by\nexecuting arbitrary python code.\n\nTo remediate this issue, remove all calls to `exec` and consider alternative methods for\nexecuting the necessary business logic. There is almost no safe method of calling `eval` \nwith user-supplied input.\n\nIf the application only needs to convert strings into objects, consider using `json.loads`.\nIn some cases `ast.literal_eval` is recommended, but this should be avoided as it can still\nsuffer from other issues such as the ability for malicious code to crash the python\ninterpreter or application.\n\nExample using `json.loads`` to load in arbitrary data to create data structures:\n```\n# User supplied data as a blob of JSON\nuser_supplied_data = \"\"\"{\"user\": \"test\", \"metadata\": [1,2,3]}\"\"\"\n# Load the JSON\nuser_object = json.loads(user_supplied_data)\n# Manually add protected properties _after_ loading, never before\nuser_object[\"is_admin\"] = False\n# Work with the object\n```\n" metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') security-severity: High primary_identifier: bandit.B102 secondary_identifiers: - name: Bandit Test ID B102 type: bandit_test_id value: B102 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B102 shortlink: https://sg.run/rAJJ semgrep.dev: rule: r_id: 11525 rv_id: 920109 rule_id: qNUoNN version_id: YDTYbvj url: https://semgrep.dev/playground/r/YDTYbvj/gitlab.bandit.B102 origin: community patterns: - pattern: exec(...) - pattern-not: exec("...") severity: WARNING - id: gitlab.bandit.B103 languages: - python message: | The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file: - 0400 - read only access to the file - 0200 - write only access to the file - 0600 - read/write access to the file Example creating a file with read/write permissions for the application user: ``` # Use octal values to set 0o600 (read/write access to the file) for the current # user os.chmod('somefile.txt', 0o600) ``` For all other values please see: https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation metadata: shortDescription: Incorrect permission assignment for critical resource cwe: CWE-732 category: security owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium primary_identifier: bandit.B103 secondary_identifiers: - name: Bandit Test ID B103 type: bandit_test_id value: B103 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B103 shortlink: https://sg.run/bDNv semgrep.dev: rule: r_id: 11526 rv_id: 920118 rule_id: lBUd5P version_id: 0bTp31b url: https://semgrep.dev/playground/r/0bTp31b/gitlab.bandit.B103 origin: community patterns: - pattern: os.chmod(...,$MASK) - metavariable-regex: metavariable: $MASK regex: (0x..f|0o..[2,3,7]|stat.S_IXGRP|stat.S_IWOTH) severity: WARNING - id: gitlab.bandit.B104 languages: - python message: | Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. By passing "0.0.0.0", "::" or an empty string as the address to the `socket.bind` function, the application will bind to all interfaces. Consider passing in the interface ip address through an environment variable, configuration file, or by determining the primary interface(s) IP address. Example getting the IP address from an environment variable `IP_ADDRESS`: ``` # Get the IP_ADDRESS env variable, or bind to # 127.0.0.1 if it is not set address = os.getenv("IP_ADDRESS", "127.0.0.1") # Create an internet socket sock = socket.socket(socket.AF_INET) # Set the port to listen on port = 9777 # Bind to the address and port combination sock.bind((address, port)) # Listen for connections sock.listen() # Handle the connection ``` patterns: - pattern-either: - pattern: | $S = socket.socket(...) ... $S.bind(("0.0.0.0", ...)) - pattern: | $S = socket.socket(...) ... $S.bind(("::", ...)) - pattern: | $S = socket.socket(...) ... $S.bind(("", ...)) metadata: cwe: CWE-200 category: security owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration shortDescription: Exposure of sensitive information to an unauthorized actor security-severity: Low primary_identifier: bandit.B104 secondary_identifiers: - name: Bandit Test ID B104 type: bandit_test_id value: B104 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B104 shortlink: https://sg.run/NrBN semgrep.dev: rule: r_id: 11527 rv_id: 920077 rule_id: YGUroX version_id: bZTLoLd url: https://semgrep.dev/playground/r/bZTLoLd/gitlab.bandit.B104 origin: community severity: INFO - id: gitlab.bandit.B201 languages: - python message: | The Flask application is running with `debug=True` configured. By enabling this option, certain exceptions or errors could cause sensitive information to be leaked in HTTP responses. Additionally, it is not recommended to run a Flask application using `Flask.run(...)` in production. Instead, a WSGI server such as [gunicorn](https://flask.palletsprojects.com/en/2.3.x/deploying/gunicorn/) or [waitress](https://flask.palletsprojects.com/en/2.3.x/deploying/waitress/) be used instead. For more information on deployment options for Flask applications see: - https://flask.palletsprojects.com/en/2.3.x/deploying/ metadata: cwe: CWE-489 category: security owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration shortDescription: Active debug code security-severity: Medium primary_identifier: bandit.B201 secondary_identifiers: - name: Bandit Test ID B201 type: bandit_test_id value: B201 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B201 shortlink: https://sg.run/eK4b semgrep.dev: rule: r_id: 11876 rv_id: 920120 rule_id: oqUrz7 version_id: qkTpw47 url: https://semgrep.dev/playground/r/qkTpw47/gitlab.bandit.B201 origin: community patterns: - pattern-inside: | import flask ... - pattern: $APP.run(..., debug=True, ...) severity: WARNING - id: gitlab.bandit.B301-1 languages: - python message: | The application was found using `pickle` which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment: ``` import jsonschema # Create a schema to validate our user-supplied input against # an intermediary object intermediary_schema = { "type" : "object", "properties" : { "name": {"type" : "string"} }, "required": ["name"], # Protect against random properties being added to the object "additionalProperties": False, } # If a user attempted to add "'is_admin': True" it would cause a validation error intermediary_object = {'name': 'test user'} try: # Validate the user supplied intermediary object against our schema jsonschema.validate(instance=intermediary_object, schema=intermediary_schema) user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with the user_object except jsonschema.exceptions.ValidationError as ex: # Gracefully handle validation errors # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B301-1 secondary_identifiers: - name: Bandit Test ID B301 type: bandit_test_id value: B301 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B301-1 shortlink: https://sg.run/v20A semgrep.dev: rule: r_id: 11877 rv_id: 920102 rule_id: zdU1y5 version_id: BjTKL1v url: https://semgrep.dev/playground/r/BjTKL1v/gitlab.bandit.B301-1 origin: community patterns: - pattern-either: - patterns: - pattern: pickle.$METHOD(...) - pattern-not: pickle.$METHOD("...") - patterns: - pattern: _pickle.$METHOD(...) - pattern-not: _pickle.$METHOD("...") - metavariable-regex: metavariable: $METHOD regex: (load|loads|Unpickler) severity: WARNING - id: gitlab.bandit.B301-2 languages: - python message: | The application was found using `cPickle` which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment: ``` import jsonschema # Create a schema to validate our user-supplied input against # an intermediary object intermediary_schema = { "type" : "object", "properties" : { "name": {"type" : "string"} }, "required": ["name"], # Protect against random properties being added to the object "additionalProperties": False, } # If a user attempted to add "'is_admin': True" it would cause a validation error intermediary_object = {'name': 'test user'} try: # Validate the user supplied intermediary object against our schema jsonschema.validate(instance=intermediary_object, schema=intermediary_schema) user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with the user_object except jsonschema.exceptions.ValidationError as ex: # Gracefully handle validation errors # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B301-2 secondary_identifiers: - name: Bandit Test ID B301 type: bandit_test_id value: B301 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B301-2 shortlink: https://sg.run/d0gZ semgrep.dev: rule: r_id: 11878 rv_id: 920099 rule_id: pKUwGl version_id: GxToXPq url: https://semgrep.dev/playground/r/GxToXPq/gitlab.bandit.B301-2 origin: community pattern: cPickle.$FUNC(...) severity: WARNING - id: gitlab.bandit.B301-3 languages: - python message: | The application was found using `dill` which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment: ``` import jsonschema # Create a schema to validate our user-supplied input against # an intermediary object intermediary_schema = { "type" : "object", "properties" : { "name": {"type" : "string"} }, "required": ["name"], # Protect against random properties being added to the object "additionalProperties": False, } # If a user attempted to add "'is_admin': True" it would cause a validation error intermediary_object = {'name': 'test user'} try: # Validate the user supplied intermediary object against our schema jsonschema.validate(instance=intermediary_object, schema=intermediary_schema) user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with the user_object except jsonschema.exceptions.ValidationError as ex: # Gracefully handle validation errors # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B301-3 secondary_identifiers: - name: Bandit Test ID B301 type: bandit_test_id value: B301 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B301-3 shortlink: https://sg.run/dgZ0 semgrep.dev: rule: r_id: 11534 rv_id: 920100 rule_id: j2UqZR version_id: RGT2xAE url: https://semgrep.dev/playground/r/RGT2xAE/gitlab.bandit.B301-3 origin: community pattern-either: - pattern: dill.$FUNC(...) severity: WARNING - id: gitlab.bandit.B301-4 languages: - python message: | The application was found using `shelve` which is vulnerable to deserialization attacks as it calls `pickle` internally. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment: ``` import jsonschema # Create a schema to validate our user-supplied input against # an intermediary object intermediary_schema = { "type" : "object", "properties" : { "name": {"type" : "string"} }, "required": ["name"], # Protect against random properties being added to the object "additionalProperties": False, } # If a user attempted to add "'is_admin': True" it would cause a validation error intermediary_object = {'name': 'test user'} try: # Validate the user supplied intermediary object against our schema jsonschema.validate(instance=intermediary_object, schema=intermediary_schema) user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with the user_object except jsonschema.exceptions.ValidationError as ex: # Gracefully handle validation errors # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B301-4 secondary_identifiers: - name: Bandit Test ID B301 type: bandit_test_id value: B301 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B301-4 shortlink: https://sg.run/Zer4 semgrep.dev: rule: r_id: 11535 rv_id: 920103 rule_id: 10UZxd version_id: DkT2yNv url: https://semgrep.dev/playground/r/DkT2yNv/gitlab.bandit.B301-4 origin: community pattern-either: - pattern: shelve.$FUNC(...) severity: WARNING - id: gitlab.bandit.B302 languages: - python message: | The application was found using `dill` which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Example JSON deserializer using an intermediary type that is validated against a schema to ensure it is safe from mass assignment: ``` import jsonschema # Create a schema to validate our user-supplied input against # an intermediary object intermediary_schema = { "type" : "object", "properties" : { "name": {"type" : "string"} }, "required": ["name"], # Protect against random properties being added to the object "additionalProperties": False, } # If a user attempted to add "'is_admin': True" it would cause a validation error intermediary_object = {'name': 'test user'} try: # Validate the user supplied intermediary object against our schema jsonschema.validate(instance=intermediary_object, schema=intermediary_schema) user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with the user_object except jsonschema.exceptions.ValidationError as ex: # Gracefully handle validation errors # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B302 secondary_identifiers: - name: Bandit Test ID B302 type: bandit_test_id value: B302 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B302 shortlink: https://sg.run/ZkeD semgrep.dev: rule: r_id: 11879 rv_id: 920101 rule_id: 2ZUK4W version_id: A8TNlJ0 url: https://semgrep.dev/playground/r/A8TNlJ0/gitlab.bandit.B302 origin: community pattern-either: - pattern: marshal.dump(...) - pattern: marshal.dumps(...) - pattern: marshal.load(...) - pattern: marshal.loads(...) severity: WARNING - id: gitlab.bandit.B304-5 languages: - python message: | DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-5 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-5 shortlink: https://sg.run/8nvQ semgrep.dev: rule: r_id: 11540 rv_id: 920081 rule_id: NbUAOd version_id: xyTdrd4 url: https://semgrep.dev/playground/r/xyTdrd4/gitlab.bandit.B304-5 origin: community patterns: - pattern-either: - pattern: Cryptodome.Cipher.ARC2.new(...) - pattern: Crypto.Cipher.ARC2.new severity: WARNING - id: gitlab.bandit.B304-6 languages: - python message: | DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-6 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-6 shortlink: https://sg.run/gJ75 semgrep.dev: rule: r_id: 11541 rv_id: 920082 rule_id: kxURAL version_id: O9Tv7v0 url: https://semgrep.dev/playground/r/O9Tv7v0/gitlab.bandit.B304-6 origin: community patterns: - pattern-either: - pattern: Cryptodome.Cipher.ARC4.new(...) - pattern: Crypto.Cipher.ARC4.new(...) severity: WARNING - id: gitlab.bandit.B304-7 languages: - python message: | The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in 1993. Smaller key sizes may make the ciphertext vulnerable to [birthday attacks](https://en.wikipedia.org/wiki/Birthday_attack). While no known attacks against Blowfish exist, it should never be used to encrypt files over 4GB in size. If possible consider using ChaCha20Poly1305 or AES-GCM instead of Blowfish. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-7 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-7 shortlink: https://sg.run/Q8oq semgrep.dev: rule: r_id: 11542 rv_id: 920079 rule_id: wdU82R version_id: kbTOPOq url: https://semgrep.dev/playground/r/kbTOPOq/gitlab.bandit.B304-7 origin: community patterns: - pattern-either: - pattern: Cryptodome.Cipher.Blowfish.new(...) - pattern: Crypto.Cipher.Blowfish.new(...) severity: WARNING - id: gitlab.bandit.B304-8 languages: - python message: | DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-8 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-8 shortlink: https://sg.run/3AkW semgrep.dev: rule: r_id: 11543 rv_id: 920080 rule_id: x8UWB8 version_id: w8Tkbke url: https://semgrep.dev/playground/r/w8Tkbke/gitlab.bandit.B304-8 origin: community patterns: - pattern-either: - pattern: Cryptodome.Cipher.DES.new(...) - pattern: Crypto.Cipher.DES.new(...) severity: WARNING - id: gitlab.bandit.B304-9 languages: - python message: | The application was found using the `xor` algorithm, which can be trivially decoded. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-9 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-9 shortlink: https://sg.run/4yw9 semgrep.dev: rule: r_id: 11544 rv_id: 920083 rule_id: OrUG0Q version_id: e1TZKZ7 url: https://semgrep.dev/playground/r/e1TZKZ7/gitlab.bandit.B304-9 origin: community patterns: - pattern-either: - pattern: Cryptodome.Cipher.XOR.new(...) - pattern: Crypto.Cipher.XOR.new(...) severity: WARNING - id: gitlab.bandit.B306 languages: - python message: | The application was found creating temporary files with the insecure `mktemp` method. Depending on how the application uses this temporary file, an attacker may be able to create symlinks that point to other files prior to the application creating or writing to the target file, leading to unintended files being created or overwritten. To remediate this issue consider using `tempfile.TemporaryFile` instead. Example using `tempfile.TemporaryFile` to write a file: ``` import tempfile # Open a new temporary file using a context manager with tempfile.TemporaryFile() as fp: # Write some data to the temporary file fp.write(b'Some data') # Seek back to beginning of file fp.seek(0) # Read it data = fp.read() # File is automatically closed/removed once we exit the with context ``` For more information on alternative tempfile functions see: - https://docs.python.org/3/library/tempfile.html metadata: cwe: CWE-377 category: security owasp: - A3:2017-Sensitive Data Exposure - A01:2021-Broken Access Control shortDescription: Insecure temporary file security-severity: Medium primary_identifier: bandit.B306 secondary_identifiers: - name: Bandit Test ID B306 type: bandit_test_id value: B306 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B306 shortlink: https://sg.run/Pp6v semgrep.dev: rule: r_id: 11545 rv_id: 920135 rule_id: eqUvdb version_id: NdTeRdN url: https://semgrep.dev/playground/r/NdTeRdN/gitlab.bandit.B306 origin: community pattern: tempfile.mktemp(...) severity: ERROR - id: gitlab.bandit.B307 languages: - python message: "The application was found calling the `eval` function with non-literal data. If the variable contains \nuser-controlled data, either partially or fully, an adversary could compromise the entire system by \nexecuting arbitrary Python code.\n\nTo remediate this issue, remove all calls to `eval` and consider alternative methods for executing \nthe necessary business logic. There is almost no safe method of calling `eval` with user-supplied input.\n\nIf the application only needs to convert strings into objects, consider using `json.loads`. In \nsome cases `ast.literal_eval` is recommended, but this should be avoided as it can still suffer \nfrom other issues such as the ability for malicious code to crash the python interpreter or application.\n\nExample using `json.loads`` to load in arbitrary data to create data structures:\n```\n# User supplied data as a blob of JSON\nuser_supplied_data = \"\"\"{\"user\": \"test\", \"metadata\": [1,2,3]}\"\"\"\n# Load the JSON\nuser_object = json.loads(user_supplied_data)\n# Manually add protected properties _after_ loading, never before\nuser_object[\"is_admin\"] = False\n# Work with the object\n```\n" patterns: - pattern: eval($X,...) - pattern-not: | eval("...") - pattern-not: | eval("..." % <... "..." ...>) - pattern-not: | eval(<... "...".format( "..." ) ...>) - pattern-not-inside: | def eval(...): ... ... metadata: cwe: CWE-95 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') security-severity: High primary_identifier: bandit.B307 secondary_identifiers: - name: Bandit Test ID B307 type: bandit_test_id value: B307 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B307 shortlink: https://sg.run/J3WP semgrep.dev: rule: r_id: 11546 rv_id: 920108 rule_id: v8U5kd version_id: l4TXDxq url: https://semgrep.dev/playground/r/l4TXDxq/gitlab.bandit.B307 origin: community severity: WARNING - id: gitlab.bandit.B310-1 languages: - python message: | The application was found passing in a non-literal value to the `urllib` methods which issue requests. `urllib` supports the `file://` scheme, which may allow an adversary who can control the URL value to read arbitrary files on the file system. To remediate this issue either hardcode the URLs being used in urllib or use the `requests` module instead. Example using the `requests` module to issue an HTTPS request: ``` import requests # Issue a GET request to https://example.com with a timeout of 10 seconds response = requests.get('https://example.com', timeout=10) # Work with the response object # ... ``` patterns: - pattern-either: - patterns: - pattern-either: - pattern: urllib.$METHOD(...) - pattern: urllib.request.$METHOD(...) - pattern-not: urllib.$METHOD("...") - pattern-not: urllib.request.$METHOD("...") - pattern-not: urllib.$METHOD("...", ...) - pattern-not: urllib.request.$METHOD("...", ...) - metavariable-regex: metavariable: $METHOD regex: (urlopen|urlretrieve) - patterns: - pattern-either: - pattern-inside: | $OPENER = urllib.URLopener(...) ... - pattern-inside: | $OPENER = urllib.request.URLopener(...) ... - pattern-inside: | $OPENER = urllib.FancyURLopener(...) ... - pattern-inside: | $OPENER = urllib.request.FancyURLopener(...) ... - pattern-either: - pattern: $OPENER.open(...) - pattern: $OPENER.retrieve(...) - pattern-not: $OPENER.open("...") - pattern-not: $OPENER.retrieve("...") metadata: cwe: CWE-939 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper authorization in handler for custom URL scheme security-severity: Medium category: security primary_identifier: bandit.B310-1 secondary_identifiers: - name: Bandit Test ID B310 type: bandit_test_id value: B310 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B310-1 shortlink: https://sg.run/R8zN semgrep.dev: rule: r_id: 11549 rv_id: 920136 rule_id: nJUYed version_id: kbTOPx6 url: https://semgrep.dev/playground/r/kbTOPx6/gitlab.bandit.B310-1 origin: community severity: WARNING - id: gitlab.bandit.B311 languages: - python message: | Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `secrets` module be used instead. Example using the secrets module: ``` import secrets # Generate a secure random 64 byte array random_bytes = secrets.token_bytes(64) print(random_bytes) # Generate a secure random 64 byte array as a hex string random_bytes_hex = secrets.token_hex(64) # Generate a secure random 64 byte array base64 encoded for use in URLs random_string = secrets.token_urlsafe(64) ``` For more information on the `secrets` module see: - https://docs.python.org/3/library/secrets.html metadata: cwe: CWE-330 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of insufficiently random values security-severity: Medium primary_identifier: bandit.B311 secondary_identifiers: - name: Bandit Test ID B311 type: bandit_test_id value: B311 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B311 shortlink: https://sg.run/B4PR semgrep.dev: rule: r_id: 11551 rv_id: 920123 rule_id: 7KUe7J version_id: 6xTyXxd url: https://semgrep.dev/playground/r/6xTyXxd/gitlab.bandit.B311 origin: community pattern-either: - pattern: random.random(...) - pattern: random.randrange(...) - pattern: random.randint(...) - pattern: random.choice(...) - pattern: random.uniform(...) - pattern: random.triangular(...) severity: INFO - id: gitlab.bandit.B324 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Example using `hashlib.sha384()` to create a SHA384 hash: ``` import hashlib # Create a SHA384 digest digest = hashlib.sha384() # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes digest.digest() ``` metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B324 secondary_identifiers: - name: Bandit Test ID B324 type: bandit_test_id value: B324 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B324 shortlink: https://sg.run/Wg1E semgrep.dev: rule: r_id: 11553 rv_id: 920097 rule_id: 8GUE2O version_id: JdToRDv url: https://semgrep.dev/playground/r/JdToRDv/gitlab.bandit.B324 origin: community patterns: - pattern-either: - pattern: hashlib.new("=~/[M|m][D|d][4|5]/", ...) - pattern: hashlib.new(..., name="=~/[M|m][D|d][4|5]/", ...) - pattern: hashlib.new('sha1') - pattern: hashlib.new(..., name='SHA1') - pattern: hashlib.new('sha', string='test') - pattern: hashlib.new(name='SHA', string='test') severity: WARNING - id: gitlab.bandit.B401 languages: - python message: | The application was found using a telnet library. As telnet does not provide encryption, it is strongly recommended that communications use a more secure transport such as SSH. The [paramiko](https://www.paramiko.org/) library can be used to initiate SSH connections. Example using `paramiko` SSH client: ``` import paramiko import scp # Create an SSH client with paramiko.SSHClient() as ssh: # Load the system host keys so we can confirm the # host we are connecting to is legitimate ssh.load_system_host_keys('/home/appuser/.ssh/known_hosts') # Connect to the remote host using our SSH private key ssh.connect(hostname='example.org', port=22, username='appuser', key_filename='/home/appuser/.ssh/private_key') # Work with the connection ``` For more information on the paramiko module see: - https://www.paramiko.org/ metadata: cwe: CWE-319 category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures shortDescription: Cleartext transmission of sensitive information security-severity: Medium primary_identifier: bandit.B401 secondary_identifiers: - name: Bandit Test ID B401 type: bandit_test_id value: B401 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B401 shortlink: https://sg.run/0nrw semgrep.dev: rule: r_id: 11554 rv_id: 920133 rule_id: gxUW4o version_id: rxTjvLk url: https://semgrep.dev/playground/r/rxTjvLk/gitlab.bandit.B401 origin: community patterns: - pattern: import telnetlib severity: ERROR - id: gitlab.bandit.B413 languages: - python message: | The application was detected importing `pycrypto`. This package has been deprecated as it contains security vulnerabilities. To remediate this issue, consider using the [cryptography](https://cryptography.io/) package instead. metadata: cwe: CWE-1104 owasp: - A9:2017-Using Components with Known Vulnerabilities - A02:2021-Cryptographic Failures category: security shortDescription: Use of unmaintained third party components security-severity: Medium primary_identifier: bandit.B413 secondary_identifiers: - name: Bandit Test ID B413 type: bandit_test_id value: B413 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B413 shortlink: https://sg.run/okGX semgrep.dev: rule: r_id: 11560 rv_id: 920098 rule_id: 5rU45b version_id: 5PTNG9o url: https://semgrep.dev/playground/r/5PTNG9o/gitlab.bandit.B413 origin: community pattern-either: - pattern: import pycryto - pattern: import Crypto.Cipher - pattern: import Crypto.Hash - pattern: import Crypto.IO - pattern: import Crypto.Protocol - pattern: import Crypto.PublicKey - pattern: import Crypto.Random - pattern: import Crypto.Signature - pattern: import Crypto.Util severity: ERROR - id: gitlab.bandit.B501 languages: - python message: | The application was found using the `requests` module without configuring a timeout value for connections. The `verify=False` argument has been set, which effectively disables the validation of server certificates. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. To remediate this issue either remove the `verify=False` argument, or set `verify=True`to each `requests` call. Example verifying server certificates for an HTTP GET request: ``` # Issue a GET request to https://example.com with a timeout of 10 seconds and verify the # server certificate explicitly. response = requests.get('https://example.com', timeout=10, verify=True) # Work with the response object # ... ``` For more information on using the requests module see: - https://requests.readthedocs.io/en/latest/api/ metadata: cwe: CWE-295 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures category: security shortDescription: Improper certificate validation security-severity: Medium primary_identifier: bandit.B501 secondary_identifiers: - name: Bandit Test ID B501 type: bandit_test_id value: B501 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B501 shortlink: https://sg.run/zk6n semgrep.dev: rule: r_id: 11561 rv_id: 920129 rule_id: GdU0wd version_id: jQTwjYg url: https://semgrep.dev/playground/r/jQTwjYg/gitlab.bandit.B501 origin: community patterns: - pattern-either: - pattern: requests.put(..., verify=False, ...) - pattern: requests.patch(..., verify=False, ...) - pattern: requests.delete(..., verify=False, ...) - pattern: requests.head(..., verify=False, ...) - pattern: requests.options(..., verify=False, ...) - pattern: requests.request(..., verify=False, ...) - pattern: requests.get(..., verify=False, ...) - pattern: requests.post(..., verify=False, ...) severity: ERROR - id: gitlab.bandit.B504 languages: - python message: | The application was found calling `ssl.wrap_socket` without a TLS protocol version specified. Additionally, `ssl.wrap_socket` has been deprecated since Python 3.7. It is strongly recommended that newer applications use TLS 1.2 or 1.3 and `SSLContext.wrap_socket`. To remediate this issue, create a new TLS context and pass in `ssl.PROTOCOL_TLS_CLIENT` for clients or `ssl.PROTOCOL_TLS_SERVER` for servers to the `ssl.SSLContext(...)` `protocol=` argument. When converting the socket to a TLS socket, use the new `SSLContext.wrap_socket` method instead. Example creating a TLS 1.3 client socket connection by using a newer version of Python (3.11.4) and the SSL module: ``` import ssl import socket # Create our initial socket with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: # Connect the socket sock.connect(('www.example.org', 443)) # Create a new SSLContext with protocol set to ssl.PROTOCOL_TLS_CLIENT # This will auto-select the highest grade TLS protocol version (1.3) context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT) # Load our a certificates for server certificate authentication context.load_verify_locations('cert.pem') # Create our TLS socket, and validate the server hostname matches with context.wrap_socket(sock, server_hostname="www.example.org") as tls_sock: # Send some bytes over the socket (HTTP request in this case)\ data = bytes('GET / HTTP/1.1\r\nHost: example.org\r\n\r\n', 'utf-8') sent_bytes = tls_sock.send(data) # Validate number of sent bytes # ... # Read the response resp = tls_sock.recv() # Work with the response # ... ``` For more information on the ssl module see: - https://docs.python.org/3/library/ssl.html metadata: cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures shortDescription: Inadequate encryption strength security-severity: Medium category: security primary_identifier: bandit.B504 secondary_identifiers: - name: Bandit Test ID B504 type: bandit_test_id value: B504 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B504 shortlink: https://sg.run/2bNr semgrep.dev: rule: r_id: 11563 rv_id: 920130 rule_id: AbUWYl version_id: 1QT4NYz url: https://semgrep.dev/playground/r/1QT4NYz/gitlab.bandit.B504 origin: community patterns: - pattern: ssl.wrap_socket() severity: WARNING - id: gitlab.bandit.B505-1 languages: - python message: | The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While 1024-bit RSA keys have not been factored yet, advances in compute may make it possible in the near future. Consider upgrading to the newer asymmetric algorithm such as `X25519` which handles the complexities of generating key pairs and choosing correct key sizes for you: ``` from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey # Generate a private key for use in the exchange. private_key = X25519PrivateKey.generate() # Work with private key/exchange with a peer's # public key to created a shared and derived key # ... ``` Otherwise use a key size greater than 2048 when generating RSA keys: ``` from cryptography.hazmat.primitives.asymmetric import rsa # Generate a private key of 4096 bits private_key = rsa.generate_private_key( # do not change the exponent value from 65537 public_exponent=65537, key_size=4096, ) # Work with the private key to sign/encrypt data # ... ``` For more information on using the cryptography module see: - https://cryptography.io/en/latest metadata: cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Inadequate encryption strength security-severity: Medium primary_identifier: bandit.B505-1 secondary_identifiers: - name: Bandit Test ID B505 type: bandit_test_id value: B505 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B505-1 shortlink: https://sg.run/XL9j semgrep.dev: rule: r_id: 11564 rv_id: 920084 rule_id: BYUBYZ version_id: vdTvQGr url: https://semgrep.dev/playground/r/vdTvQGr/gitlab.bandit.B505-1 origin: community patterns: - pattern-either: - pattern: | cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(...,key_size=$SIZE,...) - pattern: | cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($EXP, $SIZE,...) - pattern: | cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($SIZE, ...) - pattern: | cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(...,key_size=$SIZE,...) - pattern: | cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($EXP, $SIZE, ...) - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE,...) - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...) - pattern: Crypto.PublicKey.DSA.generate($SIZE, ...) - pattern: Cryptodome.PublicKey.DSA.generate($SIZE, ...) - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...) - pattern: Crypto.PublicKey.DSA.generate(bits=$SIZE, ...) - pattern: Cryptodome.PublicKey.DSA.generate(bits=$SIZE, ...) - pattern: pycrypto_rsa.generate(bits=$SIZE, ...) - pattern: pycrypto_dsa.generate(bits=$SIZE, ...) - pattern: pycryptodomex_rsa.generate(bits=$SIZE, ...) - pattern: pycryptodomex_rsa.generate($SIZE, ...) - pattern: pycryptodomex_dsa.generate(bits=$SIZE, ...) - pattern: pycryptodomex_dsa.generate($SIZE, ...) - metavariable-comparison: comparison: $SIZE < 2048 metavariable: $SIZE severity: ERROR - id: gitlab.bandit.B505-2 languages: - python message: | The application was found using an insufficient curve size for the Elliptical Cryptography (EC) asymmetric algorithm. NIST recommends using a key size of 224 or greater. To remediate this issue, replace the current key size with `ec.SECP384R1`, Example using `ec.SECP384R1`: ``` from cryptography.hazmat.primitives.asymmetric import ec # Generate an EC private key using SECP384R1 private_key = ec.generate_private_key( ec.SECP384R1() ) # Work with/sign data using the key # ... ``` For more information on the cryptography module's EC section see: - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/ metadata: cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Inadequate encryption strength security-severity: Medium primary_identifier: bandit.B505-2 secondary_identifiers: - name: Bandit Test ID B505 type: bandit_test_id value: B505 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B505-2 shortlink: https://sg.run/jNgP semgrep.dev: rule: r_id: 11565 rv_id: 920085 rule_id: DbUW8j version_id: d6T6gPr url: https://semgrep.dev/playground/r/d6T6gPr/gitlab.bandit.B505-2 origin: community patterns: - pattern-inside: cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(...) - pattern: cryptography.hazmat.primitives.asymmetric.ec.$SIZE - metavariable-pattern: metavariable: $SIZE pattern-either: - pattern: SECP192R1 - pattern: SECT163K1 - pattern: SECT163R2 - focus-metavariable: $SIZE severity: ERROR - id: solidity.performance.init-variables-with-default-value.init-variables-with-default-value message: Uninitialized variables are assigned with the types default value. Explicitly initializing a variable with its default value costs unnecessary gas. metadata: references: - https://github.com/byterocket/c4-common-issues/blob/main/0-Gas-Optimizations.md/#g001---dont-initialize-variables-with-default-value category: performance technology: - solidity license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/solidity.performance.init-variables-with-default-value.init-variables-with-default-value shortlink: https://sg.run/Ne5N semgrep.dev: rule: r_id: 67627 rv_id: 946588 rule_id: 6JUgLp version_id: pZTNOr2 url: https://semgrep.dev/playground/r/pZTNOr2/solidity.performance.init-variables-with-default-value.init-variables-with-default-value origin: community patterns: - pattern-either: - pattern: $TYPE $VAR = 0; - pattern: $TYPE $VAR = false; - pattern: $TYPE $VAR = ""; - pattern: $TYPE $VAR = ''; - pattern-not: $TYPE constant $VAR = ...; - pattern-not-inside: | contract $C { ... $TYPE immutable $VAR = ...; ... } - pattern-not-inside: | function $F(...) { ... } languages: - solidity severity: INFO - id: generic.secrets.gitleaks.sumologic-access-token.sumologic-access-token message: A gitleaks sumologic-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.sumologic-access-token.sumologic-access-token shortlink: https://sg.run/KY8X semgrep.dev: rule: r_id: 44799 rv_id: 1262839 rule_id: lBU3z8 version_id: 7ZTE3o2 url: https://semgrep.dev/playground/r/7ZTE3o2/generic.secrets.gitleaks.sumologic-access-token.sumologic-access-token origin: community patterns: - pattern-regex: (?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: ruby.lang.security.missing-csrf-protection.missing-csrf-protection patterns: - pattern: | class $CONTROLLER < ActionController::Base ... end - pattern-not: | class $CONTROLLER < ActionController::Base ... protect_from_forgery :with => :exception end - pattern-not: | class $CONTROLLER < ActionController::Base ... protect_from_forgery prepend: true, with: :exception end message: Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class. severity: ERROR metadata: cwe: - 'CWE-352: Cross-Site Request Forgery (CSRF)' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown category: security technology: - ruby references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection shortlink: https://sg.run/XLel semgrep.dev: rule: r_id: 9720 rv_id: 1263612 rule_id: r6UkO5 version_id: 5PTo1WY url: https://semgrep.dev/playground/r/5PTo1WY/ruby.lang.security.missing-csrf-protection.missing-csrf-protection origin: community languages: - ruby - id: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure metadata: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER category: security technology: - java references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure shortlink: https://sg.run/J96Q semgrep.dev: rule: r_id: 9190 rv_id: 1263056 rule_id: lBU9Gj version_id: WrTqKGK url: https://semgrep.dev/playground/r/WrTqKGK/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure origin: community message: It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself. severity: WARNING languages: - java pattern-either: - pattern: | class XSSRequestWrapper extends HttpServletRequestWrapper { ... } - pattern: |- $P = $X.compile("", $X.CASE_INSENSITIVE); $V = $P.matcher(...).replaceAll(""); - id: ruby.lang.security.md5-used-as-password.md5-used-as-password languages: - ruby severity: WARNING message: It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem. metadata: category: security technology: - md5 references: - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords - https://github.com/returntocorp/semgrep-rules/issues/1609 owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password shortlink: https://sg.run/GOZy semgrep.dev: rule: r_id: 14704 rv_id: 1263611 rule_id: oqU4p2 version_id: JdTzx0e url: https://semgrep.dev/playground/r/JdTzx0e/ruby.lang.security.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: - pattern: Digest::MD5 pattern-sinks: - patterns: - pattern: $FUNCTION(...); - metavariable-regex: metavariable: $FUNCTION regex: (?i)(.*password.*) - id: terraform.gcp.security.gcp-bigquery-dataset-encrypted-with-cmk.gcp-bigquery-dataset-encrypted-with-cmk patterns: - pattern: | resource "google_bigquery_dataset" $ANYTHING { ... } - pattern-not-inside: | resource "google_bigquery_dataset" $ANYTHING { ... default_encryption_configuration { ... kms_key_name = ... ... } ... } message: "Ensure that BigQuery datasets are not anonymously or publicly accessible\t" metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://docs.bridgecrew.io/docs/google-cloud-policy-index subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-bigquery-dataset-encrypted-with-cmk.gcp-bigquery-dataset-encrypted-with-cmk shortlink: https://sg.run/WbdA semgrep.dev: rule: r_id: 32297 rv_id: 946899 rule_id: ZqUD0Q version_id: bZTXOw6 url: https://semgrep.dev/playground/r/bZTXOw6/terraform.gcp.security.gcp-bigquery-dataset-encrypted-with-cmk.gcp-bigquery-dataset-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: trailofbits.ruby.active-record-hardcoded-encryption-key.active-record-hardcoded-encryption-key message: | Found hardcoded ActiveRecord encryption key languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - rails - activerecord references: - https://guides.rubyonrails.org/active_record_encryption.html#supported-types license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.ruby.active-record-hardcoded-encryption-key.active-record-hardcoded-encryption-key shortlink: https://sg.run/ReqRe semgrep.dev: rule: r_id: 150305 rv_id: 943199 rule_id: pKU1781 version_id: 2KTYQLp url: https://semgrep.dev/playground/r/2KTYQLp/trailofbits.ruby.active-record-hardcoded-encryption-key.active-record-hardcoded-encryption-key origin: community pattern-either: - pattern: config.active_record.encryption.primary_key = "..." - pattern: config.active_record.encryption.primary_key = [..., "...", ...] - pattern: config.active_record.encryption.deterministic_key = "..." - pattern: config.active_record.encryption.deterministic_key = [..., "...", ...] - id: gitlab.bandit.B506 languages: - python message: | The application was found using an unsafe version of `yaml` load which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. To remediate this issue, use `safe_load()` or call `yaml.load()` with the `Loader` argument set to `yaml.SafeLoader`. Example loading YAML using `safe_load`: ``` import yaml # Use safe_load to load data into an intermediary object intermediary_object = yaml.safe_load("""user: name: 'test user'""" ) # Create our real object, copying over only the necessary fields user_object = {'user': { # Assign the deserialized data from intermediary object 'name': intermediary_object['user']['name'], # Add in protected data in object definition (or set it from a class constructor) 'is_admin': False, } } # Work with user_object # ... ``` For more details on deserialization attacks in general, see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html patterns: - pattern-inside: | import yaml ... - pattern-not-inside: | from ruamel.yaml import YAML ... - pattern-either: - pattern: yaml.unsafe_load(...) - pattern: yaml.$LD(..., Loader=yaml.$LOADER, ...) - pattern: yaml.$LD($DATA) - metavariable-regex: metavariable: $LOADER regex: (Loader|UnsafeLoader|CLoader|FullLoader) - metavariable-regex: metavariable: $LD regex: (load|load_all) metadata: cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures category: security shortDescription: Deserialization of untrusted data security-severity: High primary_identifier: bandit.B506 secondary_identifiers: - name: Bandit Test ID B506 type: bandit_test_id value: B506 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B506 shortlink: https://sg.run/1nb1 semgrep.dev: rule: r_id: 11566 rv_id: 920104 rule_id: WAUZx1 version_id: WrTYnE6 url: https://semgrep.dev/playground/r/WrTYnE6/gitlab.bandit.B506 origin: community severity: ERROR - id: gitlab.bandit.B601 languages: - python message: | Unverified SSL context detected. This will permit insecure connections without `verifyingSSL` certificates. Use `ssl.create_default_context()` instead. patterns: - pattern-inside: | import paramiko ... - pattern: $CLIENT.exec_command(...) metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B601 secondary_identifiers: - name: Bandit Test ID B601 type: bandit_test_id value: B601 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B601 shortlink: https://sg.run/9qdy semgrep.dev: rule: r_id: 11567 rv_id: 920113 rule_id: 0oUEOA version_id: RGT2xA7 url: https://semgrep.dev/playground/r/RGT2xA7/gitlab.bandit.B601 origin: community severity: WARNING - id: gitlab.bandit.B602 languages: - python patterns: - patterns: - pattern-not-inside: | ... $ARG = '...'.format('...') ... - pattern: subprocess.$FUNC($ARG, ...) - pattern-not: subprocess.$FUNC('...', ...) - pattern-not: subprocess.$FUNC('...' % '...', ...) - pattern-not: subprocess.$FUNC('...'.format('...'), ...) - pattern-either: - pattern: subprocess.$FUNC(..., shell=True, ...) - pattern: subprocess.$FUNC(..., shell=[$V, ...], ...) - pattern: 'subprocess.$FUNC(..., shell={$K: $V, ...}, ...)' - patterns: - pattern: subprocess.$FUNC(..., shell=$INTVAL, ...) - pattern-not: subprocess.$FUNC(..., shell=0, ...) - metavariable-regex: metavariable: $INTVAL regex: ^[0-9]+$ - patterns: - pattern: subprocess.$FUNC(..., shell='$STRVAL', ...) - pattern-not: subprocess.$FUNC(..., shell='', ...) message: | Found `subprocess` function `$FUNC` with `shell=True`. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use `shell=False` instead. metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B602 secondary_identifiers: - name: Bandit Test ID B602 type: bandit_test_id value: B602 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B602 shortlink: https://sg.run/yzYA semgrep.dev: rule: r_id: 11568 rv_id: 920116 rule_id: KxU4yp version_id: DkT2yNA url: https://semgrep.dev/playground/r/DkT2yNA/gitlab.bandit.B602 origin: community severity: ERROR - id: gitlab.bandit.B603 languages: - python message: | Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input. This plugin test is part of a family of tests built to check for process spawning and warn appropriately. Specifically, this test looks for the spawning of a subprocess without the use of a command shell. This type of subprocess invocation is not vulnerable to shell injection attacks, but care should still be taken to ensure validity of input. patterns: - pattern-not: subprocess.$FUNC($ARG, shell=<... True ...>) - pattern-not: subprocess.$FUNC($ARG, shell=<... 'True' ...>) - pattern-not: subprocess.$FUNC($ARG, shell=<... "True" ...>) - pattern-either: - pattern: | subprocess.$FUNC($ARG, shell=False) - pattern: | subprocess.$FUNC($ARG, shell=0) - pattern: | subprocess.$FUNC($ARG, shell={...}) - pattern: | subprocess.$FUNC($ARG, shell=[...]) - pattern: | subprocess.$FUNC($ARG) metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B603 secondary_identifiers: - name: Bandit Test ID B603 type: bandit_test_id value: B603 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B603 shortlink: https://sg.run/rABJ semgrep.dev: rule: r_id: 11569 rv_id: 920115 rule_id: qNUoqN version_id: BjTKL1R url: https://semgrep.dev/playground/r/BjTKL1R/gitlab.bandit.B603 origin: community severity: WARNING - id: gitlab.bandit.B604 languages: - python message: | subprocess call - check for execution of untrusted input patterns: - pattern-not: subprocess.$FUNC(..., shell=True, ...) - pattern: $FOO(..., shell=True, ...) metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B604 secondary_identifiers: - name: Bandit Test ID B604 type: bandit_test_id value: B604 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B604 shortlink: https://sg.run/bDvv semgrep.dev: rule: r_id: 11570 rv_id: 920117 rule_id: lBUdPP version_id: WrTYnE4 url: https://semgrep.dev/playground/r/WrTYnE4/gitlab.bandit.B604 origin: community severity: WARNING - id: gitlab.bandit.B605 languages: - python message: | Starting a process with a shell; seems safe, but may be changed in the future, consider rewriting without shell patterns: - pattern-either: - pattern: os.system(...) - pattern: os.popen(...) - pattern: os.popen2(...) - pattern: os.popen3(...) - pattern: os.popen4(...) - pattern: popen2.popen2(...) - pattern: popen2.popen3(...) - pattern: popen2.popen4(...) - pattern: popen2.Popen3(...) - pattern: popen2.Popen4(...) - pattern: commands.getoutput(...) - pattern: commands.getstatusoutput("") metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B605 secondary_identifiers: - name: Bandit Test ID B605 type: bandit_test_id value: B605 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B605 shortlink: https://sg.run/NrlN semgrep.dev: rule: r_id: 11571 rv_id: 920112 rule_id: YGUrPX version_id: GxToXP3 url: https://semgrep.dev/playground/r/GxToXP3/gitlab.bandit.B605 origin: community severity: INFO - id: gitlab.bandit.B606 languages: - python message: | Found dynamic content when spawning a process. This is dangerous if externaldata can reach this function call because it allows a malicious actor toexecute commands. Ensure no external data reaches here. patterns: - pattern-either: - patterns: - pattern-not: os.$W("...", ...) - pattern-either: - pattern: os.execl(...) - pattern: os.execle(...) - pattern: os.execlp(...) - pattern: os.execlpe(...) - pattern: os.execv(...) - pattern: os.execve(...) - pattern: os.execvp(...) - pattern: os.execvpe(...) - pattern: os.startfile(...) - patterns: - pattern-either: - pattern: os.spawnl(...) - pattern: os.spawnle(...) - pattern: os.spawnlp(...) - pattern: os.spawnlpe(...) - pattern: os.spawnv(...) - pattern: os.spawnve(...) - pattern: os.spawnvp(...) - pattern: os.spawnvpe(...) metadata: cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of special elements used in an OS Command ('OS Command Injection') security-severity: High category: security primary_identifier: bandit.B606 secondary_identifiers: - name: Bandit Test ID B606 type: bandit_test_id value: B606 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B606 shortlink: https://sg.run/kLQA semgrep.dev: rule: r_id: 11572 rv_id: 920114 rule_id: 6JUqpb version_id: A8TNlJD url: https://semgrep.dev/playground/r/A8TNlJD/gitlab.bandit.B606 origin: community severity: WARNING - id: gitlab.bandit.B608 languages: - python message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using `PreparedStatement` queries: ``` import sqlite3 # Create a new database (in memory) con = sqlite3.connect(":memory:") # Get a cursor from the connection cur = con.cursor() # Create a tuple of the value to be used in the parameterized query params = ('user-input',) # execute the statement, passing in the params for the value cur.execute("select name from sqlite_master where name = ?", params) # work with the result result = cur.fetchall() ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html metadata: cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of special elements used in an SQL Command ('SQL Injection') security-severity: High primary_identifier: bandit.B608 secondary_identifiers: - name: Bandit Test ID B608 type: bandit_test_id value: B608 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B608 shortlink: https://sg.run/xYry semgrep.dev: rule: r_id: 11574 rv_id: 920127 rule_id: zdUyPj version_id: 2KTdOYW url: https://semgrep.dev/playground/r/2KTdOYW/gitlab.bandit.B608 origin: community patterns: - metavariable-regex: metavariable: $QUERY regex: (?i)^(SELECT|INSERT|UPDATE|DELETE)\s - pattern-not: pattern-either: - pattern: $DB.execute("...") - pattern: $DB.execute("$QUERY" % "...") - pattern: $DB.execute("$QUERY" + "...") - pattern-either: - pattern: $DB.execute("$QUERY" % ...) - pattern: $DB.execute("$QUERY".format(...)) - pattern: $DB.execute(f"$QUERY") - pattern: $DB.execute("$QUERY" + ...) - patterns: - pattern-either: - pattern-inside: | ... $SQL = "$QUERY" % ... ... - pattern-inside: | ... $SQL = "$QUERY" + ... ... - pattern-inside: | ... $TMP = "$QUERY" ... $SQL = $TMP + "..." % ... ... - pattern-inside: | ... $SQL = "$QUERY" ... $SQL += ... ... - pattern-inside: | ... $SQL = "$QUERY".format(...) ... - pattern-inside: | ... $SQL = f"$QUERY" ... - pattern: $DB.execute($SQL) severity: WARNING - id: gitlab.bandit.B610 languages: - python message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to, or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. The `QuerySet.extra` API method will be deprecated as it a source of SQL Injection vulnerabilities and other problems. This method is especially risky as callers will need to do their own escaping of any parameters that come from user-supplied information. To remediate this issue, do not use `extra` but use other `QuerySet` methods to achieve the same goals. If for some reason this is not feasible, consider using the `RawSQL` method and making sure that all arguments, including user-supplied ones, are only used in `params` While not recommended due to [potential SQL Injection](https://docs.djangoproject.com/en/4.2/ref/models/expressions/#raw-sql-expressions), below is an example using `RawSQL`, passing in user-supplied data as a `param` which will escape the input: ``` # If dealing with integer based user input, restrict the values to integers only using the # path configuration: path('/someview/', views.some_view, name='someview'), # views.py def some_view(request, user_supplied_id): # Never use string interpolation in the `sql` parameter. # Never quote the `%s` string format such as `... where id='%s'` as this could lead to SQL Injection. # Pass the user supplied data only in the `params` parameter. for obj in DBObject.objects.all().annotate( val=RawSQL(sql="select id from some_secondary_table where id=%s", params=[user_supplied_id])): # Work with the results from the query # ... ``` For more information on QuerySet see: - https://docs.djangoproject.com/en/4.2/ref/models/querysets/#queryset-api For more information on SQL Injection see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html patterns: - pattern: $X.objects. ... .extra(..., $K = $V, ...) - pattern-not-inside: | $V = ['...'] ... - metavariable-pattern: metavariable: $V patterns: - pattern: $V - pattern-not: '[..., ''...'', ...]' - pattern-not: '{..., ''...'': ''...'', ...}' - pattern-not: '"..."' - pattern-not: '[..., "..." % "...", ...]' - pattern-not: '{..., $L: "..." % "...", ...}' - pattern-not: '{..., $L: "...".format("..."), ...}' - pattern-not: '[..., "...".format("..."), ...]' metadata: cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of special elements used in an SQL Command ('SQL Injection') security-severity: High primary_identifier: bandit.B610 secondary_identifiers: - name: Bandit Test ID B610 type: bandit_test_id value: B610 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B610 shortlink: https://sg.run/O1wk semgrep.dev: rule: r_id: 11575 rv_id: 920105 rule_id: pKUG96 version_id: 0bTp31Q url: https://semgrep.dev/playground/r/0bTp31Q/gitlab.bandit.B610 origin: community severity: WARNING - id: gitlab.bandit.B701 languages: - python message: | The application was found using Jinja2 `Environment` without autoescaping enabled. If using in the context of HTML this could lead to Cross-Site Scripting (XSS) attacks when rendering with user-supplied input. Unfortunately, Jinja2 does not support context-aware escaping, meaning it is insufficient to protect against XSS for the various web contexts. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. To handle different contexts, one approach would be to write custom Jinja2 filters. Below is an example that escapes or encodes links and potentially malicious script, note this does not include other contexts such as CSS or attributes: ``` from jinja2 import Environment, select_autoescape, FileSystemLoader from jinja2 import pass_eval_context from markupsafe import Markup, escape @pass_eval_context def escape_link(eval_ctx, value): bad_link = "#JinjatmplZ" # Block any values that start with // as that could be used to inject # links to third party pages see: https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL if value.startswith('//'): return bad_link # Only allow relative links # if you want to allow links that start with http or ws replace with below: # if not value.startswith('/'): and not value.startswith('http') and not value.startswith('ws') if not value.startswith('/'): return bad_link # Alternatively, you could only call escape if autoescape is true # if eval_ctx.autoescape: # return escape(value) # else # return value return escape(value) # Create a replacement table js_replacement = str.maketrans({ '"': "\\u0022", '`': "\\u0060", '&': "\\u0026", '\'': "\\u0027", '+': "\\u002b", '/': "\\/", '<': "\\u003c", '>': "\\u003e", '\\': "\\\\", '(': "\\u0028", ')': "\\u0029", }) @pass_eval_context def escape_js(eval_ctx, value): """ Escape the input for use in ", script_context="alert(1);alert`1`",) ) # Sample template: """ My Webpage
My Webpage
{{ html_context }} link """ ``` For more information on autoescape see: - https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping For more information on XSS see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html metadata: cwe: CWE-116 owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection category: security shortDescription: Improper encoding or escaping of output security-severity: Medium primary_identifier: bandit.B701 secondary_identifiers: - name: Bandit Test ID B701 type: bandit_test_id value: B701 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B701 shortlink: https://sg.run/v0j0 semgrep.dev: rule: r_id: 11577 rv_id: 920106 rule_id: X5UZBZ version_id: K3TwLJR url: https://semgrep.dev/playground/r/K3TwLJR/gitlab.bandit.B701 origin: community patterns: - pattern-not: jinja2.Environment(..., autoescape=True, ...) - pattern-not: jinja2.Environment(..., autoescape=jinja2.select_autoescape(...), ...) - pattern: jinja2.Environment(...) severity: WARNING - id: gitlab.bandit.B703 languages: - python message: | Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Consider using [format_html](https://docs.djangoproject.com/en/4.2/ref/utils/#django.utils.html.format_html) instead of the `django.utils.safestring` methods. Example using `format_html`: ``` # Use format_html to create an HTML link, using href as the parameter # which will be encoded automatically format_html("
Some Link
", href) ``` For more information on XSS see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html metadata: cwe: CWE-79 owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection category: security shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') security-severity: Medium primary_identifier: bandit.B703 secondary_identifiers: - name: Bandit Test ID B703 type: bandit_test_id value: B703 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B703 shortlink: https://sg.run/dgk0 semgrep.dev: rule: r_id: 11578 rv_id: 920146 rule_id: j2UqOR version_id: 7ZTbRoP url: https://semgrep.dev/playground/r/7ZTbRoP/gitlab.bandit.B703 origin: community patterns: - pattern-not-inside: django.utils.html.format_html(...) - pattern-either: - patterns: - pattern: django.utils.safestring.SafeText(...) - pattern-not: django.utils.safestring.SafeText("...") - patterns: - pattern: django.utils.safestring.SafeUnicode(...) - pattern-not: django.utils.safestring.SafeUnicode("...") - patterns: - pattern: django.utils.safestring.SafeString(...) - pattern-not: django.utils.safestring.SafeString("...") - patterns: - pattern: django.utils.safestring.SafeBytes(...) - pattern-not: django.utils.safestring.SafeBytes("...") - patterns: - pattern: django.utils.safestring.mark_safe(...) - pattern-not: django.utils.safestring.mark_safe("...") severity: WARNING - id: gitlab.eslint.detect-buffer-noassert languages: - javascript - typescript pattern-either: - pattern: $OBJ.readUInt8(..., true) - pattern: $OBJ.readUInt16LE(..., true) - pattern: $OBJ.readUInt16BE(..., true) - pattern: $OBJ.readUInt32LE(..., true) - pattern: $OBJ.readUInt32BE(..., true) - pattern: $OBJ.readInt8(..., true) - pattern: $OBJ.readInt16LE(..., true) - pattern: $OBJ.readInt16BE(..., true) - pattern: $OBJ.readInt32LE(..., true) - pattern: $OBJ.readInt32BE(..., true) - pattern: $OBJ.readFloatLE(..., true) - pattern: $OBJ.readFloatBE(..., true) - pattern: $OBJ.readDoubleLE(..., true) - pattern: $OBJ.readDoubleBE(..., true) - pattern: $OBJ.writeUInt8(..., true) - pattern: $OBJ.writeUInt16LE(..., true) - pattern: $OBJ.writeUInt16BE(..., true) - pattern: $OBJ.writeUInt32LE(..., true) - pattern: $OBJ.writeUInt32BE(..., true) - pattern: $OBJ.writeInt8(..., true) - pattern: $OBJ.writeInt16LE(..., true) - pattern: $OBJ.writeInt16BE(..., true) - pattern: $OBJ.writeInt32LE(..., true) - pattern: $OBJ.writeInt32BE(..., true) - pattern: $OBJ.writeFloatLE(..., true) - pattern: $OBJ.writeFloatBE(..., true) - pattern: $OBJ.writeDoubleLE(..., true) - pattern: $OBJ.writeDoubleBE(..., true) severity: WARNING message: | The application was found using `noAssert` when calling the Buffer API. The `noAssert` argument has been deprecated since Node 10. Calling the Buffer API with this argument allows the offset specified to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer and cause a segmentation fault, leading to the application crashing. To remediate this issue, remove the `true` argument when calling any of the Buffer read or write methods. The application should still handle `RangeError` exception cases where the offset is beyond the end of the buffer. Example reading from a Buffer without the `noAssert` argument and gracefully handling errors: ``` // Create a new buffer const buf = Buffer.from([1, 2, 3, 4]); try { // Read a single byte from it, starting at offset 1 const b = buf.readInt8(1); // Work with b } catch (e) { if (e instanceof RangeError) { console.log('Invalid offset: %s', e.message); } // handle other errors } ``` metadata: shortDescription: Improper restriction of operations within the bounds of a memory buffer cwe: CWE-119 category: security owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js security-severity: Medium primary_identifier: eslint.detect-buffer-noassert secondary_identifiers: - name: ESLint rule ID/detect-buffer-noassert type: eslint_rule_id value: detect-buffer-noassert license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-buffer-noassert shortlink: https://sg.run/E5WB semgrep.dev: rule: r_id: 11581 rv_id: 920147 rule_id: yyUvwN version_id: LjTzeQl url: https://semgrep.dev/playground/r/LjTzeQl/gitlab.eslint.detect-buffer-noassert origin: community - id: gitlab.eslint.detect-eval-with-expression languages: - javascript - typescript patterns: - pattern-either: - patterns: - pattern: | eval($OBJ) - pattern-not: | eval("...") - patterns: - pattern: | $A.eval($OBJ) - pattern-not: | $A.eval("...") - patterns: - pattern: | (..., eval)($OBJ) - pattern-not: | (..., eval)("...") - patterns: - pattern: | $ALIAS = eval; ... $ALIAS($OBJ) - pattern-not: | $ALIAS = eval; ... $ALIAS("...") - pattern: | new Function(..., "..." + $OBJ + "...") - pattern: | $BODY = "..." + $OBJ + "..." ... new Function(..., $BODY) - pattern: | new Function(..., `...${...}...`) - pattern: | $BODY = `...${...}...` ... new Function(..., $BODY) - pattern: | Function(..., "..." + $OBJ + "...") - pattern: | $BODY = "..." + $OBJ + "..." ... Function(..., $BODY) - pattern: | $BODY = `...${...}...` ... Function(..., $BODY) - pattern: | Function(..., `...${...}...`) - pattern: | setTimeout("..." + $OBJ + "...", ...) - pattern: | setTimeout(`...${...}...`, ...) - pattern: | setInterval("..." + $OBJ + "...", ...) - pattern: | setInterval(`...${...}...`, ...) - pattern-not: | setTimeout("...", ...) - pattern-not: | setInterval("...", ...) severity: WARNING message: | The application was found calling the `eval` function OR Function() constructor OR setTimeout() OR setInterval() methods. If the variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications. To remediate this issue, remove all calls to above methods and consider alternative methods for executing the necessary business logic. There is almost no safe method of calling `eval` or other above stated sinks with user-supplied input. Instead, consider alternative methods such as using property accessors to dynamically access values. Example using property accessors to dynamically access an object's property: ``` // Define an object const obj = {key1: 'value1', key2: 'value2'}; // Get key dynamically from user input const key = getUserInput(); // Check if the key exists in our object and return it, or a default empty string const value = (obj.hasOwnProperty(key)) ? obj[key] : ''; // Work with the value ``` For more information on why not to use `eval`, and alternatives see: - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval! Other References: - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function - https://developer.mozilla.org/en-US/docs/Web/API/setTimeout - https://developer.mozilla.org/en-US/docs/Web/API/setInterval metadata: cwe: CWE-95 shortDescription: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') category: security owasp: - A1:2017-Injection - A03:2021-Injection source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js security-severity: High primary_identifier: eslint.detect-eval-with-expression secondary_identifiers: - name: ESLint rule ID/detect-eval-with-expression type: eslint_rule_id value: detect-eval-with-expression license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-eval-with-expression shortlink: https://sg.run/ZeD4 semgrep.dev: rule: r_id: 11579 rv_id: 920150 rule_id: 10UZgd version_id: QkT1N0L url: https://semgrep.dev/playground/r/QkT1N0L/gitlab.eslint.detect-eval-with-expression origin: community - id: gitlab.eslint.detect-non-literal-fs-filename languages: - typescript - javascript patterns: - pattern-either: - pattern-inside: | import $MOD from $IMP ... - pattern-inside: | $MOD = require($IMP) ... - metavariable-comparison: metavariable: $IMP comparison: $IMP in ['fs', 'node:fs', 'fs/promises', 'node:fs/promises', 'fs-extra'] - pattern-not: $MOD.appendFile("...", ...) - pattern-not: $MOD.appendFileSync("...", ...) - pattern-not: $MOD.chmod("...", ...) - pattern-not: $MOD.chmodSync("...", ...) - pattern-not: $MOD.chown("...", ...) - pattern-not: $MOD.chownSync("...", ...) - pattern-not: $MOD.createReadStream("...", ...) - pattern-not: $MOD.createWriteStream("...", ...) - pattern-not: $MOD.exists("...", ...) - pattern-not: $MOD.existsSync("...", ...) - pattern-not: $MOD.lchmod("...", ...) - pattern-not: $MOD.lchmodSync("...", ...) - pattern-not: $MOD.lchown("...", ...) - pattern-not: $MOD.lchownSync("...", ...) - pattern-not: $MOD.link("...", "...", ...) - pattern-not: $MOD.linkSync("...", "...", ...) - pattern-not: $MOD.lstat("...", ...) - pattern-not: $MOD.lstatSync("...", ...) - pattern-not: $MOD.mkdir("...", ...) - pattern-not: $MOD.mkdirSync("...", ...) - pattern-not: $MOD.open("...", ...) - pattern-not: $MOD.openSync("...", ...) - pattern-not: $MOD.readdir("...", ...) - pattern-not: $MOD.readdirSync("...", ...) - pattern-not: $MOD.readFile("...", ...) - pattern-not: $MOD.readFileSync("...", ...) - pattern-not: $MOD.readlink("...", ...) - pattern-not: $MOD.readlinkSync("...", ...) - pattern-not: $MOD.realpath("...", ...) - pattern-not: $MOD.realpathSync("...", ...) - pattern-not: $MOD.rename("...", "...", ...) - pattern-not: $MOD.renameSync("...", "...", ...) - pattern-not: $MOD.rmdir("...", ...) - pattern-not: $MOD.rmdirSync("...", ...) - pattern-not: $MOD.stat("...", ...) - pattern-not: $MOD.statSync("...", ...) - pattern-not: $MOD.symlink("...", "...", ...) - pattern-not: $MOD.symlinkSync("...", "...", ...) - pattern-not: $MOD.truncate("...", ...) - pattern-not: $MOD.truncateSync("...", ...) - pattern-not: $MOD.unlink("...", ...) - pattern-not: $MOD.unlinkSync("...", ...) - pattern-not: $MOD.unwatchFile("...", ...) - pattern-not: $MOD.utimes("...", ...) - pattern-not: $MOD.utimesSync("...", ...) - pattern-not: $MOD.watch("...", ...) - pattern-not: $MOD.watchFile("...", ...) - pattern-not: $MOD.writeFile("...", ...) - pattern-not: $MOD.writeFileSync("...", ...) - pattern-either: - pattern: $MOD.appendFile(...) - pattern: $MOD.appendFileSync(...) - pattern: $MOD.chmod(...) - pattern: $MOD.chmodSync(...) - pattern: $MOD.chown(...) - pattern: $MOD.chownSync(...) - pattern: $MOD.createReadStream(...) - pattern: $MOD.createWriteStream(...) - pattern: $MOD.exists(...) - pattern: $MOD.existsSync(...) - pattern: $MOD.lchmod(...) - pattern: $MOD.lchmodSync(...) - pattern: $MOD.lchown(...) - pattern: $MOD.lchownSync(...) - pattern: $MOD.link(...) - pattern: $MOD.linkSync(...) - pattern: $MOD.lstat(...) - pattern: $MOD.lstatSync(...) - pattern: $MOD.mkdir(...) - pattern: $MOD.mkdirSync(...) - pattern: $MOD.open(...) - pattern: $MOD.openSync(...) - pattern: $MOD.readdir(...) - pattern: $MOD.readdirSync(...) - pattern: $MOD.readFile(...) - pattern: $MOD.readFileSync(...) - pattern: $MOD.readlink(...) - pattern: $MOD.readlinkSync(...) - pattern: $MOD.realpath(...) - pattern: $MOD.realpathSync(...) - pattern: $MOD.rename(...) - pattern: $MOD.renameSync(...) - pattern: $MOD.rmdir(...) - pattern: $MOD.rmdirSync(...) - pattern: $MOD.stat(...) - pattern: $MOD.statSync(...) - pattern: $MOD.symlink(...) - pattern: $MOD.symlinkSync(...) - pattern: $MOD.truncate(...) - pattern: $MOD.truncateSync(...) - pattern: $MOD.unlink(...) - pattern: $MOD.unlinkSync(...) - pattern: $MOD.unwatchFile(...) - pattern: $MOD.utimes(...) - pattern: $MOD.utimesSync(...) - pattern: $MOD.watch(...) - pattern: $MOD.watchFile(...) - pattern: $MOD.writeFile(...) - pattern: $MOD.writeFileSync(...) message: | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. Example using `path.normalize` and not allowing direct user input: ``` // User input, saved only as a reference // id is a randomly generated UUID to be used as the filename const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()}; // Restrict all file processing to this directory only const basePath = '/app/restricted/'; // Create the full path, but only use our random generated id as the filename const joinedPath = path.join(basePath, userData.id); // Normalize path, removing any '..' const fullPath = path.normalize(joinedPath); // Verify the fullPath is contained within our basePath if (!fullPath.startsWith(basePath)) { console.log("Invalid path specified!"); } // Process / work with file // ... ``` For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: eslint.detect-non-literal-fs-filename secondary_identifiers: - name: ESLint rule ID/detect-non-literal-fs-filename type: eslint_rule_id value: detect-non-literal-fs-filename license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-non-literal-fs-filename shortlink: https://sg.run/L09Y semgrep.dev: rule: r_id: 11583 rv_id: 920151 rule_id: bwUO0X version_id: 3ZTLwQ5 url: https://semgrep.dev/playground/r/3ZTLwQ5/gitlab.eslint.detect-non-literal-fs-filename origin: community severity: WARNING - id: gitlab.eslint.detect-non-literal-regexp languages: - javascript - typescript pattern-either: - patterns: - pattern: | new RegExp(...) - pattern-not: | new RegExp("...", ...) - pattern-not: | new RegExp(/.../, ...) - patterns: - pattern: | RegExp(...) - pattern-not: | RegExp("...", ...) - pattern-not: | RegExp(/.../, ...) - patterns: - pattern: | "...".$METHOD(...) - pattern-not: | "...".$METHOD("...") - pattern-not: | "...".$METHOD(/.../) - metavariable-regex: metavariable: $METHOD regex: ^(match|search)$ message: "The `RegExp` constructor was called with a non-literal value. If an adversary were able to\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\nagainst the application. In Node applications, this could cause the entire application to no\nlonger be responsive to other users' requests.\n\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \nexpression should be hardcoded. If this is not possible, consider using an alternative regular\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \nthat does not support backtracking, which is what leads to ReDoS.\n\nExample using re2 which does not support backtracking (Note: it is still recommended to\nnever use user-supplied input):\n```\n// Import the re2 module\nconst RE2 = require('re2');\n\nfunction match(userSuppliedRegex, userInput) {\n // Create a RE2 object with the user supplied regex, this is relatively safe\n // due to RE2 not supporting backtracking which can be abused to cause long running\n // queries\n var re = new RE2(userSuppliedRegex);\n // Execute the regular expression against some userInput\n var result = re.exec(userInput);\n \ // Work with the result\n}\n```\n\nFor more information on Regular Expression DoS see:\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n" metadata: cwe: CWE-185 shortDescription: Regular expression with non-literal value category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium primary_identifier: eslint.detect-non-literal-regexp secondary_identifiers: - name: ESLint rule ID/detect-non-literal-regexp type: eslint_rule_id value: detect-non-literal-regexp license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp shortlink: https://sg.run/70yQ semgrep.dev: rule: r_id: 11582 rv_id: 920149 rule_id: r6UkPj version_id: gETkXxL url: https://semgrep.dev/playground/r/gETkXxL/gitlab.eslint.detect-non-literal-regexp origin: community severity: WARNING - id: gitlab.find_sec_bugs.HTTP_RESPONSE_SPLITTING-1 languages: - java mode: taint pattern-sanitizers: - patterns: - pattern-inside: | $STR.replaceAll($REPLACER, "..."); ... - pattern: $STR - metavariable-regex: metavariable: $REPLACER regex: .*\[(?=.*\\r)(?=.*\\n).*\]\+ - pattern: org.apache.commons.text.StringEscapeUtils.escapeJava($STR); pattern-sinks: - pattern: new javax.servlet.http.Cookie("$KEY", ...); - patterns: - pattern-inside: | $C = new javax.servlet.http.Cookie("$KEY", ...); ... - pattern: $C.setValue(...); pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...); - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterNames(); - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterValues(...); - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameterMap(); - pattern: (javax.servlet.http.HttpServletRequest $REQ).getHeader(...); - pattern: (javax.servlet.http.HttpServletRequest $REQ).getPathInfo(); message: | HTTP Response Splitting is a vulnerability where Carriage Return (CR `\r`) and Line Feed (LF `\n`) characters are introduced into an HTTP header from user-supplied input. By injecting the `\r\n` character sequence, an adversary could potentially modify how the response is interpreted by the client or any downstream caching services. This could allow an adversary to poison the cache data or execute Cross-Site Scripting (XSS) attacks. Some Java application servers such as [Apache Tomcat](https://tomcat.apache.org/) as of version 8.0, newer versions of Jetty and other servers that implement the [RFC 6265 Standard](https://datatracker.ietf.org/doc/html/rfc6265) will disallow `\r' and '\n` characters characters from being set in cookies. If your application server does not automatically provide this functionality, user-supplied input that is used in cookie keys or values must be validated. Example of validating cookies to only allow valid characters: ``` // throws an IllegalArgumentException if the provided value contains invalid characters public void validateRfc6265CookieValue(String value) throws IllegalArgumentException { char[] chars = value.toCharArray(); // iterate over every character for (int i = 0; i < chars.length; i++) { char c = chars[i]; // check for any characters below 0x21 as well as: '"' ',' ';' '\' and 0x7f. if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) { throw new IllegalArgumentException("Invalid character in cookie detected: {0}".format(Integer.toString(c))); } } } ``` Alternatively, you could use a string escape package such as [Apache Commons Text](https://commons.apache.org/proper/commons-text/) to escape the input: ``` public String escapeValue(String value) { return StringEscapeUtils.escapeJava(value); } ``` For more information on response splitting attacks see OWASP: https://owasp.org/www-community/attacks/HTTP_Response_Splitting severity: WARNING metadata: shortDescription: Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') category: security cwe: CWE-113 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: High primary_identifier: find_sec_bugs.HTTP_RESPONSE_SPLITTING-1 secondary_identifiers: - name: Find Security Bugs-HTTP_RESPONSE_SPLITTING type: find_sec_bugs_type value: HTTP_RESPONSE_SPLITTING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HTTP_RESPONSE_SPLITTING-1 shortlink: https://sg.run/jBZ2 semgrep.dev: rule: r_id: 21165 rv_id: 920158 rule_id: lBUX54 version_id: A8TNl5D url: https://semgrep.dev/playground/r/A8TNl5D/gitlab.find_sec_bugs.HTTP_RESPONSE_SPLITTING-1 origin: community - id: trailofbits.python.pytorch-classes-load-library.pytorch-classes-load-library message: Loading custom operator libraries can result in arbitrary code execution languages: - python severity: ERROR metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - pytorch description: Potential arbitrary code execution from `PyTorch` library loading references: - https://pytorch.org/tutorials/advanced/torch_script_custom_classes.html license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.pytorch-classes-load-library.pytorch-classes-load-library shortlink: https://sg.run/nD6d semgrep.dev: rule: r_id: 44136 rv_id: 833306 rule_id: lBUYD9 version_id: YDTl040 url: https://semgrep.dev/playground/r/YDTl040/trailofbits.python.pytorch-classes-load-library.pytorch-classes-load-library origin: community patterns: - pattern: torch.classes.load_library(...) - pattern-not: torch.classes.load_library("...") - id: trailofbits.python.pytorch-package.pytorch-package message: Avoid importing torch.package - it can result in arbitrary code execution via pickle languages: - python severity: WARNING metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - audit confidence: LOW likelihood: MEDIUM impact: HIGH technology: - pytorch description: Potential arbitrary code execution from `torch.package` references: - https://pytorch.org/docs/1.13/package.html#torch-package - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pytorch-package.pytorch-package shortlink: https://sg.run/EK35 semgrep.dev: rule: r_id: 44137 rv_id: 833307 rule_id: PeUKGk version_id: 6xTDgWX url: https://semgrep.dev/playground/r/6xTDgWX/trailofbits.python.pytorch-package.pytorch-package origin: community pattern: import torch.package - id: trailofbits.python.pytorch-tensor.pytorch-tensor message: Avoid using `torch.Tensor()` to directly create a tensor for efficiency and proper parsing languages: - python severity: WARNING metadata: category: performance subcategory: - audit confidence: HIGH technology: - pytorch description: Possible parsing issues and inefficiency from improper tensor creation references: - https://pytorch.org/docs/stable/tensors.html license: AGPL-3.0 license source: https://semgrep.dev/r/trailofbits.python.pytorch-tensor.pytorch-tensor shortlink: https://sg.run/72xG semgrep.dev: rule: r_id: 44138 rv_id: 833308 rule_id: JDU4RQ version_id: o5TBEJD url: https://semgrep.dev/playground/r/o5TBEJD/trailofbits.python.pytorch-tensor.pytorch-tensor origin: community pattern: torch.Tensor(...) - id: gitlab.find_sec_bugs.BAD_HEXA_CONVERSION-1 languages: - java message: | The application is using `Integer.toHexString` on a digest array buffer which may lead to an incorrect version of values. Consider using the `java.util.HexFormat` object introduced in Java 17. For older Java applications consider using the `javax.xml.bind.DatatypeConverter`. Example using `HexFormat` to create a human-readable string: ``` // Create a MessageDigest using the SHA-384 algorithm MessageDigest sha384Digest = MessageDigest.getInstance("SHA-384"); // Call update with your data sha384Digest.update("some input".getBytes(StandardCharsets.UTF_8)); // Only call digest once all data has been fed into the update sha384digest instance byte[] output = sha384Digest.digest(); // Create a JDK 17 HexFormat object HexFormat hex = HexFormat.of(); // Use formatHex on the byte array to create a string (note that alphabet characters are lowercase) String hexString = hex.formatHex(output); ``` For more information on DatatypeConverter see: https://docs.oracle.com/javase/9/docs/api/javax/xml/bind/DatatypeConverter.html#printHexBinary-byte:A- patterns: - pattern-inside: | $B_ARR = (java.security.MessageDigest $MD).digest(...); ... - pattern-either: - pattern: | for(...) { ... $B = $B_ARR[...]; ... Integer.toHexString($B); } - pattern: | for(...) { ... Integer.toHexString($B_ARR[...]); } - pattern: | for(byte $B :$B_ARR) { ... Integer.toHexString($B); } - pattern: | while(...) { ... Integer.toHexString($B_ARR[...]) } - pattern: | do { ... Integer.toHexString($B_ARR[...]) } while(...) - pattern: | while(...) { ... $B = $B_ARR[...]; ... Integer.toHexString($B); } - pattern: | do { ... $B = $B_ARR[...]; ... Integer.toHexString($B); } while(...) metadata: shortDescription: Incorrect type conversion or cast cwe: CWE-704 category: security confidence: HIGH owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Info primary_identifier: find_sec_bugs.BAD_HEXA_CONVERSION-1 secondary_identifiers: - name: Find Security Bugs-BAD_HEXA_CONVERSION type: find_sec_bugs_type value: BAD_HEXA_CONVERSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.BAD_HEXA_CONVERSION-1 shortlink: https://sg.run/kD4K semgrep.dev: rule: r_id: 21228 rv_id: 920200 rule_id: 2ZUd06 version_id: GxToX83 url: https://semgrep.dev/playground/r/GxToX83/gitlab.find_sec_bugs.BAD_HEXA_CONVERSION-1 origin: community severity: WARNING - id: trailofbits.ruby.insecure-rails-cookie-session-store.insecure-rails-cookie-session-store message: | Found Rails session cookie missing SameSite=Secure. As of Rails 7.2, session cookies default to SameSite=Lax. languages: - ruby severity: WARNING metadata: category: security cwe: 'CWE-345: Insufficient Verification of Data Authenticity' subcategory: - audit confidence: HIGH likelihood: HIGH impact: LOW technology: - rails references: - https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.ruby.insecure-rails-cookie-session-store.insecure-rails-cookie-session-store shortlink: https://sg.run/DbO2o semgrep.dev: rule: r_id: 150308 rv_id: 943202 rule_id: j2Ug78v version_id: 1QTob5Q url: https://semgrep.dev/playground/r/1QTob5Q/trailofbits.ruby.insecure-rails-cookie-session-store.insecure-rails-cookie-session-store origin: community patterns: - pattern: Rails.application.config.session_store(:cookie_store, ...) - pattern-not: 'Rails.application.config.session_store(:cookie_store, ..., same_site: :secure, ...)' - id: gitlab.bandit.B303-1 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B303-1 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B303-1 shortlink: https://sg.run/nkkX semgrep.dev: rule: r_id: 11880 rv_id: 920095 rule_id: X5U77W version_id: 44TeqZZ url: https://semgrep.dev/playground/r/44TeqZZ/gitlab.bandit.B303-1 origin: community pattern: hashlib.md5(...) severity: WARNING - id: gitlab.bandit.B303-2 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B303-2 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B303-2 shortlink: https://sg.run/EOOw semgrep.dev: rule: r_id: 11881 rv_id: 920096 rule_id: j2URRg version_id: PkTjGQ1 url: https://semgrep.dev/playground/r/PkTjGQ1/gitlab.bandit.B303-2 origin: community pattern: hashlib.sha1(...) severity: WARNING - id: gitlab.bandit.B303-7 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium category: security primary_identifier: bandit.B303-7 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B303-7 shortlink: https://sg.run/7GGZ semgrep.dev: rule: r_id: 11882 rv_id: 920091 rule_id: 10Ueez version_id: 8KTvlKz url: https://semgrep.dev/playground/r/8KTvlKz/gitlab.bandit.B303-7 origin: community pattern: cryptography.hazmat.primitives.hashes.MD5(...) severity: WARNING - id: gitlab.bandit.B303-8 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to error. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B303-8 secondary_identifiers: - name: Bandit Test ID B303 type: bandit_test_id value: B303 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B303-8 shortlink: https://sg.run/L88r semgrep.dev: rule: r_id: 11883 rv_id: 920092 rule_id: 9AUkko version_id: gETkXeJ url: https://semgrep.dev/playground/r/gETkXeJ/gitlab.bandit.B303-8 origin: community pattern: cryptography.hazmat.primitives.hashes.SHA1(...) severity: WARNING - id: gitlab.bandit.B304-1 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-1 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-1 shortlink: https://sg.run/8RRy semgrep.dev: rule: r_id: 11884 rv_id: 920093 rule_id: yyUyyn version_id: QkT1NZk url: https://semgrep.dev/playground/r/QkT1NZk/gitlab.bandit.B304-1 origin: community patterns: - pattern-either: - pattern: Crypto.Hash.MD2.new(...) - pattern: Cryptodome.Hash.MD2.new (...) severity: WARNING - id: gitlab.bandit.B304-10 languages: - python message: | DES, TripleDES, RC2 and RC4 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-10 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-10 shortlink: https://sg.run/4PPl semgrep.dev: rule: r_id: 11888 rv_id: 920088 rule_id: kxU886 version_id: ExT1Wg2 url: https://semgrep.dev/playground/r/ExT1Wg2/gitlab.bandit.B304-10 origin: community pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...) severity: WARNING - id: gitlab.bandit.B304-11 languages: - python message: | The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in 1993. Smaller key sizes may make the ciphertext vulnerable to [birthday attacks](https://en.wikipedia.org/wiki/Birthday_attack). While no known attacks against Blowfish exist, it should never be used to encrypt files over 4GB in size. If possible consider using ChaCha20Poly1305 or AES-GCM instead of Blowfish. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-11 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-11 shortlink: https://sg.run/P88Y semgrep.dev: rule: r_id: 11889 rv_id: 920089 rule_id: wdUGGA version_id: 7ZTbRre url: https://semgrep.dev/playground/r/7ZTbRre/gitlab.bandit.B304-11 origin: community pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...) severity: WARNING - id: python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls patterns: - pattern: ftplib.FTP(...) - pattern-not: ftplib.FTP_TLS(...) fix-regex: regex: FTP(.*)\) replacement: FTP_TLS\1, context=ssl.create_default_context()) message: The 'FTP' class sends information unencrypted. Consider using the 'FTP_TLS' class instead. metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' references: - https://docs.python.org/3/library/ftplib.html#ftplib.FTP_TLS category: security technology: - ftplib subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls shortlink: https://sg.run/AvPp semgrep.dev: rule: r_id: 9650 rv_id: 1263483 rule_id: qNUjlR version_id: e1TyjoY url: https://semgrep.dev/playground/r/e1TyjoY/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls origin: community severity: INFO languages: - python - id: gitlab.bandit.B304-2 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD2, MD4, MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-2 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-2 shortlink: https://sg.run/grrJ semgrep.dev: rule: r_id: 11885 rv_id: 920094 rule_id: r6U99k version_id: 3ZTLwOL url: https://semgrep.dev/playground/r/3ZTLwOL/gitlab.bandit.B304-2 origin: community patterns: - pattern-either: - pattern: Crypto.Hash.MD4.new(...) - pattern: Cryptodome.Hash.MD4.new (...) severity: WARNING - id: gitlab.bandit.B304-3 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-3 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-3 shortlink: https://sg.run/Q444 semgrep.dev: rule: r_id: 11886 rv_id: 920086 rule_id: bwUNNN version_id: ZRTed36 url: https://semgrep.dev/playground/r/ZRTed36/gitlab.bandit.B304-3 origin: community patterns: - pattern-either: - pattern: Crypto.Hash.MD5.new(...) - pattern: Cryptodome.Hash.MD5.new (...) severity: WARNING - id: gitlab.bandit.B304-4 languages: - python message: | The application was found using an insecure or risky digest or signature algorithm. MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. It is strongly recommended that a standard digest algorithm be chosen instead as implementing a custom algorithm is prone to errors. Note that the `Crypto` and `Cryptodome` Python packages are no longer recommended for new applications, instead consider using the [cryptography](https://cryptography.io/) package. Example of creating a SHA-384 hash using the `cryptography` package: ``` from cryptography.hazmat.primitives import hashes # Create a SHA384 digest digest = hashes.Hash(hashes.SHA384()) # Update the digest with some initial data digest.update(b"some data to hash") # Add more data to the digest digest.update(b"some more data") # Finalize the digest as bytes result = digest.finalize() ``` For more information on secure password storage see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B304-4 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-4 shortlink: https://sg.run/344r semgrep.dev: rule: r_id: 11887 rv_id: 920087 rule_id: NbUYYN version_id: nWTnNp8 url: https://semgrep.dev/playground/r/nWTnNp8/gitlab.bandit.B304-4 origin: community patterns: - pattern-either: - pattern: Crypto.Hash.SHA.new(...) - pattern: Cryptodome.Hash.SHA.new (...) severity: WARNING - id: gitlab.bandit.B305 languages: - python message: | Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using `ChaCha20Poly1305` or `AES-256-GCM` instead. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security shortDescription: Use of a broken or risky cryptographic algorithm security-severity: Medium primary_identifier: bandit.B305 secondary_identifiers: - name: Bandit Test ID B305 type: bandit_test_id value: B305 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B305 shortlink: https://sg.run/5JJA semgrep.dev: rule: r_id: 11891 rv_id: 920078 rule_id: OrUDDX version_id: NdTeRel url: https://semgrep.dev/playground/r/NdTeRel/gitlab.bandit.B305 origin: community pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...) severity: WARNING - id: gitlab.bandit.B317 languages: - python message: | The application was found using the `xml.sax` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `xml.sax` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B317 secondary_identifiers: - name: Bandit Test ID B317 type: bandit_test_id value: B317 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B317 shortlink: https://sg.run/RPPO semgrep.dev: rule: r_id: 11893 rv_id: 920143 rule_id: v8Ujj8 version_id: ZRTedN2 url: https://semgrep.dev/playground/r/ZRTedN2/gitlab.bandit.B317 origin: community pattern-either: - pattern: xml.sax.parse(...) - patterns: - pattern: xml.sax.parseString(...) - pattern-not: xml.sax.parseString("...") - pattern: xml.sax.make_parser(...) severity: WARNING - id: gitlab.bandit.B323 languages: - python message: | The application was found creating a SSL context using the `_create_unverified_context`. This effectively disables the validation of server certificates. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. To remediate this issue remove the call to `_create_unverified_context` and either create a default context using `ssl.create_default_context` or create a context with TLS 1.3. Example creating a TLS 1.3 client socket connection by using a newer version of Python (3.11.4) and the SSL module: ``` import ssl import socket # Create our initial socket with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: # Connect the socket sock.connect(('www.example.org', 443)) # Create a new SSLContext with protocol set to ssl.PROTOCOL_TLS_CLIENT # This will auto-select the highest grade TLS protocol version (1.3) context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT) # Load our a certificates for server certificate authentication context.load_verify_locations('cert.pem') # Create our TLS socket, and validate the server hostname matches with context.wrap_socket(sock, server_hostname="www.example.org") as tls_sock: # Send some bytes over the socket (HTTP request in this case)\ data = bytes('GET / HTTP/1.1\r\nHost: example.org\r\n\r\n', 'utf-8') sent_bytes = tls_sock.send(data) # Validate number of sent bytes # ... # Read the response resp = tls_sock.recv() # Work with the response # ... ``` Unverified SSL context detected. This will permit insecure connections without `verifyingSSL` certificates. Use `ssl.create_default_context()` instead. metadata: cwe: CWE-295 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures category: security shortDescription: Improper certificate validation security-severity: Medium primary_identifier: bandit.B323 secondary_identifiers: - name: Bandit Test ID B323 type: bandit_test_id value: B323 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B323 shortlink: https://sg.run/BLLW semgrep.dev: rule: r_id: 11895 rv_id: 920132 rule_id: ZqUgg2 version_id: yeTDg2n url: https://semgrep.dev/playground/r/yeTDg2n/gitlab.bandit.B323 origin: community pattern: ssl._create_unverified_context(...) severity: ERROR - id: gitlab.bandit.B507 languages: - python message: | The application was found to ignore host keys. Host keys are important as they provide assurance that the client can prove that the host is trusted. By ignoring these host keys, it is impossible for the client to validate the connection is to a trusted host. To remediate this issue, remove the call to `set_missing_host_key_policy(...)` which sets the host key policy. Instead, load key files using either `load_system_host_keys` or `load_host_keys` to only allow known good hosts. By not setting a host key policy for unknown hosts, `paramiko`'s default policy is to use `RejectPolicy`. Example configuration connecting to a known, trusted host, and not allowing connections to unknown hosts: ``` import paramiko # Create an SSH client with paramiko.SSHClient() as ssh: # Load the system host keys so we can confirm the # host we are connecting to is legitimate ssh.load_system_host_keys('/home/appuser/.ssh/known_hosts') # Connect to the remote host using our SSH private key ssh.connect(hostname='example.org', port=22, username='appuser', key_filename='/home/appuser/.ssh/private_key') ``` For more information on `set_missing_host_key_policy` see: - https://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.set_missing_host_key_policy metadata: cwe: CWE-322 category: security owasp: - A5:2017-Broken Access Control - A07:2021-Identification and Authentication Failures shortDescription: Key exchange without entity authentication security-severity: Medium primary_identifier: bandit.B507 secondary_identifiers: - name: Bandit Test ID B507 type: bandit_test_id value: B507 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B507 shortlink: https://sg.run/WOO4 semgrep.dev: rule: r_id: 11897 rv_id: 920128 rule_id: EwUQQv version_id: X0TAKxW url: https://semgrep.dev/playground/r/X0TAKxW/gitlab.bandit.B507 origin: community patterns: - pattern-inside: | $CLIENT = paramiko.client.SSHClient(...) ... $CLIENT.set_missing_host_key_policy(...) - pattern-either: - pattern: paramiko.client.AutoAddPolicy - pattern: paramiko.client.WarningPolicy severity: ERROR - id: gitlab.bandit.B609 languages: - python message: "Detected use of the wildcard character in a system call that spawns a shell. This subjects the\nwildcard to normal shell expansion, which can have unintended consequences if there exist any\nnon-standard file names. For instance, a file named `-e sh script.sh` could cause issues when \nexpanded by the shell and executed as a command. Consider using a different method to achieve \nthe same result, such as using the `glob` module to expand the wildcard before passing it to the\nsystem call. Or if the command is static, consider hardcoding the command instead of using a\nwildcard.\n\nFor example, the below code uses the glob module to expand the wildcard and get a list of all \nCSV files in the current directory. This list is then used in the subprocess.run call, instead of a \nwildcard. This avoids the potential issues that can arise from using a wildcard in a system call.\n```\nimport glob\nimport subprocess\n\n# Secure way to process all CSV files\nfiles = glob.glob('*.csv')\nfor file in files:\n subprocess.run(['process_data', file])\n```\n" metadata: category: security cwe: CWE-155 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of wildcards or matching symbols security-severity: High primary_identifier: bandit.B609 secondary_identifiers: - name: Bandit Test ID B609 type: bandit_test_id value: B609 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B609 shortlink: https://sg.run/055v semgrep.dev: rule: r_id: 11898 rv_id: 920110 rule_id: 7KUppP version_id: JdToRDY url: https://semgrep.dev/playground/r/JdToRDY/gitlab.bandit.B609 origin: community patterns: - pattern-either: - pattern: os.$X("$CMD", ...) - pattern: subprocess.Popen("$CMD", shell=True, ...) - metavariable-regex: metavariable: $CMD regex: (.*?)(\*|\?) - pattern-not-inside: os.spawnvp(...) metavariable-regex: X: (system|popen|popen2|popen3|popen4) severity: WARNING - id: gitlab.bandit.B702 languages: - python message: "The application was found using mako templates without `default_filters`\nbeing passed to the `Template` or `TemplateLookup` constructors. If using \nin the context of HTML, this could lead to Cross-Site Scripting (XSS) attacks \nwhen rendering with user-supplied input.\n\nUnfortunately, Jinja2 does not support context-aware escaping, meaning it\nis insufficient to protect against XSS for the various web contexts. It is \nimportant to encode the data depending on the specific context it is used in. \nThere are at least six context types:\n\n- Inside HTML tags `
context 1
`\n- Inside attributes: `
`\n- Inside event attributes ``\n- Inside script blocks: ``\n- Unsafe element HTML assignment: `element.innerHTML = \"context 5\"`\n- Inside URLs: \n`link`\n\nScript blocks alone have multiple ways they need to be encoded. Extra care\nmust be taken if user input is ever output inside of script tags.\n\nUser input that is displayed within the application must be encoded,\nsanitized or validated to ensure it cannot be treated as HTML or executed \nas Javascript code. Care must also be taken to not mix server-side templating \nwith client-side templating, as the server-side templating will not encode things \nlike {{ 7*7 }} which may execute client-side templating features.\n\nIt is _NOT_ advised to encode user input prior to inserting into a data\nstore. The data will need to be encoded depending on context of where it is output. \nIt is much safer to force the displaying system to handle the encoding and \nnot attempt to guess how it should be encoded.\n\nTo handle different contexts, one approach would be to write custom mako\nfilters. Below is an example that escapes or encodes links and \npotentially malicious script, note this does not include other contexts \nsuch as CSS or attributes:\n```\n# filters.py module:\n\ndef escape_link(value):\n bad_link = \"#JinjatmplZ\"\n \ # Block any values that start with // as that could be used to inject\n # links to third party pages see:\nhttps://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL\n \ if value.startswith('//'):\n return bad_link\n\n # Only allow relative links\n # if you want to allow links that start with http or ws replace with below:\n # if not value.startswith('/'): and not value.startswith('http') and not\nvalue.startswith('ws')\n if not value.startswith('/'):\n return bad_link\n\n return value\n\n# Create a replacement table\njs_replacement = str.maketrans({\n '\\0': \"\\\\u0000\",\n '\\t': \"\\\\t\",\n '\\n': \"\\\\n\",\n '\\v': \"\\\\u000b\",\n '\\f': \"\\\\f`\",\n '\\r': \"\\\\r\",\n \ '\"': \"\\\\u0022\",\n '`': \"\\\\u0060\",\n '&': \"\\\\u0026\",\n \ '\\'': \"\\\\u0027\",\n '+': \"\\\\u002b\",\n '/': \"\\\\/\",\n '<': \ \"\\\\u003c\",\n '>': \"\\\\u003e\",\n '\\\\': \"\\\\\\\\\",\n '(': \"\\\\u0028\",\n ')': \"\\\\u0029\",\n})\n\ndef escape_js(value):\n # Escape the input for use in \n\n\n\"\"\"\n\n# Load our template with default filters and our imported filters for\n# usage in template files\nt = Template(template_text,\n # By default enable the html filter with 'h'\n default_filters=['h'],\n # Import our custom filters\n imports=[\"from filters import escape_link, escape_js\"])\n\n# Render our template\nprint(t.render(html_context=\"\",\n \ link_context=\"/# onclick=alert(1)\",\n script_context=\"alert(1)\",)\n)\n```\n" metadata: cwe: CWE-79 category: security owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') security-severity: Medium primary_identifier: bandit.B702 secondary_identifiers: - name: Bandit Test ID B702 type: bandit_test_id value: B702 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B702 shortlink: https://sg.run/K887 semgrep.dev: rule: r_id: 11899 rv_id: 920107 rule_id: L1Urrl version_id: qkTpw4A url: https://semgrep.dev/playground/r/qkTpw4A/gitlab.bandit.B702 origin: community patterns: - pattern-either: - pattern: mako.template.Template(...) - pattern: mako.lookup.TemplateLookup(...) - pattern-not: mako.lookup.TemplateLookup(..., default_filters=["..."]) - pattern-not: mako.template.Template(..., default_filters=["..."]) severity: WARNING - id: gitlab.eslint.detect-disable-mustache-escape languages: - javascript - typescript patterns: - pattern-inside: | $OBJ = require('mustache') ... - pattern-either: - pattern: | $OBJ.escape = function($TEXT) { ... return $TEXT; } - patterns: - metavariable-regex: metavariable: $X regex: '"\{\{\{(.+?)\}\}\}"' - pattern: $OBJ.render($X, ... ) - patterns: - metavariable-regex: metavariable: $Y regex: '"\{\{\&(.+?)\}\}"' - pattern: $OBJ.render($Y, ... ) severity: WARNING message: | Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks. metadata: cwe: CWE-79 owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection category: security shortDescription: Improper neutralization of input during web page generation (XSS) security-severity: Medium primary_identifier: eslint.detect-disable-mustache-escape secondary_identifiers: - name: ESLint rule ID/detect-disable-mustache-escape type: eslint_rule_id value: detect-disable-mustache-escape license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-disable-mustache-escape shortlink: https://sg.run/Jjjo semgrep.dev: rule: r_id: 11902 rv_id: 920156 rule_id: QrUppL version_id: GxToX63 url: https://semgrep.dev/playground/r/GxToX63/gitlab.eslint.detect-disable-mustache-escape origin: community - id: gitlab.eslint.detect-non-literal-require languages: - javascript - typescript patterns: - pattern: require($OBJ) - pattern-not: require('...') severity: WARNING message: | The application was found to dynamically import a module by calling `require` using a non-literal string. An adversary might be able to read the first line of arbitrary files. If they had write access to the file system, they may also be able to execute arbitrary code. To remediate this issue, use a hardcoded string literal when calling `require`. Never call it it with dynamically created variables or user-supplied data. metadata: cwe: CWE-95 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') category: security source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js security-severity: Low primary_identifier: eslint.detect-non-literal-require secondary_identifiers: - name: ESLint rule ID/detect-non-literal-require type: eslint_rule_id value: detect-non-literal-require license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-non-literal-require shortlink: https://sg.run/5JJ6 semgrep.dev: rule: r_id: 11903 rv_id: 920154 rule_id: 3qUEE5 version_id: JdToRpY url: https://semgrep.dev/playground/r/JdToRpY/gitlab.eslint.detect-non-literal-require origin: community - id: gitlab.eslint.detect-possible-timing-attacks languages: - javascript patterns: - pattern-not: if ($Z == null) { ... }; - pattern-not: if ($Z === null) { ... }; - pattern-not: if ($Z != null) { ... }; - pattern-not: if ($Z !== null) { ... }; - pattern-not: if ($Q != undefined) { ... }; - pattern-not: if ($Q !== undefined) { ... }; - pattern-not: if ($Q == undefined) { ... }; - pattern-not: if ($Q === undefined) { ... }; - pattern-not: return $Y == null; - pattern-not: return $Y === null; - pattern-not: return $Y != null; - pattern-not: return $Y !== null; - pattern-not: return $Y == undefined; - pattern-not: return $Y === undefined; - pattern-not: return $Y != undefined; - pattern-not: return $Y !== undefined; - pattern-either: - pattern: | if (password == $X) { ... } - pattern: | if ($X == password) { ... } - pattern: | if (password === $X) { ... } - pattern: | if ($X === password) { ... } - pattern: | if (pass == $X) { ... } - pattern: | if ($X == pass) { ... } - pattern: | if (pass === $X) { ... } - pattern: | if ($X === pass) { ... } - pattern: | if (secret == $X) { ... } - pattern: | if ($X == secret) { ... } - pattern: | if (secret === $X) { ... } - pattern: | if ($X === secret) { ... } - pattern: | if (api == $X) { ... } - pattern: | if ($X == api) { ... } - pattern: | if (api === $X) { ... } - pattern: | if ($X === api) { ... } - pattern: | if (apiKey == $X) { ... } - pattern: | if ($X == apiKey) { ... } - pattern: | if (apiKey === $X) { ... } - pattern: | if ($X === apiKey) { ... } - pattern: | if (apiSecret == $X) { ... } - pattern: | if ($X == apiSecret) { ... } - pattern: | if (apiSecret === $X) { ... } - pattern: | if ($X === apiSecret) { ... } - pattern: | if (token == $X) { ... } - pattern: | if ($X == token) { ... } - pattern: | if (token === $X) { ... } - pattern: | if ($X === token) { ... } - pattern: | if (hash == $X) { ... } - pattern: | if ($X == hash) { ... } - pattern: | if (hash === $X) { ... } - pattern: | if ($X === hash) { ... } - pattern: | if (auth_token == $X) { ... } - pattern: | if ($X == auth_token) { ... } - pattern: | if (auth_token === $X) { ... } - pattern: | if ($X === auth_token) { ... } - pattern: | if (password != $X) { ... } - pattern: | if ($X != password) { ... } - pattern: | if (password !== $X) { ... } - pattern: | if ($X !== password) { ... } - pattern: | if (pass != $X) { ... } - pattern: | if ($X != pass) { ... } - pattern: | if (pass !== $X) { ... } - pattern: | if ($X !== pass) { ... } - pattern: | if (secret != $X) { ... } - pattern: | if ($X != secret) { ... } - pattern: | if (secret !== $X) { ... } - pattern: | if ($X !== secret) { ... } - pattern: | if (api != $X) { ... } - pattern: | if ($X != api) { ... } - pattern: | if (api !== $X) { ... } - pattern: | if ($X !== api) { ... } - pattern: | if (apiKey != $X) { ... } - pattern: | if ($X != apiKey) { ... } - pattern: | if (apiKey !== $X) { ... } - pattern: | if ($X !== apiKey) { ... } - pattern: | if (apiSecret != $X) { ... } - pattern: | if ($X != apiSecret) { ... } - pattern: | if (apiSecret !== $X) { ... } - pattern: | if ($X !== apiSecret) { ... } - pattern: | if (token != $X) { ... } - pattern: | if ($X != token) { ... } - pattern: | if (token !== $X) { ... } - pattern: | if ($X !== token) { ... } - pattern: | if (hash != $X) { ... } - pattern: | if ($X != hash) { ... } - pattern: | if (hash !== $X) { ... } - pattern: | if ($X !== hash) { ... } - pattern: | if (auth_token != $X) { ... } - pattern: | if ($X != auth_token) { ... } - pattern: | if (auth_token !== $X) { ... } - pattern: | if ($X !== auth_token) { ... } - pattern: | return $X === auth_token; - pattern: | return auth_token === $X; - pattern: | return $X === token; - pattern: | return token === $X; - pattern: | return $X === hash; - pattern: | return hash === $X; - pattern: | return $X === password; - pattern: | return password === $X; - pattern: | return $X === pass; - pattern: | return pass === $X; - pattern: | return $X === apiKey; - pattern: | return apiKey === $X; - pattern: | return $X === apiSecret; - pattern: | return apiSecret === $X; - pattern: | return $X === api_key; - pattern: | return api_key === $X; - pattern: | return $X === api_secret; - pattern: | return api_secret === $X; - pattern: | return $X === secret; - pattern: | return secret === $X; - pattern: | return $X === api; - pattern: | return api === $X; - pattern: | return $X == auth_token; - pattern: | return auth_token == $X; - pattern: | return $X == token; - pattern: | return token == $X; - pattern: | return $X == hash; - pattern: | return hash == $X; - pattern: | return $X == password; - pattern: | return password == $X; - pattern: | return $X == pass; - pattern: | return pass == $X; - pattern: | return $X == apiKey; - pattern: | return apiKey == $X; - pattern: | return $X == apiSecret; - pattern: | return apiSecret == $X; - pattern: | return $X == api_key; - pattern: | return api_key == $X; - pattern: | return $X == api_secret; - pattern: | return api_secret == $X; - pattern: | return $X == secret; - pattern: | return secret == $X; - pattern: | return $X == api; - pattern: | return api == $X; - pattern: | return $X !== auth_token; - pattern: | return auth_token !== $X; - pattern: | return $X !== token; - pattern: | return token !== $X; - pattern: | return $X !== hash; - pattern: | return hash !== $X; - pattern: | return $X !== password; - pattern: | return password !== $X; - pattern: | return $X !== pass; - pattern: | return pass !== $X; - pattern: | return $X !== apiKey; - pattern: | return apiKey !== $X; - pattern: | return $X !== apiSecret; - pattern: | return apiSecret !== $X; - pattern: | return $X !== api_key; - pattern: | return api_key !== $X; - pattern: | return $X !== api_secret; - pattern: | return api_secret !== $X; - pattern: | return $X !== secret; - pattern: | return secret !== $X; - pattern: | return $X !== api; - pattern: | return api !== $X; - pattern: | return $X != auth_token; - pattern: | return auth_token != $X; - pattern: | return $X != token; - pattern: | return token != $X; - pattern: | return $X != hash; - pattern: | return hash != $X; - pattern: | return $X != password; - pattern: | return password != $X; - pattern: | return $X != pass; - pattern: | return pass != $X; - pattern: | return $X != apiKey; - pattern: | return apiKey != $X; - pattern: | return $X != apiSecret; - pattern: | return apiSecret != $X; - pattern: | return $X != api_key; - pattern: | return api_key != $X; - pattern: | return $X != api_secret; - pattern: | return api_secret != $X; - pattern: | return $X != secret; - pattern: | return secret != $X; - pattern: | return $X != api; - pattern: | return api != $X; severity: WARNING message: | The application was found executing string comparisons using one of `===`, `!==`, `==` or `!=` against security sensitive values. String comparisons like this are not constant time, meaning the first character found not to match in the two strings will immediately exit the conditional statement. This allows an adversary to calculate or observe small timing differences depending on the strings passed to this comparison. This potentially allows an adversary the ability to brute force a string that will match the expected value by monitoring different character values. To remediate this issue, use the `crypto.timingSafeEqual` method when comparing strings. Example using `crypto.timingSafeEqual` to safely compare strings: ``` function constantTimeIsPasswordEqual(userInput) { // Retrieve the password from a secure data store such as a KMS or Hashicorp's vault. const password = getPasswordFromSecureDataStore(); // Use crypto timingSafeEqual to ensure the comparison is done in constant time. return crypto.timingSafeEqual(Buffer.from(userInput, 'utf-8'), Buffer.from(password, 'utf-8')); } ``` For more information on constant time comparison see: - https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b metadata: cwe: CWE-208 shortDescription: Observable timing discrepancy category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: eslint.detect-possible-timing-attacks secondary_identifiers: - name: ESLint rule ID/detect-possible-timing-attacks type: eslint_rule_id value: detect-possible-timing-attacks license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-possible-timing-attacks shortlink: https://sg.run/GwwB semgrep.dev: rule: r_id: 11904 rv_id: 920155 rule_id: 4bU22N version_id: 5PTNGAR url: https://semgrep.dev/playground/r/5PTNGAR/gitlab.eslint.detect-possible-timing-attacks origin: community - id: gitlab.eslint.detect-pseudoRandomBytes languages: - javascript - typescript pattern: crypto.pseudoRandomBytes severity: WARNING message: | Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `randomBytes` method of the `crypto` module be used instead of `pseudoRandomBytes`. Example using `randomBytes`: ``` // Generate 256 bytes of random data const randomBytes = crypto.randomBytes(256); ``` For more information on JavaScript Cryptography see: https://nodejs.org/api/crypto.html#cryptorandombytessize-callback metadata: cwe: CWE-338 shortDescription: Use of cryptographically weak pseudo-random number generator (PRNG) category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js security-severity: Medium primary_identifier: eslint.detect-pseudoRandomBytes secondary_identifiers: - name: ESLint rule ID/detect-pseudoRandomBytes type: eslint_rule_id value: detect-pseudoRandomBytes license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-pseudoRandomBytes shortlink: https://sg.run/P88N semgrep.dev: rule: r_id: 11901 rv_id: 920152 rule_id: gxUYYL version_id: 44TeqlN url: https://semgrep.dev/playground/r/44TeqlN/gitlab.eslint.detect-pseudoRandomBytes origin: community - id: gitlab.eslint.react-dangerouslysetinnerhtml languages: - typescript - javascript pattern-either: - pattern: | <$X dangerouslySetInnerHTML=... /> - pattern: | {dangerouslySetInnerHTML: ...} severity: WARNING message: | The application was found calling `dangerouslySetInnerHTML` which may lead to Cross Site Scripting (XSS). By default, React components will encode the data properly before rendering. Calling `dangerouslySetInnerHTML` disables this encoding and allows raw markup and JavaScript to be executed. XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data, depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Remove the call to `dangerouslySetInnerHTML` or ensure that the data used in this call does not come from user-supplied input. For more information on dangerously setting inner HTML see: - https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html metadata: cwe: CWE-79 owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security security-severity: Medium primary_identifier: eslint.react-dangerouslysetinnerhtml secondary_identifiers: - name: ESLint rule ID/react-dangerouslysetinnerhtml type: eslint_rule_id value: react-dangerouslysetinnerhtml license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.react-dangerouslysetinnerhtml shortlink: https://sg.run/Awwg semgrep.dev: rule: r_id: 11906 rv_id: 920153 rule_id: JDUQQY version_id: PkTjG1q url: https://semgrep.dev/playground/r/PkTjG1q/gitlab.eslint.react-dangerouslysetinnerhtml origin: community - id: gitlab.find_sec_bugs.BLOWFISH_KEY_SIZE-1 languages: - java patterns: - pattern-inside: | $KEYGEN = javax.crypto.KeyGenerator.getInstance("Blowfish", ...); ... - pattern: $KEYGEN.init($KEY_SIZE) - metavariable-comparison: comparison: int($KEY_SIZE) < 128 metavariable: $KEY_SIZE message: | The Blowfish encryption algorithm was meant as a drop-in replacement for DES and was created in 1993. Smaller key sizes may make the ciphertext vulnerable to [birthday attacks](https://en.wikipedia.org/wiki/Birthday_attack). While no known attacks against Blowfish exist, it should never be used to encrypt files over 4GB in size. If possible consider using AES as the instance of `KeyGenerator` instead of Blowfish. To remediate the small key size, pass a value such as 256 to the `KeyGenerator.init(keySize)` method. Example setting a larger key size and changing to `KeyGenerator` to AES: ``` public static void aesKeyGenerator() throws java.security.NoSuchAlgorithmException { // Use the AES algorithm for key generation KeyGenerator keyGenerator = KeyGenerator.getInstance("AES"); // Set the key size here keyGenerator.init(256); // get the raw bytes of the key byte[] key = keyGenerator.generateKey().getEncoded(); // pass the key bytes to create a SecretKeySpec SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES"); } ``` Example setting a larger key size for Blowfish: ``` public static void blowFishKeyGenerator() throws java.security.NoSuchAlgorithmException { // Use the Blowfish algorithm for key generation KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish"); // Set the key size here keyGenerator.init(256); // get the raw bytes of the key byte[] key = keyGenerator.generateKey().getEncoded(); // pass the key bytes to create a SecretKeySpec SecretKeySpec secretKeySpec = new SecretKeySpec(key, "Blowfish"); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: WARNING metadata: category: security shortDescription: Inadequate encryption strength owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-326 technology: - java security-severity: Medium primary_identifier: find_sec_bugs.BLOWFISH_KEY_SIZE-1 secondary_identifiers: - name: Find Security Bugs-BLOWFISH_KEY_SIZE type: find_sec_bugs_type value: BLOWFISH_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.BLOWFISH_KEY_SIZE-1 shortlink: https://sg.run/NjB1 semgrep.dev: rule: r_id: 21171 rv_id: 920161 rule_id: 2ZUd1P version_id: WrTYnQ4 url: https://semgrep.dev/playground/r/WrTYnQ4/gitlab.find_sec_bugs.BLOWFISH_KEY_SIZE-1 origin: community - id: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint patterns: - pattern: | ENTRYPOINT $...VARS - pattern-not-inside: | USER $USER ... fix: | USER non-root ENTRYPOINT $...VARS message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'. severity: ERROR languages: - dockerfile metadata: cwe: - 'CWE-269: Improper Privilege Management' category: security technology: - dockerfile confidence: MEDIUM owasp: - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://owasp.org/Top10/A04_2021-Insecure_Design subcategory: - audit likelihood: LOW impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint shortlink: https://sg.run/k281 semgrep.dev: rule: r_id: 47272 rv_id: 1262659 rule_id: ReUW9E version_id: o5TbD21 url: https://semgrep.dev/playground/r/o5TbD21/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint origin: community - id: gitlab.find_sec_bugs.CIPHER_INTEGRITY-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-comparison: metavariable: $ALG comparison: | $ALG in ( "AES" "AES/CBC/NoPadding" "AES/CBC/PKCS5Padding" "AES/CBC/PKCS7Padding" "AES/CFB/NoPadding" "AES/CFB/PKCS5Padding" "AES/CFB/PKCS7Padding" "AES/CTR/NoPadding" "AES/ECB/NoPadding" "AES/ECB/PKCS5Padding" "AES/ECB/PKCS7Padding" "AES/OFB/NoPadding" "AES/OFB/PKCS5Padding" "AES/OFB/PKCS7Padding" "ARCFOUR" "DES" "DES/CBC/NoPadding" "DES/CBC/PKCS5Padding" "DES/ECB/NoPadding" "DES/ECB/PKCS5Padding" "DESede" "DESede/CBC/NoPadding" "DESede/CBC/PKCS5Padding" "DESede/ECB/NoPadding" "DESede/ECB/PKCS5Padding" "RC4" ) message: | Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using `ChaCha20Poly1305` or `AES-256-GCM` instead. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our ivKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV Key byte[] ivKey = new byte[12]; random.nextBytes(ivKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: ERROR metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.CIPHER_INTEGRITY-1 secondary_identifiers: - name: Find Security Bugs-CIPHER_INTEGRITY type: find_sec_bugs_type value: CIPHER_INTEGRITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.CIPHER_INTEGRITY-1 shortlink: https://sg.run/O4Db semgrep.dev: rule: r_id: 21175 rv_id: 920165 rule_id: 9AUAzy version_id: l4TXDv0 url: https://semgrep.dev/playground/r/l4TXDv0/gitlab.find_sec_bugs.CIPHER_INTEGRITY-1 origin: community - id: gitlab.find_sec_bugs.COMMAND_INJECTION-1 languages: - java mode: taint pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $R).$METHOD(...) - pattern: (java.util.Scanner $S).$METHOD(...) - pattern: (java.util.stream.Stream).$METHOD(...) - pattern: (java.util.StringJoiner $SJ).toString(...) - pattern: (java.sql.ResultSet.getString $R).$METHOD(...) - pattern: (java.lang.System $S).getProperty(...) - pattern: (java.lang.System $S).getenv(...) - pattern: (java.lang.StringBuilder $SB).toString(...) - pattern: (java.io.FileInputStream $F).read(...) - pattern: (java.io.FileReader $F).read(...) - pattern: (java.net.Socket $S).getInputStream(...) - pattern: (java.net.Socket $S).getOutputStream(...) - pattern: (java.net.DatagramSocket $S).receive(...) - pattern: (java.net.DatagramSocket $S).getInputStream(...) - pattern: java.nio.file.Files.readAllBytes(...) - pattern: java.nio.file.Files.readAllLines(...) - pattern: java.nio.file.Files.lines(...) - pattern: java.nio.file.Files.newBufferedReader(...) - pattern: org.apache.commons.io.IOUtils.toString(...) - pattern: org.apache.commons.io.IOUtils.readLines(...) - pattern: org.apache.commons.io.IOUtils.toByteArray(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).readValue(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).treeToValue(...) - pattern: $CLASS.$METHOD(..., (javax.servlet.http.HttpServletRequest $R), ...) - pattern: $FUNC(..., (javax.servlet.http.HttpServletRequest $R), ...) - patterns: - pattern-inside: $FUNC(..., String $X, ...) { ... } - focus-metavariable: $X pattern-propagators: - pattern: $LIST.add($X) from: $X to: $LIST - pattern: $MAP.put(..., $X) from: $X to: $MAP - pattern: $STR.concat($X) from: $X to: $STR - pattern: $STR = String.format(..., $X, ...) from: $X to: $STR - pattern: $STR = String.join(..., $X, ...) from: $X to: $STR pattern-sinks: - pattern: (ProcessBuilder $PB).command(...) - pattern: new ProcessBuilder(...) - pattern: (Runtime $R).exec(...) message: | OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not: - Use user-supplied information in the process name to execute. - Use user-supplied information in an OS command execution function which does not escape shell meta-characters. - Use user-supplied information in arguments to OS commands. The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. When specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: ``` public static void executeCommand(String userFileData) throws java.io.IOException { // Generate a random filename, do not use user input String fileName = UUID.randomUUID().toString(); // Create a Buffered/FileWriter BufferedWriter writer = new BufferedWriter(new FileWriter(fileName)); // Write the user content to our random file writer.write(userFileData); // Close the file to flush contents writer.close(); // Create the process builder with a hardcoded path to the binary, and our randomly generated filename ProcessBuilder processBuilder = new ProcessBuilder("/opt/app/path", fileName); // Start the process Process process = processBuilder.start(); // Handle/redirect output of process here // ... } ``` For more information on OS command injection, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') category: security cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: High primary_identifier: find_sec_bugs.COMMAND_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-COMMAND_INJECTION type: find_sec_bugs_type value: COMMAND_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.COMMAND_INJECTION-1 shortlink: https://sg.run/WDoz semgrep.dev: rule: r_id: 21197 rv_id: 920181 rule_id: PeUjYP version_id: w8TkbDA url: https://semgrep.dev/playground/r/w8TkbDA/gitlab.find_sec_bugs.COMMAND_INJECTION-1 origin: community - id: gitlab.find_sec_bugs.CUSTOM_MESSAGE_DIGEST-1 languages: - java patterns: - pattern: | class $CLAZZ extends java.security.MessageDigest { ... } message: | The application was found implementing a custom `java.security.MessageDigest`. It is strongly recommended that a standard Digest algorithm be chosen instead as implementing a digest by hand is error-prone. The National Institute of Standards and Technology (NIST) recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. Example of creating a SHA-384 hash: ``` // Create a MessageDigest using the SHA-384 algorithm MessageDigest sha384Digest = MessageDigest.getInstance("SHA-384"); // Call update with your data sha384Digest.update(input); // Only call digest once all data has been fed into the update sha384digest instance byte[] output = sha384Digest.digest(); // output base64 encoded version of the hash System.out.println("hash: " + Base64.getEncoder().encodeToString(output)); ``` severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A6:2017-Security Misconfiguration - A04:2021-Insecure Design technology: - java security-severity: Medium primary_identifier: find_sec_bugs.CUSTOM_MESSAGE_DIGEST-1 secondary_identifiers: - name: Find Security Bugs-CUSTOM_MESSAGE_DIGEST type: find_sec_bugs_type value: CUSTOM_MESSAGE_DIGEST license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.CUSTOM_MESSAGE_DIGEST-1 shortlink: https://sg.run/vpAR semgrep.dev: rule: r_id: 21177 rv_id: 920167 rule_id: r6Ujx4 version_id: 6xTyXJd url: https://semgrep.dev/playground/r/6xTyXJd/gitlab.find_sec_bugs.CUSTOM_MESSAGE_DIGEST-1 origin: community - id: gitlab.find_sec_bugs.DEFAULT_HTTP_CLIENT-1 languages: - java patterns: - pattern: new org.apache.http.impl.client.DefaultHttpClient(); message: | The `org.apache.http.impl.client.DefaultHttpClient` does not verify the hostnames upon connection. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Do not use the `org.apache.http.impl.client.DefaultHttpClient();` as it is deprecated. Instead use the new `java.net.http.HttpClient` that was introduced in Java 9. Example connecting to a host that will automatically do TLS validation: ``` // Create a new java.net.http.HttpClient HttpClient httpClient = HttpClient.newHttpClient(); // Create a HttpRequest builder HttpRequest request = HttpRequest.newBuilder() // Create a URI for a website which requires TLS .uri(URI.create("https://www.example.com/")) // Build the request .build(); // Use the httpClient to send the request and use an HttpResponse.BodyHandlers String type HttpResponse response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()); // Debug print System.out.println(response); ``` metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: find_sec_bugs.DEFAULT_HTTP_CLIENT-1 secondary_identifiers: - name: Find Security Bugs-DEFAULT_HTTP_CLIENT type: find_sec_bugs_type value: DEFAULT_HTTP_CLIENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.DEFAULT_HTTP_CLIENT-1 shortlink: https://sg.run/dPw5 semgrep.dev: rule: r_id: 21178 rv_id: 920173 rule_id: bwULG5 version_id: jQTwjyg url: https://semgrep.dev/playground/r/jQTwjyg/gitlab.find_sec_bugs.DEFAULT_HTTP_CLIENT-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.DES_USAGE-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-regex: metavariable: $ALG regex: ^DES(/|$) message: | DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our ivKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV Key byte[] ivKey = new byte[12]; random.nextBytes(ivKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: WARNING metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.DES_USAGE-1 secondary_identifiers: - name: Find Security Bugs-DES_USAGE type: find_sec_bugs_type value: DES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.DES_USAGE-1 shortlink: https://sg.run/kDnz semgrep.dev: rule: r_id: 21172 rv_id: 920162 rule_id: X5UAPg version_id: 0bTp3lb url: https://semgrep.dev/playground/r/0bTp3lb/gitlab.find_sec_bugs.DES_USAGE-1 origin: community - id: gitlab.find_sec_bugs.ECB_MODE-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-comparison: metavariable: $ALG comparison: | $ALG in ( "AES/ECB/NoPadding" "AES/ECB/PKCS5Padding" "DES/ECB/NoPadding" "DES/ECB/PKCS5Padding" "DESede/ECB/NoPadding" "DESede/ECB/PKCS5Padding" "AES/ECB/PKCS7Padding" ) message: | Cryptographic algorithms provide many different modes of operation, only some of which provide message integrity. Without message integrity it could be possible for an adversary to attempt to tamper with the ciphertext which could lead to compromising the encryption key. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Instead of using an algorithm that requires configuring a cipher mode, an algorithm that has built-in message integrity should be used. Consider using `ChaCha20Poly1305` or `AES-256-GCM` instead. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our ivKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV Key byte[] ivKey = new byte[12]; random.nextBytes(ivKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: ERROR metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.ECB_MODE-1 secondary_identifiers: - name: Find Security Bugs-ECB_MODE type: find_sec_bugs_type value: ECB_MODE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.ECB_MODE-1 shortlink: https://sg.run/xPDP semgrep.dev: rule: r_id: 21174 rv_id: 920164 rule_id: 10U4j4 version_id: qkTpwx7 url: https://semgrep.dev/playground/r/qkTpwx7/gitlab.find_sec_bugs.ECB_MODE-1 origin: community - id: gitlab.find_sec_bugs.EL_INJECTION-1 languages: - java message: "This rule identifies potential Expression Language (EL) injection vulnerabilities within Java applications. \nThe rule targets use of `createValueExpression`, `createMethodExpression`, `ELProcessor.eval`, `getValue`, \nand `setValue` methods, particularly when input to these methods is not a hardcoded string, indicating dynamic \nevaluation of potentially untrusted input. \n\n`createValueExpression` creates a `ValueExpression` object which gets evaluated upon calling methods like \n`getValue()` and `setValue()` or a Lambda `invoke()` i.e. it evaluates the expression passed to the \n`createValueExpression` method.\n\nSimilarly, `createMethodExpression` creates a `MethodExpression` object which gets evaluated upon calling \nmethods like `invoke()` and `getMethodInfo()`.\n`ELProcessor.eval`, `getValue()`, and `setValue()` methods all evaluate their expressions which are passed \nas parameters.\n\nCalling these method directly with user-supplied input may allow an adversary to execute arbitrary Java \ncode, including OS system commands. Never call these methods directly with user-supplied input. Consider \nalternate methods such as a lookup table to take user input and resolve hardcoded values.\n\nSecure example:\n\n```\nimport javax.el.ELProcessor;\nimport java.util.Set;\n\npublic class SafeELHandling {\n private static final Set ALLOWED_VALUES = Set.of(\"value1\", \"value2\", \"value3\");\n\n public void processInput(String userInput) {\n // Validate user input against the allowlist\n if (!ALLOWED_VALUES.contains(userInput)) {\n throw new IllegalArgumentException(\"Invalid input\");\n }\n \n ELProcessor elProcessor = new ELProcessor();\n \ elProcessor.defineBean(\"userInput\", userInput);\n \n // Example EL expression using the safe, predefined input\n String result = (String) elProcessor.eval(userInput);\n }\n}\n```\n" metadata: category: security cwe: CWE-917 shortDescription: Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Info primary_identifier: find_sec_bugs.EL_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.EL_INJECTION-1 shortlink: https://sg.run/4k1E semgrep.dev: rule: r_id: 21200 rv_id: 920182 rule_id: GdUo2e version_id: xyTdrpd url: https://semgrep.dev/playground/r/xyTdrpd/gitlab.find_sec_bugs.EL_INJECTION-1 origin: community pattern-either: - patterns: - pattern: | (ExpressionFactory $EXP).createValueExpression((ELContext $CTX), $EXPR, ...) - pattern-not: | (ExpressionFactory $EXP).createValueExpression((ELContext $CTX), "...", ...) - patterns: - pattern: | (ExpressionFactory $EXP).createMethodExpression((ELContext $CTX), $EXPR, ...) - pattern-not: | (ExpressionFactory $EXP).createMethodExpression((ELContext $CTX), "...", ...) - patterns: - pattern: | ($X.el.ELProcessor $P).eval(...) - pattern-not: | ($X.el.ELProcessor $P).eval("...", ...) - patterns: - pattern: | ($X.el.ELProcessor $P).getValue(...) - pattern-not: | ($X.el.ELProcessor $P).getValue("...", ...) - patterns: - pattern: | ($X.el.ELProcessor $P).setValue(...) - pattern-not: "($X.el.ELProcessor $P).setValue(\"...\", \"...\") \n" severity: WARNING - id: gitlab.find_sec_bugs.FILE_UPLOAD_FILENAME-1 languages: - java message: | The filename provided by the FileUpload API can be tampered with which could lead to unauthorized access or file inclusion vulnerabilities. To mitigate this risk, it is essential to conduct rigorous validation of the filenames provided by clients. This validation should ensure that the filename adheres to a predefined structure, is devoid of potentially dangerous characters (such as forward slashes / and backslashes \), and corresponds to an authorized file only. For example, as a remediation strategy, the application could: 1. Sanitize Filenames: Create a function to sanitize filenames by removing or replacing unauthorized characters, including path traversal sequences (../ or ..\). 2. Allowlist Validation: Implement a allowlist approach, allowing only filenames that match a specific pattern or are part of a predefined list. 3. Use Server-Generated Filenames: Rather than relying on client-provided filenames, generate unique names server-side for storing files. 4. Verify File Paths: Ensure files are being saved in the correct, intended directory, and prevent redirection to unauthorized directories. Example remediation: ``` public class FileUploadHandler { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Part filePart = request.getPart("file"); String fileName = filePart.getSubmittedFileName(); // removes any path information from the filename String sanitizedFileName = sanitizeFileName(fileName); if (!isFileNameAllowed(sanitizedFileName)) { throw new SecurityException("Invalid file name"); } // Generate a unique file name for storage String storedFileName = UUID.randomUUID().toString() + ".txt"; Path targetPath = Paths.get("uploads").resolve(storedFileName); Files.copy(fileContent, targetPath, StandardCopyOption.REPLACE_EXISTING); } private String sanitizeFileName(String fileName) { return Paths.get(fileName).getFileName().toString(); } private boolean isFileNameAllowed(String fileName) { return fileName.matches("[a-zA-Z0-9._-]+"); } } ``` pattern-either: - patterns: - pattern-inside: | $FILES = (ServletFileUpload $SFU).parseRequest(($X.servlet.http.HttpServletRequest $REQ)); ... for(FileItem $ITEM : $FILES) { ... } - pattern: $ITEM.getName() - pattern: ($X.servlet.http.Part $PART).getSubmittedFileName() metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Info category: security technology: - java primary_identifier: find_sec_bugs.FILE_UPLOAD_FILENAME-1 secondary_identifiers: - name: Find Security Bugs-FILE_UPLOAD_FILENAME type: find_sec_bugs_type value: FILE_UPLOAD_FILENAME license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.FILE_UPLOAD_FILENAME-1 shortlink: https://sg.run/5Z9l semgrep.dev: rule: r_id: 21191 rv_id: 920179 rule_id: L1Uz0W version_id: NdTeRoN url: https://semgrep.dev/playground/r/NdTeRoN/gitlab.find_sec_bugs.FILE_UPLOAD_FILENAME-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION-1 languages: - java patterns: - pattern: new com.hazelcast.config.SymmetricEncryptionConfig() message: | The network communications for Hazelcast is configured to use a deprecated symmetric cipher. Consider using TLS/SSL when establishing communications across the Hazelcast cluster. For more information on configuring TLS/SSL for Hazelcast see: https://docs.hazelcast.com/imdg/4.2/security/tls-ssl severity: WARNING metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION-1 secondary_identifiers: - name: Find Security Bugs-HAZELCAST_SYMMETRIC_ENCRYPTION type: find_sec_bugs_type value: HAZELCAST_SYMMETRIC_ENCRYPTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION-1 shortlink: https://sg.run/ZP2L semgrep.dev: rule: r_id: 21179 rv_id: 920168 rule_id: NbUe1Z version_id: o5TK1l7 url: https://semgrep.dev/playground/r/o5TK1l7/gitlab.find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION-1 origin: community - id: gitlab.find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 languages: - java mode: taint pattern-sanitizers: - patterns: - pattern-inside: | $STR.replaceAll("$INPUT", "..."); ... - pattern: $STR - metavariable-regex: metavariable: $INPUT regex: .*\[(?=.*\\r)(?=.*\\n).*\]\+ - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...); pattern-sinks: - pattern: ($X.servlet.http.HttpServletResponse $RES).setHeader("$KEY", ...); - pattern: ($X.servlet.http.HttpServletResponse $RES).addHeader("$KEY", ...); - pattern: ($X.servlet.http.HttpServletResponseWrapper $WRP).setHeader("$KEY", ...); - pattern: ($X.servlet.http.HttpServletResponseWrapper $WRP).addHeader("$KEY", ...); pattern-sources: - pattern: ($X.servlet.http.HttpServletRequest $REQ).getParameter(...); - pattern: ($X.servlet.http.HttpServletRequest $REQ).getParameterNames(); - pattern: ($X.servlet.http.HttpServletRequest $REQ).getParameterValues(...); - pattern: ($X.servlet.http.HttpServletRequest $REQ).getParameterMap(); - pattern: ($X.servlet.http.HttpServletRequest $REQ).getHeader(...); - pattern: ($X.servlet.http.HttpServletRequest $REQ).getPathInfo(); message: | HTTP Response Splitting is a vulnerability where Carriage Return (CR `\r`) and Line Feed (LF `\n`) characters are introduced into an HTTP header from user-supplied input. By injecting the `\r\n` character sequence, an adversary could potentially modify how the response is interpreted by the client or any down stream caching services. This could allow an adversary to poison the cache data or execute Cross-Site Scripting (XSS) attacks. Some Java application servers such as [Apache Tomcat](https://tomcat.apache.org/) will automatically encode characters from being set in response headers as a space `0x20` character. If your application server does not automatically provide this functionality, user-supplied input that is used in header keys or values must be validated. Example of validating headers to only allow valid characters: ``` // throws an IllegalArgumentException if the provided value contains invalid characters public void validateHeader(String value) throws IllegalArgumentException { char[] chars = value.toCharArray(); // iterate over every character for (int i = 0; i < chars.length; i++) { char c = chars[i]; // check for any characters below 0x21 as well as: '"' ',' ';' '\' and 0x7f. if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) { throw new IllegalArgumentException("Invalid character in cookie detected: {0}".format(Integer.toString(c))); } } } ``` Alternatively, you could use a string escape package such as [Apache Commons Text](https://commons.apache.org/proper/commons-text/) to escape the input: ``` public String escapeValue(String value) { return StringEscapeUtils.escapeJava(value); } ``` For more information on response splitting attacks see OWASP: https://owasp.org/www-community/attacks/HTTP_Response_Splitting severity: ERROR metadata: shortDescription: Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') category: security cwe: CWE-113 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: High primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 secondary_identifiers: - name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_HTTP_HEADER type: find_sec_bugs_type value: HRS_REQUEST_PARAMETER_TO_HTTP_HEADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 shortlink: https://sg.run/93NR semgrep.dev: rule: r_id: 21167 rv_id: 920159 rule_id: 6JUye5 version_id: BjTKLrR url: https://semgrep.dev/playground/r/BjTKLrR/gitlab.find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 origin: community - id: gitlab.find_sec_bugs.HTTP_PARAMETER_POLLUTION-1 languages: - java mode: taint pattern-sources: - pattern: (HttpServletRequest $REQ).getParameter(...) pattern-sanitizers: - pattern: java.net.URLEncoder.encode(...) - pattern: com.google.common.net.UrlEscapers.urlPathSegmentEscaper().escape(...) pattern-sinks: - pattern: new org.apache.http.client.methods.HttpGet(...) - pattern: new org.apache.commons.httpclient.methods.GetMethod(...) - pattern: (org.apache.commons.httpclient.methods.GetMethod $GM).setQueryString(...) message: | The application was found including unvalidated user input into a URL, which could lead to HTTP Parameter Pollution (HPP) or worse, Server Side Request Forgery (SSRF). This could allow an adversary to override the value of a URL or a request parameter. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, an adversary may modify the logic of these requests to other applications. To remediate this issue, never allow user input directly into creation of a URL or URL parameter. Consider using a map to look up user-supplied information and return exact values to be used in the generation of requests. Example using a map to look up a key to be used in a HTTP request: ``` HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "value1"); lookupTable.put("key2", "value2"); String userInput = request.getParameter("key"); // Create a CloseableHttpClient, ideally any requests issued should be done // out-of-band from the servlet request itself (such as using a separate thread/scheduler system) try (final CloseableHttpClient httpClient = HttpClients.createDefault()) { // Lookup the value from our user input from our lookupTable String value = lookupTable.getOrDefault(userInput, "value1"); // Construct the url, with the hardcoded url and only pass in the value from the lookupTable, // not direct user input final HttpGet httpget = new HttpGet("https://example.com/getId?key="+value); // Execute the request CloseableHttpResponse clientResponse = httpClient.execute(httpget); // Read the response byte[] responseData = clientResponse.getEntity().getContent().readAllBytes(); // Handle the response // ... } ``` If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs: ``` // Get user input String userInput = request.getParameter("key"); // Encode the string using java.net.URLEncoder with the UTF-8 character set String encodedString = java.net.URLEncoder.encode(userInput, StandardCharsets.UTF_8); // Create a CloseableHttpClient, ideally any requests issued should be done // out-of-band from the servlet request itself (such as using a separate thread/scheduler system) try (final CloseableHttpClient httpClient = HttpClients.createDefault()) { // Construct the url, with the hardcoded url and only pass in the encoded value, never a full URL final HttpGet httpget = new HttpGet("https://example.com/getId?key="+encodedString); // Execute the request CloseableHttpResponse clientResponse = httpClient.execute(httpget); // Read the response byte[] responseData = clientResponse.getEntity().getContent().readAllBytes(); // handle the response } ``` For more information on SSRF see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html For more information on HTTP Parameter Pollution see: https://en.wikipedia.org/wiki/HTTP_parameter_pollution severity: ERROR metadata: shortDescription: Improper neutralization of argument delimiters in a command ('Argument Injection') category: security cwe: CWE-88 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Medium primary_identifier: find_sec_bugs.HTTP_PARAMETER_POLLUTION-1 secondary_identifiers: - name: Find Security Bugs-HTTP_PARAMETER_POLLUTION type: find_sec_bugs_type value: HTTP_PARAMETER_POLLUTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HTTP_PARAMETER_POLLUTION-1 shortlink: https://sg.run/Jw5Q semgrep.dev: rule: r_id: 21202 rv_id: 920185 rule_id: AbUNR4 version_id: vdTvQ88 url: https://semgrep.dev/playground/r/vdTvQ88/gitlab.find_sec_bugs.HTTP_PARAMETER_POLLUTION-1 origin: community - id: gitlab.find_sec_bugs.INSECURE_COOKIE-1 languages: - java patterns: - pattern: | $X.servlet.http.Cookie $C = new $X.servlet.http.Cookie(..., ...); ... ($X.servlet.http.HttpServletResponse $RESP).addCookie($C); - pattern-not-inside: | $X.servlet.http.Cookie $C = new $X.servlet.http.Cookie(..., ...); ... $C.setSecure(true); ... ($X.servlet.http.HttpServletResponse $RESP).addCookie($C); message: | The `Secure` attribute when set to `true` protects the cookie value from being being transmitted over clear text communication paths such as HTTP. By enabling this protection, the cookie will only be sent over HTTPS. Example of protecting a `Cookie`: ``` // Create an Secure cookie. Cookie someCookie = new Cookie("SomeCookieName", "SomeValue"); // Set Secure flag to true someCookie.setSecure(true); ``` For more information see: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie#setSecure-boolean- Session cookies should be configured with the following security directives: - [HTTPOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) - [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) - [Secure](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) severity: WARNING metadata: shortDescription: Sensitive cookie in HTTPS session without 'Secure' attribute category: security cwe: CWE-614 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration technology: - java security-severity: Low primary_identifier: find_sec_bugs.INSECURE_COOKIE-1 secondary_identifiers: - name: Find Security Bugs-INSECURE_COOKIE type: find_sec_bugs_type value: INSECURE_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.INSECURE_COOKIE-1 shortlink: https://sg.run/pNER semgrep.dev: rule: r_id: 21162 rv_id: 920157 rule_id: 0oUp4O version_id: RGT2xk7 url: https://semgrep.dev/playground/r/RGT2xk7/gitlab.find_sec_bugs.INSECURE_COOKIE-1 origin: community - id: gitlab.find_sec_bugs.LDAP_INJECTION-1 languages: - java mode: taint pattern-sinks: - pattern: javax.naming.ldap.LdapName(...) - pattern: (javax.naming.directory.Context $C).lookup(...) - pattern: (javax.naming.Context $C).lookup(...) - patterns: - pattern-inside: (com.unboundid.ldap.sdk.LDAPConnection $C).search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-either: - pattern: $CTX.lookup(...) - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - metavariable-pattern: metavariable: $CTX pattern-either: - pattern: (DirContext $C) - pattern: (InitialDirContext $IDC) - pattern: (LdapContext $LC) - pattern: (EventDirContext $EDC) - pattern: (LdapCtx $LC) - pattern: (javax.naming.directory.DirContext $C) - pattern: (javax.naming.directory.InitialDirContext $IDC) - pattern: (javax.naming.ldap.LdapContext $LC) - pattern: (javax.naming.event.EventDirContext $EDC) - pattern: (com.sun.jndi.ldap.LdapCtx $LC) - patterns: - pattern-either: - patterns: - pattern-inside: $CTX.list($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.lookup($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - metavariable-pattern: metavariable: $CTX pattern-either: - pattern: (LdapTemplate $LT) - pattern: (LdapOperations $LO) - pattern: (org.springframework.ldap.core.LdapTemplate $LT) - pattern: (org.springframework.ldap.core.LdapOperations $LO) pattern-sources: - patterns: - pattern-inside: | $FUNC(..., $VAR, ...) { ... } - pattern: $VAR - patterns: - pattern-inside: | $FUNC(..., $X, ...) { ... $VAR = ... + $X; ... } - pattern: $VAR message: "LDAP injection attacks exploit LDAP queries to influence how data is returned by\nthe LDAP server.\n\nLater versions of Java's `InitialDirContext.search` introduced a four argument method, one of\nwhich is the `filterArg` parameter. The `filterArg` will be automatically encoded when\nquerying\nthe LDAP server. If this method signature is not available, the application must encode the\nLDAP strings manually.\n\nMore details on the four argument `search` method can be found here:\nhttps://docs.oracle.com/en/java/javase/20/docs/api/java.naming/javax/naming/directory/InitialDirContext.html#search(javax.naming.Name,java.lang.String,java.lang.Object[],javax.naming.directory.SearchControls)\n\nTo encode the string manually, it is recommended that all input passed to LDAP querying\nsystems\nencode the following values:\n\n- Any occurrence of the null character must be escaped as \u201C\\00\u201D.\n- Any occurrence of the open parenthesis character must be escaped as \u201C\\28\u201D.\n- Any occurrence of the close parenthesis character must be escaped as \u201C\\29\u201D.\n- Any occurrence of the asterisk character must be escaped as \u201C\\2a\u201D.\n- Any occurrence of the backslash character must be escaped as \u201C\\5c\u201D.\n\nExample function that safely encodes user-supplied input to be used in an LDAP query.\n```\npublic static String encodeLDAPString(String input) {\n // Note the \\ character is replaced first\n CharSequence[] chars = new CharSequence[] { \"\\\\\", \"\\0\", \"(\", \")\", \"*\" };\n CharSequence[] encoded = new CharSequence[] { \"\\\\5c\", \"\\\\00\", \"\\\\28\", \"\\\\29\", \"\\\\2a\" };\n // Iterate over each character sequence, replacing the raw value with an encoded version of\nit\n for (int i = 0; i < chars.length; i++)\n {\n \ // re-assign to input\n input = input.replace(chars[i], encoded[i]);\n \ }\n // return our modified input string\n return input;\n}\n```\n\nExample code that using the `filterArgs` parameter which automatically encodes for us:\n```\n// Create a properties to hold the ldap connection details\nProperties props = new Properties();\n// Use the com.sun.jndi.ldap.LdapCtxFactory factory provider\nprops.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\n// The LDAP server URL\nprops.put(Context.PROVIDER_URL, \"ldap://ldap.example.org:3889\");\n// User details for the connection\nprops.put(Context.SECURITY_PRINCIPAL, \"cn=admin,dc=example,dc=org\");\n// LDAP account password\nString ldapAccountPassword = getAccountPasswordFromSecureStoreOrKMS();\n// Pass in the LDAP password\nprops.put(Context.SECURITY_CREDENTIALS, ldapAccountPassword);\n\n// Create the LDAPContext\nInitialDirContext ldapContext = new InitialDirContext(props);\n// Example using SUBTREE_SCOPE SearchControls\nSearchControls searchControls = new SearchControls();\nsearchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);\n\n// Get user input for query\nString userQuery = someUserInput;\n// Use searchArguments to hold the user-supplied input\nObject[] searchArguments = new Object[]{userQuery};\n// Hardcode the BaseDN, use the {0} format specifier to use the searchArguments array value,\nand pass in the search controls.\n// searchArguments automatically encode\nNamingEnumeration answer = ldapContext.search(\"dc=example,dc=org\", \"(cn={0})\",\nsearchArguments, searchControls);\n// Process the response answer\nwhile (answer.hasMoreElements()) {\n ...\n}\n```\n\nFor more information on LDAP Injection see OWASP:\nhttps://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html\n" severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an LDAP query ('LDAP Injection') category: security cwe: CWE-90 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Medium primary_identifier: find_sec_bugs.LDAP_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-LDAP_INJECTION type: find_sec_bugs_type value: LDAP_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.LDAP_INJECTION-1 shortlink: https://sg.run/5Z93 semgrep.dev: rule: r_id: 21203 rv_id: 920186 rule_id: BYUKEw version_id: d6T6gvy url: https://semgrep.dev/playground/r/d6T6gvy/gitlab.find_sec_bugs.LDAP_INJECTION-1 origin: community - id: gitlab.find_sec_bugs.NULL_CIPHER-1 languages: - java pattern: new javax.crypto.NullCipher() message: | The application was found creating a `NullCipher` instance. `NullCipher` implements the `Cipher` interface by returning ciphertext identical to the supplied plaintext. This means any data passed to the `doFinal(...)` or `update(...)` methods will not actually encrypt the input. Remove the NullCipher reference and replace with a legitimate `Cipher` instance such as `ChaCha20-Poly1305` Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our ivKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV Key byte[] ivKey = new byte[12]; random.nextBytes(ivKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.NULL_CIPHER-1 secondary_identifiers: - name: Find Security Bugs-NULL_CIPHER type: find_sec_bugs_type value: NULL_CIPHER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.NULL_CIPHER-1 shortlink: https://sg.run/EzLo semgrep.dev: rule: r_id: 21181 rv_id: 920170 rule_id: wdUk3N version_id: pZTbDyl url: https://semgrep.dev/playground/r/pZTbDyl/gitlab.find_sec_bugs.NULL_CIPHER-1 origin: community - id: gitlab.find_sec_bugs.OGNL_INJECTION-1 languages: - java mode: taint pattern-sources: - patterns: - pattern-inside: | $FUNC(..., $VAR, ...) { ... } - metavariable-pattern: metavariable: $VAR pattern-either: - pattern: (String $S) - pattern: (Map $M) - pattern: (Map $M) - pattern: (Map $M) - pattern: $VAR pattern-sinks: - patterns: - pattern-inside: com.opensymphony.xwork2.util.TextParseUtil.translateVariables($VAL, ...) - pattern: $VAL - patterns: - pattern-inside: com.opensymphony.xwork2.util.TextParseUtil.translateVariablesCollection($VAL, ...) - pattern: $VAL - pattern: com.opensymphony.xwork2.util.TextParseUtil.shallBeIncluded(...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.commaDelimitedStringToSet(...) - patterns: - pattern-inside: (com.opensymphony.xwork2.util.TextParser $P).evaluate($VAR, $VAL, ...) - pattern: $VAL - patterns: - pattern-inside: (com.opensymphony.xwork2.util.OgnlTextParser $P).evaluate($VAR, $VAL, ...) - pattern: $VAL - pattern: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).getGetMethod($CLZ, ...) - pattern: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).getSetMethod($CLZ, ...) - pattern: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).getField($CLZ, ...) - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).setProperties($MAP, ...) - pattern: $MAP - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).setProperty($VAL, ...) - pattern: $VAL - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).getValue($VAL, ...) - pattern: $VAL - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlReflectionProvider $P).setValue($VAL, ...) - pattern: $VAL - pattern: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).getGetMethod($CLZ, ...) - pattern: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).getSetMethod($CLZ, ...) - pattern: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).getField($CLZ, ...) - patterns: - pattern-inside: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).setProperties($MAP, ...) - pattern: $MAP - patterns: - pattern-inside: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).setProperty($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).getValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.util.reflection.ReflectionProvider $P).setValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).setProperties($MAP, ...) - pattern: $MAP - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).setProperty($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).getValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).setValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).callMethod($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.ognl.OgnlUtil $P).compile($VAR, ...) - pattern: $VAR - pattern: (org.apache.struts2.util.VelocityStrutsUtil $P).evaluate(...) - pattern: org.apache.struts2.util.StrutsUtil.findString(...) - pattern: org.apache.struts2.util.StrutsUtil.findValue(..., $VAL) - pattern: org.apache.struts2.util.StrutsUtil.getText(...) - pattern: org.apache.struts2.util.StrutsUtil.translateVariables(...) - patterns: - pattern-inside: org.apache.struts2.util.StrutsUtil.makeSelectList($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (org.apache.struts2.views.jsp.ui.OgnlTool $T).findValue($VAR, ...) - pattern: $VAR - pattern: (com.opensymphony.xwork2.util.ValueStack $V).findString(...) - patterns: - pattern-inside: (com.opensymphony.xwork2.util.ValueStack $V).findValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.util.ValueStack $V).setValue($VAR, ...) - pattern: $VAR - patterns: - pattern-inside: (com.opensymphony.xwork2.util.ValueStack $V).setParameter($VAR, ...) - pattern: $VAR message: | The Object Graph Navigation Language (OGNL) is an expression language that allows access to Java objects and properties stored in an ActionContext. Usage of these low-level functions is discouraged because they can effectively execute strings as code, leading to remote code execution vulnerabilities. Consider using struts tags when processing user-supplied input and templates. Much like the Struts security guide recommending to not use raw `${}` EL expressions, do not call or use the following OGNL packages with user-supplied input: - `com.opensymphony.xwork2.ognl` - `com.opensymphony.xwork2.util` - `com.opensymphony.xwork2.util.reflection` - `org.apache.struts2.util.StrutsUtil` For more information on Struts2 security see: https://struts.apache.org/security/#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation severity: WARNING metadata: shortDescription: Expression injection (OGNL) category: security cwe: CWE-917 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: High primary_identifier: find_sec_bugs.OGNL_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-OGNL_INJECTION type: find_sec_bugs_type value: OGNL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.OGNL_INJECTION-1 shortlink: https://sg.run/Gb4n semgrep.dev: rule: r_id: 21204 rv_id: 920187 rule_id: DbU2QO version_id: ZRTedp2 url: https://semgrep.dev/playground/r/ZRTedp2/gitlab.find_sec_bugs.OGNL_INJECTION-1 origin: community - id: gitlab.find_sec_bugs.PADDING_ORACLE-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-comparison: metavariable: $ALG comparison: | $ALG in ( "AES/CBC/PKCS5Padding" "DES/CBC/PKCS5Padding" "DESede/CBC/PKCS5Padding" "AES/CBC/PKCS7Padding" ) message: | Cryptographic block ciphers can be configured to pad individual blocks if there is not enough input data to match the size of the block. This specific mode of CBC used in combination with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. Consider switching to a more secure cipher that doesn't require padding and builds in message authentication integrity directly into the algorithm. Consider using `ChaCha20Poly1305` or `AES-256-GCM` instead. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] ivKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our ivKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(ivKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV Key byte[] ivKey = new byte[12]; random.nextBytes(ivKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, ivKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, ivKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on padding oracle attacks see: https://en.wikipedia.org/wiki/Padding_oracle_attack For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: ERROR metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.PADDING_ORACLE-1 secondary_identifiers: - name: Find Security Bugs-PADDING_ORACLE type: find_sec_bugs_type value: PADDING_ORACLE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PADDING_ORACLE-1 shortlink: https://sg.run/eJ3E semgrep.dev: rule: r_id: 21176 rv_id: 920166 rule_id: yyUDX2 version_id: YDTYb2y url: https://semgrep.dev/playground/r/YDTYb2y/gitlab.find_sec_bugs.PADDING_ORACLE-1 origin: community - id: gitlab.find_sec_bugs.PERMISSIVE_CORS-2 languages: - java mode: taint pattern-sources: - pattern: (HttpServletRequest $REQ).getParameter(...) - pattern: (HttpServletRequest $REQ).getHeader(...) - pattern: (HttpServletRequest $REQ).getPathInfo() - pattern: (HttpServletRequest $REQ).getQueryString() - pattern: (HttpServletRequest $REQ).getAttribute(...) - pattern: (HttpServletRequest $REQ).getSession().getAttribute(...) - pattern: (HttpServletRequest $REQ).getServletContext().getAttribute(...) - pattern: (HttpServletRequest $REQ).getParameterValues(...) - pattern: (HttpServletRequest $REQ).getParameterNames() - pattern: (HttpServletRequest $REQ).getParameterMap() pattern-sinks: - patterns: - pattern-either: - pattern: (HttpServletResponse $RES).setHeader("$HEADER", ...) - pattern: (HttpServletResponse $RES).addHeader("$HEADER", ...) - metavariable-regex: metavariable: $HEADER regex: (?i)(Access-Control-Allow-Origin) message: | This application potentially allows user-supplied input into the value of the `Access-Control-Allow-Origin` response header. This header is part of the [Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) CORS specification. By allowing user input to specify which domains can communicate with this server, an adversary could exploit a weakness in this server to force clients to send credentials (such as session identifiers) to the adversary's server. For the above attack to work, the application would need to suffer from an additional vulnerability, such as Cross-Site Scripting (XSS). To remediate this issue, do not use user-supplied information when calling `HttpServletResponse.setHeader` or `HttpServletResponse.addHeader` for the `Access-Control-Allow-Origin` header's value. Instead, hardcode the allowed domain(s) and reference them in a lookup table: Example allowing dynamic but safe domains in `Access-Control-Allow-Origin`: ``` // this data should be in the class constructor or taken from a trusted datasource Map allowedDomains = new HashMap(); allowedDomains.put("sub1", "sub1.example.com"); allowedDomains.put("sub2", "sub2.example.com"); // extract the allowedDomain parameters value as a key to look up which domain to provide via the allowedDomains map // if not found, sets sub1 as the default String headerValue = allowedDomains.getOrDefault(request.getParameter("allowedDomain"), allowedDomains.get("sub1")); // add the header with our trusted sub1.example.com or sub2.example.com domains. response.addHeader("Access-Control-Allow-Origin", headerValue); } ``` For more information on `Access-Control-Allow-Origin` see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin severity: ERROR metadata: shortDescription: Permissive cross-domain policy with untrusted domains cwe: CWE-942 category: security owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Low primary_identifier: find_sec_bugs.PERMISSIVE_CORS-2 secondary_identifiers: - name: Find Security Bugs-PERMISSIVE_CORS type: find_sec_bugs_type value: PERMISSIVE_CORS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PERMISSIVE_CORS-2 shortlink: https://sg.run/bWNr semgrep.dev: rule: r_id: 21170 rv_id: 920160 rule_id: pKUbrw version_id: DkT2ynA url: https://semgrep.dev/playground/r/DkT2ynA/gitlab.find_sec_bugs.PERMISSIVE_CORS-2 origin: community - id: gitlab.find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1 languages: - java mode: taint pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $R).$METHOD(...) - pattern: (java.util.Scanner $S).$METHOD(...) - pattern: (java.util.stream.Stream).$METHOD(...) - pattern: (java.util.StringJoiner $SJ).toString(...) - pattern: (java.sql.ResultSet.getString $R).$METHOD(...) - pattern: (java.lang.System $S).getProperty(...) - pattern: (java.lang.System $S).getenv(...) - pattern: (java.lang.StringBuilder $SB).toString(...) - pattern: (java.io.FileInputStream $F).read(...) - pattern: (java.io.FileReader $F).read(...) - pattern: (java.net.Socket $S).getInputStream(...) - pattern: (java.net.Socket $S).getOutputStream(...) - pattern: (java.net.DatagramSocket $S).receive(...) - pattern: (java.net.DatagramSocket $S).getInputStream(...) - pattern: java.nio.file.Files.readAllBytes(...) - pattern: java.nio.file.Files.readAllLines(...) - pattern: java.nio.file.Files.lines(...) - pattern: java.nio.file.Files.newBufferedReader(...) - pattern: org.apache.commons.io.IOUtils.toString(...) - pattern: org.apache.commons.io.IOUtils.readLines(...) - pattern: org.apache.commons.io.IOUtils.toByteArray(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).readValue(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).treeToValue(...) - pattern: $CLASS.$METHOD(..., (javax.servlet.http.HttpServletRequest $R), ...) - pattern: $FUNC(..., (javax.servlet.http.HttpServletRequest $R), ...) - patterns: - pattern-inside: $FUNC(..., @RequestParam String $X, ...) { ... } - focus-metavariable: $X pattern-propagators: - pattern: $LIST.add($X) from: $X to: $LIST - pattern: $MAP.put(..., $X) from: $X to: $MAP - pattern: $STR.concat($X) from: $X to: $STR - pattern: $STR = String.format(..., $X, ...) from: $X to: $STR - pattern: $STR = String.join(..., $X, ...) from: $X to: $STR pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) - pattern-either: - pattern-inside: new java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: new java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: new java.io.FileReader(...) - pattern: new javax.activation.FileDataSource(...) - pattern: new java.io.FileInputStream(...) - pattern: new java.io.FileOutputStream(...) - pattern: new java.io.File(...) - pattern: java.nio.file.Paths.get(...) - pattern: java.io.File.createTempFile(...) - pattern: java.io.File.createTempDirectory(...) - pattern: java.nio.file.Files.createTempFile(...) - pattern: java.nio.file.Files.createTempDirectory(...) - patterns: - pattern: $SRC.$METHOD(...) - metavariable-pattern: metavariable: $SRC pattern-either: - pattern: getClass() - pattern: getClass().getClassLoader() - pattern: (ClassLoader $C) - pattern: (Class $C) - pattern: $CLZ.getClassLoader() - metavariable-pattern: metavariable: $METHOD pattern-either: - pattern: getResourceAsStream - pattern: getResource - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH message: | The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values and use `Path.resolve` to resolve and validate the path information prior to processing any file functionality. Example using `Path.resolve` and not allowing direct user input: ``` // Class to store our user data along with a randomly generated file name public static class UserData { private String userFileNameUnsafe; private String fileName; public UserData(String userFileName) { this.userFileNameUnsafe = userFileName; // Generate a random ID for the filename this.fileName = UUID.randomUUID().toString(); } public String getUserFileNameUnsafe() { return userFileNameUnsafe; }; public String getFileName() { return fileName; }; } public static void main(String[] args) throws Exception { // User input, saved only as a reference UserData userData = new UserData("..\\test.txt"); // Restrict all file processing to this directory only String base = "/var/app/restricted"; Path basePath = Paths.get(base); // Resolve the full path, but only use our random generated filename Path fullPath = basePath.resolve(userData.getFileName()); // verify the path is contained within our basePath if (!fullPath.startsWith(base)) { throw new Exception("Invalid path specified!"); } // process / work with file } ``` For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium technology: - java category: security primary_identifier: find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1 secondary_identifiers: - name: Find Security Bugs-PT_ABSOLUTE_PATH_TRAVERSAL type: find_sec_bugs_type value: PT_ABSOLUTE_PATH_TRAVERSAL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1 shortlink: https://sg.run/Ben5 semgrep.dev: rule: r_id: 21207 rv_id: 920188 rule_id: KxUwlN version_id: nWTnNoQ url: https://semgrep.dev/playground/r/nWTnNoQ/gitlab.find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.RSA_KEY_SIZE-1 languages: - java patterns: - pattern-either: - patterns: - pattern-inside: | $GEN = KeyPairGenerator.getInstance($ALG, ...); ... - pattern-either: - pattern: $VAR.initialize($SIZE, ...); - pattern: new java.security.spec.RSAKeyGenParameterSpec($SIZE,...); - metavariable-comparison: comparison: $SIZE < 2048 metavariable: $SIZE - metavariable-regex: metavariable: $ALG regex: '"(RSA|DSA)"' message: | The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While 1024-bit RSA keys have not been factored yet, advances in compute may make it possible in the near future. Consider upgrading to the newer asymmetric algorithm such as `Ed25519` which handles the complexities of generating key pairs and choosing correct key sizes for you: ``` public static KeyPair generateEd25519() throws NoSuchAlgorithmException { // Choose Ed25519 for KeyPairGenerator Instance KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("Ed25519"); // Generate a KeyPair and return return keyPairGenerator.generateKeyPair(); } ``` Otherwise use a key size greater than 2048 when generating RSA keys: ``` public static KeyPair generateRSA() throws NoSuchAlgorithmException { // Choose RSA for KeyPairGenerator Instance KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); // Initialize with 2048 key size keyPairGenerator.initialize(2048); // Generate a KeyPair and return return keyPairGenerator.generateKeyPair(); } ``` For more information on Ed25519 see: http://ed25519.cr.yp.to/ For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: find_sec_bugs.RSA_KEY_SIZE-1 secondary_identifiers: - name: Find Security Bugs-RSA_KEY_SIZE type: find_sec_bugs_type value: RSA_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.RSA_KEY_SIZE-1 shortlink: https://sg.run/nwLb semgrep.dev: rule: r_id: 21180 rv_id: 920169 rule_id: kxUO7W version_id: zyTG385 url: https://semgrep.dev/playground/r/zyTG385/gitlab.find_sec_bugs.RSA_KEY_SIZE-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.RSA_NO_PADDING-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-regex: metavariable: $ALG regex: (?i)^RSA/.*NoPadding$ message: | The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP). By not enabling padding, the algorithm maybe vulnerable to [chosen plaintext attacks](https://en.wikipedia.org/wiki/Chosen-plaintext_attack). To enable OAEP mode, pass `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` to the `Cipher.getInstance` method. Example encrypting and decrypting a message using RSA with OAEP: ``` public static void encryptWithRSA() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException { // Generate an RSA Public and Private Key Pair KeyPair keyPair = generateRSAKeys(); // Create a Cipher instance using RSA, ECB with OAEP Cipher rsaEncryptor = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); // Initialize to ENCRYPT_MODE with the public key rsaEncryptor.init(Cipher.ENCRYPT_MODE, keyPair.getPublic()); // Encrypt our secret message byte[] cipherText = rsaEncryptor.doFinal("Some secret message".getBytes(StandardCharsets.UTF_8)); // Create a Cipher instance using RSA, ECB with OAEP Cipher rsaDecryptor = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); // Initialize to DECRYPT_MODE with the private key rsaDecryptor.init(Cipher.DECRYPT_MODE, keyPair.getPrivate()); // Decrypt the secret message byte[] plainText = rsaDecryptor.doFinal(cipherText); // Debug output System.out.println(new String(plainText)); } ``` More information on Optimal asymmetric encryption padding: https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html metadata: shortDescription: Use of RSA algorithm without OAEP category: security cwe: CWE-780 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: find_sec_bugs.RSA_NO_PADDING-1 secondary_identifiers: - name: Find Security Bugs-RSA_NO_PADDING type: find_sec_bugs_type value: RSA_NO_PADDING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.RSA_NO_PADDING-1 shortlink: https://sg.run/7Qr4 semgrep.dev: rule: r_id: 21182 rv_id: 920171 rule_id: x8Ud4w version_id: 2KTdOrW url: https://semgrep.dev/playground/r/2KTdOrW/gitlab.find_sec_bugs.RSA_NO_PADDING-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.SSL_CONTEXT-1 languages: - java patterns: - pattern-either: - pattern: javax.net.ssl.SSLContext.getInstance("$PROTO", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$PROTO"); ... javax.net.ssl.SSLContext.getInstance($PROP, ...); - metavariable-comparison: metavariable: $PROTO comparison: | $PROTO not in ("TLS" "TLSv1.2" "TLSv1.3" "DTLSv1.2" "DTLSv1.3") message: | Avoid initializing SSLContext with insecure protocols like `SSL`, `SSLv2`, or `SSLv3`. These protocols are outdated and do not validate certificates by default. Additionally, these older `SSL` versions have many known security issues. Instead, use secure protocols like `TLSv1.2` or `TLSv1.3`. ``` SSLContext context = SSLContext.getInstance("TLSv1.3"); ``` For more information on see OWASP: - https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.SSL_CONTEXT-1 secondary_identifiers: - name: Find Security Bugs-SSL_CONTEXT type: find_sec_bugs_type value: SSL_CONTEXT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SSL_CONTEXT-1 shortlink: https://sg.run/8k34 semgrep.dev: rule: r_id: 21184 rv_id: 920174 rule_id: eqUZxA version_id: 1QT4N7z url: https://semgrep.dev/playground/r/1QT4N7z/gitlab.find_sec_bugs.SSL_CONTEXT-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.TDES_USAGE-1 languages: - java patterns: - pattern-either: - pattern: javax.crypto.Cipher.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... javax.crypto.Cipher.getInstance($PROP, ...); - metavariable-regex: metavariable: $ALG regex: DESede(/|$) message: | DES, TripleDES and RC2 are all considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext has not been tampered with. Consider using `ChaCha20Poly1305` instead as it is easier and faster than the alternatives such as `AES-256-GCM`. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` public encrypt() throws Exception { chaChaEncryption("Secret text to encrypt".getBytes(StandardCharsets.UTF_8)); } public SecureRandom getSecureRandomDRBG() throws NoSuchAlgorithmException { // Use DRBG according to http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf return SecureRandom.getInstance("DRBG", // Security strength in bits (default is 128) DrbgParameters.instantiation(256, // Set prediction resistance and re-seeding DrbgParameters.Capability.PR_AND_RESEED, // Set the personalization string (optional, not necessary) "some_personalization_string".getBytes() ) ); } public Cipher getChaCha20Poly1305(int mode, byte[] nonceKey, byte[] secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create a ChaCha20-Poly1305 cipher instance Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding"); // Create our parameterSpec using our nonceKey AlgorithmParameterSpec parameterSpec = new IvParameterSpec(nonceKey); // Create a SecretKeySpec using our secretKey SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, "ChaCha20"); // Initialize and return the cipher for the provided mode chaChaCipher.init(mode, secretKeySpec, parameterSpec, random); return chaChaCipher; } public void chaChaEncryption(byte[] plainText) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException { // Get a DRBG random number generator instance SecureRandom random = getSecureRandomDRBG(); // Create secretKey byte[] secretKey = new byte[32]; random.nextBytes(secretKey); // Create an IV nonceKey byte[] nonceKey = new byte[12]; random.nextBytes(nonceKey); // Create a chaCha encryption cipher instance Cipher chaChaEncryptor = getChaCha20Poly1305(Cipher.ENCRYPT_MODE, nonceKey, secretKey); // Encrypt the text using ChaCha20Poly1305 byte[] cipherText = null; try { cipherText = chaChaEncryptor.doFinal(plainText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to encrypt text"); return; } System.out.println("encrypted: " + Base64.getEncoder().encodeToString(cipherText)); // Create a chaCha decryption cipher instance Cipher chaChaDecryptor = getChaCha20Poly1305(Cipher.DECRYPT_MODE, nonceKey, secretKey); // Decrypt the text byte[] decryptedText = null; try { decryptedText = chaChaDecryptor.doFinal(cipherText); } catch (IllegalBlockSizeException | BadPaddingException e) { System.out.println("failed to decrypt text"); return; } System.out.println("decrypted: " + new String(decryptedText, StandardCharsets.UTF_8)); } ``` For more information on Java Cryptography see: https://docs.oracle.com/en/java/javase/15/security/java-cryptography-architecture-jca-reference-guide.html severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: Medium primary_identifier: find_sec_bugs.TDES_USAGE-1 secondary_identifiers: - name: Find Security Bugs-TDES_USAGE type: find_sec_bugs_type value: TDES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.TDES_USAGE-1 shortlink: https://sg.run/w4BX semgrep.dev: rule: r_id: 21173 rv_id: 920163 rule_id: j2UwKr version_id: K3TwLjL url: https://semgrep.dev/playground/r/K3TwLjL/gitlab.find_sec_bugs.TDES_USAGE-1 origin: community - id: gitlab.find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 languages: - java message: "Unvalidated redirects occur when an application redirects a user to a\ndestination URL specified by a user supplied parameter that is not validated.\nSuch vulnerabilities can be used to facilitate phishing attacks.\n\nTo avoid open redirect vulnerabilities in Java, one effective strategy is to\nonly allow redirection to URLs that are pre-defined in a safe list. This safe\nlist can be implemented using a collection like a Map, List, or Dictionary,\nwhere you store all the valid URLs or URL patterns. When a redirect request is\nmade, you can check if the requested URL is in this safe list before proceeding \nwith the redirection. For example:\n\n```\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n private List safeUrls = new ArrayList<>();\n safeUrls.add(\"/home\");\n \ safeUrls.add(\"/user/profile\");\n safeUrls.add(\"/dashboard\");\n \ \n String redirectUrl = request.getParameter(\"url\");\n\n if (safeUrls.contains(redirectUrl)) {\n response.sendRedirect(redirectUrl);\n \ } else {\n response.sendRedirect(\"/errorPage\");\n }\n }\"\n``` \ \n" mode: taint pattern-sources: - patterns: - pattern: | $URL = ($X.servlet.http.HttpServletRequest $REQ).$M(...); - metavariable-regex: metavariable: $M regex: (getParameter|getCookies|getHeader|getHeaders|getHeaderNames|getPathInfo|getPathTranslated|getContextPath|getQueryString|getRemoteUser|getRequestedSessionId|getRequestURI|getRequestURL|getServletPath|getParts|getPart|getReader) pattern-sinks: - pattern-either: - pattern: | ($X.servlet.http.HttpServletResponse $RES).sendRedirect($URL) - pattern: | ($X.servlet.http.HttpServletResponse $RES).addHeader("Location", $URL) pattern-sanitizers: - patterns: - pattern-inside: | if ($SAFE.contains($URL)){ ... } - pattern-either: - pattern: | ($X.servlet.http.HttpServletResponse $RES).sendRedirect($URL) - pattern: | ($X.servlet.http.HttpServletResponse $RES).addHeader("Location", $URL) metadata: category: security cwe: CWE-601 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: URL redirection to untrusted site ('Open Redirect') security-severity: Info primary_identifier: find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 secondary_identifiers: - name: Find Security Bugs-UNVALIDATED_REDIRECT type: find_sec_bugs_type value: UNVALIDATED_REDIRECT - name: Find Security Bugs-URL_REWRITING type: find_sec_bugs_type value: URL_REWRITING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 shortlink: https://sg.run/PPWE semgrep.dev: rule: r_id: 21189 rv_id: 920177 rule_id: EwU1nP version_id: rxTjv4k url: https://semgrep.dev/playground/r/rxTjv4k/gitlab.find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.WEAK_FILENAMEUTILS-1 languages: - java message: "The filename provided by the FileUpload API can be tampered with by the client to reference\nunauthorized files. The provided filename should be properly validated to ensure it's properly\nstructured, contains no unauthorized path characters (e.g., / \\), and refers to an authorized\nfile.\n\nThe application was found to take a parameter from user input to construct a path name. If an\nunfiltered parameter is passed to this file API, files from an arbitrary filesystem location\ncould be read. When data from an unstrusted source is untrusted source is used to construct\na file path, an attacker could potentially gain access to restrcited files locations outside\nthe relevant context.\n\nFor example, if the application tries to access the users profile picture based on their user\nname by concatenating the username to the filepath:\n\n\"images/userprofiles/\" + username\n\nThe expected result of this would be \"images/userprofiles/alice\", however an attacker could\nuse a malicious input such as \"../../../etc/passwd\" to gain access to and/or manipulate\nsensitive information\n\nAssume all input is malicious. Use an \"accept known good\" input validation strategy.\n\nInputs can be sanitized by using the getName() method with concat() method to remove the \npotentially malicious path traversal and limit the scope to a restricted directory. Or \ninput can also be sanitized by using resolve() method alongwith startsWith() method to \nverify that the base path of the file is safe and expected.\n\nExample of limiting path traversal using getName:\n\n```\nprotected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n\n String input = req.getHeader(\"input\");\n\n \ input = getName(input);\n \n String safePath = concat(basePath, input);\n\n \ // Read the contents of the file\n File file = new File(safePath);\n}\n```\n" metadata: category: security cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') security-severity: Info technology: - java primary_identifier: find_sec_bugs.WEAK_FILENAMEUTILS-1 secondary_identifiers: - name: Find Security Bugs-WEAK_FILENAMEUTILS type: find_sec_bugs_type value: WEAK_FILENAMEUTILS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WEAK_FILENAMEUTILS-1 shortlink: https://sg.run/Gb41 semgrep.dev: rule: r_id: 21192 rv_id: 920180 rule_id: 8GUvb6 version_id: kbTOPL6 url: https://semgrep.dev/playground/r/kbTOPL6/gitlab.find_sec_bugs.WEAK_FILENAMEUTILS-1 origin: community mode: taint pattern-sanitizers: - pattern: | $NAME = org.apache.commons.io.FilenameUtils.getName(...); ... $SAFE = concat($BASE, $NAME); - pattern: | $RET $FUN(...){ ... $PATH = $BP.resolve(...); ... if(!$PATH.startsWith(...)) { throw new $EXC(...); } ... } pattern-sources: - pattern: (HttpServletRequest $REQ) pattern-sinks: - pattern: org.apache.commons.io.FilenameUtils.concat(...) - pattern: org.apache.commons.io.FilenameUtils.getFullPath(...) - pattern: org.apache.commons.io.FilenameUtils.getFullPathNoEndSeparator(...) - pattern: org.apache.commons.io.FilenameUtils.getPath(...) - pattern: org.apache.commons.io.FilenameUtils.getPathNoEndSeparator(...) - pattern: org.apache.commons.io.FilenameUtils.normalize(...) - pattern: org.apache.commons.io.FilenameUtils.normalizeNoEndSeparator(...) - pattern: org.apache.commons.io.FilenameUtils.normalizeNoEndSeparator(...) - pattern: org.apache.commons.io.FilenameUtils.removeExtension(...) - pattern: org.apache.commons.io.FilenameUtils.separatorsToSystem(...) - pattern: org.apache.commons.io.FilenameUtils.separatorsToUnix(...) - pattern: org.apache.commons.io.FilenameUtils.separatorsToWindows(...) severity: WARNING - id: gitlab.find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 languages: - java patterns: - pattern-either: - pattern: java.security.MessageDigest.getInstance("$ALG", ...) - pattern: java.security.Signature.getInstance("$ALG", ...) - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... java.security.MessageDigest.getInstance("$ALG", ...); - pattern: | $PROP = (java.util.Properties $P).getProperty(..., "$ALG"); ... java.security.Signature.getInstance("$ALG", ...); - metavariable-comparison: metavariable: $ALG comparison: | $ALG in ( "MD2" "MD4" "MD5" "MD5withRSA" "SHA-1" "SHA1withRSA" "SHA1withDSA" ) message: | The application was found using an insecure or risky digest or signature algorithm. Both MD5 and SHA1 hash algorithms have been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. If the application is trying to use these hash methods for storing passwords, then it is recommended to switch to a password hashing algorithm such as Argon2id or PBKDF2. strongly recommended that a standard Digest algorithm be chosen instead as implementing a digest by hand is error-prone. Example of creating a SHA-384 hash: ``` // Create a MessageDigest using the SHA-384 algorithm MessageDigest sha384Digest = MessageDigest.getInstance("SHA-384"); // Call update with your data sha384Digest.update(input); // Only call digest once all data has been fed into the update sha384digest instance byte[] output = sha384Digest.digest(); // output base64 encoded version of the hash System.out.println("hash: " + Base64.getEncoder().encodeToString(output)); ``` For more information on secure password storage see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm (SHA1/MD5) category: security cwe: CWE-327 owasp: - A6:2017-Security Misconfiguration - A04:2021-Insecure Design technology: - java security-severity: Medium primary_identifier: find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 secondary_identifiers: - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_MD5 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_MD5 - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_SHA1 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_SHA1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 shortlink: https://sg.run/L2R7 semgrep.dev: rule: r_id: 21183 rv_id: 920172 rule_id: OrUvyR version_id: X0TAK2W url: https://semgrep.dev/playground/r/X0TAK2W/gitlab.find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 origin: community - id: gitlab.flawfinder.access-1 languages: - c - cpp message: | Usage of the `access` function call hints at a potential Time Of Check Time Of Use (TOCTOU) vulnerability. Using the `access` function to check if a file exists and is readable before opening it, an attacker can create a race condition between the `access` call and opening the file. The attacker could replace the file with a different one or modify its content between the time the `access` function is called and the file is opened, thus bypassing the permission check. Call `setuid` to drop privileges on the process prior to opening any files. Instead of using `access`, use `lstat` prior to opening the file and confirm the attributes are correct. Then use `open` to get a file descriptor to this file. Call `fstat` on the `open` file descriptor to confirm that `st_dev` and `st_ino` are equal between the two. If they are, it is safe to read and operate on the file's contents. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files metadata: shortDescription: Potential time of check time of use vulnerability (access) cwe: CWE-362 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.access-1 secondary_identifiers: - name: Flawfinder - access type: flawfinder_func_name value: access license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.access-1 shortlink: https://sg.run/ZkX7 semgrep.dev: rule: r_id: 13079 rv_id: 920347 rule_id: BYU731 version_id: ExT1WeB url: https://semgrep.dev/playground/r/ExT1WeB/gitlab.flawfinder.access-1 origin: community pattern: access(...) severity: ERROR - id: gitlab.flawfinder.AddAccessAllowedAce-1 languages: - c - cpp message: | Make sure that you set inheritance by hand if you wish it to inherit. metadata: cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control shortDescription: This doesn't set the inheritance bits in the access control entry (ACE) header (CWE-732) security-severity: High category: security primary_identifier: flawfinder.AddAccessAllowedAce-1 secondary_identifiers: - name: Flawfinder - AddAccessAllowedAce type: flawfinder_func_name value: AddAccessAllowedAce license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.AddAccessAllowedAce-1 shortlink: https://sg.run/1G7b semgrep.dev: rule: r_id: 13066 rv_id: 920336 rule_id: 7KUpk7 version_id: bZTLoE2 url: https://semgrep.dev/playground/r/bZTLoE2/gitlab.flawfinder.AddAccessAllowedAce-1 origin: community pattern: AddAccessAllowedAce(...) severity: WARNING - id: gitlab.flawfinder.atoi-1.atol-1._wtoi-1._wtoi64-1 languages: - c - cpp message: | The `atoi` family of functions can potentially overflow or underflow integer values. Consider using `stroul` instead. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/ERR34-C.+Detect+errors+when+converting+a+string+to+a+number metadata: shortDescription: Possible integer overflow or underflow cwe: CWE-190 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium category: security primary_identifier: flawfinder.atoi-1.atol-1._wtoi-1._wtoi64-1 secondary_identifiers: - name: Flawfinder - atoi type: flawfinder_func_name value: atoi - name: Flawfinder - atol type: flawfinder_func_name value: atol - name: Flawfinder - _wtoi type: flawfinder_func_name value: _wtoi - name: Flawfinder - _wtoi64 type: flawfinder_func_name value: _wtoi64 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.atoi-1.atol-1._wtoi-1._wtoi64-1 shortlink: https://sg.run/jk6Z semgrep.dev: rule: r_id: 13065 rv_id: 920335 rule_id: EwUQzn version_id: rxTjvnW url: https://semgrep.dev/playground/r/rxTjvnW/gitlab.flawfinder.atoi-1.atol-1._wtoi-1._wtoi64-1 origin: community pattern-either: - pattern: atoi(...) - pattern: atol(...) - pattern: _wtoi(...) - pattern: _wtoi64(...) severity: INFO - id: gitlab.flawfinder.chmod-1 languages: - c - cpp message: | Usage of the `chmod` function call hints at a potential Time Of Check Time Of Use (TOCTOU) vulnerability. An attacker may be able to modify the file being specified by the `chmod` function prior to the `chmod` function being called. Since `chmod` will resolve symbolic links, an attacker may be able to exploit this fact to have files outside of their control modified. It is recommended that the `fchmod` function be used instead since this function takes a file descriptor instead of a file. Ensure the opened file descriptor is pointing to the correct file or directory prior to executing `fchmod` or any other file based operations. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification metadata: shortDescription: Potential time of check time of use vulnerability (chmod) cwe: CWE-362 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.chmod-1 secondary_identifiers: - name: Flawfinder - chmod type: flawfinder_func_name value: chmod license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.chmod-1 shortlink: https://sg.run/EOe8 semgrep.dev: rule: r_id: 13081 rv_id: 920348 rule_id: WAUP43 version_id: 7ZTbRZz url: https://semgrep.dev/playground/r/7ZTbRZz/gitlab.flawfinder.chmod-1 origin: community pattern: chmod(...) severity: ERROR - id: gitlab.flawfinder.chown-1 languages: - c - cpp message: | Usage of the `chown` function call hints at a potential Time Of Check Time Of Use (TOCTOU) vulnerability. An attacker may be able to modify the file being specified by the `chmod` function prior to the `chown` function being called. Since `chown` will resolve symbolic links, an attacker may be able to exploit this fact to have files outside of their control modified. It is recommended that the `fchown` or the `lchown` functions be used instead. The `fchown` function takes a file descriptor instead of a file. The `lchown` function does not follow symbolic links. Ensure the opened file descriptor is pointing to the correct file or directory prior to executing `fchown` or any other file based operations. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification metadata: shortDescription: Potential time of check time of use vulnerability (chown) cwe: CWE-362 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.chown-1 secondary_identifiers: - name: Flawfinder - chown type: flawfinder_func_name value: chown license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.chown-1 shortlink: https://sg.run/7Gpv semgrep.dev: rule: r_id: 13082 rv_id: 920349 rule_id: 0oUJPK version_id: LjTze9q url: https://semgrep.dev/playground/r/LjTze9q/gitlab.flawfinder.chown-1 origin: community pattern: chown(...) severity: ERROR - id: gitlab.flawfinder.CreateProcessAsUser-1.CreateProcessWithLogon-1 languages: - c - cpp message: | Due to how `CreateProcess` parses spaces, an attacker may be able to exploit this function by creating a binary with the same name that is loaded first, depending on the search path order. Ensure that quotation marks around the executable path are used, such as: ``` CreateProcessAsUser(hToken, NULL, "\"C:\\Program Files\\MyApp.exe\"", ...) ``` For more information, please see MSDNs documentation at: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera#security-remarks metadata: shortDescription: Possible executable path hijacking (CreateProcessAsUser/CreateProcessWithLogon) cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.CreateProcessAsUser-1.CreateProcessWithLogon-1 secondary_identifiers: - name: Flawfinder - CreateProcessAsUser type: flawfinder_func_name value: CreateProcessAsUser - name: Flawfinder - CreateProcessWithLogon type: flawfinder_func_name value: CreateProcessWithLogon license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.CreateProcessAsUser-1.CreateProcessWithLogon-1 shortlink: https://sg.run/34Yg semgrep.dev: rule: r_id: 13087 rv_id: 920354 rule_id: 6JU6Pz version_id: 44Teq52 url: https://semgrep.dev/playground/r/44Teq52/gitlab.flawfinder.CreateProcessAsUser-1.CreateProcessWithLogon-1 origin: community pattern-either: - pattern: CreateProcessAsUser(...) - pattern: CreateProcessWithLogon(...) severity: WARNING - id: gitlab.flawfinder.crypt-1.crypt_r-1 languages: - c - cpp message: | The crypt functions are not recommended due to the significantly small key space. Modern hardware can crack crypt produced passwords relatively quickly. Consider using the Argon2id password hashing algorithm provided by libsodium. For more information please see: https://libsodium.gitbook.io/doc/password_hashing. metadata: shortDescription: Insecure hashing algorithm cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: flawfinder.crypt-1.crypt_r-1 secondary_identifiers: - name: Flawfinder - crypt type: flawfinder_func_name value: crypt - name: Flawfinder - crypt_r type: flawfinder_func_name value: crypt_r license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.crypt-1.crypt_r-1 shortlink: https://sg.run/657w semgrep.dev: rule: r_id: 13059 rv_id: 920329 rule_id: OrUD57 version_id: 2KTdORB url: https://semgrep.dev/playground/r/2KTdORB/gitlab.flawfinder.crypt-1.crypt_r-1 origin: community pattern-either: - pattern: crypt(...) - pattern: crypt_r(...) severity: ERROR - id: gitlab.flawfinder.cuserid-1 languages: - c - cpp message: | `cuserid()` is poorly defined (e.g., some systems use the effective UID, like Linux, while others like System V use the real UID). Therefore, you can't trust what it does. The cuserid function was included in the 1988 version of POSIX, but removed from the 1990 version. Also, if passed a non-null parameter, there's a risk of a buffer overflow if the passed-in buffer is not at least `L_cuserid` characters long. Use `getpwuid(geteuid())` and extract the desired information instead. For more information please see: https://linux.die.net/man/3/getpwuid metadata: shortDescription: Usage of deprecated function (cuserid) cwe: CWE-120 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Low category: security primary_identifier: flawfinder.cuserid-1 secondary_identifiers: - name: Flawfinder - cuserid type: flawfinder_func_name value: cuserid license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.cuserid-1 shortlink: https://sg.run/kkgX semgrep.dev: rule: r_id: 13072 rv_id: 920340 rule_id: 4bU20k version_id: xyTdrRz url: https://semgrep.dev/playground/r/xyTdrRz/gitlab.flawfinder.cuserid-1 origin: community pattern: cuserid(...) severity: ERROR - id: gitlab.flawfinder.drand48-1.erand48-1.jrand48-1.lcong48-1.lrand48-1.mrand48-1.nrand48-1.random-1.seed48-1.setstate-1.srand-1.strfry-1.srandom-1.g_rand_boolean-1.g_rand_int-1.g_rand_int_range-1.g_rand_double-1.g_rand_double_range-1.g_random_boolean-1.g_random_int-1.g_random_int_range-1.g_random_double-1.g_random_double_range-1 languages: - c - cpp message: | The detected function is not sufficient at generating security-related random numbers, such as those used in key and nonce creation. Consider using the libsodium library's `randombytes_random` function instead. More information on libsodium's random number generators can be found here: https://libsodium.gitbook.io/doc/generating_random_data. If FIPS validation is required, consider using OpenSSLs `RAND_bytes` family of functions after enabling the `FIPS_mode_set`. For more information on OpenSSL random numbers please see: https://wiki.openssl.org/index.php/Random_Numbers metadata: shortDescription: Usage of insufficient random number generators cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: flawfinder.drand48-1.erand48-1.jrand48-1.lcong48-1.lrand48-1.mrand48-1.nrand48-1.random-1.seed48-1.setstate-1.srand-1.strfry-1.srandom-1.g_rand_boolean-1.g_rand_int-1.g_rand_int_range-1.g_rand_double-1.g_rand_double_range-1.g_random_boolean-1.g_random_int-1.g_random_int_range-1.g_random_double-1.g_random_double_range-1 secondary_identifiers: - name: Flawfinder - drand48 type: flawfinder_func_name value: drand48 - name: Flawfinder - erand48 type: flawfinder_func_name value: erand48 - name: Flawfinder - jrand48 type: flawfinder_func_name value: jrand48 - name: Flawfinder - lcong48 type: flawfinder_func_name value: lcong48 - name: Flawfinder - lrand48 type: flawfinder_func_name value: lrand48 - name: Flawfinder - mrand48 type: flawfinder_func_name value: mrand48 - name: Flawfinder - nrand48 type: flawfinder_func_name value: nrand48 - name: Flawfinder - random type: flawfinder_func_name value: random - name: Flawfinder - seed48 type: flawfinder_func_name value: seed48 - name: Flawfinder - setstate type: flawfinder_func_name value: setstate - name: Flawfinder - srand type: flawfinder_func_name value: srand - name: Flawfinder - strfry type: flawfinder_func_name value: strfry - name: Flawfinder - srandom type: flawfinder_func_name value: srandom - name: Flawfinder - g_rand_boolean type: flawfinder_func_name value: g_rand_boolean - name: Flawfinder - g_rand_int type: flawfinder_func_name value: g_rand_int - name: Flawfinder - g_rand_int_range type: flawfinder_func_name value: g_rand_int_range - name: Flawfinder - g_rand_double type: flawfinder_func_name value: g_rand_double - name: Flawfinder - g_rand_double_range type: flawfinder_func_name value: g_rand_double_range - name: Flawfinder - g_random_boolean type: flawfinder_func_name value: g_random_boolean - name: Flawfinder - g_random_int type: flawfinder_func_name value: g_random_int - name: Flawfinder - g_random_int_range type: flawfinder_func_name value: g_random_int_range - name: Flawfinder - g_random_double type: flawfinder_func_name value: g_random_double - name: Flawfinder - g_random_double_range type: flawfinder_func_name value: g_random_double_range license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.drand48-1.erand48-1.jrand48-1.lcong48-1.lrand48-1.mrand48-1.nrand48-1.random-1.seed48-1.setstate-1.srand-1.strfry-1.srandom-1.g_rand_boolean-1.g_rand_int-1.g_rand_int_range-1.g_rand_double-1.g_rand_double_range-1.g_random_boolean-1.g_random_int-1.g_random_int_range-1.g_random_double-1.g_random_double_range-1 shortlink: https://sg.run/grno semgrep.dev: rule: r_id: 13085 rv_id: 920352 rule_id: lBUzno version_id: QkT1NAz url: https://semgrep.dev/playground/r/QkT1NAz/gitlab.flawfinder.drand48-1.erand48-1.jrand48-1.lcong48-1.lrand48-1.mrand48-1.nrand48-1.random-1.seed48-1.setstate-1.srand-1.strfry-1.srandom-1.g_rand_boolean-1.g_rand_int-1.g_rand_int_range-1.g_rand_double-1.g_rand_double_range-1.g_random_boolean-1.g_random_int-1.g_random_int_range-1.g_random_double-1.g_random_double_range-1 origin: community pattern-either: - pattern: drand48(...) - pattern: erand48(...) - pattern: jrand48(...) - pattern: lcong48(...) - pattern: lrand48(...) - pattern: mrand48(...) - pattern: nrand48(...) - pattern: random(...) - pattern: seed48(...) - pattern: setstate(...) - pattern: srand(...) - pattern: strfry(...) - pattern: srandom(...) - pattern: g_rand_boolean(...) - pattern: g_rand_int(...) - pattern: g_rand_int_range(...) - pattern: g_rand_double(...) - pattern: g_rand_double_range(...) - pattern: g_random_boolean(...) - pattern: g_random_int(...) - pattern: g_random_int_range(...) - pattern: g_random_double(...) - pattern: g_random_double_range(...) - pattern-regex: (long|short|double|int|float|void)\s(\*|)(\s|)(seed48|lcong48)($.*$)\; severity: WARNING - id: gitlab.flawfinder.EVP_des_ecb-1.EVP_des_cbc-1.EVP_des_cfb-1.EVP_des_ofb-1.EVP_desx_cbc-1 languages: - c - cpp message: | The DES algorithm has not been recommended for over 15 years and was withdrawn from NIST (FIPS 46-3) in 2005. Consider using libsodium's `crypto_secretbox_easy` authenticated encryption functions instead. For more information please see: https://libsodium.gitbook.io/doc/secret-key_cryptography/secretbox. If you must be FIPS compliant, consider using OpenSSLs AES or 3DES ciphers. metadata: shortDescription: Insecure encryption algorithm (DES) cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: flawfinder.EVP_des_ecb-1.EVP_des_cbc-1.EVP_des_cfb-1.EVP_des_ofb-1.EVP_desx_cbc-1 secondary_identifiers: - name: Flawfinder - EVP_des_ecb type: flawfinder_func_name value: EVP_des_ecb - name: Flawfinder - EVP_des_cbc type: flawfinder_func_name value: EVP_des_cbc - name: Flawfinder - EVP_des_cfb type: flawfinder_func_name value: EVP_des_cfb - name: Flawfinder - EVP_des_ofb type: flawfinder_func_name value: EVP_des_ofb - name: Flawfinder - EVP_desx_cbc type: flawfinder_func_name value: EVP_desx_cbc license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.EVP_des_ecb-1.EVP_des_cbc-1.EVP_des_cfb-1.EVP_des_ofb-1.EVP_desx_cbc-1 shortlink: https://sg.run/lxzL semgrep.dev: rule: r_id: 13057 rv_id: 920327 rule_id: wdUGO7 version_id: zyTG3B6 url: https://semgrep.dev/playground/r/zyTG3B6/gitlab.flawfinder.EVP_des_ecb-1.EVP_des_cbc-1.EVP_des_cfb-1.EVP_des_ofb-1.EVP_desx_cbc-1 origin: community pattern-either: - pattern: EVP_des_ecb(...) - pattern: EVP_des_cbc(...) - pattern: EVP_des_cfb(...) - pattern: EVP_des_ofb(...) - pattern: EVP_desx_cbc(...) severity: ERROR - id: gitlab.flawfinder.EVP_rc4_40-1.EVP_rc2_40_cbc-1.EVP_rc2_64_cbc-1 languages: - c - cpp message: | The RC4 algorithm is vulnerable to many attacks and should no longer be used for encrypting data streams. Consider using libsodium's `crypto_secretstream_xchacha20poly1305` stream cipher encryption functions instead. For more information please see: https://libsodium.gitbook.io/doc/secret-key_cryptography/secretstream If you must be FIPS compliant, consider using OpenSSLs AES or 3DES ciphers. metadata: shortDescription: Insecure stream cipher (RC4) cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: flawfinder.EVP_rc4_40-1.EVP_rc2_40_cbc-1.EVP_rc2_64_cbc-1 secondary_identifiers: - name: Flawfinder - EVP_rc4_40 type: flawfinder_func_name value: EVP_rc4_40 - name: Flawfinder - EVP_rc2_40_cbc type: flawfinder_func_name value: EVP_rc2_40_cbc - name: Flawfinder - EVP_rc2_64_cbc type: flawfinder_func_name value: EVP_rc2_64_cbc license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.EVP_rc4_40-1.EVP_rc2_40_cbc-1.EVP_rc2_64_cbc-1 shortlink: https://sg.run/YXxW semgrep.dev: rule: r_id: 13058 rv_id: 920328 rule_id: x8U2ke version_id: pZTbD2g url: https://semgrep.dev/playground/r/pZTbD2g/gitlab.flawfinder.EVP_rc4_40-1.EVP_rc2_40_cbc-1.EVP_rc2_64_cbc-1 origin: community pattern-either: - pattern: EVP_rc4_40(...) - pattern: EVP_rc2_40_cbc(...) - pattern: EVP_rc2_64_cbc(...) severity: ERROR - id: gitlab.flawfinder.execl-1.execlp-1.execle-1.execv-1.execvp-1.popen-1.WinExec-1.ShellExecute-1 languages: - c - cpp message: | It is generally not recommended to call out to the operating system to execute commands. When the application is executing file system based commands, user input should never be used in constructing commands or command arguments. If possible, determine if a library can be used instead to provide the same functionality. Otherwise, consider hard coding both the command and arguments to be used, or at the very least restricting which arguments can be passed to the command execution function. Please see the compliant solutions in the following page: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177 metadata: shortDescription: Potential for OS command injection cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.execl-1.execlp-1.execle-1.execv-1.execvp-1.popen-1.WinExec-1.ShellExecute-1 secondary_identifiers: - name: Flawfinder - execl type: flawfinder_func_name value: execl - name: Flawfinder - execlp type: flawfinder_func_name value: execlp - name: Flawfinder - execle type: flawfinder_func_name value: execle - name: Flawfinder - execv type: flawfinder_func_name value: execv - name: Flawfinder - execvp type: flawfinder_func_name value: execvp - name: Flawfinder - popen type: flawfinder_func_name value: popen - name: Flawfinder - WinExec type: flawfinder_func_name value: WinExec - name: Flawfinder - ShellExecute type: flawfinder_func_name value: ShellExecute license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.execl-1.execlp-1.execle-1.execv-1.execvp-1.popen-1.WinExec-1.ShellExecute-1 shortlink: https://sg.run/4P6g semgrep.dev: rule: r_id: 13088 rv_id: 920355 rule_id: oqUr85 version_id: PkTjG2o url: https://semgrep.dev/playground/r/PkTjG2o/gitlab.flawfinder.execl-1.execlp-1.execle-1.execv-1.execvp-1.popen-1.WinExec-1.ShellExecute-1 origin: community pattern-either: - pattern: execl(...) - pattern: execlp(...) - pattern: execle(...) - pattern: execv(...) - pattern: execvp(...) - pattern: popen(...) - pattern: WinExec(...) - pattern: ShellExecute(...) severity: ERROR - id: gitlab.flawfinder.fopen-1.open-1 languages: - c - cpp message: | Usage of the `open` family of functions may hint at a potential Time Of Check Time Of Use (TOCTOU) vulnerability. An attacker may be able to modify the file being specified by the `open` function prior to the `open` function being called. Prior to calling `open`, use `lstat` to open the file and confirm the attributes are correct. Then use `open` to get a file descriptor to this file. Call `fstat` on the `open` file descriptor to confirm that `st_dev` and `st_ino` are equal between the two. If they are, it is safe to read and operate on the file's contents. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files metadata: shortDescription: Potential time of check time of use vulnerability (open/fopen) cwe: CWE-362 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.fopen-1.open-1 secondary_identifiers: - name: Flawfinder - fopen type: flawfinder_func_name value: fopen - name: Flawfinder - open type: flawfinder_func_name value: open license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.fopen-1.open-1 shortlink: https://sg.run/w1nx semgrep.dev: rule: r_id: 13073 rv_id: 920341 rule_id: PeUBPk version_id: O9Tv7Qb url: https://semgrep.dev/playground/r/O9Tv7Qb/gitlab.flawfinder.fopen-1.open-1 origin: community pattern-either: - pattern: fopen(...) - pattern: open(...) severity: INFO - id: gitlab.flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1 languages: - c - cpp message: | Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or only allow specific characters to be provided to the format argument for the `fprintf` family of functions. For more information please see: https://linux.die.net/man/3/fprintf For more information on format string attacks please see OWASP's attack guide: https://owasp.org/www-community/attacks/Format_string_attack metadata: shortDescription: Potential format string vulnerability cwe: CWE-134 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1 secondary_identifiers: - name: Flawfinder - fprintf type: flawfinder_func_name value: fprintf - name: Flawfinder - vfprintf type: flawfinder_func_name value: vfprintf - name: Flawfinder - _ftprintf type: flawfinder_func_name value: _ftprintf - name: Flawfinder - _vftprintf type: flawfinder_func_name value: _vftprintf - name: Flawfinder - fwprintf type: flawfinder_func_name value: fwprintf - name: Flawfinder - fvwprintf type: flawfinder_func_name value: fvwprintf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1 shortlink: https://sg.run/owX7 semgrep.dev: rule: r_id: 13060 rv_id: 920330 rule_id: eqUpJj version_id: X0TAKY0 url: https://semgrep.dev/playground/r/X0TAKY0/gitlab.flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1 origin: community pattern-either: - patterns: - pattern: fprintf($FD, $FMT, ...) - pattern-not: fprintf($FD, "...", ...) - patterns: - pattern: vfprintf($FMT, $ARGS, ...) - pattern-not: vfprintf("...", $ARGS, ...) - patterns: - pattern: _ftprintf($FD, $FMT, ...) - pattern-not: _ftprintf($FD, "...", ...) - patterns: - pattern: fwprintf($FD, $FMT, ...) - pattern-not: fwprintf($FD, "...", ...) - patterns: - pattern: fvwprintf($FD, $FMT, ...) - pattern-not: fvwprintf($FD, "...", ...) severity: ERROR - id: gitlab.flawfinder.fscanf-1.sscanf-1.vsscanf-1.vfscanf-1._ftscanf-1.fwscanf-1.vfwscanf-1.vswscanf-1 languages: - c - cpp message: | Format specifiers can take optional field widths, which should be used to limit how many characters are copied into the target buffer. Example: ``` const char str[20] = "AAAAAAAAAAAAAAAAAAA"; char buf[11] = {0}; sscanf(str, "%10s", &buf); // buf = AAAAAAAAAA\0 ``` metadata: shortDescription: sscanf() functions may allow format string based overflows cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.fscanf-1.sscanf-1.vsscanf-1.vfscanf-1._ftscanf-1.fwscanf-1.vfwscanf-1.vswscanf-1 secondary_identifiers: - name: Flawfinder - fscanf type: flawfinder_func_name value: fscanf - name: Flawfinder - sscanf type: flawfinder_func_name value: sscanf - name: Flawfinder - vsscanf type: flawfinder_func_name value: vsscanf - name: Flawfinder - vfscanf type: flawfinder_func_name value: vfscanf - name: Flawfinder - _ftscanf type: flawfinder_func_name value: _ftscanf - name: Flawfinder - fwscanf type: flawfinder_func_name value: fwscanf - name: Flawfinder - vfwscanf type: flawfinder_func_name value: vfwscanf - name: Flawfinder - vswscanf type: flawfinder_func_name value: vswscanf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.fscanf-1.sscanf-1.vsscanf-1.vfscanf-1._ftscanf-1.fwscanf-1.vfwscanf-1.vswscanf-1 shortlink: https://sg.run/O8Xe semgrep.dev: rule: r_id: 13031 rv_id: 920304 rule_id: 5rU8bL version_id: BjTKLyW url: https://semgrep.dev/playground/r/BjTKLyW/gitlab.flawfinder.fscanf-1.sscanf-1.vsscanf-1.vfscanf-1._ftscanf-1.fwscanf-1.vfwscanf-1.vswscanf-1 origin: community pattern-either: - pattern: fscanf(...) - pattern: sscanf(...) - pattern: vsscanf(...) - pattern: vfscanf(...) - pattern: _ftscanf(...) - pattern: fwscanf(...) - pattern: vfwscanf(...) - pattern: vswscanf(...) severity: ERROR - id: gitlab.flawfinder.getenv-1.curl_getenv-1 languages: - c - cpp message: | This function's return value should be treated as untrusted input as it could be modified by an attacker. Possible risks include: - The value being too large and causing buffer overflows - Files under the attacker's control being used maliciously - Files outside of an attacker's control becoming accessible, depending on access privileges. metadata: shortDescription: Possible use of untrusted environment variable cwe: CWE-20 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.getenv-1.curl_getenv-1 secondary_identifiers: - name: Flawfinder - getenv type: flawfinder_func_name value: getenv - name: Flawfinder - curl_getenv type: flawfinder_func_name value: curl_getenv license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.getenv-1.curl_getenv-1 shortlink: https://sg.run/ZkO7 semgrep.dev: rule: r_id: 13035 rv_id: 920307 rule_id: BYU761 version_id: 0bTp3G7 url: https://semgrep.dev/playground/r/0bTp3G7/gitlab.flawfinder.getenv-1.curl_getenv-1 origin: community pattern-either: - pattern: getenv(...) - pattern: curl_getenv(...) severity: WARNING - id: gitlab.flawfinder.getpass-1 languages: - c - cpp message: | This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data. Some systems will write to stderr instead of stdout. Some will read from stdin if it can not be read from /dev/tty. In some systems the buffer is static and limited to 127 characters, meaning the full password may not be returned properly. If you want to read input without terminal echoing enabled, see the description of the ECHO flag in the termios manual pager. If you ever read passwords from a terminal, be sure to zero the password as soon as possible, to avoid leaving the cleartext password visible in the process' address space. metadata: shortDescription: Usage of deprecated function (getpass) cwe: CWE-20 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Low category: security primary_identifier: flawfinder.getpass-1 secondary_identifiers: - name: Flawfinder - getpass type: flawfinder_func_name value: getpass license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.getpass-1 shortlink: https://sg.run/O8We semgrep.dev: rule: r_id: 13075 rv_id: 920343 rule_id: 5rU8gL version_id: vdTvQLq url: https://semgrep.dev/playground/r/vdTvQLq/gitlab.flawfinder.getpass-1 origin: community pattern: getpass(...) severity: ERROR - id: gitlab.flawfinder.gets-1._getts-1 languages: - c - cpp message: | The gets() function reads a line from stdin into the provided buffer until either a terminating newline or EOF. This terminating newline or EOF is replaced with a null byte `'\0'`. No check for buffer overruns are performed so it is recommended to use `fgets()` instead. Do note that some platforms will continue reading data after a `'\0'` is encountered. Usage of `fgets()` is not recommended for reading binary based files or inputs, instead the `read` or `fread` functions should be used. For more information please see: https://linux.die.net/man/3/fgets metadata: shortDescription: Use of deprecated function (gets) cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.gets-1._getts-1 secondary_identifiers: - name: Flawfinder - gets type: flawfinder_func_name value: gets - name: Flawfinder - _getts type: flawfinder_func_name value: _getts license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.gets-1._getts-1 shortlink: https://sg.run/7G7v semgrep.dev: rule: r_id: 13038 rv_id: 920308 rule_id: 0oUJjK version_id: K3TwLgb url: https://semgrep.dev/playground/r/K3TwLgb/gitlab.flawfinder.gets-1._getts-1 origin: community pattern-either: - pattern: gets(...) - pattern: _getts(...) - pattern: _getws(...) severity: ERROR - id: gitlab.flawfinder.GetTempFileName-1 languages: - c - cpp message: | The `GetTempFileName` function works by generating a randomly named file, creating the file (if it does not exist) and then closing it. An application wishing to use this temporary file will need to reopen this file to begin working with it. This leads to a potential Time Of Check Time Of Use (TOCTOU) vulnerability, as an attacker could replace or modify the contents of the file prior to it being used by the application. Consider generating a random filename and opening the file directly in a single `CreateFile` or `OpenFile` call. metadata: shortDescription: Potential time of check time of use vulnerability (GetTempFileName) cwe: CWE-377 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.GetTempFileName-1 secondary_identifiers: - name: Flawfinder - GetTempFileName type: flawfinder_func_name value: GetTempFileName license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.GetTempFileName-1 shortlink: https://sg.run/JjGo semgrep.dev: rule: r_id: 13090 rv_id: 920357 rule_id: pKUw7J version_id: 5PTNGry url: https://semgrep.dev/playground/r/5PTNGry/gitlab.flawfinder.GetTempFileName-1 origin: community pattern: GetTempFileName(...) severity: WARNING - id: gitlab.flawfinder.getwd-1 languages: - c - cpp message: | `getwd` does not contain a parameter to limit how many characters can be copied into the destination buffer. For portability and security reasons `getwd` has been deprecated in favor of `getcwd`. For more information please see: https://linux.die.net/man/3/getcwd metadata: shortDescription: Insufficient protection against buffer overflow (getwd) cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.getwd-1 secondary_identifiers: - name: Flawfinder - getwd type: flawfinder_func_name value: getwd license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.getwd-1 shortlink: https://sg.run/L8zL semgrep.dev: rule: r_id: 13039 rv_id: 920309 rule_id: KxUY1o version_id: qkTpwvo url: https://semgrep.dev/playground/r/qkTpwvo/gitlab.flawfinder.getwd-1 origin: community pattern: getwd(...) severity: WARNING - id: gitlab.flawfinder.g_get_home_dir-1 languages: - c - cpp message: | This function is synonymous with `getenv("HOME")` and should be treated as untrusted input as it could be modified by an attacker. Possible risks include: - The value being too large and causing buffer overflows - Files under the attacker's control being used maliciously - Files outside of an attacker's control becoming accessible, depending on access privileges. metadata: shortDescription: Possible use of untrusted environment variable cwe: CWE-20 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.g_get_home_dir-1 secondary_identifiers: - name: Flawfinder - g_get_home_dir type: flawfinder_func_name value: g_get_home_dir license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.g_get_home_dir-1 shortlink: https://sg.run/eK0X semgrep.dev: rule: r_id: 13032 rv_id: 920305 rule_id: GdUZpz version_id: DkT2yw6 url: https://semgrep.dev/playground/r/DkT2yw6/gitlab.flawfinder.g_get_home_dir-1 origin: community pattern: g_get_home_dir(...) severity: WARNING - id: gitlab.flawfinder.g_get_tmp_dir-1 languages: - c - cpp message: | This function is synonymous with `getenv("TMP")` and should be treated as untrusted input as it could be modified by an attacker. Possible risks include: - The value being too large and causing buffer overflows - Files under the attacker's control being used maliciously - Files outside of an attacker's control becoming accessible, depending on access privileges. metadata: shortDescription: Possible use of untrusted environment variable cwe: CWE-20 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.g_get_tmp_dir-1 secondary_identifiers: - name: Flawfinder - g_get_tmp_dir type: flawfinder_func_name value: g_get_tmp_dir license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.g_get_tmp_dir-1 shortlink: https://sg.run/v2NX semgrep.dev: rule: r_id: 13033 rv_id: 920306 rule_id: ReUojK version_id: WrTYn7O url: https://semgrep.dev/playground/r/WrTYn7O/gitlab.flawfinder.g_get_tmp_dir-1 origin: community pattern: g_get_tmp_dir(...) severity: WARNING - id: gitlab.flawfinder.gsignal-1.ssignal-1 languages: - c - cpp message: | The `gsignal` and `ssignal` functions are obsolete and no longer recommended. Consider using the `raise` or `sigaction` functions instead for process signaling. For more information please see: https://linux.die.net/man/3/sigaction metadata: shortDescription: Deprecated function calls (ssignal/gsignal) cwe: CWE-676 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Info category: security primary_identifier: flawfinder.gsignal-1.ssignal-1 secondary_identifiers: - name: Flawfinder - gsignal type: flawfinder_func_name value: gsignal - name: Flawfinder - ssignal type: flawfinder_func_name value: ssignal license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.gsignal-1.ssignal-1 shortlink: https://sg.run/eKOX semgrep.dev: rule: r_id: 13076 rv_id: 920344 rule_id: GdUZdz version_id: d6T6g8B url: https://semgrep.dev/playground/r/d6T6g8B/gitlab.flawfinder.gsignal-1.ssignal-1 origin: community pattern-either: - pattern: gsignal(...) - pattern: ssignal(...) severity: INFO - id: gitlab.flawfinder.LoadLibrary-1 languages: - c - cpp message: | The `LoadLibrary` function is used to load DLLs dynamically. Depending on the filepath parameter, the OS version, and the modes set for the process prior to calling LoadLibrary, DLL hijacking may be possible. Attackers can exploit this by placing DLL files with the same name in directories that are searched before the legitimate DLL is. To assist in preventing against this class of vulnerability consider: - Specifying a fully qualified path when using LoadLibraryEx. - Use the `LOAD_LIBRARY_SEARCH` flags with LoadLibraryEx or with SetDefaultDllDirectories. - If you use SetDefaultDllDirectories, be sure to use the AddDllDirectory or SetDllDirectory functions to modify the list of directories. - Only use `SearchPath` if the `SetSearchPathMode` function is called with `BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE`. (Note: this only moves the current directory to the end of the SearchPath search list.) For more information see the security remarks section of the MSDN documentation: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya#security-remarks For general information securely loading dynamic link libraries, see the MSDN documentation: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security metadata: shortDescription: Potential for DLL hijacking (LoadLibrary) cwe: CWE-20 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.LoadLibrary-1 secondary_identifiers: - name: Flawfinder - LoadLibrary type: flawfinder_func_name value: LoadLibrary license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.LoadLibrary-1 shortlink: https://sg.run/y6n8 semgrep.dev: rule: r_id: 13068 rv_id: 920337 rule_id: 8GUx8Y version_id: NdTeR6w url: https://semgrep.dev/playground/r/NdTeR6w/gitlab.flawfinder.LoadLibrary-1 origin: community pattern: LoadLibrary(...) severity: WARNING - id: gitlab.flawfinder.LoadLibraryEx-1 languages: - c - cpp message: | The `LoadLibraryEx` function is used to load DLLs dynamically. Depending on the filepath parameter, the OS version, and the modes set for the process prior to calling LoadLibrary, DLL hijacking may be possible. Attackers can exploit this by placing DLL files with the same name in directories that are searched before the legitimate DLL is. To assist in preventing against this class of vulnerability consider: - Specifying a fully qualified path when using LoadLibraryEx. - Use the `LOAD_LIBRARY_SEARCH` flags with LoadLibraryEx or with SetDefaultDllDirectories. - If you use SetDefaultDllDirectories, be sure to use the AddDllDirectory or SetDllDirectory functions to modify the list of directories. - Only use `SearchPath` if the `SetSearchPathMode` function is called with `BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE`. (Note: this only moves the current directory to the end of the SearchPath search list.) For more information see the security remarks section of the MSDN documentation: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya#security-remarks For general information securely loading dynamic link libraries, see the MSDN documentation: https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security metadata: shortDescription: Potential for DLL hijacking (LoadLibraryEx) cwe: CWE-20 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.LoadLibraryEx-1 secondary_identifiers: - name: Flawfinder - LoadLibraryEx type: flawfinder_func_name value: LoadLibraryEx license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.LoadLibraryEx-1 shortlink: https://sg.run/rkn6 semgrep.dev: rule: r_id: 13069 rv_id: 920338 rule_id: gxUYQ3 version_id: kbTOPWl url: https://semgrep.dev/playground/r/kbTOPWl/gitlab.flawfinder.LoadLibraryEx-1 origin: community pattern: LoadLibraryEx(...) severity: WARNING - id: gitlab.flawfinder.lstrcat-1.wcscat-1._tcscat-1._mbscat-1 languages: - c - cpp message: | The `strcat` family of functions are unable to limit how many bytes are copied to the destination buffer. It is recommended to use more secure alternatives such as `snprintf`. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strcat-s-wcscat-s-mbscat-s?view=msvc-170 metadata: shortDescription: Insecure functions unable to limit / check buffer sizes cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.lstrcat-1.wcscat-1._tcscat-1._mbscat-1 secondary_identifiers: - name: Flawfinder - lstrcat type: flawfinder_func_name value: lstrcat - name: Flawfinder - wcscat type: flawfinder_func_name value: wcscat - name: Flawfinder - _tcscat type: flawfinder_func_name value: _tcscat - name: Flawfinder - _mbscat type: flawfinder_func_name value: _mbscat license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.lstrcat-1.wcscat-1._tcscat-1._mbscat-1 shortlink: https://sg.run/8R7J semgrep.dev: rule: r_id: 13040 rv_id: 920310 rule_id: qNUb3v version_id: l4TXDpz url: https://semgrep.dev/playground/r/l4TXDpz/gitlab.flawfinder.lstrcat-1.wcscat-1._tcscat-1._mbscat-1 origin: community pattern-either: - pattern: lstrcat(...) - pattern: wcscat(...) - pattern: _tcscat(...) - pattern: _mbscat(...) severity: ERROR - id: gitlab.flawfinder.lstrcatn-1.wcsncat-1._tcsncat-1._mbsnbcat-1 languages: - c - cpp message: | Consider using more secure alternatives such as `snprintf`, instead of the `wcsncat` family of functions. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncat-strncat-l-wcsncat-wcsncat-l-mbsncat-mbsncat-l?view=msvc-170 metadata: shortDescription: Easily misused string processing functions cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.lstrcatn-1.wcsncat-1._tcsncat-1._mbsnbcat-1 secondary_identifiers: - name: Flawfinder - lstrcatn type: flawfinder_func_name value: lstrcatn - name: Flawfinder - wcsncat type: flawfinder_func_name value: wcsncat - name: Flawfinder - _tcsncat type: flawfinder_func_name value: _tcsncat - name: Flawfinder - _mbsnbcat type: flawfinder_func_name value: _mbsnbcat license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.lstrcatn-1.wcsncat-1._tcsncat-1._mbsnbcat-1 shortlink: https://sg.run/grqo semgrep.dev: rule: r_id: 13041 rv_id: 920311 rule_id: lBUzGo version_id: YDTYbwD url: https://semgrep.dev/playground/r/YDTYbwD/gitlab.flawfinder.lstrcatn-1.wcsncat-1._tcsncat-1._mbsnbcat-1 origin: community pattern-either: - pattern: lstrcatn(...) - pattern: wcsncat(...) - pattern: _tcsncat(...) - pattern: _mbsnbcat(...) severity: INFO - id: gitlab.flawfinder.lstrcpy-1.wcscpy-1._tcscpy-1._mbscpy-1 languages: - c - cpp message: | The `lstrcpy` family of functions do not provide the ability to limit or check buffer sizes before copying to a destination buffer. This can lead to buffer overflows. Consider using more secure alternatives such as `strncpy_s`. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170 metadata: shortDescription: Insecure functions unable to limit / check buffer sizes cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.lstrcpy-1.wcscpy-1._tcscpy-1._mbscpy-1 secondary_identifiers: - name: Flawfinder - lstrcpy type: flawfinder_func_name value: lstrcpy - name: Flawfinder - wcscpy type: flawfinder_func_name value: wcscpy - name: Flawfinder - _tcscpy type: flawfinder_func_name value: _tcscpy - name: Flawfinder - _mbscpy type: flawfinder_func_name value: _mbscpy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.lstrcpy-1.wcscpy-1._tcscpy-1._mbscpy-1 shortlink: https://sg.run/Q41D semgrep.dev: rule: r_id: 13042 rv_id: 920312 rule_id: YGUQd4 version_id: JdToRn6 url: https://semgrep.dev/playground/r/JdToRn6/gitlab.flawfinder.lstrcpy-1.wcscpy-1._tcscpy-1._mbscpy-1 origin: community pattern-either: - pattern: lstrcpy(...) - pattern: wcscpy(...) - pattern: _tcscpy(...) - pattern: _mbscpy(...) severity: ERROR - id: gitlab.flawfinder.lstrcpyn-1.wcsncpy-1._tcsncpy-1._mbsnbcpy-1 languages: - c - cpp message: | The `lstrcpyn` family of functions do not always check for invalid pointers or check if there is sufficient space prior to copying. The count argument limits the number of characters copied but does validate if the count will fit within the size of the destination buffer, leading to potential overflows. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170 metadata: shortDescription: Insecure functions do not always null terminate or check invalid pointers cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.lstrcpyn-1.wcsncpy-1._tcsncpy-1._mbsnbcpy-1 secondary_identifiers: - name: Flawfinder - lstrcpyn type: flawfinder_func_name value: lstrcpyn - name: Flawfinder - wcsncpy type: flawfinder_func_name value: wcsncpy - name: Flawfinder - _tcsncpy type: flawfinder_func_name value: _tcsncpy - name: Flawfinder - _mbsnbcpy type: flawfinder_func_name value: _mbsnbcpy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.lstrcpyn-1.wcsncpy-1._tcsncpy-1._mbsnbcpy-1 shortlink: https://sg.run/347g semgrep.dev: rule: r_id: 13043 rv_id: 920313 rule_id: 6JU6Nz version_id: 5PTNG7y url: https://semgrep.dev/playground/r/5PTNG7y/gitlab.flawfinder.lstrcpyn-1.wcsncpy-1._tcsncpy-1._mbsnbcpy-1 origin: community pattern-either: - pattern: lstrcpyn(...) - pattern: wcsncpy(...) - pattern: _tcsncpy(...) - pattern: _mbsnbcpy(...) severity: INFO - id: gitlab.flawfinder.memalign-1 languages: - c - cpp message: | The `memalign` function may not check that the alignment argument is correct. Calling free (on non Linux-based systems) may fail and in certain circumstances this failure may be exploitable. This function has been deprecated in favor of `posix_memalign`. For more information please see: https://linux.die.net/man/3/memalign metadata: shortDescription: Use of deprecated function (memalign) cwe: CWE-676 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.memalign-1 secondary_identifiers: - name: Flawfinder - memalign type: flawfinder_func_name value: memalign license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.memalign-1 shortlink: https://sg.run/X8wl semgrep.dev: rule: r_id: 13064 rv_id: 920334 rule_id: nJUrv6 version_id: yeTDgql url: https://semgrep.dev/playground/r/yeTDgql/gitlab.flawfinder.memalign-1 origin: community pattern-either: - pattern: memalign(...) - pattern-regex: (void)\s\*(\s|)(memalign)\; severity: INFO - id: gitlab.flawfinder.memcpy-1.CopyMemory-1.bcopy-1 languages: - c - cpp message: | The `memcpy` family of functions require the developer to validate that the destination buffer is the same size or larger than the source buffer. Buffer overflows could be introduced if care is not taken to validate buffer sizes. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/memcpy-s-wmemcpy-s?view=msvc-170 metadata: shortDescription: Function does not check for buffer overflows when copying cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.memcpy-1.CopyMemory-1.bcopy-1 secondary_identifiers: - name: Flawfinder - memcpy type: flawfinder_func_name value: memcpy - name: Flawfinder - CopyMemory type: flawfinder_func_name value: CopyMemory - name: Flawfinder - bcopy type: flawfinder_func_name value: bcopy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.memcpy-1.CopyMemory-1.bcopy-1 shortlink: https://sg.run/4P7g semgrep.dev: rule: r_id: 13044 rv_id: 920314 rule_id: oqUr65 version_id: GxToXlo url: https://semgrep.dev/playground/r/GxToXlo/gitlab.flawfinder.memcpy-1.CopyMemory-1.bcopy-1 origin: community pattern-either: - pattern: memcpy(...) - pattern: CopyMemory(...) - pattern: bcopy(...) severity: INFO - id: gitlab.flawfinder.mkstemp-1 languages: - c - cpp message: | Some older Unix-like systems, `mkstemp` would create temp files with 0666 permissions, meaning the file created would be read/write access for all users. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor. For more information on temporary files please see: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152425 metadata: shortDescription: Potential file permissions issue (mkstemp) cwe: CWE-377 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.mkstemp-1 secondary_identifiers: - name: Flawfinder - mkstemp type: flawfinder_func_name value: mkstemp license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.mkstemp-1 shortlink: https://sg.run/5Jo6 semgrep.dev: rule: r_id: 13091 rv_id: 920358 rule_id: 2ZUKJn version_id: GxToXYo url: https://semgrep.dev/playground/r/GxToXYo/gitlab.flawfinder.mkstemp-1 origin: community pattern: mkstemp(...) severity: INFO - id: gitlab.flawfinder.mktemp-1 languages: - c - cpp message: | The `mktemp` function should no longer be used due to multiple flaws. Some implementations created random files by using known information like the process ID and a single letter. This allows for possible race conditions where an attacker could guess or manipulate these files prior to them being used. Consider using the `mkstemp` function instead, but be aware it also contains possible risks. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor. For more information on temporary files please see: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152425 metadata: shortDescription: Use of deprecated function (mktemp) cwe: CWE-377 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.mktemp-1 secondary_identifiers: - name: Flawfinder - mktemp type: flawfinder_func_name value: mktemp license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.mktemp-1 shortlink: https://sg.run/GwPB semgrep.dev: rule: r_id: 13092 rv_id: 920359 rule_id: X5U76e version_id: RGT2xnA url: https://semgrep.dev/playground/r/RGT2xnA/gitlab.flawfinder.mktemp-1 origin: community pattern: mktemp(...) severity: ERROR - id: gitlab.flawfinder.MultiByteToWideChar-1 languages: - c - cpp message: | The input buffer is the number of bytes in the string, but the size of the output buffer is the number of characters. To avoid overflows, the application must determine the correct buffer size which depends on the data type the buffer receives. For more information see: https://learn.microsoft.com/en-us/windows/win32/intl/security-considerations--international-features metadata: shortDescription: Easily misused function may lead to buffer overflows cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.MultiByteToWideChar-1 secondary_identifiers: - name: Flawfinder - MultiByteToWideChar type: flawfinder_func_name value: MultiByteToWideChar license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.MultiByteToWideChar-1 shortlink: https://sg.run/N82x semgrep.dev: rule: r_id: 13027 rv_id: 920302 rule_id: qNUb31 version_id: RGT2xpv url: https://semgrep.dev/playground/r/RGT2xpv/gitlab.flawfinder.MultiByteToWideChar-1 origin: community pattern: MultiByteToWideChar(...) severity: INFO - id: gitlab.flawfinder.printf-1.vprintf-1.vwprintf-1.vfwprintf-1._vtprintf-1.wprintf-1 languages: - c - cpp message: | Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or only allow specific characters to be provided to the format argument for the `printf` family of functions. For more information please see: https://linux.die.net/man/3/fprintf For more information on format string attacks please see OWASP's attack guide: https://owasp.org/www-community/attacks/Format_string_attack metadata: shortDescription: Potential format string vulnerability cwe: CWE-134 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.printf-1.vprintf-1.vwprintf-1.vfwprintf-1._vtprintf-1.wprintf-1 secondary_identifiers: - name: Flawfinder - printf type: flawfinder_func_name value: printf - name: Flawfinder - vprintf type: flawfinder_func_name value: vprintf - name: Flawfinder - vwprintf type: flawfinder_func_name value: vwprintf - name: Flawfinder - vfwprintf type: flawfinder_func_name value: vfwprintf - name: Flawfinder - _vtprintf type: flawfinder_func_name value: _vtprintf - name: Flawfinder - wprintf type: flawfinder_func_name value: wprintf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.printf-1.vprintf-1.vwprintf-1.vfwprintf-1._vtprintf-1.wprintf-1 shortlink: https://sg.run/z9Oz semgrep.dev: rule: r_id: 13061 rv_id: 920331 rule_id: v8UjyR version_id: jQTwj14 url: https://semgrep.dev/playground/r/jQTwj14/gitlab.flawfinder.printf-1.vprintf-1.vwprintf-1.vfwprintf-1._vtprintf-1.wprintf-1 origin: community pattern-either: - patterns: - pattern: printf(...) - pattern-not: printf("...",...) - patterns: - pattern: vprintf($FMT, ...) - pattern-not: vprintf("...", ...) - patterns: - pattern: vwprintf($FMT, ...) - pattern-not: vwprintf("...", ...) - patterns: - pattern: vfwprintf($FILE, $FMT, ...) - pattern-not: vfwprintf($FILE, "...", ...) - patterns: - pattern: _vtprintf($FILE, $FMT, ...) - pattern-not: _vtprintf($FILE, "...", ...) - patterns: - pattern: wprintf($FMT, ...) - pattern-not: wprintf("...", ...) severity: ERROR - id: gitlab.flawfinder.readlink-1 languages: - c - cpp message: | Usage of the `readlink` function call hints at a potential Time Of Check Time Of Use (TOCTOU) vulnerability. An attacker may be able to modify the file being specified by the `readlink` function prior to the `readlink` function being called. Additionally, care must be taken that the buffer provided is large enough to hold the contents of the file. Instead of using `readlink`, use `lstat` prior to opening the file and confirm the attributes are correct. Then use `open` to get a file descriptor to this file. Call `fstat` on the `open` file descriptor to confirm that `st_dev` and `st_ino` are equal between the two. If they are, it is safe to read and operate on the file's contents. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files metadata: shortDescription: Potential time of check time of use vulnerability (readlink) cwe: CWE-20 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.readlink-1 secondary_identifiers: - name: Flawfinder - readlink type: flawfinder_func_name value: readlink license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.readlink-1 shortlink: https://sg.run/L8AL semgrep.dev: rule: r_id: 13083 rv_id: 920350 rule_id: KxUYWo version_id: 8KTvlg4 url: https://semgrep.dev/playground/r/8KTvlg4/gitlab.flawfinder.readlink-1 origin: community pattern: readlink(...) severity: ERROR - id: gitlab.flawfinder.realpath-1 languages: - c - cpp message: | The `realpath` function should not be called with a destination buffer as it could lead to overflowing if the path is greater than PATH_LEN. It is instead recommended to call `realpath` with the destination buffer set to NULL and use the return value as the resolved path. Be sure to free the returned pointer as realpath will allocate the buffer internally using `malloc`. For more information see: https://linux.die.net/man/3/realpath Example: ``` char const *symlink_path = "/tmp/symlink"; char *resolved_path = NULL; resolved_path = realpath(symlink_path, NULL); if (errno == 0) { // ... use resolved_path... free(resolved_path); } ``` metadata: shortDescription: Function does not ensure destination buffer length is sufficient before copying cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.realpath-1 secondary_identifiers: - name: Flawfinder - realpath type: flawfinder_func_name value: realpath license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.realpath-1 shortlink: https://sg.run/P8jN semgrep.dev: rule: r_id: 13045 rv_id: 920315 rule_id: zdU1EX version_id: RGT2xEA url: https://semgrep.dev/playground/r/RGT2xEA/gitlab.flawfinder.realpath-1 origin: community pattern: realpath(...) severity: WARNING - id: gitlab.flawfinder.RpcImpersonateClient-1.ImpersonateLoggedOnUser-1.CoImpersonateClient-1.ImpersonateNamedPipeClient-1.ImpersonateDdeClientWindow-1.ImpersonateSecurityContext-1.SetThreadToken-1 languages: - c - cpp message: | These functions may be used to either drop or change account privileges. If the calls fail, the process will continue to run with the privileges assigned to it on start. Depending on the logic of the application, this may allow attackers to abuse the system due to privileges never being changed to a different access level. Always ensure return values of this function are checked to determine if the application should continue to operate. metadata: shortDescription: Ensure return values are checked when attempting to drop privileges cwe: CWE-250 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: High category: security primary_identifier: flawfinder.RpcImpersonateClient-1.ImpersonateLoggedOnUser-1.CoImpersonateClient-1.ImpersonateNamedPipeClient-1.ImpersonateDdeClientWindow-1.ImpersonateSecurityContext-1.SetThreadToken-1 secondary_identifiers: - name: Flawfinder - RpcImpersonateClient type: flawfinder_func_name value: RpcImpersonateClient - name: Flawfinder - ImpersonateLoggedOnUser type: flawfinder_func_name value: ImpersonateLoggedOnUser - name: Flawfinder - CoImpersonateClient type: flawfinder_func_name value: CoImpersonateClient - name: Flawfinder - ImpersonateNamedPipeClient type: flawfinder_func_name value: ImpersonateNamedPipeClient - name: Flawfinder - ImpersonateDdeClientWindow type: flawfinder_func_name value: ImpersonateDdeClientWindow - name: Flawfinder - ImpersonateSecurityContext type: flawfinder_func_name value: ImpersonateSecurityContext - name: Flawfinder - SetThreadToken type: flawfinder_func_name value: SetThreadToken license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.RpcImpersonateClient-1.ImpersonateLoggedOnUser-1.CoImpersonateClient-1.ImpersonateNamedPipeClient-1.ImpersonateDdeClientWindow-1.ImpersonateSecurityContext-1.SetThreadToken-1 shortlink: https://sg.run/rk96 semgrep.dev: rule: r_id: 13025 rv_id: 920300 rule_id: 0oUJjL version_id: 5PTNGqv url: https://semgrep.dev/playground/r/5PTNGqv/gitlab.flawfinder.RpcImpersonateClient-1.ImpersonateLoggedOnUser-1.CoImpersonateClient-1.ImpersonateNamedPipeClient-1.ImpersonateDdeClientWindow-1.ImpersonateSecurityContext-1.SetThreadToken-1 origin: community pattern-either: - pattern: RpcImpersonateClient(...) - pattern: ImpersonateLoggedOnUser(...) - pattern: CoImpersonateClient(...) - pattern: ImpersonateNamedPipeClient(...) - pattern: ImpersonateDdeClientWindow(...) - pattern: ImpersonateSecurityContext(...) - pattern: SetThreadToken(...) severity: ERROR - id: gitlab.flawfinder.scanf-1.vscanf-1.wscanf-1._tscanf-1.vwscanf-1 languages: - c - cpp message: | Format specifiers can take optional field widths, which should be used to limit how many characters are copied into the target buffer. For more information please see: https://linux.die.net/man/3/scanf Example: ``` char buf[11] = {0}; scanf("%10s", &buf); // buf = AAAAAAAAAA\0 ``` If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/scanf-s-scanf-s-l-wscanf-s-wscanf-s-l?view=msvc-170 metadata: shortDescription: scanf() functions may allow format string based overflows cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.scanf-1.vscanf-1.wscanf-1._tscanf-1.vwscanf-1 secondary_identifiers: - name: Flawfinder - scanf type: flawfinder_func_name value: scanf - name: Flawfinder - vscanf type: flawfinder_func_name value: vscanf - name: Flawfinder - wscanf type: flawfinder_func_name value: wscanf - name: Flawfinder - _tscanf type: flawfinder_func_name value: _tscanf - name: Flawfinder - vwscanf type: flawfinder_func_name value: vwscanf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.scanf-1.vscanf-1.wscanf-1._tscanf-1.vwscanf-1 shortlink: https://sg.run/Jj6o semgrep.dev: rule: r_id: 13046 rv_id: 920316 rule_id: pKUw5J version_id: A8TNlE5 url: https://semgrep.dev/playground/r/A8TNlE5/gitlab.flawfinder.scanf-1.vscanf-1.wscanf-1._tscanf-1.vwscanf-1 origin: community pattern-either: - patterns: - pattern: scanf($FMT, ...) - pattern-not: scanf("...", ...) - patterns: - pattern: vscanf($FMT, ...) - pattern-not: vscanf("...", ...) - patterns: - pattern: wscanf($FMT, ...) - pattern-not: wscanf("...", ...) - patterns: - pattern: _tscanf($FMT, ...) - pattern-not: _tscanf(_T("..."), ...) - patterns: - pattern: vwscanf(FMT, ...) - pattern-not: vwscanf("...", ...) severity: ERROR - id: gitlab.flawfinder.SetSecurityDescriptorDacl-1 languages: - c - cpp message: | When `SetSecurityDescriptorDacl` is called with a null `pDacl` parameter and the `bDaclPresent` flag is `TRUE`, all access to the object is allowed. An attacker could set the object to Deny all, which would include even the Administrator user(s). Either call `SetSecurityDescriptorDacl` with bDaclPresent as `FALSE`, or supply a valid non-null `pDacl` parameter value. For more information please see: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-setsecuritydescriptordacl#remarks metadata: shortDescription: Null ACL when calling SetSecurityDescriptorDacl may allow all access to objects cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.SetSecurityDescriptorDacl-1 secondary_identifiers: - name: Flawfinder - SetSecurityDescriptorDacl type: flawfinder_func_name value: SetSecurityDescriptorDacl license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.SetSecurityDescriptorDacl-1 shortlink: https://sg.run/brkZ semgrep.dev: rule: r_id: 13070 rv_id: 920339 rule_id: QrUpe8 version_id: w8TkbWb url: https://semgrep.dev/playground/r/w8TkbWb/gitlab.flawfinder.SetSecurityDescriptorDacl-1 origin: community pattern: SetSecurityDescriptorDacl(...) severity: ERROR - id: gitlab.flawfinder.snprintf-1.vsnprintf-1._snprintf-1._sntprintf-1._vsntprintf-1 languages: - c - cpp message: | Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or strip all format specifiers from the input prior to calling the `snprintf` family of functions. Note that some variations of this function do not always null terminate the strings. For more information on using snprintf please see: https://linux.die.net/man/3/snprintf For more information on format string attacks please see OWASP's attack guide: https://owasp.org/www-community/attacks/Format_string_attack metadata: shortDescription: Potential format string vulnerability cwe: CWE-134 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.snprintf-1.vsnprintf-1._snprintf-1._sntprintf-1._vsntprintf-1 secondary_identifiers: - name: Flawfinder - snprintf type: flawfinder_func_name value: snprintf - name: Flawfinder - vsnprintf type: flawfinder_func_name value: vsnprintf - name: Flawfinder - _snprintf type: flawfinder_func_name value: _snprintf - name: Flawfinder - _sntprintf type: flawfinder_func_name value: _sntprintf - name: Flawfinder - _vsntprintf type: flawfinder_func_name value: _vsntprintf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.snprintf-1.vsnprintf-1._snprintf-1._sntprintf-1._vsntprintf-1 shortlink: https://sg.run/pkj3 semgrep.dev: rule: r_id: 13062 rv_id: 920332 rule_id: d8UlJZ version_id: 1QT4NEr url: https://semgrep.dev/playground/r/1QT4NEr/gitlab.flawfinder.snprintf-1.vsnprintf-1._snprintf-1._sntprintf-1._vsntprintf-1 origin: community pattern-either: - patterns: - pattern: snprintf($BUF,$SIZE,$FMT,...) - pattern-not: snprintf($BUF,$SIZE,"...",...) - patterns: - pattern: vsnprintf($BUF,$SIZE,$FMT) - pattern-not: vsnprintf($BUF,$SIZE,"...",...) - patterns: - pattern: _snprintf($BUF,$SIZE,$FMT,...) - pattern-not: _snprintf($BUF,$SIZE,$FMT,"...",...) - patterns: - pattern: _sntprintf($VAR,$FMT,...) - pattern-not: sntprintf($VAR,"...",...) - patterns: - pattern: _vsntprintf($VAR,$FMT,...) - pattern-not: _vsntprintf($VAR,"...",...) severity: ERROR - id: gitlab.flawfinder.sprintf-1.vsprintf-1.swprintf-1.vswprintf-1._stprintf-1._vstprintf-1 languages: - c - cpp message: | Use sprintf_s, snprintf, or vsnprintf instead. The `sprintf` family of functions do not allow callers to set limits on how many bytes the destination buffer can hold. Consider using more secure alternatives such as `snprintf`. For more information please see: https://linux.die.net/man/3/snprintf If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/sprintf-s-sprintf-s-l-swprintf-s-swprintf-s-l?view=msvc-170 metadata: shortDescription: Insecure function unable to limit / check buffer sizes cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.sprintf-1.vsprintf-1.swprintf-1.vswprintf-1._stprintf-1._vstprintf-1 secondary_identifiers: - name: Flawfinder - sprintf type: flawfinder_func_name value: sprintf - name: Flawfinder - vsprintf type: flawfinder_func_name value: vsprintf - name: Flawfinder - swprintf type: flawfinder_func_name value: swprintf - name: Flawfinder - vswprintf type: flawfinder_func_name value: vswprintf - name: Flawfinder - _stprintf type: flawfinder_func_name value: _stprintf - name: Flawfinder - _vstprintf type: flawfinder_func_name value: _vstprintf license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.sprintf-1.vsprintf-1.swprintf-1.vswprintf-1._stprintf-1._vstprintf-1 shortlink: https://sg.run/5J76 semgrep.dev: rule: r_id: 13047 rv_id: 920317 rule_id: 2ZUK9n version_id: BjTKLyp url: https://semgrep.dev/playground/r/BjTKLyp/gitlab.flawfinder.sprintf-1.vsprintf-1.swprintf-1.vswprintf-1._stprintf-1._vstprintf-1 origin: community pattern-either: - pattern: sprintf(...) - pattern: vsprintf(...) - pattern: swprintf(...) - pattern: vswprintf(...) - pattern: _stprintf(...) - pattern: _vstprintf(...) severity: ERROR - id: gitlab.flawfinder.StrCat-1.StrCatA-1.StrcatW-1.lstrcatA-1.lstrcatW-1.strCatBuff-1.StrCatBuffA-1.StrCatBuffW-1.StrCatChainW-1._tccat-1._mbccat-1._ftcscat-1.StrCatN-1.StrCatNA-1.StrCatNW-1.StrNCat-1.StrNCatA-1.StrNCatW-1.lstrncat-1.lstrcatnA-1.lstrcatnW-1 languages: - c - cpp message: | The `StrCat` family of functions do not guarantee the final string to be null terminated. Consider using one of the following alternatives: `StringCbCat`, `StringCbCatEx`, `StringCbCatN`, `StringCbCatNEx`, `StringCchCat`, `StringCchCatEx`, `StringCchCatN`, or `StringCchCatNEx`. For more information please see: https://learn.microsoft.com/en-us/windows/win32/api/strsafe/ metadata: shortDescription: Insecure string processing function cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.StrCat-1.StrCatA-1.StrcatW-1.lstrcatA-1.lstrcatW-1.strCatBuff-1.StrCatBuffA-1.StrCatBuffW-1.StrCatChainW-1._tccat-1._mbccat-1._ftcscat-1.StrCatN-1.StrCatNA-1.StrCatNW-1.StrNCat-1.StrNCatA-1.StrNCatW-1.lstrncat-1.lstrcatnA-1.lstrcatnW-1 secondary_identifiers: - name: Flawfinder - StrCat type: flawfinder_func_name value: StrCat - name: Flawfinder - StrCatA type: flawfinder_func_name value: StrCatA - name: Flawfinder - StrcatW type: flawfinder_func_name value: StrcatW - name: Flawfinder - lstrcatA type: flawfinder_func_name value: lstrcatA - name: Flawfinder - lstrcatW type: flawfinder_func_name value: lstrcatW - name: Flawfinder - strCatBuff type: flawfinder_func_name value: strCatBuff - name: Flawfinder - StrCatBuffA type: flawfinder_func_name value: StrCatBuffA - name: Flawfinder - StrCatBuffW type: flawfinder_func_name value: StrCatBuffW - name: Flawfinder - StrCatChainW type: flawfinder_func_name value: StrCatChainW - name: Flawfinder - _tccat type: flawfinder_func_name value: _tccat - name: Flawfinder - _mbccat type: flawfinder_func_name value: _mbccat - name: Flawfinder - _ftcscat type: flawfinder_func_name value: _ftcscat - name: Flawfinder - StrCatN type: flawfinder_func_name value: StrCatN - name: Flawfinder - StrCatNA type: flawfinder_func_name value: StrCatNA - name: Flawfinder - StrCatNW type: flawfinder_func_name value: StrCatNW - name: Flawfinder - StrNCat type: flawfinder_func_name value: StrNCat - name: Flawfinder - StrNCatA type: flawfinder_func_name value: StrNCatA - name: Flawfinder - StrNCatW type: flawfinder_func_name value: StrNCatW - name: Flawfinder - lstrncat type: flawfinder_func_name value: lstrncat - name: Flawfinder - lstrcatnA type: flawfinder_func_name value: lstrcatnA - name: Flawfinder - lstrcatnW type: flawfinder_func_name value: lstrcatnW license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.StrCat-1.StrCatA-1.StrcatW-1.lstrcatA-1.lstrcatW-1.strCatBuff-1.StrCatBuffA-1.StrCatBuffW-1.StrCatChainW-1._tccat-1._mbccat-1._ftcscat-1.StrCatN-1.StrCatNA-1.StrCatNW-1.StrNCat-1.StrNCatA-1.StrNCatW-1.lstrncat-1.lstrcatnA-1.lstrcatnW-1 shortlink: https://sg.run/kkoX semgrep.dev: rule: r_id: 13028 rv_id: 920303 rule_id: lBUzG9 version_id: A8TNlqb url: https://semgrep.dev/playground/r/A8TNlqb/gitlab.flawfinder.StrCat-1.StrCatA-1.StrcatW-1.lstrcatA-1.lstrcatW-1.strCatBuff-1.StrCatBuffA-1.StrCatBuffW-1.StrCatChainW-1._tccat-1._mbccat-1._ftcscat-1.StrCatN-1.StrCatNA-1.StrCatNW-1.StrNCat-1.StrNCatA-1.StrNCatW-1.lstrncat-1.lstrcatnA-1.lstrcatnW-1 origin: community pattern-either: - pattern: strcat(...) - pattern: strcatA(...) - pattern: StrcatW(...) - pattern: lstrcatA(...) - pattern: lstrcatW(...) - pattern: strCatBuff(...) - pattern: StrCatBuffA(...) - pattern: StrCatBuffW(...) - pattern: StrCatChainW(...) - pattern: _tccat(...) - pattern: _mbccat(...) - pattern: _ftcscat(...) - pattern: StrCatN(...) - pattern: StrCatNA(...) - pattern: StrCatNW(...) - pattern: StrNCat(...) - pattern: StrNCatA(...) - pattern: StrNCatW(...) - pattern: lstrncat(...) - pattern: lstrcatnA(...) - pattern: lstrcatnW(...) severity: ERROR - id: gitlab.flawfinder.strccpy-1.strcadd-1 languages: - c - cpp message: | The `strccpy` and `strcadd` functions do not allow the caller to check that the destination size of the buffer will fit the input buffer prior to copying. For more information please see: https://docs.oracle.com/cd/E18752_01/html/816-5172/streadd-3gen.html metadata: shortDescription: Insecure string processing functions cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strccpy-1.strcadd-1 secondary_identifiers: - name: Flawfinder - strccpy type: flawfinder_func_name value: strccpy - name: Flawfinder - strcadd type: flawfinder_func_name value: strcadd license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strccpy-1.strcadd-1 shortlink: https://sg.run/RP9E semgrep.dev: rule: r_id: 13049 rv_id: 920319 rule_id: j2URoA version_id: WrTYn78 url: https://semgrep.dev/playground/r/WrTYn78/gitlab.flawfinder.strccpy-1.strcadd-1 origin: community pattern-either: - pattern: strccpy(...) - pattern: strcadd(...) severity: INFO - id: gitlab.flawfinder.strcpy-1 languages: - c - cpp message: | The `strcpy` family of functions do not provide the ability to limit or check buffer sizes before copying to a destination buffer. This can lead to buffer overflows. Consider using more secure alternatives such as `strncpy` and provide the correct limit to the destination buffer and ensure the string is null terminated. For more information please see: https://linux.die.net/man/3/strncpy If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170 metadata: shortDescription: Insecure string processing function (strcpy) cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strcpy-1 secondary_identifiers: - name: Flawfinder - strcpy type: flawfinder_func_name value: strcpy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strcpy-1 shortlink: https://sg.run/AwAg semgrep.dev: rule: r_id: 13050 rv_id: 920320 rule_id: 10Ue1w version_id: 0bTp3GG url: https://semgrep.dev/playground/r/0bTp3GG/gitlab.flawfinder.strcpy-1 origin: community pattern: strcpy(...) severity: ERROR - id: gitlab.flawfinder.strcpyA-1.strcpyW-1.StrCpy-1.StrCpyA-1.lstrcpyA-1.lstrcpyW-1._tccpy-1._mbccpy-1._ftcscpy-1._mbsncpy-1.StrCpyN-1.StrCpyNA-1.StrCpyNW-1.StrNCpy-1.strcpynA-1.StrNCpyA-1.StrNCpyW-1.lstrcpynA-1.lstrcpynW-1 languages: - c - cpp message: | The `StrCpy` family of functions do not guarantee the final string to be null terminated. Consider using one of the following alternatives `StringCbCopy`, `StringCbCopyEx`, `StringCbCopyN`, `StringCbCopyNEx`, `StringCchCopy`, `StringCchCopyEx`, `StringCchCopyN`, or `StringCchCopyNEx`. If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170 metadata: shortDescription: Insecure string processing function cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strcpyA-1.strcpyW-1.StrCpy-1.StrCpyA-1.lstrcpyA-1.lstrcpyW-1._tccpy-1._mbccpy-1._ftcscpy-1._mbsncpy-1.StrCpyN-1.StrCpyNA-1.StrCpyNW-1.StrNCpy-1.strcpynA-1.StrNCpyA-1.StrNCpyW-1.lstrcpynA-1.lstrcpynW-1 secondary_identifiers: - name: Flawfinder - strcpyA type: flawfinder_func_name value: strcpyA - name: Flawfinder - strcpyW type: flawfinder_func_name value: strcpyW - name: Flawfinder - StrCpy type: flawfinder_func_name value: StrCpy - name: Flawfinder - StrCpyA type: flawfinder_func_name value: StrCpyA - name: Flawfinder - lstrcpyA type: flawfinder_func_name value: lstrcpyA - name: Flawfinder - lstrcpyW type: flawfinder_func_name value: lstrcpyW - name: Flawfinder - _tccpy type: flawfinder_func_name value: _tccpy - name: Flawfinder - _mbccpy type: flawfinder_func_name value: _mbccpy - name: Flawfinder - _ftcscpy type: flawfinder_func_name value: _ftcscpy - name: Flawfinder - _mbsncpy type: flawfinder_func_name value: _mbsncpy - name: Flawfinder - StrCpyN type: flawfinder_func_name value: StrCpyN - name: Flawfinder - StrCpyNA type: flawfinder_func_name value: StrCpyNA - name: Flawfinder - StrCpyNW type: flawfinder_func_name value: StrCpyNW - name: Flawfinder - StrNCpy type: flawfinder_func_name value: StrNCpy - name: Flawfinder - strcpynA type: flawfinder_func_name value: strcpynA - name: Flawfinder - StrNCpyA type: flawfinder_func_name value: StrNCpyA - name: Flawfinder - StrNCpyW type: flawfinder_func_name value: StrNCpyW - name: Flawfinder - lstrcpynA type: flawfinder_func_name value: lstrcpynA - name: Flawfinder - lstrcpynW type: flawfinder_func_name value: lstrcpynW license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strcpyA-1.strcpyW-1.StrCpy-1.StrCpyA-1.lstrcpyA-1.lstrcpyW-1._tccpy-1._mbccpy-1._ftcscpy-1._mbsncpy-1.StrCpyN-1.StrCpyNA-1.StrCpyNW-1.StrNCpy-1.strcpynA-1.StrNCpyA-1.StrNCpyW-1.lstrcpynA-1.lstrcpynW-1 shortlink: https://sg.run/BLBb semgrep.dev: rule: r_id: 13051 rv_id: 920321 rule_id: 9AUkxG version_id: K3TwLg8 url: https://semgrep.dev/playground/r/K3TwLg8/gitlab.flawfinder.strcpyA-1.strcpyW-1.StrCpy-1.StrCpyA-1.lstrcpyA-1.lstrcpyW-1._tccpy-1._mbccpy-1._ftcscpy-1._mbsncpy-1.StrCpyN-1.StrCpyNA-1.StrCpyNW-1.StrNCpy-1.strcpynA-1.StrNCpyA-1.StrNCpyW-1.lstrcpynA-1.lstrcpynW-1 origin: community pattern-either: - pattern: strcpyA(...) - pattern: strcpyW(...) - pattern: StrCpy(...) - pattern: StrCpyA(...) - pattern: lstrcpyA(...) - pattern: lstrcpyW(...) - pattern: _tccpy(...) - pattern: _mbccpy(...) - pattern: _ftcscpy(...) - pattern: _mbsncpy(...) - pattern: StrCpyN(...) - pattern: StrCpyNA(...) - pattern: StrCpyNW(...) - pattern: StrNCpy(...) - pattern: strcpynA(...) - pattern: StrNCpyA(...) - pattern: StrNCpyW(...) - pattern: lstrcpynA(...) - pattern: lstrcpynW(...) severity: ERROR - id: gitlab.flawfinder.streadd-1.strecpy-1 languages: - c - cpp message: | The `strecpy` and `streadd` functions require that the destination buffer size be at least four times the size of the source due to each character potentially becoming a `\` and 3 digits. For more information please see: https://docs.oracle.com/cd/E18752_01/html/816-5172/streadd-3gen.html metadata: shortDescription: Insecure string processing functions cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.streadd-1.strecpy-1 secondary_identifiers: - name: Flawfinder - streadd type: flawfinder_func_name value: streadd - name: Flawfinder - strecpy type: flawfinder_func_name value: strecpy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.streadd-1.strecpy-1 shortlink: https://sg.run/DwW2 semgrep.dev: rule: r_id: 13052 rv_id: 920322 rule_id: yyUyKE version_id: qkTpwvJ url: https://semgrep.dev/playground/r/qkTpwvJ/gitlab.flawfinder.streadd-1.strecpy-1 origin: community pattern-either: - pattern: streadd(...) - pattern: strecpy(...) severity: ERROR - id: gitlab.flawfinder.strlen-1.wcslen-1._tcslen-1._mbslen-1 languages: - c - cpp message: | The `strlen` family of functions does not handle strings that are not null terminated. This can lead to buffer over reads and cause the application to crash by accessing unintended memory locations. It is recommended that `strnlen` be used instead as a `maxlen` value can be provided. For more information please see: https://linux.die.net/man/3/strnlen If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strnlen-strnlen-s?view=msvc-170 metadata: shortDescription: Function does not handle null terminated strings properly cwe: CWE-126 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strlen-1.wcslen-1._tcslen-1._mbslen-1 secondary_identifiers: - name: Flawfinder - strlen type: flawfinder_func_name value: strlen - name: Flawfinder - wcslen type: flawfinder_func_name value: wcslen - name: Flawfinder - _tcslen type: flawfinder_func_name value: _tcslen - name: Flawfinder - _mbslen type: flawfinder_func_name value: _mbslen license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strlen-1.wcslen-1._tcslen-1._mbslen-1 shortlink: https://sg.run/WOky semgrep.dev: rule: r_id: 13053 rv_id: 920323 rule_id: r6U9Qq version_id: l4TXDp2 url: https://semgrep.dev/playground/r/l4TXDp2/gitlab.flawfinder.strlen-1.wcslen-1._tcslen-1._mbslen-1 origin: community pattern-either: - pattern: strlen(...) - pattern: wcslen(...) - pattern: _tcslen(...) - pattern: _mbslen(...) severity: INFO - id: gitlab.flawfinder.strncat-1 languages: - c - cpp message: | The `strncat` family of functions are easy to use incorrectly when calculating destination buffer sizes. It is recommended to use more secure alternatives such as `snprintf`. For more information please see: https://linux.die.net/man/3/snprintf If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncat-s-strncat-s-l-wcsncat-s-wcsncat-s-l-mbsncat-s-mbsncat-s-l?view=msvc-170 metadata: shortDescription: Function does not handle null terminated strings or invalid pointers properly cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strncat-1 secondary_identifiers: - name: Flawfinder - strncat type: flawfinder_func_name value: strncat license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strncat-1 shortlink: https://sg.run/057k semgrep.dev: rule: r_id: 13054 rv_id: 920324 rule_id: bwUN2p version_id: YDTYbw8 url: https://semgrep.dev/playground/r/YDTYbw8/gitlab.flawfinder.strncat-1 origin: community pattern: strncat(...) severity: INFO - id: gitlab.flawfinder.strncpy-1 languages: - c - cpp message: | The `strncpy` family of functions do not properly handle strings that are not null terminated. It is recommended to use more secure alternatives such as `snprintf`. For more information please see: https://linux.die.net/man/3/snprintf If developing for C Runtime Library (CRT), more secure versions of these functions should be used, see: https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l?view=msvc-170 metadata: shortDescription: Function does not handle null terminated strings or invalid pointers properly cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strncpy-1 secondary_identifiers: - name: Flawfinder - strncpy type: flawfinder_func_name value: strncpy license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strncpy-1 shortlink: https://sg.run/K8oP semgrep.dev: rule: r_id: 13055 rv_id: 920325 rule_id: NbUY74 version_id: 6xTyXRA url: https://semgrep.dev/playground/r/6xTyXRA/gitlab.flawfinder.strncpy-1 origin: community pattern: strncpy(...) severity: INFO - id: gitlab.flawfinder.strtrns-1 languages: - c - cpp message: | This function is easy to misuse by not accounting for the space necessary when transforming strings. Ensure that the destination buffer is large enough to fit the transformed output. For more information please see: https://docs.oracle.com/cd/E36784_01/html/E36877/strtrns-3gen.html metadata: shortDescription: Insecure string processing function cwe: CWE-120 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.strtrns-1 secondary_identifiers: - name: Flawfinder - strtrns type: flawfinder_func_name value: strtrns license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.strtrns-1 shortlink: https://sg.run/qq11 semgrep.dev: rule: r_id: 13056 rv_id: 920326 rule_id: kxU811 version_id: o5TK1LP url: https://semgrep.dev/playground/r/o5TK1LP/gitlab.flawfinder.strtrns-1 origin: community pattern: strtrns(...) severity: WARNING - id: gitlab.flawfinder.syslog-1 languages: - c - cpp message: | Format string vulnerabilities allow an attacker to read or in some cases, potentially write data to and from locations in the processes' memory. To prevent against format string attacks, do not allow users or un-validated input to provide the format specification. Consider using a constant for the format specification, or strip all format specifiers from the input prior to calling the `syslog` function. For more information please see: https://capec.mitre.org/data/definitions/67.html metadata: shortDescription: Potential format string vulnerability in syslog call cwe: CWE-134 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.syslog-1 secondary_identifiers: - name: Flawfinder - syslog type: flawfinder_func_name value: syslog license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.syslog-1 shortlink: https://sg.run/2R7z semgrep.dev: rule: r_id: 13063 rv_id: 920333 rule_id: ZqUgoz version_id: 9lTA732 url: https://semgrep.dev/playground/r/9lTA732/gitlab.flawfinder.syslog-1 origin: community pattern-either: - patterns: - pattern: syslog($FUNC,...) - pattern-not: syslog($FUNC,"...",...) severity: ERROR - id: gitlab.flawfinder.system-1 languages: - c - cpp message: | It is generally not recommended to call out to the operating system to execute commands. When the application is executing file system based commands, user input should never be used in constructing commands or command arguments. If possible, determine if a library can be used instead to provide the same functionality. Otherwise, consider hard coding both the command and arguments to be used, or at the very least restricting which arguments can be passed to the command execution function. For more information please see: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177 metadata: shortDescription: Potential for OS command injection cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: flawfinder.system-1 secondary_identifiers: - name: Flawfinder - system type: flawfinder_func_name value: system license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.system-1 shortlink: https://sg.run/P80N semgrep.dev: rule: r_id: 13089 rv_id: 920356 rule_id: zdU17X version_id: JdToRG6 url: https://semgrep.dev/playground/r/JdToRG6/gitlab.flawfinder.system-1 origin: community pattern: system(...) severity: ERROR - id: gitlab.flawfinder.tmpfile-1 languages: - c - cpp message: | There exists a possible race condition in between the time that `tmpfile` returns a pathname, and the time that the program opens it, another program might create that pathname using `open`, or create it as a symbolic link. Consider using the `mkstemp` function instead, but be aware it also contains possible risks. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor. For more information on temporary files please see: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152425 metadata: shortDescription: Potential time of check time of use vulnerability (tmpfile) cwe: CWE-377 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.tmpfile-1 secondary_identifiers: - name: Flawfinder - tmpfile type: flawfinder_func_name value: tmpfile license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.tmpfile-1 shortlink: https://sg.run/RPqE semgrep.dev: rule: r_id: 13093 rv_id: 920360 rule_id: j2UR7A version_id: A8TNl05 url: https://semgrep.dev/playground/r/A8TNl05/gitlab.flawfinder.tmpfile-1 origin: community pattern: tmpfile(...) severity: INFO - id: gitlab.flawfinder.tmpnam-1.tempnam-1 languages: - c - cpp message: | There exists a possible race condition in between the time that `tempnam` or `tmpnam` returns a pathname, and the time that the program opens it, another program might create that pathname using `open`, or create it as a symbolic link. Consider using the `mkstemp` function instead, but be aware it also contains possible risks. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor. For more information on temporary files please see: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152425 metadata: shortDescription: Potential time of check time of use vulnerability (tmpnam/tempnam) cwe: CWE-377 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.tmpnam-1.tempnam-1 secondary_identifiers: - name: Flawfinder - tmpnam type: flawfinder_func_name value: tmpnam - name: Flawfinder - tempnam type: flawfinder_func_name value: tempnam license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.tmpnam-1.tempnam-1 shortlink: https://sg.run/Awkg semgrep.dev: rule: r_id: 13094 rv_id: 920361 rule_id: 10Ueqw version_id: BjTKLJp url: https://semgrep.dev/playground/r/BjTKLJp/gitlab.flawfinder.tmpnam-1.tempnam-1 origin: community pattern-either: - pattern: tmpnam(...) - pattern: tempnam(...) severity: WARNING - id: gitlab.flawfinder.ulimit-1 languages: - c - cpp message: | The ulimit function is obsolete and no longer recommended. Use `getrlimit(2)`, `setrlimit`, or `sysconf` instead. For more information please see: https://linux.die.net/man/3/setrlimit metadata: shortDescription: Usage of deprecated function (ulimit) cwe: CWE-676 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Info category: security primary_identifier: flawfinder.ulimit-1 secondary_identifiers: - name: Flawfinder - ulimit type: flawfinder_func_name value: ulimit license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.ulimit-1 shortlink: https://sg.run/v2nX semgrep.dev: rule: r_id: 13077 rv_id: 920345 rule_id: ReUo4K version_id: ZRTedDw url: https://semgrep.dev/playground/r/ZRTedDw/gitlab.flawfinder.ulimit-1 origin: community pattern: ulimit(...) severity: INFO - id: gitlab.flawfinder.umask-1 languages: - c - cpp message: | The umask function call sets the process's file mode creation mask. umask values determine what permissions a file should be created with and who can read or write to these files. Ensure that umask is given most restrictive possible setting depending on the context, usually 066 or 077, for more information please see: https://en.wikipedia.org/wiki/Umask#Mask_effect. metadata: shortDescription: Ensure restrictive umask values cwe: CWE-732 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: High category: security primary_identifier: flawfinder.umask-1 secondary_identifiers: - name: Flawfinder - umask type: flawfinder_func_name value: umask license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.umask-1 shortlink: https://sg.run/brBZ semgrep.dev: rule: r_id: 13026 rv_id: 920301 rule_id: KxUY1n version_id: GxToXq2 url: https://semgrep.dev/playground/r/GxToXq2/gitlab.flawfinder.umask-1 origin: community pattern: umask(...) severity: INFO - id: gitlab.flawfinder.usleep-1 languages: - c - cpp message: | The `usleep` function has been deprecated, use `nanosleep` or `setitimer` instead. For more information please see: https://linux.die.net/man/3/setitimer metadata: shortDescription: Usage of deprecated function (usleep) cwe: CWE-676 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: Info category: security primary_identifier: flawfinder.usleep-1 secondary_identifiers: - name: Flawfinder - usleep type: flawfinder_func_name value: usleep license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.usleep-1 shortlink: https://sg.run/d0xP semgrep.dev: rule: r_id: 13078 rv_id: 920346 rule_id: AbUGoN version_id: nWTnNQe url: https://semgrep.dev/playground/r/nWTnNQe/gitlab.flawfinder.usleep-1 origin: community pattern: usleep(...) severity: INFO - id: gitlab.flawfinder.vfork-1 languages: - c - cpp message: | The `vfork` function is suffers from portability issues and is not recommended. In some Linux systems `vfork` is vulnerable to a race condition while the child process is running as the user's UID but hasn't executed `execve`. The user may be able to send signals to this process, which in `vfork` would not be sent to the parent process. As a result a user may be able to cause a denial of service against the privileged process. Use `fork` instead and be aware of other potential Time Of Check Time Of Use (TOCTOU) vulnerabilities. For more information please see: https://wiki.sei.cmu.edu/confluence/display/c/POS38-C.+Beware+of+race+conditions+when+using+fork+and+file+descriptors metadata: shortDescription: Potential time of check time of use vulnerability (vfork) cwe: CWE-362 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: flawfinder.vfork-1 secondary_identifiers: - name: Flawfinder - vfork type: flawfinder_func_name value: vfork license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.flawfinder.vfork-1 shortlink: https://sg.run/8R2J semgrep.dev: rule: r_id: 13084 rv_id: 920351 rule_id: qNUb8v version_id: gETkXEA url: https://semgrep.dev/playground/r/gETkXEA/gitlab.flawfinder.vfork-1 origin: community pattern: vfork(...) severity: INFO - id: gitlab.gosec.G102-1 languages: - go patterns: - pattern-either: - pattern: net.Listen(..., "$ADDR") - pattern: tls.Listen(..., "$ADDR", ...) - metavariable-regex: metavariable: $ADDR regex: ^(0\.0\.0\.0|\[::\])?(:[0-9]*)?$ message: | Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. By passing "0.0.0.0" as the address to the `Listen` family of functions, the application will bind to all interfaces. Consider passing in the interface ip address through an environment variable, configuration file, or by determining the primary interface(s) IP address. Example getting the IP address from an environment variable `IP_ADDRESS`: ``` addr := os.Getenv("IP_ADDRESS") listener, err := net.Listen("tcp", addr) if err != nil { log.Fatal(err) } ``` metadata: shortDescription: Exposure of sensitive information to an unauthorized actor cwe: CWE-200 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Low category: security primary_identifier: gosec.G102-1 secondary_identifiers: - name: Gosec Rule ID G102 type: gosec_rule_id value: G102 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G102-1 shortlink: https://sg.run/28xr semgrep.dev: rule: r_id: 13763 rv_id: 920392 rule_id: kxUwkP version_id: 7ZTbRPz url: https://semgrep.dev/playground/r/7ZTbRPz/gitlab.gosec.G102-1 origin: community severity: WARNING - id: gitlab.gosec.G103-1 languages: - go patterns: - pattern-either: - pattern: unsafe.Alignof(...) - pattern: unsafe.Offsetof(...) - pattern: unsafe.Sizeof(...) - pattern: unsafe.Pointer(...) message: | The `unsafe` package in Go allows low-level access to memory management features. This includes pointers and direct access to memory. The Go compiler will no longer be able to enforce type safety when working with the `unsafe` pointer types. While powerful, access to these functions can lead to many security related issues such as: - [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which can lead to code execution. - [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which can lead to code execution. - [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak) which can leak sensitive information, including data which can defeat other protection mechanisms or cause the system to run out of memory. Unless required, all calls to the `unsafe` package should be removed. metadata: shortDescription: Use of inherently dangerous function (unsafe package) cwe: CWE-242 owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components security-severity: High category: security primary_identifier: gosec.G103-1 secondary_identifiers: - name: Gosec Rule ID G103 type: gosec_rule_id value: G103 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G103-1 shortlink: https://sg.run/y1dA semgrep.dev: rule: r_id: 13768 rv_id: 920395 rule_id: v8U9nZ version_id: gETkX0A url: https://semgrep.dev/playground/r/gETkX0A/gitlab.gosec.G103-1 origin: community severity: INFO - id: gitlab.gosec.G106-1 languages: - go patterns: - pattern: ssh.InsecureIgnoreHostKey(...) message: | The application was found to ignore host keys. Host keys are important as they provide assurance that the client can prove that the host is trusted. By ignoring these host keys, it is impossible for the client to validate the connection is to a trusted host. For the `ssh.ClientConfig` `HostKeyCallback` property, consider using the [knownhosts](https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts) package that parses OpenSSH's `known_hosts` key database. Example configuration connecting to a known, trusted host: ``` knownHostCallback, err := knownhosts.New("/home/user/.ssh/known_hosts") if err != nil { log.Fatal(err) } // Create client config using the knownHost callback function config := &ssh.ClientConfig{ ... HostKeyCallback: knownHostCallback, } // Connect to ssh server conn, err := ssh.Dial("tcp", "localhost:22", config) if err != nil { log.Fatal("unable to connect: ", err) } defer conn.Close() ``` metadata: shortDescription: Key exchange without entity authentication cwe: CWE-322 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures security-severity: Medium category: security primary_identifier: gosec.G106-1 secondary_identifiers: - name: Gosec Rule ID G106 type: gosec_rule_id value: G106 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G106-1 shortlink: https://sg.run/5DQj semgrep.dev: rule: r_id: 13747 rv_id: 920374 rule_id: qNUXje version_id: X0TAKk0 url: https://semgrep.dev/playground/r/X0TAKk0/gitlab.gosec.G106-1 origin: community severity: WARNING - id: gitlab.gosec.G108-1 languages: - go patterns: - pattern-inside: | import ( "net/http/pprof" ) ... - pattern-either: - pattern: http.ListenAndServe(...) - pattern: http.ListenAndServeTLS(...) - pattern: http.Serve(...) - pattern: http.ServeTLS(...) message: | Go has a built in profiling service that is enabled by starting an HTTP server with `net/http/pprof` imported. The `/debug/pprof` endpoint does not require any authentication and can be accessed by anonymous users. This profiling endpoint can leak sensitive information and should not be enabled in production. To remediate this, remove the `net/http/pprof` import from the file. metadata: shortDescription: Active debug code (pprof enabled) cwe: CWE-489 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Medium category: security primary_identifier: gosec.G108-1 secondary_identifiers: - name: Gosec Rule ID G108 type: gosec_rule_id value: G108 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G108-1 shortlink: https://sg.run/oYxX semgrep.dev: rule: r_id: 13760 rv_id: 920389 rule_id: r6UwrQ version_id: ZRTedxw url: https://semgrep.dev/playground/r/ZRTedxw/gitlab.gosec.G108-1 origin: community severity: ERROR - id: gitlab.gosec.G110-1 languages: - go mode: taint pattern-sources: - pattern: gzip.NewReader(...) - pattern: zlib.NewReader(...) - pattern: bzip2.NewReader(...) - pattern: flate.NewReader(...) - pattern: lzw.NewReader(...) - pattern: tar.NewReader(...) - pattern: zip.NewReader(...) - pattern: zlib.NewReaderDict(...) - pattern: flate.NewReaderDict(...) - pattern: zip.OpenReader(...) pattern-sanitizers: - patterns: - pattern: io.LimitReader($TAINTED, ...) - focus-metavariable: $TAINTED pattern-sinks: - patterns: - pattern: io.Copy($DST, $TAINTED) - focus-metavariable: $TAINTED - patterns: - pattern: io.CopyBuffer($DST, $TAINTED, $BUF) - focus-metavariable: $TAINTED message: | Directly decompressing files or buffers may lead to a potential Denial of Service (DoS) due to a decompression bomb. Decompression bombs are maliciously compressed files or data that decompresses to extremely large sizes. This can cause the process to run out of memory, or the disk to fill up. To protect against decompression bombs, an [io.LimitReader(...)](https://pkg.go.dev/io#LimitReader) should be used to limit how much can be read during the decompression routine. Example using `io.LimitReader` to protect against a decompression bomb: ``` f, err := os.Open("some.gz") if err != nil { log.Fatal(err) } r, err := gzip.NewReader(f) if err != nil { log.Fatal(err) } const oneMegabyte = 1024 * 1024 limitedReader := io.LimitReader(r, oneMegabyte) // use limitedReader to stop copying after 1 MB if _, err := io.Copy(os.Stdout, limitedReader); err != nil { log.Fatal(err) } ``` metadata: shortDescription: Improper handling of highly compressed data cwe: CWE-409 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium category: security primary_identifier: gosec.G110-1 secondary_identifiers: - name: Gosec Rule ID G110 type: gosec_rule_id value: G110 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G110-1 shortlink: https://sg.run/Wp8E semgrep.dev: rule: r_id: 13753 rv_id: 920380 rule_id: pKUpOv version_id: bZTLoQ2 url: https://semgrep.dev/playground/r/bZTLoQ2/gitlab.gosec.G110-1 origin: community severity: WARNING - id: gitlab.gosec.G202-1 languages: - go mode: taint pattern-sources: - patterns: - pattern: fmt.Sprintf(...) - pattern-not: | fmt.Sprintf("...", "...") - patterns: - pattern: | "..." + $X - pattern-not: | "..." + "..." - pattern: | ($SB : strings.Builder).String() pattern-sinks: - patterns: - pattern: $DB.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: ^(Exec(Context)?|Query(Context)?|QueryRow(Context)?)$ message: | SQL Injection is a critical vulnerability that can lead to data or system compromise. By dynamically generating SQL query strings, user input may be able to influence the logic of the SQL statement. This could lead to an adversary accessing information they should not have access to or in some circumstances, being able to execute OS functionality or code. Replace all dynamically generated SQL queries with parameterized queries. In situations where dynamic queries must be created, never use direct user input, but instead use a map or dictionary of valid values and resolve them using a user supplied key. For example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<` values to be used in the construction of the dynamic query. The same goes for other queries where column or table names are required but cannot be parameterized. Example using parameterized queries with `sql.Query`: ``` rows, err := db.Query("SELECT * FROM users WHERE userName = ?", userName) if err != nil { return nil, err } defer rows.Close() for rows.Next() { // ... process rows } ``` For more information on SQL Injection see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html metadata: shortDescription: Improper neutralization of special elements used in an SQL command ('SQL Injection') cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: gosec.G202-1 secondary_identifiers: - name: Gosec Rule ID G201 type: gosec_rule_id value: G201 - name: Gosec Rule ID G202 type: gosec_rule_id value: G202 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G202-1 shortlink: https://sg.run/jwRP semgrep.dev: rule: r_id: 13765 rv_id: 920393 rule_id: x8Uxn5 version_id: LjTzeBq url: https://semgrep.dev/playground/r/LjTzeBq/gitlab.gosec.G202-1 origin: community severity: WARNING - id: gitlab.gosec.G203-1 languages: - go patterns: - pattern-either: - patterns: - pattern: template.HTML($IN) - pattern-not: template.HTML("...") - patterns: - pattern: template.JS($IN) - pattern-not: template.JS("...") - patterns: - pattern: template.URL($IN) - pattern-not: template.URL("...") - patterns: - pattern: template.HTMLAttr($IN) - pattern-not: template.HTMLAttr("...") message: | Cross Site Scripting (XSS) is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Use of the following template types with user input denotes a security risk: - [template.HTML](https://pkg.go.dev/html/template#HTML) - [template.JS](https://pkg.go.dev/html/template#JS) - [template.URL](https://pkg.go.dev/html/template#URL) - [template.HTMLAttr](https://pkg.go.dev/html/template#HTMLAttr) Either remove these types from the application or hardcode as const strings prior to conversion: ``` testTemplate, err := template.New("testTemplate").Funcs(template.FuncMap{ "SafeHTML": func() template.HTML { const safeHTML = "
hardcoded, safe html
" return template.HTML(safeHTML) }, }).Parse(`{{ SafeHTML }}`) if err != nil { log.Fatal(err) } if err := testTemplate.Execute(os.Stdout, nil); err != nil { log.Fatal(err) } ``` metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') cwe: CWE-79 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium category: security primary_identifier: gosec.G203-1 secondary_identifiers: - name: Gosec Rule ID G203 type: gosec_rule_id value: G203 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G203-1 shortlink: https://sg.run/66nK semgrep.dev: rule: r_id: 13759 rv_id: 920388 rule_id: yyUPno version_id: d6T6g7B url: https://semgrep.dev/playground/r/d6T6g7B/gitlab.gosec.G203-1 origin: community severity: WARNING - id: gitlab.gosec.G204-1 languages: - go patterns: - pattern-either: - patterns: - pattern: exec.CommandContext($CTX, $EXE, ...) - pattern-not: exec.CommandContext($CTX, "...", ...) - patterns: - pattern: exec.Command($EXE, ...) - pattern-not: exec.Command("...", ...) - patterns: - pattern: syscall.ForkExec($EXE, ...) - pattern-not: syscall.ForkExec("...", ...) - patterns: - pattern: syscall.StartProcess($EXE, ...) - pattern-not: syscall.StartProcess("...", ...) message: | OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed. User input should never be used in constructing commands or command arguments to functions which execute OS commands. This includes filenames supplied by user uploads or downloads. Ensure your application does not: - Use user-supplied information in the process name to execute. - Use user-supplied information in an OS command execution function which does not escape shell meta-characters. - Use user-supplied information in arguments to OS commands. The application should have a hardcoded set of arguments that are to be passed to OS commands. If filenames are being passed to these functions, it is recommended that a hash of the filename be used instead, or some other unique identifier. It is strongly recommended that a native library that implements the same functionality be used instead of using OS system commands, due to the risk of unknown attacks against third party commands. If operating in Windows environments, when specifying the OS command, ensure the application uses the full path information, otherwise the OS may attempt to look up which process to execute and could be vulnerable to untrusted search path vulnerabilities (CWE-426). Example of safely executing an OS command: ``` userData := []byte("user data") // create a temporary file in the application specific directory f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat") if err != nil { log.Fatal(err) } if _, err := f.Write(userData); err != nil { log.Fatal(err) } if err := f.Close(); err != nil { log.Fatal(err) } // pass the full path to the binary and the name of the temporary file // instead of any user supplied filename out, err := exec.Command("/bin/cat", f.Name()).Output() if err != nil { log.Fatal(err) } ``` For more information on OS command injection, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html metadata: shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') cwe: CWE-78 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High category: security primary_identifier: gosec.G204-1 secondary_identifiers: - name: Gosec Rule ID G204 type: gosec_rule_id value: G204 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G204-1 shortlink: https://sg.run/9roy semgrep.dev: rule: r_id: 13767 rv_id: 920394 rule_id: eqUz8W version_id: 8KTvln4 url: https://semgrep.dev/playground/r/8KTvln4/gitlab.gosec.G204-1 origin: community severity: WARNING - id: gitlab.gosec.G301-1 languages: - go patterns: - pattern-either: - pattern: os.Mkdir(...,$MASK) - pattern: os.MkdirAll(...,$MASK) - metavariable-comparison: metavariable: $MASK comparison: $MASK > 0o750 base: 8 message: | The application was found setting directory permissions to overly permissive values. Consider using the following values if the application user is the only process to access files in the directory specified: - 0700 - read/write access to the files in the directory Another common value is `0750` which allows the application user read/write access and group users to read the files contained in the directory. Example creating a directory with read/write permissions for only the application user: ``` err := os.Mkdir("directory", 0700) if err != nil { log.Fatal(err) } ``` For all other values please see: https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation metadata: shortDescription: Incorrect permission assignment for critical resource cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G301-1 secondary_identifiers: - name: Gosec Rule ID G301 type: gosec_rule_id value: G301 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G301-1 shortlink: https://sg.run/DzoG semgrep.dev: rule: r_id: 13752 rv_id: 920379 rule_id: zdUYkg version_id: rxTjvlW url: https://semgrep.dev/playground/r/rxTjvlW/gitlab.gosec.G301-1 origin: community severity: WARNING - id: gitlab.gosec.G302-1 languages: - go patterns: - pattern-either: - pattern: os.Chmod(...,$MASK) - pattern: os.OpenFile(...,$MASK) - pattern: os.WriteFile(...,$MASK) - metavariable-comparison: metavariable: $MASK comparison: $MASK > 0o640 base: 8 message: | The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file: - 0400 - read only access to the file - 0200 - write only access to the file - 0600 - read/write access to the file Example creating a file with read/write permissions for the application user: ``` f, err := os.OpenFile("file.txt", os.O_CREATE, 0600) if err != nil { log.Fatal(err) } defer f.Close() // continue to work with file here ``` For all other values please see: https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation metadata: shortDescription: Incorrect permission assignment for critical resource cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G302-1 secondary_identifiers: - name: Gosec Rule ID G302 type: gosec_rule_id value: G302 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G302-1 shortlink: https://sg.run/B6kR semgrep.dev: rule: r_id: 13751 rv_id: 920378 rule_id: oqU4eG version_id: yeTDgGl url: https://semgrep.dev/playground/r/yeTDgGl/gitlab.gosec.G302-1 origin: community severity: WARNING - id: gitlab.gosec.G303-1 languages: - go patterns: - pattern-either: - pattern: | os.WriteFile("$ARG", ...) - pattern: | ioutil.WriteFile("$ARG", ...) - pattern: | os.OpenFile("$ARG", <... os.O_CREATE ...>, ...) - pattern: | os.Create("$ARG") - metavariable-regex: metavariable: $ARG regex: (/tmp/.*|/var/tmp/.*) message: | The application was found creating files in shared system temporary directories (`/tmp` or `/var/tmp`) without using the `os.CreateTemp` function. Depending on how the application uses this temporary file, an attacker may be able to create symlinks that point to other files prior to the application creating or writing to the target file, leading to unintended files being created or overwritten. Example using `os.CreateTemp` in an application restricted directory: ``` // assumes /opt/appdir/ is chown'd to the running application user if err := os.MkdirAll("/opt/appdir/restricted", 0700); err != nil { log.Fatal(err) } // create a temporary file in the restricted directory in the form of temp-952569059.txt f, err := os.CreateTemp("/opt/appdir/restricted", "temp-*.txt") if err != nil { log.Fatal(err) } defer f.Close() // clean up on exit defer os.Remove(f.Name()) // work with file ``` metadata: shortDescription: Creation of temporary file with insecure permissions cwe: CWE-378 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G303-1 secondary_identifiers: - name: Gosec Rule ID G303 type: gosec_rule_id value: G303 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G303-1 shortlink: https://sg.run/qYxO semgrep.dev: rule: r_id: 13756 rv_id: 920384 rule_id: j2U3v8 version_id: xyTdr0z url: https://semgrep.dev/playground/r/xyTdr0z/gitlab.gosec.G303-1 origin: community severity: WARNING - id: gitlab.gosec.G304-1 languages: - go mode: taint pattern-sources: - pattern: os.Getenv(...) - pattern: fmt.Sprintf(...) - pattern: filepath.Join(...) - pattern: path.Join(...) - patterns: - pattern-either: - pattern: '... + $TAINTED' - pattern: '... + $TAINTED + ...' - pattern: $TAINTED + ... - pattern-not: '"..." + $TAINTED' - pattern-not: '"..." + $TAINTED + "..."' - pattern-not: $TAINTED + "..." - pattern-not: fmt.Sprintf("...", "...") - patterns: - pattern-either: - pattern: | ($REQUEST : *http.Request).$SOURCE_METHOD - pattern: | ($REQUEST : http.Request).$SOURCE_METHOD - metavariable-regex: metavariable: $SOURCE_METHOD regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ pattern-sanitizers: - patterns: - pattern-either: - pattern: | $CLEAN := $PKG.Clean(...) ... if !strings.HasPrefix($CLEAN, "...") {...} - pattern: | $CLEAN := $PKG.Clean(...) ... if strings.HasPrefix($CLEAN, "...") {...} - pattern: | $CLEAN := $PKG.Clean(...) ... if strings.HasPrefix($CLEAN, "...") == false {...} - metavariable-regex: metavariable: $PKG regex: ^((file)?path)$ pattern-sinks: - pattern: os.OpenFile(...) - pattern: os.Open(...) - pattern: os.ReadFile(...) - pattern: ioutil.ReadFile(...) message: | The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users data or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or replacing it with unique values. Additionally, use `filepath.Base` to only use the filename and not path information. Always validate the full path prior to opening or writing to any file. Example using `filepath.Base`, generating a unique filename without using user input to construct filepath information: ``` type userData struct { id string userFilename string } func newUserData(userFilename string) userData { return userData{ id: randomFileID(), // random id as the filename userFilename: userFilename, } } // randomFileID generates a random id, to be used as a filename func randomFileID() string { id := make([]byte, 16) if _, err := io.ReadFull(rand.Reader, id); err != nil { log.Fatal(err) } return hex.EncodeToString(id) } func main() { // user input, saved only as a reference data := newUserData("../../possibly/malicious") // restrict all file access to this path const basePath = "/tmp/" // resolve the full path, but only use our random generated id resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id)) if err != nil { log.Fatal(err) } // verify the path is prefixed with our basePath if !strings.HasPrefix(resolvedPath, basePath) { log.Fatal("path does not start with basePath") } // process / work with file } ``` For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G304-1 secondary_identifiers: - name: Gosec Rule ID G304 type: gosec_rule_id value: G304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G304-1 shortlink: https://sg.run/0yQw semgrep.dev: rule: r_id: 13754 rv_id: 920381 rule_id: 2ZUPbo version_id: NdTeRGw url: https://semgrep.dev/playground/r/NdTeRGw/gitlab.gosec.G304-1 origin: community severity: WARNING - id: gitlab.gosec.G305-1 languages: - go mode: taint pattern-sources: - pattern: zip.OpenReader(...) - pattern: tar.OpenReader(...) pattern-sanitizers: - patterns: - pattern-either: - pattern: | $CLEAN := $PKG.Clean(...) ... if !strings.HasPrefix($CLEAN, "...") {...} - pattern: | $CLEAN := $PKG.Clean(...) ... if strings.HasPrefix($CLEAN, "...") {...} - pattern: | $CLEAN := $PKG.Clean(...) ... if strings.HasPrefix($CLEAN, "...") == false {...} - metavariable-regex: metavariable: $PKG regex: ^((file)?path)$ pattern-sinks: - pattern: filepath.Join(...) message: | The application may be vulnerable to a path traversal if it extracts untrusted archive files. This vulnerability is colloquially known as 'Zip Slip'. Archive files may contain folders which, when extracted, may write outside of the intended directory. This is exploited by including path traversal characters such as `../../other/directory` to overwrite or place files in system or application directories. Extra care must be taken when extracting archive files as there are numerous concerns: - Limit the size of the zip archive as it may contain "Zip Bombs", files that extract to extremely large sizes. - If possible, generate unique filenames instead of using the archives file names, as it may be possible for users to overwrite files if the filenames are the same. - Validate file paths are written with a prefixed, known trusted directory. - Only process regular files and not symbolic links, as some applications may attempt to read/follow the symbolic link, leading to arbitrary file read / write vulnerabilities. Example of securely processing an archive file: ``` r, err := zip.OpenReader("trusted.zip") if err != nil { log.Fatal(err) } // Ensure archive contains only the expected number of files const expectedFileCount = 10 if len(r.File) > expectedFileCount { log.Fatalf("too many files in archive: %d\n", len(r.File)) } // One approach is to sum up all files before attempting to process // them. const totalAllowedSize = 1024 * 1024 * 10 // 10MB var totalSize uint64 for _, f := range r.File { totalSize += f.UncompressedSize64 } if totalSize > totalAllowedSize { log.Fatalf("archive exceeds total allowed size: %d\n", totalSize) } // configure a max size per file allowed const maxFileSize = 1024 * 1024 // 1 MB // set restricted basePath const basePath = "/var/restricted/" // iterate over the files in the archive for _, f := range r.File { // Ensure uncompressed size does not exceed our allowed file size if f.UncompressedSize64 > maxFileSize { log.Printf("skipping file as it exceeds maxFileSize: %s\n", f.Name) continue } // Ensure file is a regular file and not a symbolic link or has other mode type // bits set if !f.Mode().IsRegular() { log.Printf("skipping non regular file: %s\n", f.Name) continue } // if possible consider not using the name at all, but generating a random id instead. // If the filename must be used, extract the base name and not folder path information name := filepath.Base(f.Name) // Join the file name to the basePath. resolvedPath := filepath.Join(basePath, name) // Application must still verify the path is prefixed by the basePath if !strings.HasPrefix(resolvedPath, basePath) { log.Fatal("path does not start with basePath") } // process / work with file } ``` If the application must process directory names as well, use the following code: ``` // Join the cleaned name to the basePath, note if 'name' starts with `../../` it // will still allow for traversal, so you _must_ verify the path prefix below resolvedPath := filepath.Join(basePath, filepath.Clean(name)) // Application must still verify the path is prefixed by the basePath if !strings.HasPrefix(resolvedPath, basePath) { log.Fatal("path does not start with basePath") } // process / work with file ``` metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G305-1 secondary_identifiers: - name: Gosec Rule ID G305 type: gosec_rule_id value: G305 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G305-1 shortlink: https://sg.run/lZ2o semgrep.dev: rule: r_id: 13757 rv_id: 920385 rule_id: 10UdKB version_id: O9Tv7Eb url: https://semgrep.dev/playground/r/O9Tv7Eb/gitlab.gosec.G305-1 origin: community severity: WARNING - id: gitlab.gosec.G306-1 languages: - go patterns: - pattern-either: - pattern: | ioutil.WriteFile(..., ..., $ARG) - metavariable-comparison: metavariable: $ARG comparison: $ARG > 0o600 base: 8 message: | The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file: - 0400 - read only access to the file - 0200 - write only access to the file - 0600 - read/write access to the file Example writing file contents with read/write permissions for the application user: ``` dat := []byte("sensitive data") if err := os.WriteFile("file.txt", dat, 0600); err != nil { log.Fatal(err) } ``` For all other values please see: https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation metadata: shortDescription: Incorrect default permissions cwe: CWE-276 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium category: security primary_identifier: gosec.G306-1 secondary_identifiers: - name: Gosec Rule ID G306 type: gosec_rule_id value: G306 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G306-1 shortlink: https://sg.run/KXln semgrep.dev: rule: r_id: 13755 rv_id: 920383 rule_id: X5Ud8j version_id: w8TkbNb url: https://semgrep.dev/playground/r/w8TkbNb/gitlab.gosec.G306-1 origin: community severity: WARNING - id: gitlab.gosec.G402-1 languages: - go patterns: - pattern-either: - pattern: | tls.Config{..., CipherSuites: []$SLICE{..., $CIPHERS, ...}, ...} - pattern: | tls.CipherSuite{..., ID: $CIPHERS, ...} - metavariable-regex: metavariable: $CIPHERS regex: ((?!tls.TLS_AES_128_GCM_SHA256)|(?!tls.TLS_AES_256_GCM_SHA384)|(?!tls.TLS_CHACHA20_POLY1305_SHA256)| (?!tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)|(?!tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)| (?!tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)|(?!tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)| (?!tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)|(?!tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)| (?!tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305)|(?!tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)| (?!tls.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)|(?!tls.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)) message: | Usage of a cryptographically insecure cipher suite has been detected. It is recommended that alternative ciphers be used instead. It is strongly recommended that all TLS connections use TLS 1.3 as Go will automatically choose the most secure cipher when negotiating the TLS handshake with client or servers. TLS 1.3 cipher suites are configured to require Perfect Forward Secrecy (PFS). PFS is an important property as it will ensure that past encrypted transmissions could not be decrypted if the TLS certificate was compromised. Example using TLS 1.3 for a Go server: ``` cert, err := tls.LoadX509KeyPair("server.crt", "server.key") if err != nil { log.Fatal(err) } cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13} srv := &http.Server{ Addr: ":8999", TLSConfig: cfg, ReadTimeout: time.Minute, WriteTimeout: time.Minute, } log.Fatal(srv.ListenAndServeTLS("", "")) ``` If TLS 1.0-1.2 must be used, then the following list of ciphers should be chosen as they support Perfect Forward Secrecy (PFS): - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 Example `tls.Config` using the recommended cipher suites: ``` cfg := &tls.Config{ MinVersion: tls.VersionTLS12, CipherSuites: []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, }, } ``` For more information on cipher suites in Go see: https://go.dev/blog/tls-cipher-suites metadata: shortDescription: Use of a broken or risky cryptographic algorithm cwe: CWE-327 category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: gosec.G402-1 secondary_identifiers: - name: Gosec Rule ID G402 type: gosec_rule_id value: G402 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G402-1 shortlink: https://sg.run/Jx9P semgrep.dev: rule: r_id: 13746 rv_id: 920373 rule_id: KxU7b3 version_id: 2KTdO5B url: https://semgrep.dev/playground/r/2KTdO5B/gitlab.gosec.G402-1 origin: community severity: WARNING - id: gitlab.gosec.G403-1 languages: - go patterns: - pattern-either: - pattern: | rsa.GenerateKey(..., $ARG) - metavariable-comparison: metavariable: $ARG comparison: $ARG < 2048 message: | The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010. While 1024-bit RSA keys have not been factored yet, advances in compute may make it possible in the near future. To generate an RSA key of 2048 pass the number of bits as the second parameter to the `rsa.GenerateKey` function: ``` import ( "crypto/rand" "crypto/rsa" ) func generate() { key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { log.Fatal(err) } } ``` metadata: shortDescription: Inadequate encryption strength cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G403-1 secondary_identifiers: - name: Gosec Rule ID G403 type: gosec_rule_id value: G403 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G403-1 shortlink: https://sg.run/RXoN semgrep.dev: rule: r_id: 13749 rv_id: 920376 rule_id: YGUDRz version_id: 1QT4N3r url: https://semgrep.dev/playground/r/1QT4N3r/gitlab.gosec.G403-1 origin: community severity: WARNING - id: gitlab.gosec.G404-1 languages: - go patterns: - patterns: - pattern-inside: | import $IMPORT "math/rand" ... - pattern-not-inside: | import "crypto/rand" - pattern-either: - pattern: $IMPORT.$METHOD(...) - pattern: rand.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (Float32|Float64|Int31|Int31n|Int63|Int63n|NormalFloat64|Uint32|Uint64) message: | Go's `math/rand` is not meant for use in generating random numbers for any cryptographic or security sensitive context. This includes generating random numbers that could be used in user specific identifiers or where the random number that is generated is considered to be secret. Replace all imports of `math/rand` with `crypto/rand`. metadata: shortDescription: Use of cryptographically weak Pseudo-Random Number Generator (PRNG) cwe: CWE-338 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G404-1 secondary_identifiers: - name: Gosec Rule ID G404 type: gosec_rule_id value: G404 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G404-1 shortlink: https://sg.run/AXvB semgrep.dev: rule: r_id: 13750 rv_id: 920377 rule_id: 6JU1jk version_id: 9lTA7q2 url: https://semgrep.dev/playground/r/9lTA7q2/gitlab.gosec.G404-1 origin: community severity: WARNING - id: gitlab.gosec.G501-1 languages: - go patterns: - pattern: | import "crypto/md5" message: | The MD5 message-digest algorithm has been cryptographically broken and is unsuitable for further use. The MD5 hash algorithm has been found to be vulnerable to producing collisions. This means that two different values, when hashed, can lead to the same hash value. It is recommended that the SHA-3 or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead. For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes. Hashing values using [BLAKE2](https://pkg.go.dev/golang.org/x/crypto/blake2b): ``` fileContents := []byte("some file contents to create hash for") blake2bHasher, err := blake2b.New512(nil) if err != nil { log.Fatal(err) } hashedValue := blake2bHasher.Sum(fileContents) fmt.Printf("%s\n", hex.EncodeToString(hashedValue)) ``` Hashing and securely comparing passwords using [Argon2id](https://pkg.go.dev/golang.org/x/crypto/argon2#hdr-Argon2id): ``` type argonParameters struct { variant string version int memory uint32 iterations uint32 parallelism uint8 saltLength uint32 keyLength uint32 } func (a argonParameters) StringFormat(salt, derivedKey []byte) string { encodedSalt := base64.RawStdEncoding.EncodeToString(salt) encodedKey := base64.RawStdEncoding.EncodeToString(derivedKey) return fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, a.memory, a.iterations, a.parallelism, encodedSalt, encodedKey, ) } func main() { // Initialize Argon2id parameters p := argonParameters{ memory: 64 * 1024, iterations: 3, parallelism: 2, saltLength: 16, keyLength: 32, } // Generate random salt (to be stored alongside derived hash key) salt := make([]byte, p.saltLength) if _, err := io.ReadFull(rand.Reader, salt); err != nil { log.Fatal(err) } usersPassword := []byte("User's Very S3cur3P4ss@rd@#$%") var derivedKey []byte // Create key hash derived from user's password { derivedKey = argon2.IDKey(usersPassword, salt, p.iterations, p.memory, p.parallelism, p.keyLength) // store p.StringFormat(...) result in a data store... fmt.Printf("%s\n", p.StringFormat(salt, derivedKey)) } // Verify a user's password against key { keyToCompare := argon2.IDKey(usersPassword, salt, p.iterations, p.memory, p.parallelism, p.keyLength) // Use subtle.ConstantTimeCompare(..., ...) to ensure no side channel leaks used in timing attacks if subtle.ConstantTimeCompare(derivedKey, keyToCompare) == 1 { fmt.Printf("Passwords match\n") } else { fmt.Printf("Passwords do not match\n") } } } ``` For more information on password storage see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html metadata: shortDescription: Use of a broken or risky cryptographic algorithm cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G501-1 secondary_identifiers: - name: Gosec Rule ID G501 type: gosec_rule_id value: G501 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G501-1 shortlink: https://sg.run/3rxW semgrep.dev: rule: r_id: 13743 rv_id: 920370 rule_id: DbU1pk version_id: o5TK1oP url: https://semgrep.dev/playground/r/o5TK1oP/gitlab.gosec.G501-1 origin: community severity: WARNING - id: gitlab.gosec.G502-1 languages: - go patterns: - pattern: | import "crypto/des" message: | The DES algorithm has not been recommended for over 15 years and was withdrawn from NIST (FIPS 46-3) in 2005. It is recommended that an algorithm that provides message integrity be used instead. Consider using `XChaCha20Poly1305` or `AES-256-GCM`. For older applications, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `XChaCha20Poly1305` - Smaller nonce value size compared to `XChaCha20Poly1305` - Catastrophic failure if nonce values are re-used Example using [XChaCha20Poly1305](https://pkg.go.dev/golang.org/x/crypto/chacha20poly1305#NewX): ``` key := make([]byte, chacha20poly1305.KeySize) if _, err := io.ReadFull(rand.Reader, key); err != nil { log.Fatal(err) } // NewX is a variant that uses longer nonce values for better security aead, err := chacha20poly1305.NewX(key) if err != nil { log.Fatal(err) } var encrypted = []byte{} var nonce = []byte{} // Encryption routine { msg := []byte("Some secret message") nonce = make([]byte, aead.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { log.Fatal("failed to generate nonce") } encrypted = aead.Seal(nil, nonce, msg, nil) } // Decryption routine { if len(encrypted) < aead.NonceSize() { log.Fatal("incorrect ciphertext length") } msg, err := aead.Open(nil, nonce, encrypted, nil) if err != nil { log.Fatal(err) } fmt.Printf("Decrypted: %s\n", msg) } ``` Example using [AES-256-GCM](https://pkg.go.dev/crypto/cipher#NewGCM): ``` // 32 byte keys will configure AES-256 key := make([]byte, 32) if _, err := io.ReadFull(rand.Reader, key); err != nil { log.Fatal(err) } blockCipher, err := aes.NewCipher(key) if err != nil { log.Fatal(err) } aead, err := cipher.NewGCM(blockCipher) if err != nil { log.Fatal(err) } var encrypted = []byte{} var nonce = []byte{} // Encryption routine { msg := []byte("Some secret message") // note that the key must be rotated every 2^32 random nonces used otherwise // cipher text could be repeated nonce = make([]byte, 12) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { log.Fatal(err) } encrypted = aead.Seal(nil, nonce, msg, nil) } // Decryption routine { msg, err := aead.Open(nil, nonce, encrypted, nil) if err != nil { log.Fatal(err) } fmt.Printf("Decrypted: %s\n", msg) } ``` metadata: shortDescription: Use of a broken or risky cryptographic algorithm cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G502-1 secondary_identifiers: - name: Gosec Rule ID G502 type: gosec_rule_id value: G502 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G502-1 shortlink: https://sg.run/Q95q semgrep.dev: rule: r_id: 13742 rv_id: 920369 rule_id: BYUdNk version_id: 6xTyXGA url: https://semgrep.dev/playground/r/6xTyXGA/gitlab.gosec.G502-1 origin: community severity: WARNING - id: gitlab.gosec.G503-1 languages: - go patterns: - pattern: | import "crypto/rc4" message: | The RC4 stream-cipher has been cryptographically broken and is unsuitable for use in production. It is recommended that ChaCha20 or Advanced Encryption Standard (AES) be used instead. Consider using `XChaCha20Poly1305` or `AES-256-GCM`. For older applications, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `XChaCha20Poly1305` - Smaller nonce value size compared to `XChaCha20Poly1305` - Catastrophic failure if nonce values are re-used Example using [XChaCha20Poly1305](https://pkg.go.dev/golang.org/x/crypto/chacha20poly1305#NewX): ``` key := make([]byte, chacha20poly1305.KeySize) if _, err := io.ReadFull(rand.Reader, key); err != nil { log.Fatal(err) } // NewX is a variant that uses longer nonce values for better security aead, err := chacha20poly1305.NewX(key) if err != nil { log.Fatal(err) } var encrypted = []byte{} var nonce = []byte{} // Encryption routine { msg := []byte("Some secret message") nonce = make([]byte, aead.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { log.Fatal("failed to generate nonce") } encrypted = aead.Seal(nil, nonce, msg, nil) } // Decryption routine { if len(encrypted) < aead.NonceSize() { log.Fatal("incorrect ciphertext length") } msg, err := aead.Open(nil, nonce, encrypted, nil) if err != nil { log.Fatal(err) } fmt.Printf("Decrypted: %s\n", msg) } ``` Example using [AES-256-GCM](https://pkg.go.dev/crypto/cipher#NewGCM): ``` // 32 byte keys will configure AES-256 key := make([]byte, 32) if _, err := io.ReadFull(rand.Reader, key); err != nil { log.Fatal(err) } blockCipher, err := aes.NewCipher(key) if err != nil { log.Fatal(err) } aead, err := cipher.NewGCM(blockCipher) if err != nil { log.Fatal(err) } var encrypted = []byte{} var nonce = []byte{} // Encryption routine { msg := []byte("Some secret message") // note that the key must be rotated every 2^32 random nonces used otherwise // cipher text could be repeated nonce = make([]byte, 12) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { log.Fatal(err) } encrypted = aead.Seal(nil, nonce, msg, nil) } // Decryption routine { msg, err := aead.Open(nil, nonce, encrypted, nil) if err != nil { log.Fatal(err) } fmt.Printf("Decrypted: %s\n", msg) } ``` metadata: shortDescription: Use of a broken or risky cryptographic algorithm cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G503-1 secondary_identifiers: - name: Gosec Rule ID G503 type: gosec_rule_id value: G503 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G503-1 shortlink: https://sg.run/4ex9 semgrep.dev: rule: r_id: 13744 rv_id: 920371 rule_id: WAUyo7 version_id: zyTG3N6 url: https://semgrep.dev/playground/r/zyTG3N6/gitlab.gosec.G503-1 origin: community severity: WARNING - id: gitlab.gosec.G505-1 languages: - go patterns: - pattern: | import "crypto/sha1" message: | The SHA-1 message-digest algorithm has been cryptographically broken and is unsuitable for further use. It is recommended that the SHA-3, or BLAKE2 family of algorithms be used for non-password based cryptographic hashes instead. For password based cryptographic hashes, consider using the bcrypt or Argon2id family of cryptographic hashes. Hashing values using [BLAKE2](https://pkg.go.dev/golang.org/x/crypto/blake2b): ``` fileContents := []byte("some file contents to create hash for") blake2bHasher, err := blake2b.New512(nil) if err != nil { log.Fatal(err) } hashedValue := blake2bHasher.Sum(fileContents) fmt.Printf("%s\n", hex.EncodeToString(hashedValue)) ``` Hashing and securely comparing passwords using [Argon2id](https://pkg.go.dev/golang.org/x/crypto/argon2#hdr-Argon2id): ``` type argonParameters struct { variant string version int memory uint32 iterations uint32 parallelism uint8 saltLength uint32 keyLength uint32 } func (a argonParameters) StringFormat(salt, derivedKey []byte) string { encodedSalt := base64.RawStdEncoding.EncodeToString(salt) encodedKey := base64.RawStdEncoding.EncodeToString(derivedKey) return fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, a.memory, a.iterations, a.parallelism, encodedSalt, encodedKey, ) } func main() { // Initialize Argon2id parameters p := argonParameters{ memory: 64 * 1024, iterations: 3, parallelism: 2, saltLength: 16, keyLength: 32, } // Generate random salt (to be stored alongside derived hash key) salt := make([]byte, p.saltLength) if _, err := io.ReadFull(rand.Reader, salt); err != nil { log.Fatal(err) } usersPassword := []byte("User's Very S3cur3P4ss@rd@#$%") var derivedKey []byte // Create key hash derived from user's password { derivedKey = argon2.IDKey(usersPassword, salt, p.iterations, p.memory, p.parallelism, p.keyLength) // store p.StringFormat(...) result in a data store... fmt.Printf("%s\n", p.StringFormat(salt, derivedKey)) } // Verify a user's password against key { keyToCompare := argon2.IDKey(usersPassword, salt, p.iterations, p.memory, p.parallelism, p.keyLength) // Use subtle.ConstantTimeCompare(..., ...) to ensure no side channel leaks used in timing attacks if subtle.ConstantTimeCompare(derivedKey, keyToCompare) == 1 { fmt.Printf("Passwords match\n") } else { fmt.Printf("Passwords do not match\n") } } } ``` For more information on password storage see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html metadata: shortDescription: Use of a broken or risky cryptographic algorithm cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium category: security primary_identifier: gosec.G505-1 secondary_identifiers: - name: Gosec Rule ID G505 type: gosec_rule_id value: G505 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G505-1 shortlink: https://sg.run/PbJv semgrep.dev: rule: r_id: 13745 rv_id: 920372 rule_id: 0oU25g version_id: pZTbDeg url: https://semgrep.dev/playground/r/pZTbDeg/gitlab.gosec.G505-1 origin: community severity: WARNING - id: gitlab.gosec.G601-1 languages: - go patterns: - pattern-either: - pattern: | for ..., $ARG := range $SLICE { <... &($ARG) ...> } - pattern: | for ..., $ARG := range $SLICE { <... func() { <... &$ARG ...> } ...> } - pattern: | for ..., $ARG := range $SLICE { <... $X(..., <... &$ARG ...>, ...) ...> } - pattern-not: | for ..., $ARG := range $SLICE { <... *$ARG ...> } - pattern-not-inside: for ..., $ARG := range $SLICE { return ... } message: | Go's `for ... range` statements create an iteration variable for each iteration of the loop. By taking the address of this iteration variable, the value of the address will be re-used and always point to the same location in memory. This can have unexpected behavior if the address is stored or re-used. This can be fixed by: - Not referencing the address of the variable - Re-assigning the iteration variable to a new variable - Using the address of the indexed variable Example not referencing the address: ``` type someStruct struct { x int } for _, n := range []someStruct{{1}, {2}, {3}, {4}} { fmt.Printf("%d\n", n.x) } ``` Example reassigning the iteration variable to a new variable: ``` type someStruct struct { x int } for _, n := range []someStruct{{1}, {2}, {3}, {4}} { p := n fmt.Printf("%p\n", &p) } ``` Example using the address of the indexed variable: ``` type someStruct struct { x int } structData := []someStruct{{1}, {2}, {3}, {4}} for idx := range structData { fmt.Printf("%p\n", &structData[idx]) } ``` For more information on how the `for ... range` statement works see: https://go.dev/ref/spec#For_statements metadata: shortDescription: Incorrect access of indexable resource ('Range Error') cwe: CWE-118 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Info category: security primary_identifier: gosec.G601-1 secondary_identifiers: - name: Gosec Rule ID G601 type: gosec_rule_id value: G601 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.gosec.G601-1 shortlink: https://sg.run/pYxe semgrep.dev: rule: r_id: 13762 rv_id: 920391 rule_id: NbUNk2 version_id: ExT1WvB url: https://semgrep.dev/playground/r/ExT1WvB/gitlab.gosec.G601-1 origin: community severity: WARNING - id: generic.secrets.gitleaks.facebook-access-token.facebook-access-token message: A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.facebook-access-token.facebook-access-token shortlink: https://sg.run/Ab0Pg semgrep.dev: rule: r_id: 121950 rv_id: 1262727 rule_id: 4bUR8vw version_id: NdTzyeZ url: https://semgrep.dev/playground/r/NdTzyeZ/generic.secrets.gitleaks.facebook-access-token.facebook-access-token origin: community patterns: - pattern-regex: (?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.github-app-token.github-app-token message: A gitleaks github-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.github-app-token.github-app-token shortlink: https://sg.run/92o8 semgrep.dev: rule: r_id: 44723 rv_id: 1262743 rule_id: 7KUJQX version_id: 3ZT4XL8 url: https://semgrep.dev/playground/r/3ZT4XL8/generic.secrets.gitleaks.github-app-token.github-app-token origin: community patterns: - pattern-regex: (ghu|ghs)_[0-9a-zA-Z]{36} - id: terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled patterns: - pattern-either: - pattern: | resource "aws_lb" $ANYTHING { ... } - pattern: | resource "aws_alb" $ANYTHING { ... } - pattern-not-inside: | resource $ANYLB $ANYTHING { ... access_logs { ... enabled = true ... } ... } - pattern-not-inside: "resource $ANYLB $ANYTHING {\n ...\n subnet_mapping {\n \ ...\n }\n ...\n} \n" message: ELB has no logging. Missing logs can cause missing important event information. languages: - hcl severity: WARNING metadata: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' technology: - aws - terraform category: security references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled shortlink: https://sg.run/Yrye semgrep.dev: rule: r_id: 17358 rv_id: 1263720 rule_id: 4bUg3J version_id: 0bTKzj4 url: https://semgrep.dev/playground/r/0bTKzj4/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled origin: community - id: gitlab.find_sec_bugs_kotlin.EL_INJECTION-1 languages: - kotlin message: | An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: category: security cwe: CWE-917 shortDescription: Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.EL_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.EL_INJECTION-1 shortlink: https://sg.run/x80NP semgrep.dev: rule: r_id: 144330 rv_id: 920421 rule_id: JDUN0wo version_id: 0bTp3qB url: https://semgrep.dev/playground/r/0bTp3qB/gitlab.find_sec_bugs_kotlin.EL_INJECTION-1 origin: community severity: WARNING pattern-either: - patterns: - metavariable-regex: metavariable: $METHOD regex: ^create(Method|Value)Expression$ - metavariable-pattern: metavariable: $EXPR patterns: - pattern-not: '"..."' - pattern: | ($EXP: ExpressionFactory ).$METHOD(($CTX: $X.el.ELContext), $EXPR, ...) - patterns: - pattern: | ($P: $X.el.ELProcessor).$METHOD(...) - pattern-not: | ($P: $X.el.ELProcessor).$METHOD("...", ...) - metavariable-regex: metavariable: $METHOD regex: ^(eval|(get|set)Value)$ - id: gitlab.find_sec_bugs_kotlin.FILE_UPLOAD_FILENAME-1 languages: - kotlin message: | The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / \), and refers to an authorized file. metadata: category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.FILE_UPLOAD_FILENAME-1 secondary_identifiers: - name: Find Security Bugs-FILE_UPLOAD_FILENAME type: find_sec_bugs_type value: FILE_UPLOAD_FILENAME license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.FILE_UPLOAD_FILENAME-1 shortlink: https://sg.run/NbkY1 semgrep.dev: rule: r_id: 144327 rv_id: 920418 rule_id: qNU26gX version_id: BjTKLvn url: https://semgrep.dev/playground/r/BjTKLvn/gitlab.find_sec_bugs_kotlin.FILE_UPLOAD_FILENAME-1 origin: community severity: ERROR pattern-either: - patterns: - pattern-inside: | $FILES = ($SFU: ServletFileUpload).parseRequest(($REQ: $X.servlet.http.HttpServletRequest?)) ... for($ITEM in $FILES) { ... } - pattern: $ITEM.getName() - pattern: '($PART: $X.servlet.http.Part).getSubmittedFileName()' - id: gitlab.bandit.B108 languages: - python message: | The application was found creating files in shared system temporary directories (`/tmp` or `/var/tmp`) without using the `tempfile.TemporaryFile` function. Depending on how the application uses this temporary file, an attacker may be able to create symlinks that point to other files prior to the application creating or writing to the target file, leading to unintended files being created or overwritten. Example using `tempfile.TemporaryFile` to write a file: ``` import tempfile # Open a new temporary file using a context manager with tempfile.TemporaryFile() as fp: # Write some data to the temporary file fp.write(b'Some data') # Seek back to beginning of file fp.seek(0) # Read it data = fp.read() # File is automatically closed/removed once we exit the with context ``` For more information on alternative tempfile functions see: - https://docs.python.org/3/library/tempfile.html metadata: cwe: CWE-377 category: security shortDescription: Insecure temporary file owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium primary_identifier: bandit.B108 secondary_identifiers: - name: Bandit Test ID B108 type: bandit_test_id value: B108 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B108 shortlink: https://sg.run/QRL4 semgrep.dev: rule: r_id: 39386 rv_id: 920134 rule_id: 0oU6oJ version_id: bZTLo1N url: https://semgrep.dev/playground/r/bZTLo1N/gitlab.bandit.B108 origin: community pattern: $CALL("=~/^\/tmp.*/", ...) severity: WARNING - id: gitlab.bandit.B113 languages: - python message: | The application was found using the `requests` module without configuring a timeout value for connections. This could lead to uncontrolled resource consumption where the application could run out of socket descriptors, effectively causing a Denial of Service (DoS). To remediate this issue, pass in a `timeout=` argument to each `requests` call. Example using a timeout for an HTTP GET request: ``` # Issue a GET request to https://example.com with a timeout of 10 seconds response = requests.get('https://example.com', timeout=10) # Work with the response object # ... ``` For more information on using the requests module see: - https://requests.readthedocs.io/en/latest/api/ patterns: - pattern-either: - patterns: - pattern: requests.$METHOD(..., timeout=$VAL, ...) - metavariable-comparison: comparison: $VAL <= 0 metavariable: $VAL - patterns: - pattern: requests.$METHOD(..., timeout=$VAL, ...) - metavariable-regex: metavariable: $VAL regex: (^None) - patterns: - pattern-not: requests.$METHOD(..., timeout=$VAL, ...) - pattern-either: - pattern: requests.$METHOD(..., ...) - pattern: requests.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (get|put|delete|post|options|head|patch) metadata: cwe: CWE-400 category: security shortDescription: Uncontrolled resource consumption owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: Medium primary_identifier: bandit.B113 secondary_identifiers: - name: Bandit Test ID B113 type: bandit_test_id value: B113 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B113 shortlink: https://sg.run/PoEq semgrep.dev: rule: r_id: 47601 rv_id: 920124 rule_id: OrULKb version_id: o5TK1Z7 url: https://semgrep.dev/playground/r/o5TK1Z7/gitlab.bandit.B113 origin: community severity: WARNING - id: gitlab.bandit.B202 languages: - python message: | The application may be vulnerable to a path traversal if it extracts untrusted archive files. This vulnerability is colloquially known as 'Zip Slip'. Archive files may contain folders which, when extracted, may write outside of the intended directory. This is exploited by including path traversal characters such as `../../other/directory` to overwrite or place files in system or application directories. Extra care must be taken when extracting archive files as there are numerous concerns: - If possible, generate unique filenames instead of using the archives file names, as it may be possible for users to overwrite files if the filenames are the same. - Validate file paths are written with a prefixed, known trusted directory. - Only process regular files and not symbolic links, as some applications may attempt to read/follow the symbolic link, leading to arbitrary file read / write vulnerabilities. Example of securely processing an archive file: ``` import tarfile import uuid # import os tar = tarfile.open('some.tar') # Max number of allowed files in our archive max_files = 10 # Max size for all files in archive max_size = 1024 * 1024 * 10 # 10MB # Max size per file in archive max_file_size = 1024 * 1024 # 1MB # Validate number of files in archive if len(tar.getmembers()) > max_files: raise Exception("Too many files in archive") total_size = 0 # Loop over all files to see if we exceed max size # if so, do not process any of them. for f in tar.getmembers(): total_size += f.size if total_size >= max_size: raise Exception("Archive files exceeded max file size") # Iterate over files now that we know the total size is within limits for f in tar.getmembers(): # Internally this calls TarInfo.isreg() which ensures # the file is a regular file and not a sym link or directory if not f.isfile(): continue # Optional, set a limit on each file size if f.size > max_file_size: raise Exception(f"File {f.name} too large: {f.size}") # If original names are required, ensure that only the # filename is used: # filename = os.path.basename(f.name) # More secure, generate a UUID4 value instead filename = uuid.uuid4().hex # Reset the archive filename to the basename # Newer versions of python (3.11.4+) should use: # new_tar = old_tar.replace(name=...new name...) f.name = filename # Extract the file into a restricted directory, with our # own user's attributes, not the file from the archive tar.extract(f, '/opt/app/restricted/', set_attrs=False) ``` For more information on tarfile see: - https://docs.python.org/3/library/tarfile.html metadata: cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') security-severity: Medium category: security primary_identifier: bandit.B202 secondary_identifiers: - name: Bandit Test ID B202 type: bandit_test_id value: B202 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B202 shortlink: https://sg.run/J0EQ semgrep.dev: rule: r_id: 47602 rv_id: 920119 rule_id: eqUPXn version_id: K3TwLJL url: https://semgrep.dev/playground/r/K3TwLJL/gitlab.bandit.B202 origin: community patterns: - pattern-inside: | import tarfile ... - pattern-either: - patterns: - pattern-inside: | $TAR = tarfile.open(...) ... - pattern-either: - pattern: $TAR.extractall(...) - pattern: tarfile.extractall(..., members=$TAR) - pattern: $TAR.extractall(..., members=[]) - patterns: - pattern: tarfile.extractall(...) - pattern: tarfile.extractall(..., members=[]) severity: WARNING - id: gitlab.bandit.B313 languages: - python message: | The application was found using the `xml.etree` package for processing XML. Pythons default xml processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `etree` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B313 secondary_identifiers: - name: Bandit Test ID B313 type: bandit_test_id value: B313 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B313 shortlink: https://sg.run/31Wr semgrep.dev: rule: r_id: 39387 rv_id: 920137 rule_id: KxUOo7 version_id: w8TkbnA url: https://semgrep.dev/playground/r/w8TkbnA/gitlab.bandit.B313 origin: community pattern-either: - patterns: - pattern: xml.etree.cElementTree.fromstring(...) - pattern-not: xml.etree.cElementTree.fromstring("...") - pattern: xml.etree.cElementTree.parse(...) - pattern: xml.etree.cElementTree.iterparse(...) - pattern: xml.etree.cElementTree.XMLParser(...) severity: WARNING - id: gitlab.bandit.B314 languages: - python message: | The application was found using the `xml.etree` package for processing XML. Pythons default xml processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `etree` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B314 secondary_identifiers: - name: Bandit Test ID B314 type: bandit_test_id value: B314 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B314 shortlink: https://sg.run/4g0l semgrep.dev: rule: r_id: 39388 rv_id: 920138 rule_id: qNUKOW version_id: xyTdrZd url: https://semgrep.dev/playground/r/xyTdrZd/gitlab.bandit.B314 origin: community pattern-either: - patterns: - pattern: xml.etree.ElementTree.fromstring(...) - pattern-not: xml.etree.ElementTree.fromstring("...") - pattern: xml.etree.ElementTree.parse(...) - pattern: xml.etree.ElementTree.iterparse(...) - pattern: xml.etree.ElementTree.XMLParser(...) severity: WARNING - id: gitlab.bandit.B315 languages: - python message: | The application was found using the `xml.sax.expatreader` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `xml.sax` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B315 secondary_identifiers: - name: Bandit Test ID B315 type: bandit_test_id value: B315 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B315 shortlink: https://sg.run/5nKA semgrep.dev: rule: r_id: 39391 rv_id: 920140 rule_id: JDUZkD version_id: e1TZK11 url: https://semgrep.dev/playground/r/e1TZK11/gitlab.bandit.B315 origin: community pattern-either: - pattern: xml.dom.expatreader.parse(...) - patterns: - pattern: xml.dom.expatreader.parseString(...) - pattern-not: xml.dom.expatreader.parseString("...") - pattern: xml.dom.expatreader.parseString(...) - pattern: xml.dom.expatreader.create_parser(...) severity: WARNING - id: gitlab.bandit.B316 languages: - python message: | The application was found using the `xml.dom.expatbuilder` which calls the `xml.dom.minidom` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `xml.dom.minidom` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B316 secondary_identifiers: - name: Bandit Test ID B316 type: bandit_test_id value: B316 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B316 shortlink: https://sg.run/Jp8w semgrep.dev: rule: r_id: 39390 rv_id: 920139 rule_id: PeUnzj version_id: O9Tv7OX url: https://semgrep.dev/playground/r/O9Tv7OX/gitlab.bandit.B316 origin: community pattern-either: - patterns: - pattern: xml.dom.expatbuilder.parse(...) - pattern-not: xml.dom.expatbuilder.parse("...") - pattern: xml.dom.expatbuilder.parseString(...) severity: WARNING - id: gitlab.bandit.B318 languages: - python message: | The application was found using the `xml.dom.minidom` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `xml.dom.minidom` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B318 secondary_identifiers: - name: Bandit Test ID B318 type: bandit_test_id value: B318 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B318 shortlink: https://sg.run/01Av semgrep.dev: rule: r_id: 39398 rv_id: 920141 rule_id: WAU68J version_id: vdTvQN8 url: https://semgrep.dev/playground/r/vdTvQN8/gitlab.bandit.B318 origin: community pattern-either: - patterns: - pattern: xml.dom.minidom.parseString(...) - pattern-not: xml.dom.minidom.parseString("...") - pattern: xml.dom.minidom.parse(...) severity: WARNING - id: gitlab.bandit.B319 languages: - python message: | The application was found using the `xml.dom.pulldom` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `xml.dom.pulldom` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B319 secondary_identifiers: - name: Bandit Test ID B319 type: bandit_test_id value: B319 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B319 shortlink: https://sg.run/K2L7 semgrep.dev: rule: r_id: 39399 rv_id: 920142 rule_id: 0oU6o9 version_id: d6T6gAy url: https://semgrep.dev/playground/r/d6T6gAy/gitlab.bandit.B319 origin: community pattern-either: - patterns: - pattern: xml.dom.pulldom.parseString(...) - pattern-not: xml.dom.pulldom.parseString("...") - pattern: xml.dom.pulldom.parse(...) severity: WARNING - id: gitlab.bandit.B320 languages: - python message: | The application was found using the `lxml.etree` package for processing XML. Python's default XML processors suffer from various XML parsing vulnerabilities and care must be taken when handling XML data. Additionally, depending on the version of Python, more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable. The `etree` package suffers from the following security risks as of Python 3.7.1: * Billion laughs / exponential entity expansion - May allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup entity expansion - Similar to above, but requires a larger input to cause the Denial of Service. To remediate the above issues, consider using the [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML. Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import parse # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = et.getroot() # Work with the root element # ... ``` For more information on the various XML parsers and their vulnerabilities please see: - https://docs.python.org/3/library/xml.html#xml-vulnerabilities For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python metadata: cwe: CWE-611 owasp: - A4:2017-XML External Entities (XXE) - A03:2021-Injection category: security shortDescription: Improper restriction of XML external entity reference security-severity: Medium primary_identifier: bandit.B320 secondary_identifiers: - name: Bandit Test ID B320 type: bandit_test_id value: B320 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B320 shortlink: https://sg.run/PGLY semgrep.dev: rule: r_id: 39389 rv_id: 920121 rule_id: lBUNZy version_id: l4TXDx0 url: https://semgrep.dev/playground/r/l4TXDx0/gitlab.bandit.B320 origin: community pattern-either: - pattern: lxml.etree.parse(...) - patterns: - pattern: lxml.etree.fromstring(...) - pattern-not: lxml.etree.fromstring("...") - pattern: lxml.etree.RestrictedElement(...) - pattern: lxml.etree.GlobalParserTLS(...) - pattern: lxml.etree.getDefaultParser(...) - pattern: lxml.etree.check_docinfo(...) severity: WARNING - id: gitlab.bandit.B502 languages: - python message: | The application was found calling an SSL module with SSL or TLS protocols that have known deficiencies. It is strongly recommended that newer applications use TLS 1.2 or 1.3 and `SSLContext.wrap_socket`. If using the `pyOpenSSL` module, please note that it has been deprecated and the Python Cryptographic Authority strongly suggests moving to use the [pyca/cryptography](https://github.com/pyca/cryptography) module instead. To remediate this issue for the `ssl` module, create a new TLS context and pass in `ssl.PROTOCOL_TLS_CLIENT` for clients or `ssl.PROTOCOL_TLS_SERVER` for servers to the `ssl.SSLContext(...)` `protocol=` argument. When converting the socket to a TLS socket, use the new `SSLContext.wrap_socket` method instead. Example creating a TLS 1.3 client socket connection by using a newer version of Python (3.11.4) and the SSL module: ``` import ssl import socket # Create our initial socket with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: # Connect the socket sock.connect(('www.example.org', 443)) # Create a new SSLContext with protocol set to ssl.PROTOCOL_TLS_CLIENT # This will auto-select the highest grade TLS protocol version (1.3) context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT) # Load our a certificates for server certificate authentication context.load_verify_locations('cert.pem') # Create our TLS socket, and validate the server hostname matches with context.wrap_socket(sock, server_hostname="www.example.org") as tls_sock: # Send some bytes over the socket (HTTP request in this case)\ data = bytes('GET / HTTP/1.1\r\nHost: example.org\r\n\r\n', 'utf-8') sent_bytes = tls_sock.send(data) # Validate number of sent bytes # ... # Read the response resp = tls_sock.recv() # Work with the response # ... ``` For more information on the ssl module see: - https://docs.python.org/3/library/ssl.html For more information on pyca/cryptography and openssl see: - https://cryptography.io/en/latest/openssl/ metadata: cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures shortDescription: Inadequate Encryption Strength security-severity: Medium category: security primary_identifier: bandit.B502 secondary_identifiers: - name: Bandit Test ID B502 type: bandit_test_id value: B502 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B502 shortlink: https://sg.run/4g0g semgrep.dev: rule: r_id: 39400 rv_id: 920131 rule_id: KxUOoO version_id: 9lTA7Wo url: https://semgrep.dev/playground/r/9lTA7Wo/gitlab.bandit.B502 origin: community patterns: - pattern-either: - pattern: ssl.PROTOCOL_SSLv2 - pattern: ssl.PROTOCOL_SSLv3 - pattern: ssl.PROTOCOL_TLSv1 - pattern: ssl.PROTOCOL_TLSv1_1 - pattern: pyOpenSSL.SSL.SSLv2_METHOD - pattern: pyOpenSSL.SSL.SSLv23_METHOD - pattern: pyOpenSSL.SSL.SSLv3_METHOD - pattern: pyOpenSSL.SSL.TLSv1_METHOD - pattern: pyOpenSSL.SSL.TLSv1_1_METHOD severity: ERROR - id: gitlab.bandit.B508 languages: - python message: | Pysnmp was detected using versions SNMPv1 or SNMPv2. SNPMv1 and SNMPv2 are insecure and should no longer be used as they do not offer encryption. If possible, query SNMP devices using SNMPv3 instead. Example querying a device using SNMPv3 with SHA-AES: ``` from pysnmp.hlapi import * # Create the snpm iterator iterator = getCmd( SnmpEngine(), # Configure using SHA AES UsmUserData('usr-sha-aes', 'authkey1', 'privkey1', authProtocol=USM_AUTH_HMAC96_SHA, privProtocol=USM_PRIV_CFB128_AES), UdpTransportTarget(('demo.snmplabs.com', 161)), ContextData(), ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0)) ) ``` For more information on using SNMPv3 with `Pysnmp` see: - https://pysnmp.readthedocs.io/en/latest/examples/hlapi/v3arch/asyncore/sync/manager/cmdgen/snmp-versions.html#snmpv3-auth-sha-privacy-aes128 metadata: cwe: CWE-319 category: security shortDescription: Cleartext transmission of sensitive information owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: bandit.B508 secondary_identifiers: - name: Bandit Test ID B508 type: bandit_test_id value: B508 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B508 shortlink: https://sg.run/RpEK semgrep.dev: rule: r_id: 47605 rv_id: 920125 rule_id: ZqUR1w version_id: zyTG3l5 url: https://semgrep.dev/playground/r/zyTG3l5/gitlab.bandit.B508 origin: community pattern-either: - pattern: pysnmp.hlapi.CommunityData(..., mpModel=0, ...) - pattern: pysnmp.hlapi.CommunityData(..., mpModel=1, ...) severity: WARNING - id: trailofbits.go.unmarshal_tag_is_omitempty.unmarshal-tag-is-omitempty message: Struct field can be unmarshaled with the `omitempty` key. The developer likely wanted to write ",omitempty" instead. languages: - go severity: WARNING metadata: cwe: 'CWE-172: Encoding Error' category: security subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: LOW technology: - --no-technology-- references: - https://blog.trailofbits.com/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.unmarshal_tag_is_omitempty.unmarshal-tag-is-omitempty shortlink: https://sg.run/Dkdoq semgrep.dev: rule: r_id: 193796 rv_id: 1028641 rule_id: ZqU6N5y version_id: 6xTJ52D url: https://semgrep.dev/playground/r/6xTJ52D/trailofbits.go.unmarshal_tag_is_omitempty.unmarshal-tag-is-omitempty origin: community patterns: - pattern: | type $T1 struct { ... $X $T2 `$TAG` ... } - focus-metavariable: $TAG - metavariable-regex: metavariable: $TAG regex: .*(json|yaml|xml):"omitempty - id: gitlab.find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 languages: - java patterns: - pattern: java.sql.DriverManager.getConnection($URI, $USR, ""); message: | The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Missing authentication for critical function (database) category: security cwe: CWE-306 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - java security-severity: Critical primary_identifier: find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 secondary_identifiers: - name: Find Security Bugs-DMI_EMPTY_DB_PASSWORD type: find_sec_bugs_type value: DMI_EMPTY_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 shortlink: https://sg.run/lW3j semgrep.dev: rule: r_id: 21213 rv_id: 920191 rule_id: GdUow0 version_id: LjTzeAl url: https://semgrep.dev/playground/r/LjTzeAl/gitlab.find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 origin: community - id: gitlab.find_sec_bugs.EXTERNAL_CONFIG_CONTROL-1 languages: - java patterns: - pattern: | $TAINTED = (HttpServletRequest $REQ).getParameter(...); ... (java.sql.Connection $CONN).setCatalog($TAINTED); message: | The application was found using user-supplied input in a `java.sql.Connection`'s `setCatalog` call. This could allow an adversary to supply a different database for the lifetime of the connection. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. Most likely this would only cause an error by providing a nonexistent catalog name. It is recommended to not use user-supplied input when selecting the database for an applications database connection. severity: WARNING metadata: shortDescription: External control of system or configuration setting category: security cwe: CWE-15 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Low primary_identifier: find_sec_bugs.EXTERNAL_CONFIG_CONTROL-1 secondary_identifiers: - name: Find Security Bugs-EXTERNAL_CONFIG_CONTROL type: find_sec_bugs_type value: EXTERNAL_CONFIG_CONTROL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.EXTERNAL_CONFIG_CONTROL-1 shortlink: https://sg.run/dPZY semgrep.dev: rule: r_id: 21234 rv_id: 920205 rule_id: r6UjYJ version_id: WrTYn34 url: https://semgrep.dev/playground/r/WrTYn34/gitlab.find_sec_bugs.EXTERNAL_CONFIG_CONTROL-1 origin: community - id: gitlab.find_sec_bugs.HARD_CODE_PASSWORD-1 languages: - java pattern-either: - pattern: new java.security.KeyStore.PasswordProtection("...".toCharArray()) - pattern: java.security.KeyStore.getInstance(...).load(..., "...".toCharArray()) - pattern: (java.security.KeyStore $KS).load(..., "...".toCharArray()) - pattern: KeyManagerFactory.getInstance(...).init(..., "...".toCharArray()) - pattern: (KeyManagerFactory $KMF).init(..., "...".toCharArray()) - pattern: PBEKeySpec("...", ...) - pattern: PasswordAuthentication("...", "...") - pattern: (PasswordCallback $CB).setPassword("...") - pattern: KerberosKey(...,"...",...) - pattern: java.sql.DriverManager.getConnection(..., "...") - pattern: io.vertx.ext.web.handler.CSRFHandler.create(..., "...") - pattern: $S.setPassword("...") message: | A potential hard-coded password was identified in a hard-coded string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Use of hard-coded password category: security cwe: CWE-259 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - java security-severity: High primary_identifier: find_sec_bugs.HARD_CODE_PASSWORD-1 secondary_identifiers: - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_PASSWORD-1 shortlink: https://sg.run/pNRN semgrep.dev: rule: r_id: 21218 rv_id: 920192 rule_id: WAUYxY version_id: 8KTvlyL url: https://semgrep.dev/playground/r/8KTvlyL/gitlab.find_sec_bugs.HARD_CODE_PASSWORD-1 origin: community - id: gitlab.find_sec_bugs.INSECURE_SMTP_SSL-1 languages: - java patterns: - pattern-either: - pattern-inside: | $E = new org.apache.commons.mail.SimpleEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.Email(...); ... - pattern-inside: | $E = new org.apache.commons.mail.MultiPartEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.HtmlEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.ImageHtmlEmail(...); ... - pattern-not: | $E.setSSLOnConnect(true); ... $E.setSSLCheckServerIdentity(true); message: | The Apache commons mail client by default does not enable TLS server identity. This allows for an adversary who is in between the application and the target host to intercept potentially sensitive information or transmit malicious data. Enable checking server identity by calling `Email.setSSLCheckServerIdentity(true)` Example email client that enables TLS and server identity: ``` // Create an email client Email email = new SimpleEmail(); // Configure the email hostname email.setHostName("smtp.mail.example.com"); // Set the port email.setSmtpPort(465); // Securely retrieve username and password values String username = getUserNameFromKMSorSecretStore(); String password = getPasswordFromKMSorSecretStore(); // Configure the Authenticator DefaultAuthenticator auth = new DefaultAuthenticator(username, password); // Set the authenticator email.setAuthenticator(auth); // Ensure we use SSL on connect email.setSSLOnConnect(true); // Ensure we validate server identity email.setSSLCheckServerIdentity(true); // configure the rest of the email email.setFrom("x@example.com"); email.setSubject("TestMail"); email.setMsg("This is a test mail ... :-)"); email.addTo("y@example.com"); email.send(); ``` metadata: shortDescription: Improper validation of certificate with host mismatch category: security cwe: CWE-297 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: find_sec_bugs.INSECURE_SMTP_SSL-1 secondary_identifiers: - name: Find Security Bugs-INSECURE_SMTP_SSL type: find_sec_bugs_type value: INSECURE_SMTP_SSL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.INSECURE_SMTP_SSL-1 shortlink: https://sg.run/rNB0 semgrep.dev: rule: r_id: 21225 rv_id: 920197 rule_id: oqUKxo version_id: PkTjGdq url: https://semgrep.dev/playground/r/PkTjGdq/gitlab.find_sec_bugs.INSECURE_SMTP_SSL-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs_kotlin.BLOWFISH_KEY_SIZE-1 languages: - kotlin message: | A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. severity: WARNING metadata: category: security shortDescription: Inadequate encryption strength owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-326 technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.BLOWFISH_KEY_SIZE-1 secondary_identifiers: - name: Find Security Bugs-BLOWFISH_KEY_SIZE type: find_sec_bugs_type value: BLOWFISH_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.BLOWFISH_KEY_SIZE-1 shortlink: https://sg.run/0ok3J semgrep.dev: rule: r_id: 144310 rv_id: 920401 rule_id: L1UqZLb version_id: 5PTNGEy url: https://semgrep.dev/playground/r/5PTNGEy/gitlab.find_sec_bugs_kotlin.BLOWFISH_KEY_SIZE-1 origin: community patterns: - pattern-inside: | $KEYGEN = javax.crypto.KeyGenerator.getInstance("Blowfish", ...); ... $KEYGEN.init($KEY_SIZE); - metavariable-comparison: comparison: $KEY_SIZE < 128 metavariable: $KEY_SIZE - id: gitlab.find_sec_bugs_kotlin.CIPHER_INTEGRITY-1 languages: - kotlin message: | The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. severity: ERROR metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.CIPHER_INTEGRITY-1 secondary_identifiers: - name: Find Security Bugs-CIPHER_INTEGRITY type: find_sec_bugs_type value: CIPHER_INTEGRITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.CIPHER_INTEGRITY-1 shortlink: https://sg.run/YGdRQ semgrep.dev: rule: r_id: 144314 rv_id: 920405 rule_id: 3qUkq5N version_id: BjTKLvp url: https://semgrep.dev/playground/r/BjTKLvp/gitlab.find_sec_bugs_kotlin.CIPHER_INTEGRITY-1 origin: community patterns: - pattern: | javax.crypto.Cipher.getInstance($TRANSFORMATION, ...) - metavariable-pattern: metavariable: $TRANSFORMATION patterns: - pattern-regex: ^"[^/]*(/(CBC|OFB|CTR|ECB)(/.*)?)?"$ - pattern-not-regex: ^"(ECIES|RSA)(/|"$) - id: gitlab.find_sec_bugs_kotlin.CUSTOM_MESSAGE_DIGEST-1 languages: - kotlin message: | Implementing a custom MessageDigest is error-prone. National Institute of Standards and Technology(NIST) recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A6:2017-Security Misconfiguration - A04:2021-Insecure Design technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.CUSTOM_MESSAGE_DIGEST-1 secondary_identifiers: - name: Find Security Bugs-CUSTOM_MESSAGE_DIGEST type: find_sec_bugs_type value: CUSTOM_MESSAGE_DIGEST license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.CUSTOM_MESSAGE_DIGEST-1 shortlink: https://sg.run/oqPQn semgrep.dev: rule: r_id: 144316 rv_id: 920407 rule_id: PeUJ47p version_id: WrTYnJ8 url: https://semgrep.dev/playground/r/WrTYnJ8/gitlab.find_sec_bugs_kotlin.CUSTOM_MESSAGE_DIGEST-1 origin: community pattern: | class $CLAZZ : java.security.MessageDigest(...) { ... } - id: gitlab.find_sec_bugs_kotlin.DES_USAGE-1 languages: - kotlin message: | DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. severity: WARNING metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.DES_USAGE-1 secondary_identifiers: - name: Find Security Bugs-DES_USAGE type: find_sec_bugs_type value: DES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.DES_USAGE-1 shortlink: https://sg.run/KxrY6 semgrep.dev: rule: r_id: 144311 rv_id: 920402 rule_id: 8GUQRPl version_id: GxToXBo url: https://semgrep.dev/playground/r/GxToXBo/gitlab.find_sec_bugs_kotlin.DES_USAGE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance($TRANSFORMATION, ...) - metavariable-regex: metavariable: $TRANSFORMATION regex: ^"DES(/|"$) - id: gitlab.find_sec_bugs_kotlin.ECB_MODE-1 languages: - kotlin message: | An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Code Book (ECB) mode, which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. This allows an attacker to intercept and replay the data. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.ECB_MODE-1 secondary_identifiers: - name: Find Security Bugs-ECB_MODE type: find_sec_bugs_type value: ECB_MODE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.ECB_MODE-1 shortlink: https://sg.run/lBdQ5 semgrep.dev: rule: r_id: 144313 rv_id: 920404 rule_id: QrUWPRO version_id: A8TNlp5 url: https://semgrep.dev/playground/r/A8TNlp5/gitlab.find_sec_bugs_kotlin.ECB_MODE-1 origin: community severity: ERROR patterns: - pattern: javax.crypto.Cipher.getInstance($TRANSFORMATION, ...) - metavariable-regex: metavariable: $TRANSFORMATION regex: ^"[^/]*/ECB(/.*)?"$ - id: gitlab.find_sec_bugs_kotlin.HAZELCAST_SYMMETRIC_ENCRYPTION-1 languages: - kotlin message: | The network communications for Hazelcast is configured to use a symmetric cipher (probably DES or Blowfish). Those ciphers alone do not provide integrity or secure authentication. The use of asymmetric encryption is preferred. severity: WARNING metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION-1 secondary_identifiers: - name: Find Security Bugs-HAZELCAST_SYMMETRIC_ENCRYPTION type: find_sec_bugs_type value: HAZELCAST_SYMMETRIC_ENCRYPTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HAZELCAST_SYMMETRIC_ENCRYPTION-1 shortlink: https://sg.run/zdqQ0 semgrep.dev: rule: r_id: 144317 rv_id: 920408 rule_id: JDUN0Oq version_id: 0bTp3qG url: https://semgrep.dev/playground/r/0bTp3qG/gitlab.find_sec_bugs_kotlin.HAZELCAST_SYMMETRIC_ENCRYPTION-1 origin: community pattern: com.hazelcast.config.SymmetricEncryptionConfig() - id: gitlab.find_sec_bugs_kotlin.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 languages: - kotlin message: | This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. severity: ERROR metadata: shortDescription: Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') category: security cwe: CWE-113 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 secondary_identifiers: - name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_HTTP_HEADER type: find_sec_bugs_type value: HRS_REQUEST_PARAMETER_TO_HTTP_HEADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 shortlink: https://sg.run/Dbp3W semgrep.dev: rule: r_id: 144308 rv_id: 920399 rule_id: EwUj7yz version_id: PkTjGbo url: https://semgrep.dev/playground/r/PkTjGbo/gitlab.find_sec_bugs_kotlin.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 origin: community mode: taint pattern-sanitizers: - patterns: - metavariable-pattern: metavariable: $S0 pattern-either: - pattern: '...' - pattern: '""' - metavariable-pattern: metavariable: $PATTERN patterns: - pattern: '...' - pattern-regex: .*\[\]?(?=[^]]*\\r)(?=[^]]*\\n)[^]]*\]\+ - pattern-inside: | $STR.replace($PATTERN, $S0); ... - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...); pattern-sinks: - pattern: '($RES: $X.servlet.http.HttpServletResponse).setHeader("$KEY", ...);' - pattern: '($RES: $X.servlet.http.HttpServletResponse).addHeader("$KEY", ...);' - pattern: '($WRP: $X.servlet.http.HttpServletResponseWrapper).setHeader("$KEY", ...);' - pattern: '($WRP: $X.servlet.http.HttpServletResponseWrapper).addHeader("$KEY", ...);' pattern-sources: - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getParameter(...);' - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getParameterNames();' - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getParameterValues(...);' - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getParameterMap();' - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getHeader(...);' - pattern: '($REQ: $X.servlet.http.HttpServletRequest).getPathInfo();' - id: gitlab.find_sec_bugs_kotlin.HTTPONLY_COOKIE-1 languages: - kotlin message: | A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser to make sure that the cookie can not be red by malicious script. When a user is the target of a "Cross-Site Scripting", the attacker would benefit greatly from getting the session id for example. severity: WARNING metadata: shortDescription: Sensitive cookie without 'HttpOnly' flag category: security owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-1004 technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.HTTPONLY_COOKIE-1 secondary_identifiers: - name: Find Security Bugs-HTTPONLY_COOKIE type: find_sec_bugs_type value: HTTPONLY_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HTTPONLY_COOKIE-1 shortlink: https://sg.run/Redj2 semgrep.dev: rule: r_id: 144305 rv_id: 920396 rule_id: d8UrXO1 version_id: QkT1N2z url: https://semgrep.dev/playground/r/QkT1N2z/gitlab.find_sec_bugs_kotlin.HTTPONLY_COOKIE-1 origin: community patterns: - pattern: | $C = $X.servlet.http.Cookie(..., ...) ...; ($RESP: $X.servlet.http.HttpServletResponse).addCookie($C) - pattern-not-inside: | $C = $X.servlet.http.Cookie(..., ...) ... $C.setHttpOnly(true) ...; ($RESP: $X.servlet.http.HttpServletResponse).addCookie($C) - id: gitlab.find_sec_bugs_kotlin.HTTP_RESPONSE_SPLITTING-1 languages: - kotlin message: | When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. severity: WARNING metadata: shortDescription: Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') category: security cwe: CWE-113 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.HTTP_RESPONSE_SPLITTING-1 secondary_identifiers: - name: Find Security Bugs-HTTP_RESPONSE_SPLITTING type: find_sec_bugs_type value: HTTP_RESPONSE_SPLITTING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HTTP_RESPONSE_SPLITTING-1 shortlink: https://sg.run/BYoR9 semgrep.dev: rule: r_id: 144307 rv_id: 920398 rule_id: nJUxX53 version_id: 44Teq82 url: https://semgrep.dev/playground/r/44Teq82/gitlab.find_sec_bugs_kotlin.HTTP_RESPONSE_SPLITTING-1 origin: community mode: taint pattern-sanitizers: - patterns: - metavariable-pattern: metavariable: $S0 pattern-either: - pattern: '...' - pattern: '""' - metavariable-pattern: metavariable: $PATTERN patterns: - pattern: '...' - pattern-regex: .*\[\]?(?=[^]]*\\r)(?=[^]]*\\n)[^]]*\]\+ - pattern-inside: | $STR.replace($PATTERN, $S0) ... - pattern: org.apache.commons.text.StringEscapeUtils.escapeJava(...) pattern-sinks: - pattern: javax.servlet.http.Cookie("$KEY", ...) - patterns: - pattern-inside: | $C = javax.servlet.http.Cookie("$KEY", ...) ... - pattern: $C.setValue(...) pattern-sources: - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getParameter(...)' - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getParameterNames()' - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getParameterValues(...)' - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getParameterMap()' - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getHeader(...)' - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getPathInfo()' - id: gitlab.find_sec_bugs_kotlin.INSECURE_COOKIE-1 languages: - kotlin message: | "A new cookie is created without the Secure flag set. The Secure flag is a directive to the browser to make sure that the cookie is not sent for insecure communication (http://)" severity: WARNING metadata: shortDescription: Sensitive cookie in HTTPS session without 'Secure' attribute category: security cwe: CWE-614 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.INSECURE_COOKIE-1 secondary_identifiers: - name: Find Security Bugs-INSECURE_COOKIE type: find_sec_bugs_type value: INSECURE_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.INSECURE_COOKIE-1 shortlink: https://sg.run/Ab6G6 semgrep.dev: rule: r_id: 144306 rv_id: 920397 rule_id: ZqUQ0k0 version_id: 3ZTLwbB url: https://semgrep.dev/playground/r/3ZTLwbB/gitlab.find_sec_bugs_kotlin.INSECURE_COOKIE-1 origin: community patterns: - pattern: | $C = $X.servlet.http.Cookie(..., ...) ...; ($RESP: $X.servlet.http.HttpServletResponse).addCookie($C) - pattern-not-inside: | $C = $X.servlet.http.Cookie(..., ...) ... $C.setSecure(true) ...; ($RESP: $X.servlet.http.HttpServletResponse).addCookie($C) - id: gitlab.find_sec_bugs_kotlin.NULL_CIPHER-1 languages: - kotlin message: | The NullCipher implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. Avoid using the NullCipher. Its accidental use can introduce a significant confidentiality risk. severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.NULL_CIPHER-1 secondary_identifiers: - name: Find Security Bugs-NULL_CIPHER type: find_sec_bugs_type value: NULL_CIPHER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.NULL_CIPHER-1 shortlink: https://sg.run/2Z4qY semgrep.dev: rule: r_id: 144319 rv_id: 920410 rule_id: GdUvNb9 version_id: qkTpwJJ url: https://semgrep.dev/playground/r/qkTpwJJ/gitlab.find_sec_bugs_kotlin.NULL_CIPHER-1 origin: community pattern: javax.crypto.NullCipher() - id: gitlab.find_sec_bugs_scala.COOKIE_PERSISTENT-1 languages: - scala message: | "Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise." metadata: category: security cwe: CWE-614 shortDescription: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute technology: - scala security-severity: Info primary_identifier: find_sec_bugs.COOKIE_PERSISTENT secondary_identifiers: - name: Find Security Bugs-COOKIE_PERSISTENT type: find_sec_bugs_type value: COOKIE_PERSISTENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.COOKIE_PERSISTENT-1 shortlink: https://sg.run/Qj54 semgrep.dev: rule: r_id: 67942 rv_id: 920214 rule_id: NbURkY version_id: RGT2xRv url: https://semgrep.dev/playground/r/RGT2xRv/gitlab.find_sec_bugs_scala.COOKIE_PERSISTENT-1 origin: community patterns: - pattern: | ($C: Cookie).setMaxAge($AGE) - metavariable-comparison: comparison: $AGE >= 31536000 metavariable: $AGE severity: WARNING - id: gitlab.find_sec_bugs_scala.COOKIE_USAGE-1 languages: - scala message: | The information stored in a custom cookie should not be sensitive or related to the session. In most cases, sensitive data should only be stored in session and referenced by the user's session cookie. metadata: category: security cwe: CWE-614 shortDescription: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute technology: - scala security-severity: Info primary_identifier: find_sec_bugs.COOKIE_USAGE secondary_identifiers: - name: Find Security Bugs-COOKIE_USAGE type: find_sec_bugs_type value: COOKIE_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.COOKIE_USAGE-1 shortlink: https://sg.run/3bxr semgrep.dev: rule: r_id: 67943 rv_id: 920215 rule_id: kxUPkw version_id: A8TNlXb url: https://semgrep.dev/playground/r/A8TNlXb/gitlab.find_sec_bugs_scala.COOKIE_USAGE-1 origin: community patterns: - pattern-inside: | def $FUNC(..., $REQ: HttpServletRequest, ...): $TYPE = { ... } - pattern-either: - patterns: - pattern-inside: | for ($C <- $REQ.getCookies) { ... } - pattern-either: - pattern: $C.getName - pattern: $C.getValue - pattern: $C.getPath - pattern: '($C: Cookie).getName()' - pattern: '($C: Cookie).getValue' - pattern: '($C: Cookie).getPath' severity: WARNING - id: gitlab.find_sec_bugs_scala.CRLF_INJECTION_LOGS-1 languages: - scala message: | When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Inserted false entries could be used to skew statistics, distract the administrator or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS). metadata: category: security cwe: CWE-93 shortDescription: Improper Neutralization of CRLF Sequences ('CRLF Injection') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.CRLF_INJECTION_LOGS secondary_identifiers: - name: Find Security Bugs-CRLF_INJECTION_LOGS type: find_sec_bugs_type value: CRLF_INJECTION_LOGS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.CRLF_INJECTION_LOGS-1 shortlink: https://sg.run/O2PB semgrep.dev: rule: r_id: 67975 rv_id: 920247 rule_id: 5rUGOX version_id: 7ZTbRE8 url: https://semgrep.dev/playground/r/7ZTbRE8/gitlab.find_sec_bugs_scala.CRLF_INJECTION_LOGS-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: $STR.replaceAll("$REPLACE_CHAR", "$REPLACE"); - pattern: $STR - metavariable-regex: metavariable: $REPLACE_CHAR regex: (.*\\r\\n.*) - metavariable-regex: metavariable: $REPLACE regex: (?!(\\r\\n)) - pattern: org.owasp.encoder.Encode.forUriComponent(...) - pattern: org.owasp.encoder.Encode.forUri(...) - pattern: java.net.URLEncoder.encode(..., $CHARSET) pattern-sinks: - patterns: - patterns: - pattern: $LOGGER.$METHOD(...,<...$TAINTED...>,...) - focus-metavariable: $TAINTED - metavariable-regex: metavariable: $METHOD regex: (log|logp|logrb|entering|exiting|fine|finer|finest|info|debug|trace|warn|warning|config|error|severe) - metavariable-pattern: metavariable: $LOGGER pattern-either: - pattern: Logger - pattern: log - pattern: logger - pattern: org.pmw.tinylog.Logger - pattern: org.apache.log4j.Logger - pattern: org.apache.logging.log4j.Logger - pattern: org.slf4j.Logger - pattern: org.apache.commons.logging.Log - pattern: java.util.logging.Logger pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $REQ: HttpServletRequest, ...) : $TYPE = { ... } - pattern: $REQ.getParameter(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-1 languages: - scala message: | The method identified is susceptible to injection. The input should be validated and properly escaped. metadata: category: security cwe: CWE-89 shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') technology: - scala security-severity: Low primary_identifier: find_sec_bugs.CUSTOM_INJECTION secondary_identifiers: - name: Find Security Bugs-CUSTOM_INJECTION type: find_sec_bugs_type value: CUSTOM_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-1 shortlink: https://sg.run/v9zA semgrep.dev: rule: r_id: 67977 rv_id: 920249 rule_id: ReUxgb version_id: 8KTvl58 url: https://semgrep.dev/playground/r/8KTvl58/gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-1 origin: community patterns: - pattern-either: - pattern-inside: | val $ST = connection.createStatement ... - pattern-either: - pattern: | val $QUERY = ... + $VAR + ... ... $ST.executeQuery($QUERY) - pattern: | val $QUERY = ... + $VAR ... $ST.executeQuery($QUERY) - pattern: | val $QUERY = String.format("...",...,$VAR,...) ... $ST.executeQuery($QUERY) - pattern: '$ST.executeQuery(($SB: StringBuilder).toString())' - pattern: $ST.executeQuery(... + $VAR + ...) - pattern: $ST.executeQuery(... + $VAR) - pattern: $ST.executeQuery(...,String.format("...",...,$VAR,...), ...) severity: WARNING - id: gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-2 languages: - scala message: | The method identified is susceptible to injection. The input should be validated and properly escaped. metadata: category: security cwe: CWE-89 shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') technology: - scala security-severity: High primary_identifier: find_sec_bugs.CUSTOM_INJECTION-2 secondary_identifiers: - name: Find Security Bugs-CUSTOM_INJECTION type: find_sec_bugs_type value: CUSTOM_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-2 shortlink: https://sg.run/dRKZ semgrep.dev: rule: r_id: 67978 rv_id: 920250 rule_id: AbUlzY version_id: gETkXB2 url: https://semgrep.dev/playground/r/gETkXB2/gitlab.find_sec_bugs_scala.CUSTOM_INJECTION-2 origin: community patterns: - pattern-inside: | def $FOO(..., $SQLIN: String, ...): $TYPE = { ... } - pattern-either: - pattern: | "$SQL_STR" + $SQLIN - pattern: String.format("$SQL_STR", ... + $SQLIN + ...) - pattern: | "$SQL_STR".concat(...) - pattern: (StringBuilder $BUILDER). ... .append("$SQL_STR") - patterns: - pattern-inside: | StringBuilder $BUILDER = new StringBuilder(... + "$SQL_STR" + ...); ... - pattern: $BUILDER.append(...) - pattern-not: $BUILDER.append("...") - patterns: - pattern-inside: | $QUERY = "$SQL_STR"; ... - pattern: $QUERY += ... - metavariable-regex: metavariable: $SQL_STR regex: (?i)(select|insert|create|update|alter|delete|drop)\b severity: WARNING - id: gitlab.find_sec_bugs_scala.CUSTOM_MESSAGE_DIGEST-1 languages: - scala message: | Implementing a custom MessageDigest is error-prone. National Institute of Standards and Technology(NIST) recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. metadata: category: security cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.CUSTOM_MESSAGE_DIGEST secondary_identifiers: - name: Find Security Bugs-CUSTOM_MESSAGE_DIGEST type: find_sec_bugs_type value: CUSTOM_MESSAGE_DIGEST license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.CUSTOM_MESSAGE_DIGEST-1 shortlink: https://sg.run/qpxz semgrep.dev: rule: r_id: 67956 rv_id: 920228 rule_id: gxUX15 version_id: 2KTdOvr url: https://semgrep.dev/playground/r/2KTdOvr/gitlab.find_sec_bugs_scala.CUSTOM_MESSAGE_DIGEST-1 origin: community patterns: - pattern: | class $CLAZZ extends java.security.MessageDigest(...) { ... } severity: WARNING - id: gitlab.find_sec_bugs_scala.DANGEROUS_PERMISSION_COMBINATION-1 pattern-either: - pattern: | $RUNVAR = new RuntimePermission("createClassLoader"); ... ($PC: PermissionCollection).add($RUNVAR); - pattern: | $REFVAR = new ReflectPermission("suppressAccessChecks"); ... ($PC: PermissionCollection).add($REFVAR); - pattern: '($PC: PermissionCollection).add(new ReflectPermission ("suppressAccessChecks"))' - pattern: '($PC: PermissionCollection).add(new RuntimePermission("createClassLoader"))' languages: - scala message: | Do not grant dangerous combinations of permissions. metadata: shortDescription: Improper privilege management category: security cwe: CWE-269 confidence: HIGH security-severity: Info primary_identifier: find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION secondary_identifiers: - name: Find Security Bugs-DANGEROUS_PERMISSION_COMBINATION type: find_sec_bugs_type value: DANGEROUS_PERMISSION_COMBINATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.DANGEROUS_PERMISSION_COMBINATION-1 shortlink: https://sg.run/ARlp semgrep.dev: rule: r_id: 67994 rv_id: 920266 rule_id: 10UNZy version_id: l4TXDZz url: https://semgrep.dev/playground/r/l4TXDZz/gitlab.find_sec_bugs_scala.DANGEROUS_PERMISSION_COMBINATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs_scala.DEFAULT_HTTP_CLIENT-1 patterns: - pattern: new org.apache.http.impl.client.DefaultHttpClient(...) message: | DefaultHttpClient with default constructor is not compatible with TLS 1.2 languages: - scala severity: WARNING metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 technology: - scala security-severity: Info primary_identifier: find_sec_bugs.DEFAULT_HTTP_CLIENT secondary_identifiers: - name: Find Security Bugs-DEFAULT_HTTP_CLIENT type: find_sec_bugs_type value: DEFAULT_HTTP_CLIENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.DEFAULT_HTTP_CLIENT-1 shortlink: https://sg.run/ll2y semgrep.dev: rule: r_id: 67957 rv_id: 920229 rule_id: QrUNzB version_id: X0TAKz2 url: https://semgrep.dev/playground/r/X0TAKz2/gitlab.find_sec_bugs_scala.DEFAULT_HTTP_CLIENT-1 origin: community - id: gitlab.find_sec_bugs_scala.DES_USAGE-1 languages: - scala message: | DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.DES_USAGE secondary_identifiers: - name: Find Security Bugs-DES_USAGE type: find_sec_bugs_type value: DES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.DES_USAGE-1 shortlink: https://sg.run/BAkW semgrep.dev: rule: r_id: 67951 rv_id: 920223 rule_id: nJUNz9 version_id: YDTYbZD url: https://semgrep.dev/playground/r/YDTYbZD/gitlab.find_sec_bugs_scala.DES_USAGE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance("$ALG") - metavariable-regex: metavariable: $ALG regex: ^(DES)/.* severity: WARNING - id: gitlab.find_sec_bugs_scala.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 patterns: - pattern: java.sql.DriverManager.getConnection($URI, $USR, "..."); message: | A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation metadata: category: security cwe: CWE-259 shortDescription: Use of Hard-coded Password technology: - scala security-severity: Critical primary_identifier: find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 secondary_identifiers: - name: Find Security Bugs-DMI_CONSTANT_DB_PASSWORD type: find_sec_bugs_type value: DMI_CONSTANT_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 shortlink: https://sg.run/5k8A semgrep.dev: rule: r_id: 67991 rv_id: 920263 rule_id: 2ZUO4Y version_id: 0bTp3o7 url: https://semgrep.dev/playground/r/0bTp3o7/gitlab.find_sec_bugs_scala.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 origin: community severity: ERROR languages: - scala - id: gitlab.find_sec_bugs_scala.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 patterns: - pattern: java.sql.DriverManager.getConnection($URI, $USR, ""); message: | The application does not provide authentication when communicating a database server. It is strongly recommended that the database server be configured with authentication and restrict what queries users can execute. Please see your database server's documentation on how to configure a password. Additionally, passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation metadata: category: security cwe: CWE-259 shortDescription: Use of Hard-coded Password technology: - scala security-severity: Critical primary_identifier: find_sec_bugs.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 secondary_identifiers: - name: Find Security Bugs-DMI_EMPTY_DB_PASSWORD type: find_sec_bugs_type value: DMI_EMPTY_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 shortlink: https://sg.run/GKWp semgrep.dev: rule: r_id: 67992 rv_id: 920264 rule_id: X5UKZx version_id: K3TwLob url: https://semgrep.dev/playground/r/K3TwLob/gitlab.find_sec_bugs_scala.DMI_EMPTY_DB_PASSWORD-1.HARD_CODE_PASSWORD-2 origin: community languages: - scala severity: ERROR - id: gitlab.find_sec_bugs_scala.ECB_MODE-1 languages: - scala message: | An authentication cipher mode which provides better confidentiality of the encrypted data should be used instead of Electronic Code Book (ECB) mode, which does not provide good confidentiality. Specifically, ECB mode produces the same output for the same input each time. This allows an attacker to intercept and replay the data. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.ECB_MODE secondary_identifiers: - name: Find Security Bugs-ECB_MODE type: find_sec_bugs_type value: ECB_MODE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.ECB_MODE-1 shortlink: https://sg.run/WN84 semgrep.dev: rule: r_id: 67953 rv_id: 920225 rule_id: 7KURQZ version_id: o5TK1bB url: https://semgrep.dev/playground/r/o5TK1bB/gitlab.find_sec_bugs_scala.ECB_MODE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance("...") - pattern-regex: (AES|DES(ede)?)(/ECB/*) severity: ERROR - id: gitlab.find_sec_bugs_scala.EL_INJECTION-1 languages: - scala message: | An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. metadata: category: security cwe: CWE-94 shortDescription: Improper Control of Generation of Code ('Code Injection') technology: - scala security-severity: High primary_identifier: find_sec_bugs.EL_INJECTION secondary_identifiers: - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.EL_INJECTION-1 shortlink: https://sg.run/ZxvD semgrep.dev: rule: r_id: 67979 rv_id: 920251 rule_id: BYULN2 version_id: QkT1NGN url: https://semgrep.dev/playground/r/QkT1NGN/gitlab.find_sec_bugs_scala.EL_INJECTION-1 origin: community patterns: - pattern-inside: | import javax.el._ ... - pattern-either: - pattern-inside: | def $FUNC(..., $EXPR: String, ...) : $TYPE = { ... } - pattern-inside: | def $FUNC(..., $EXPR: String, ...) = { ... } - pattern-either: - pattern: $X.createValueExpression(..., $EXPR, ...) - pattern: $X.createMethodExpression(..., $EXPR, ...) severity: WARNING - id: gitlab.find_sec_bugs_scala.EXTERNAL_CONFIG_CONTROL-1 languages: - scala message: | Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. metadata: category: security cwe: CWE-15 shortDescription: External Control of System or Configuration Setting technology: - scala security-severity: High primary_identifier: find_sec_bugs.EXTERNAL_CONFIG_CONTROL secondary_identifiers: - name: Find Security Bugs-EXTERNAL_CONFIG_CONTROL type: find_sec_bugs_type value: EXTERNAL_CONFIG_CONTROL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.EXTERNAL_CONFIG_CONTROL-1 shortlink: https://sg.run/09nk semgrep.dev: rule: r_id: 68010 rv_id: 920281 rule_id: 7KURe0 version_id: kbTOPDr url: https://semgrep.dev/playground/r/kbTOPDr/gitlab.find_sec_bugs_scala.EXTERNAL_CONFIG_CONTROL-1 origin: community patterns: - pattern: | $TAINTED = ($REQ: HttpServletRequest).getParameter(...); ... ($CONN: java.sql.Connection).setCatalog($TAINTED); severity: WARNING - id: gitlab.find_sec_bugs_scala.FILE_UPLOAD_FILENAME-1 languages: - scala message: | The filename provided by the FileUpload API can be tampered with by the client to reference unauthorized files. The provided filename should be properly validated to ensure it's properly structured, contains no unauthorized path characters (e.g., / \), and refers to an authorized file. metadata: category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Info primary_identifier: find_sec_bugs.FILE_UPLOAD_FILENAME secondary_identifiers: - name: Find Security Bugs-FILE_UPLOAD_FILENAME type: find_sec_bugs_type value: FILE_UPLOAD_FILENAME license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.FILE_UPLOAD_FILENAME-1 shortlink: https://sg.run/b57p semgrep.dev: rule: r_id: 67970 rv_id: 920242 rule_id: KxULbq version_id: vdTvQ0A url: https://semgrep.dev/playground/r/vdTvQ0A/gitlab.find_sec_bugs_scala.FILE_UPLOAD_FILENAME-1 origin: community patterns: - pattern: | def $FUNC (..., $REQ: HttpServletRequest, ... ) = { ... val $FILES = ($SFU: ServletFileUpload).parseRequest($REQ) ... for ($FILE <- $FILES.asScala) { ... } } - pattern: $ITEM.getName() severity: WARNING - id: gitlab.find_sec_bugs_scala.FORMAT_STRING_MANIPULATION-1 languages: - scala message: | Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or leak information.Attackers may be able to modify the format string argument, such that an exception is thrown. If this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is used within the unused arguments, attackers may change the format string to reveal this information. metadata: category: security confidence: HIGH cwe: CWE-134 shortDescription: Use of Externally-Controlled Format String security-severity: Info primary_identifier: find_sec_bugs.FORMAT_STRING_MANIPULATION secondary_identifiers: - name: Find Security Bugs-FORMAT_STRING_MANIPULATION type: find_sec_bugs_type value: FORMAT_STRING_MANIPULATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.FORMAT_STRING_MANIPULATION-1 shortlink: https://sg.run/R18E semgrep.dev: rule: r_id: 68005 rv_id: 920276 rule_id: v8UQ5x version_id: 9lTA7l3 url: https://semgrep.dev/playground/r/9lTA7l3/gitlab.find_sec_bugs_scala.FORMAT_STRING_MANIPULATION-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | $INPUT = ($REQ: javax.servlet.http.HttpServletRequest).getParameter(...); ... - pattern-inside: | $FORMAT_STR = <... $INPUT ...>; - patterns: - pattern-inside: | val $INPUT = ($REQ: javax.servlet.http.HttpServletRequest).getParameter(...); ... - pattern-inside: | val $FORMAT_STR = <... $INPUT ...>; ... - pattern-inside: | val $FORMAT_STR = ... + ($REQ: javax.servlet.http.HttpServletRequest).getParameter(...) + ...; ... - pattern-inside: | val $FORMAT_STR = ... + ($REQ: javax.servlet.http.HttpServletRequest).getParameter(...); ... - pattern-either: - pattern: $VAL = <... $INPUT ...> - pattern: String.format($FORMAT_STR, ...); - pattern: String.format(java.util.Locale.$LOCALE, $FORMAT_STR, ...); - pattern: '($F: java.util.Formatter).format($FORMAT_STR, ...);' - pattern: '($F: java.util.Formatter).format(java.util.Locale.$LOCALE, $FORMAT_STR, ...);' - pattern: '($F: java.io.PrintStream).printf($FORMAT_STR, ...);' - pattern: '($F: java.io.PrintStream).printf(java.util.Locale.$LOCALE, $FORMAT_STR, ...);' - pattern: '($F: java.io.PrintStream).format($FORMAT_STR, ...);' - pattern: '($F: java.io.PrintStream).format(java.util.Locale.$LOCALE, $FORMAT_STR, ...);' - pattern: System.out.printf($FORMAT_STR, ...); - pattern: System.out.printf(java.util.Locale.$LOCALE, $FORMAT_STR, ...); - pattern: System.out.format($FORMAT_STR, ...); - pattern: System.out.format(java.util.Locale.$LOCALE, $FORMAT_STR, ...); severity: ERROR - id: gitlab.find_sec_bugs_scala.HARD_CODE_PASSWORD-1 languages: - scala message: | A potential hard-coded password was identified in the source code. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation metadata: category: security cwe: CWE-259 shortDescription: Use of Hard-coded Password technology: - scala security-severity: High primary_identifier: find_sec_bugs.HARD_CODE_PASSWORD secondary_identifiers: - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HARD_CODE_PASSWORD-1 shortlink: https://sg.run/R18O semgrep.dev: rule: r_id: 67993 rv_id: 920265 rule_id: j2Ujqy version_id: qkTpwOo url: https://semgrep.dev/playground/r/qkTpwOo/gitlab.find_sec_bugs_scala.HARD_CODE_PASSWORD-1 origin: community pattern-either: - pattern: java.security.KeyStore.PasswordProtection("...".toCharArray()) - pattern: java.security.KeyStore.getInstance(...).load(..., "...".toCharArray()) - pattern: '($KS: java.security.KeyStore).load(..., "...".toCharArray())' - pattern: KeyManagerFactory.getInstance(...).init(..., "...".toCharArray()) - pattern: '($KMF: KeyManagerFactory).init(..., "...".toCharArray())' - pattern: PBEKeySpec("...", ...) - pattern: PasswordAuthentication("...", "...") - pattern: '($CB: PasswordCallback).setPassword("...")' - pattern: KerberosKey(...,"...",...) - pattern: java.sql.DriverManager.getConnection(..., "...") - pattern: io.vertx.ext.web.handler.CSRFHandler.create(..., "...") - pattern: $S.setPassword("...") severity: ERROR - id: gitlab.find_sec_bugs_scala.HAZELCAST_SYMMETRIC_ENCRYPTION-1 languages: - scala message: | The network communications for Hazelcast is configured to use a symmetric cipher (probably DES or Blowfish). Those ciphers alone do not provide integrity or secure authentication. The use of asymmetric encryption is preferred. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.HAZELCAST_SYMMETRIC_ENCRYPTION secondary_identifiers: - name: Find Security Bugs-HAZELCAST_SYMMETRIC_ENCRYPTION type: find_sec_bugs_type value: HAZELCAST_SYMMETRIC_ENCRYPTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HAZELCAST_SYMMETRIC_ENCRYPTION-1 shortlink: https://sg.run/Ywve semgrep.dev: rule: r_id: 67958 rv_id: 920230 rule_id: 3qUwPg version_id: jQTwjnn url: https://semgrep.dev/playground/r/jQTwjnn/gitlab.find_sec_bugs_scala.HAZELCAST_SYMMETRIC_ENCRYPTION-1 origin: community patterns: - pattern: new com.hazelcast.config.SymmetricEncryptionConfig() severity: WARNING - id: gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_COOKIE-1 languages: - scala message: | This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. metadata: category: security cwe: CWE-113 shortDescription: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE secondary_identifiers: - name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_COOKIE type: find_sec_bugs_type value: HRS_REQUEST_PARAMETER_TO_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_COOKIE-1 shortlink: https://sg.run/PXJY semgrep.dev: rule: r_id: 67945 rv_id: 920217 rule_id: x8UrnN version_id: DkT2yR6 url: https://semgrep.dev/playground/r/DkT2yR6/gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_COOKIE-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: $STR.replaceAll("$REPLACE_CHAR", "$REPLACE"); - pattern: $STR - metavariable-regex: metavariable: $REPLACE_CHAR regex: (.*\\r\\n.*) - metavariable-regex: metavariable: $REPLACE regex: (?!(\\r\\n)) - pattern: org.owasp.encoder.Encode.forUriComponent(...) - pattern: org.owasp.encoder.Encode.forUri(...) - pattern: java.net.URLEncoder.encode(..., $CHARSET) pattern-sinks: - pattern: new javax.servlet.http.Cookie("$KEY", ...); - patterns: - pattern-inside: | $C = new javax.servlet.http.Cookie("$KEY", ...); ... - pattern: $C.setValue(...); pattern-sources: - pattern: '($REQ: HttpServletRequest).getParameter(...);' severity: ERROR - id: gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 languages: - scala message: | This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information. metadata: category: security cwe: CWE-113 shortDescription: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') technology: - scala security-severity: High primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER secondary_identifiers: - name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_HTTP_HEADER type: find_sec_bugs_type value: HRS_REQUEST_PARAMETER_TO_HTTP_HEADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 shortlink: https://sg.run/JY9w semgrep.dev: rule: r_id: 67946 rv_id: 920218 rule_id: OrU73v version_id: WrTYnqO url: https://semgrep.dev/playground/r/WrTYnqO/gitlab.find_sec_bugs_scala.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: $STR.replaceAll("$REPLACE_CHAR", "$REPLACE"); - pattern: $STR - metavariable-regex: metavariable: $REPLACE_CHAR regex: (.*\\r\\n.*) - metavariable-regex: metavariable: $REPLACE regex: (?!(\\r\\n)) - pattern: org.owasp.encoder.Encode.forUriComponent(...) - pattern: org.owasp.encoder.Encode.forUri(...) - pattern: java.net.URLEncoder.encode(..., $CHARSET) pattern-sinks: - pattern: '($RES: HttpServletResponse).setHeader("$KEY", ...);' - pattern: '($RES: HttpServletResponse).addHeader("$KEY", ...);' - pattern: '($WRP: HttpServletResponseWrapper).setHeader("$KEY", ...);' - pattern: '($WRP: HttpServletResponseWrapper).addHeader("$KEY", ...);' pattern-sources: - pattern: '($REQ: HttpServletRequest).getParameter(...);' severity: ERROR - id: gitlab.find_sec_bugs_scala.HTTPONLY_COOKIE-1 languages: - scala message: | A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser to make sure that the cookie can not be red by malicious script. When a user is the target of a "Cross-Site Scripting", the attacker would benefit greatly from getting the session id for example. metadata: category: security cwe: CWE-1004 shortDescription: Sensitive Cookie Without 'HttpOnly' Flag technology: - scala security-severity: Low primary_identifier: find_sec_bugs.HTTPONLY_COOKIE secondary_identifiers: - name: Find Security Bugs-HTTPONLY_COOKIE type: find_sec_bugs_type value: HTTPONLY_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HTTPONLY_COOKIE-1 shortlink: https://sg.run/8Oyy semgrep.dev: rule: r_id: 67940 rv_id: 920212 rule_id: r6Uvrr version_id: 5PTNGev url: https://semgrep.dev/playground/r/5PTNGev/gitlab.find_sec_bugs_scala.HTTPONLY_COOKIE-1 origin: community pattern-either: - patterns: - pattern: | val $C = new javax.servlet.http.Cookie(..., ...); ... $RESP.addCookie($C); - pattern-not-inside: | val $C = new javax.servlet.http.Cookie(..., ...); ... $C.setHttpOnly(true); ... $RESP.addCookie($C); - pattern: (javax.servlet.http.Cookie $C).setHttpOnly(false); severity: WARNING - id: gitlab.find_sec_bugs_scala.HTTP_PARAMETER_POLLUTION-1 languages: - scala message: | Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. metadata: category: security cwe: CWE-88 shortDescription: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.HTTP_PARAMETER_POLLUTION secondary_identifiers: - name: Find Security Bugs-HTTP_PARAMETER_POLLUTION type: find_sec_bugs_type value: HTTP_PARAMETER_POLLUTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HTTP_PARAMETER_POLLUTION-1 shortlink: https://sg.run/E35w semgrep.dev: rule: r_id: 67981 rv_id: 920253 rule_id: WAUnZW version_id: 44TeqEd url: https://semgrep.dev/playground/r/44TeqEd/gitlab.find_sec_bugs_scala.HTTP_PARAMETER_POLLUTION-1 origin: community mode: taint pattern-sanitizers: - pattern: java.net.URLEncoder.encode(...) - pattern: com.google.common.net.UrlEscapers.urlPathSegmentEscaper().escape(...) pattern-sinks: - pattern: new org.apache.http.client.methods.HttpGet(...) - pattern: new org.apache.commons.httpclient.methods.GetMethod(...) - pattern: '($GM: org.apache.commons.httpclient.methods.GetMethod).setQueryString(...)' pattern-sources: - pattern: '($REQ: HttpServletRequest ).getParameter(...)' severity: ERROR - id: gitlab.find_sec_bugs_scala.HTTP_RESPONSE_SPLITTING-1 languages: - scala message: | When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks. metadata: category: security cwe: CWE-113 shortDescription: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') technology: - scala security-severity: High primary_identifier: find_sec_bugs.HTTP_RESPONSE_SPLITTING secondary_identifiers: - name: Find Security Bugs-HTTP_RESPONSE_SPLITTING type: find_sec_bugs_type value: HTTP_RESPONSE_SPLITTING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.HTTP_RESPONSE_SPLITTING-1 shortlink: https://sg.run/4Nxl semgrep.dev: rule: r_id: 67944 rv_id: 920216 rule_id: wdUbJl version_id: BjTKLkW url: https://semgrep.dev/playground/r/BjTKLkW/gitlab.find_sec_bugs_scala.HTTP_RESPONSE_SPLITTING-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: $STR.replaceAll("$REPLACE_CHAR", "$REPLACE"); - pattern: $STR - metavariable-regex: metavariable: $REPLACE_CHAR regex: (.*\\r\\n.*) - metavariable-regex: metavariable: $REPLACE regex: (?!(\\r\\n)) - pattern: org.owasp.encoder.Encode.forUriComponent(...) - pattern: org.owasp.encoder.Encode.forUri(...) - pattern: java.net.URLEncoder.encode(..., $CHARSET) pattern-sinks: - pattern: new javax.servlet.http.Cookie("$KEY", ...) - pattern: ($C:javax.servlet.http.Cookie).setValue(...) pattern-sources: - pattern: '($REQ: javax.servlet.http.HttpServletRequest).getParameter(...)' severity: WARNING - id: javascript.express.security.injection.tainted-sql-string.tainted-sql-string message: Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. metadata: owasp: - A01:2017 - Injection - A03:2021 - Injection - A05:2025 - Injection cwe: - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command (''SQL Injection'')' references: - https://owasp.org/www-community/attacks/SQL_Injection category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - SQL Injection source: https://semgrep.dev/r/javascript.express.security.injection.tainted-sql-string.tainted-sql-string shortlink: https://sg.run/66ZL semgrep.dev: rule: r_id: 14715 rv_id: 1263176 rule_id: NbUNpr version_id: kbTzGZv url: https://semgrep.dev/playground/r/kbTzGZv/javascript.express.security.injection.tainted-sql-string.tainted-sql-string origin: community languages: - javascript - typescript severity: ERROR mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: function ... (...,$REQ, ...) {...} - pattern-either: - pattern: $REQ.query - pattern: $REQ.body - pattern: $REQ.params - pattern: $REQ.cookies - pattern: $REQ.headers - patterns: - pattern-either: - pattern-inside: | (...,{ $REQ }: Request,...) => {...} - pattern-inside: | (...,{ $REQ }: $EXPRESS.Request,...) => {...} - focus-metavariable: $REQ - pattern-either: - pattern: params - pattern: query - pattern: cookies - pattern: headers - pattern: body pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern-inside: | "$SQLSTR" + $EXPR - pattern-inside: | "$SQLSTR".concat($EXPR) - pattern: util.format($SQLSTR, $EXPR) - pattern: | `$SQLSTR${$EXPR}...` - metavariable-regex: metavariable: $SQLSTR regex: .*\b(?i)(select|delete|insert|create|update\s+.+\sset|alter|drop)\b.* - focus-metavariable: $EXPR - id: gitlab.find_sec_bugs_scala.IMPROPER_UNICODE-1 languages: - scala message: | Improper Handling of Unicode Encoding metadata: category: security confidence: HIGH cwe: CWE-176 shortDescription: Improper Handling of Unicode Encoding security-severity: Medium primary_identifier: find_sec_bugs.IMPROPER_UNICODE secondary_identifiers: - name: Find Security Bugs-IMPROPER_UNICODE type: find_sec_bugs_type value: IMPROPER_UNICODE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.IMPROPER_UNICODE-1 shortlink: https://sg.run/ARlg semgrep.dev: rule: r_id: 68006 rv_id: 920277 rule_id: d8Ugz5 version_id: yeTDgOG url: https://semgrep.dev/playground/r/yeTDgOG/gitlab.find_sec_bugs_scala.IMPROPER_UNICODE-1 origin: community pattern-either: - patterns: - pattern-either: - pattern: | $S = ($INPUT: String).$TRANSFORM(...); ... $S.$METHOD(...); - pattern: '($INPUT: String).$TRANSFORM().$METHOD(...);' - metavariable-regex: metavariable: $METHOD regex: (equals|equalsIgnoreCase|indexOf) - metavariable-regex: metavariable: $TRANSFORM regex: (toLowerCase|toUpperCase) - pattern: java.text.Normalizer.normalize(...); - pattern: java.net.IDN.toASCII(...); - pattern: '($U: URI).toASCIIString()' severity: ERROR - id: gitlab.find_sec_bugs_scala.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 languages: - scala message: | The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. metadata: category: security cwe: CWE-209 shortDescription: Information Exposure Through an Error Message technology: - scala security-severity: Low primary_identifier: find_sec_bugs.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE secondary_identifiers: - name: Find Security Bugs-INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE type: find_sec_bugs_type value: INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 shortlink: https://sg.run/K6WP semgrep.dev: rule: r_id: 68011 rv_id: 920282 rule_id: L1Ue4j version_id: w8Tkbpv url: https://semgrep.dev/playground/r/w8Tkbpv/gitlab.find_sec_bugs_scala.INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE-1 origin: community patterns: - pattern: $E.printStackTrace(...) severity: WARNING - id: gitlab.find_sec_bugs_scala.INSECURE_COOKIE-1 languages: - scala message: | "A new cookie is created without the Secure flag set. The Secure flag is a directive to the browser to make sure that the cookie is not sent for insecure communication (http://)" metadata: category: security cwe: CWE-539 shortDescription: Information Exposure Through Persistent Cookies technology: - scala security-severity: Low primary_identifier: find_sec_bugs.INSECURE_COOKIE secondary_identifiers: - name: Find Security Bugs-INSECURE_COOKIE type: find_sec_bugs_type value: INSECURE_COOKIE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.INSECURE_COOKIE-1 shortlink: https://sg.run/gDLJ semgrep.dev: rule: r_id: 67941 rv_id: 920213 rule_id: bwUowO version_id: GxToX82 url: https://semgrep.dev/playground/r/GxToX82/gitlab.find_sec_bugs_scala.INSECURE_COOKIE-1 origin: community patterns: - pattern-not-inside: | val $C = new javax.servlet.http.Cookie(..., ...); ... $C.setSecure(true); ... $RESP.addCookie($C); - pattern-either: - pattern: | val $C = new javax.servlet.http.Cookie(..., ...); ... $RESP.addCookie($C); - pattern: ($C:javax.servlet.http.Cookie).setSecure(false); severity: WARNING - id: gitlab.find_sec_bugs_scala.INSECURE_SMTP_SSL-1 languages: - scala message: | Server identity verification is disabled when making SSL connections. metadata: cwe: CWE-297 shortDescription: Improper Validation of Certificate with Host Mismatch security-severity: High category: security owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures primary_identifier: find_sec_bugs.INSECURE_SMTP_SSL secondary_identifiers: - name: Find Security Bugs-INSECURE_SMTP_SSL type: find_sec_bugs_type value: INSECURE_SMTP_SSL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.INSECURE_SMTP_SSL-1 shortlink: https://sg.run/4Nyg semgrep.dev: rule: r_id: 68000 rv_id: 920271 rule_id: kxUPRZ version_id: pZTbDnN url: https://semgrep.dev/playground/r/pZTbDnN/gitlab.find_sec_bugs_scala.INSECURE_SMTP_SSL-1 origin: community patterns: - pattern-either: - pattern-inside: | $E = new org.apache.commons.mail.SimpleEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.Email(...); ... - pattern-inside: | $E = new org.apache.commons.mail.MultiPartEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.HtmlEmail(...); ... - pattern-inside: | $E = new org.apache.commons.mail.ImageHtmlEmail(...); ... - pattern-not: | $E.setSSLOnConnect(true); ... $E.setSSLCheckServerIdentity(true); severity: ERROR - id: gitlab.find_sec_bugs_scala.JAXRS_ENDPOINT-1 languages: - scala message: | This method is part of a REST Web Service (JSR311). The security of this web service should be analyzed. For example: - Authentication, if enforced, should be tested. - Access control, if enforced, should be tested. - The inputs should be tracked for potential vulnerabilities. - The communication should ideally be over SSL. - If the service supports writes (e.g., via POST), its vulnerability to CSRF should be investigated. metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.JAXRS_ENDPOINT secondary_identifiers: - name: Find Security Bugs-JAXRS_ENDPOINT type: find_sec_bugs_type value: JAXRS_ENDPOINT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.JAXRS_ENDPOINT-1 shortlink: https://sg.run/jKRY semgrep.dev: rule: r_id: 67965 rv_id: 920237 rule_id: AbUlz8 version_id: kbTOPzr url: https://semgrep.dev/playground/r/kbTOPzr/gitlab.find_sec_bugs_scala.JAXRS_ENDPOINT-1 origin: community mode: taint pattern-sinks: - pattern: <...$VAR...> pattern-sources: - patterns: - pattern-inside: | @javax.ws.rs.Path("...") def $FUNC(..., $VAR: $TYPE, ...) = ... - pattern: $VAR severity: INFO - id: gitlab.find_sec_bugs_scala.JAXWS_ENDPOINT-1 languages: - scala message: | This method is part of a SOAP Web Service (JSR224). The security of this web service should be analyzed. For example: - Authentication, if enforced, should be tested. - Access control, if enforced, should be tested. - The inputs should be tracked for potential vulnerabilities. - The communication should ideally be over SSL. metadata: category: security cwe: CWE-20 owasp: - A7:2017-Cross-Site Scripting (XSS) - A03:2021-Injection shortDescription: Improper Input Validation technology: - scala security-severity: Info primary_identifier: find_sec_bugs.JAXWS_ENDPOINT secondary_identifiers: - name: Find Security Bugs-JAXWS_ENDPOINT type: find_sec_bugs_type value: JAXWS_ENDPOINT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.JAXWS_ENDPOINT-1 shortlink: https://sg.run/1yZw semgrep.dev: rule: r_id: 67966 rv_id: 920238 rule_id: BYULNq version_id: w8TkbRv url: https://semgrep.dev/playground/r/w8TkbRv/gitlab.find_sec_bugs_scala.JAXWS_ENDPOINT-1 origin: community mode: taint pattern-sinks: - pattern: <...$VAR...> pattern-sources: - patterns: - pattern-inside: | @javax.jws.WebMethod(...) def $FUNC(..., $VAR: $TYPE, ...) = ... - pattern: $VAR severity: INFO - id: gitlab.find_sec_bugs_scala.LDAP_ANONYMOUS-1 languages: - scala message: | Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation security-severity: Info primary_identifier: find_sec_bugs.LDAP_ANONYMOUS secondary_identifiers: - name: Find Security Bugs-LDAP_ANONYMOUS type: find_sec_bugs_type value: LDAP_ANONYMOUS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.LDAP_ANONYMOUS-1 shortlink: https://sg.run/PXpY semgrep.dev: rule: r_id: 67989 rv_id: 920261 rule_id: zdU3yW version_id: DkT2yk6 url: https://semgrep.dev/playground/r/DkT2yk6/gitlab.find_sec_bugs_scala.LDAP_ANONYMOUS-1 origin: community patterns: - pattern-inside: | import javax.naming.Context; ... - pattern: $ENV.put(Context.SECURITY_AUTHENTICATION, "none"); severity: WARNING - id: gitlab.find_sec_bugs_scala.LDAP_ENTRY_POISONING-1 languages: - scala message: | Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation security-severity: High primary_identifier: find_sec_bugs.LDAP_ENTRY_POISONING secondary_identifiers: - name: Find Security Bugs-LDAP_ENTRY_POISONING type: find_sec_bugs_type value: LDAP_ENTRY_POISONING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.LDAP_ENTRY_POISONING-1 shortlink: https://sg.run/JY3w semgrep.dev: rule: r_id: 67990 rv_id: 920262 rule_id: pKUDGb version_id: WrTYn8O url: https://semgrep.dev/playground/r/WrTYn8O/gitlab.find_sec_bugs_scala.LDAP_ENTRY_POISONING-1 origin: community patterns: - pattern: new javax.naming.directory.SearchControls($SCOPE, $CLIMIT, $TLIMIT, $ATTR, true, $DEREF) severity: ERROR - id: gitlab.find_sec_bugs_scala.LDAP_INJECTION-1 languages: - scala message: | Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. metadata: category: security cwe: CWE-90 shortDescription: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.LDAP_INJECTION secondary_identifiers: - name: Find Security Bugs-LDAP_INJECTION type: find_sec_bugs_type value: LDAP_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.LDAP_INJECTION-1 shortlink: https://sg.run/7x0Z semgrep.dev: rule: r_id: 67982 rv_id: 920254 rule_id: 0oU3Ey version_id: PkTjGR6 url: https://semgrep.dev/playground/r/PkTjGR6/gitlab.find_sec_bugs_scala.LDAP_INJECTION-1 origin: community patterns: - pattern-either: - pattern-inside: | def $FUNC(..., $VAR: String, ...): $TYPE = { ... } - pattern-inside: | def $FUNC(..., $X: String, ...): $TYPE = { ... $VAR = ... + $X; ... } - pattern-either: - pattern: '($P: java.util.Properties).put($KEY, $VAR)' - pattern: $CTX.lookup(..., $VAR, ...) - pattern: $CTX.search(..., $VAR, ...) - pattern: $CTX.list(..., $VAR, ...) - metavariable-pattern: metavariable: $CTX pattern-either: - pattern: '($CTX: javax.naming.directory.DirContext)' - pattern: '($CTX: javax.naming.directory.Context)' - pattern: '($CTX: javax.naming.Context)' - pattern: '($CTX: javax.naming.directory.InitialDirContext)' - pattern: '($CTX: javax.naming.ldap.LdapContext)' - pattern: '($CTX: com.unboundid.ldap.sdk.LDAPConnection)' - pattern: '($CTX: javax.naming.event.EventDirContext)' - pattern: '($CTX: com.sun.jndi.ldap.LdapCtx)' - pattern: '($CTX: org.springframework.ldap.core.LdapTemplate)' - pattern: '($CTX: org.springframework.ldap.core.LdapOperations)' severity: WARNING - id: gitlab.find_sec_bugs_scala.MALICIOUS_XSLT-1 mode: taint pattern-sources: - patterns: - pattern-either: - patterns: - pattern-inside: | $FUNC(...,String $VAR, ...) { ... } - pattern-either: - pattern: new FileInputStream(<... $VAR ...>); - pattern: getClass.getResourceAsStream(<... $VAR ...>) - patterns: - pattern-inside: | class $CLZ { String $X = "..."; ... } - pattern-inside: | $FUNC(...,String $Y, ...) { ... } - pattern-either: - pattern: new FileInputStream($X + $Y); - pattern: getClass.getResourceAsStream($X + $Y) pattern-sinks: - patterns: - pattern-either: - pattern-inside: (javax.xml.transform.TransformerFactory $T).newTransformer($SRC, ...) - pattern-inside: (javax.xml.transform.Transformer $T).transform($SRC, ...) - pattern: $SRC languages: - java message: | It is possible to attach malicious behavior to those style sheets. Therefore, if an attacker can control the content or the source of the style sheet, he might be able to trigger remote code execution. metadata: shortDescription: Improper neutralization of special elements in output used by a downstream component ('Injection') category: security cwe: CWE-74 security-severity: Medium primary_identifier: find_sec_bugs.MALICIOUS_XSLT secondary_identifiers: - name: Find Security Bugs-MALICIOUS_XSLT type: find_sec_bugs_type value: MALICIOUS_XSLT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.MALICIOUS_XSLT-1 shortlink: https://sg.run/ook7 semgrep.dev: rule: r_id: 68016 rv_id: 920287 rule_id: 4bUqzj version_id: d6T6g30 url: https://semgrep.dev/playground/r/d6T6g30/gitlab.find_sec_bugs_scala.MALICIOUS_XSLT-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs_scala.MODIFICATION_AFTER_VALIDATION-1 patterns: - pattern: | $Y.matcher($VAR); ... $VAR.$METHOD(...); - metavariable-regex: metavariable: $METHOD regex: (replace) languages: - scala message: | CERT: IDS11-J. Perform any string modifications before validation metadata: shortDescription: Collapse of data into unsafe value category: security cwe: CWE-182 confidence: HIGH security-severity: Info primary_identifier: find_sec_bugs.MODIFICATION_AFTER_VALIDATION secondary_identifiers: - name: Find Security Bugs-MODIFICATION_AFTER_VALIDATION type: find_sec_bugs_type value: MODIFICATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.MODIFICATION_AFTER_VALIDATION-1 shortlink: https://sg.run/BA4b semgrep.dev: rule: r_id: 68007 rv_id: 920278 rule_id: ZqUdq9 version_id: rxTjv1N url: https://semgrep.dev/playground/r/rxTjv1N/gitlab.find_sec_bugs_scala.MODIFICATION_AFTER_VALIDATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs_scala.NORMALIZATION_AFTER_VALIDATION-1 patterns: - pattern: | $Y = java.util.regex.Pattern.compile("[<>]"); ... $Y.matcher($VAR); ... java.text.Normalizer.normalize($VAR, ...); languages: - scala message: | IDS01-J. Normalize strings before validating them metadata: shortDescription: Collapse of data into unsafe value category: security cwe: CWE-182 confidence: HIGH security-severity: Info primary_identifier: find_sec_bugs.NORMALIZATION_AFTER_VALIDATION secondary_identifiers: - name: Find Security Bugs-NORMALIZATION_AFTER_VALIDATION type: find_sec_bugs_type value: NORMALIZATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.NORMALIZATION_AFTER_VALIDATION-1 shortlink: https://sg.run/DDJ2 semgrep.dev: rule: r_id: 68008 rv_id: 920279 rule_id: nJUNYE version_id: bZTLoZ6 url: https://semgrep.dev/playground/r/bZTLoZ6/gitlab.find_sec_bugs_scala.NORMALIZATION_AFTER_VALIDATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs_scala.NULL_CIPHER-1 languages: - scala message: | The NullCipher implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. Avoid using the NullCipher. Its accidental use can introduce a significant confidentiality risk. metadata: category: security cwe: CWE-327 shortDescription: Use of a Broken or Risky Cryptographic Algorithm technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.NULL_CIPHER secondary_identifiers: - name: Find Security Bugs-NULL_CIPHER type: find_sec_bugs_type value: NULL_CIPHER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.NULL_CIPHER-1 shortlink: https://sg.run/oox9 semgrep.dev: rule: r_id: 67960 rv_id: 920232 rule_id: PeUGZw version_id: 9lTA743 url: https://semgrep.dev/playground/r/9lTA743/gitlab.find_sec_bugs_scala.NULL_CIPHER-1 origin: community pattern: new javax.crypto.NullCipher() severity: WARNING - id: gitlab.find_sec_bugs_scala.OGNL_INJECTION-1 patterns: - pattern-either: - pattern-inside: | def $FUNC(..., $VAR: String, ...): $TYPE = { ... } - pattern-inside: | def $FUNC(..., $VAR: Map[$K,$V], ...): $TYPE = { ... } - pattern-inside: | def $FUNC(..., $VAR: java.util.HashMap[$K,$V], ...): $TYPE = { ... } - pattern-either: - pattern: com.opensymphony.xwork2.util.TextParseUtil.translateVariables(..., $VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.translateVariablesCollection(..., $VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.shallBeIncluded(..., $VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.commaDelimitedStringToSet(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.TextParser).evaluate(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.OgnlTextParser).evaluate(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getGetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getSetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getField(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setProperty(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getValue(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setValue(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getGetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getSetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getField(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setProperty(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setProperty(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).getValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).callMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).compile(..., $VAR, ...) - pattern: ($P:org.apache.struts2.util.VelocityStrutsUtil).evaluate(...) - pattern: org.apache.struts2.util.StrutsUtil.findString(...) - pattern: org.apache.struts2.util.StrutsUtil.findValue(..., $VAL) - pattern: org.apache.struts2.util.StrutsUtil.getText(...) - pattern: org.apache.struts2.util.StrutsUtil.translateVariables(...) - pattern: org.apache.struts2.util.StrutsUtil.makeSelectList(..., $VAR, ...) - pattern: ($T:org.apache.struts2.views.jsp.ui.OgnlTool).findValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).findString(...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).findValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).setValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).setParameter(..., $VAR, ...) message: | "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." languages: - scala severity: WARNING metadata: shortDescription: Expression injection (OGNL) category: security cwe: CWE-917 technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.OGNL_INJECTION secondary_identifiers: - name: Find Security Bugs-OGNL_INJECTION type: find_sec_bugs_type value: OGNL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.OGNL_INJECTION-1 shortlink: https://sg.run/Lo0r semgrep.dev: rule: r_id: 67983 rv_id: 920255 rule_id: KxUL4z version_id: JdToRzd url: https://semgrep.dev/playground/r/JdToRzd/gitlab.find_sec_bugs_scala.OGNL_INJECTION-1 origin: community - id: gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-1 languages: - scala message: | Overly permissive file permission metadata: category: security confidence: HIGH cwe: CWE-732 shortDescription: Incorrect Permission Assignment for Critical Resource security-severity: High primary_identifier: find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION secondary_identifiers: - name: Find Security Bugs-OVERLY_PERMISSIVE_FILE_PERMISSION type: find_sec_bugs_type value: OVERLY_PERMISSIVE_FILE_PERMISSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-1 shortlink: https://sg.run/BA4W semgrep.dev: rule: r_id: 67995 rv_id: 920267 rule_id: 9AU7Ol version_id: YDTYbED url: https://semgrep.dev/playground/r/YDTYbED/gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-1 origin: community patterns: - pattern-either: - pattern: java.nio.file.Files.setPosixFilePermissions(..., java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING")); - pattern: | $PERMISSIONS = java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING"); ... java.nio.file.Files.setPosixFilePermissions(..., $PERMISSIONS); - metavariable-regex: metavariable: $PERM_STRING regex: '[rwx-]{6}[rwx]{1,}' severity: WARNING - id: gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-2 languages: - scala message: | Overly permissive file permission metadata: category: security confidence: HIGH cwe: CWE-732 shortDescription: Incorrect Permission Assignment for Critical Resource security-severity: Medium primary_identifier: find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-2 secondary_identifiers: - name: Find Security Bugs-OVERLY_PERMISSIVE_FILE_PERMISSION type: find_sec_bugs_type value: OVERLY_PERMISSIVE_FILE_PERMISSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-2 shortlink: https://sg.run/DDJY semgrep.dev: rule: r_id: 67996 rv_id: 920268 rule_id: yyUgvq version_id: 6xTyX8E url: https://semgrep.dev/playground/r/6xTyX8E/gitlab.find_sec_bugs_scala.OVERLY_PERMISSIVE_FILE_PERMISSION-2 origin: community patterns: - pattern-inside: | ... java.nio.file.Files.setPosixFilePermissions(..., $PERMS); - pattern-either: - pattern: $PERMS.add($P); - pattern: $A = $B + $P; - metavariable-regex: metavariable: $P regex: (PosixFilePermission.){0,1}(OTHERS_) severity: WARNING - id: gitlab.find_sec_bugs_scala.PADDING_ORACLE-1 languages: - scala message: | This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. metadata: category: security cwe: CWE-696 shortDescription: Incorrect Behavior Order technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.PADDING_ORACLE secondary_identifiers: - name: Find Security Bugs-PADDING_ORACLE type: find_sec_bugs_type value: PADDING_ORACLE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PADDING_ORACLE-1 shortlink: https://sg.run/K6l7 semgrep.dev: rule: r_id: 67955 rv_id: 920227 rule_id: 8GUljB version_id: pZTbD0N url: https://semgrep.dev/playground/r/pZTbD0N/gitlab.find_sec_bugs_scala.PADDING_ORACLE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance("...") - pattern-regex: (/CBC/PKCS5Padding) - pattern-not-regex: ^(RSA)/.* - pattern-not-regex: ^(ECIES)$ severity: ERROR - id: gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_IN-1.SCALA_PATH_TRAVERSAL_IN-1 languages: - scala message: | A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.PATH_TRAVERSAL_IN-1.SCALA_PATH_TRAVERSAL_IN-1 secondary_identifiers: - name: Find Security Bugs-PATH_TRAVERSAL_IN type: find_sec_bugs_type value: PATH_TRAVERSAL_IN - name: Find Security Bugs-SCALA_PATH_TRAVERSAL_IN type: find_sec_bugs_type value: SCALA_PATH_TRAVERSAL_IN license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_IN-1.SCALA_PATH_TRAVERSAL_IN-1 shortlink: https://sg.run/8Ony semgrep.dev: rule: r_id: 67984 rv_id: 920256 rule_id: qNUwoj version_id: 5PTNGov url: https://semgrep.dev/playground/r/5PTNGov/gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_IN-1.SCALA_PATH_TRAVERSAL_IN-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | def $FUNC(...,$ARGS: Array[String], ...): $TYPE = { ... } - pattern-inside: | $VAR = $ARGS($IDX) ... - pattern-inside: | def $FUNC(...,$VAR: String, ...): $TYPE = { ... } - pattern-not-inside: | ... org.apache.commons.io.FilenameUtils.getName($VAR) ... - pattern-either: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) ... - pattern-either: - pattern: new java.io.File($U) - pattern: java.nio.file.Paths.get($U) - pattern: new java.io.RandomAccessFile(..., $VAR,...) - pattern: new java.io.FileReader(<...$VAR...>, ...) - pattern: new javax.activation.FileDataSource(..., $VAR, ...) - pattern: new java.io.FileInputStream(..., $VAR, ...) - pattern: new java.io.File(<...$VAR...>, ...) - pattern: java.nio.file.Paths.get(...,$VAR,...) - pattern: java.io.File.createTempFile(...,$VAR, ...) - pattern: java.io.File.createTempDirectory(...,$VAR,...) - pattern: java.nio.file.Files.createTempFile(..., $VAR, ...) - pattern: java.nio.file.Files.createTempDirectory(..., $VAR, ...) - pattern: scala.io.Source.from(<...$VAR...>) - pattern: scala.io.Source.fromFile(<...$VAR...>) - pattern: scala.io.Source.fromString(<...$VAR...>) severity: ERROR - id: gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_OUT-1 languages: - scala message: | A file is opened to write to its contents. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files at an arbitrary filesystem location could be modified. This rule identifies potential path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala security-severity: High primary_identifier: find_sec_bugs.PATH_TRAVERSAL_OUT secondary_identifiers: - name: Find Security Bugs-PATH_TRAVERSAL_OUT type: find_sec_bugs_type value: PATH_TRAVERSAL_OUT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_OUT-1 shortlink: https://sg.run/gDJJ semgrep.dev: rule: r_id: 67985 rv_id: 920257 rule_id: lBUDdd version_id: GxToXk2 url: https://semgrep.dev/playground/r/GxToXk2/gitlab.find_sec_bugs_scala.PATH_TRAVERSAL_OUT-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $ARGS: Array[String], ...): $TYPE = { ... } - pattern: $ARGS[$IDX] - patterns: - pattern-inside: | def $FUNC(..., $VAR: String, ...): $TYPE = { ... } - pattern: $VAR severity: WARNING - id: gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-1 languages: - scala message: | Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. metadata: category: security cwe: CWE-942 shortDescription: Permissive Cross-domain Policy with Untrusted Domains technology: - scala security-severity: Info primary_identifier: find_sec_bugs.PERMISSIVE_CORS secondary_identifiers: - name: Find Security Bugs-PERMISSIVE_CORS type: find_sec_bugs_type value: PERMISSIVE_CORS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-1 shortlink: https://sg.run/GKep semgrep.dev: rule: r_id: 67948 rv_id: 920220 rule_id: v8UQnN version_id: K3TwLKb url: https://semgrep.dev/playground/r/K3TwLKb/gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-1 origin: community pattern-either: - patterns: - pattern-either: - pattern: ($RESP:javax.servlet.http.HttpServletResponse).setHeader("$HEADER", "$VAL") - pattern: ($RESP:javax.servlet.http.HttpServletResponse).addHeader("$HEADER", "$VAL") - metavariable-regex: metavariable: $HEADER regex: (?i)(Access-Control-Allow-Origin) - metavariable-regex: metavariable: $VAL regex: (\*|null) - patterns: - pattern-inside: | $REQVAL = ($REQ: javax.servlet.http.HttpServletRequest).getParameter(...) ... - pattern-either: - pattern-inside: ($RESP:javax.servlet.http.HttpServletResponse).setHeader("$HEADER", $REQVAL) - pattern-inside: ($RESP:javax.servlet.http.HttpServletResponse).addHeader("$HEADER", $REQVAL) - patterns: - pattern-either: - pattern-inside: '($RESP:javax.servlet.http.HttpServletResponse).setHeader("$HEADER",($REQ: javax.servlet.http.HttpServletRequest).getParameter(...))' - pattern-inside: '($RESP:javax.servlet.http.HttpServletResponse).addHeader("$HEADER",($REQ: javax.servlet.http.HttpServletRequest).getParameter(...))' severity: ERROR - id: gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-2 languages: - java message: | Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. metadata: category: security cwe: CWE-942 shortDescription: Permissive Cross-domain Policy with Untrusted Domains technology: - java security-severity: Low primary_identifier: find_sec_bugs.PERMISSIVE_CORS-2 secondary_identifiers: - name: Find Security Bugs-PERMISSIVE_CORS type: find_sec_bugs_type value: PERMISSIVE_CORS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-2 shortlink: https://sg.run/R1oO semgrep.dev: rule: r_id: 67949 rv_id: 920221 rule_id: d8Ugjv version_id: qkTpwRo url: https://semgrep.dev/playground/r/qkTpwRo/gitlab.find_sec_bugs_scala.PERMISSIVE_CORS-2 origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - pattern: (HttpServletResponse $RES).setHeader("$HEADER", ...) - pattern: (HttpServletResponse $RES).addHeader("$HEADER", ...) - metavariable-regex: metavariable: $HEADER regex: (?i)(Access-Control-Allow-Origin) pattern-sources: - pattern: (HttpServletRequest $REQ).getParameter(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.PT_ABSOLUTE_PATH_TRAVERSAL-1 languages: - scala message: | "The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/36.html for more information." metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL secondary_identifiers: - name: Find Security Bugs-PT_ABSOLUTE_PATH_TRAVERSAL type: find_sec_bugs_type value: PT_ABSOLUTE_PATH_TRAVERSAL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PT_ABSOLUTE_PATH_TRAVERSAL-1 shortlink: https://sg.run/Qj84 semgrep.dev: rule: r_id: 67986 rv_id: 920258 rule_id: YGUbrQ version_id: RGT2x0v url: https://semgrep.dev/playground/r/RGT2x0v/gitlab.find_sec_bugs_scala.PT_ABSOLUTE_PATH_TRAVERSAL-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) - pattern-either: - pattern-inside: new java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: new java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: new java.io.FileReader(...) - pattern: new javax.activation.FileDataSource(...) - pattern: new java.io.FileInputStream(...) - pattern: new java.io.File(...) - pattern: java.nio.file.Paths.get(...) - pattern: java.io.File.createTempFile(...) - pattern: java.io.File.createTempDirectory(...) - pattern: java.nio.file.Files.createTempFile(...) - pattern: java.nio.file.Files.createTempDirectory(...) - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - pattern: '($REQ: HttpServletRequest ).getParameter(...)' severity: WARNING - id: gitlab.find_sec_bugs_scala.PT_RELATIVE_PATH_TRAVERSAL-1 languages: - scala message: | "The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/23.html for more information." metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.PT_RELATIVE_PATH_TRAVERSAL secondary_identifiers: - name: Find Security Bugs-PT_RELATIVE_PATH_TRAVERSAL type: find_sec_bugs_type value: PT_RELATIVE_PATH_TRAVERSAL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.PT_RELATIVE_PATH_TRAVERSAL-1 shortlink: https://sg.run/3bAr semgrep.dev: rule: r_id: 67987 rv_id: 920259 rule_id: 6JUXq1 version_id: A8TNlgb url: https://semgrep.dev/playground/r/A8TNlgb/gitlab.find_sec_bugs_scala.PT_RELATIVE_PATH_TRAVERSAL-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = new java.net.URI($VAR) - pattern-either: - pattern-inside: new java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: new java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: new java.io.FileReader(...) - pattern: new javax.activation.FileDataSource(...) - pattern: new java.io.FileInputStream(...) - pattern: new java.io.File(...) - pattern: java.nio.file.Paths.get(...) - pattern: java.io.File.createTempFile(...) - pattern: java.io.File.createTempDirectory(...) - pattern: java.nio.file.Files.createTempFile(...) - pattern: java.nio.file.Files.createTempDirectory(...) - patterns: - pattern-inside: new java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: new java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - patterns: - pattern-inside: | $P = ($REQ: HttpServletRequest ).getParameter(...); ... - pattern-either: - pattern: $P + ... - pattern: '... + $P' severity: WARNING - id: gitlab.find_sec_bugs_scala.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 languages: - scala message: | Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. metadata: category: security cwe: CWE-552 shortDescription: Files or Directories Accessible to External Parties security-severity: Info primary_identifier: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 secondary_identifiers: - name: Find Security Bugs-REQUESTDISPATCHER_FILE_DISCLOSURE type: find_sec_bugs_type value: REQUESTDISPATCHER_FILE_DISCLOSURE - name: Find Security Bugs-STRUTS_FILE_DISCLOSURE type: find_sec_bugs_type value: STRUTS_FILE_DISCLOSURE - name: Find Security Bugs-SPRING_FILE_DISCLOSURE type: find_sec_bugs_type value: SPRING_FILE_DISCLOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 shortlink: https://sg.run/n6qX semgrep.dev: rule: r_id: 67980 rv_id: 920252 rule_id: DbUyWd version_id: 3ZTLw4X url: https://semgrep.dev/playground/r/3ZTLw4X/gitlab.find_sec_bugs_scala.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 origin: community mode: taint pattern-sinks: - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST) - pattern: $FST - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND) - pattern: $FST - patterns: - pattern: new org.springframework.web.servlet.ModelAndView($FST, $SND, $TRD) - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST) - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND) - pattern: $FST - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $SND - patterns: - pattern: new org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $TRD - patterns: - pattern-inside: | $ACTION = new org.apache.struts.action.ActionForward() ... - pattern: $ACTION.setPath(...) - patterns: - pattern-inside: | $MVC = new org.springframework.web.servlet.ModelAndView() ... - pattern: $MVC.setViewName(...); - patterns: - pattern-inside: | $REQ = $HTTP.getRequestDispatcher(...) ... - pattern-either: - pattern: $REQ.include($FST, $SND) - pattern: $REQ.forward($FST, $SND) pattern-sources: - pattern: '($VAR: javax.servlet.http.HttpServletRequest).getParameter(...)' severity: ERROR - id: gitlab.find_sec_bugs_scala.RPC_ENABLED_EXTENSIONS-1 languages: - scala message: | Enabling extensions in Apache XML RPC server or client can lead to deserialization vulnerability which would allow an attacker to execute arbitrary code. metadata: category: security cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: Info primary_identifier: find_sec_bugs.RPC_ENABLED_EXTENSIONS secondary_identifiers: - name: Find Security Bugs-RPC_ENABLED_EXTENSIONS type: find_sec_bugs_type value: RPC_ENABLED_EXTENSIONS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.RPC_ENABLED_EXTENSIONS-1 shortlink: https://sg.run/lljL semgrep.dev: rule: r_id: 68013 rv_id: 920284 rule_id: gxUXWQ version_id: O9Tv78L url: https://semgrep.dev/playground/r/O9Tv78L/gitlab.find_sec_bugs_scala.RPC_ENABLED_EXTENSIONS-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | val $VAR = new XmlRpcServerConfigImpl(); ... - pattern: $VAR.setEnabledForExtensions(true); - patterns: - pattern-inside: | val $VAR = new org.apache.xmlrpc.client.XmlRpcClientConfigImpl(); ... - pattern: $VAR.setEnabledForExtensions(true); severity: WARNING - id: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config patterns: - pattern-not-inside: | REST_FRAMEWORK = { ..., "DEFAULT_THROTTLE_RATES": ... } - pattern-inside: | REST_FRAMEWORK = ... - pattern: REST_FRAMEWORK message: Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application. metadata: owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration cwe: - 'CWE-770: Allocation of Resources Without Limits or Throttling' references: - https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy category: security technology: - django cwe2022-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config shortlink: https://sg.run/vzBY semgrep.dev: rule: r_id: 9477 rv_id: 1263363 rule_id: gxU1wE version_id: l4TJRqD url: https://semgrep.dev/playground/r/l4TJRqD/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config origin: community severity: WARNING languages: - python - id: yaml.semgrep.metadata-cwe-prohibited-or-discouraged.metadata-cwe-prohibited-or-discouraged message: Vulnerability mapping for this CWE is discouraged or prohibited. severity: ERROR metadata: category: best-practice technology: - cwe - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-cwe-prohibited-or-discouraged.metadata-cwe-prohibited-or-discouraged shortlink: https://sg.run/l4r8D semgrep.dev: rule: r_id: 192513 rv_id: 1026332 rule_id: DbUqNvY version_id: w8Tn68O url: https://semgrep.dev/playground/r/w8Tn68O/yaml.semgrep.metadata-cwe-prohibited-or-discouraged.metadata-cwe-prohibited-or-discouraged origin: community languages: - yaml patterns: - pattern-inside: 'rules: ...' - pattern-inside: 'metadata: ...' - pattern: 'cwe: $CWE' - metavariable-regex: metavariable: $CWE regex: .*CWE-(1|2|3|4|10|16|17|18|19|20|21|60|63|68|70|71|74|75|92|100|101|114|118|119|132|133|136|137|138|139|169|171|189|199|200|216|217|218|225|227|234|247|249|251|254|255|264|265|269|274|275|284|285|287|292|300|310|311|320|330|345|355|361|365|371|372|373|376|380|381|387|388|389|391|398|399|400|411|417|418|423|429|435|438|442|443|445|452|458|461|465|485|490|503|504|505|513|516|517|518|519|533|534|542|545|557|559|569|592|596|604|610|629|630|631|632|633|634|635|657|658|659|660|661|662|664|665|666|668|677|678|679|680|682|690|691|692|693|697|699|700|701|702|703|707|709|710|711|712|713|714|715|716|717|718|719|720|721|722|723|724|725|726|727|728|729|730|731|734|735|736|737|738|739|740|741|742|743|744|745|746|747|748|750|751|752|753|755|769|786|788|800|801|802|803|808|809|810|811|812|813|814|815|816|817|818|819|834|840|844|845|846|847|848|849|850|851|852|853|854|855|856|857|858|859|860|861|864|865|866|867|868|869|870|871|872|873|874|875|876|877|878|879|880|881|882|883|884|885|886|887|888|889|890|891|892|893|894|895|896|897|898|899|900|901|902|903|904|905|906|907|919|928|929|930|931|932|933|934|935|936|937|938|944|945|946|947|948|949|950|951|952|953|954|955|956|957|958|959|960|961|962|963|964|965|966|967|968|969|970|971|972|973|974|975|976|977|978|979|980|981|982|983|984|985|986|987|988|989|990|991|992|993|994|995|996|997|998|999|1000|1001|1002|1003|1005|1006|1008|1009|1010|1011|1012|1013|1014|1015|1016|1017|1018|1019|1020|1026|1027|1028|1029|1030|1031|1032|1033|1034|1035|1036|1040|1041|1042|1043|1044|1047|1048|1051|1053|1054|1055|1056|1057|1059|1060|1062|1063|1064|1065|1066|1068|1069|1070|1072|1073|1074|1076|1078|1080|1081|1082|1083|1084|1085|1086|1090|1092|1094|1095|1097|1099|1101|1103|1105|1106|1107|1109|1110|1111|1112|1113|1114|1115|1117|1118|1119|1121|1122|1124|1125|1128|1129|1130|1131|1132|1133|1134|1135|1136|1137|1138|1139|1140|1141|1142|1143|1144|1145|1146|1147|1148|1149|1150|1151|1152|1153|1154|1155|1156|1157|1158|1159|1160|1161|1162|1163|1165|1166|1167|1168|1169|1170|1171|1172|1175|1178|1179|1180|1181|1182|1183|1184|1185|1186|1187|1194|1195|1196|1197|1198|1199|1200|1201|1202|1203|1205|1206|1207|1208|1210|1211|1212|1213|1214|1215|1216|1217|1218|1219|1225|1226|1227|1228|1237|1238|1305|1306|1307|1308|1309|1324|1337|1340|1343|1344|1345|1346|1347|1348|1349|1350|1352|1353|1354|1355|1356|1358|1359|1360|1361|1362|1363|1364|1365|1366|1367|1368|1369|1370|1371|1372|1373|1374|1375|1376|1377|1378|1379|1380|1381|1382|1383|1387|1388|1396|1397|1398|1399|1400):.* - id: gitlab.find_sec_bugs_scala.RSA_KEY_SIZE-1 languages: - scala message: | Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength security-severity: Medium primary_identifier: find_sec_bugs.RSA_KEY_SIZE secondary_identifiers: - name: Find Security Bugs-RSA_KEY_SIZE type: find_sec_bugs_type value: RSA_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.RSA_KEY_SIZE-1 shortlink: https://sg.run/6wno semgrep.dev: rule: r_id: 67959 rv_id: 920231 rule_id: 4bUqkK version_id: 1QT4Ny2 url: https://semgrep.dev/playground/r/1QT4Ny2/gitlab.find_sec_bugs_scala.RSA_KEY_SIZE-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | $GEN = KeyPairGenerator.getInstance($ALG, ...); ... - pattern-either: - pattern: $VAR.initialize($SIZE, ...) - pattern: new java.security.spec.RSAKeyGenParameterSpec($SIZE, ...) - metavariable-comparison: comparison: $SIZE < 2048 metavariable: $SIZE - metavariable-regex: metavariable: $ALG regex: '"(RSA|DSA)"' severity: WARNING - id: gitlab.find_sec_bugs_scala.RSA_NO_PADDING-1 languages: - scala message: | The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. metadata: cwe: CWE-780 shortDescription: Use of RSA Algorithm without OAEP security-severity: Medium category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures primary_identifier: find_sec_bugs.RSA_NO_PADDING secondary_identifiers: - name: Find Security Bugs-RSA_NO_PADDING type: find_sec_bugs_type value: RSA_NO_PADDING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.RSA_NO_PADDING-1 shortlink: https://sg.run/zNvG semgrep.dev: rule: r_id: 67961 rv_id: 920233 rule_id: JDURyA version_id: yeTDgxG url: https://semgrep.dev/playground/r/yeTDgxG/gitlab.find_sec_bugs_scala.RSA_NO_PADDING-1 origin: community patterns: - pattern: javax.crypto.Cipher.getInstance("$ALG",...) - metavariable-regex: metavariable: $ALG regex: .*NoPadding.* severity: WARNING - id: gitlab.find_sec_bugs_scala.SAML_IGNORE_COMMENTS-1 languages: - scala message: | Ignoring XML comments in SAML may lead to authentication bypass metadata: category: security cwe: CWE-287 shortDescription: Improper Authentication security-severity: Medium primary_identifier: find_sec_bugs.SAML_IGNORE_COMMENTS secondary_identifiers: - name: Find Security Bugs-SAML_IGNORE_COMMENTS type: find_sec_bugs_type value: SAML_IGNORE_COMMENTS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SAML_IGNORE_COMMENTS-1 shortlink: https://sg.run/YwgW semgrep.dev: rule: r_id: 68014 rv_id: 920285 rule_id: QrUN6r version_id: e1TZKeX url: https://semgrep.dev/playground/r/e1TZKeX/gitlab.find_sec_bugs_scala.SAML_IGNORE_COMMENTS-1 origin: community pattern: '($POOL: BasicParserPool).setIgnoreComments(false);' severity: WARNING - id: gitlab.find_sec_bugs_scala.SCALA_SENSITIVE_DATA_EXPOSURE-1 languages: - scala message: | Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Pages that provide different responses based on the validity of the data can lead to Information Leakage; specifically when data deemed confidential is being revealed as a result of the web application's design. metadata: category: security cwe: CWE-200 shortDescription: Information Exposure technology: - scala - play security-severity: Info primary_identifier: find_sec_bugs.SCALA_SENSITIVE_DATA_EXPOSURE secondary_identifiers: - name: Find Security Bugs-SCALA_SENSITIVE_DATA_EXPOSURE type: find_sec_bugs_type value: SCALA_SENSITIVE_DATA_EXPOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SCALA_SENSITIVE_DATA_EXPOSURE-1 shortlink: https://sg.run/qpr1 semgrep.dev: rule: r_id: 68012 rv_id: 920283 rule_id: 8GUlEw version_id: xyTdr8l url: https://semgrep.dev/playground/r/xyTdr8l/gitlab.find_sec_bugs_scala.SCALA_SENSITIVE_DATA_EXPOSURE-1 origin: community patterns: - pattern-inside: | def $FUNC(..., $ARG: String, ...) = $TYPE { ... } - pattern-inside: | $VAL = ($C: play.api.Configuration).underlying.getString($ARG) ... - pattern: Ok(<...$VAL...>) severity: WARNING - id: gitlab.find_sec_bugs_scala.SCALA_XSS_MVC_API-1 languages: - scala message: | Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') security-severity: Info primary_identifier: find_sec_bugs.SCALA_XSS_MVC_API secondary_identifiers: - name: Find Security Bugs-SCALA_XSS_MVC_API type: find_sec_bugs_type value: SCALA_XSS_MVC_API license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SCALA_XSS_MVC_API-1 shortlink: https://sg.run/pzl3 semgrep.dev: rule: r_id: 68018 rv_id: 920289 rule_id: JDURPW version_id: nWTnN9j url: https://semgrep.dev/playground/r/nWTnN9j/gitlab.find_sec_bugs_scala.SCALA_XSS_MVC_API-1 origin: community mode: taint pattern-sanitizers: - pattern: org.owasp.encoder.Encode.forHtml(...) pattern-sinks: - pattern: Ok(...) pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $ARG: String, ...) = Action { ... } - focus-metavariable: $ARG severity: WARNING - id: gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 languages: - scala message: | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. metadata: cwe: CWE-94 shortDescription: Improper Control of Generation of Code ('Code Injection') security-severity: Info category: security owasp: - A1:2017-Injection - A03:2021-Injection primary_identifier: find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-SCRIPT_ENGINE_INJECTION type: find_sec_bugs_type value: SCRIPT_ENGINE_INJECTION - name: Find Security Bugs-SPEL_INJECTION type: find_sec_bugs_type value: SPEL_INJECTION - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION - name: Find Security Bugs-SEAM_LOG_INJECTION type: find_sec_bugs_type value: SEAM_LOG_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 shortlink: https://sg.run/09nv semgrep.dev: rule: r_id: 67998 rv_id: 920269 rule_id: bwUoOl version_id: o5TK1dB url: https://semgrep.dev/playground/r/o5TK1dB/gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 origin: community patterns: - pattern: '($ENGINE: javax.script.ScriptEngine).eval($ARG)' - pattern-not: '($ENGINE: javax.script.ScriptEngine).eval("...")' severity: ERROR - id: gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-2 languages: - scala message: | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. metadata: cwe: CWE-94 shortDescription: Improper Control of Generation of Code ('Code Injection') security-severity: Medium category: security owasp: - A1:2017-Injection - A03:2021-Injection primary_identifier: find_sec_bugs.SCRIPT_ENGINE_INJECTION-2 secondary_identifiers: - name: Find Security Bugs-SCRIPT_ENGINE_INJECTION type: find_sec_bugs_type value: SCRIPT_ENGINE_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-2 shortlink: https://sg.run/K6W7 semgrep.dev: rule: r_id: 67999 rv_id: 920270 rule_id: NbURAr version_id: zyTG3LG url: https://semgrep.dev/playground/r/zyTG3LG/gitlab.find_sec_bugs_scala.SCRIPT_ENGINE_INJECTION-2 origin: community patterns: - pattern: '($P: org.springframework.expression.spel.standard.SpelExpressionParser).parseExpression($ARG);' - pattern-not: '($P: org.springframework.expression.spel.standard.SpelExpressionParser ).parseExpression("...");' severity: ERROR - id: gitlab.find_sec_bugs_scala.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 languages: - scala message: | The Servlet can read GET and POST parameters from various methods. The value obtained should be considered unsafe." metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation security-severity: Medium primary_identifier: find_sec_bugs.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 secondary_identifiers: - name: Find Security Bugs-SERVLET_PARAMETER type: find_sec_bugs_type value: SERVLET_PARAMETER - name: Find Security Bugs-SERVLET_CONTENT_TYPE type: find_sec_bugs_type value: SERVLET_CONTENT_TYPE - name: Find Security Bugs-SERVLET_SERVER_NAME type: find_sec_bugs_type value: SERVLET_SERVER_NAME - name: Find Security Bugs-SERVLET_SESSION_ID type: find_sec_bugs_type value: SERVLET_SESSION_ID - name: Find Security Bugs-SERVLET_QUERY_STRING type: find_sec_bugs_type value: SERVLET_QUERY_STRING - name: Find Security Bugs-SERVLET_HEADER type: find_sec_bugs_type value: SERVLET_HEADER - name: Find Security Bugs-SERVLET_HEADER_REFERER type: find_sec_bugs_type value: SERVLET_HEADER_REFERER - name: Find Security Bugs-SERVLET_HEADER_USER_AGENT type: find_sec_bugs_type value: SERVLET_HEADER_USER_AGENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 shortlink: https://sg.run/XkBK semgrep.dev: rule: r_id: 67964 rv_id: 920236 rule_id: ReUxg8 version_id: NdTeRzQ url: https://semgrep.dev/playground/r/NdTeRzQ/gitlab.find_sec_bugs_scala.SERVLET_PARAMETER-1.SERVLET_CONTENT_TYPE-1.SERVLET_SERVER_NAME-1.SERVLET_SESSION_ID-1.SERVLET_QUERY_STRING-1.SERVLET_HEADER-1.SERVLET_HEADER_REFERER-1.SERVLET_HEADER_USER_AGENT-1 origin: community mode: taint pattern-sanitizers: - pattern: Encode.forHtml(...) - pattern: org.owasp.esapi.Encoder.encodeForSQL(...) pattern-sinks: - patterns: - pattern-either: - pattern: | ... + $PAR - pattern: | ... + $PAR + ... - pattern: | $PAR + ... - pattern: $PAR pattern-sources: - pattern-either: - pattern: '($REQ: HttpServletRequest).getContentType' - pattern: '($REQ: HttpServletRequest).getServerName' - pattern: '($REQ: HttpServletRequest).getRequestedSessionId' - pattern: '($REQ: HttpServletRequest).getParameterValues(...)' - pattern: '($REQ: HttpServletRequest).getParameterMap' - pattern: '($REQ: HttpServletRequest).getParameterNames' - pattern: '($REQ: HttpServletRequest).getParameter(...)' - patterns: - pattern-inside: | ($REQ: HttpServletRequest).getSession - pattern: $SESS.getAttribute("...") - pattern: | ($REQ: HttpServletRequest).getSession.getAttribute("...") severity: WARNING - id: gitlab.find_sec_bugs_scala.SMTP_HEADER_INJECTION-1 languages: - scala message: | Simple Mail Transfer Protocol (SMTP) is a the text based protocol used for email delivery. Like with HTTP, headers are separate by new line separator. If kuser input is place in a header line, the application should remove or replace new line characters (CR / LF). You should use a safe wrapper such as Apache Common Email and Simple Java Mail which filter special characters that can lead to header injection. metadata: category: security cwe: CWE-77 shortDescription: Improper Neutralization of Special Elements used in a Command security-severity: High primary_identifier: find_sec_bugs.SMTP_HEADER_INJECTION secondary_identifiers: - name: Find Security Bugs-SMTP_HEADER_INJECTION type: find_sec_bugs_type value: SMTP_HEADER_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SMTP_HEADER_INJECTION-1 shortlink: https://sg.run/PXpN semgrep.dev: rule: r_id: 68001 rv_id: 920272 rule_id: wdUb84 version_id: 2KTdOpr url: https://semgrep.dev/playground/r/2KTdOpr/gitlab.find_sec_bugs_scala.SMTP_HEADER_INJECTION-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | $M = new MimeMessage(...); ... - pattern: $M.setSubject($ARG); - pattern-not: $M.setSubject("...") - patterns: - pattern-inside: | $M = new MimeMessage(...); ... - pattern: $M.addHeader($ARG1, $ARG2) - pattern-not: $M.addHeader("...", "...") - patterns: - pattern-inside: | $M = new MimeMessage(...); ... - pattern: $M.setDescription($ARG) - pattern-not: $M.setDescription("...") - patterns: - pattern-inside: | $M = new MimeMessage(...); ... - pattern: $M.setDisposition($ARG) - pattern-not: $M.setDisposition("...") severity: ERROR - id: gitlab.find_sec_bugs_scala.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SCALA_SQL_INJECTION_SLICK-1 languages: - scala message: | The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. metadata: category: security cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') security-severity: Medium primary_identifier: find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SCALA_SQL_INJECTION_SLICK-1 secondary_identifiers: - name: Find Security Bugs-SQL_INJECTION_SPRING_JDBC type: find_sec_bugs_type value: SQL_INJECTION_SPRING_JDBC - name: Find Security Bugs-SQL_INJECTION_JPA type: find_sec_bugs_type value: SQL_INJECTION_JPA - name: Find Security Bugs-SQL_INJECTION_JDO type: find_sec_bugs_type value: SQL_INJECTION_JDO - name: Find Security Bugs-SQL_INJECTION_JDBC type: find_sec_bugs_type value: SQL_INJECTION_JDBC - name: Find Security Bugs-SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE type: find_sec_bugs_type value: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE - name: Find Security Bugs-SCALA_SQL_INJECTION_SLICK type: find_sec_bugs_type value: SCALA_SQL_INJECTION_SLICK license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SCALA_SQL_INJECTION_SLICK-1 shortlink: https://sg.run/4Nyl semgrep.dev: rule: r_id: 67988 rv_id: 920260 rule_id: oqU1z2 version_id: BjTKLbW url: https://semgrep.dev/playground/r/BjTKLbW/gitlab.find_sec_bugs_scala.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SCALA_SQL_INJECTION_SLICK-1 origin: community patterns: - pattern-not-inside: | $ARG = ... ... - pattern-not-inside: | object $CLAZZ { ... $ARG = ... ... } - pattern-not-inside: | class $CLAZZ { ... $ARG = ... ... } - pattern-either: - patterns: - pattern: ($PM:javax.jdo.PersistenceManager).newQuery(<...$ARG...>) - pattern-not: ($PM:javax.jdo.PersistenceManager).newQuery("...") - patterns: - pattern: ($PM:javax.jdo.PersistenceManager).newQuery(..., <...$ARG...>) - pattern-not: ($PM:javax.jdo.PersistenceManager).newQuery(..., "...") - patterns: - pattern: '($Q: javax.jdo.Query).setFilter(<...$ARG...>)' - pattern-not: '($Q: javax.jdo.Query).setFilter("...")' - patterns: - pattern: '($Q: javax.jdo.Query).setGrouping(<...$ARG...>)' - pattern-not: '($Q: javax.jdo.Query).setGrouping("...")' - patterns: - pattern: '($Q: javax.jdo.Query).setGrouping(<...$ARG...>)' - pattern-not: '($Q: javax.jdo.Query).setGrouping("...")' - patterns: - pattern: '($H: org.hibernate.criterion.Restrictions).sqlRestriction(<...$ARG...>, ...)' - pattern-not: '($H: org.hibernate.criterion.Restrictions).sqlRestriction("...", ...)' - patterns: - pattern: '($S: org.hibernate.Session).createQuery(<...$ARG...>, ...)' - pattern-not: '($S: org.hibernate.Session).createQuery("...", ...)' - patterns: - pattern: '($S: org.hibernate.Session).createSQLQuery(<...$ARG...>, ...)' - pattern-not: '($S: org.hibernate.Session).createSQLQuery("...", ...)' - patterns: - pattern: '($S: java.sql.Statement).executeQuery(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Statement).createSQLQuery("...", ...)' - patterns: - pattern: '($S: java.sql.Statement).execute(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Statement).execute("...", ...)' - patterns: - pattern: '($S: java.sql.Statement).executeUpdate(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Statement).executeUpdate("...", ...)' - patterns: - pattern: '($S: java.sql.Statement).executeLargeUpdate(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Statement).executeLargeUpdate("...", ...)' - patterns: - pattern: '($S: java.sql.Statement).addBatch(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Statement).addBatch("...", ...)' - patterns: - pattern: '($S: java.sql.PreparedStatement).executeQuery(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.PreparedStatement).executeQuery("...", ...)' - patterns: - pattern: '($S: java.sql.PreparedStatement).execute(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.PreparedStatement).execute("...", ...)' - patterns: - pattern: '($S: java.sql.PreparedStatement).executeUpdate(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.PreparedStatement).executeUpdate("...", ...)' - patterns: - pattern: '($S: java.sql.PreparedStatement).executeLargeUpdate(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.PreparedStatement).executeLargeUpdate("...", ...)' - patterns: - pattern: '($S: java.sql.PreparedStatement).addBatch(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.PreparedStatement).addBatch("...", ...)' - patterns: - pattern: '($S: java.sql.Connection).prepareCall(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Connection).prepareCall("...", ...)' - patterns: - pattern: '($S: java.sql.Connection).prepareStatement(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Connection).prepareStatement("...", ...)' - patterns: - pattern: '($S: java.sql.Connection).nativeSQL(<...$ARG...>, ...)' - pattern-not: '($S: java.sql.Connection).nativeSQL("...", ...)' - patterns: - pattern: new org.springframework.jdbc.core.PreparedStatementCreatorFactory(<...$ARG...>, ...) - pattern-not: new org.springframework.jdbc.core.PreparedStatementCreatorFactory("...", ...) - patterns: - pattern: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator(<...$ARG...>, ...) - pattern-not: (org.springframework.jdbc.core.PreparedStatementCreatorFactory $F).newPreparedStatementCreator("...", ...) - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).batchUpdate(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).batchUpdate("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).execute(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).execute("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).query(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).query("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForList(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForList("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForMap(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForMap("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForRowSet(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForRowSet("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForInt(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForInt("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForLong(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).queryForLong("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).update(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcOperations).update("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).batchUpdate(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).batchUpdate("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).execute(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).execute("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).query(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).query("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForList(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForList("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForMap(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForMap("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForObject(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForObject("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForRowSet(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForRowSet("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForInt(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForInt("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForLong(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForLong("...", ...)' - patterns: - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).update(<...$ARG...>, ...)' - pattern-not: '($O: org.springframework.jdbc.core.JdbcTemplate).update("...", ...)' - patterns: - pattern: '($O: io.vertx.sqlclient.SqlClient).query(<...$ARG...>, ...)' - pattern-not: '($O: io.vertx.sqlclient.SqlClient).query("...", ...)' - patterns: - pattern: '($O: io.vertx.sqlclient.SqlClient).preparedQuery(<...$ARG...>, ...)' - pattern-not: '($O: io.vertx.sqlclient.SqlClient).preparedQuery("...", ...)' - patterns: - pattern: '($O: io.vertx.sqlclient.SqlConnection).prepare(<...$ARG...>, ...)' - pattern-not: '($O: io.vertx.sqlclient.SqlConnection).prepare("...", ...)' - patterns: - pattern: '($O: org.apache.turbine.om.peer.BasePeer).executeQuery(<...$ARG...>, ...)' - pattern-not: '($O: org.apache.turbine.om.peer.BasePeer).executeQuery("...", ...)' - patterns: - pattern: '($O: org.apache.torque.util.BasePeer).executeQuery(<...$ARG...>, ...)' - pattern-not: '($O: org.apache.torque.util.BasePeer).executeQuery("...", ...)' - patterns: - pattern: '($O: javax.persistence.EntityManager).createQuery(<...$ARG...>, ...)' - pattern-not: '($O: javax.persistence.EntityManager).createQuery("...", ...)' - patterns: - pattern: '($O: javax.persistence.EntityManager).createNativeQuery(<...$ARG...>, ...)' - pattern-not: '($O: javax.persistence.EntityManager).createNativeQuery("...", ...)' - patterns: - pattern: anorm.SQL(<...$ARG...>) - pattern-not: anorm.SQL("...") - patterns: - pattern-inside: | import anorm._ ... - pattern: SQL(<...$ARG...>) - pattern-not: SQL("...") severity: ERROR - id: gitlab.find_sec_bugs_scala.SSL_CONTEXT-1 languages: - scala message: | A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middleattacks attacks since the client will trust any certificate. metadata: category: security cwe: CWE-295 shortDescription: Improper Certificate Validation security-severity: Medium primary_identifier: find_sec_bugs.SSL_CONTEXT secondary_identifiers: - name: Find Security Bugs-SSL_CONTEXT type: find_sec_bugs_type value: SSL_CONTEXT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.SSL_CONTEXT-1 shortlink: https://sg.run/2rx0 semgrep.dev: rule: r_id: 67963 rv_id: 920235 rule_id: GdUX7n version_id: bZTLo56 url: https://semgrep.dev/playground/r/bZTLo56/gitlab.find_sec_bugs_scala.SSL_CONTEXT-1 origin: community patterns: - pattern-either: - pattern: new org.apache.http.impl.client.DefaultHttpClient() - pattern: javax.net.ssl.SSLContext.getInstance("SSL") - patterns: - pattern-inside: | import javax.net.ssl._ ... - pattern: SSLContext.getInstance("SSL") severity: WARNING - id: gitlab.find_sec_bugs_scala.STRUTS_FORM_VALIDATION-1 languages: - scala message: | Form inputs should have minimal input validation. Preventive validation helps provide defense in depth against a variety of risks. metadata: category: security cwe: CWE-20 shortDescription: Improper Input Validation security-severity: Info primary_identifier: find_sec_bugs.STRUTS_FORM_VALIDATION secondary_identifiers: - name: Find Security Bugs-STRUTS_FORM_VALIDATION type: find_sec_bugs_type value: STRUTS_FORM_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.STRUTS_FORM_VALIDATION-1 shortlink: https://sg.run/kqX7 semgrep.dev: rule: r_id: 67972 rv_id: 920244 rule_id: lBUD9R version_id: ZRTedK8 url: https://semgrep.dev/playground/r/ZRTedK8/gitlab.find_sec_bugs_scala.STRUTS_FORM_VALIDATION-1 origin: community patterns: - pattern-inside: | class $CLASS extends $SC { ... } - metavariable-regex: metavariable: $SC regex: (ActionForm|ValidatorForm) - pattern-not: public void validate() { ... } severity: WARNING - id: gitlab.find_sec_bugs_scala.TDES_USAGE-1 languages: - scala message: | Triple DES (also known as 3DES or DESede) is considered strong ciphers for modern applications. NIST recommends the usage of AES block ciphers instead of 3DES. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.TDES_USAGE secondary_identifiers: - name: Find Security Bugs-TDES_USAGE type: find_sec_bugs_type value: TDES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.TDES_USAGE-1 shortlink: https://sg.run/DDoY semgrep.dev: rule: r_id: 67952 rv_id: 920224 rule_id: EwUW2e version_id: 6xTyX2E url: https://semgrep.dev/playground/r/6xTyX2E/gitlab.find_sec_bugs_scala.TDES_USAGE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance("$ALG") - metavariable-regex: metavariable: $ALG regex: ^(DESede)/.* severity: WARNING - id: dgryski.semgrep-go.readeof.read-io-eof patterns: - pattern: | $N, $ERR := $R.Read(($SLICE : []byte)) if $ERR != nil { return ... } - pattern-not: | $N, $ERR := rand.Read(($SLICE : []byte)) if $ERR != nil { return ... } message: Read() can return n bytes and io.EOF languages: - go severity: ERROR metadata: license: MIT source: https://semgrep.dev/r/dgryski.semgrep-go.readeof.read-io-eof shortlink: https://sg.run/y1R7 semgrep.dev: rule: r_id: 14468 rv_id: 833082 rule_id: bwU843 version_id: nWTy4oX url: https://semgrep.dev/playground/r/nWTy4oX/dgryski.semgrep-go.readeof.read-io-eof origin: community - id: gitlab.find_sec_bugs_scala.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 languages: - scala message: | A malicious user in control of a template can run malicious code on the server-side. Velocity templates should be seen as scripts. metadata: category: security cwe: CWE-94 shortDescription: Improper Control of Generation of Code ('Code Injection') security-severity: Info primary_identifier: find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 secondary_identifiers: - name: Find Security Bugs-TEMPLATE_INJECTION_PEBBLE type: find_sec_bugs_type value: TEMPLATE_INJECTION_PEBBLE - name: Find Security Bugs-TEMPLATE_INJECTION_FREEMARKER type: find_sec_bugs_type value: TEMPLATE_INJECTION_FREEMARKER - name: Find Security Bugs-TEMPLATE_INJECTION_VELOCITY type: find_sec_bugs_type value: TEMPLATE_INJECTION_VELOCITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 shortlink: https://sg.run/WNgy semgrep.dev: rule: r_id: 68009 rv_id: 920280 rule_id: EwUW4O version_id: NdTeRZQ url: https://semgrep.dev/playground/r/NdTeRZQ/gitlab.find_sec_bugs_scala.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 origin: community pattern-either: - patterns: - pattern: org.apache.velocity.app.Velocity.evaluate(..., $VAR) - pattern-not: org.apache.velocity.app.Velocity.evaluate(..., "...") - patterns: - pattern-not-inside: | $C = ($CFG: freemarker.template.Configuration).getTemplate("..."); ... - pattern-inside: | $C = ($CFG: freemarker.template.Configuration).getTemplate($IN); ... - pattern: $C.process(...) - patterns: - pattern-inside: | import com.mitchellbosecke.pebble.PebbleEngine; ... - pattern-inside: | $C = $T.getTemplate($IN); ... - pattern-not-inside: | $C = $T.getTemplate("..."); ... - pattern: $C.evaluate(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.TRUST_BOUNDARY_VIOLATION-1 languages: - scala message: | A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data. metadata: category: security cwe: CWE-501 shortDescription: Trust Boundary Violation security-severity: Info primary_identifier: find_sec_bugs.TRUST_BOUNDARY_VIOLATION secondary_identifiers: - name: Find Security Bugs-TRUST_BOUNDARY_VIOLATION type: find_sec_bugs_type value: TRUST_BOUNDARY_VIOLATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.TRUST_BOUNDARY_VIOLATION-1 shortlink: https://sg.run/5kQA semgrep.dev: rule: r_id: 67947 rv_id: 920219 rule_id: eqUK89 version_id: 0bTp3K7 url: https://semgrep.dev/playground/r/0bTp3K7/gitlab.find_sec_bugs_scala.TRUST_BOUNDARY_VIOLATION-1 origin: community patterns: - pattern-either: - patterns: - pattern: '($H: HttpServletRequest). ... .setAttribute($ARG1, $ARG2)' - pattern-not: '($H: HttpServletRequest). ... .setAttribute("...", "...")' - patterns: - pattern: '($H: HttpServletRequest). ... .putValue($ARG1, $ARG2)' - pattern-not: '($H: HttpServletRequest). ... .putValue("...", "...")' severity: WARNING - id: gitlab.find_sec_bugs_scala.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 languages: - scala message: | Beyond using an SSL socket, you need to make sure your use of SSLSocketFactory does all the appropriate certificate validation checks to make sure you are not subject to man-in-the-middle attacks. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly. metadata: cwe: CWE-319 shortDescription: Cleartext transmission of sensitive information security-severity: Info owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures category: security primary_identifier: find_sec_bugs.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 secondary_identifiers: - name: Find Security Bugs-UNENCRYPTED_SOCKET type: find_sec_bugs_type value: UNENCRYPTED_SOCKET - name: Find Security Bugs-UNENCRYPTED_SERVER_SOCKET type: find_sec_bugs_type value: UNENCRYPTED_SERVER_SOCKET license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 shortlink: https://sg.run/9eoY semgrep.dev: rule: r_id: 67967 rv_id: 920239 rule_id: DbUypE version_id: xyTdrjl url: https://semgrep.dev/playground/r/xyTdrjl/gitlab.find_sec_bugs_scala.UNENCRYPTED_SOCKET-1.UNENCRYPTED_SERVER_SOCKET-1 origin: community patterns: - pattern: new java.net.Socket(...) severity: WARNING - id: gitlab.find_sec_bugs_scala.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 languages: - scala message: | Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. metadata: category: security cwe: CWE-601 shortDescription: URL Redirection to Untrusted Site ('Open Redirect') security-severity: Info primary_identifier: find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 secondary_identifiers: - name: Find Security Bugs-UNVALIDATED_REDIRECT type: find_sec_bugs_type value: UNVALIDATED_REDIRECT - name: Find Security Bugs-URL_REWRITING type: find_sec_bugs_type value: URL_REWRITING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 shortlink: https://sg.run/ybdx semgrep.dev: rule: r_id: 67968 rv_id: 920240 rule_id: WAUno0 version_id: O9Tv7pL url: https://semgrep.dev/playground/r/O9Tv7pL/gitlab.find_sec_bugs_scala.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 origin: community patterns: - pattern-either: - patterns: - pattern: '($REQ: HttpServletResponse).sendRedirect(...)' - pattern-not: '($REQ: HttpServletResponse).sendRedirect("...")' - patterns: - pattern: '($REQ: HttpServletResponse).addHeader(...)' - pattern-not: '($REQ: HttpServletResponse).addHeader("...", "...")' - patterns: - pattern: '($REQ: HttpServletResponse).encodeURL(...)' - pattern-not: '($REQ: HttpServletResponse).encodeURL("...")' - patterns: - pattern: '($REQ: HttpServletResponse).encodeRedirectUrl(...)' - pattern-not: '($REQ: HttpServletResponse).encodeRedirectUrl("...")' severity: ERROR - id: gitlab.find_sec_bugs_scala.URLCONNECTION_SSRF_FD-1 languages: - scala message: | Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server. metadata: category: security cwe: CWE-918 shortDescription: Server-Side Request Forgery (SSRF) security-severity: Low primary_identifier: find_sec_bugs.URLCONNECTION_SSRF_FD secondary_identifiers: - name: Find Security Bugs-URLCONNECTION_SSRF_FD type: find_sec_bugs_type value: URLCONNECTION_SSRF_FD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.URLCONNECTION_SSRF_FD-1 shortlink: https://sg.run/5k86 semgrep.dev: rule: r_id: 68003 rv_id: 920274 rule_id: OrU7GA version_id: jQTwjBn url: https://semgrep.dev/playground/r/jQTwjBn/gitlab.find_sec_bugs_scala.URLCONNECTION_SSRF_FD-1 origin: community pattern-either: - patterns: - pattern-either: - pattern-inside: | import java.net._ ... - pattern-inside: | import java.net.URL ... - pattern-inside: | import java.net.URI ... - pattern: new $TYPE(...). ... .$FUNC - pattern-not: new $TYPE("..."). ... .$FUNC - metavariable-pattern: metavariable: $FUNC pattern-either: - pattern: connect - pattern: GetContent - pattern: openConnection - pattern: openStream - pattern: getContent - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: URL - pattern: java.net.URL - pattern: URI - pattern: java.net.URI - patterns: - pattern-either: - pattern-inside: | import java.net.*; ... - pattern-inside: | import java.net.InetSocketAddress; ... - pattern: | new InetSocketAddress(..., $PORT) - pattern-not: | new InetSocketAddress("...", $PORT) severity: ERROR - id: gitlab.find_sec_bugs_scala.WEAK_FILENAMEUTILS-1 languages: - scala message: | A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. metadata: category: security cwe: CWE-22 shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') technology: - scala owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium primary_identifier: find_sec_bugs.WEAK_FILENAMEUTILS secondary_identifiers: - name: Find Security Bugs-WEAK_FILENAMEUTILS type: find_sec_bugs_type value: WEAK_FILENAMEUTILS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.WEAK_FILENAMEUTILS-1 shortlink: https://sg.run/Np4p semgrep.dev: rule: r_id: 67971 rv_id: 920243 rule_id: qNUwjw version_id: d6T6gy0 url: https://semgrep.dev/playground/r/d6T6gy0/gitlab.find_sec_bugs_scala.WEAK_FILENAMEUTILS-1 origin: community pattern-either: - patterns: - pattern-inside: | import org.apache.commons.io.FilenameUtils._ ... - pattern-either: - pattern: normalize(...) - pattern: getExtension(...) - pattern: isExtensions(...) - pattern: isExtension(...) - pattern: getName(...) - pattern: getBaseName(...) - patterns: - pattern-either: - pattern: org.apache.commons.io.FilenameUtils.normalize(...) - pattern: org.apache.commons.io.FilenameUtils.getExtension(...) - pattern: org.apache.commons.io.FilenameUtils.isExtensions(...) - pattern: org.apache.commons.io.FilenameUtils.isExtension(...) - pattern: org.apache.commons.io.FilenameUtils.getName(...) - pattern: org.apache.commons.io.FilenameUtils.getBaseName(...) severity: WARNING - id: gitlab.find_sec_bugs_scala.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 languages: - scala message: | A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. metadata: category: security cwe: CWE-295 shortDescription: Improper Certificate Validation security-severity: Info primary_identifier: find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 secondary_identifiers: - name: Find Security Bugs-WEAK_HOSTNAME_VERIFIER type: find_sec_bugs_type value: WEAK_HOSTNAME_VERIFIER - name: Find Security Bugs-WEAK_TRUST_MANAGER type: find_sec_bugs_type value: WEAK_TRUST_MANAGER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 shortlink: https://sg.run/r2dn semgrep.dev: rule: r_id: 67969 rv_id: 920241 rule_id: 0oU35P version_id: e1TZKyX url: https://semgrep.dev/playground/r/e1TZKyX/gitlab.find_sec_bugs_scala.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 origin: community patterns: - pattern-either: - patterns: - pattern-inside: | class $V extends HostnameVerifier { ... } - pattern-either: - pattern: def verify(...) = true - pattern: | def verify(...) = { return true } - patterns: - pattern-inside: | class $V extends X509TrustManager { ... } - pattern-either: - pattern: 'def checkClientTrusted(...): Unit = {}' - pattern: 'def checkServerTrusted(...): Unit = {}' - pattern: def checkClientTrusted(...) = {} - pattern: def checkServerTrusted(...) = {} - pattern: 'def getAcceptedIssuers(): Array[X509Certificate] = null' - pattern: 'def getAcceptedIssuers(): Array[X509Certificate] = {}' severity: WARNING - id: gitlab.find_sec_bugs_scala.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 languages: - scala message: | DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 secondary_identifiers: - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_MD5 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_MD5 - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_SHA1 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_SHA1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 shortlink: https://sg.run/pzxg semgrep.dev: rule: r_id: 67962 rv_id: 920234 rule_id: 5rUGO2 version_id: rxTjvAN url: https://semgrep.dev/playground/r/rxTjvAN/gitlab.find_sec_bugs_scala.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 origin: community patterns: - pattern-either: - pattern: MessageDigest.getInstance("$ALG", ...) - pattern: Signature.getInstance("$ALG", ...) - metavariable-regex: metavariable: $ALG regex: (.*(MD5|MD4|MD2|SHA1|SHA-1).*) severity: WARNING - id: gitlab.find_sec_bugs_scala.WICKET_XSS1-1 languages: - scala message: | Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') security-severity: Medium primary_identifier: find_sec_bugs.WICKET_XSS1 secondary_identifiers: - name: Find Security Bugs-WICKET_XSS1 type: find_sec_bugs_type value: WICKET_XSS1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.WICKET_XSS1-1 shortlink: https://sg.run/XkLl semgrep.dev: rule: r_id: 68020 rv_id: 920291 rule_id: GdUX0G version_id: 7ZTbRB8 url: https://semgrep.dev/playground/r/7ZTbRB8/gitlab.find_sec_bugs_scala.WICKET_XSS1-1 origin: community patterns: - pattern: '($X: Label).setEscapeModelStrings(false);' severity: WARNING - id: gitlab.find_sec_bugs_scala.XML_DECODER-1 languages: - scala message: | Avoid using XMLDecoder to parse content from an untrusted source. metadata: category: security cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: High primary_identifier: find_sec_bugs.XML_DECODER secondary_identifiers: - name: Find Security Bugs-XML_DECODER type: find_sec_bugs_type value: XML_DECODER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XML_DECODER-1 shortlink: https://sg.run/6wrw semgrep.dev: rule: r_id: 68015 rv_id: 920286 rule_id: 3qUwBw version_id: vdTvQXA url: https://semgrep.dev/playground/r/vdTvQXA/gitlab.find_sec_bugs_scala.XML_DECODER-1 origin: community patterns: - pattern-inside: | $D = new java.beans.XMLDecoder($IN); ... - pattern-not-inside: | $DX = new java.beans.XMLDecoder("..."); ... - pattern: $D.readObject severity: WARNING - id: gitlab.find_sec_bugs_scala.XPATH_INJECTION-1 languages: - scala message: | The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XPATH_INJECTION secondary_identifiers: - name: Find Security Bugs-XPATH_INJECTION type: find_sec_bugs_type value: XPATH_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XPATH_INJECTION-1 shortlink: https://sg.run/zNkz semgrep.dev: rule: r_id: 68017 rv_id: 920288 rule_id: PeUGky version_id: ZRTed28 url: https://semgrep.dev/playground/r/ZRTed28/gitlab.find_sec_bugs_scala.XPATH_INJECTION-1 origin: community mode: taint pattern-sinks: - patterns: - pattern-either: - pattern-inside: |- import javax.xml.xpath._ ... - pattern-inside: |- import javax.xml.xpath.XPath ... - pattern-either: - pattern: $Y.compile(...) - pattern: $X.evaluate(..., $ARG2) pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $ARG: $TYPE,...): $RET = { ... } - pattern: $ARG severity: ERROR - id: gitlab.find_sec_bugs_scala.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 languages: - scala message: | Servlet reflected cross site scripting vulnerability metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER type: find_sec_bugs_type value: XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 shortlink: https://sg.run/jKNZ semgrep.dev: rule: r_id: 68021 rv_id: 920292 rule_id: ReUxPb version_id: LjTzeGv url: https://semgrep.dev/playground/r/LjTzeGv/gitlab.find_sec_bugs_scala.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 origin: community mode: taint pattern-sanitizers: - pattern: Encode.forHtml(...) - pattern: org.owasp.esapi.Encoder.encodeForSQL(...) pattern-sinks: - patterns: - pattern-inside: 'def $FUNC(..., $RES: HttpServletResponse, ...): $TYPE = {...}' - pattern-inside: | $WRITER = $RES.getWriter ... - pattern: $WRITER.write(...) - patterns: - pattern-inside: 'def $FUNC(..., $RES: HttpServletResponse, ...): $TYPE = {...}' - pattern: $RES.getWriter.write(...) - patterns: - pattern-inside: 'def $FUNC(..., $RES: HttpServletResponse, ...): $TYPE = {...}' - pattern: $RES.getWriter.print(...) pattern-sources: - patterns: - pattern-inside: 'def $FUNC(..., $REQ: HttpServletRequest, ...): $TYPE = {...}' - pattern-either: - pattern: $REQ.getParameter(...) - pattern: $REQ.getQueryString severity: WARNING - id: gitlab.find_sec_bugs_scala.XSS_REQUEST_WRAPPER-1 languages: - scala message: | Avoid using custom XSS filtering. Please use standard sanitization functions. metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') security-severity: Medium primary_identifier: find_sec_bugs.XSS_REQUEST_WRAPPER secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_WRAPPER type: find_sec_bugs_type value: XSS_REQUEST_WRAPPER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XSS_REQUEST_WRAPPER-1 shortlink: https://sg.run/2rbz semgrep.dev: rule: r_id: 68019 rv_id: 920290 rule_id: 5rUG4X version_id: ExT1Wo7 url: https://semgrep.dev/playground/r/ExT1Wo7/gitlab.find_sec_bugs_scala.XSS_REQUEST_WRAPPER-1 origin: community patterns: - pattern-inside: | class $CLASS(...) extends HttpServletRequestWrapper(...) { ... } - pattern: def stripXSS(...) = { ... } severity: INFO - id: gitlab.find_sec_bugs_scala.XSS_SERVLET-1 languages: - scala message: | A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. metadata: category: security cwe: CWE-79 shortDescription: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') security-severity: Info primary_identifier: find_sec_bugs.XSS_SERVLET secondary_identifiers: - name: Find Security Bugs-XSS_SERVLET type: find_sec_bugs_type value: XSS_SERVLET license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XSS_SERVLET-1 shortlink: https://sg.run/1ynb semgrep.dev: rule: r_id: 68022 rv_id: 920293 rule_id: AbUlWY version_id: 8KTvlN8 url: https://semgrep.dev/playground/r/8KTvlN8/gitlab.find_sec_bugs_scala.XSS_SERVLET-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: org.owasp.encoder.Encode.forHtml($TAINTED); - pattern: $TAINTED pattern-sinks: - patterns: - pattern-inside: 'def $FUNC(..., $RES: HttpServletResponse, ...): $TYPE = {...}' - pattern-inside: | $WRITER = $RES.getWriter; ... - pattern: $WRITER.write($DATA,...); - pattern: $DATA - patterns: - pattern-inside: 'def $FUNC(..., $RES: HttpServletResponse, ...): $TYPE = {...}' - pattern: $RES.getWriter.write($DATA,...); - pattern: $DATA pattern-sources: - patterns: - pattern-inside: 'def $FUNC(..., $REQ: HttpServletRequest, ...): $TYPE = {...}' - pattern: $REQ.getParameter(...); severity: WARNING - id: gitlab.find_sec_bugs_scala.XXE_DOCUMENT-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XXE_DOCUMENT secondary_identifiers: - name: Find Security Bugs-XXE_DOCUMENT type: find_sec_bugs_type value: XXE_DOCUMENT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_DOCUMENT-1 shortlink: https://sg.run/9eqk semgrep.dev: rule: r_id: 68023 rv_id: 920294 rule_id: BYULB2 version_id: gETkXP2 url: https://semgrep.dev/playground/r/gETkXP2/gitlab.find_sec_bugs_scala.XXE_DOCUMENT-1 origin: community patterns: - pattern-inside: | $DF = DocumentBuilderFactory.newInstance ... - pattern-not-inside: | $DF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... - pattern-not-inside: | $DF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) ... - pattern: $DB.parse(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1 secondary_identifiers: - name: Find Security Bugs-XXE_DTD_TRANSFORM_FACTORY type: find_sec_bugs_type value: XXE_DTD_TRANSFORM_FACTORY - name: Find Security Bugs-XXE_XSLT_TRANSFORM_FACTORY type: find_sec_bugs_type value: XXE_XSLT_TRANSFORM_FACTORY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1 shortlink: https://sg.run/r2k6 semgrep.dev: rule: r_id: 68025 rv_id: 920296 rule_id: WAUnPW version_id: 3ZTLwRX url: https://semgrep.dev/playground/r/3ZTLwRX/gitlab.find_sec_bugs_scala.XXE_DTD_TRANSFORM_FACTORY-1.XXE_XSLT_TRANSFORM_FACTORY-1 origin: community mode: taint pattern-sanitizers: - pattern: $T.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - pattern: $T.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - pattern: $T.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); pattern-sinks: - pattern: $T.transform(...) pattern-sources: - patterns: - pattern-either: - pattern-inside: |- import javax.xml.transform._ ... - pattern-inside: |- import javax.xml.transform.Transformer ... - pattern: $FACT.newTransformer severity: ERROR - id: gitlab.find_sec_bugs_scala.XXE_SAXPARSER-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Info primary_identifier: find_sec_bugs.XXE_SAXPARSER secondary_identifiers: - name: Find Security Bugs-XXE_SAXPARSER type: find_sec_bugs_type value: XXE_SAXPARSER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_SAXPARSER-1 shortlink: https://sg.run/yb68 semgrep.dev: rule: r_id: 68024 rv_id: 920295 rule_id: DbUyKd version_id: QkT1NXN url: https://semgrep.dev/playground/r/QkT1NXN/gitlab.find_sec_bugs_scala.XXE_SAXPARSER-1 origin: community patterns: - pattern-inside: | val $SF = SAXParserFactory.newInstance ... - pattern-not-inside: | $SF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) ... - pattern-not-inside: | $SF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... - pattern-inside: | val $P = $SFP.newSAXParser ... - pattern: $P.parse(...); severity: ERROR - id: gitlab.find_sec_bugs_scala.XXE_XMLREADER-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XXE_XMLREADER secondary_identifiers: - name: Find Security Bugs-XXE_XMLREADER type: find_sec_bugs_type value: XXE_XMLREADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_XMLREADER-1 shortlink: https://sg.run/b5rZ semgrep.dev: rule: r_id: 68026 rv_id: 920297 rule_id: 0oU3Jy version_id: 44Teq9d url: https://semgrep.dev/playground/r/44Teq9d/gitlab.find_sec_bugs_scala.XXE_XMLREADER-1 origin: community patterns: - pattern-inside: | val $R = XMLReaderFactory.createXMLReader ... - pattern-not-inside: | $R.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) ... - pattern: $R.parse(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.XXE_XMLSTREAMREADER-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XXE_XMLSTREAMREADER secondary_identifiers: - name: Find Security Bugs-XXE_XMLSTREAMREADER type: find_sec_bugs_type value: XXE_XMLSTREAMREADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_XMLSTREAMREADER-1 shortlink: https://sg.run/Np8x semgrep.dev: rule: r_id: 68027 rv_id: 920298 rule_id: KxULYz version_id: PkTjGz6 url: https://semgrep.dev/playground/r/PkTjGz6/gitlab.find_sec_bugs_scala.XXE_XMLSTREAMREADER-1 origin: community patterns: - pattern-inside: | $SF = XMLInputFactory.newFactory ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.SUPPORT_DTD, false) ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) ... - pattern: $SF.createXMLStreamReader(...) severity: ERROR - id: gitlab.find_sec_bugs_scala.XXE_XPATH-1 languages: - scala message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: category: security cwe: CWE-611 shortDescription: Improper Restriction of XML External Entity Reference ('XXE') security-severity: Medium primary_identifier: find_sec_bugs.XXE_XPATH secondary_identifiers: - name: Find Security Bugs-XXE_XPATH type: find_sec_bugs_type value: XXE_XPATH license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.XXE_XPATH-1 shortlink: https://sg.run/kqkX semgrep.dev: rule: r_id: 68028 rv_id: 920299 rule_id: qNUwbj version_id: JdToRkd url: https://semgrep.dev/playground/r/JdToRkd/gitlab.find_sec_bugs_scala.XXE_XPATH-1 origin: community patterns: - pattern-inside: | val $DF = DocumentBuilderFactory.newInstance ... - pattern-not-inside: | $DF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "") ... - pattern-not-inside: | $DF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "") ... - pattern-not-inside: | $DF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) ... - pattern-not-inside: | $DF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) ... - pattern-inside: | $B = $DF.newDocumentBuilder ... - pattern: $XPATH.evaluate(...) severity: ERROR - id: gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 languages: - java mode: taint pattern-sinks: - patterns: - pattern: (javax.script.ScriptEngine $ENGINE).eval($ARG, ...); - pattern-not: (javax.script.ScriptEngine $ENGINE).eval("..."); - pattern-not: (javax.script.ScriptEngine $ENGINE).eval("...", (javax.script.Bindings $BINDING)); - patterns: - pattern-either: - pattern: (javax.script.Invocable $INVC).invokeFunction(..., $ARG) - pattern: (javax.script.Invocable $INVC).invokeMethod(..., $ARG) pattern-sources: - patterns: - pattern-inside: $FUNC(..., $VAR, ...) { ... } - pattern: $VAR message: | The application executes an argument using a `ScriptEngine`'s `eval` method. This may allow for direct OS commands to be executed as it's possible to pass in strings such as `java.lang.Runtime.getRuntime().exec('/bin/sh ...');`. Never pass user-supplied input directly to the `eval` function. If possible hardcode all JavasScript code or use a lookup table to resolve user input to known values. If none of these techniques are possible, use `javax.script.Bindings` to pass input to the script engine. Example using `Binding` to safely pass in string values: ``` // Get ECMAScript engine ScriptEngine engine = new ScriptEngineManager().getEngineByName("ECMAScript"); // User input, consisting of first and last name String userFirstName = "John"; String userLastName = "Snow"; // Create bindings to pass into our script, forcing the values to be String. Bindings bindings = engine.createBindings(); bindings.put("fname", new String(userFirstName)); bindings.put("lname", new String(userLastName)); // Example script that concatenates a greeting with the user-supplied input first/last name String script = "var greeting='Hello ';" + // fname and lname variables will be resolved by our bindings defined above "greeting += fname + ' ' + lname;" + // prints greeting "greeting"; try { // Execute the script, passing in the bindings Object bindingsResult = engine.eval(script, bindings); // Work with result // ... } catch (ScriptException e) { // Handle exception e.printStackTrace(); } ``` severity: ERROR metadata: shortDescription: Improper control of generation of code ('Code Injection') category: security cwe: CWE-94 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High primary_identifier: find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-SCRIPT_ENGINE_INJECTION type: find_sec_bugs_type value: SCRIPT_ENGINE_INJECTION - name: Find Security Bugs-SPEL_INJECTION type: find_sec_bugs_type value: SPEL_INJECTION - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION - name: Find Security Bugs-SEAM_LOG_INJECTION type: find_sec_bugs_type value: SEAM_LOG_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 shortlink: https://sg.run/93d4 semgrep.dev: rule: r_id: 21223 rv_id: 920195 rule_id: YGUYPE version_id: 3ZTLwr5 url: https://semgrep.dev/playground/r/3ZTLwr5/gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 origin: community - id: gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-2 languages: - java patterns: - pattern: ($PARSER $P).$METHOD($ARG); - pattern-not: ($PARSER $P).$METHOD("..."); - metavariable-pattern: metavariable: $PARSER pattern-either: - pattern: org.springframework.expression.spel.standard.SpelExpressionParser - pattern: org.springframework.expression.ExpressionParser - metavariable-regex: metavariable: $METHOD regex: (parseExpression|parseRaw) message: | The application was found calling SpringFramework's `SpelExpressionParser.parseExpression`. Calling this method directly with user-supplied input may allow an adversary to execute arbitrary Java code including OS system commands. Never call `parseExpression` or `parseRaw` directly with user-supplied input. Consider alternate methods such as a lookup table to take user input and resolve hardcoded values. Later versions of SpringFramework introduced a `SimpleEvaluationContext` which can be used to access bound data when calling the `getValue` result of `parseExpression`. This `SimpleEvaluationContext` has a reduced set of functionality and can restrict data binding to read-only or read-write contexts. An adversary could still access public properties or fields on custom types that have been provided to the evaluation context. Use with caution. Example using `SimpleEvaluationContext` with a read-write data binding context: ``` @RequestMapping(value="/spel", method=RequestMethod.POST) public String spel(@Validated User user, Model model) { // Create the Expression Parser SpelExpressionParser parser = new SpelExpressionParser(); // Parse the expression Expression parsedExpression = parser.parseExpression(model.getPossiblyUnsafeData()); // Create the read-write data binding context SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build(); // Execute the expression, passing in the read-write context Object result = parsedExpression.getValue(context); // work with the result // ... return "user"; } ``` For more information on SimpleEvaluationContext see: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/expression/spel/support/SimpleEvaluationContext.html severity: ERROR metadata: shortDescription: Improper neutralization of special elements used in an expression language statement ('Expression Language Injection') category: security cwe: CWE-917 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High primary_identifier: find_sec_bugs.SCRIPT_ENGINE_INJECTION-2 secondary_identifiers: - name: Find Security Bugs-SCRIPT_ENGINE_INJECTION type: find_sec_bugs_type value: SCRIPT_ENGINE_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-2 shortlink: https://sg.run/yJYr semgrep.dev: rule: r_id: 21224 rv_id: 920196 rule_id: 6JUyKR version_id: 44Teq6N url: https://semgrep.dev/playground/r/44Teq6N/gitlab.find_sec_bugs.SCRIPT_ENGINE_INJECTION-2 origin: community - id: gitlab.find_sec_bugs.SMTP_HEADER_INJECTION-1 languages: - java message: | The application was found calling `MimeMessage` methods without encoding new line characters. Much like HTTP, Simple Mail Transfer Protocol (SMTP) is a text based protocol that uses headers to convey additional directives for how email messages should be treated. An adversary could potentially cause email messages to be sent to unintended recipients by abusing the CC or BCC headers if they were able to inject them. To mitigate this issue, `\r\n` (CRLF) character sequences must be escaped or encoded prior to being used in any of the `MimeMessage` methods. Example that escapes values that come from user input with [Apache Commons Text](https://commons.apache.org/proper/commons-text/): ``` // Create a MimeMessage with a javax.mail.Session Message message = new MimeMessage(session); // Set the from address message.setFrom(new InternetAddress("source@example.com")); // Set the to address message.setRecipients(Message.RecipientType.TO,new InternetAddress[] {new InternetAddress("destination@example.com")}); // Example user input String subject = "potentially malicious data"; String headerValue = "potentially malicious data"; // Use Apache Commons Text StringEscapeUtils.escapeJava to encode \r\n to \\r\\n. message.setSubject(StringEscapeUtils.escapeJava(subject)); // Use Apache Commons Text StringEscapeUtils.escapeJava to encode \r\n to \\r\\n. message.addHeader("HeaderName", StringEscapeUtils.escapeJava(header)); // Use Apache Commons Text StringEscapeUtils.escapeJava to encode \r\n to \\r\\n. message.setDescription(StringEscapeUtils.escapeJava("some description")); // Use Apache Commons Text StringEscapeUtils.escapeJava to encode \r\n to \\r\\n. message.setDisposition(StringEscapeUtils.escapeJava("some disposition")); // Set the mail body text message.setText("Some email content."); // Send the message ``` patterns: - pattern-inside: | $M = new MimeMessage(...); ... - pattern-either: - patterns: - pattern-either: - pattern: $M.setSubject($VAR) - pattern: $M.addHeader($ARG, $VAR) - pattern: $M.addHeader($VAR, $ARG) - pattern: $M.setDescription($VAR) - pattern: $M.setDisposition($VAR) - metavariable-regex: metavariable: $VAR regex: ^[a-zA-Z_$][a-zA-Z0-9_$]*$ - patterns: - pattern-either: - pattern: $M.setSubject($OBJ.$GETTER(...)) - pattern: $M.setSubject($OBJ.$GETTER(...) + ...) - pattern: $M.setSubject(... + $OBJ.$GETTER(...)) - pattern: $M.setSubject(... + $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($ARG, $OBJ.$GETTER(...)) - pattern: $M.addHeader($ARG, $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($ARG, ... + $OBJ.$GETTER(...)) - pattern: $M.addHeader($ARG, ... + $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($OBJ.$GETTER(...), $ARG) - pattern: $M.addHeader($OBJ.$GETTER(...) + ..., $ARG) - pattern: $M.addHeader(... + $OBJ.$GETTER(...), $ARG) - pattern: $M.addHeader(... + $OBJ.$GETTER(...) + ..., $ARG) - pattern: $M.setDescription($OBJ.$GETTER(...)) - pattern: $M.setDisposition($OBJ.$GETTER(...) + ...) - pattern: $M.setDisposition(... + $OBJ.$GETTER(...)) - pattern: $M.setDisposition(... + $OBJ.$GETTER(...) + ...) - metavariable-regex: metavariable: $GETTER regex: ^get metadata: shortDescription: Improper neutralization of special elements used in a command category: security cwe: CWE-77 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Low primary_identifier: find_sec_bugs.SMTP_HEADER_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-SMTP_HEADER_INJECTION type: find_sec_bugs_type value: SMTP_HEADER_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SMTP_HEADER_INJECTION-1 shortlink: https://sg.run/bWve semgrep.dev: rule: r_id: 21226 rv_id: 920198 rule_id: zdUGRr version_id: JdToRvY url: https://semgrep.dev/playground/r/JdToRvY/gitlab.find_sec_bugs.SMTP_HEADER_INJECTION-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.SPRING_FILE_DISCLOSURE-1 languages: - java mode: taint pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameter(...) - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterNames(); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterValues(...); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterMap(); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getHeader(...); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getPathInfo(); pattern-sinks: - patterns: - pattern-not-inside: | $FST = $MAP.getOrDefault(..., "..."); ... - pattern: new org.springframework.web.servlet.ModelAndView($FST, ...); - focus-metavariable: $FST - patterns: - pattern-not-inside: | $FST = $MAP.getOrDefault(..., "..."); ... - pattern-inside: | $MVC = new org.springframework.web.servlet.ModelAndView(); ... - pattern: $MVC.setViewName(...); message: | The `org.springframework.web.servlet.ModelAndView` class may potentially allow access to restricted files if called with user-supplied input. The ModelAndView class looks up a view by name to resolve a `.jsp` file. If this view name comes from user-supplied input, it could be abused to attempt to return a JSP view that the user should not have access to. Use a lookup table or hardcode which views or paths the user should be directed to. Example using a lookup table to resolve a view from a Spring MVC application: ``` @RequestMapping(value="/mvc", method=RequestMethod.GET) public ModelAndView mvc(HttpServletRequest request, HttpServletResponse response, Model model) { // Create a look up table or pull from a data source HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "view1"); lookupTable.put("key2", "view2"); // Get user input String userInput = request.getParameter("key"); // Look up view from the user input String viewValue = lookupTable.getOrDefault(userInput, "Resource1"); // return the new model and view return new ModelAndView(viewValue); } ``` Example using a redirect instead of a `RequestDispatcher` in Spring: ``` @RequestMapping(value="/mvc", method=RequestMethod.GET) public void mvc(HttpServletRequest request, HttpServletResponse response, Model model) { // Create a look up table or pull from a data source HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "view1"); lookupTable.put("key2", "view2"); // Get user input String userInput = request.getParameter("key"); // Look up resource to redirect to from the user input String redirectValue = lookupTable.getOrDefault(userInput, "/Resource1"); // return the new model and view response.sendRedirect(redirectValue); } ``` metadata: shortDescription: Files or directories accessible to external parties category: security cwe: CWE-552 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: HIGH primary_identifier: find_sec_bugs.SPRING_FILE_DISCLOSURE-1 secondary_identifiers: - name: Find Security Bugs-SPRING_FILE_DISCLOSURE type: find_sec_bugs_type value: SPRING_FILE_DISCLOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SPRING_FILE_DISCLOSURE-1 shortlink: https://sg.run/WAd5Z semgrep.dev: rule: r_id: 144297 rv_id: 920184 rule_id: bwUbpPx version_id: e1TZK31 url: https://semgrep.dev/playground/r/e1TZK31/gitlab.find_sec_bugs.SPRING_FILE_DISCLOSURE-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.SSL_CONTEXT-2 languages: - java patterns: - pattern-either: - pattern-inside: | import javax.net.ssl.*; ... - pattern-inside: | import javax.net.ssl.SSLContext; ... - pattern-either: - pattern-inside: | SSLContext.getInstance("$UNSAFE_VERSION"); - pattern-inside: | SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(new String[]{...,"$UNSAFE_VERSION",...}); - pattern-not-inside: | $C = SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(new String[]{...,"TLSv1.2",...}); - pattern-not-inside: | $C = SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(new String[]{...,"TLSv1.3",...}); - pattern-not-inside: | $C = SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(new String[]{...,"DTLSv1.2",...}); - pattern-not-inside: | $C = SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(new String[]{...,"DTLSv1.3",...}); - metavariable-regex: metavariable: $UNSAFE_VERSION regex: ^(TLS|(D)?TLSv1.(0|1))$ message: | The application was found enabling insecure TLS protocol versions. When enabling protocol versions for an `SSLContext`, only the following versions should be allowed: - TLSv1.2 - TLSv1.3 - DTLSv1.2 - DTLSv1.3 To mitigate potential security risks, it is strongly advised to enforce TLS 1.2 as the minimum protocol version and disallow older versions such as TLS 1.0. Do note that newer versions of Java do not even support TLS 1.0 and will throw `NoSuchAlgorithmException`. Versions of TLS prior to 1.2 could expose the connection to downgrade attacks, where an adversary intercepts the connection and alters the requested protocol version to be a less secure one. In many scenarios, relying on the default system configuration does not meet compliance standards. This is due to the application being deployed across diverse systems with varying configurations and Java versions. While the default value may be secure on modern and up-to-date systems, it may not hold true for older systems. Consequently, it is highly recommended to explicitly define a secure configuration in all cases. Example configuring an SSLContext with TLSv1.2: ``` // Create an SSLContext with TLSv1.2 explicitly SSLContext tlsContext = SSLContext.getInstance("TLSv1.2"); // or TLSv1.3, DTLSv1.2, DTLSv1.3 // Alternatively, set the enabled protocols SSLContext serverSslContext = SSLContext.getInstance("TLS"); SSLEngine serverEngine = serverSslContext.createSSLEngine(); // Calling setEnabledProtocols will override the original context's configured protocol version serverEngine.setEnabledProtocols(new String[]{ "TLSv1.2" }); ``` For more information on `SSLContext` see: - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/net/ssl/SSLContext.html For more information on MiTM attacks see: - https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: find_sec_bugs.SSL_CONTEXT-2 secondary_identifiers: - name: Find Security Bugs-SSL_CONTEXT type: find_sec_bugs_type value: SSL_CONTEXT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SSL_CONTEXT-2 shortlink: https://sg.run/0JlB semgrep.dev: rule: r_id: 67598 rv_id: 920175 rule_id: x8UeYj version_id: 9lTA75o url: https://semgrep.dev/playground/r/9lTA75o/gitlab.find_sec_bugs.SSL_CONTEXT-2 origin: community severity: WARNING - id: gitlab.find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 languages: - java message: | The application may allow control over a template string. Providing user input directly in the template by dynamically creating template strings may allow an adversary to execute arbitrary Java code, including OS system commands. For Velocity, never call `evaluate` with user-supplied input in the template string. Use a `VelocityContext` object instead to data-bind user-supplied information as it will be treated as an underlying data type and not template code. Example using Apache Velocity's `VelocityContext` and escape tools to pass in user-supplied data to a template: ``` // Create a tool manager ToolManager manager = new ToolManager(true); // Create a context from the tool manager Context context = manager.createContext(); // For demonstration purposes, alternatively configure from a properties file context.put("esc", new EscapeTool()); // For demonstration purposes, create an output buffer StringWriter stringWriter = new StringWriter(); // Get userInput String userInput = "potentially malicious data"; // Use the context to pass in the userInput value context.put("userInput", userInput); // Pass in the context, the output buffer, a logtag (demo), and the template with userInput // making sure to escape it if in the context of HTML. Velocity.evaluate(context, stringWriter, "demo", "Hello $esc.html($userInput)"); // Work with the output buffer // ... ``` For other templating engines, please see your framework's documentation. pattern-either: - patterns: - pattern: org.apache.velocity.app.Velocity.evaluate(..., $VAR) - pattern-not: org.apache.velocity.app.Velocity.evaluate(..., "...") - patterns: - pattern-not-inside: | $C = (freemarker.template.Configuration $CFG).getTemplate("..."); ... - pattern-inside: | $C = (freemarker.template.Configuration $CFG).getTemplate($IN); ... - pattern: $C.process(...) - patterns: - pattern-inside: | import com.mitchellbosecke.pebble.PebbleEngine; ... - pattern-inside: | $C = $T.getTemplate($IN); ... - pattern-not-inside: | $C = $T.getTemplate("..."); ... - pattern: $C.evaluate(...) metadata: shortDescription: Improper control of generation of code ('Code Injection') category: security cwe: CWE-94 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High primary_identifier: find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 secondary_identifiers: - name: Find Security Bugs-TEMPLATE_INJECTION_PEBBLE type: find_sec_bugs_type value: TEMPLATE_INJECTION_PEBBLE - name: Find Security Bugs-TEMPLATE_INJECTION_FREEMARKER type: find_sec_bugs_type value: TEMPLATE_INJECTION_FREEMARKER - name: Find Security Bugs-TEMPLATE_INJECTION_VELOCITY type: find_sec_bugs_type value: TEMPLATE_INJECTION_VELOCITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 shortlink: https://sg.run/vpK4 semgrep.dev: rule: r_id: 21233 rv_id: 920204 rule_id: yyUDL9 version_id: DkT2yYA url: https://semgrep.dev/playground/r/DkT2yYA/gitlab.find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1 languages: - java message: | Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions. Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server-side map where keys are used to return URLs such as `https://site/goto?key=1` where `{key: 1, url: 'http://some.url/', key: 2, url: 'http://...'}`. If you must use user-supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 addresses or other network address ranges, you can limit the severity of a successful SSRF attack. Care must also be taken to block certain protocol or address formatting such as IPv6. If you cannot block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses. Example using a map to look up a key to be used in a HTTP request: ``` HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "https://example.com/"); lookupTable.put("key2", "https://safeurl.com/"); String userInput = request.getParameter("key"); // Create a CloseableHttpClient, ideally any requests issued should be done // out-of-band from the servlet request itself (such as using a separate thread/scheduler system) try (final CloseableHttpClient httpClient = HttpClients.createDefault()) { // Lookup the value from our user input from our lookupTable String value = lookupTable.getOrDefault(userInput, "https://example.com/"); // Construct the url, with the hardcoded url and only pass in the value from the lookupTable, // not direct user input final HttpGet httpget = new HttpGet(value); // Execute the request CloseableHttpResponse clientResponse = httpClient.execute(httpget); // Read the response byte[] responseData = clientResponse.getEntity().getContent().readAllBytes(); // Handle the response // ... } ``` If using a map is not possible, the user-supplied input must be encoded prior to use, and never allow full URLs: ``` // Get user input String userInput = request.getParameter("key"); // Encode the string using java.net.URLEncoder with the UTF-8 character set String encodedString = java.net.URLEncoder.encode(userInput, StandardCharsets.UTF_8); // Create a CloseableHttpClient, ideally any requests issued should be done // out-of-band from the servlet request itself (such as using a separate thread/scheduler system) try (final CloseableHttpClient httpClient = HttpClients.createDefault()) { // Construct the url, with the hardcoded url and only pass in the encoded value, never a full URL final HttpGet httpget = new HttpGet("https://example.com/getId?key="+encodedString); // Execute the request CloseableHttpResponse clientResponse = httpClient.execute(httpget); // Read the response byte[] responseData = clientResponse.getEntity().getContent().readAllBytes(); // handle the response } ``` For more information on SSRF see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html pattern-either: - patterns: - pattern-either: - pattern-inside: | import java.net.*; ... - pattern-inside: | import java.net.URL; ... - pattern-inside: | import java.net.URI; ... - pattern: new $TYPE(...). ... .$FUNC - pattern-not: new $TYPE("..."). ... .$FUNC - metavariable-pattern: metavariable: $FUNC pattern-either: - pattern: connect - pattern: GetContent - pattern: openConnection - pattern: openStream - pattern: getContent - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: URL - pattern: java.net.URL - pattern: URI - pattern: java.net.URI - patterns: - pattern-either: - pattern-inside: | import java.net.*; ... - pattern-inside: | import java.net.InetSocketAddress; ... - pattern: | new InetSocketAddress(..., $PORT) - pattern-not: | new InetSocketAddress("...", $PORT) metadata: shortDescription: Server-Side Request Forgery (SSRF) category: security cwe: CWE-918 owasp: - A1:2017-Injection - A10:2021-Server-Side Request Forgery security-severity: Medium primary_identifier: find_sec_bugs.URLCONNECTION_SSRF_FD-1 secondary_identifiers: - name: Find Security Bugs-URLCONNECTION_SSRF_FD type: find_sec_bugs_type value: URLCONNECTION_SSRF_FD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1 shortlink: https://sg.run/Njl7 semgrep.dev: rule: r_id: 21227 rv_id: 920199 rule_id: pKUblx version_id: 5PTNGeR url: https://semgrep.dev/playground/r/5PTNGeR/gitlab.find_sec_bugs.URLCONNECTION_SSRF_FD-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER languages: - java message: "The `HostnameVerifier` has been set to always return `true`. This effectively \ndisables the validation of server or client certificates. This could allow an \nadversary who is in between the application and the target host to launch a Man \nin the middle attack (MITM) i.e intercept potentially sensitive information or \ninject malicious content into the communication stream.\n\nTo mitigate this vulnerability and enhance the security of your application, it is \nstrongly advised to adhere to the default HostnameVerifier settings. This ensures \nthat the validation mechanism remains intact, providing a crucial layer of security \nagainst unauthorized interception and data manipulation.\n\nImplementing the default HostnameVerifier can be achieved with the following code \nsnippet:\n```\n// Use the default HostnameVerifier\nHttpsURLConnection connection = (HttpsURLConnection) url.openConnection();\nconnection.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());\n```\nFor more information on TLS security, refer the following OWASP documentation:\nhttps://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\n" metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: find_sec_bugs.WEAK_HOSTNAME_VERIFIER secondary_identifiers: - name: Find Security Bugs-WEAK_HOSTNAME_VERIFIER type: find_sec_bugs_type value: WEAK_HOSTNAME_VERIFIER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER shortlink: https://sg.run/Ab6G0 semgrep.dev: rule: r_id: 144294 rv_id: 920176 rule_id: 9AUdr86 version_id: yeTDgZn url: https://semgrep.dev/playground/r/yeTDgZn/gitlab.find_sec_bugs.WEAK_HOSTNAME_VERIFIER origin: community patterns: - pattern-inside: | class $V implements HostnameVerifier { ... } - pattern-either: - pattern: | boolean verify(...) { ... return true; ... } - pattern-not: patterns: - pattern: | boolean verify(...) { ... return $VAR; ... } - metavariable-regex: metavariable: $VAR regex: ^((?!true).)*$ - pattern-not: | boolean verify(...) { $VAR = true; ... return $VAR; ... } severity: WARNING - id: gitlab.find_sec_bugs.WEAK_TRUST_MANAGER languages: - java message: "The `X509TrustManager` has been configured to return null. This effectively disables the\nvalidation of server or client certificates. This could allow an adversary who is in \nbetween the application and the target host to launch a Man in the middle attack (MITM) i.e \nintercept potentially sensitive information or inject malicious content into the \ncommunication stream.\n\nConsider using the \ndefault `TrustManager` instead of implementing a custom one. If you must override\nthe default verification process, implement proper TrustManager verification for\n`checkServerTrusted` and `checkClientTrusted` by throwing `CertificateException` if \nthe certificate is invalid.\n\nFor most applications, using the default TrustManager provided by the Java runtime is \nsufficient and recommended. Following is an example using the built in `TrustManagerFactory` \nto manage validating certificate chains:\n```\n// Use the default TrustManagerFactory\nTrustManagerFactory trustManagerFactory =\nTrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n// Use default system KeyStore, alternatively pass in your own keystore.\ntrustManagerFactory.init((KeyStore) null);\n// Create SSLContext for TLS connections\nSSLContext tlsContext = SSLContext.getInstance(\"TLS\");\n// Initialize the tlsContext with our trust manager and a SecureRandom number generator.\ntlsContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());\n```\nFor more information on TLS security, refer the following OWASP documentation:\nhttps://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\n" metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: find_sec_bugs.WEAK_TRUST_MANAGER secondary_identifiers: - name: Find Security Bugs-WEAK_TRUST_MANAGER type: find_sec_bugs_type value: WEAK_TRUST_MANAGER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WEAK_TRUST_MANAGER shortlink: https://sg.run/BYoR7 semgrep.dev: rule: r_id: 144295 rv_id: 920178 rule_id: yyURlY5 version_id: bZTLo9N url: https://semgrep.dev/playground/r/bZTLo9N/gitlab.find_sec_bugs.WEAK_TRUST_MANAGER origin: community patterns: - pattern-inside: | class $V implements X509TrustManager { ... } - pattern-either: - pattern: public void checkClientTrusted(...) {} - pattern: public void checkServerTrusted(...) {} - patterns: - pattern-either: - pattern: | X509Certificate[] getAcceptedIssuers() { ... return null; ... } - pattern-not: patterns: - pattern: | X509Certificate[] getAcceptedIssuers() { ... return $VAR; ... } - metavariable-regex: metavariable: $VAR regex: ^((?!null).)*$ - pattern-not: | X509Certificate[] getAcceptedIssuers() { $VAR = null; ... return $VAR; ... } severity: WARNING - id: gitlab.find_sec_bugs.WICKET_XSS1-1 languages: - java patterns: - pattern-inside: | import org.apache.wicket.$A; ... - pattern: | $OBJ.setEscapeModelStrings(false); message: | The application is disabling Wicket's string escaping functionality by calling `setEscapeModelStrings(false)`. This could lead to Cross Site Scripting (XSS) if used with user-supplied input. XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as JavaScript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. Use Wicket's built in escaping feature by calling `Component.setEscapeModelStrings(true);` For more information on Wicket components see: - https://nightlies.apache.org/wicket/apidocs/9.x/org/apache/wicket/Component.html For more information on XSS see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Medium primary_identifier: find_sec_bugs.WICKET_XSS1-1 secondary_identifiers: - name: Find Security Bugs-WICKET_XSS1 type: find_sec_bugs_type value: WICKET_XSS1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.WICKET_XSS1-1 shortlink: https://sg.run/QJoP semgrep.dev: rule: r_id: 21242 rv_id: 920209 rule_id: v8Uvkz version_id: l4TXD60 url: https://semgrep.dev/playground/r/l4TXD60/gitlab.find_sec_bugs.WICKET_XSS1-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.XML_DECODER-1 languages: - java message: | Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to: - Inject code that is executed upon object construction, which occurs during the deserialization process. - Exploit mass assignment by including fields that are not normally a part of the serialized data but are read in during deserialization. Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. Additionally, when deserializing, never deserialize to base object types like `Object` and only cast to the exact object type that is expected. To protect against mass assignment, only allow deserialization of the specific fields that are required. If this is not easily done, consider creating an intermediary type that can be serialized with only the necessary fields exposed. Do note that `XMLEncoder` and `XMLDecoder` are not recommended. If the application must use this serialization method, use a custom ClassLoader to prevent loading of arbitrary classes: ``` XMLDecoder decoder = new XMLDecoder(inputStream, null, null, new ClassLoader() { @Override protected Class loadClass(String name, boolean resolve) throws ClassNotFoundException { if (!name.equals(NameOfBeanHere.class.getName()) && !name.equals(XMLDecoder.class.getName())) { throw new RuntimeException("Unauthorized deserialization attempt: " + name); } return super.loadClass(name, resolve); } }); ``` For more information on XML security see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java For more details on deserialization attacks in general, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html It should be noted that [tools exist](https://github.com/frohoff/ysoserial) to automatically create exploit code for these vulnerabilities. metadata: shortDescription: Deserialization of untrusted data category: security cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures security-severity: High primary_identifier: find_sec_bugs.XML_DECODER-1 secondary_identifiers: - name: Find Security Bugs-XML_DECODER type: find_sec_bugs_type value: XML_DECODER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XML_DECODER-1 shortlink: https://sg.run/7QeR semgrep.dev: rule: r_id: 21238 rv_id: 920207 rule_id: wdUk2X version_id: K3TwLGL url: https://semgrep.dev/playground/r/K3TwLGL/gitlab.find_sec_bugs.XML_DECODER-1 origin: community patterns: - pattern: | (java.beans.XMLDecoder $D).readObject(); - pattern-not: pattern-either: - patterns: - pattern-inside: | java.beans.XMLDecoder $DEC = new java.beans.XMLDecoder(..., $CL); ... - pattern: $DEC.readObject(); - metavariable-pattern: metavariable: $CL patterns: - pattern: | new ClassLoader(){ ... $RET loadClass(String name, boolean resolve){ if($X){ throw ... } ... } ... } - metavariable-pattern: metavariable: $X pattern-either: - pattern: | !name.equals(...) - pattern: | !$LIST.contains(name) - patterns: - pattern-inside: | ClassLoader $CLASS_LOADER = $CL; ... java.beans.XMLDecoder $DEC = new java.beans.XMLDecoder(..., $CLASS_LOADER); ... - pattern: $DEC.readObject(); - metavariable-pattern: metavariable: $CL patterns: - pattern: | new ClassLoader(){ ... $RET loadClass(String name, boolean resolve){ if($X){ throw ... } ... } ... } - metavariable-pattern: metavariable: $X pattern-either: - pattern: | !name.equals(...) - pattern: | !$LIST.contains(name) severity: WARNING - id: gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 languages: - java mode: taint pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $R).$METHOD(...) - pattern: (java.util.Scanner $S).$METHOD(...) - pattern: (java.util.stream.Stream).$METHOD(...) - pattern: (java.util.StringJoiner $SJ).toString(...) - pattern: (java.sql.ResultSet.getString $R).$METHOD(...) - pattern: (java.lang.System $S).getProperty(...) - pattern: (java.lang.System $S).getenv(...) - pattern: (java.lang.StringBuilder $SB).toString(...) - pattern: (java.io.FileInputStream $F).read(...) - pattern: (java.io.FileReader $F).read(...) - pattern: (java.net.Socket $S).getInputStream(...) - pattern: (java.net.Socket $S).getOutputStream(...) - pattern: (java.net.DatagramSocket $S).receive(...) - pattern: (java.net.DatagramSocket $S).getInputStream(...) - pattern: java.nio.file.Files.readAllBytes(...) - pattern: java.nio.file.Files.readAllLines(...) - pattern: java.nio.file.Files.lines(...) - pattern: java.nio.file.Files.newBufferedReader(...) - pattern: org.apache.commons.io.IOUtils.toString(...) - pattern: org.apache.commons.io.IOUtils.readLines(...) - pattern: org.apache.commons.io.IOUtils.toByteArray(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).readValue(...) - pattern: (com.fasterxml.jackson.databind.ObjectMapper $OM).treeToValue(...) - pattern: $CLASS.$METHOD(..., (javax.servlet.http.HttpServletRequest $R), ...) - pattern: $FUNC(..., (javax.servlet.http.HttpServletRequest $R), ...) - patterns: - pattern-inside: $FUNC(..., String $X, ...) { ... } - focus-metavariable: $X pattern-propagators: - pattern: $LIST.add($X) from: $X to: $LIST - pattern: $MAP.put(..., $X) from: $X to: $MAP - pattern: $STR.concat($X) from: $X to: $STR - pattern: $STR = String.format(..., $X, ...) from: $X to: $STR - pattern: $STR = String.join(..., $X, ...) from: $X to: $STR pattern-sanitizers: - pattern: org.owasp.encoder.Encode.forHtml(...) - pattern: org.owasp.esapi.ESAPI.encoder().encodeForHTML(...) - pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml3(...) - pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml4(...) - pattern: org.owasp.benchmark.helpers.Utils.encodeForHTML(...) pattern-sinks: - pattern: (javax.servlet.http.HttpServletResponse $R).getWriter().print(...) - patterns: - pattern-inside: | $W = (javax.servlet.http.HttpServletResponse $R).getWriter(); ... - pattern: $W.print(...); - pattern: (javax.servlet.http.HttpServletResponse $R).getWriter().println(...) - patterns: - pattern-inside: | $W = (javax.servlet.http.HttpServletResponse $R).getWriter(); ... - pattern: $W.println(...); - pattern: (javax.servlet.http.HttpServletResponse $R).getWriter().format(...) - patterns: - pattern-inside: | $W = (javax.servlet.http.HttpServletResponse $R).getWriter(); ... - pattern: $W.format(...); - pattern: (javax.servlet.http.HttpServletResponse $R).getWriter().append(...) - patterns: - pattern-inside: | $W = (javax.servlet.http.HttpServletResponse $R).getWriter(); ... - pattern: $W.append(...); - pattern: (javax.servlet.http.HttpServletResponse $R).getWriter().write(...) - patterns: - pattern-inside: | $W = (javax.servlet.http.HttpServletResponse $R).getWriter(); ... - pattern: $W.write(...); message: | The application is returning user-supplied data from an HTTP request directly into an HTTP response output writer. This could lead to Cross Site Scripting (XSS) if the input were malicious script code and the application server is not properly validating the output. XSS is an attack which exploits a web application or system to treat user input as markup or script code. It is important to encode the data depending on the specific context it is used in. There are at least six context types: - Inside HTML tags `
context 1
` - Inside attributes: `
` - Inside event attributes `` - Inside script blocks: `` - Unsafe element HTML assignment: `element.innerHTML = "context 5"` - Inside URLs: `link` Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if user input is ever output inside of script tags. User input that is displayed within the application must be encoded, sanitized or validated to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be taken to not mix server-side templating with client-side templating, as the server-side templating will not encode things like {{ 7*7 }} which may execute client-side templating features. It is _NOT_ advised to encode user input prior to inserting into a data store. The data will need to be encoded depending on context of where it is output. It is much safer to force the displaying system to handle the encoding and not attempt to guess how it should be encoded. If possible do not use user input directly in the output to the response writer. If the application must output user-supplied input, it will need to encode the data depending on the output context. Consider using [Apache Commons Text](https://commons.apache.org/proper/commons-text/) `StringEscapeUtils` methods for various context. Please note there is no way to safely output script code in most circumstances, regardless of encoding. If calling the HTTP response writer directly, ensure that the `Content-Type` is set to `text/plain` so it will not be accidentally interpreted by HTML by modern browsers. ``` // Get user input String htmlInput = request.getParameter("userInput"); // Encode the input using the Html4 encoder String htmlEncoded = StringEscapeUtils.escapeHtml4(htmlInput); // Force the HTTP response to be content type of text/plain so it is not interpreted as HTML response.setContentType("text/plain"); // Ensure UTF-8 response.setCharacterEncoding("UTF-8"); // Write response response.getWriter().write(htmlEncoded); ``` For more information on XSS see OWASP: - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html severity: WARNING metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 owasp: - A1:2017-Injection - A03:2021-Injection technology: - java security-severity: Medium primary_identifier: find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER type: find_sec_bugs_type value: XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 shortlink: https://sg.run/3Qkb semgrep.dev: rule: r_id: 21243 rv_id: 920210 rule_id: d8U6Rg version_id: YDTYbny url: https://semgrep.dev/playground/r/YDTYbny/gitlab.find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 origin: community - id: gitlab.find_sec_bugs.XXE_XMLREADER-1 languages: - java message: | External XML entities are a feature of XML parsers that allow documents to contain references to other documents or data. This feature can be abused to read files, communicate with external hosts, exfiltrate data, or cause a Denial of Service (DoS). The XMLReaderFactory has been deprecated. It is recommended that [SAXParserFactory](https://docs.oracle.com/javase/9/docs/api/javax/xml/parsers/SAXParserFactory.html) be used instead. Additionally when using the SAXParser it must be configured to disallow doctypes, which will protect against the majority of XXE attacks. Example creating a SAXParser with disallowing the doctypes feature enabled: ``` // Create a SAXParserFactory SAXParserFactory saxParserFactory = SAXParserFactory.newInstance(); // Enable the feature which disallows , ...) - pattern-either: - pattern: | $CON.query(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $CON.query(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $CON.query(<... $SQL ...>, ...) - pattern: | $CON.query(`...${...}...`, ...) - pattern: | $CON.query("..."+...+"...", ...) - pattern: | $SQL = <... $INP ...>; ... $CON.query(<... $SQL ...>, ...) message: | Untrusted input concatinated with raw SQL query can result in SQL Injection. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-89 shortDescription: Improper neutralization of special elements used in an SQL command (SQL Injection) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-database-rule-node_sqli_injection secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-node_sqli_injection type: njsscan_rule_type value: Untrusted input concatinated with raw SQL query can result in SQL Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-node_sqli_injection shortlink: https://sg.run/gx30y semgrep.dev: rule: r_id: 144385 rv_id: 920476 rule_id: lBU4kwe version_id: jQTwjNE url: https://semgrep.dev/playground/r/jQTwjNE/gitlab.nodejs_scan.javascript-database-rule-node_sqli_injection origin: community - id: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled patterns: - pattern-either: - pattern: | resource "aws_elasticsearch_domain" $ANYTHING { ... node_to_node_encryption { ... enabled = false ... } ... } - pattern: | resource "aws_elasticsearch_domain" $ANYTHING { ... cluster_config { ... instance_count = $COUNT ... } } - pattern-not-inside: | resource "aws_elasticsearch_domain" $ANYTHING { ... cluster_config { ... instance_count = $COUNT ... } node_to_node_encryption { ... enabled = true ... } } - metavariable-comparison: metavariable: $COUNT comparison: $COUNT > 1 message: "Ensure all Elasticsearch has node-to-node encryption enabled.\t" metadata: category: security technology: - terraform - aws owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures cwe: - 'CWE-326: Inadequate Encryption Strength' references: - https://owasp.org/Top10/A02_2021-Cryptographic_Failures subcategory: - vuln likelihood: LOW impact: MEDIUM confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled shortlink: https://sg.run/lp3y semgrep.dev: rule: r_id: 17357 rv_id: 1263719 rule_id: 3qU6J7 version_id: WrTqK0v url: https://semgrep.dev/playground/r/WrTqK0v/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled origin: community languages: - hcl severity: WARNING - id: generic.secrets.gitleaks.hashicorp-tf-api-token.hashicorp-tf-api-token message: A gitleaks hashicorp-tf-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.hashicorp-tf-api-token.hashicorp-tf-api-token shortlink: https://sg.run/nQd2 semgrep.dev: rule: r_id: 44736 rv_id: 1262757 rule_id: BYU4N6 version_id: l4TJRx4 url: https://semgrep.dev/playground/r/l4TJRx4/generic.secrets.gitleaks.hashicorp-tf-api-token.hashicorp-tf-api-token origin: community patterns: - pattern-regex: (?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70} - id: solidity.security.accessible-selfdestruct.accessible-selfdestruct severity: ERROR languages: - solidity message: Contract can be destructed by anyone in $FUNC metadata: category: security technology: - solidity cwe: 'CWE-284: Improper Access Control' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://www.parity.io/blog/a-postmortem-on-the-parity-multi-sig-library-self-destruct/ license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/solidity.security.accessible-selfdestruct.accessible-selfdestruct shortlink: https://sg.run/7WrQ semgrep.dev: rule: r_id: 67638 rv_id: 946599 rule_id: bwUeGL version_id: w8TKJ3P url: https://semgrep.dev/playground/r/w8TKJ3P/solidity.security.accessible-selfdestruct.accessible-selfdestruct origin: community mode: taint pattern-sources: - patterns: - focus-metavariable: - $ADDR - pattern-either: - pattern: function $FUNC(..., address $ADDR, ...) external { ... } - pattern: function $FUNC(..., address $ADDR, ...) public { ... } - pattern-not: function $FUNC(...) $MODIFIER { ... } - pattern-not: function $FUNC(...) $MODIFIER(...) { ... } - pattern-not: | function $FUNC(...) { ... require(<... msg.sender ...>, ...); ... } - pattern-not: | function $FUNC(...) { ... assert(<... msg.sender ...>, ...); ... } - pattern-not: | function $FUNC(...) { ... require(<... _msgSender ...>, ...); ... } - pattern-not: | function $FUNC(...) { ... assert(<... _msgSender ...>, ...); ... } - pattern-not: | function $FUNC(...) { ... if (<... msg.sender ...>) { ... } ... } - pattern-not: | function $FUNC(...) { ... if (<... _msgSender ...>) { ... } ... } - pattern-not: | function $FUNC(...) { ... onlyOwner(...); ... } - pattern-not: | function $FUNC(...) { ... requireOwner(...); ... } - pattern-not: | function $FUNC(...) { ... _requireOwnership(...); ... } - pattern-not: | function $FUNC(...) { ... $C._enforceIsContractOwner(...); ... } - pattern-not: | function $FUNC(...) { ... $C._enforceOwner(...); ... } - pattern-not: | function $FUNC(...) { ... $C.enforceIsContractOwner(...); ... } pattern-sinks: - pattern-either: - pattern: selfdestruct(...); - pattern: suicide(...); - id: generic.secrets.gitleaks.grafana-service-account-token.grafana-service-account-token message: A gitleaks grafana-service-account-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.grafana-service-account-token.grafana-service-account-token shortlink: https://sg.run/ZAvo semgrep.dev: rule: r_id: 44735 rv_id: 1262755 rule_id: AbUvzB version_id: K3TKkwN url: https://semgrep.dev/playground/r/K3TKkwN/generic.secrets.gitleaks.grafana-service-account-token.grafana-service-account-token origin: community patterns: - pattern-regex: (?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: solidity.security.arbitrary-low-level-call.arbitrary-low-level-call message: An attacker may perform call() to an arbitrary address with controlled calldata metadata: category: security technology: - solidity cwe: 'CWE-20: Improper Input Validation' confidence: LOW likelihood: HIGH impact: HIGH subcategory: - vuln references: - https://twitter.com/CertiKAlert/status/1512198846343954445 - https://twitter.com/SlowMist_Team/status/1508787862791069700 - https://twitter.com/Beosin_com/status/1509099103401127942 - https://blocksecteam.medium.com/li-fi-attack-a-cross-chain-bridge-vulnerability-no-its-due-to-unchecked-external-call-c31e7dadf60f - https://etherscan.io/address/0xe7597f774fd0a15a617894dc39d45a28b97afa4f - https://etherscan.io/address/0x73a499e043b03fc047189ab1ba72eb595ff1fc8e license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/solidity.security.arbitrary-low-level-call.arbitrary-low-level-call shortlink: https://sg.run/LxRY semgrep.dev: rule: r_id: 67639 rv_id: 946600 rule_id: NbU21q version_id: xyTqn4E url: https://semgrep.dev/playground/r/xyTqn4E/solidity.security.arbitrary-low-level-call.arbitrary-low-level-call origin: community patterns: - pattern-either: - pattern-inside: | function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) external { ... } - pattern-inside: | function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) public { ... } - pattern-either: - pattern: $ADDR.call($DATA); - pattern: $ADDR.call{$VALUE:...}($DATA); - pattern: $ADDR.call{$VALUE:..., $GAS:...}($DATA); languages: - solidity severity: ERROR - id: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled severity: ERROR metadata: cwe: - 'CWE-611: Improper Restriction of XML External Entity Reference' owasp: - A04:2017 - XML External Entities (XXE) - A05:2021 - Security Misconfiguration - A02:2025 - Security Misconfiguration asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.2 Insecue XML Deserialization control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention version: '4' references: - https://semgrep.dev/blog/2022/xml-security-in-java - https://semgrep.dev/docs/cheat-sheets/java-xxe/ - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf category: security technology: - java cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - XML Injection source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled shortlink: https://sg.run/2x75 semgrep.dev: rule: r_id: 9163 rv_id: 1263068 rule_id: x8Unkq version_id: jQTn5Jv url: https://semgrep.dev/playground/r/jQTn5Jv/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled origin: community message: XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false. patterns: - pattern-either: - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true); - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true); - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true); - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.TRUE); - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.TRUE); - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE); languages: - java - id: javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag message: Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough - https://github.com/ESAPI/owasp-esapi-js category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag shortlink: https://sg.run/PJXp semgrep.dev: rule: r_id: 9289 rv_id: 1263161 rule_id: KxUbL4 version_id: l4TJRNy url: https://semgrep.dev/playground/r/l4TJRNy/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag origin: community languages: - regex severity: WARNING paths: include: - '*.pug' pattern-either: - pattern-regex: script\s*=[A-Za-z0-9]+ - pattern-regex: script\s*=.*["']\s*\+.* - pattern-regex: script\s*=[^'"]+\+.* - pattern-regex: script$.*?$\s*=\s*[A-Za-z0-9]+ - pattern-regex: script$.*?$\s*=\s*.*["']\s*\+.* - pattern-regex: script$.*?$\s*=\s*[^'"]+\+.* - id: ruby.lang.security.file-disclosure.file-disclosure message: Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false. metadata: cwe: - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' references: - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb - https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ category: security technology: - ruby owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure shortlink: https://sg.run/qrR1 semgrep.dev: rule: r_id: 9712 rv_id: 1263603 rule_id: zdUyqE version_id: BjTkZq1 url: https://semgrep.dev/playground/r/BjTkZq1/ruby.lang.security.file-disclosure.file-disclosure origin: community languages: - ruby severity: ERROR pattern: config.serve_static_assets = true fix-regex: regex: =(\s)*true replacement: = false - id: csharp.lang.correctness.double.double-epsilon-equality.correctness-double-epsilon-equality patterns: - pattern: | $V1 - $V2 - pattern-either: - pattern-inside: | ... <= Double.Epsilon - pattern-inside: | Double.Epsilon <= ... - pattern-not-inside: | double $V1 = 0; ... - pattern-not-inside: | double $V2 = 0; ... - pattern-not-inside: | $V1 = 0; ... - pattern-not-inside: | $V2 = 0; ... message: Double.Epsilon is defined by .NET as the smallest value that can be added to or subtracted from a zero-value Double. It is unsuitable for equality comparisons of non-zero Double values. Furthermore, the value of Double.Epsilon is framework and processor architecture dependent. Wherever possible, developers should prefer the framework Equals() method over custom equality implementations. languages: - csharp severity: WARNING metadata: references: - https://docs.microsoft.com/en-us/dotnet/api/system.double?view=net-6.0#testing-for-equality - https://docs.microsoft.com/en-us/dotnet/api/system.double.epsilon?view=net-6.0#platform-notes category: correctness technology: - .net confidence: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/csharp.lang.correctness.double.double-epsilon-equality.correctness-double-epsilon-equality shortlink: https://sg.run/p9dZ semgrep.dev: rule: r_id: 18218 rv_id: 945201 rule_id: L1UEB7 version_id: PkTQZxy url: https://semgrep.dev/playground/r/PkTQZxy/csharp.lang.correctness.double.double-epsilon-equality.correctness-double-epsilon-equality origin: community - id: csharp.dotnet.security.razor-template-injection.razor-template-injection message: User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process. severity: WARNING metadata: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM category: security cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' cwe2022-top25: true owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/ subcategory: - vuln technology: - .net - razor - asp license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection shortlink: https://sg.run/oyj0 semgrep.dev: rule: r_id: 18216 rv_id: 1262621 rule_id: EwUr68 version_id: 1QTypdj url: https://semgrep.dev/playground/r/1QTypdj/csharp.dotnet.security.razor-template-injection.razor-template-injection origin: community languages: - csharp mode: taint pattern-sources: - patterns: - focus-metavariable: $ARG - pattern-inside: | public ActionResult $METHOD(..., string $ARG,...){...} pattern-sinks: - pattern: | Razor.Parse(...) pattern-sanitizers: - not_conflicting: true pattern: $F(...) - id: javascript.express.security.audit.xss.pug.var-in-href.var-in-href message: 'Detected a template variable used in an anchor tag with the ''href'' attribute. This allows a malicious actor to input the ''javascript:'' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: a(href=''/''+url). You may also consider setting the Content Security Policy (CSP) header.' metadata: cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://github.com/pugjs/pug/issues/2952 - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI category: security technology: - express cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.express.security.audit.xss.pug.var-in-href.var-in-href shortlink: https://sg.run/4xNx semgrep.dev: rule: r_id: 9288 rv_id: 1263160 rule_id: 0oU535 version_id: qkTR7KW url: https://semgrep.dev/playground/r/qkTR7KW/javascript.express.security.audit.xss.pug.var-in-href.var-in-href origin: community languages: - regex severity: WARNING paths: include: - '*.pug' pattern-regex: a$.*href=[^'"].*$ - id: ruby.lang.security.no-send.bad-send message: Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this. metadata: cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' references: - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb - https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html category: security technology: - ruby owasp: - A03:2021 - Injection - A05:2025 - Injection cwe2022-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/ruby.lang.security.no-send.bad-send shortlink: https://sg.run/Nrbx semgrep.dev: rule: r_id: 9727 rv_id: 1263616 rule_id: eqUv0L version_id: BjTkZqj url: https://semgrep.dev/playground/r/BjTkZqj/ruby.lang.security.no-send.bad-send origin: community languages: - ruby severity: ERROR pattern-either: - pattern: | $PARAM = params[...] ... $RES = $MOD.send($PARAM.$FUNC) - pattern: | $PARAM = params[...] ... $RES = $MOD.try($PARAM.$FUNC) - pattern: | $PARAM = params[...] ... $RES = $MOD.__send__($PARAM.$FUNC) - pattern: |- $PARAM = params[...] ... $RES = $MOD.public_send($PARAM.$FUNC) - id: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled message: OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information. severity: WARNING metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-1323: Improper Management of Sensitive Trace Data' owasp: A05:2021 - Security Misconfiguration references: - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx subcategory: - audit technology: - .net license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled shortlink: https://sg.run/6bP1 semgrep.dev: rule: r_id: 18215 rv_id: 945193 rule_id: nJUyJq version_id: ExTg2rO url: https://semgrep.dev/playground/r/ExTg2rO/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled origin: community languages: - generic paths: include: - '*web.config*' patterns: - pattern: | - pattern-inside: | ... - id: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true message: Function `flask.url_for` with `_external=True` argument will generate URLs using the `Host` header of the HTTP request, which may lead to security risks such as Host header injection metadata: cwe: - 'CWE-673: External Influence of Sphere Definition' owasp: - A03:2021 - Injection - A05:2025 - Injection category: security technology: - flask references: - https://flask.palletsprojects.com/en/latest/api/#flask.url_for - https://portswigger.net/kb/issues/00500300_host-header-injection subcategory: - audit likelihood: MEDIUM impact: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true shortlink: https://sg.run/gEGeR semgrep.dev: rule: r_id: 191541 rv_id: 1263418 rule_id: JDU5oql version_id: K3TKk6n url: https://semgrep.dev/playground/r/K3TKk6n/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true origin: community languages: - python severity: WARNING patterns: - pattern-not: flask.url_for(..., _external=False, ...) - pattern-not: url_for(..., _external=False, ...) - pattern-either: - pattern: flask.url_for(..., _external=$VAR, ...) - pattern: url_for(..., _external=$VAR, ...) - id: yaml.kubernetes.security.run-as-non-root-security-context-pod-level.run-as-non-root-security-context-pod-level patterns: - pattern-inside: | spec: ... $SC: ... ... - metavariable-regex: metavariable: $SC regex: ^(securityContext)$ - pattern-not-inside: | spec: ... securityContext: ... runAsNonRoot: $VAL ... - pattern-inside: | $SPEC: ... containers: ... - pattern-not-inside: | $SPEC: ... containers: ... - name: $NAME image: ... ... securityContext: ... runAsNonRoot: $VALUE - focus-metavariable: $SC fix: | $SC: runAsNonRoot: true # message: When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container, with the parameter `runAsNonRoot` set to `true`. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a `securityContext` to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: - https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/ - https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user category: security cwe: - 'CWE-250: Execution with Unnecessary Privileges' owasp: - A05:2021 - Security Misconfiguration - A06:2017 - Security Misconfiguration - A02:2025 - Security Misconfiguration technology: - kubernetes subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/yaml.kubernetes.security.run-as-non-root-security-context-pod-level.run-as-non-root-security-context-pod-level shortlink: https://sg.run/n1j1 semgrep.dev: rule: r_id: 47280 rv_id: 1263938 rule_id: lBUq1q version_id: bZT53dv url: https://semgrep.dev/playground/r/bZT53dv/yaml.kubernetes.security.run-as-non-root-security-context-pod-level.run-as-non-root-security-context-pod-level origin: community languages: - yaml severity: INFO - id: generic.secrets.gitleaks.netlify-access-token.netlify-access-token message: A gitleaks netlify-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.netlify-access-token.netlify-access-token shortlink: https://sg.run/oQkR semgrep.dev: rule: r_id: 44760 rv_id: 1262789 rule_id: pKURGy version_id: PkTR3QP url: https://semgrep.dev/playground/r/PkTR3QP/generic.secrets.gitleaks.netlify-access-token.netlify-access-token origin: community patterns: - pattern-regex: (?i)(?:netlify)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40,46})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: yaml.semgrep.duplicate-id.duplicate-id message: The 'id' field $X was used multiple times. The 'id' field needs to be unique. severity: ERROR metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.duplicate-id.duplicate-id shortlink: https://sg.run/wxEN semgrep.dev: rule: r_id: 11073 rv_id: 1028279 rule_id: j2UqPW version_id: l4TvrdB url: https://semgrep.dev/playground/r/l4TvrdB/yaml.semgrep.duplicate-id.duplicate-id origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern-inside: | ... - id: $X ... ... - id: $X ... ... - pattern: | id: $X - id: yaml.semgrep.empty-message.empty-message message: This rule has an empty message field. Consider adding a message field that communicates why this rule is an issue and how to fix it. This will increase the chance that the finding gets addressed. severity: WARNING metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.empty-message.empty-message shortlink: https://sg.run/O1RR semgrep.dev: rule: r_id: 11075 rv_id: 1028281 rule_id: 9AUOpp version_id: JdTp3QN url: https://semgrep.dev/playground/r/JdTp3QN/yaml.semgrep.empty-message.empty-message origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern: | message: "" - id: yaml.semgrep.duplicate-pattern.duplicate-pattern message: Two identical pattern clauses were detected. This will cause Semgrep to run the same pattern twice. Remove one of the duplicate pattern clauses. severity: ERROR metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.duplicate-pattern.duplicate-pattern shortlink: https://sg.run/xYE0 semgrep.dev: rule: r_id: 11074 rv_id: 1028280 rule_id: 10UZG6 version_id: YDT26Qq url: https://semgrep.dev/playground/r/YDT26Qq/yaml.semgrep.duplicate-pattern.duplicate-pattern origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern-inside: | - pattern: $X ... - pattern: $X ... - pattern: | pattern: $X - id: yaml.semgrep.metadata-category.metadata-category message: This Semgrep rule is missing a valid 'category' field in the 'metadata'. 'category' must be one of 'security', 'correctness', 'best-practice', 'performance', 'maintainability', or 'portability'. severity: INFO metadata: category: best-practice technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-category.metadata-category shortlink: https://sg.run/N8wx semgrep.dev: rule: r_id: 11971 rv_id: 1028283 rule_id: 0oUJr7 version_id: GxT6xZx url: https://semgrep.dev/playground/r/GxT6xZx/yaml.semgrep.metadata-category.metadata-category origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern: 'id: $RULEID' - pattern-not-inside: | - ... metadata: ... category: $CATEGORY - id: yaml.semgrep.metadata-confidence.metadata-confidence message: This Semgrep rule is missing a valid 'confidence' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-confidence.metadata-confidence shortlink: https://sg.run/B0x2 semgrep.dev: rule: r_id: 39207 rv_id: 1028285 rule_id: X5UJLw version_id: A8T5rGW url: https://semgrep.dev/playground/r/A8T5rGW/yaml.semgrep.metadata-confidence.metadata-confidence origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern-not-inside: "metadata: \n ...\n confidence: $VALUE\n" - id: yaml.semgrep.metadata-cwe.metadata-cwe message: '$...CWE The cwe tag in rule metadata should always be in the format "CWE-000: Title".' severity: ERROR metadata: category: best-practice technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-cwe.metadata-cwe shortlink: https://sg.run/e4N0 semgrep.dev: rule: r_id: 11076 rv_id: 1028286 rule_id: yyUvoK version_id: BjTrD77 url: https://semgrep.dev/playground/r/BjTrD77/yaml.semgrep.metadata-cwe.metadata-cwe origin: community languages: - yaml patterns: - pattern-inside: 'rules: ...' - pattern-inside: 'metadata: ...' - pattern: 'cwe: ...' - pattern-not-regex: CWE-[\d]+:\s+\w - id: yaml.semgrep.metadata-impact-incorrect-value.metadata-impact-incorrect-value message: 'Semgrep rule impact: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/' severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-impact-incorrect-value.metadata-impact-incorrect-value shortlink: https://sg.run/DqXo semgrep.dev: rule: r_id: 39208 rv_id: 1028288 rule_id: j2U9zv version_id: WrTQlPN url: https://semgrep.dev/playground/r/WrTQlPN/yaml.semgrep.metadata-impact-incorrect-value.metadata-impact-incorrect-value origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern: | impact: $VALUE - pattern-not: | impact: LOW - pattern-not: | impact: MEDIUM - pattern-not: | impact: HIGH - id: yaml.semgrep.metadata-likelihood-incorrect-value.metadata-likelihood-incorrect-value message: 'Semgrep rule likelihood: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/' severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-likelihood-incorrect-value.metadata-likelihood-incorrect-value shortlink: https://sg.run/01P5 semgrep.dev: rule: r_id: 39210 rv_id: 1028292 rule_id: 9AUnyk version_id: l4Tvrzv url: https://semgrep.dev/playground/r/l4Tvrzv/yaml.semgrep.metadata-likelihood-incorrect-value.metadata-likelihood-incorrect-value origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern: | likelihood: $VALUE - pattern-not: | likelihood: LOW - pattern-not: | likelihood: MEDIUM - pattern-not: | likelihood: HIGH - id: yaml.semgrep.metadata-owasp.metadata-owasp message: The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year. severity: ERROR metadata: category: best-practice technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-owasp.metadata-owasp shortlink: https://sg.run/v0En semgrep.dev: rule: r_id: 11077 rv_id: 1028294 rule_id: r6UkW7 version_id: 6xTJ562 url: https://semgrep.dev/playground/r/6xTJ562/yaml.semgrep.metadata-owasp.metadata-owasp origin: community languages: - json - yaml patterns: - pattern-inside: 'rules: ...' - pattern-inside: 'metadata: ...' - pattern-either: - patterns: - pattern: 'owasp: "..."' - pattern-not: 'owasp: "=~/^A(0?[1-9]|10): .+$/"' - patterns: - pattern-inside: 'owasp: [...]' - pattern: '"$ANYTHING"' - pattern-not-regex: .*A[01][0-9]:[0-9]{4}\s+.* - pattern-not-regex: 'owasp:' - id: yaml.semgrep.metadata-subcategory-incorrect-value.metadata-subcategory-incorrect-value message: 'Semgrep rule likelihood: $VALUE detected, but the value must be vuln, audit, or secure default. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/' severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-subcategory-incorrect-value.metadata-subcategory-incorrect-value shortlink: https://sg.run/qzly semgrep.dev: rule: r_id: 39212 rv_id: 1028296 rule_id: r6U862 version_id: zyT8A1B url: https://semgrep.dev/playground/r/zyT8A1B/yaml.semgrep.metadata-subcategory-incorrect-value.metadata-subcategory-incorrect-value origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern: "subcategory: \n - $VALUE\n" - pattern-not: "subcategory: \n - vuln\n" - pattern-not: "subcategory: \n - audit\n" - pattern-not: "subcategory: \n - secure default\n" - id: yaml.semgrep.metadata-incorrect-option.metadata-incorrect-option message: It looks like $KEY is not in the default list of expected options, if this is a new key update this rule severity: INFO metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-incorrect-option.metadata-incorrect-option shortlink: https://sg.run/QYpq semgrep.dev: rule: r_id: 70986 rv_id: 1263949 rule_id: gxU7jB version_id: ExTExG4 url: https://semgrep.dev/playground/r/ExTExG4/yaml.semgrep.metadata-incorrect-option.metadata-incorrect-option origin: community languages: - yaml patterns: - pattern-inside: | rules: ... - pattern-inside: | options: $A - focus-metavariable: $A - pattern: | $KEY: $VALUE - metavariable-regex: metavariable: $KEY regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine|commutative_compop|symmetric_eq|taint_only_propagate_through_assignments|taint_match_on|taint_focus_on) - id: yaml.semgrep.message-whitespace.message-whitespace-check message: It looks like you have an additional space in your rule message, this can look awkward in the finding output, please remove the additional whitespace! severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.message-whitespace.message-whitespace-check shortlink: https://sg.run/5lqW semgrep.dev: rule: r_id: 52891 rv_id: 1028282 rule_id: r6UpAo version_id: 5PTAP8k url: https://semgrep.dev/playground/r/5PTAP8k/yaml.semgrep.message-whitespace.message-whitespace-check origin: community languages: - yaml fix-regex: regex: (?<=\S)\s(\s{1,}) replacement: ' ' patterns: - pattern-inside: | rules: ... - pattern: | message: >- $VALUE - focus-metavariable: - $VALUE - pattern-regex: \w.* - pattern-regex: \s{2,} - id: yaml.semgrep.metadata-confidence-incorrect-value.metadata-confidence-incorrect-value message: 'Semgrep rule confidence: $VALUE detected, but the value must be LOW, MEDIUM, or HIGH. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/' severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-confidence-incorrect-value.metadata-confidence-incorrect-value shortlink: https://sg.run/AWz8 semgrep.dev: rule: r_id: 39206 rv_id: 1028284 rule_id: 2ZU6YG version_id: RGTkQog url: https://semgrep.dev/playground/r/RGTkQog/yaml.semgrep.metadata-confidence-incorrect-value.metadata-confidence-incorrect-value origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern: | confidence: $VALUE - pattern-not: | confidence: LOW - pattern-not: | confidence: MEDIUM - pattern-not: | confidence: HIGH - id: yaml.semgrep.metadata-impact.metadata-impact message: This Semgrep rule is missing a valid 'impact' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/writing-rules/rule-syntax/#TODO technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-impact.metadata-impact shortlink: https://sg.run/WK7g semgrep.dev: rule: r_id: 39209 rv_id: 1028289 rule_id: 10UXoZ version_id: 0bTl7Jw url: https://semgrep.dev/playground/r/0bTl7Jw/yaml.semgrep.metadata-impact.metadata-impact origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern-not-inside: "metadata: \n ...\n impact: $VALUE\n" - id: yaml.semgrep.metadata-license.metadata-license message: The license should not be set in rule metadata, it gets added by Semgrep app at the registry level. severity: ERROR metadata: category: correctness license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license technology: - semgrep source: https://semgrep.dev/r/yaml.semgrep.metadata-license.metadata-license shortlink: https://sg.run/jQ42y semgrep.dev: rule: r_id: 193665 rv_id: 1028291 rule_id: ReUekDB version_id: qkTx1b4 url: https://semgrep.dev/playground/r/qkTx1b4/yaml.semgrep.metadata-license.metadata-license origin: community languages: - yaml patterns: - pattern-inside: | rules: ... - pattern-inside: | metadata: ... - pattern: | license: ... - id: yaml.semgrep.metadata-likelihood.metadata-likelihood message: This Semgrep rule is missing a valid 'likelihood' field in the 'metadata'. which should be either LOW, MEDIUM, or HIGH. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-likelihood.metadata-likelihood shortlink: https://sg.run/K29X semgrep.dev: rule: r_id: 39211 rv_id: 1028293 rule_id: yyUd0P version_id: YDT26Qn url: https://semgrep.dev/playground/r/YDT26Qn/yaml.semgrep.metadata-likelihood.metadata-likelihood origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern-not-inside: "metadata: \n ...\n likelihood: $VALUE\n" - id: yaml.semgrep.metadata-references.metadata-references message: The references in rule metadata should always be a list, even if there's only one. severity: ERROR metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-references.metadata-references shortlink: https://sg.run/dgbX semgrep.dev: rule: r_id: 11078 rv_id: 1028295 rule_id: bwUOye version_id: o5Tlyrd url: https://semgrep.dev/playground/r/o5Tlyrd/yaml.semgrep.metadata-references.metadata-references origin: community languages: - json - yaml patterns: - pattern-inside: | rules: ... - pattern-inside: | metadata: ... - pattern: | references: ... - pattern-not: | references: [...] - id: yaml.semgrep.metadata-subcategory.metadata-subcategory message: This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'. which should be either audit, vuln, or secure default. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-subcategory.metadata-subcategory shortlink: https://sg.run/lqr9 semgrep.dev: rule: r_id: 39213 rv_id: 1028297 rule_id: bwU4XB version_id: pZTy6we url: https://semgrep.dev/playground/r/pZTy6we/yaml.semgrep.metadata-subcategory.metadata-subcategory origin: community languages: - yaml patterns: - pattern-inside: "rules: \n ...\n" - pattern-inside: "metadata: \n ...\n category: security\n ...\n" - pattern-not-inside: "metadata: \n ...\n subcategory: $VALUE\n" - id: yaml.semgrep.metadata-technology.metadata-technology message: This Semgrep rule is missing a 'technology' field in the 'metadata'. Consider adding a list of technologies based on the rule's associated library or framework, or another piece of relevant information. severity: INFO metadata: category: best-practice technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.metadata-technology.metadata-technology shortlink: https://sg.run/65oK semgrep.dev: rule: r_id: 12659 rv_id: 1028298 rule_id: ZqUgkb version_id: 2KTrQKE url: https://semgrep.dev/playground/r/2KTrQKE/yaml.semgrep.metadata-technology.metadata-technology origin: community languages: - yaml patterns: - pattern-inside: | rules: ... - pattern-inside: | metadata: ... - pattern-not-inside: | metadata: ... technology: $VALUE - id: yaml.semgrep.missing-language-field.missing-language-field message: Please include a 'languages' field for your rule! severity: WARNING metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.missing-language-field.missing-language-field shortlink: https://sg.run/Zeox semgrep.dev: rule: r_id: 11079 rv_id: 1028299 rule_id: NbUA4R version_id: X0Txw7l url: https://semgrep.dev/playground/r/X0Txw7l/yaml.semgrep.missing-language-field.missing-language-field origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern: 'id: $RULEID' - pattern-not-inside: | - ... languages: ... - id: yaml.semgrep.missing-message-field.missing-message-field message: This rule does not have a message. Semgrep requires that rules have a message. Include a message to explain what the rule does. Consider writing a message that explains why this is an issue and how to fix it. severity: WARNING metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.missing-message-field.missing-message-field shortlink: https://sg.run/nqEg semgrep.dev: rule: r_id: 11080 rv_id: 1028300 rule_id: kxURJG version_id: jQTY6R9 url: https://semgrep.dev/playground/r/jQTY6R9/yaml.semgrep.missing-message-field.missing-message-field origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern: 'id: $RULEID' - pattern-not-inside: | - ... message: ... - id: yaml.semgrep.multi-line-message.multi-line-message message: 'This rule has a multi-line message field, which may display poorly in a terminal. Consider ensuring it is on one line. For example, use `message: >-`, not `message: |`.' severity: WARNING metadata: category: correctness references: - https://github.com/semgrep/semgrep-rules/issues/1431 technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.multi-line-message.multi-line-message shortlink: https://sg.run/v2j4 semgrep.dev: rule: r_id: 13533 rv_id: 1028301 rule_id: lBUzBw version_id: 1QTYbe0 url: https://semgrep.dev/playground/r/1QTYbe0/yaml.semgrep.multi-line-message.multi-line-message origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern: | message: "=~/[\\n\\r]/" - id: yaml.semgrep.slow-pattern-general-function.slow-pattern-general-func message: Using patterns like `function (...) {...}` is too general it will probably slow down the rule performance. severity: WARNING metadata: category: performance technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.slow-pattern-general-function.slow-pattern-general-func shortlink: https://sg.run/Al26 semgrep.dev: rule: r_id: 11206 rv_id: 1028303 rule_id: WAUZpB version_id: yeT2ByY url: https://semgrep.dev/playground/r/yeT2ByY/yaml.semgrep.slow-pattern-general-function.slow-pattern-general-func origin: community languages: - yaml patterns: - pattern-either: - pattern-inside: | pattern-inside: $X - pattern-inside: | pattern-not-inside: $X - pattern-inside: | pattern: $X - pattern-inside: | pattern-not: $X - pattern-regex: function[^{]*{[\s\n]*\.\.\.[\s\n]*} - pattern-either: - pattern-inside: | languages: [...,"javascript",...] ... - pattern-inside: | languages: [...,"typescript",...] ... - id: yaml.semgrep.rule-missing-deconstructed-value.missing-deconstructed-value message: Looks like this value is deconstructing a const/var/let you need to use all three `const {...} =` `var {...} =` and `let {...} =` to provide accurate coverage consider adding the missing patterns in a `pattern-inside` for better coverage. severity: WARNING metadata: category: correctness references: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.rule-missing-deconstructed-value.missing-deconstructed-value shortlink: https://sg.run/20PD semgrep.dev: rule: r_id: 53519 rv_id: 1028302 rule_id: 5rURQq version_id: 9lTWokL url: https://semgrep.dev/playground/r/9lTWokL/yaml.semgrep.rule-missing-deconstructed-value.missing-deconstructed-value origin: community languages: - yaml patterns: - pattern-either: - patterns: - pattern-inside: | rules: ... - pattern-not-inside: | - pattern-either: ... - pattern: | - pattern-inside: $VALUE - pattern-either: - pattern-regex: const {.*}.*= - pattern-regex: let {.*}.*= - pattern-regex: var {.*}.*= - patterns: - patterns: - pattern-inside: | rules: ... - pattern-inside: | - pattern-either: $VALUE - focus-metavariable: - $VALUE - pattern-inside: "- pattern-inside: \n $A\n" - metavariable-regex: metavariable: $A regex: .*\s.*(var|const|let)\s{.*}\s= - pattern-not: patterns: - pattern-inside: "...\n- pattern-inside: \n $Z\n...\n- pattern-inside: \n $B\n... \n- pattern-inside: \n $C\n...\n" - metavariable-regex: metavariable: $Z regex: .*\s.*(var|const|let).*{.*} - metavariable-regex: metavariable: $B regex: .*\s.*(var|const|let).*{.*} - metavariable-regex: metavariable: $C regex: .*\s.*(var|const|let).*{.*} - id: trailofbits.generic.postgres-insecure-sslmode.postgres-insecure-sslmode message: | Found PostgreSQL connection string disabling SSL verification languages: - regex severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: HIGH impact: HIGH technology: - postgresql references: - https://www.postgresql.org/docs/current/libpq-connect.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.postgres-insecure-sslmode.postgres-insecure-sslmode shortlink: https://sg.run/5rol0 semgrep.dev: rule: r_id: 150291 rv_id: 943185 rule_id: GdUvdn1 version_id: RGTAQqD url: https://semgrep.dev/playground/r/RGTAQqD/trailofbits.generic.postgres-insecure-sslmode.postgres-insecure-sslmode origin: community pattern-either: - pattern-regex: (?i)postgresql://.+[?&]sslmode=(disable|allow|prefer).*$ - pattern-regex: (?i)postgresql://.+[?&]requiressl=0.*$ - pattern-regex: (?i)postgresql://.+[?&]ssl=false.*$ - pattern-regex: (?i)postgres://.+[?&]sslmode=(disable|allow|prefer).*$ - pattern-regex: (?i)postgres://.+[?&]requiressl=0.*$ - pattern-regex: (?i)postgres://.+[?&]ssl=false.*$ - id: yaml.semgrep.slow-pattern-general-property.slow-pattern-general-property message: Using patterns like `$X.$Y` may be too general and may slow down the rule performance. severity: WARNING metadata: category: performance technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.slow-pattern-general-property.slow-pattern-general-property shortlink: https://sg.run/B4X9 semgrep.dev: rule: r_id: 11207 rv_id: 1028304 rule_id: 0oUEbn version_id: rxTLo9g url: https://semgrep.dev/playground/r/rxTLo9g/yaml.semgrep.slow-pattern-general-property.slow-pattern-general-property origin: community languages: - yaml patterns: - pattern-either: - pattern-inside: | pattern-inside: $X - pattern-inside: | pattern-not-inside: $X - pattern-inside: | pattern: $X - pattern-inside: | pattern-not: $X - pattern-regex: \$[A-Z]*\.\$[A-Z]* - id: yaml.semgrep.slow-pattern-top-ellipsis.slow-pattern-top-ellipsis message: Using the ellipsis operator `...` at the top of the pattern drastically slows down the rule performance. severity: WARNING metadata: category: performance technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.slow-pattern-top-ellipsis.slow-pattern-top-ellipsis shortlink: https://sg.run/WgBz semgrep.dev: rule: r_id: 11209 rv_id: 1028306 rule_id: qNUon8 version_id: NdTd9Yp url: https://semgrep.dev/playground/r/NdTd9Yp/yaml.semgrep.slow-pattern-top-ellipsis.slow-pattern-top-ellipsis origin: community languages: - yaml patterns: - pattern-either: - pattern-inside: | pattern-inside: $X - pattern-inside: | pattern-not-inside: $X - pattern-inside: | pattern: $X - pattern-inside: | pattern-not: $X - pattern-regex: \|\s*\n\s*\.\.\.\s*\n[^\n]*\n\s*\.\.\. - id: yaml.semgrep.unsatisfiable.unsatisfiable-rule message: You can not use 'pattern' $A and 'pattern-not' $A together; this will always be empty. severity: ERROR metadata: category: correctness technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.unsatisfiable.unsatisfiable-rule shortlink: https://sg.run/70qk semgrep.dev: rule: r_id: 11082 rv_id: 1028308 rule_id: x8UW6o version_id: w8TnzGE url: https://semgrep.dev/playground/r/w8TnzGE/yaml.semgrep.unsatisfiable.unsatisfiable-rule origin: community languages: - yaml patterns: - pattern-inside: 'patterns: [...]' - pattern-either: - patterns: - pattern-inside: | - pattern: $A ... - pattern: | - pattern-not: $A - patterns: - pattern-inside: | - pattern-not: $A ... - pattern: | - pattern: $A - id: ruby.lang.security.no-eval.ruby-eval message: Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval. severity: WARNING metadata: likelihood: HIGH impact: MEDIUM confidence: MEDIUM category: security cwe2022-top25: true cwe2021-top25: true cwe: - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' owasp: - A03:2021 - Injection - A05:2025 - Injection references: - https://owasp.org/Top10/A03_2021-Injection source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_evaluation.rb subcategory: - vuln technology: - ruby - rails license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Code Injection source: https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval shortlink: https://sg.run/bDwZ semgrep.dev: rule: r_id: 9726 rv_id: 1263615 rule_id: OrUGNk version_id: A8TgdDv url: https://semgrep.dev/playground/r/A8TgdDv/ruby.lang.security.no-eval.ruby-eval origin: community languages: - ruby mode: taint pattern-sources: - pattern-either: - pattern: params - pattern: cookies - patterns: - pattern: | RubyVM::InstructionSequence.compile(...) - pattern-not: | RubyVM::InstructionSequence.compile("...") pattern-sinks: - patterns: - pattern-either: - pattern: $X.eval - pattern: $X.class_eval - pattern: $X.instance_eval - pattern: $X.module_eval - pattern: $X.eval(...) - pattern: $X.class_eval(...) - pattern: $X.instance_eval(...) - pattern: $X.module_eval(...) - pattern: eval(...) - pattern: class_eval(...) - pattern: module_eval(...) - pattern: instance_eval(...) - pattern-not: $M("...",...) - id: yaml.semgrep.slow-pattern-single-metavariable.slow-pattern-single-metavariable message: Using a single metavariable as a pattern drastically slows down the rule performance because it will match every expression in a file. Instead, try to match something specific such as a function name, or anchor on a statement that may occur above or below the pattern. The more specific you can be, the faster the pattern will run. severity: WARNING metadata: category: performance technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.slow-pattern-single-metavariable.slow-pattern-single-metavariable shortlink: https://sg.run/DJ1W semgrep.dev: rule: r_id: 11208 rv_id: 1028305 rule_id: KxU4q1 version_id: bZT1KND url: https://semgrep.dev/playground/r/bZT1KND/yaml.semgrep.slow-pattern-single-metavariable.slow-pattern-single-metavariable origin: community languages: - yaml patterns: - pattern-either: - pattern-inside: | pattern-inside: $PATTERN - pattern-inside: | pattern-not-inside: $PATTERN - pattern-inside: | pattern: $PATTERN - pattern-inside: | pattern-not: $PATTERN - metavariable-regex: metavariable: $PATTERN regex: ^\$[A-Z_]*$ - id: trailofbits.generic.amqp-unencrypted-transport.amqp-unencrypted-transport message: | Found unencrypted AMQP connection, prefer TLS encrypted `amqps://` transport languages: - generic severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' confidence: HIGH likelihood: HIGH impact: HIGH technology: - amqp - rabbitmq references: - https://www.rabbitmq.com/docs/uri-spec#the-amqps-uri-scheme license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.generic.amqp-unencrypted-transport.amqp-unencrypted-transport shortlink: https://sg.run/3qYKK semgrep.dev: rule: r_id: 150287 rv_id: 943181 rule_id: lBU4nKK version_id: PkTQWoY url: https://semgrep.dev/playground/r/PkTQWoY/trailofbits.generic.amqp-unencrypted-transport.amqp-unencrypted-transport origin: community options: generic_ellipsis_max_span: 0 pattern: amqp://... - id: trailofbits.generic.container-privileged.container-privileged message: Found container command (docker, podman) with extended privileges languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-250: Execution with Unnecessary Privileges' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://docs.docker.com/engine/reference/commandline/run/ license: AGPL-3.0 license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/trailofbits.generic.container-privileged.container-privileged shortlink: https://sg.run/qNLGR semgrep.dev: rule: r_id: 113212 rv_id: 833251 rule_id: ReUD0BO version_id: 5PTyDrK url: https://semgrep.dev/playground/r/5PTyDrK/trailofbits.generic.container-privileged.container-privileged origin: community pattern-either: - pattern: docker ... --privileged - pattern: docker ... --cap-add=ALL - pattern: docker ... --cap-add=SYS_ADMIN - pattern: docker ... --cap-add=SYS_MODULE - pattern: docker ... --net=host - pattern: docker ... --userns=host - pattern: docker ... --pid=host - pattern: docker ... --ipc=host - pattern: docker ... --security-opt seccomp=unconfined - pattern: docker ... --security-opt apparmor=unconfined - pattern: podman ... --privileged - pattern: podman ... --cap-add=ALL - pattern: podman ... --cap-add=SYS_ADMIN - pattern: podman ... --cap-add=SYS_MODULE - pattern: podman ... --net=host - pattern: podman ... --userns=host - pattern: podman ... --pid=host - pattern: podman ... --ipc=host - pattern: podman ... --security-opt seccomp=unconfined - pattern: podman ... --security-opt apparmor=unconfined - id: gitlab.nodejs_scan.javascript-headers-rule-generic_cors patterns: - pattern: | $APP.options('*', cors(...)) message: | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-346 shortDescription: Origin validation error security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-generic_cors secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-generic_cors type: njsscan_rule_type value: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-generic_cors shortlink: https://sg.run/X5dJA semgrep.dev: rule: r_id: 144420 rv_id: 920511 rule_id: GdUvNK6 version_id: qkTpwKD url: https://semgrep.dev/playground/r/qkTpwKD/gitlab.nodejs_scan.javascript-headers-rule-generic_cors origin: community - id: yaml.semgrep.unnecessary-parent.unnecessary-parent-operator message: Unnecessary parent operator. Remove one to fix. severity: WARNING metadata: category: best-practice technology: - semgrep license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/yaml.semgrep.unnecessary-parent.unnecessary-parent-operator shortlink: https://sg.run/E5bP semgrep.dev: rule: r_id: 11081 rv_id: 1028307 rule_id: wdU8YL version_id: kbTxj8B url: https://semgrep.dev/playground/r/kbTxj8B/yaml.semgrep.unnecessary-parent.unnecessary-parent-operator origin: community languages: - yaml patterns: - pattern-inside: 'rules: [..., $RULE, ...]' - pattern-either: - patterns: - pattern: | pattern-either: - $THING1 - ... - pattern-not: | pattern-either: - $THING1 - $THING2 - ... - patterns: - pattern: | patterns: - $THING1 - ... - pattern-not: | patterns: - $THING1 - $THING2 - ... - pattern: | pattern-either: - ... - pattern-either: - ... - id: trailofbits.hcl.nomad.tls-hostname-verification-disabled.tls-hostname-verification-disabled message: | Found Nomad `tls` block with server hostname verification disabled languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - terraform references: - https://developer.hashicorp.com/nomad/docs/configuration/tls - https://github.com/hashicorp/nomad/blob/v1.8.0/nomad/structs/config/tls.go#L25-L31 license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.hcl.nomad.tls-hostname-verification-disabled.tls-hostname-verification-disabled shortlink: https://sg.run/WAzn2 semgrep.dev: rule: r_id: 150297 rv_id: 943191 rule_id: 0oULP8X version_id: K3TJz57 url: https://semgrep.dev/playground/r/K3TJz57/trailofbits.hcl.nomad.tls-hostname-verification-disabled.tls-hostname-verification-disabled origin: community patterns: - pattern-inside: | tls { ... ca_file = ... ... } - pattern-inside: | tls { ... cert_file = ... ... } - pattern-inside: | tls { ... key_file = ... ... } - pattern-either: - patterns: - pattern-inside: tls { ... } - pattern: verify_server_hostname = false - patterns: - pattern: tls { ... } - pattern-not: | tls { ... verify_server_hostname = $ANY ... } - id: trailofbits.generic.openssl-insecure-flags.openssl-insecure-flags message: Found `openssl` command using insecure flags languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://www.openssl.org/docs/manmaster/man1/ license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.openssl-insecure-flags.openssl-insecure-flags shortlink: https://sg.run/pKL5k semgrep.dev: rule: r_id: 113218 rv_id: 833257 rule_id: KxUvKPY version_id: WrTdpG9 url: https://semgrep.dev/playground/r/WrTdpG9/trailofbits.generic.openssl-insecure-flags.openssl-insecure-flags origin: community pattern-either: - pattern: 'openssl ... -pass pass:' - pattern: 'openssl ... -passin pass:' - pattern: 'openssl ... -passout pass:' - pattern: 'openssl ... -nodes ' - pattern: 'openssl ... -noenc ' - pattern: 'openssl ... -sha1 ' - id: trailofbits.generic.ssh-disable-host-key-checking.ssh-disable-host-key-checking message: Found `ssh` command disabling host key checking languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://man7.org/linux/man-pages/man1/ssh.1.html license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.ssh-disable-host-key-checking.ssh-disable-host-key-checking shortlink: https://sg.run/2ZWd8 semgrep.dev: rule: r_id: 113219 rv_id: 833258 rule_id: qNU2R9X version_id: 0bTwbgN url: https://semgrep.dev/playground/r/0bTwbgN/trailofbits.generic.ssh-disable-host-key-checking.ssh-disable-host-key-checking origin: community pattern: ssh ... StrictHostKeyChecking=no - id: trailofbits.generic.tar-insecure-flags.tar-insecure-flags message: Found `tar` command using insecure flags languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-73: External Control of File Name or Path' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://man7.org/linux/man-pages/man1/tar.1.html license: AGPL-3.0 license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/trailofbits.generic.tar-insecure-flags.tar-insecure-flags shortlink: https://sg.run/X5RyN semgrep.dev: rule: r_id: 113220 rv_id: 833259 rule_id: lBU4JeW version_id: K3Trq8x url: https://semgrep.dev/playground/r/K3Trq8x/trailofbits.generic.tar-insecure-flags.tar-insecure-flags origin: community options: generic_ellipsis_max_span: 0 pattern-either: - pattern: 'tar ... -P ' - pattern: tar ... --absolute-paths - pattern: tar ... --absolute-names - pattern: 'tar ... --passphrase ' - id: trailofbits.generic.wget-no-check-certificate.wget-no-check-certificate message: Found `wget` command disabling SSL verification languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-295: Improper Certificate Validation' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://linux.die.net/man/1/wget license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.generic.wget-no-check-certificate.wget-no-check-certificate shortlink: https://sg.run/j2WyD semgrep.dev: rule: r_id: 113221 rv_id: 833260 rule_id: PeUJREx version_id: qkTQnL3 url: https://semgrep.dev/playground/r/qkTQnL3/trailofbits.generic.wget-no-check-certificate.wget-no-check-certificate origin: community pattern-either: - pattern: wget ... --no-check-certificate - pattern: wget ... --no-hsts - id: trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url message: Found `wget` command with unencrypted URL (e.g. HTTP, FTP, etc.) languages: - generic severity: WARNING metadata: category: security subcategory: - audit technology: - shell cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' confidence: MEDIUM likelihood: MEDIUM impact: HIGH references: - https://linux.die.net/man/1/wget license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url shortlink: https://sg.run/10Ddk semgrep.dev: rule: r_id: 113222 rv_id: 833261 rule_id: JDUNz2o version_id: l4TyOon url: https://semgrep.dev/playground/r/l4TyOon/trailofbits.generic.wget-unencrypted-url.wget-unencrypted-url origin: community pattern-either: - pattern: wget ... http:// - pattern: wget ... ftp:// - id: trailofbits.go.eth-rpc-tracetransaction.eth-rpc-tracetransaction message: 'Using built-in transaction tracers can be dangerous if measures are not taken to filter out reverted call frames. Review the related code to ensure the following properties: 1. Reverted call frames and their associated subtraces are filtered out from any analysis. 2. The transaction being traced is from a finalized block.' severity: WARNING languages: - go metadata: category: security technology: - ethereum - blockchain - geth subcategory: - audit cwe: 'CWE-1284: Improper Validation of Specified Quantity in Input' confidence: LOW impact: HIGH likelihood: MEDIUM description: Detects attempts to extract trace information from an EVM transaction or block. In exchange or bridge applications, extra logic must be implemented encapsulating these endpoints to prevent the values transferred during reverted call frames from being counted. references: - https://blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.eth-rpc-tracetransaction.eth-rpc-tracetransaction shortlink: https://sg.run/r6XzP semgrep.dev: rule: r_id: 137469 rv_id: 833262 rule_id: WAUWXz3 version_id: YDTl0k0 url: https://semgrep.dev/playground/r/YDTl0k0/trailofbits.go.eth-rpc-tracetransaction.eth-rpc-tracetransaction origin: community pattern-either: - pattern: $RECEIVER.TraceTransaction($CTX, $FILTER, $TRACECONF) - pattern: $RECEIVER.TraceBlockByNumber($CTX, $FILTER, $TRACECONF) - pattern: $RECEIVER.TraceBlockByHash($CTX, $FILTER, $TRACECONF) - pattern: $RECEIVER.TraceBlock($CTX, $FILTER, $TRACECONF) - pattern: $RECEIVER.TraceChain($CTX, ...) - pattern-regex: .*debug_traceBlock.* - pattern-regex: .*debug_traceTransaction.* - pattern-regex: .*debug_traceCall.* - pattern-regex: .*debug_traceBlockByNumber.* - pattern-regex: .*debug_traceBlockByHash.* - pattern-regex: .*trace_block.* - pattern-regex: .*trace_transaction.* - pattern-regex: .*trace_replayBlockTransactions.* - pattern-regex: .*trace_replayTransaction.* - pattern-regex: .*trace_filter.* - pattern-regex: .*trace_call.* - pattern-regex: .*trace_callMany.* - pattern-regex: .*trace_get.* - id: trailofbits.go.eth-txreceipt-status.eth-txreceipt-status message: 'A transaction receipt''s status is inspected using `$RECEIVER.Status()`. For bridges and exchanges, this is a high-risk pattern because even though the transaction was successful, calls within the transaction may have failed. Review the related code to ensure the following properties: 1. The receipt''s success is not being used as a verification measure. 2. The transaction being inspected is from a finalized block.' severity: WARNING languages: - go metadata: category: security confidence: LOW impact: HIGH likelihood: MEDIUM technology: - ethereum - blockchain - geth subcategory: - audit cwe: 'CWE-437: Incomplete Model of Endpoint Features' description: Detects when a transaction receipt's status is read references: - https://blog.trailofbits.com/2023/08/23/the-engineers-guide-to-blockchain-finality/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.eth-txreceipt-status.eth-txreceipt-status shortlink: https://sg.run/bwGlP semgrep.dev: rule: r_id: 137470 rv_id: 833263 rule_id: 0oUL8xK version_id: 6xTDgGX url: https://semgrep.dev/playground/r/6xTDgGX/trailofbits.go.eth-txreceipt-status.eth-txreceipt-status origin: community patterns: - pattern-inside: | import "github.com/ethereum/go-ethereum/core/types" ... - pattern: | ($RECEIVER : Receipt).Status - id: trailofbits.go.hanging-goroutine.hanging-goroutine message: Potential goroutine leak due to unbuffered channel send inside loop or unbuffered channel receive in select block languages: - go severity: ERROR metadata: category: security cwe: 'CWE-833: Deadlock' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: LOW technology: - --no-technology-- description: Goroutine leaks references: - https://blog.trailofbits.com/2021/11/08/discovering-goroutine-leaks-with-semgrep license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.hanging-goroutine.hanging-goroutine shortlink: https://sg.run/Dw8o semgrep.dev: rule: r_id: 11752 rv_id: 833264 rule_id: EwUQp2 version_id: o5TBEoD url: https://semgrep.dev/playground/r/o5TBEoD/trailofbits.go.hanging-goroutine.hanging-goroutine origin: community patterns: - pattern-either: - pattern: | for ... { ... go func(...) { ... $CHANNEL <- $VAL ... }(...) } ... $Y = <- $CHANNEL ... - pattern: | for ... { ... go func(...) { ... $CHANNEL <- $VAL ... }(...) } ... return <- $CHANNEL - pattern: | for ... { ... go func(...) { ... select { case ... case $CHANNEL <- $VAL: ... case ... } ... }(...) ... } ... return <- $CHANNEL - pattern: "go func(...){\n ...\n $CHANNEL <- $X\n ...\n}(...)\n...\nselect {\ncase ...\ncase $Y = <- $CHANNEL: \n...\n}\n" - pattern: "go func(...){\n ...\n $CHANNEL <- $X\n ...\n}(...)\n...\nselect {\ncase ...\ncase <- $CHANNEL: \n...\n}\n" - pattern: "go func(...){\n ...\n $CHANNEL <- $X\n ...\n}(...)\n...\nselect {\ncase ...\ncase $Y <- $CHANNEL: \n...\n}\n" - pattern-inside: | $CHANNEL := make(...) ... - pattern-not-inside: | $CHANNEL := make(..., $T) ... - pattern-not: "go func(...){\n ...\n $CHANNEL <- $X\n ...\n}(...)\n...\nselect {\ncase ...\ncase ...: \n ...\n ... = <- $CHANNEL\n ...\n}\n" - pattern-not: "go func(...){\n ...\n $CHANNEL <- $X\n ...\n}(...)\n...\nselect {\ncase ...\ncase ...: \n ...\n <-$CHANNEL\n ...\n}\n" - id: trailofbits.go.nil-check-after-call.nil-check-after-call message: Potential `$FOO` nil dereference when `$BAR` is called languages: - go severity: WARNING metadata: category: security cwe: 'CWE-253: Incorrect Check of Function Return Value' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- description: Possible nil dereferences references: - https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.nil-check-after-call.nil-check-after-call shortlink: https://sg.run/05g5 semgrep.dev: rule: r_id: 11754 rv_id: 833269 rule_id: L1Ur2r version_id: jQTrXDK url: https://semgrep.dev/playground/r/jQTrXDK/trailofbits.go.nil-check-after-call.nil-check-after-call origin: community patterns: - pattern-either: - pattern: | $FOO.$BAR(...) ... if $FOO != nil { ... } - pattern: | $FOO.$BAR(...) ... if $FOO == nil { ... } - pattern: | $FUNC(..., $FOO.$BAR(...), ...) ... if $FOO != nil { ... } - pattern: | $FUNC(..., $FOO.$BAR(...), ...) ... if $FOO == nil { ... } - pattern-not: | $FOO.$BAR(...) ... $FOO = ... ... if $FOO != nil { ... } - pattern-not: | $FOO.$BAR(...) ... ..., $FOO, ... = ... ... if $FOO == nil { ... } - pattern-not: | $FOO.$BAR(...) ... ..., $FOO, ... = ... ... if $FOO != nil { ... } - pattern-not: | $FOO.$BAR(...) ... $FOO = ... ... if $FOO == nil { ... } - pattern-not: | ..., $FOO = $FOO.$BAR(...) ... if $FOO == nil { ... } - pattern-not: | ..., $FOO = $FOO.$BAR(...) ... if $FOO != nil { ... } - pattern-not: | $FOO = $FOO.$BAR(...) ... if $FOO == nil { ... } - pattern-not: | $FOO = $FOO.$BAR(...) ... if $FOO != nil { ... } - id: trailofbits.go.unsafe-dll-loading.unsafe-dll-loading message: The function is vulnerable to DLL hijacking attacks. Use `windows.NewLazySystemDLL()` function to limit DLL search to the Windows directory languages: - go severity: ERROR metadata: category: security cwe: 'CWE-427: Uncontrolled Search Path Element' subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: HIGH technology: - --no-technology-- description: Use of function vulnerable to DLL hijacking attacks references: - https://pkg.go.dev/golang.org/x/sys/windows#LazyDLL license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.unsafe-dll-loading.unsafe-dll-loading shortlink: https://sg.run/poE3 semgrep.dev: rule: r_id: 40518 rv_id: 833275 rule_id: pKUQBW version_id: NdTB2J9 url: https://semgrep.dev/playground/r/NdTB2J9/trailofbits.go.unsafe-dll-loading.unsafe-dll-loading origin: community patterns: - pattern-either: - pattern: syscall.LoadDLL(...) - pattern: syscall.LoadLibrary(...) - pattern: windows.LoadDLL(...) - pattern: windows.MustLoadDLL(...) - pattern: syscall.NewLazyDLL(...) - pattern: | $X = windows.NewLazyDLL(...) ... $X.$Y() ... $X.System = true - pattern: | $X = windows.NewLazyDLL(...) ... $X.$Y() - pattern-not: | $X = windows.NewLazyDLL(...) ... $X.System = true ... $X.$Y() - id: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine message: | Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait` waiting for more or less calls to `$WG.Done()` than expected languages: - go severity: ERROR metadata: category: security cwe: 'CWE-667: Improper Locking' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- description: Calls to `sync.WaitGroup.Add` inside of anonymous goroutines references: - https://go101.org/article/concurrent-common-mistakes.html license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine shortlink: https://sg.run/z98W semgrep.dev: rule: r_id: 11761 rv_id: 833276 rule_id: JDUQ3v version_id: kbT2l5k url: https://semgrep.dev/playground/r/kbT2l5k/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine origin: community patterns: - pattern-either: - pattern: | $WG := &sync.WaitGroup{} ... go func(...) { ... $WG.Add(...) ... }(...) ... $WG.Wait() - pattern: | var $WG sync.WaitGroup ... go func(...) { ... $WG.Add(...) ... }(...) ... $WG.Wait() - pattern-not-inside: | for ... { ... $WG.Add(...) ... } - id: trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop message: Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()` languages: - go severity: WARNING metadata: category: security cwe: 'CWE-667: Improper Locking' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- description: Calls to `sync.WaitGroup.Wait` inside a loop references: - https://go101.org/article/concurrent-common-mistakes.html license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop shortlink: https://sg.run/pkGL semgrep.dev: rule: r_id: 11762 rv_id: 833277 rule_id: 5rU8Po version_id: w8TAx58 url: https://semgrep.dev/playground/r/w8TAx58/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop origin: community patterns: - pattern-either: - pattern: | var $WG sync.WaitGroup ... for ... { ... go func(...){ ... defer $WG.Done() ... }() ... $WG.Wait() ... } - pattern: | $WG := &sync.WaitGroup{} ... for ... { ... go func(...){ ... defer $WG.Done() ... }() ... $WG.Wait() ... } - pattern: | var $WG sync.WaitGroup ... for ... { ... go func(...){ ... $WG.Done() ... }() ... $WG.Wait() ... } - pattern: | $WG := &sync.WaitGroup{} ... for ... { ... go func(...){ ... $WG.Done() ... }() ... $WG.Wait() ... } - id: trailofbits.javascript.apollo-graphql.schema-directives.schema-directives message: The Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4. languages: - js - ts severity: ERROR metadata: category: security cwe: 'CWE-686: Function Call With Incorrect Argument Type' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - graphql - apollo-graphql-server description: Use of outdated ApolloServer option 'schemaDirectives' references: - https://www.apollographql.com/docs/apollo-server/schema/directives/#custom-directives license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.schema-directives.schema-directives shortlink: https://sg.run/wE2N semgrep.dev: rule: r_id: 60573 rv_id: 833278 rule_id: OrU1Oz version_id: xyTNew2 url: https://semgrep.dev/playground/r/xyTNew2/trailofbits.javascript.apollo-graphql.schema-directives.schema-directives origin: community pattern-either: - pattern: | new ApolloServer({..., schemaDirectives: ..., ...}) - id: trailofbits.javascript.apollo-graphql.use-of-graphql-upload.use-of-graphql-upload languages: - js - ts message: 'The Apollo GraphQL server is using the graphql-upload library. This library allows file uploads using POSTs with content-type: multipart/form-data, which can enable to CSRF attacks. Ensure that you are enabling CSRF protection if you really need to use graphql-upload .' severity: WARNING metadata: category: security cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)' subcategory: - vuln confidence: LOW likelihood: MEDIUM impact: MEDIUM technology: - graphql - apollo-graphql-server description: Use of the graphql-upload library references: - https://github.com/apollographql/apollo-server/security/advisories/GHSA-2p3c-p3qw-69r4 license: AGPL-3.0 license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.use-of-graphql-upload.use-of-graphql-upload shortlink: https://sg.run/xE20 semgrep.dev: rule: r_id: 60574 rv_id: 833279 rule_id: eqUB1Q version_id: O9TJWB6 url: https://semgrep.dev/playground/r/O9TJWB6/trailofbits.javascript.apollo-graphql.use-of-graphql-upload.use-of-graphql-upload origin: community patterns: - pattern: app.use(graphqlUploadExpress()); - id: trailofbits.javascript.apollo-graphql.v3-cors-audit.v3-potentially-bad-cors languages: - js - ts message: The Apollo GraphQL server is setup with a CORS policy that does not deny all origins. Carefully review the origins to see if any of them are incorrectly setup (third-party websites, bad regexes, functions that reflect every origin, etc.). severity: WARNING metadata: category: security cwe: 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' subcategory: - audit confidence: LOW likelihood: MEDIUM impact: MEDIUM technology: - graphql - apollo-graphql-server - apollo-graphql-server-v3 description: Potentially bad CORS policy references: - https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server license: AGPL-3.0 license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-cors-audit.v3-potentially-bad-cors shortlink: https://sg.run/ORxR semgrep.dev: rule: r_id: 60575 rv_id: 833280 rule_id: v8UlNl version_id: e1TDkqr url: https://semgrep.dev/playground/r/e1TDkqr/trailofbits.javascript.apollo-graphql.v3-cors-audit.v3-potentially-bad-cors origin: community mode: taint pattern-sources: - pattern: | { origin: function(...) {...} } - patterns: - pattern-inside: | { origin: $NOT_KNOWN_GOOD_CORS_ORIGIN } - metavariable-pattern: metavariable: $NOT_KNOWN_GOOD_CORS_ORIGIN patterns: - pattern-not: | false - pattern-not: | [] pattern-sinks: - patterns: - pattern: | {..., cors: $CORS_ORIGIN, ...} - focus-metavariable: $CORS_ORIGIN - id: trailofbits.javascript.apollo-graphql.v3-cors.v3-bad-cors languages: - js - ts message: The Apollo GraphQL server is setup with a CORS policy that reflects any origin, or with a regex that has known flaws. severity: ERROR metadata: category: security cwe: 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' subcategory: - vuln confidence: MEDIUM likelihood: HIGH impact: HIGH technology: - graphql - apollo-graphql-server description: Bad CORS policy references: - https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server license: AGPL-3.0 license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-cors.v3-bad-cors shortlink: https://sg.run/Zo3x semgrep.dev: rule: r_id: 60579 rv_id: 833284 rule_id: EwUZNW version_id: nWTy4kP url: https://semgrep.dev/playground/r/nWTy4kP/trailofbits.javascript.apollo-graphql.v3-cors.v3-bad-cors origin: community mode: taint pattern-sources: - patterns: - pattern-inside: | { origin: $BAD_CORS_ORIGIN } - metavariable-pattern: metavariable: $BAD_CORS_ORIGIN pattern-either: - pattern: | true - patterns: - pattern-either: - pattern: | $CORS_SINGLE_ORIGIN - pattern: | [..., $CORS_SINGLE_ORIGIN, ...] - metavariable-pattern: metavariable: $CORS_SINGLE_ORIGIN pattern-either: - pattern-regex: ^/.*[^\\]\..*/$ - pattern-regex: ^/.*[^$]/$ - pattern: | 'null' pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $X = require('apollo-server'); ... - pattern-inside: | import 'apollo-server'; ... - pattern: | new ApolloServer({..., cors: $CORS_ORIGIN, ...}) - focus-metavariable: $CORS_ORIGIN - id: trailofbits.javascript.apollo-graphql.v3-cors.v3-no-cors languages: - js - ts message: The Apollo GraphQL server lacks a CORS policy. By default, the batteries-included apollo-server package serves the Access-Control-Allow-Origin HTTP header with the wildcard value (*). severity: WARNING metadata: category: security cwe: 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' subcategory: - vuln confidence: HIGH likelihood: LOW impact: LOW technology: - graphql - apollo-graphql-server - apollo-graphql-server-v3 description: Lack of CORS policy references: - https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server license: AGPL-3.0 license vulnerability_class: - Improper Validation source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-cors.v3-no-cors shortlink: https://sg.run/dbNX semgrep.dev: rule: r_id: 60578 rv_id: 833283 rule_id: nJU3P4 version_id: ZRTlPW3 url: https://semgrep.dev/playground/r/ZRTlPW3/trailofbits.javascript.apollo-graphql.v3-cors.v3-no-cors origin: community patterns: - pattern-either: - pattern-inside: | $X = require('apollo-server'); ... - pattern-inside: | import 'apollo-server'; ... - pattern: | new ApolloServer({...}) - pattern-not: | new ApolloServer({..., cors: ..., ...}) - id: trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention languages: - js - ts message: The Apollo GraphQL server lacks the 'csrfPrevention' option. This option is 'false' by the default in v3 of the Apollo GraphQL v3, which can enable CSRF attacks. severity: ERROR metadata: category: security cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)' subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - graphql - apollo-graphql-server - apollo-graphql-server-v3 description: Lack of CSRF prevention references: - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf license: AGPL-3.0 license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention shortlink: https://sg.run/nEGg semgrep.dev: rule: r_id: 60580 rv_id: 833285 rule_id: 7KU8o3 version_id: ExTrD6A url: https://semgrep.dev/playground/r/ExTrD6A/trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention origin: community patterns: - pattern: new ApolloServer({...}) - pattern-not: | new ApolloServer({..., csrfPrevention: true, ...}) - id: gitlab.bandit.B509 languages: - python message: "Pysnmp was detected using SNMPv3 without authentication or encryption\nprotections enabled.\n\n- Use of `usmNoAuthProtocol` or `usmNoPrivProtocol` indicates that\neither authentication or privacy, respectively, is not being used. \n- The absence of \ `authKey` (or `authKey=None`) implies no authentication, \nwhich is equivalent to using `usmNoAuthProtocol`. \n- The absence of `privKey` (or `privKey=None`) implies no privacy (encryption), \nwhich is equivalent to using `usmNoPrivProtocol`.\n\nTo enhance the security of your SNMP communications, it is recommended to use both\nauthentication and privacy features in SNMPv3:\n\n- Use SHA for Authentication: SHA (Secure Hash Algorithm) is a more secure option \nfor SNMP message authentication. To use SHA, set the `authProtocol` to \n`usmHMACSHAAuthProtocol` and provide a strong `authKey`.\n- Use AES for Privacy: AES (Advanced Encryption Standard) is recommended for \nencrypting SNMP messages. Set the `privProtocol` to `usmAesCfb128Protocol`\nor a similar AES-based protocol and specify a strong `privKey`.\n\nExample of secure `UsmUserData` configuration:\n``` \n from pysnmp.hlapi import UsmUserData, usmHMACSHAAuthProtocol, usmAesCfb128Protocol\n \n user_data = UsmUserData('username','authKey', 'privKey', \n authProtocol=usmHMACSHAAuthProtocol,\n \ privProtocol=usmAesCfb128Protocol)\n```\n" metadata: cwe: CWE-319 category: security shortDescription: Cleartext transmission of sensitive information owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: Medium primary_identifier: bandit.B509 secondary_identifiers: - name: Bandit Test ID B509 type: bandit_test_id value: B509 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B509 shortlink: https://sg.run/A3O4 semgrep.dev: rule: r_id: 47606 rv_id: 920126 rule_id: nJUDAe version_id: pZTbDNl url: https://semgrep.dev/playground/r/pZTbDNl/gitlab.bandit.B509 origin: community pattern-either: - pattern-regex: UsmUserData(.*usmNoAuthProtocol.*) - pattern-regex: UsmUserData(.*usmNoPrivProtocol.*) - pattern: | UsmUserData(..., authKey=None, ...) - pattern: | UsmUserData(..., privKey=None, ...) - pattern: | UsmUserData(..., authProtocol=(1,3,6,1,6,3,10,1,1,1), ...) - pattern: | UsmUserData(..., privProtocol=(1,3,6,1,6,3,10,1,2,1), ...) - patterns: - pattern-not: | UsmUserData($NAME,$AUTHKEY,"...", ...) - pattern-not: | UsmUserData(..., privKey=$PRIVKEY, ...) - pattern-not: | UsmUserData(..., privProtocol=$PRIVPROT, ...) - pattern: | UsmUserData(...) severity: WARNING - id: gitlab.bandit.B611-1 message: "SQL Injections are a critical type of vulnerability that can lead to data \nor system compromise. By dynamically generating SQL query strings, user \ninput may be able to influence the logic of the SQL statement. \nThis could lead to an adversary accessing information they should not \nhave access to, or in some circumstances, being able to execute OS functionality\nor code.\n\nReplace all dynamically generated SQL queries with parameterized queries. \nIn situations where dynamic queries must be created, never use direct user input,\nbut instead use a map or dictionary of valid values and resolve them using a user \nsupplied key.\n\nFor example, some database drivers do not allow parameterized queries for \n`>` or `<` comparison operators. In these cases, do not use a user supplied \n`>` or `<` value, but rather have the user supply a `gt` or `lt` value. \nThe alphabetical values are then used to look up the `>` and `<` values to be used \nin the construction of the dynamic query. The same goes for other queries where \ncolumn or table names are required but cannot be parameterized.\n\nData that is possible user-controlled from a python request is passed\nto `raw()` function. To remediate this issue, use django's QuerySets, \nwhich are built with query parameterization and therefore not vulnerable \nto sql injection. For example, you could use `Entry.objects.filter(date=2006)`\n\nIf for some reason this is not feasible, ensure calls including user-supplied \ndata pass it in to the `params` parameter of the `raw()` method.\nBelow is an example using `raw()`, passing in user-supplied data as `params`. \nThis will treat the query as a parameterized query and `params` as strictly data, \npreventing any possibility of SQL Injection.\n\n```\ndef test(request):\n uname = request.GET[\"username\"] \n res = User.objects.raw('SELECT * FROM myapp_user WHERE username = %s', (uname,))\n```\n\nFor more information on QuerySet see:\n- https://docs.djangoproject.com/en/5.0/ref/models/querysets/\n\nFor more information on SQL Injection see OWASP:\n- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html\n" metadata: cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of special elements used in an SQL Command ('SQL Injection') security-severity: High primary_identifier: bandit.B611 secondary_identifiers: - name: Bandit Test ID B611 type: bandit_test_id value: B611 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B611-1 shortlink: https://sg.run/Gdj0z semgrep.dev: rule: r_id: 144292 rv_id: 920144 rule_id: j2UgdG1 version_id: nWTnNPQ url: https://semgrep.dev/playground/r/nWTnNPQ/gitlab.bandit.B611-1 origin: community languages: - python severity: ERROR mode: taint pattern-sources: - patterns: - pattern: $PARAM - pattern-inside: "def $VIEW(...,$PARAM,...):\n ...\n return ... \n" pattern-sinks: - patterns: - pattern: $QUERY - pattern-inside: $MODEL.objects.raw($QUERY, ... ) - id: gitlab.bandit.B611-2 languages: - python message: "SQL Injections are a critical type of vulnerability that can lead to data or system compromise. By \ndynamically generating SQL query strings, user input may be able to influence the logic of the SQL \nstatement. This could lead to an adversary accessing information they should not have access to, or in\nsome circumstances, being able to execute OS functionality or code.\n\nReplace all dynamically generated SQL queries with parameterized queries. In situations where dynamic \nqueries must be created, never use direct user input, but instead use a map or dictionary of valid values \nand resolve them using a user supplied key.\n\nFor example, some database drivers do not allow parameterized queries for `>` or `<` comparison operators. \nIn these cases, do not use a user supplied `>` or `<` value, but rather have the user supply a `gt` or `lt` \nvalue. The alphabetical values are then used to look up the `>` and `<` values to be used in the \nconstruction of the dynamic query. The same goes for other queries where column or table names are required \nbut cannot be parameterized.\n\nTo remediate this issue, do not use `raw` or `RawSQL` but use other `QuerySet` methods to achieve the same\ngoals. If for some reason this is not feasible, ensure calls including user-supplied data pass it in to \nthe `params` parameter of the `RawSQL` method.\n\nWhile not recommended due to [potential SQL Injection](https://docs.djangoproject.com/en/5.0/ref/models/expressions/#raw-sql-expressions), below is an example using `RawSQL`.\nPassing in user-supplied data as a `param` which will escape the input:\n\n```\n# If dealing with integer based user input, restrict the values to integers only using the\n# path configuration: path('/someview/', views.some_view, name='someview'),\n\n# views.py\ndef some_view(request, user_supplied_id):\n \ # Never use string interpolation in the `sql` parameter.\n # Never quote the `%s` string format such as `... where id='%s'` as this could lead to SQL Injection.\n \ # Pass the user supplied data only in the `params` parameter.\n for obj in DBObject.objects.all().annotate(\n val=RawSQL(sql=\"select id from some_secondary_table where id=%s\", params=[user_supplied_id])):\n # Work with the results from the query\n # ...\n```\n\nFor more information on QuerySets see:\n- https://docs.djangoproject.com/en/4.2/ref/models/querysets/#queryset-api\n\nFor more information on SQL Injection see OWASP:\n- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html\n" metadata: cwe: CWE-89 owasp: - A1:2017-Injection - A03:2021-Injection category: security shortDescription: Improper neutralization of special elements used in an SQL Command ('SQL Injection') security-severity: CRITICAL primary_identifier: bandit.B611 secondary_identifiers: - name: Bandit Test ID B611 type: bandit_test_id value: B611 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B611-2 shortlink: https://sg.run/Redjv semgrep.dev: rule: r_id: 144293 rv_id: 920145 rule_id: 10UO6J3 version_id: ExT1WNv url: https://semgrep.dev/playground/r/ExT1WNv/gitlab.bandit.B611-2 origin: community mode: taint pattern-sources: - patterns: - pattern: $PARAM - pattern-inside: | def $VIEW(...,$PARAM,...): ... return ... pattern-sinks: - patterns: - pattern: $QUERY - pattern-inside: django.db.models.expressions.RawSQL($QUERY, ... ) severity: ERROR - id: gitlab.bandit.B612 languages: - python message: | The application was found calling the `logging.config.listen`` function, which provides the ability to listen for external configuration files over a socket server. This listen socket parses part of the configuration and calls `eval` on the supplied configuration file. A local user, or an adversary who is able to exploit a Server Side Request Forgery (SSRF) attack to communicate over localhost, would be able to execute arbitrary code by passing in a logging config that contains python code. To remediate the issue, remove the call to `logging.config.listen` method. For more information on the listen functionality see: - https://docs.python.org/3/library/logging.config.html#logging.config.listen metadata: cwe: CWE-94 shortDescription: Improper control of generation of code ('Code Injection') category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: High primary_identifier: bandit.B612 secondary_identifiers: - name: Bandit Test ID B612 type: bandit_test_id value: B612 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B612 shortlink: https://sg.run/GBEn semgrep.dev: rule: r_id: 47604 rv_id: 920122 rule_id: d8UN2B version_id: YDTYbvy url: https://semgrep.dev/playground/r/YDTYbvy/gitlab.bandit.B612 origin: community patterns: - pattern: logging.config.listen(...) severity: WARNING - id: gitlab.eslint.detect-new-buffer languages: - javascript - typescript patterns: - patterns: - pattern-not-inside: |- require("safe-buffer") ... - pattern-not-inside: |- import { Buffer } from "safe-buffer" ... - pattern-inside: function $FUNC(..., $X, ...) { ... } - pattern: new Buffer($X,...) - pattern-not: | new Buffer("...",...) - pattern-not: | new Buffer([...] , ...) message: | The application was found calling the `new Buffer` constructor which has been deprecated since Node 8. By passing in a non-literal value, an adversary could allocate large amounts of memory. Other issues also exist with the `Buffer` constructor: - Older versions would return uninitialized memory, which could contain sensitive information - Unable to easily determine what a Buffer contained if passed a non-literal value To remediate this issue, use `Buffer.alloc` or `Buffer.from` instead to allocate a new `Buffer`. Example using `Buffer.alloc` instead of `new Buffer(...)`: ``` // Create a new buffer using Buffer.from const buf = Buffer.from([1, 2, 3, 4]); // Work with buf ``` For more information on migrating to `Buffer.from()`/`Buffer.alloc()` see: - https://nodejs.org/en/docs/guides/buffer-constructor-deprecation metadata: shortDescription: Allocation of resources without limits or throttling cwe: CWE-770 category: security owasp: - A9:2017-Using Components with Known Vulnerabilities - A06:2021-Vulnerable and Outdated Components source-rule-url: https://github.com/eslint-community/eslint-plugin-security/blob/main/rules/detect-new-buffer.js security-severity: Medium primary_identifier: eslint.detect-new-buffer secondary_identifiers: - name: ESLint rule ID/detect-new-buffer type: eslint_rule_id value: detect-new-buffer license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.eslint.detect-new-buffer shortlink: https://sg.run/BJ85 semgrep.dev: rule: r_id: 47607 rv_id: 920148 rule_id: EwU5PB version_id: 8KTvl9L url: https://semgrep.dev/playground/r/8KTvl9L/gitlab.eslint.detect-new-buffer origin: community severity: WARNING - id: gitlab.find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION-1 pattern-either: - pattern: | $RUNVAR = new RuntimePermission("createClassLoader"); ... (PermissionCollection $PC).add($RUNVAR); - pattern: | $REFVAR = new ReflectPermission("suppressAccessChecks"); ... (PermissionCollection $PC).add($REFVAR); - pattern: (PermissionCollection $PC).add(new ReflectPermission("suppressAccessChecks")) - pattern: (PermissionCollection $PC).add(new RuntimePermission("createClassLoader")) languages: - java message: | The application was found to permit the `RuntimePermission` of `createClassLoader`, `ReflectPermission` of `suppressAccessChecks`, or both. By granting the `RuntimePermission` of `createClassLoader`, a compromised application could instantiate their own class loaders and load arbitrary classes. By granting the `ReflectPermission` of `suppressAccessChecks` an application will no longer check Java language access checks on fields and methods of a class. This will effectively grant access to protected and private members. For more information on `RuntimePermission` see: https://docs.oracle.com/javase/8/docs/api/java/lang/RuntimePermission.html For more information on `ReflectPermission` see: https://docs.oracle.com/javase/8/docs/api/java/lang/reflect/ReflectPermission.html metadata: shortDescription: Improper privilege management category: security cwe: CWE-269 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control confidence: HIGH security-severity: Medium primary_identifier: find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION-1 secondary_identifiers: - name: Find Security Bugs-DANGEROUS_PERMISSION_COMBINATION type: find_sec_bugs_type value: DANGEROUS_PERMISSION_COMBINATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION-1 shortlink: https://sg.run/2kN5 semgrep.dev: rule: r_id: 21219 rv_id: 920193 rule_id: 0oUpO1 version_id: gETkXOL url: https://semgrep.dev/playground/r/gETkXOL/gitlab.find_sec_bugs.DANGEROUS_PERMISSION_COMBINATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 languages: - java patterns: - pattern: java.sql.DriverManager.getConnection($URI, $USR, "..."); message: | A potential hard-coded password was identified in a database connection string. Passwords should not be stored directly in code but loaded from secure locations such as a Key Management System (KMS). The purpose of using a Key Management System is so access can be audited and keys easily rotated in the event of a breach. By hardcoding passwords, it will be extremely difficult to determine when or if, a key is compromised. The recommendation on which KMS to use depends on the environment the application is running in: - For Google Cloud Platform consider [Cloud Key Management](https://cloud.google.com/kms/docs) - For Amazon Web Services consider [AWS Key Management](https://aws.amazon.com/kms/) - For on premise or other alternatives to cloud providers, consider [Hashicorp's Vault](https://www.vaultproject.io/) - For other cloud providers, please see their documentation severity: ERROR metadata: shortDescription: Use of hard-coded password category: security cwe: CWE-259 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures technology: - java security-severity: Critical primary_identifier: find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 secondary_identifiers: - name: Find Security Bugs-DMI_CONSTANT_DB_PASSWORD type: find_sec_bugs_type value: DMI_CONSTANT_DB_PASSWORD - name: Find Security Bugs-HARD_CODE_PASSWORD type: find_sec_bugs_type value: HARD_CODE_PASSWORD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 shortlink: https://sg.run/qZAx semgrep.dev: rule: r_id: 21212 rv_id: 920190 rule_id: 5rUN5O version_id: 7ZTbRnP url: https://semgrep.dev/playground/r/7ZTbRnP/gitlab.find_sec_bugs.DMI_CONSTANT_DB_PASSWORD-1.HARD_CODE_PASSWORD-3 origin: community - id: gitlab.find_sec_bugs_kotlin.PADDING_ORACLE-1 languages: - kotlin message: | This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposed the difference between plaintext with invalid padding or valid padding. The distinction between valid and invalid padding is usually revealed through distinct error messages being returned for each condition. severity: ERROR metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - java security-severity: CRITICAL primary_identifier: find_sec_bugs.PADDING_ORACLE-1 secondary_identifiers: - name: Find Security Bugs-PADDING_ORACLE type: find_sec_bugs_type value: PADDING_ORACLE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.PADDING_ORACLE-1 shortlink: https://sg.run/6JGoj semgrep.dev: rule: r_id: 144315 rv_id: 920406 rule_id: 4bUR4Kn version_id: DkT2y7R url: https://semgrep.dev/playground/r/DkT2y7R/gitlab.find_sec_bugs_kotlin.PADDING_ORACLE-1 origin: community patterns: - pattern: javax.crypto.Cipher.getInstance($TRANSFORMATION) - metavariable-regex: metavariable: $TRANSFORMATION regex: ^"[^/]*/CBC/PKCS5Padding - metavariable-pattern: metavariable: $TRANSFORMATION patterns: - pattern-not-regex: ^"(RSA|ECIES)/ - id: gitlab.find_sec_bugs_kotlin.PERMISSIVE_CORS-2 languages: - kotlin message: | Prior to HTML5, Web browsers enforced the Same Origin Policy which ensures that in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. HTML5 makes it possible for JavaScript to access data across domains if a new HTTP header called Access-Control-Allow-Origin is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. severity: ERROR metadata: shortDescription: Permissive cross-domain policy with untrusted domains cwe: CWE-942 category: security owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.PERMISSIVE_CORS-2 secondary_identifiers: - name: Find Security Bugs-PERMISSIVE_CORS type: find_sec_bugs_type value: PERMISSIVE_CORS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.PERMISSIVE_CORS-2 shortlink: https://sg.run/WAd5z semgrep.dev: rule: r_id: 144309 rv_id: 920400 rule_id: 7KUg0J4 version_id: JdToRK6 url: https://semgrep.dev/playground/r/JdToRK6/gitlab.find_sec_bugs_kotlin.PERMISSIVE_CORS-2 origin: community mode: taint pattern-sources: - pattern: '($REQ: HttpServletRequest).getParameter(...)' - pattern: '($REQ: HttpServletRequest).getHeader(...)' - pattern: '($REQ: HttpServletRequest).getPathInfo()' - pattern: '($REQ: HttpServletRequest).getQueryString()' - pattern: '($REQ: HttpServletRequest).getAttribute(...)' - pattern: '($REQ: HttpServletRequest).getSession().getAttribute(...)' - pattern: '($REQ: HttpServletRequest).getServletContext().getAttribute(...)' - pattern: '($REQ: HttpServletRequest).getParameterValues(...)' - pattern: '($REQ: HttpServletRequest).getParameterNames()' - pattern: '($REQ: HttpServletRequest).getParameterMap()' pattern-sinks: - patterns: - pattern-either: - pattern: '($RES: HttpServletResponse).setHeader("$HEADER", ...)' - pattern: '($RES: HttpServletResponse).addHeader("$HEADER", ...)' - metavariable-regex: metavariable: $HEADER regex: (?i)(Access-Control-Allow-Origin) - id: gitlab.find_sec_bugs_kotlin.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 languages: - kotlin message: | Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. metadata: shortDescription: Files or directories accessible to external parties category: security cwe: CWE-552 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 secondary_identifiers: - name: Find Security Bugs-REQUESTDISPATCHER_FILE_DISCLOSURE type: find_sec_bugs_type value: REQUESTDISPATCHER_FILE_DISCLOSURE - name: Find Security Bugs-STRUTS_FILE_DISCLOSURE type: find_sec_bugs_type value: STRUTS_FILE_DISCLOSURE - name: Find Security Bugs-SPRING_FILE_DISCLOSURE type: find_sec_bugs_type value: SPRING_FILE_DISCLOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 shortlink: https://sg.run/Or36b semgrep.dev: rule: r_id: 144331 rv_id: 920422 rule_id: 5rUdWl9 version_id: K3TwL3E url: https://semgrep.dev/playground/r/K3TwL3E/gitlab.find_sec_bugs_kotlin.REQUESTDISPATCHER_FILE_DISCLOSURE-1.STRUTS_FILE_DISCLOSURE-1.SPRING_FILE_DISCLOSURE-1 origin: community severity: ERROR mode: taint pattern-sinks: - patterns: - pattern: org.springframework.web.servlet.ModelAndView($FST); - pattern: $FST - patterns: - pattern: org.springframework.web.servlet.ModelAndView($FST, $SND); - pattern: $FST - patterns: - pattern: org.springframework.web.servlet.ModelAndView($FST, $SND, $TRD); - pattern: $FST - patterns: - pattern: org.apache.struts.action.ActionForward($FST) - pattern: $FST - patterns: - pattern: org.apache.struts.action.ActionForward($FST, $SND) - pattern: $FST - patterns: - pattern: org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $SND - patterns: - pattern: org.apache.struts.action.ActionForward($FST, $SND, $TRD) - pattern: $TRD - patterns: - pattern-inside: | $ACTION = org.apache.struts.action.ActionForward(); ... - pattern: $ACTION.setPath(...) - patterns: - pattern-inside: | $MVC = org.springframework.web.servlet.ModelAndView(); ... - pattern: $MVC.setViewName(...); - patterns: - pattern-inside: | $REQ = $HTTP.getRequestDispatcher(...); ... - pattern-either: - pattern: $REQ.include($FST, $SND) - pattern: $REQ.forward($FST, $SND) pattern-sources: - pattern: '($VAR: javax.servlet.http.HttpServletRequest).getParameter(...)' - id: gitlab.find_sec_bugs_kotlin.RSA_KEY_SIZE-1 languages: - kotlin message: | Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.RSA_KEY_SIZE-1 secondary_identifiers: - name: Find Security Bugs-RSA_KEY_SIZE type: find_sec_bugs_type value: RSA_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.RSA_KEY_SIZE-1 shortlink: https://sg.run/pKJQR semgrep.dev: rule: r_id: 144318 rv_id: 920409 rule_id: 5rUdWK5 version_id: K3TwL38 url: https://semgrep.dev/playground/r/K3TwL38/gitlab.find_sec_bugs_kotlin.RSA_KEY_SIZE-1 origin: community severity: WARNING patterns: - pattern-either: - patterns: - pattern-inside: | $GEN = KeyPairGenerator.getInstance($ALG, ...); ... - pattern-either: - pattern: $VAR.initialize($SIZE, ...); - pattern: java.security.spec.RSAKeyGenParameterSpec($SIZE,...); - metavariable-comparison: comparison: $SIZE < 2048 metavariable: $SIZE - metavariable-regex: metavariable: $ALG regex: '"(RSA|DSA)"' - id: gitlab.find_sec_bugs_kotlin.RSA_NO_PADDING-1 languages: - kotlin message: | The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. metadata: shortDescription: Use of RSA algorithm without OAEP category: security cwe: CWE-780 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.RSA_NO_PADDING-1 secondary_identifiers: - name: Find Security Bugs-RSA_NO_PADDING type: find_sec_bugs_type value: RSA_NO_PADDING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.RSA_NO_PADDING-1 shortlink: https://sg.run/X5d4e semgrep.dev: rule: r_id: 144320 rv_id: 920411 rule_id: ReUDJWO version_id: l4TXD12 url: https://semgrep.dev/playground/r/l4TXD12/gitlab.find_sec_bugs_kotlin.RSA_NO_PADDING-1 origin: community severity: WARNING pattern-either: - patterns: - pattern: | $VAR = "$ALG"; ... javax.crypto.Cipher.getInstance($VAR); - metavariable-regex: metavariable: $ALG regex: .*RSA.*NoPadding.* - patterns: - pattern: javax.crypto.Cipher.getInstance($ALG,...); - metavariable-regex: metavariable: $ALG regex: .*RSA.*NoPadding.* - id: gitlab.find_sec_bugs_kotlin.SPRING_CSRF_PROTECTION_DISABLED-1 languages: - kotlin message: | The application fails to protect against Cross-Site Request Forgery (CSRF) due to disabling Spring's CSRF protection features. metadata: shortDescription: Cross-Site Request Forgery (CSRF) category: security cwe: CWE-352 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: MEDIUM primary_identifier: find_sec_bugs.SPRING_CSRF_PROTECTION_DISABLED-1 secondary_identifiers: - name: Find Security Bugs-SPRING_CSRF_PROTECTION_DISABLED type: find_sec_bugs_type value: SPRING_CSRF_PROTECTION_DISABLED license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SPRING_CSRF_PROTECTION_DISABLED-1 shortlink: https://sg.run/yyKZd semgrep.dev: rule: r_id: 144324 rv_id: 920415 rule_id: WAUWB5o version_id: GxToXBb url: https://semgrep.dev/playground/r/GxToXBb/gitlab.find_sec_bugs_kotlin.SPRING_CSRF_PROTECTION_DISABLED-1 origin: community severity: WARNING pattern-either: - pattern: '($H: org.springframework.security.config.annotation.web.builders.HttpSecurity). ... .csrf().disable()' - pattern: '($C: CsrfConfigurer).disable()' - id: gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-1 languages: - kotlin message: | A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middleattacks attacks since the client will trust any certificate. metadata: shortDescription: Improper certificate validation category: security cwe: CWE-295 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.SSL_CONTEXT-1 secondary_identifiers: - name: Find Security Bugs-SSL_CONTEXT type: find_sec_bugs_type value: SSL_CONTEXT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-1 shortlink: https://sg.run/10wNQ semgrep.dev: rule: r_id: 144322 rv_id: 920413 rule_id: BYUXqjx version_id: JdToRK2 url: https://semgrep.dev/playground/r/JdToRK2/gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-1 origin: community severity: WARNING patterns: - pattern-either: - pattern: org.apache.http.impl.client.DefaultHttpClient() - pattern: javax.net.ssl.SSLContext.getInstance("SSL") - id: gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-2 languages: - kotlin message: | The application was found enabling insecure TLS protocol versions. When enabling protocol versions for an `SSLContext`, only the following versions should be allowed: - TLSv1.2 - TLSv1.3 - DTLSv1.2 - DTLSv1.3 To mitigate potential security risks, it is strongly advised to enforce TLS 1.2 as the minimum protocol version and disallow older versions such as TLS 1.0. Do note that newer versions of Java do not even support TLS 1.0 and will throw `NoSuchAlgorithmException`. Versions of TLS prior to 1.2 could expose the connection to downgrade attacks, where an adversary intercepts the connection and alters the requested protocol version to be a less secure one. In many scenarios, relying on the default system configuration does not meet compliance standards. This is due to the application being deployed across diverse systems with varying configurations and Java versions. While the default value may be secure on modern and up-to-date systems, it may not hold true for older systems. Consequently, it is highly recommended to explicitly define a secure configuration in all cases. Example configuring an SSLContext with TLSv1.2: ``` // Create an SSLContext with TLSv1.2 explicitly SSLContext tlsContext = SSLContext.getInstance("TLSv1.2"); // or TLSv1.3, DTLSv1.2, DTLSv1.3 // Alternatively, set the enabled protocols SSLContext serverSslContext = SSLContext.getInstance("TLS"); SSLEngine serverEngine = serverSslContext.createSSLEngine(); // Calling setEnabledProtocols will override the original context's configured protocol version serverEngine.setEnabledProtocols(new String[]{ "TLSv1.2" }); ``` For more information on `SSLContext` see: - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/net/ssl/SSLContext.html For more information on MiTM attacks see: - https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack metadata: shortDescription: Inadequate encryption strength category: security cwe: CWE-326 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.SSL_CONTEXT-2 secondary_identifiers: - name: Find Security Bugs-SSL_CONTEXT type: find_sec_bugs_type value: SSL_CONTEXT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-2 shortlink: https://sg.run/9ABgR semgrep.dev: rule: r_id: 144323 rv_id: 920414 rule_id: DbU6lo9 version_id: 5PTNGEx url: https://semgrep.dev/playground/r/5PTNGEx/gitlab.find_sec_bugs_kotlin.SSL_CONTEXT-2 origin: community severity: WARNING patterns: - pattern-either: - pattern-inside: | import javax.net.ssl.*; ... - pattern-inside: | import javax.net.ssl.SSLContext; ... - pattern-either: - pattern-inside: | SSLContext.getInstance("$UNSAFE_VERSION"); - pattern-inside: | SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(arrayOf(...,"$UNSAFE_VERSION",...)); - pattern-not: patterns: - pattern-inside: | $C = SSLContext.getInstance(...); ... $ENGINE.setEnabledProtocols(arrayOf(...,"$DT_GOODNESS",...)); - metavariable-regex: metavariable: $DT_GOODNESS regex: ^D?TLSv1\.[23]$ - pattern-not: patterns: - pattern-inside: | $C = SSLContext.getInstance(...); ... $E = $C.createSSLEngine() ... $E.enabledProtocols = arrayOf(...,"$DT_GOODNESS",...) - metavariable-regex: metavariable: $DT_GOODNESS regex: ^DTLSv1\.[23]$ - metavariable-regex: metavariable: $UNSAFE_VERSION regex: ^(TLS|(D)?TLSv1.(0|1))$ - id: gitlab.find_sec_bugs_kotlin.TDES_USAGE-1 languages: - kotlin message: | Triple DES (also known as 3DES or DESede) is considered strong ciphers for modern applications. NIST recommends the usage of AES block ciphers instead of 3DES. severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm category: security cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.TDES_USAGE-1 secondary_identifiers: - name: Find Security Bugs-TDES_USAGE type: find_sec_bugs_type value: TDES_USAGE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.TDES_USAGE-1 shortlink: https://sg.run/qN5Q8 semgrep.dev: rule: r_id: 144312 rv_id: 920403 rule_id: gxU3dv7 version_id: RGT2x9A url: https://semgrep.dev/playground/r/RGT2x9A/gitlab.find_sec_bugs_kotlin.TDES_USAGE-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance($ALG, ...) - metavariable-regex: metavariable: $ALG regex: (?i)^"DESede(/|"$) - id: gitlab.find_sec_bugs_kotlin.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 languages: - kotlin message: | Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. metadata: category: security cwe: CWE-601 owasp: - A1:2017-Injection - A03:2021-Injection shortDescription: URL redirection to untrusted site ('Open Redirect') security-severity: CRITICAL primary_identifier: find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 secondary_identifiers: - name: Find Security Bugs-UNVALIDATED_REDIRECT type: find_sec_bugs_type value: UNVALIDATED_REDIRECT - name: Find Security Bugs-URL_REWRITING type: find_sec_bugs_type value: URL_REWRITING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 shortlink: https://sg.run/r6GbA semgrep.dev: rule: r_id: 144325 rv_id: 920416 rule_id: 0oULNkE version_id: RGT2x9W url: https://semgrep.dev/playground/r/RGT2x9W/gitlab.find_sec_bugs_kotlin.UNVALIDATED_REDIRECT-1.URL_REWRITING-1 origin: community severity: ERROR mode: taint pattern-sources: - patterns: - pattern: | $URL = ($REQ: $X.servlet.http.HttpServletRequest).$M(...); - metavariable-regex: metavariable: $M regex: (getParameter|getCookies|getHeader|getHeaders|getHeaderNames|getPathInfo|getPathTranslated|getContextPath|getQueryString|getRemoteUser|getRequestedSessionId|getRequestURI|getRequestURL|getServletPath|getParts|getPart|getReader) pattern-sinks: - pattern-either: - pattern: | ($RES: $X.servlet.http.HttpServletResponse).sendRedirect($URL) - pattern: | ($RES: $X.servlet.http.HttpServletResponse).addHeader("Location", $URL) pattern-sanitizers: - patterns: - pattern-inside: | if ($SAFE.contains($URL)){ ... } - pattern-either: - pattern: | ($RES: $X.servlet.http.HttpServletResponse).sendRedirect($URL) - pattern: | ($RES: $X.servlet.http.HttpServletResponse).addHeader("Location", $URL) - id: gitlab.find_sec_bugs_kotlin.WEAK_FILENAMEUTILS-1 languages: - kotlin message: | A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: MEDIUM technology: - kotlin category: security primary_identifier: find_sec_bugs.WEAK_FILENAMEUTILS-1 secondary_identifiers: - name: Find Security Bugs-WEAK_FILENAMEUTILS type: find_sec_bugs_type value: WEAK_FILENAMEUTILS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.WEAK_FILENAMEUTILS-1 shortlink: https://sg.run/kxd2z semgrep.dev: rule: r_id: 144328 rv_id: 920419 rule_id: lBU4kqW version_id: DkT2y7P url: https://semgrep.dev/playground/r/DkT2y7P/gitlab.find_sec_bugs_kotlin.WEAK_FILENAMEUTILS-1 origin: community severity: WARNING patterns: - pattern-inside: | import org.apache.commons.io.FilenameUtils ... - pattern-either: - pattern: normalize(...) - pattern: getExtension(...) - pattern: isExtensions(...) - pattern: getName(...) - pattern: getBaseName(...) - pattern: org.apache.commons.io.FilenameUtils.normalize(...) - pattern: org.apache.commons.io.FilenameUtils.getExtension(...) - pattern: org.apache.commons.io.FilenameUtils.isExtensions(...) - pattern: org.apache.commons.io.FilenameUtils.getName(...) - pattern: org.apache.commons.io.FilenameUtils.getBaseName(...) - id: gitlab.find_sec_bugs_kotlin.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 languages: - kotlin message: | A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. metadata: category: security cwe: CWE-295 shortDescription: Improper Certificate Validation security-severity: MEDIUM primary_identifier: find_sec_bugs.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 secondary_identifiers: - name: Find Security Bugs-WEAK_HOSTNAME_VERIFIER type: find_sec_bugs_type value: WEAK_HOSTNAME_VERIFIER - name: Find Security Bugs-WEAK_TRUST_MANAGER type: find_sec_bugs_type value: WEAK_TRUST_MANAGER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 shortlink: https://sg.run/bwd0r semgrep.dev: rule: r_id: 144326 rv_id: 920417 rule_id: KxUvE9Y version_id: A8TNlp1 url: https://semgrep.dev/playground/r/A8TNlp1/gitlab.find_sec_bugs_kotlin.WEAK_HOSTNAME_VERIFIER-1.WEAK_TRUST_MANAGER-1 origin: community severity: WARNING patterns: - pattern-either: - patterns: - pattern-inside: | class $V : HostnameVerifier { ... } - pattern: | fun verify(...): Boolean { return true } - patterns: - pattern-inside: | class $V : X509TrustManager { ... } - pattern-either: - pattern: fun checkClientTrusted(...) {} - pattern: fun checkServerTrusted(...) {} - pattern: 'fun getAcceptedIssuers(): Array? {return null}' - id: gitlab.find_sec_bugs_kotlin.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 languages: - kotlin message: | DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. severity: WARNING metadata: shortDescription: Use of a broken or risky cryptographic algorithm (SHA1/MD5) category: security cwe: CWE-327 owasp: - A6:2017-Security Misconfiguration - A04:2021-Insecure Design technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 secondary_identifiers: - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_MD5 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_MD5 - name: Find Security Bugs-WEAK_MESSAGE_DIGEST_SHA1 type: find_sec_bugs_type value: WEAK_MESSAGE_DIGEST_SHA1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 shortlink: https://sg.run/j2Lp2 semgrep.dev: rule: r_id: 144321 rv_id: 920412 rule_id: AbU9DP9 version_id: YDTYb48 url: https://semgrep.dev/playground/r/YDTYb48/gitlab.find_sec_bugs_kotlin.WEAK_MESSAGE_DIGEST_MD5-1.WEAK_MESSAGE_DIGEST_SHA1-1 origin: community patterns: - pattern-either: - pattern: MessageDigest.getInstance($ALG, ...) - pattern: Signature.getInstance($ALG, ...) - metavariable-regex: metavariable: $ALG regex: .*(MD5|MD4|MD2|SHA1|SHA-1).* - id: gitlab.find_sec_bugs.MODIFICATION_AFTER_VALIDATION-1 languages: - java patterns: - pattern: | (java.util.regex.Pattern $Y).matcher($VAR); ... $VAR.$METHOD(...); - metavariable-regex: metavariable: $METHOD regex: (replace|replaceAll|replaceFirst|concat) message: |+ The application was found matching a variable during a regular expression pattern match, and then calling string modification functions after validation has occurred. This is usually indicative of a poor input validation strategy as an adversary may attempt to exploit the removal of characters. For example a common mistake in attempting to remove path characters to protect against path traversal is to match '../' and then remove any matches. However, if an adversary were to include in their input: '....//' then the `replace` method would replace the first `../` but cause the leading `..` and trailing `/` to join into the final string of `../`, effectively bypassing the check. To remediate this issue always perform string modifications before any validation of a string. It is strongly recommended that strings be encoded instead of replaced or removed prior to validation. Example replaces `..` before validation. Do note this is still not a recommended method for protecting against directory traversal, always use randomly generated IDs or filenames instead: ``` // This is ONLY for demonstration purpose, never use untrusted input // in paths, always use randomly generated filenames or IDs. String input = "test../....//dir"; // Use replaceAll _not_ replace input = input.replaceAll("\\.\\.", ""); // Input would be test///dir at this point // Create a pattern to match on Pattern pattern = Pattern.compile("\\.\\."); // Create a matcher Matcher match = pattern.matcher(input); // Call find to see if .. is still in our string if (match.find()) { throw new Exception(".. detected"); } // Use the input (but do not modify the string) System.out.println(input + " safe"); ``` For more information see Carnegie Mellon University's Secure Coding Guide: https://wiki.sei.cmu.edu/confluence/display/java/IDS11-J.+Perform+any+string+modifications+before+validation metadata: shortDescription: Collapse of data into unsafe value category: security cwe: CWE-182 confidence: HIGH owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Info primary_identifier: find_sec_bugs.MODIFICATION_AFTER_VALIDATION-1 secondary_identifiers: - name: Find Security Bugs-MODIFICATION_AFTER_VALIDATION type: find_sec_bugs_type value: MODIFICATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.MODIFICATION_AFTER_VALIDATION-1 shortlink: https://sg.run/O4Yp semgrep.dev: rule: r_id: 21231 rv_id: 920202 rule_id: 10U4xJ version_id: A8TNlXD url: https://semgrep.dev/playground/r/A8TNlXD/gitlab.find_sec_bugs.MODIFICATION_AFTER_VALIDATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.NORMALIZATION_AFTER_VALIDATION-1 patterns: - pattern: | $Y = java.util.regex.Pattern.compile("[<>]"); ... $Y.matcher($VAR); ... java.text.Normalizer.normalize($VAR, ...); languages: - java message: | The application was found matching a variable during a regular expression pattern match, and then calling a Unicode normalize function after validation has occurred. This is usually indicative of a poor input validation strategy as an adversary may attempt to exploit the normalization process. To remediate this issue, always perform Unicode normalization before any validation of a string. Example of normalizing a string before validation: ``` // User input possibly containing malicious unicode String userInput = "\uFE64" + "tag" + "\uFE65"; // Normalize the input userInput = Normalizer.normalize(userInput, Normalizer.Form.NFKC); // Compile our regex pattern looking for < or > characters Pattern pattern = Pattern.compile("[<>]"); // Create a matcher from the userInput Matcher matcher = pattern.matcher(userInput); // See if the matcher matches if (matcher.find()) { // It did so throw an error throw new Exception("found banned characters in input"); } ``` For more information see Carnegie Mellon University's Secure Coding Guide: https://wiki.sei.cmu.edu/confluence/display/java/IDS01-J.+Normalize+strings+before+validating+them metadata: shortDescription: 'Incorrect behavior order: validate before canonicalize' category: security cwe: CWE-180 confidence: HIGH owasp: - A1:2017-Injection - A03:2021-Injection security-severity: Info primary_identifier: find_sec_bugs.NORMALIZATION_AFTER_VALIDATION-1 secondary_identifiers: - name: Find Security Bugs-NORMALIZATION_AFTER_VALIDATION type: find_sec_bugs_type value: NORMALIZATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.NORMALIZATION_AFTER_VALIDATION-1 shortlink: https://sg.run/eJnl semgrep.dev: rule: r_id: 21232 rv_id: 920203 rule_id: 9AUAKN version_id: BjTKLpR url: https://semgrep.dev/playground/r/BjTKLpR/gitlab.find_sec_bugs.NORMALIZATION_AFTER_VALIDATION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-1 languages: - java patterns: - pattern-either: - pattern: java.nio.file.Files.setPosixFilePermissions(..., java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING")); - pattern: | $PERMISSIONS = java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING"); ... java.nio.file.Files.setPosixFilePermissions(..., $PERMISSIONS); - metavariable-regex: metavariable: $PERM_STRING regex: '[rwx-]{6}[rwx]{1,}' message: | The application was found setting file permissions to overly permissive values. Consider using the following values if the application user is the only process to access the file: - `r--` - read only access to the file - `w--` - write only access to the file - `rw-` - read/write access to the file Example setting read/write permissions for only the owner of a `Path`: ``` // Get a reference to the path Path path = Paths.get("/tmp/somefile"); // Create a PosixFilePermission set from java.nio.file.attribute Set permissions = java.nio.file.attribute.PosixFilePermissions.fromString("rw-------"); // Set the permissions java.nio.file.Files.setPosixFilePermissions(path, permissions); ``` For all other values please see: https://en.wikipedia.org/wiki/File-system_permissions#Symbolic_notation metadata: shortDescription: Incorrect permission assignment for critical resource cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security confidence: HIGH security-severity: Medium primary_identifier: find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-1 secondary_identifiers: - name: Find Security Bugs-OVERLY_PERMISSIVE_FILE_PERMISSION type: find_sec_bugs_type value: OVERLY_PERMISSIVE_FILE_PERMISSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-1 shortlink: https://sg.run/XW9A semgrep.dev: rule: r_id: 21220 rv_id: 920194 rule_id: KxUwyj version_id: QkT1NwL url: https://semgrep.dev/playground/r/QkT1NwL/gitlab.find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-1 origin: community severity: WARNING - id: gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1 languages: - java mode: taint pattern-sources: - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameter(...) - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterNames(); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterValues(...); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getParameterMap(); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getHeader(...); - pattern: (javax.servlet.http.HttpServletRequest $VAR).getPathInfo(); pattern-sinks: - patterns: - pattern-not-inside: | $VAL = $MAP.getOrDefault(..., "..."); ... - pattern-inside: | $REQ = $HTTP.getRequestDispatcher(...); ... - pattern-either: - pattern: $REQ.include($FST, $SND) - pattern: $REQ.forward($FST, $SND) message: | The `HttpRequest.getRequestDispatcher()`'s `include` and `forward` methods will return any file that is resolvable within the web application context. This includes the `web.xml` file, any compiled classes, `jsp` files, and additional JAR or WAR libraries that are accessible. Never pass user-supplied input directly to any of these methods. Use a lookup table or hardcode which views or paths the user should be directed to. Another option is to use a simple HTTP redirect by returning an empty response body with a 301 status code and a `Location` redirect header. In Java servlets, this can be done by using the `response.sendRedirect(...)` method. Example using a redirect instead of a `RequestDispatcher`: ``` // Create a look up table or pull from a data source HashMap lookupTable = new HashMap<>(); lookupTable.put("key1", "/Resource1"); lookupTable.put("key2", "/Resource2"); // Get user input String userInput = request.getParameter("key"); // Look up resource to redirect to from the user input String redirectValue = lookupTable.getOrDefault(userInput, "/Resource1"); // Redirect the user response.sendRedirect(redirectValue); ``` metadata: shortDescription: Files or directories accessible to external parties category: security cwe: CWE-552 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: HIGH primary_identifier: find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1 secondary_identifiers: - name: Find Security Bugs-REQUESTDISPATCHER_FILE_DISCLOSURE type: find_sec_bugs_type value: REQUESTDISPATCHER_FILE_DISCLOSURE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1 shortlink: https://sg.run/Dbp3q semgrep.dev: rule: r_id: 144296 rv_id: 920183 rule_id: r6UydB8 version_id: O9Tv7dX url: https://semgrep.dev/playground/r/O9Tv7dX/gitlab.find_sec_bugs.REQUESTDISPATCHER_FILE_DISCLOSURE-1 origin: community severity: ERROR - id: gitlab.find_sec_bugs.SAML_IGNORE_COMMENTS-1 languages: - java message: "SAML parses attestations as an XML document. By processing XML comments, comment\nfields can end up modifying the interpretation of input fields. This could allow\nan adversary to insert an XML comment to break up the attestation's username\nor other fields, allowing an attacker to bypass authorization or authentication checks.\n\nTo remediate this issue, when using `org.opensaml.xml.parse.BasicParserPool` ensure\n`setIgnoreComments(false)` is not called.\n\nThe default value of `ignoreComments` is true, which is safe. \n\nRef:\n- https://javadoc.io/doc/org.opensaml/xmltooling/latest/org/opensaml/xml/parse/BasicParserPool.html#ignoreComments\n\nFor more information on how this issue can be exploited see:\nhttps://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability\n\nFor more information on SAML security see OWASP:\nhttps://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html\n" metadata: shortDescription: Improper authentication cwe: CWE-287 category: security owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: Medium primary_identifier: find_sec_bugs.SAML_IGNORE_COMMENTS-1 secondary_identifiers: - name: Find Security Bugs-SAML_IGNORE_COMMENTS type: find_sec_bugs_type value: SAML_IGNORE_COMMENTS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs.SAML_IGNORE_COMMENTS-1 shortlink: https://sg.run/EzGA semgrep.dev: rule: r_id: 21237 rv_id: 920206 rule_id: kxUOAp version_id: 0bTp3eb url: https://semgrep.dev/playground/r/0bTp3eb/gitlab.find_sec_bugs.SAML_IGNORE_COMMENTS-1 origin: community pattern: (org.opensaml.xml.parse.BasicParserPool $POOL).setIgnoreComments(false); severity: WARNING - id: gitlab.find_sec_bugs_scala.AWS_QUERY_INJECTION-1 languages: - scala message: | Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. metadata: category: security cwe: CWE-943 shortDescription: Improper Neutralization of Special Elements in Data Query Logic technology: - scala security-severity: Info primary_identifier: find_sec_bugs.AWS_QUERY_INJECTION secondary_identifiers: - name: Find Security Bugs-AWS_QUERY_INJECTION type: find_sec_bugs_type value: AWS_QUERY_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.AWS_QUERY_INJECTION-1 shortlink: https://sg.run/wyeY semgrep.dev: rule: r_id: 67973 rv_id: 920245 rule_id: PeUGZy version_id: nWTnN2j url: https://semgrep.dev/playground/r/nWTnN2j/gitlab.find_sec_bugs_scala.AWS_QUERY_INJECTION-1 origin: community mode: taint pattern-sinks: - pattern: new com.amazonaws.services.simpledb.model.SelectRequest($QUERY, ...); - patterns: - pattern-inside: | $DB.select(($SR: com.amazonaws.services.simpledb.model.SelectRequest).withSelectExpression($QUERY,...)); - pattern: $QUERY - metavariable-pattern: metavariable: $DB pattern-either: - pattern: '($DB: com.amazonaws.services.simpledb.AmazonSimpleDB)' - pattern: '($DB: com.amazonaws.services.simpledb.AmazonSimpleDBClient)' pattern-sources: - patterns: - pattern-inside: | def $FUNC(..., $REQ: HttpServletRequest, ...): $TYPE = { ... } - pattern: $REQ - patterns: - pattern-inside: | def $FUNC(..., $X: $TYPE, ...): $RET_TYPE = { ... $QUERY = <...$X...> ... } - pattern: $QUERY severity: ERROR - id: gitlab.find_sec_bugs_scala.BAD_HEXA_CONVERSION-1 languages: - scala message: | When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. metadata: category: security confidence: HIGH cwe: CWE-704 shortDescription: Incorrect Type Conversion or Cast security-severity: Medium primary_identifier: find_sec_bugs.BAD_HEXA_CONVERSION secondary_identifiers: - name: Find Security Bugs-BAD_HEXA_CONVERSION type: find_sec_bugs_type value: BAD_HEXA_CONVERSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.BAD_HEXA_CONVERSION-1 shortlink: https://sg.run/GKWB semgrep.dev: rule: r_id: 68004 rv_id: 920275 rule_id: eqUKvP version_id: 1QT4N22 url: https://semgrep.dev/playground/r/1QT4N22/gitlab.find_sec_bugs_scala.BAD_HEXA_CONVERSION-1 origin: community pattern-either: - pattern: | $B_ARR = ($MD: java.security.MessageDigest).digest(...); ... for(...) { ... Integer.toHexString(...); } - pattern: | $B_ARR = ($MD: java.security.MessageDigest).digest(...); ... while(...) { ... Integer.toHexString(...); } severity: WARNING - id: gitlab.find_sec_bugs_scala.BEAN_PROPERTY_INJECTION-1 languages: - scala message: | An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code. metadata: category: security cwe: CWE-15 shortDescription: External Control of System or Configuration Setting technology: - scala security-severity: Info primary_identifier: find_sec_bugs.BEAN_PROPERTY_INJECTION secondary_identifiers: - name: Find Security Bugs-BEAN_PROPERTY_INJECTION type: find_sec_bugs_type value: BEAN_PROPERTY_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.BEAN_PROPERTY_INJECTION-1 shortlink: https://sg.run/x31z semgrep.dev: rule: r_id: 67974 rv_id: 920246 rule_id: JDURyW version_id: ExT1WE7 url: https://semgrep.dev/playground/r/ExT1WE7/gitlab.find_sec_bugs_scala.BEAN_PROPERTY_INJECTION-1 origin: community patterns: - pattern-inside: 'def $FUNC(..., $REQ: HttpServletRequest, ...): $TYPE = { ... }' - pattern-either: - pattern: | $MAP.put(..., $REQ.getParameter(...)) ... $BEAN_UTIL.populate(..., $MAP) - pattern: | while (...) { ... $MAP.put(..., $REQ.getParameterValues(...). ...) } ... $BEAN_UTIL.populate(..., $MAP) - metavariable-pattern: metavariable: $BEAN_UTIL pattern-either: - pattern: (BeanUtilsBean $B) - pattern: new BeanUtilsBean() - pattern: org.apache.commons.beanutils.BeanUtils severity: ERROR - id: gitlab.find_sec_bugs_scala.BLOWFISH_KEY_SIZE-1 languages: - scala message: | A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. metadata: category: security cwe: CWE-326 shortDescription: Inadequate Encryption Strength technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.BLOWFISH_KEY_SIZE secondary_identifiers: - name: Find Security Bugs-BLOWFISH_KEY_SIZE type: find_sec_bugs_type value: BLOWFISH_KEY_SIZE license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.BLOWFISH_KEY_SIZE-1 shortlink: https://sg.run/ARvp semgrep.dev: rule: r_id: 67950 rv_id: 920222 rule_id: ZqUd5K version_id: l4TXDJz url: https://semgrep.dev/playground/r/l4TXDJz/gitlab.find_sec_bugs_scala.BLOWFISH_KEY_SIZE-1 origin: community patterns: - pattern-inside: | $KEYGEN = javax.crypto.KeyGenerator.getInstance("Blowfish", ...); ... $KEYGEN.init($KEY_SIZE); - metavariable-comparison: comparison: $KEY_SIZE < 128 metavariable: $KEY_SIZE severity: WARNING - id: gitlab.find_sec_bugs_scala.CIPHER_INTEGRITY-1 languages: - scala message: | The ciphertext produced is susceptible to alteration by an adversary. This mean that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. metadata: category: security cwe: CWE-353 shortDescription: Missing Support for Integrity Check technology: - scala security-severity: Medium primary_identifier: find_sec_bugs.CIPHER_INTEGRITY secondary_identifiers: - name: Find Security Bugs-CIPHER_INTEGRITY type: find_sec_bugs_type value: CIPHER_INTEGRITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.CIPHER_INTEGRITY-1 shortlink: https://sg.run/09Qv semgrep.dev: rule: r_id: 67954 rv_id: 920226 rule_id: L1UeyB version_id: zyTG3bG url: https://semgrep.dev/playground/r/zyTG3bG/gitlab.find_sec_bugs_scala.CIPHER_INTEGRITY-1 origin: community patterns: - pattern-inside: javax.crypto.Cipher.getInstance("...") - pattern-either: - pattern-regex: (/CBC/PKCS5Padding) - pattern-regex: (AES|DES(ede)?)(/ECB/*) - pattern-regex: (AES|DES(ede)?)(/CBC/*) - pattern-regex: (AES|DES(ede)?)(/OFB/*) - pattern-regex: (AES|DES(ede)?)(/CTR/*) - pattern-not-regex: .*/(CCM|CWC|OCB|EAX|GCM)/.* - pattern-not-regex: ^(RSA)/.* - pattern-not-regex: ^(ECIES)$ severity: ERROR - id: gitlab.find_sec_bugs_scala.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1 languages: - scala message: | The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution. metadata: category: security cwe: CWE-78 shortDescription: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') technology: - scala security-severity: Info primary_identifier: find_sec_bugs.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-COMMAND_INJECTION type: find_sec_bugs_type value: COMMAND_INJECTION - name: Find Security Bugs-SCALA_COMMAND_INJECTION type: find_sec_bugs_type value: SCALA_COMMAND_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_scala.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1 shortlink: https://sg.run/eALb semgrep.dev: rule: r_id: 67976 rv_id: 920248 rule_id: GdUX7G version_id: LjTzekv url: https://semgrep.dev/playground/r/LjTzekv/gitlab.find_sec_bugs_scala.COMMAND_INJECTION-1.SCALA_COMMAND_INJECTION-1 origin: community pattern-either: - patterns: - pattern-inside: | def $FUNC(..., $PARAM: String, ...): $TYPE = { ... } - pattern-inside: | val $RT = Runtime.getRuntime ... - pattern-either: - pattern: $RT.exec($PARAM) - pattern: | var $CMDARR = new Array[String]("$SHELL",...,$PARAM,...) ... $RT.exec($CMDARR,...) - pattern: $RT.exec(Array[String]("$SHELL",...,$PARAM,...), ...) - pattern: $RT.exec(java.util.String.format("...", ...,$PARAM,...)) - pattern: '$RT.exec(($A: String) + ($B: String))' - metavariable-regex: metavariable: $SHELL regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$ - pattern-not: $RT.exec("...","...","...",...) - pattern-not: $RT.exec(new Array[String]("...","...","...",...),...) - patterns: - pattern-inside: | def $FUNC(...,$PARAM: String, ...): $TYPE = { ... } - pattern-inside: | val $PB = new ProcessBuilder() ... - pattern-either: - pattern: $PB.command($PARAM,...) - patterns: - pattern-either: - pattern: $PB.command("$SHELL",...,$PARAM,...) - pattern: | var $CMDARR = java.util.Arrays.asList("$SHELL",...,$PARAM,...) ... $PB.command($CMDARR,...) - pattern: $PB.command(java.util.Arrays.asList("$SHELL",...,$PARAM,...),...) - pattern: $PB.command(java.util.String.format("...", ...,$PARAM,...)) - pattern: '$PB.command(($A: String) + ($B: String))' - metavariable-regex: metavariable: $SHELL regex: (/.../)?(sh|bash|ksh|csh|tcsh|zsh)$ - pattern-not: $PB.command("...","...","...",...) - pattern-not: | $PB.command(java.util.Arrays.asList("...","...","...",...)) severity: WARNING - id: trailofbits.jvm.mongo-hostname-verification-disabled.mongo-hostname-verification-disabled message: Found MongoDB client with SSL hostname verification disabled languages: - java - kotlin severity: WARNING metadata: category: security subcategory: - audit technology: - java - kotlin - mongodb cwe: 'CWE-295: Improper Certificate Validation' confidence: HIGH likelihood: HIGH impact: HIGH references: - https://www.mongodb.com/docs/drivers/java/sync/current/fundamentals/connection/tls/#disable-hostname-verification license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.jvm.mongo-hostname-verification-disabled.mongo-hostname-verification-disabled shortlink: https://sg.run/yyLqk semgrep.dev: rule: r_id: 113224 rv_id: 833288 rule_id: GdUvk46 version_id: 8KTGkn3 url: https://semgrep.dev/playground/r/8KTGkn3/trailofbits.jvm.mongo-hostname-verification-disabled.mongo-hostname-verification-disabled origin: community pattern: $SETTINGS.invalidHostNameAllowed(true) - id: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning message: If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency languages: - python severity: WARNING metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: HIGH likelihood: LOW impact: LOW technology: - pytorch description: '`PyTorch` memory not automatically pinned' references: - https://pytorch.org/docs/stable/data.html#memory-pinning license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning shortlink: https://sg.run/jz5N semgrep.dev: rule: r_id: 17165 rv_id: 833289 rule_id: WAUN1Z version_id: gETy20E url: https://semgrep.dev/playground/r/gETy20E/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning origin: community pattern-either: - patterns: - pattern: torch.utils.data.DataLoader(...) - pattern-not: torch.utils.data.DataLoader(..., pin_memory=$VALUE, ...) - pattern: torch.utils.data.DataLoader(..., pin_memory=False, ...) - id: trailofbits.python.lxml-in-pandas.lxml-in-pandas message: Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks languages: - python severity: ERROR metadata: category: security cwe: 'CWE-611: Improper Restriction of XML External Entity Reference' subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - pandas description: Potential XXE attacks from loading `lxml` in pandas references: - https://lxml.de/FAQ.html license: AGPL-3.0 license vulnerability_class: - XML Injection source: https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas shortlink: https://sg.run/1z1G semgrep.dev: rule: r_id: 17166 rv_id: 833290 rule_id: 0oUrdJ version_id: QkTkr22 url: https://semgrep.dev/playground/r/QkTkr22/trailofbits.python.lxml-in-pandas.lxml-in-pandas origin: community pattern-either: - patterns: - pattern: pandas.read_html($IO) - pattern-not: pandas.read_html(**$KWARGS) - patterns: - metavariable-pattern: metavariable: $FLAVOR patterns: - pattern: '...' - pattern-not: | "bs4" - pattern-not: | "html5lib" - pattern-either: - pattern: pandas.read_html(..., flavor=$FLAVOR, ...) - patterns: - pattern-inside: | $KWARGS = {..., "flavor": $FLAVOR, ...} ... - pattern: | pandas.read_html(**$KWARGS) - id: trailofbits.python.numpy-distutils.numpy-distutils message: NumPy distutils is deprecated, and will be removed in the future languages: - python severity: WARNING metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: LOW technology: - numpy description: Use of deprecated `numpy.distutils` references: - https://numpy.org/doc/stable/reference/distutils.html license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.numpy-distutils.numpy-distutils shortlink: https://sg.run/rqGP semgrep.dev: rule: r_id: 43925 rv_id: 833292 rule_id: GdUgN8 version_id: 44TQP8Y url: https://semgrep.dev/playground/r/44TQP8Y/trailofbits.python.numpy-distutils.numpy-distutils origin: community patterns: - pattern: | import numpy.distutils - id: trailofbits.python.numpy-f2py-compile.numpy-f2py-compile message: Compiling arbitrary code can result in code execution. Ensure the source code is from a trusted location languages: - python severity: ERROR metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - numpy description: Potential arbitrary code execution from `NumPy` `f2py` compilation references: - https://numpy.org/doc/stable/f2py/usage.html license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.numpy-f2py-compile.numpy-f2py-compile shortlink: https://sg.run/bEdP semgrep.dev: rule: r_id: 43926 rv_id: 833293 rule_id: ReUdJ0 version_id: PkTxrbE url: https://semgrep.dev/playground/r/PkTxrbE/trailofbits.python.numpy-f2py-compile.numpy-f2py-compile origin: community patterns: - pattern: numpy.f2py.compile(...) - pattern-not: numpy.f2py.compile("...", ...) - id: trailofbits.python.msgpack-numpy.msgpack-numpy message: Found usage of msgpack-numpy unpacking, which relies on pickle to deserialize numpy arrays containing objects. Functions reliant on pickle can result in arbitrary code execution. Consider switching to a safer serialization method. languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - numpy description: Potential arbitrary code execution from functions reliant on pickling references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.msgpack-numpy.msgpack-numpy shortlink: https://sg.run/r6pr1 semgrep.dev: rule: r_id: 124725 rv_id: 833291 rule_id: GdUvWBy version_id: 3ZT3Abe url: https://semgrep.dev/playground/r/3ZT3Abe/trailofbits.python.msgpack-numpy.msgpack-numpy origin: community pattern-either: - patterns: - pattern: msgpack.$FN(...) - metavariable-regex: metavariable: $FN regex: (loads?|dumps?|packb?|unpackb?) - pattern-inside: | msgpack_numpy.patch() ... - patterns: - pattern: msgpack.$FN(..., object_hook=msgpack_numpy.decode, ...) - metavariable-regex: metavariable: $FN regex: unpackb? - patterns: - pattern: msgpack.$FN(..., default=msgpack_numpy.encode, ...) - metavariable-regex: metavariable: $FN regex: packb? - id: trailofbits.python.numpy-in-pytorch-datasets.numpy-in-pytorch-datasets message: Using the NumPy RNG inside of a PyTorch dataset can lead to a number of issues with loading data, including identical augmentations. Instead, use the random number generators built into Python and PyTorch languages: - python severity: WARNING metadata: category: security cwe: 'CWE-330: Use of Insufficiently Random Values' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: LOW technology: - pytorch - numpy description: Calls to the `NumPy` RNG inside of a `Torch` dataset references: - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects license: AGPL-3.0 license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-datasets.numpy-in-pytorch-datasets shortlink: https://sg.run/dnR6 semgrep.dev: rule: r_id: 44134 rv_id: 833294 rule_id: KxURLn version_id: JdTlrK4 url: https://semgrep.dev/playground/r/JdTlrK4/trailofbits.python.numpy-in-pytorch-datasets.numpy-in-pytorch-datasets origin: community patterns: - pattern: | class $X(torch.utils.data.Dataset): ... def __getitem__(...): ... numpy.random.randint(...) ... - id: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules message: Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading languages: - python severity: WARNING metadata: category: performance subcategory: - audit confidence: MEDIUM technology: - pytorch - numpy description: Uses of `NumPy` functions inside `PyTorch` modules references: - https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects license: AGPL-3.0 license source: https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules shortlink: https://sg.run/9vxr semgrep.dev: rule: r_id: 17167 rv_id: 833295 rule_id: KxU507 version_id: 5PTyDEK url: https://semgrep.dev/playground/r/5PTyDEK/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules origin: community patterns: - pattern-either: - pattern: numpy.$FN(...) - pattern: numpy. ... .$FN(...) - pattern-inside: | class $MODULE(torch.nn.Module): ... - id: trailofbits.python.numpy-load-library.numpy-load-library message: Loading custom operator libraries can result in arbitrary code execution languages: - python severity: ERROR metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - numpy description: Potential arbitrary code execution from `NumPy` library loading references: - https://numpy.org/doc/stable/reference/routines.ctypeslib.html#numpy.ctypeslib.load_library license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.numpy-load-library.numpy-load-library shortlink: https://sg.run/NXkL semgrep.dev: rule: r_id: 43927 rv_id: 833296 rule_id: AbUxDq version_id: GxTDEBO url: https://semgrep.dev/playground/r/GxTDEBO/trailofbits.python.numpy-load-library.numpy-load-library origin: community patterns: - pattern: numpy.ctypeslib.load_library(...) - pattern-not: numpy.ctypeslib.load_library("...", "...") - id: trailofbits.python.onnx-session-options.onnx-session-options message: Loading custom operator libraries can result in arbitrary code execution languages: - python severity: ERROR metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - onnx description: Potential arbitrary code execution from `ONNX` library loading references: - https://onnxruntime.ai/docs/reference/operators/add-custom-op.html license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.onnx-session-options.onnx-session-options shortlink: https://sg.run/kRd1 semgrep.dev: rule: r_id: 43928 rv_id: 833297 rule_id: BYUoqy version_id: RGTKG9Y url: https://semgrep.dev/playground/r/RGTKG9Y/trailofbits.python.onnx-session-options.onnx-session-options origin: community patterns: - pattern-inside: | $SESSION = onnxruntime.SessionOptions(...) ... - pattern: $SESSION.register_custom_ops_library(...) - pattern-not: $SESSION.register_custom_ops_library("...") - id: trailofbits.python.pandas-eval.pandas-eval message: Pandas eval() and query() may be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. languages: - python severity: ERROR metadata: category: security cwe: 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (''Eval Injection'')' subcategory: - audit confidence: LOW likelihood: LOW impact: HIGH technology: - pandas description: Potential arbitrary code execution from `pandas` functions that evaluate user-provided expressions references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - Code Injection source: https://semgrep.dev/r/trailofbits.python.pandas-eval.pandas-eval shortlink: https://sg.run/bwJed semgrep.dev: rule: r_id: 124726 rv_id: 1162801 rule_id: ReUDw9J version_id: 5PTeQRe url: https://semgrep.dev/playground/r/5PTeQRe/trailofbits.python.pandas-eval.pandas-eval origin: community patterns: - pattern-inside: | import pandas ... - pattern-either: - patterns: - pattern: pandas.DataFrame.$FN(...) - pattern-not: pandas.DataFrame.$FN("...", ...) - patterns: - pattern: pandas.$FN(...) - pattern-not: pandas.$FN("...", ...) - patterns: - pattern-inside: | $DF = pandas.DataFrame(...) ... - pattern: $DF.$FN(...) - pattern-not: $DF.$FN("...", ...) - metavariable-regex: metavariable: $FN regex: (eval|query) - id: trailofbits.python.pickles-in-keras-deprecation.pickles-in-keras-deprecation message: The usage of pickle and hdf5 formats for model files are deprecated in Keras. The keras.models.load_model function is deprecated as well. Keras is now embedded in Tensorflow 2 under tensorflow.keras. languages: - python severity: WARNING metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - keras description: Potential arbitrary code execution from Keras' load_model function references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-keras-deprecation.pickles-in-keras-deprecation shortlink: https://sg.run/NbJRG semgrep.dev: rule: r_id: 124727 rv_id: 833299 rule_id: AbU9npB version_id: BjTe0vg url: https://semgrep.dev/playground/r/BjTe0vg/trailofbits.python.pickles-in-keras-deprecation.pickles-in-keras-deprecation origin: community patterns: - pattern-either: - pattern: keras.models.load_model(...) - pattern: tensorflow.keras.models.load_model(...) - pattern: keras.saving.load_model(...) - pattern: tensorflow.keras.saving.load_model(...) - pattern-not: patterns: - pattern-either: - pattern: keras.models.load_model($FILE) - pattern: tensorflow.keras.models.load_model($FILE) - pattern: keras.saving.load_model($FILE) - pattern: tensorflow.keras.saving.load_model($FILE) - metavariable-regex: metavariable: $FILE regex: .*\.keras - id: trailofbits.python.pickles-in-numpy.pickles-in-numpy message: Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - numpy description: Potential arbitrary code execution from `NumPy` functions reliant on pickling references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-numpy.pickles-in-numpy shortlink: https://sg.run/ryKe semgrep.dev: rule: r_id: 17169 rv_id: 833301 rule_id: lBUWjy version_id: WrTdpJ9 url: https://semgrep.dev/playground/r/WrTdpJ9/trailofbits.python.pickles-in-numpy.pickles-in-numpy origin: community patterns: - pattern: numpy.load(..., allow_pickle=$VALUE, ...) - pattern-not: numpy.load("...", ...) - pattern-not: numpy.load(..., file="...", ...) - metavariable-pattern: metavariable: $VALUE patterns: - pattern-not: | False - pattern-not: | [] - pattern-not: | None - pattern-not: | "" - id: trailofbits.python.pickles-in-pandas.pickles-in-pandas message: Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - pandas description: Potential arbitrary code execution from `Pandas` functions reliant on pickling references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas shortlink: https://sg.run/bXQW semgrep.dev: rule: r_id: 17170 rv_id: 833302 rule_id: PeU06j version_id: 0bTwbqN url: https://semgrep.dev/playground/r/0bTwbqN/trailofbits.python.pickles-in-pandas.pickles-in-pandas origin: community patterns: - pattern-either: - pattern: pandas.read_pickle(...) - pattern: pandas.to_pickle(...) - patterns: - pattern-inside: | import pandas ... - pattern: $SMTH.to_pickle(...) - pattern-not: pandas.read_pickle("...") - pattern-not: pandas.to_pickle(..., "...") - pattern-not: $SMTH.to_pickle("...") - id: trailofbits.python.pickles-in-pytorch-distributed.pickles-in-pytorch-distributed message: Functions reliant on pickle can result in arbitrary code execution languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - pytorch description: Potential arbitrary code execution from `PyTorch.Distributed` functions reliant on pickling references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch-distributed.pickles-in-pytorch-distributed shortlink: https://sg.run/ZZxW semgrep.dev: rule: r_id: 44135 rv_id: 833303 rule_id: qNUrw1 version_id: K3Trq3x url: https://semgrep.dev/playground/r/K3Trq3x/trailofbits.python.pickles-in-pytorch-distributed.pickles-in-pytorch-distributed origin: community patterns: - pattern-either: - pattern: torch.distributed.broadcast_object_list(...) - pattern: torch.distributed.all_gather_object(...) - pattern: torch.distributed.gather_object(...) - pattern: torch.distributed.scatter_object_list(...) - id: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal message: Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker languages: - python severity: ERROR metadata: category: security cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: MEDIUM technology: - --no-technology-- description: Potential path traversal in call to `extractall` for a `tarfile` references: - https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall license: AGPL-3.0 license vulnerability_class: - Path Traversal source: https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal shortlink: https://sg.run/2RLD semgrep.dev: rule: r_id: 11763 rv_id: 833310 rule_id: GdUZxq version_id: pZTXjAW url: https://semgrep.dev/playground/r/pZTXjAW/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal origin: community patterns: - pattern-either: - pattern: | with tarfile.open(...) as $TAR: ... $TAR.extractall(...) - pattern: | tarfile.open(...).extractall(...) - pattern: | $TAR = tarfile.open(...) ... $TAR.extractall(...) - pattern-not: | with tarfile.open(...) as $TAR: ... $TAR.extractall(..., members=$MEMBERS, ...) - pattern-not: | tarfile.open(...).extractall(..., members=$MEMBERS, ...) - pattern-not: | $TAR = tarfile.open(...) ... $TAR.extractall(..., members=$MEMBERS, ...) - id: trailofbits.javascript.apollo-graphql.v4-csrf-prevention.v4-csrf-prevention languages: - js - ts message: The Apollo GraphQL server sets the 'csrfPrevention' option to false. This can enable CSRF attacks. severity: ERROR metadata: category: security cwe: 'CWE-352: Cross-Site Request Forgery (CSRF)' subcategory: - vuln confidence: HIGH likelihood: MEDIUM impact: MEDIUM technology: - graphql - apollo-graphql-server - apollo-graphql-server-v4 description: CSRF protection disabled references: - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf fix-regex: regex: csrfPrevention:\s*false replacement: 'csrfPrevention: true' license: AGPL-3.0 license vulnerability_class: - Cross-Site Request Forgery (CSRF) source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v4-csrf-prevention.v4-csrf-prevention shortlink: https://sg.run/Eb1P semgrep.dev: rule: r_id: 60581 rv_id: 833286 rule_id: L1UjQ3 version_id: 7ZTx9PE url: https://semgrep.dev/playground/r/7ZTx9PE/trailofbits.javascript.apollo-graphql.v4-csrf-prevention.v4-csrf-prevention origin: community patterns: - pattern: | new ApolloServer({..., csrfPrevention: false, ...}) - id: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch message: Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX languages: - python severity: ERROR metadata: category: security cwe: 'CWE-502: Deserialization of Untrusted Data' subcategory: - vuln confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - pytorch description: Potential arbitrary code execution from `PyTorch` functions reliant on pickling references: - https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/ license: AGPL-3.0 license vulnerability_class: - 'Insecure Deserialization ' source: https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch shortlink: https://sg.run/NwQy semgrep.dev: rule: r_id: 17171 rv_id: 833304 rule_id: JDU6WD version_id: qkTQnJ3 url: https://semgrep.dev/playground/r/qkTQnJ3/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch origin: community patterns: - pattern-either: - pattern: torch.save(...) - pattern: torch.load(...) - pattern-not: torch.load("...") - pattern-not: torch.save(..., "...") - pattern-not: torch.save($M.state_dict(), ...) - pattern-not-inside: $M.load_state_dict(...) - pattern-not: patterns: - pattern: torch.save($STATE_DICT, ...) - pattern-inside: | $STATE_DICT = $M.state_dict() ... - id: gitlab.find_sec_bugs_kotlin.LDAP_ANONYMOUS-1 languages: - kotlin message: | Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse poorly configured LDAP context metadata: shortDescription: Missing authentication for critical function (LDAP) category: security cwe: CWE-306 owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.LDAP_ANONYMOUS-1 secondary_identifiers: - name: Find Security Bugs-LDAP_ANONYMOUS type: find_sec_bugs_type value: LDAP_ANONYMOUS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.LDAP_ANONYMOUS-1 shortlink: https://sg.run/Ew2Ro semgrep.dev: rule: r_id: 144337 rv_id: 920428 rule_id: WAUWB5G version_id: zyTG3r2 url: https://semgrep.dev/playground/r/zyTG3r2/gitlab.find_sec_bugs_kotlin.LDAP_ANONYMOUS-1 origin: community severity: WARNING patterns: - pattern-inside: | import javax.naming.Context ... - pattern: $ENV[Context.SECURITY_AUTHENTICATION] = "none" - id: trailofbits.rs.panic-in-function-returning-result.panic-in-function-returning-result message: '`expect` or `unwrap` called in function returning a `Result`' languages: - rust severity: WARNING metadata: category: security cwe: 'CWE-755: Improper Handling of Exceptional Conditions' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: LOW technology: - --no-technology-- description: Calling `unwrap` or `expect` in a function returning a `Result` references: - https://doc.rust-lang.org/std/result/ license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.rs.panic-in-function-returning-result.panic-in-function-returning-result shortlink: https://sg.run/WpeL semgrep.dev: rule: r_id: 13697 rv_id: 1028609 rule_id: 2ZUPQ3 version_id: NdTd9o5 url: https://semgrep.dev/playground/r/NdTd9o5/trailofbits.rs.panic-in-function-returning-result.panic-in-function-returning-result origin: community patterns: - pattern-either: - pattern: $EXPR.unwrap() - pattern: $EXPR.expect(...) - pattern-either: - pattern-inside: | fn $FUNC(...) -> Result<$T1, $T2> { ... } - pattern-inside: | fn $FUNC(...) -> Result<$T> { ... } - patterns: - pattern-inside: | fn $FUNC(...) -> $RETTYPE { ... } - pattern-either: - pattern-inside: | type $RETTYPE = Result<$T>; ... fn $FUNC(...) -> $RETTYPE { ... } - pattern-inside: | type $RETTYPE = Result<$T1, $T2>; ... fn $FUNC(...) -> $RETTYPE { ... } - pattern-not-inside: | #[cfg(test)] mod tests { ... #[test] fn $TESTFUNC(...) -> Result<$T1, $T2> { ... } ... } - pattern-not-inside: | #[cfg(test)] mod tests { ... #[test] fn $TESTFUNC(...) -> Result<$T> { ... } ... } - pattern-not-inside: | #[cfg(test)] mod tests { ... type $CUSTOMRESULT = Result<$T1, $T2>; ... #[test] fn $TESTFUNC(...) -> $CUSTOMRESULT { ... } ... } - id: trailofbits.generic.redis-unencrypted-transport.redis-unencrypted-transport message: | Found unencrypted Redis connection, prefer TLS encrypted `rediss://` transport languages: - generic severity: WARNING metadata: category: security subcategory: - audit cwe: 'CWE-319: Cleartext Transmission of Sensitive Information' confidence: HIGH likelihood: HIGH impact: HIGH technology: - redis references: - https://redis.io/docs/latest/develop/connect/cli/#host-port-password-and-database license: AGPL-3.0 license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/trailofbits.generic.redis-unencrypted-transport.redis-unencrypted-transport shortlink: https://sg.run/GdP8q semgrep.dev: rule: r_id: 150292 rv_id: 943186 rule_id: ReUD46j version_id: A8TJrek url: https://semgrep.dev/playground/r/A8TJrek/trailofbits.generic.redis-unencrypted-transport.redis-unencrypted-transport origin: community options: generic_ellipsis_max_span: 0 pattern: redis://... - id: gitlab.find_sec_bugs_kotlin.LDAP_INJECTION-1 languages: - kotlin message: | Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. severity: WARNING metadata: shortDescription: Improper neutralization of special elements used in an LDAP query ('LDAP Injection') category: security cwe: CWE-90 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.LDAP_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-LDAP_INJECTION type: find_sec_bugs_type value: LDAP_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.LDAP_INJECTION-1 shortlink: https://sg.run/v8DwR semgrep.dev: rule: r_id: 144333 rv_id: 920424 rule_id: ReUDJWR version_id: l4TXD1G url: https://semgrep.dev/playground/r/l4TXD1G/gitlab.find_sec_bugs_kotlin.LDAP_INJECTION-1 origin: community mode: taint pattern-sinks: - pattern: javax.naming.ldap.LdapName(...) - pattern: '($C: javax.naming.directory.Context).lookup(...)' - pattern: '($C: javax.naming.Context).lookup(...)' - patterns: - pattern-inside: '($C: com.unboundid.ldap.sdk.LDAPConnection).search($QUERY, ...)' - pattern: $QUERY - patterns: - pattern-either: - patterns: - pattern-either: - pattern: $CTX.lookup(...) - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - metavariable-pattern: metavariable: $CTX pattern-either: - pattern: '($C: DirContext)' - pattern: '($IDC: InitialDirContext)' - pattern: '($LC: LdapContext)' - pattern: '($EDC: EventDirContext)' - pattern: '($LC: LdapCtx)' - pattern: '($C: javax.naming.directory.DirContext)' - pattern: '($IDC: javax.naming.directory.InitialDirContext)' - pattern: '($LC: javax.naming.ldap.LdapContext)' - pattern: '($EDC: javax.naming.event.EventDirContext)' - pattern: '($LC: com.sun.jndi.ldap.LdapCtx)' - patterns: - pattern-either: - pattern: $CTX.lookup(...) - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - pattern-inside: pattern-either: - pattern: $CTX = DirContext(...);... - pattern: $CTX = InitialDirContext(...);... - pattern: $CTX = LdapContext(...);... - pattern: $CTX = EventDirContext(...);... - pattern: $CTX = LdapCtx(...);... - pattern: $CTX = javax.naming.directory.DirContext(...);... - pattern: $CTX = javax.naming.directory.InitialDirContext(...);... - pattern: $CTX = javax.naming.ldap.LdapContext(...);... - pattern: $CTX = javax.naming.event.EventDirContext(...);... - pattern: $CTX = com.sun.jndi.ldap.LdapCtx(...);... - pattern-either: - patterns: - pattern-either: - patterns: - pattern-inside: $CTX.list($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.lookup($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - metavariable-pattern: metavariable: $CTX pattern-either: - pattern: '($LT: LdapTemplate)' - pattern: '($LO: LdapOperations)' - pattern: '($LT: org.springframework.ldap.core.LdapTemplate)' - pattern: '($LO: org.springframework.ldap.core.LdapOperations)' - patterns: - pattern-either: - patterns: - pattern-inside: $CTX.list($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.lookup($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($QUERY, ...) - pattern: $QUERY - patterns: - pattern-inside: $CTX.search($NAME, $FILTER, ...) - pattern: $FILTER - pattern-inside: pattern-either: - pattern: $CTX = LdapTemplate(...);... - pattern: $CTX = LdapOperations(...);... - pattern: $CTX = org.springframework.ldap.core.LdapTemplate(...);... - pattern: $CTX = org.springframework.ldap.core.LdapOperations(...);... pattern-sources: - patterns: - pattern-inside: | fun $FUNC(..., $VAR: String, ...) { ... } - pattern: $VAR - patterns: - pattern-inside: | fun $FUNC(..., $X: String, ...) { ... $VAR = ... + $X ... } - pattern: $VAR - id: trailofbits.hcl.nomad.docker-hardcoded-password.docker-hardcoded-password message: | Found Nomad task using Docker auth with hardcoded password languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - nomad - docker - podman references: - https://developer.hashicorp.com/nomad/docs/drivers/docker#password license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.hcl.nomad.docker-hardcoded-password.docker-hardcoded-password shortlink: https://sg.run/Reqnq semgrep.dev: rule: r_id: 150293 rv_id: 943187 rule_id: AbU9oOo version_id: BjT1DzD url: https://semgrep.dev/playground/r/BjT1DzD/trailofbits.hcl.nomad.docker-hardcoded-password.docker-hardcoded-password origin: community patterns: - pattern-inside: | task "..." { ... driver = "$RUNTIME" ... config { ... auth { ... } ... } ... } - pattern: password = "..." - metavariable-regex: metavariable: $RUNTIME regex: (docker|podman) - id: trailofbits.python.tensorflow-load-library.tensorflow-load-library message: Loading custom operator libraries can result in arbitrary code execution languages: - python severity: ERROR metadata: category: security cwe: 'CWE-676: Use of Potentially Dangerous Function' subcategory: - audit confidence: MEDIUM likelihood: MEDIUM impact: HIGH technology: - tensorflow description: Potential arbitrary code execution from `TensorFlow` library loading references: - https://www.tensorflow.org/api_docs/python/tf/load_library - https://www.tensorflow.org/api_docs/python/tf/load_op_library license: AGPL-3.0 license vulnerability_class: - Dangerous Method or Function source: https://semgrep.dev/r/trailofbits.python.tensorflow-load-library.tensorflow-load-library shortlink: https://sg.run/xp0j semgrep.dev: rule: r_id: 43930 rv_id: 833311 rule_id: WAUgBJ version_id: 2KT7xEg url: https://semgrep.dev/playground/r/2KT7xEg/trailofbits.python.tensorflow-load-library.tensorflow-load-library origin: community patterns: - pattern-either: - pattern: tensorflow.load_library(...) - pattern: tensorflow.load_op_library(...) - pattern-not: tensorflow.load_library("...") - pattern-not: tensorflow.load_op_library("...") - id: gitlab.bandit.B304-12 languages: - python message: | The IDEA encryption algorithm was meant as a drop-in replacement for DES and was created in 1991. A number of [vulnerabilities and exploits](https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm#Security) have been identified to work against IDEA and it is no longer recommended. If possible consider using ChaCha20Poly1305 or AES-GCM instead of Blowfish. For older applications that don't have support for `ChaCha20Poly1305`, `AES-256-GCM` is recommended, however it has many drawbacks: - Slower than `ChaCha20Poly1305`. - Catastrophic failure if nonce values are reused. Example using `ChaCha20Poly1305`: ``` import os # Import ChaCha20Poly1305 from cryptography from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = ChaCha20Poly1305.generate_key() # Create a new ChaCha20Poly1305 instance with our secure key chacha = ChaCha20Poly1305(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = chacha.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text chacha.decrypt(nonce, cipher_text, aad) ``` Example using `AESGCM`: ``` import os # Import AESGCM from cryptography from cryptography.hazmat.primitives.ciphers.aead import AESGCM # Our plaintext to encrypt plain_text = b"Secret text to encrypt" # We do not require authenticated but unencrypted data, so set to None aad = None # Generate a secure key key = AESGCM.generate_key(bit_length=128) # Create a new AESGCM instance with our secure key aesgcm = AESGCM(key) # Note: nonce values _must_ be regenerated every time they are used. nonce = os.urandom(12) # Encrypt our plaintext cipher_text = aesgcm.encrypt(nonce, plain_text, aad) # Decrypt the plain text using the nonce and cipher_text aesgcm.decrypt(nonce, cipher_text, aad) ``` For more information on the cryptography module see: - https://cryptography.io/en/latest/ metadata: cwe: CWE-327 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures shortDescription: Use of a Broken or Risky Cryptographic Algorithm security-severity: Medium category: security primary_identifier: bandit.B304-12 secondary_identifiers: - name: Bandit Test ID B304 type: bandit_test_id value: B304 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.bandit.B304-12 shortlink: https://sg.run/Jjjw semgrep.dev: rule: r_id: 11890 rv_id: 920090 rule_id: x8U22d version_id: LjTzeXr url: https://semgrep.dev/playground/r/LjTzeXr/gitlab.bandit.B304-12 origin: community pattern: cryptography.hazmat.primitives.ciphers.algorithms.IDEA(...) severity: WARNING - id: trailofbits.hcl.terraform.aws-oidc-role-policy-duplicate-condition.aws-oidc-role-policy-duplicate-condition message: | Found AWS role policy for GitHub Actions with duplicate condition. This overrides previous conditions, and the last condition with the duplicated key "wins." This likely breaks access controls and allows unauthorized access. languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-284: Improper Access Control' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - terraform - aws references: - https://securitylabs.datadoghq.com/articles/exploring-github-to-aws-keyless-authentication-flaws/ - https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk - https://github.com/Rezonate-io/github-oidc-checker/ license: AGPL-3.0 license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/trailofbits.hcl.terraform.aws-oidc-role-policy-duplicate-condition.aws-oidc-role-policy-duplicate-condition shortlink: https://sg.run/0oKDj semgrep.dev: rule: r_id: 150298 rv_id: 943192 rule_id: KxUvWD0 version_id: qkT41WW url: https://semgrep.dev/playground/r/qkT41WW/trailofbits.hcl.terraform.aws-oidc-role-policy-duplicate-condition.aws-oidc-role-policy-duplicate-condition origin: community patterns: - pattern-inside: | { ... Statement = [...] ... } - pattern-inside: | { ..., "Action": "sts:AssumeRoleWithWebIdentity", ... } - pattern-either: - pattern: | { ... "Condition": { ... "$KEY": {...} ... "$KEY": {...} ... } ... } - pattern: | { ... "Condition": { ... "StringEquals": { ... "$KEY": ..., ... "$KEY": ..., ... } ... } ... } - pattern: | { ... "Condition": { ... "StringLike": { ... "$KEY": ..., ... "$KEY": ..., ... } ... } ... } - id: trailofbits.hcl.terraform.aws-oidc-role-policy-missing-sub.aws-oidc-role-policy-missing-sub message: | Found AWS role policy for GitHub Actions missing OIDC subject. This means any GitHub repository can assume this role in CI. languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-284: Improper Access Control' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - terraform - aws references: - https://securitylabs.datadoghq.com/articles/exploring-github-to-aws-keyless-authentication-flaws/ - https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk - https://github.com/Rezonate-io/github-oidc-checker/ license: AGPL-3.0 license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/trailofbits.hcl.terraform.aws-oidc-role-policy-missing-sub.aws-oidc-role-policy-missing-sub shortlink: https://sg.run/KxRn5 semgrep.dev: rule: r_id: 150299 rv_id: 943193 rule_id: qNU28dk version_id: l4TxrWy url: https://semgrep.dev/playground/r/l4TxrWy/trailofbits.hcl.terraform.aws-oidc-role-policy-missing-sub.aws-oidc-role-policy-missing-sub origin: community patterns: - pattern-inside: | { ... Statement = [...] ... } - pattern-inside: | { ..., "Action": "sts:AssumeRoleWithWebIdentity", ... } - pattern: | { ... "Condition": { ... "StringEquals": { ... "token.actions.githubusercontent.com:aud": ..., ... } ... } ... } - pattern-not: | { ... "Condition": { ... "StringEquals": { ... "token.actions.githubusercontent.com:sub": ..., ... "token.actions.githubusercontent.com:aud": ..., ... } ... } ... } - pattern-not: | { ... "Condition": { ... "StringEquals": { ... "token.actions.githubusercontent.com:aud": ..., ... "token.actions.githubusercontent.com:sub": ..., ... } ... } ... } - pattern-not: | { ... "Condition": { ... "StringLike": { ... "token.actions.githubusercontent.com:sub": ..., ... } ... "StringEquals": { ... "token.actions.githubusercontent.com:aud": ..., ... } ... } ... } - pattern-not: | { ... "Condition": { ... "StringEquals": { ... "token.actions.githubusercontent.com:aud": ..., ... } ... "StringLike": { ... "token.actions.githubusercontent.com:sub": ..., ... } ... } ... } - id: trailofbits.hcl.terraform.vault-hardcoded-token.vault-hardcoded-token message: | Found Terraform Vault instance with hardcoded token languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-798: Use of Hard-coded Credentials' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - terraform references: - https://registry.terraform.io/providers/hashicorp/vault/latest/docs#token license: AGPL-3.0 license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/trailofbits.hcl.terraform.vault-hardcoded-token.vault-hardcoded-token shortlink: https://sg.run/4b6qz semgrep.dev: rule: r_id: 150300 rv_id: 943194 rule_id: lBU4nKL version_id: YDTv6AY url: https://semgrep.dev/playground/r/YDTv6AY/trailofbits.hcl.terraform.vault-hardcoded-token.vault-hardcoded-token origin: community patterns: - pattern-inside: provider "vault" { ... } - pattern: token = "..." - id: trailofbits.hcl.terraform.vault-skip-tls-verify.vault-skip-tls-verify message: | Found Terraform Vault instance with TLS verification disabled languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: HIGH impact: HIGH technology: - terraform references: - https://registry.terraform.io/providers/hashicorp/vault/latest/docs#skip_tls_verify license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.hcl.terraform.vault-skip-tls-verify.vault-skip-tls-verify shortlink: https://sg.run/Pe0nW semgrep.dev: rule: r_id: 150301 rv_id: 943195 rule_id: YGUp91o version_id: 6xTx5Ex url: https://semgrep.dev/playground/r/6xTx5Ex/trailofbits.hcl.terraform.vault-skip-tls-verify.vault-skip-tls-verify origin: community patterns: - pattern-inside: provider "vault" { ... } - pattern: skip_tls_verify = true - id: gitlab.find_sec_bugs_kotlin.MODIFICATION_AFTER_VALIDATION-1 languages: - kotlin message: | CERT: IDS11-J. Perform any string modifications before validation metadata: shortDescription: Collapse of data into unsafe value category: security cwe: CWE-182 confidence: HIGH owasp: - A1:2017-Injection - A03:2021-Injection security-severity: MEDIUM primary_identifier: find_sec_bugs.MODIFICATION_AFTER_VALIDATION-1 secondary_identifiers: - name: Find Security Bugs-MODIFICATION_AFTER_VALIDATION type: find_sec_bugs_type value: MODIFICATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.MODIFICATION_AFTER_VALIDATION-1 shortlink: https://sg.run/Redp2 semgrep.dev: rule: r_id: 144349 rv_id: 920440 rule_id: j2UgdeW version_id: w8TkbyJ url: https://semgrep.dev/playground/r/w8TkbyJ/gitlab.find_sec_bugs_kotlin.MODIFICATION_AFTER_VALIDATION-1 origin: community severity: WARNING patterns: - pattern-inside: | $PATTERN = Pattern.compile(...) ... - pattern-inside: | $PATTERN.matcher($VAR) ... - pattern-either: - pattern: | $VAR + $OTHER - patterns: - pattern: | $VAR.$METHOD(...) - metavariable-regex: metavariable: $METHOD regex: (replace|replaceAll|replaceFirst|concat) - id: generic.secrets.gitleaks.discord-api-token.discord-api-token message: A gitleaks discord-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.discord-api-token.discord-api-token shortlink: https://sg.run/W5e2 semgrep.dev: rule: r_id: 44697 rv_id: 1262714 rule_id: qNUA1y version_id: YDTZeYN url: https://semgrep.dev/playground/r/YDTZeYN/generic.secrets.gitleaks.discord-api-token.discord-api-token origin: community patterns: - pattern-regex: (?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: gitlab.find_sec_bugs_kotlin.NORMALIZATION_AFTER_VALIDATION-1 languages: - kotlin message: | IDS01-J. Normalize strings before validating them metadata: shortDescription: 'Incorrect behavior order: validate before canonicalize' category: security cwe: CWE-180 confidence: HIGH owasp: - A1:2017-Injection - A03:2021-Injection security-severity: MEDIUM primary_identifier: find_sec_bugs.NORMALIZATION_AFTER_VALIDATION-1 secondary_identifiers: - name: Find Security Bugs-NORMALIZATION_AFTER_VALIDATION type: find_sec_bugs_type value: NORMALIZATION_AFTER_VALIDATION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.NORMALIZATION_AFTER_VALIDATION-1 shortlink: https://sg.run/Ab636 semgrep.dev: rule: r_id: 144350 rv_id: 920441 rule_id: 10UO6W6 version_id: xyTdrQW url: https://semgrep.dev/playground/r/xyTdrQW/gitlab.find_sec_bugs_kotlin.NORMALIZATION_AFTER_VALIDATION-1 origin: community severity: WARNING patterns: - pattern: |- $Y = java.util.regex.Pattern.compile("[<>]"); ... $Y.matcher($VAR); ... java.text.Normalizer.normalize($VAR, ...); - id: trailofbits.hcl.nomad.docker-privileged-mode.docker-privileged-mode message: | Found Nomad task using Docker containers in privileged mode languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-250: Execution with Unnecessary Privileges' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: LOW technology: - nomad - docker - podman references: - https://developer.hashicorp.com/nomad/docs/drivers/docker#privileged - https://developer.hashicorp.com/nomad/docs/drivers/docker#allow_privileged license: AGPL-3.0 license vulnerability_class: - Improper Authorization source: https://semgrep.dev/r/trailofbits.hcl.nomad.docker-privileged-mode.docker-privileged-mode shortlink: https://sg.run/Abkr2 semgrep.dev: rule: r_id: 150294 rv_id: 943188 rule_id: BYUX3g0 version_id: DkTN9xp url: https://semgrep.dev/playground/r/DkTN9xp/trailofbits.hcl.nomad.docker-privileged-mode.docker-privileged-mode origin: community pattern-either: - patterns: - pattern-inside: | task "..." { ... config { ... } ... } - pattern: privileged = true - patterns: - pattern-inside: | plugin "$RUNTIME" { ... config { ... } ... } - pattern: allow_privileged = true - metavariable-regex: metavariable: $RUNTIME regex: (docker|podman) - id: gitlab.find_sec_bugs_kotlin.MALICIOUS_XSLT-1 languages: - kotlin message: | It is possible to attach malicious behavior to those style sheets. Therefore, if an attacker can control the content or the source of the style sheet, he might be able to trigger remote code execution. metadata: shortDescription: Improper neutralization of special elements in output used by a downstream component ('Injection') category: security cwe: CWE-74 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: MEDIUM primary_identifier: find_sec_bugs.MALICIOUS_XSLT-1 secondary_identifiers: - name: Find Security Bugs-MALICIOUS_XSLT type: find_sec_bugs_type value: MALICIOUS_XSLT license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.MALICIOUS_XSLT-1 shortlink: https://sg.run/KxrK6 semgrep.dev: rule: r_id: 144355 rv_id: 920446 rule_id: NbU3PWR version_id: ZRTedXe url: https://semgrep.dev/playground/r/ZRTedXe/gitlab.find_sec_bugs_kotlin.MALICIOUS_XSLT-1 origin: community severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - patterns: - pattern-inside: | fun $FUNC(...,$VAR: String, ...) { ... } - pattern-either: - pattern: FileInputStream(<... $VAR ...>); - pattern: javaClass.getResourceAsStream(<... $VAR ...>) - patterns: - pattern-inside: | class $CLZ { var $X = "..."; ... } - pattern-inside: | fun $FUNC(...,$Y: String, ...) { ... } - pattern-either: - pattern: FileInputStream($X + $Y); - pattern: javaClass.getResourceAsStream($X + $Y) pattern-sinks: - patterns: - pattern-either: - pattern-inside: '($T: javax.xml.transform.TransformerFactory).newTransformer($SRC, ...)' - pattern-inside: '($T: javax.xml.transform.Transformer).transform($SRC, ...)' - patterns: - pattern-inside: |- $FACTORY = javax.xml.transform.TransformerFactory.newInstance(...) ... - pattern-inside: $FACTORY.newTransformer($SRC, ...) - patterns: - pattern-inside: |- $FACTORY = javax.xml.transform.TransformerFactory(...) ... - pattern-inside: |- $T = $FACTORY.newTransformer(...) ... - pattern-inside: $T.transform($SRC, ...) - pattern: $SRC - id: trailofbits.hcl.nomad.podman-tls-verify-disabled.podman-tls-verify-disabled message: | Found Nomad task using Podman with registry TLS verification disabled languages: - hcl severity: WARNING metadata: category: security cwe: 'CWE-295: Improper Certificate Validation' subcategory: - audit confidence: HIGH likelihood: MEDIUM impact: LOW technology: - nomad - podman references: - https://developer.hashicorp.com/nomad/plugins/drivers/podman#auth license: AGPL-3.0 license vulnerability_class: - Improper Authentication source: https://semgrep.dev/r/trailofbits.hcl.nomad.podman-tls-verify-disabled.podman-tls-verify-disabled shortlink: https://sg.run/BYwbA semgrep.dev: rule: r_id: 150295 rv_id: 943189 rule_id: DbU6rPy version_id: WrTElNZ url: https://semgrep.dev/playground/r/WrTElNZ/trailofbits.hcl.nomad.podman-tls-verify-disabled.podman-tls-verify-disabled origin: community patterns: - pattern-inside: | task "..." { ... driver = "podman" ... config { ... auth { ... } ... } ... } - pattern: tlsVerify = false - id: gitlab.find_sec_bugs_kotlin.OGNL_INJECTION-1 message: | "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." languages: - kotlin severity: WARNING metadata: shortDescription: Expression injection (OGNL) category: security cwe: CWE-917 technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.OGNL_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-OGNL_INJECTION type: find_sec_bugs_type value: OGNL_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.OGNL_INJECTION-1 shortlink: https://sg.run/d8dq5 semgrep.dev: rule: r_id: 144334 rv_id: 920425 rule_id: AbU9DPg version_id: YDTYb49 url: https://semgrep.dev/playground/r/YDTYb49/gitlab.find_sec_bugs_kotlin.OGNL_INJECTION-1 origin: community patterns: - pattern-either: - pattern-inside: | fun $FUNC(..., $VAR: String, ...) { ... } - pattern-inside: | fun $FUNC(..., $VAR: Map<$K,$V>, ...) { ... } - pattern-inside: | fun $FUNC(..., $VAR: Map<$K,*>, ...) { ... } - pattern-inside: | fun $FUNC(..., $VAR: java.util.HashMap<$K,$V>, ...) { ... } - pattern-either: - pattern: com.opensymphony.xwork2.util.TextParseUtil.translateVariables(...,$VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.translateVariablesCollection(..., $VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.shallBeIncluded(..., $VAR, ...) - pattern: com.opensymphony.xwork2.util.TextParseUtil.commaDelimitedStringToSet(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.TextParser).evaluate(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.OgnlTextParser).evaluate(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getGetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getSetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getField(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setProperty(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).getValue(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlReflectionProvider).setValue(...,$VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getGetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getSetMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getField(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setProperty(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).getValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.util.reflection.ReflectionProvider).setValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setProperties(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setProperty(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).getValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).setValue(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).callMethod(..., $VAR, ...) - pattern: ($P:com.opensymphony.xwork2.ognl.OgnlUtil).compile(..., $VAR, ...) - pattern: ($P:org.apache.struts2.util.VelocityStrutsUtil).evaluate(...) - pattern: org.apache.struts2.util.StrutsUtil.findString(...) - pattern: org.apache.struts2.util.StrutsUtil.findValue(..., $VAL) - pattern: org.apache.struts2.util.StrutsUtil.getText(...) - pattern: org.apache.struts2.util.StrutsUtil.translateVariables(...) - pattern: org.apache.struts2.util.StrutsUtil.makeSelectList(..., $VAR, ...) - pattern: ($T:org.apache.struts2.views.jsp.ui.OgnlTool).findValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).findString(...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).findValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).setValue(..., $VAR, ...) - pattern: ($V:com.opensymphony.xwork2.util.ValueStack).setParameter(..., $VAR, ...) - id: python.lang.correctness.common-mistakes.is-not-is-not.is-not-is-not message: In Python 'X is not ...' is different from 'X is (not ...)'. In the latter the 'not' converts the '...' directly to boolean. languages: - python severity: ERROR pattern: $S is (not ...) metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-not-is-not.is-not-is-not shortlink: https://sg.run/0Qrv semgrep.dev: rule: r_id: 9610 rv_id: 946288 rule_id: oqUexJ version_id: jQTzvXe url: https://semgrep.dev/playground/r/jQTzvXe/python.lang.correctness.common-mistakes.is-not-is-not.is-not-is-not origin: community - id: python.lang.correctness.common-mistakes.is-comparison-string.identical-is-comparison pattern: $S is $S message: Found identical comparison using is. Ensure this is what you intended. languages: - python severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-comparison-string.identical-is-comparison shortlink: https://sg.run/Do5Y semgrep.dev: rule: r_id: 9608 rv_id: 946286 rule_id: YGURPw version_id: 2KTYbxX url: https://semgrep.dev/playground/r/2KTYbxX/python.lang.correctness.common-mistakes.is-comparison-string.identical-is-comparison origin: community - id: python.lang.correctness.exceptions.exceptions.raise-not-base-exception message: In Python3, a runtime `TypeError` will be thrown if you attempt to raise an object or class which does not inherit from `BaseException` languages: - python severity: ERROR pattern-either: - pattern: raise "..." - pattern: | $X: BaseException raise $X(...) - patterns: - pattern: raise $EXCEPTION - metavariable-regex: metavariable: $EXCEPTION regex: '[0-9]*\.?[0-9]+' metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.exceptions.exceptions.raise-not-base-exception shortlink: https://sg.run/qxAz semgrep.dev: rule: r_id: 9612 rv_id: 946292 rule_id: pKUOlQ version_id: rxT6rzE url: https://semgrep.dev/playground/r/rxT6rzE/python.lang.correctness.exceptions.exceptions.raise-not-base-exception origin: community - id: gitlab.find_sec_bugs_kotlin.PT_ABSOLUTE_PATH_TRAVERSAL-1 languages: - kotlin message: | The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. See http://cwe.mitre.org/data/definitions/36.html for more information. severity: WARNING metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') category: security cwe: CWE-22 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1 secondary_identifiers: - name: Find Security Bugs-PT_ABSOLUTE_PATH_TRAVERSAL type: find_sec_bugs_type value: PT_ABSOLUTE_PATH_TRAVERSAL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.PT_ABSOLUTE_PATH_TRAVERSAL-1 shortlink: https://sg.run/ZqdJL semgrep.dev: rule: r_id: 144335 rv_id: 920426 rule_id: BYUXqjb version_id: 6xTyXWg url: https://semgrep.dev/playground/r/6xTyXWg/gitlab.find_sec_bugs_kotlin.PT_ABSOLUTE_PATH_TRAVERSAL-1 origin: community mode: taint pattern-sanitizers: - pattern: org.apache.commons.io.FilenameUtils.getName(...) pattern-sinks: - patterns: - pattern-inside: | $U = java.net.URI($VAR) - pattern-either: - pattern-inside: java.io.File($U) - pattern-inside: java.nio.file.Paths.get($U) - pattern: $VAR - patterns: - pattern-inside: java.io.RandomAccessFile($INPUT,...) - pattern: $INPUT - pattern: java.io.FileReader(...) - pattern: javax.activation.FileDataSource(...) - pattern: java.io.FileInputStream(...) - pattern: java.io.File(...) - pattern: java.nio.file.Paths.get(...) - pattern: java.io.File.createTempFile(...) - pattern: java.io.File.createTempDirectory(...) - pattern: java.nio.file.Files.createTempFile(...) - pattern: java.nio.file.Files.createTempDirectory(...) - patterns: - pattern: $SRC.$METHOD(...) - metavariable-pattern: metavariable: $SRC pattern-either: - pattern: getClass() - pattern: getClass().getClassLoader() - pattern: '($C: ClassLoader)' - pattern: '($C: Class)' - pattern: $CLZ.getClassLoader() - metavariable-pattern: metavariable: $METHOD pattern-either: - pattern: getResourceAsStream - pattern: getResource - patterns: - pattern-inside: java.io.FileWriter($PATH, ...) - pattern: $PATH - patterns: - pattern-inside: java.io.FileOutputStream($PATH, ...) - pattern: $PATH pattern-sources: - pattern: '($REQ: HttpServletRequest).getParameter(...)' - patterns: - pattern-inside: fun $FUNC(..., @RequestParam $REQ:$TYPE, ...) {...} - focus-metavariable: $REQ - id: gitlab.find_sec_bugs_kotlin.SMTP_HEADER_INJECTION-1 languages: - kotlin message: | Simple Mail Transfer Protocol (SMTP) is a the text based protocol used for email delivery. Like with HTTP, headers are separate by new line separator. If kuser input is place in a header line, the application should remove or replace new line characters (CR / LF). You should use a safe wrapper such as Apache Common Email and Simple Java Mail which filter special characters that can lead to header injection. metadata: shortDescription: Improper neutralization of special elements used in a command category: security cwe: CWE-77 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.SMTP_HEADER_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-SMTP_HEADER_INJECTION type: find_sec_bugs_type value: SMTP_HEADER_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SMTP_HEADER_INJECTION-1 shortlink: https://sg.run/PedoE semgrep.dev: rule: r_id: 144345 rv_id: 920436 rule_id: zdUKogv version_id: rxTjvGO url: https://semgrep.dev/playground/r/rxTjvGO/gitlab.find_sec_bugs_kotlin.SMTP_HEADER_INJECTION-1 origin: community severity: ERROR patterns: - pattern-inside: | $M = MimeMessage(...); ... - pattern-either: - patterns: - pattern-either: - pattern: $M.setSubject($VAR) - pattern: $M.addHeader($ARG, $VAR) - pattern: $M.addHeader($VAR, $ARG) - pattern: $M.setDescription($VAR) - pattern: $M.setDisposition($VAR) - metavariable-regex: metavariable: $VAR regex: ^[a-zA-Z_$][a-zA-Z0-9_$]*$ - patterns: - pattern-either: - pattern: $M.setSubject($OBJ.$GETTER(...)) - pattern: $M.setSubject($OBJ.$GETTER(...) + ...) - pattern: $M.setSubject(... + $OBJ.$GETTER(...)) - pattern: $M.setSubject(... + $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($ARG, $OBJ.$GETTER(...)) - pattern: $M.addHeader($ARG, $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($ARG, ... + $OBJ.$GETTER(...)) - pattern: $M.addHeader($ARG, ... + $OBJ.$GETTER(...) + ...) - pattern: $M.addHeader($OBJ.$GETTER(...), $ARG) - pattern: $M.addHeader($OBJ.$GETTER(...) + ..., $ARG) - pattern: $M.addHeader(... + $OBJ.$GETTER(...), $ARG) - pattern: $M.addHeader(... + $OBJ.$GETTER(...) + ..., $ARG) - pattern: $M.setDescription($OBJ.$GETTER(...)) - pattern: $M.setDisposition($OBJ.$GETTER(...) + ...) - pattern: $M.setDisposition(... + $OBJ.$GETTER(...)) - pattern: $M.setDisposition(... + $OBJ.$GETTER(...) + ...) - metavariable-regex: metavariable: $GETTER regex: ^get - id: gitlab.find_sec_bugs_kotlin.WICKET_XSS1-1 languages: - kotlin message: | Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: MEDIUM primary_identifier: find_sec_bugs.WICKET_XSS1-1 secondary_identifiers: - name: Find Security Bugs-WICKET_XSS1 type: find_sec_bugs_type value: WICKET_XSS1 license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.WICKET_XSS1-1 shortlink: https://sg.run/lBdX5 semgrep.dev: rule: r_id: 144357 rv_id: 920448 rule_id: wdU9XgL version_id: ExT1WXN url: https://semgrep.dev/playground/r/ExT1WXN/gitlab.find_sec_bugs_kotlin.WICKET_XSS1-1 origin: community severity: WARNING patterns: - pattern-inside: | import org.apache.wicket.$A ... - pattern: | $OBJ.setEscapeModelStrings(false); - id: gitlab.find_sec_bugs_kotlin.XML_DECODER-1 languages: - kotlin message: | Avoid using XMLDecoder to parse content from an untrusted source. metadata: shortDescription: Deserialization of untrusted data category: security cwe: CWE-502 owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures security-severity: MEDIUM primary_identifier: find_sec_bugs.XML_DECODER-1 secondary_identifiers: - name: Find Security Bugs-XML_DECODER type: find_sec_bugs_type value: XML_DECODER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XML_DECODER-1 shortlink: https://sg.run/0okxJ semgrep.dev: rule: r_id: 144354 rv_id: 920445 rule_id: bwUbpWe version_id: d6T6gpK url: https://semgrep.dev/playground/r/d6T6gpK/gitlab.find_sec_bugs_kotlin.XML_DECODER-1 origin: community severity: WARNING patterns: - pattern-either: - pattern: '($D: java.beans.XMLDecoder).readObject()' - patterns: - pattern: $D.readObject() - pattern-inside: | $D = XMLDecoder(...) ... - pattern-not: pattern-either: - patterns: - pattern-inside: | $DEC = java.beans.XMLDecoder(..., $CL) ... - pattern: $DEC.readObject() - metavariable-pattern: metavariable: $CL patterns: - pattern: | object : ClassLoader() { ... fun loadClass(name: String, resolve: Boolean): $RET { if($X){ throw ... } ... } ... } - metavariable-pattern: metavariable: $X pattern-either: - pattern: | name != ... - pattern: | !$LIST.contains(name) - patterns: - pattern-inside: | $CLASS_LOADER = $CL ... - pattern-inside: | $DEC = java.beans.XMLDecoder(..., $CLASS_LOADER) ... - pattern: $DEC.readObject() - metavariable-pattern: metavariable: $CL patterns: - pattern: | object : ClassLoader(){ ... fun loadClass(name: String, resolve: Boolean): $RET{ if($X){ throw ... } ... } ... } - metavariable-pattern: metavariable: $X pattern-either: - pattern: | name != ... - pattern: | !$LIST.contains(name) - id: gitlab.find_sec_bugs_kotlin.XPATH_INJECTION-1 languages: - kotlin message: | The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. metadata: shortDescription: Improper neutralization of data within XPath expressions ('XPath Injection') category: security cwe: CWE-643 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.XPATH_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-XPATH_INJECTION type: find_sec_bugs_type value: XPATH_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XPATH_INJECTION-1 shortlink: https://sg.run/qN5b8 semgrep.dev: rule: r_id: 144356 rv_id: 920447 rule_id: kxUdNvG version_id: nWTnN0p url: https://semgrep.dev/playground/r/nWTnN0p/gitlab.find_sec_bugs_kotlin.XPATH_INJECTION-1 origin: community severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: | fun $FUNC(..., $VAR: $T, ...) { ... } - pattern: $VAR pattern-sinks: - patterns: - pattern-either: - pattern-inside: "import javax.xml.xpath.*; \n...\n" - pattern-inside: "import javax.xml.xpath.XPath; \n...\n" - patterns: - pattern-either: - patterns: - pattern: $X.compile($VAR) - pattern-not: $X.compile("...") - patterns: - pattern: $X.evaluate($VAR, ...) - pattern-not: $X.evaluate("...", ...) pattern-sanitizers: - pattern-either: - pattern-inside: | $X.xPathVariableResolver = ...; ...; $X.compile("..."); - pattern-inside: | $X.setXPathVariableResolver(...); ...; $X.compile("..."); - id: gitlab.find_sec_bugs_kotlin.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 languages: - kotlin message: | Servlet reflected cross site scripting vulnerability severity: WARNING metadata: shortDescription: Improper neutralization of input during web page generation ('Cross-site Scripting') category: security cwe: CWE-79 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: MEDIUM primary_identifier: find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 secondary_identifiers: - name: Find Security Bugs-XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER type: find_sec_bugs_type value: XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 shortlink: https://sg.run/YGdPQ semgrep.dev: rule: r_id: 144358 rv_id: 920449 rule_id: x8UKPbo version_id: 7ZTbRXn url: https://semgrep.dev/playground/r/7ZTbRXn/gitlab.find_sec_bugs_kotlin.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 origin: community mode: taint pattern-sanitizers: - patterns: - pattern-inside: org.owasp.encoder.Encode.forHtml($TAINTED); - pattern: $TAINTED pattern-sinks: - patterns: - pattern-inside: 'fun $FUNC(..., $RES: HttpServletResponse , ...) {...}' - pattern-inside: | $WRITER = $RES.getWriter(); ... - pattern: $WRITER.write($DATA,...); - pattern: $DATA - patterns: - pattern-inside: 'fun $FUNC(..., $RES: HttpServletResponse , ...) {...}' - pattern: $RES.getWriter().write($DATA,...); - pattern: $DATA pattern-sources: - patterns: - pattern-inside: 'fun $FUNC(..., $REQ: HttpServletRequest , ...) {...}' - pattern: $REQ.getParameter(...); - id: gitlab.find_sec_bugs_kotlin.XXE_SAXPARSER-1 languages: - kotlin message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: shortDescription: Improper restriction of XML external entity reference ('XXE') category: security cwe: CWE-611 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.XXE_SAXPARSER-1 secondary_identifiers: - name: Find Security Bugs-XXE_SAXPARSER type: find_sec_bugs_type value: XXE_SAXPARSER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XXE_SAXPARSER-1 shortlink: https://sg.run/6JGej semgrep.dev: rule: r_id: 144359 rv_id: 920450 rule_id: OrUNwLe version_id: LjTzelk url: https://semgrep.dev/playground/r/LjTzelk/gitlab.find_sec_bugs_kotlin.XXE_SAXPARSER-1 origin: community severity: ERROR patterns: - pattern-inside: | $SF = SAXParserFactory.newInstance() ... - pattern-not-inside: | $SF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ... - pattern-not-inside: | $SF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ... - pattern-inside: | $P = $SFP.newSAXParser(); ... - pattern: $P.parse(...); - id: gitlab.find_sec_bugs_kotlin.XXE_XMLREADER-1 languages: - kotlin message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: shortDescription: Improper restriction of XML external entity reference ('XXE') category: security cwe: CWE-611 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.XXE_XMLREADER-1 secondary_identifiers: - name: Find Security Bugs-XXE_XMLREADER type: find_sec_bugs_type value: XXE_XMLREADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XXE_XMLREADER-1 shortlink: https://sg.run/oqP9n semgrep.dev: rule: r_id: 144360 rv_id: 920451 rule_id: eqU0QP6 version_id: 8KTvlBN url: https://semgrep.dev/playground/r/8KTvlBN/gitlab.find_sec_bugs_kotlin.XXE_XMLREADER-1 origin: community severity: ERROR patterns: - pattern-inside: | $R = XMLReaderFactory.createXMLReader() ... - pattern-not-inside: | $R.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) ... - pattern: $R.parse(...) - id: gitlab.find_sec_bugs_kotlin.XXE_XMLSTREAMREADER-1 languages: - kotlin message: | XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. metadata: shortDescription: Improper restriction of XML external entity reference ('XXE') category: security cwe: CWE-611 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.XXE_XMLSTREAMREADER-1 secondary_identifiers: - name: Find Security Bugs-XXE_XMLSTREAMREADER type: find_sec_bugs_type value: XXE_XMLSTREAMREADER license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.XXE_XMLSTREAMREADER-1 shortlink: https://sg.run/zdqb0 semgrep.dev: rule: r_id: 144361 rv_id: 920452 rule_id: v8UYeb2 version_id: gETkXnr url: https://semgrep.dev/playground/r/gETkXnr/gitlab.find_sec_bugs_kotlin.XXE_XMLSTREAMREADER-1 origin: community severity: ERROR patterns: - pattern-inside: | $SF = XMLInputFactory.newFactory(); ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.SUPPORT_DTD, false); ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); ... - pattern-not-inside: | $SF.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); ... - pattern: $SF.createXMLStreamReader(...) - id: gitlab.mobsf.java-webview-rule-ignore_ssl_certificate_errors pattern: | $RET onReceivedSslError(WebView $W, SslErrorHandler $H, SslError $E) { ... $H.proceed(); } message: "Insecure WebView Implementation. leading to a security problem known as SSL certificate \nvalidation bypass. This occurs when the app fails to properly validate SSL certificates, \nallowing potentially malicious or spoofed certificates to be accepted, leading to a \nMan-in-the-Middle (MitM) attack where an attacker intercepts and manipulates communication \nbetween the app and the server. \n\nTo fix this security issue, you should properly handle SSL errors and only proceed with \nthe connection if the SSL certificate is valid and trusted. Here's an example code in Java:\n``` \npublic class MyWebViewClient extends WebViewClient { \ \n @Override\n public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {\n // Check the SSL error type\n switch (error.getPrimaryError()) {\n case SslError.SSL_UNTRUSTED:\n // Certificate is untrusted\n // Handle the error appropriately, such as showing an error message\n break;\n \ case SslError.SSL_EXPIRED:\n // Certificate has expired\n // Handle the error appropriately\n break;\n case SslError.SSL_IDMISMATCH:\n \ // Certificate hostname mismatch\n // Handle the error appropriately\n \ break;\n case SslError.SSL_NOTYETVALID:\n // Certificate is not yet valid\n // Handle the error appropriately\n break;\n }\n \ // Cancel the connection\n // This prevents the WebView from loading the content\n handler.cancel();\n }\n}\n```\n" languages: - java severity: WARNING metadata: category: security cwe: CWE-295 shortDescription: Improper certificate validation" owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: mobsf.java-webview-rule-ignore_ssl_certificate_errors secondary_identifiers: - name: mobsf ID java-webview-rule-ignore_ssl_certificate_errors type: mobsf_rule_type value: java-webview-rule-ignore_ssl_certificate_errors license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.java-webview-rule-ignore_ssl_certificate_errors shortlink: https://sg.run/pKJbR semgrep.dev: rule: r_id: 144362 rv_id: 920453 rule_id: d8UrXNR version_id: QkT1NgA url: https://semgrep.dev/playground/r/QkT1NgA/gitlab.mobsf.java-webview-rule-ignore_ssl_certificate_errors origin: community - id: gitlab.mobsf.java-webview-rule-webview_debugging patterns: - pattern-either: - pattern: | $WB.setWebContentsDebuggingEnabled(true); - pattern: | $X = true; ... $WB.setWebContentsDebuggingEnabled($X); message: "Remote WebView debugging is enabled. This allows an attacker with\ndebugging access to interact with the webview and steal or corrupt data.\nTo fix these security issues, it is recommended to disable remote \ndebugging and restrict file access in the WebView. \nHere's how you can do it:\n```\nWebView webView = new WebView(context);\n\n// Disable remote debugging\nif (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {\n WebView.setWebContentsDebuggingEnabled(false);\n}\n\n// Restrict file access from file URLs\nwebView.getSettings().setAllowFileAccessFromFileURLs(false);\n\n// Load a web page\nwebView.loadUrl(\"https://example.com\");\n```\n" languages: - java severity: WARNING metadata: category: security cwe: CWE-489 shortDescription: Active debug code owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: mobsf.java-webview-rule-webview_debugging secondary_identifiers: - name: mobsf ID java-webview-rule-webview_debugging type: mobsf_rule_type value: java-webview-rule-webview_debugging license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.java-webview-rule-webview_debugging shortlink: https://sg.run/2Z4QY semgrep.dev: rule: r_id: 144363 rv_id: 920454 rule_id: ZqUQ0Rj version_id: 3ZTLweb url: https://semgrep.dev/playground/r/3ZTLweb/gitlab.mobsf.java-webview-rule-webview_debugging origin: community - id: gitlab.mobsf.java-webview-rule-webview_external_storage patterns: - pattern-either: - pattern: | $X = <... $E.getExternalStorageDirectory() ...>; ... $WV.loadUrl(<... $X ...>); - pattern: | $WV.loadUrl(<... $E.getExternalStorageDirectory().$F() ...>); - pattern: | $X = <... Environment.getExternalStorageDirectory().$F() ...>; ... $WV.loadUrl(<... $X ...>); - pattern: | $X = <... $E.getExternalFilesDir(...) ...>; ... $WV.loadUrl(<... $X ...>); message: "WebView load files from external storage. Files in external storage can be\nmodified by any application.\n\nLoading files from external storage in a WebView can introduce security risks, \nas it allows web content to access potentially sensitive data stored on the \ndevice's external storage. This can lead to unauthorized access to user data, \nincluding personal files, credentials, or other sensitive information, by \nmalicious web content.\n\nTo fix this security issue, you should avoid loading files directly from external \nstorage in a WebView. Instead, you should use a Content Provider or a secure file \nstorage mechanism to access files and provide them to the WebView as content.\n\nHere's a general approach to fix this problem:\n(1) Use a Content Provider: If you need to load files from external storage in a WebView, \nconsider using a Content Provider to securely access the files. Content Providers \nprovide controlled access to files stored on external storage and allow you to define \npermissions for accessing them.\n(2) Secure File Storage: Store files containing sensitive data in a secure location, such \nas internal storage or encrypted storage, and provide access to them through a secure \nAPI. Avoid exposing sensitive files directly to the WebView.\n(3) Restrict WebView Access: Configure the WebView to restrict access to external resources \nand content. Use methods like setAllowFileAccess() to control file access and \nsetAllowContentAccess() to control access to content from other origins.\nHere's an example of how you can use a Content Provider to provide secure access to \nfiles in a WebView:\n```\n// Define the URI of the content provider for accessing files\nUri contentProviderUri = Uri.parse(\"content://com.example.myapp.provider/files\");\n// Load the content from the Content Provider into the WebView\nwebView.loadUrl(contentProviderUri.toString());\n```\nIn the above code, we define the URI of a Content Provider that provides access to files \nstored in the app's external storage. The content is loaded from the Content Provider into \nthe WebView using loadUrl(), which ensures that access to files is controlled and secure, \npreventing unauthorized access to sensitive data.\n" languages: - java severity: ERROR metadata: category: security cwe: CWE-749 shortDescription: Exposed dangerous method or function owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: mobsf.java-webview-rule-webview_external_storage secondary_identifiers: - name: mobsf ID java-webview-rule-webview_external_storage type: mobsf_rule_type value: java-webview-rule-webview_external_storage license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.java-webview-rule-webview_external_storage shortlink: https://sg.run/X5dEe semgrep.dev: rule: r_id: 144364 rv_id: 920455 rule_id: nJUxXAW version_id: 44TeqGG url: https://semgrep.dev/playground/r/44TeqGG/gitlab.mobsf.java-webview-rule-webview_external_storage origin: community - id: gitlab.mobsf.java-webview-rule-webview_set_allow_file_access pattern: $WB.setAllowFileAccess(true); message: "WebView File System Access is enabled. An attacker able to inject \nscript into a WebView, could exploit the opportunity to unauthorized \naccess to sensitive user data or system files.\n\nTo fix this security issue, you should disable file access in the \nWebView or restrict it to specific directories. \nAn example:\n```\n// Create a WebView instance\nWebView webView = new WebView(context);\n// Disable file access in the WebView\nwebView.getSettings().setAllowFileAccess(false);\n```\n" languages: - java severity: WARNING metadata: category: security cwe: CWE-73 shortDescription: External control of file name or path owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: MEDIUM primary_identifier: mobsf.java-webview-rule-webview_set_allow_file_access secondary_identifiers: - name: mobsf ID java-webview-rule-webview_set_allow_file_access type: mobsf_rule_type value: java-webview-rule-webview_set_allow_file_access license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.java-webview-rule-webview_set_allow_file_access shortlink: https://sg.run/j2Ll2 semgrep.dev: rule: r_id: 144365 rv_id: 920456 rule_id: EwUj7Pj version_id: PkTjGOn url: https://semgrep.dev/playground/r/PkTjGOn/gitlab.mobsf.java-webview-rule-webview_set_allow_file_access origin: community - id: gitlab.mobsf.kotlin-webview-rule-android_kotlin_webview_debug patterns: - pattern: | $X.setWebContentsDebuggingEnabled(true) - pattern-inside: | WebView ... message: "Remote WebView debugging is enabled.This can introduce security \nrisks as it allows remote debugging tools, such as Chrome DevTools, \nto inspect and manipulate the WebView content. This can potentially \nexpose sensitive information, including user data, session tokens, \nand other confidential data, to unauthorized parties.\n\nTo fix this security issue, you should disable remote WebView \ndebugging in production builds of your app. Here's how you can do it:\n```\nimport WebKit\n\nclass ViewController: UIViewController {\n\n override func viewDidLoad() {\n super.viewDidLoad()\n\n \ // Disable remote WebView debugging in production builds\n #if DEBUG\n WebViewConfiguration.shared().preferences.setValue(true, forKey: \"developerExtrasEnabled\")\n #else\n WebViewConfiguration.shared().preferences.setValue(false, forKey: \"developerExtrasEnabled\")\n #endif\n\n // Other setup code...\n }\n\n // Other methods...\n}\n```\n" languages: - kotlin severity: WARNING metadata: category: security cwe: CWE-489 shortDescription: Leftover debug code owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: mobsf.kotlin-webview-rule-android_kotlin_webview_debug secondary_identifiers: - name: mobsf ID kotlin-webview-rule-android_kotlin_webview_debug type: mobsf_rule_type value: kotlin-webview-rule-android_kotlin_webview_debug license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.kotlin-webview-rule-android_kotlin_webview_debug shortlink: https://sg.run/10wOQ semgrep.dev: rule: r_id: 144366 rv_id: 920457 rule_id: 7KUg0qD version_id: JdToRe2 url: https://semgrep.dev/playground/r/JdToRe2/gitlab.mobsf.kotlin-webview-rule-android_kotlin_webview_debug origin: community - id: gitlab.mobsf.oc-other-rule-ios_webview_ignore_ssl pattern-either: - pattern: allowsAnyHTTPSCertificateForHost - patterns: - pattern: loadingUnvalidatedHTTPSPage = $YES - metavariable-regex: metavariable: $YES regex: YES|yes - patterns: - pattern: allowsAnyHTTPSCertificate = $YES - metavariable-regex: metavariable: $YES regex: YES|yes paths: include: - '**/*.m' message: "UIWebView in App ignore SSL errors and accept any SSL Certificate. \nApp is vulnerable to MITM attacks. If the app does not verify the \nauthenticity of the server's SSL certificate, an attacker could \nimpersonate the server and intercept sensitive data transmitted \nbetween the app and the server.\nTo fix these security issues, you should ensure proper SSL certificate \nvalidation in your Objective-C code. Here's how you can do it:\n```\n- (void)loadSecureURL {\n NSURL *url = [NSURL URLWithString:@\"https://example.com\"];\n NSURLRequest *request = [NSURLRequest requestWithURL:url];\n \n // Create session configuration\n NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];\n configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;\n \n // Create session with configuration\n NSURLSession *session = [NSURLSession sessionWithConfiguration:configuration];\n \n // Create data task\n NSURLSessionDataTask *task = [session dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {\n if (error) {\n NSLog(@\"Error loading URL: %@\", error);\n // Handle error\n } else {\n // Handle response\n NSLog(@\"Response: %@\", response);\n }\n }];\n \n \ // Start task\n [task resume];\n}\n```\n" languages: - generic severity: ERROR metadata: category: security cwe: CWE-295 shortDescription: Improper certificate validation owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: CRITICAL primary_identifier: mobsf.oc-other-rule-ios_webview_ignore_ssl secondary_identifiers: - name: mobsf ID oc-other-rule-ios_webview_ignore_ssl type: mobsf_rule_type value: oc-other-rule-ios_webview_ignore_ssl license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.oc-other-rule-ios_webview_ignore_ssl shortlink: https://sg.run/yyK5d semgrep.dev: rule: r_id: 144368 rv_id: 920459 rule_id: 8GUQROj version_id: GxToXJb url: https://semgrep.dev/playground/r/GxToXJb/gitlab.mobsf.oc-other-rule-ios_webview_ignore_ssl origin: community - id: gitlab.mobsf.swift-other-rule-ios_biometric_acl patterns: - pattern-either: - pattern: .biometryAny - pattern: .userPresence - pattern: .touchIDAny - pattern: SecAccessControlCreateWithFlags(...) message: "Weak biometric ACL flag is associated with a key stored in Keychain. \nWith '.biometryAny/.userPresence/.touchIDAny' flag, an attacker with \nthe ability to add a biometry to the device can authenticate as the \nuser. It is recommended to use more specific and secure authentication \nmechanisms like '.biometryCurrentSet' and '.touchIDCurrentSet'.\n\nHere's an example of how to fix the problem by using .biometryCurrentSet \nfor biometric authentication in Swift:\n```\nimport LocalAuthentication\n\n// Create an instance of LAContext for biometric authentication\nlet context = LAContext()\n\n// Check if biometric authentication is available\nif context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) {\n // Use biometryCurrentSet for biometric authentication\n context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, \n localizedReason: \"Authenticate with biometrics\", \n reply: { success, error in\n if success {\n print(\"Biometric authentication successful.\")\n // Proceed with authenticated actions\n \ } else {\n print(\"Biometric authentication failed: \n \ \\(error?.localizedDescription ?? \"Unknown error\")\")\n \ // Handle authentication failure\n }\n })\n} else {\n \ print(\"Biometric authentication not available.\")\n // Fallback to alternative authentication method\n}\n\n```\n" languages: - swift severity: ERROR metadata: category: security cwe: CWE-305 shortDescription: Authentication bypass by primary weakness owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures security-severity: CRITICAL primary_identifier: mobsf.swift-other-rule-ios_biometric_acl secondary_identifiers: - name: mobsf ID swift-other-rule-ios_biometric_acl type: mobsf_rule_type value: swift-other-rule-ios_biometric_acl license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.swift-other-rule-ios_biometric_acl shortlink: https://sg.run/r6GjA semgrep.dev: rule: r_id: 144369 rv_id: 920460 rule_id: gxU3dGW version_id: RGT2xrW url: https://semgrep.dev/playground/r/RGT2xrW/gitlab.mobsf.swift-other-rule-ios_biometric_acl origin: community - id: gitlab.mobsf.swift-other-rule-ios_dtls1_used patterns: - pattern: $Y.TLSMinimumSupportedProtocolVersion - pattern-inside: | ... $X = "tls_protocol_version_t.DTLSv10" ... message: "DTLS 1.2 should be used. Detected old version - DTLS 1.0.\nDTLS (Datagram Transport Layer Security) 1.0 suffers from \nvarious security vulnerabilities and weaknesses, as it is \nan outdated and less secure protocol compared to newer \nversions such as DTLS 1.2 or 1.3.\n\nHere's an example of how to use DTLS 1.2:\n```\nimport Network\n\n// Create a NWConnection instance with DTLS 1.2\nlet connection = NWConnection(host: NWEndpoint.Host(\"example.com\"), port: NWEndpoint.Port(\"443\"), using: .dtls)\n\n// Start the connection\nconnection.start(queue: .main)\n\n// Handle connection state changes\nconnection.stateUpdateHandler = { newState in\n switch newState {\n \ case .ready:\n print(\"Connection ready.\")\n // Perform data transfer or other operations\n case .failed(let error):\n print(\"Connection failed with error: \\(error)\")\n default:\n break\n }\n}\n```\n" languages: - swift severity: WARNING metadata: category: security cwe: CWE-757 shortDescription: Selection of less-secure algorithm during negotiation ('algorithm downgrade') owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: MEDIUM primary_identifier: mobsf.swift-other-rule-ios_dtls1_used secondary_identifiers: - name: mobsf ID swift-other-rule-ios_dtls1_used type: mobsf_rule_type value: swift-other-rule-ios_dtls1_used license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.swift-other-rule-ios_dtls1_used shortlink: https://sg.run/bwdRr semgrep.dev: rule: r_id: 144370 rv_id: 920461 rule_id: QrUWPlp version_id: A8TNlL1 url: https://semgrep.dev/playground/r/A8TNlL1/gitlab.mobsf.swift-other-rule-ios_dtls1_used origin: community - id: gitlab.mobsf.swift-other-rule-ios_file_no_special pattern-either: - pattern: .noFileProtection - pattern: FileProtectionType.none message: "The file has no special protections associated with it.\nUsing .noFileProtection or FileProtectionType.none for \nfile protection means that the file is not encrypted on disk, \nleaving it vulnerable to unauthorized access if the device is \ncompromised or if the file is accessed outside of the app's \nsandbox. To enhance security, it's crucial to use appropriate \nfile protection attributes based on the sensitivity of the data \nbeing stored. For sensitive data, you should use file protection \noptions that encrypt the data on disk, such as \nFileProtectionType.complete or \nFileProtectionType.completeUnlessOpen.\n\nHere's an example of how to fix the problem:\n```\nimport Foundation \n// Define the file URL\nlet fileURL = URL(fileURLWithPath: \"path/to/file\")\n// Define data to be written to the file\nlet data = \"Sensitive data\".data(using: .utf8)!\n// Write data to the file with complete file protection\ndo {\n try data.write(to: fileURL, options: .completeFileProtection)\n \ print(\"Data written to file with complete file protection.\")\n} catch {\n \ print(\"Error writing data to file: \\(error)\")\n}\n```\n" languages: - swift severity: ERROR metadata: category: security cwe: CWE-311 shortDescription: Missing encryption of sensitive data owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: CRITICAL primary_identifier: mobsf.swift-other-rule-ios_file_no_special secondary_identifiers: - name: mobsf ID swift-other-rule-ios_file_no_special type: mobsf_rule_type value: swift-other-rule-ios_file_no_special license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.swift-other-rule-ios_file_no_special shortlink: https://sg.run/NbkE1 semgrep.dev: rule: r_id: 144371 rv_id: 920462 rule_id: 3qUkqDj version_id: BjTKL8n url: https://semgrep.dev/playground/r/BjTKL8n/gitlab.mobsf.swift-other-rule-ios_file_no_special origin: community - id: python.requests.security.no-auth-over-http.no-auth-over-http fix-regex: regex: http:\/\/ replacement: https:// count: 1 message: Authentication detected over HTTP. HTTP does not provide any encryption or protection for these authentication credentials. This may expose these credentials to unauthorized parties. Use 'https://' instead. metadata: cwe: - 'CWE-523: Unprotected Transport of Credentials' owasp: - A02:2017 - Broken Authentication - A02:2021 - Cryptographic Failures - A04:2025 - Cryptographic Failures source-rule-url: https://pypi.org/project/flake8-flask/ references: - https://semgrep.dev/blog/2020/bento-check-no-auth-over-http/ - https://bento.dev/checks/requests/no-auth-over-http/ category: security technology: - requests subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/python.requests.security.no-auth-over-http.no-auth-over-http shortlink: https://sg.run/B4NW semgrep.dev: rule: r_id: 9695 rv_id: 1263575 rule_id: lBUdQZ version_id: 9lT4b2G url: https://semgrep.dev/playground/r/9lT4b2G/python.requests.security.no-auth-over-http.no-auth-over-http origin: community languages: - python severity: ERROR pattern-either: - pattern: requests.$W("=~/http:\/\/.*/", ..., auth=$X, ...) - pattern: | $URL = "=~/http:\/\/.../" ... requests.$W($URL, ..., auth=$X, ...) - id: gitlab.find_sec_bugs_kotlin.HTTP_PARAMETER_POLLUTION-1 languages: - kotlin message: | Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. severity: ERROR metadata: shortDescription: Improper neutralization of argument delimiters in a command ('Argument Injection') category: security cwe: CWE-88 owasp: - A1:2017-Injection - A03:2021-Injection technology: - kotlin security-severity: CRITICAL primary_identifier: find_sec_bugs.HTTP_PARAMETER_POLLUTION-1 secondary_identifiers: - name: Find Security Bugs-HTTP_PARAMETER_POLLUTION type: find_sec_bugs_type value: HTTP_PARAMETER_POLLUTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.HTTP_PARAMETER_POLLUTION-1 shortlink: https://sg.run/eq7lE semgrep.dev: rule: r_id: 144332 rv_id: 920423 rule_id: GdUvNO6 version_id: qkTpwJD url: https://semgrep.dev/playground/r/qkTpwJD/gitlab.find_sec_bugs_kotlin.HTTP_PARAMETER_POLLUTION-1 origin: community mode: taint pattern-sources: - pattern: '($REQ: HttpServletRequest).getParameter(...)' pattern-sanitizers: - pattern: java.net.URLEncoder.encode(...) - pattern: com.google.common.net.UrlEscapers.urlPathSegmentEscaper().escape(...) pattern-sinks: - pattern: org.apache.http.client.methods.HttpGet(...) - pattern: org.apache.commons.httpclient.methods.GetMethod(...) - pattern: '($GM: org.apache.commons.httpclient.methods.GetMethod).setQueryString(...)' - id: trailofbits.python.waiting-with-pytorch-distributed.waiting-with-pytorch-distributed message: Not waiting for requests is a source of undefined behavior languages: - python severity: WARNING metadata: category: security cwe: 'CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior' subcategory: - vuln confidence: MEDIUM likelihood: LOW impact: LOW technology: - pytorch description: Possible `PyTorch` undefined behavior when not waiting for requests references: - https://pytorch.org/docs/stable/distributed.html#torch.distributed.isend license: AGPL-3.0 license vulnerability_class: - Other source: https://semgrep.dev/r/trailofbits.python.waiting-with-pytorch-distributed.waiting-with-pytorch-distributed shortlink: https://sg.run/LpoX semgrep.dev: rule: r_id: 44139 rv_id: 833312 rule_id: 5rUxGL version_id: X0T5Nnv url: https://semgrep.dev/playground/r/X0T5Nnv/trailofbits.python.waiting-with-pytorch-distributed.waiting-with-pytorch-distributed origin: community patterns: - pattern-either: - pattern: $REQ = torch.distributed.irecv(...) - pattern: $REQ = torch.distributed.isend(...) - pattern-not-inside: | ... $REQ.wait() - id: gitlab.find_sec_bugs_kotlin.INSECURE_SMTP_SSL-1 languages: - kotlin message: | Server identity verification is disabled when making SSL connections. metadata: shortDescription: Improper validation of certificate with host mismatch category: security cwe: CWE-297 owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: CRITICAL primary_identifier: find_sec_bugs.INSECURE_SMTP_SSL-1 secondary_identifiers: - name: Find Security Bugs-INSECURE_SMTP_SSL type: find_sec_bugs_type value: INSECURE_SMTP_SSL license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.INSECURE_SMTP_SSL-1 shortlink: https://sg.run/4bJZZ semgrep.dev: rule: r_id: 144344 rv_id: 920435 rule_id: oqUgqQQ version_id: yeTDgew url: https://semgrep.dev/playground/r/yeTDgew/gitlab.find_sec_bugs_kotlin.INSECURE_SMTP_SSL-1 origin: community severity: ERROR patterns: - pattern-either: - pattern-inside: | $E = org.apache.commons.mail.SimpleEmail(...) ... - pattern-inside: | $E = org.apache.commons.mail.Email(...) ... - pattern-inside: | $E = org.apache.commons.mail.MultiPartEmail(...) ... - pattern-inside: | $E = org.apache.commons.mail.HtmlEmail(...) ... - pattern-inside: | $E = org.apache.commons.mail.ImageHtmlEmail(...) ... - pattern-not: | $E.setSSLOnConnect(true) ... $E.setSSLCheckServerIdentity(true) - id: python.lang.correctness.common-mistakes.is-comparison-string.string-is-comparison patterns: - pattern-not: $S is None - pattern-not: type($X) is $T - pattern-not: $S is True - pattern-not: $S is False - pattern-not: $S is "" - pattern-either: - pattern: $S is "..." - pattern: '"..." is $S' message: Found string comparison using 'is' operator. The 'is' operator is for reference equality, not value equality, and therefore should not be used to compare strings. For more information, see https://github.com/satwikkansal/wtfpython#-how-not-to-use-is-operator" languages: - python severity: ERROR metadata: category: correctness technology: - python license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/python.lang.correctness.common-mistakes.is-comparison-string.string-is-comparison shortlink: https://sg.run/W814 semgrep.dev: rule: r_id: 9609 rv_id: 946287 rule_id: 6JUjKG version_id: X0TL8NG url: https://semgrep.dev/playground/r/X0TL8NG/python.lang.correctness.common-mistakes.is-comparison-string.string-is-comparison origin: community - id: javascript.browser.security.open-redirect.js-open-redirect message: The application accepts potentially user-controlled input `$PROP` which can control the location of the current window context. This can lead two types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection. options: interfile: true metadata: interfile: true cwe: - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' owasp: - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control asvs: section: V5 Validation, Sanitization and Encoding control_id: 5.5.1 Insecue Redirect control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation version: '4' category: security confidence: HIGH references: - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html technology: - browser subcategory: - vuln likelihood: HIGH impact: MEDIUM license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Open Redirect source: https://semgrep.dev/r/javascript.browser.security.open-redirect.js-open-redirect shortlink: https://sg.run/3xRe semgrep.dev: rule: r_id: 9243 rv_id: 1263122 rule_id: WAUopl version_id: pZT03x0 url: https://semgrep.dev/playground/r/pZT03x0/javascript.browser.security.open-redirect.js-open-redirect origin: community languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern: | new URLSearchParams($WINDOW. ... .location.search).get('...') - pattern: | new URLSearchParams(location.search).get('...') - pattern: | new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...') - pattern: | new URLSearchParams(location.hash.substring(1)).get('...') - patterns: - pattern-either: - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.search) ... - pattern-inside: | $PROPS = new URLSearchParams(location.search) ... - pattern-inside: | $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1)) ... - pattern-inside: | $PROPS = new URLSearchParams(location.hash.substring(1)) ... - pattern: $PROPS.get('...') - patterns: - pattern-either: - pattern-inside: | $PROPS = new URL($WINDOW. ... .location.href) ... - pattern-inside: | $PROPS = new URL(location.href) ... - pattern: $PROPS.searchParams.get('...') - patterns: - pattern-either: - pattern: | new URL($WINDOW. ... .location.href).searchParams.get('...') - pattern: | new URL(location.href).searchParams.get('...') pattern-sinks: - patterns: - pattern-either: - pattern: location.href = $SINK - pattern: $THIS. ... .location.href = $SINK - pattern: location.replace($SINK) - pattern: $THIS. ... .location.replace($SINK) - pattern: location = $SINK - pattern: $WINDOW. ... .location = $SINK - focus-metavariable: $SINK - metavariable-pattern: patterns: - pattern-not: | "..." + $VALUE - pattern-not: | `...${$VALUE}` metavariable: $SINK - id: gitlab.find_sec_bugs_kotlin.OVERLY_PERMISSIVE_FILE_PERMISSION-1 languages: - kotlin message: | Overly permissive file permission metadata: shortDescription: Incorrect permission assignment for critical resource cwe: CWE-732 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control category: security confidence: HIGH security-severity: MEDIUM primary_identifier: find_sec_bugs.OVERLY_PERMISSIVE_FILE_PERMISSION-1 secondary_identifiers: - name: Find Security Bugs-OVERLY_PERMISSIVE_FILE_PERMISSION type: find_sec_bugs_type value: OVERLY_PERMISSIVE_FILE_PERMISSION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.OVERLY_PERMISSIVE_FILE_PERMISSION-1 shortlink: https://sg.run/Qrdzx semgrep.dev: rule: r_id: 144342 rv_id: 920433 rule_id: YGUpWGx version_id: 1QT4NQj url: https://semgrep.dev/playground/r/1QT4NQj/gitlab.find_sec_bugs_kotlin.OVERLY_PERMISSIVE_FILE_PERMISSION-1 origin: community severity: WARNING patterns: - pattern-either: - pattern: java.nio.file.Files.setPosixFilePermissions(..., java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING")); - pattern: | $PERMISSIONS = java.nio.file.attribute.PosixFilePermissions.fromString("$PERM_STRING"); ... java.nio.file.Files.setPosixFilePermissions(..., $PERMISSIONS); - metavariable-regex: metavariable: $PERM_STRING regex: '[rwx-]{6}[rwx]{1,}' - id: php.lang.security.md5-loose-equality.md5-loose-equality mode: taint pattern-sinks: - pattern: | $VAR1 == $VAR2 - pattern: | $VAR1 != $VAR2 pattern-sources: - pattern: $PHAR->getSignature() - pattern: $RARENTRY->getCrc() - pattern: base_convert(...) - pattern: bin2hex(...) - pattern: dechex(...) - pattern: hash_file(...) - pattern: hash_final(...) - pattern: hash_hmac_file(...) - pattern: hash_hmac(...) - pattern: hash_pbkdf2(...) - pattern: hash(...) - pattern: md5_file(...) - pattern: md5(...) - pattern: openssl_x509_fingerprint(...) - pattern: rnp_locate_key(...) - pattern: sha1_file(...) - pattern: sha1(...) - pattern: sodium_bin2hex(...) pattern-sanitizers: - pattern: strlen(...) message: Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues metadata: cwe: - 'CWE-697: Incorrect Comparison' references: - https://www.php.net/manual/en/types.comparisons.php - https://web.archive.org/web/20210430183236/https://www.whitehatsec.com/blog/magic-hashes/ category: security technology: - php subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality shortlink: https://sg.run/Do4G semgrep.dev: rule: r_id: 9396 rv_id: 1024161 rule_id: GdU7RO version_id: 9lTWdQq url: https://semgrep.dev/playground/r/9lTWdQq/php.lang.security.md5-loose-equality.md5-loose-equality origin: community languages: - php severity: ERROR - id: php.lang.correctness.empty-with-boolean-expression.empty-with-boolean-expression pattern-either: - pattern: | empty($A && $B) - pattern: | empty($A || $B) message: Calling `empty` on a boolean expression may be an indication that a parenthesis is misplaced. metadata: category: correctness technology: - php confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/php.lang.correctness.empty-with-boolean-expression.empty-with-boolean-expression shortlink: https://sg.run/Dky1j semgrep.dev: rule: r_id: 187352 rv_id: 1018661 rule_id: KxUn5q2 version_id: d6TPRe7 url: https://semgrep.dev/playground/r/d6TPRe7/php.lang.correctness.empty-with-boolean-expression.empty-with-boolean-expression origin: community languages: - php severity: WARNING - id: gitlab.find_sec_bugs_kotlin.SAML_IGNORE_COMMENTS-1 languages: - kotlin message: | Ignoring XML comments in SAML may lead to authentication bypass metadata: shortDescription: Improper authentication cwe: CWE-287 category: security owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: MEDIUM primary_identifier: find_sec_bugs.SAML_IGNORE_COMMENTS-1 secondary_identifiers: - name: Find Security Bugs-SAML_IGNORE_COMMENTS type: find_sec_bugs_type value: SAML_IGNORE_COMMENTS license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SAML_IGNORE_COMMENTS-1 shortlink: https://sg.run/WAd9z semgrep.dev: rule: r_id: 144353 rv_id: 920444 rule_id: r6Uydg7 version_id: vdTvQB4 url: https://semgrep.dev/playground/r/vdTvQB4/gitlab.find_sec_bugs_kotlin.SAML_IGNORE_COMMENTS-1 origin: community severity: WARNING pattern: '($POOL: org.opensaml.xml.parse.BasicParserPool).setIgnoreComments(false);' - id: gitlab.find_sec_bugs_kotlin.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 languages: - kotlin message: | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. severity: ERROR metadata: shortDescription: Improper control of generation of code ('Code Injection') category: security cwe: CWE-94 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 secondary_identifiers: - name: Find Security Bugs-SCRIPT_ENGINE_INJECTION type: find_sec_bugs_type value: SCRIPT_ENGINE_INJECTION - name: Find Security Bugs-SPEL_INJECTION type: find_sec_bugs_type value: SPEL_INJECTION - name: Find Security Bugs-EL_INJECTION type: find_sec_bugs_type value: EL_INJECTION - name: Find Security Bugs-SEAM_LOG_INJECTION type: find_sec_bugs_type value: SEAM_LOG_INJECTION license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 shortlink: https://sg.run/3qPNl semgrep.dev: rule: r_id: 144343 rv_id: 920434 rule_id: 6JUvn74 version_id: 9lTA76K url: https://semgrep.dev/playground/r/9lTA76K/gitlab.find_sec_bugs_kotlin.SCRIPT_ENGINE_INJECTION-1.SPEL_INJECTION-1.EL_INJECTION-2.SEAM_LOG_INJECTION-1 origin: community mode: taint pattern-sinks: - patterns: - patterns: - pattern-inside: | $ENGINE = $F.getEngineByExtension(...) ... - pattern: $ENGINE.eval($ARG, ...); - pattern-not: $ENGINE.eval("..."); - pattern-not: '$ENGINE.eval("...", ($BINDING: javax.script.Bindings));' - patterns: - pattern: '($ENGINE: javax.script.ScriptEngine).eval($ARG, ...);' - pattern-not: '($ENGINE: javax.script.ScriptEngine).eval("...");' - pattern-not: '($ENGINE: javax.script.ScriptEngine).eval("...", ($BINDING: javax.script.Bindings));' - pattern: '($INVC: javax.script.Invocable).invokeFunction(..., $ARG)' - pattern: '($INVC: javax.script.Invocable).invokeMethod(..., $ARG)' pattern-sources: - patterns: - pattern-inside: 'fun $FUNC(..., $VAR: String, ...) { ... }' - pattern: $VAR - id: gitlab.find_sec_bugs_kotlin.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 languages: - kotlin message: | The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. options: taint_assume_safe_functions: true metadata: shortDescription: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') category: security cwe: CWE-89 technology: - java owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 secondary_identifiers: - name: Find Security Bugs-SQL_INJECTION_SPRING_JDBC type: find_sec_bugs_type value: SQL_INJECTION_SPRING_JDBC - name: Find Security Bugs-SQL_INJECTION_JPA type: find_sec_bugs_type value: SQL_INJECTION_JPA - name: Find Security Bugs-SQL_INJECTION_JDO type: find_sec_bugs_type value: SQL_INJECTION_JDO - name: Find Security Bugs-SQL_INJECTION_JDBC type: find_sec_bugs_type value: SQL_INJECTION_JDBC - name: Find Security Bugs-SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE type: find_sec_bugs_type value: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE - name: Find Security Bugs-SQL_INJECTION type: find_sec_bugs_type value: SQL_INJECTION - name: Find Security Bugs-SQL_INJECTION_HIBERNATE type: find_sec_bugs_type value: SQL_INJECTION_HIBERNATE - name: Find Security Bugs-SQL_INJECTION_VERTX type: find_sec_bugs_type value: SQL_INJECTION_VERTX - name: Find Security Bugs-SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING type: find_sec_bugs_type value: SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 shortlink: https://sg.run/nJ41b semgrep.dev: rule: r_id: 144336 rv_id: 920427 rule_id: DbU6low version_id: o5TK1J1 url: https://semgrep.dev/playground/r/o5TK1J1/gitlab.find_sec_bugs_kotlin.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1 origin: community severity: ERROR mode: taint pattern-sources: - patterns: - pattern-inside: 'fun $FUNC(..., $SRC: String, ...) { ... }' - pattern: $SRC pattern-propagators: - pattern: $SB.append($SRC) from: $SRC to: $SB - patterns: - pattern: $F(..., $SRC, ...) - focus-metavariable: $F - pattern-either: - pattern: String.format - pattern: StringBuilder from: $SRC to: $F pattern-sinks: - patterns: - pattern-either: - pattern: '($PM: javax.jdo.PersistenceManager).newQuery($ARG)' - pattern: '($PM: javax.jdo.PersistenceManager).newQuery(..., $ARG)' - pattern: '($Q: javax.jdo.Query).setFilter($ARG)' - pattern: '($Q: javax.jdo.Query).setGrouping($ARG)' - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($ARG, ...) - pattern: '($S: org.hibernate.Session).createQuery($ARG, ...)' - pattern: '($S: org.hibernate.Session).createSQLQuery($ARG, ...)' - pattern: '($S: java.sql.Statement).executeQuery($ARG, ...)' - pattern: '($S: java.sql.Statement).execute($ARG, ...)' - pattern: '($S: java.sql.Statement).executeUpdate($ARG, ...)' - pattern: '($S: java.sql.Statement).executeLargeUpdate($ARG, ...)' - pattern: '($S: java.sql.Statement).addBatch($ARG, ...)' - pattern: '($S: java.sql.PreparedStatement).executeQuery($ARG, ...)' - pattern: '($S: java.sql.PreparedStatement).execute($ARG, ...)' - pattern: '($S: java.sql.PreparedStatement).executeUpdate($ARG, ...)' - pattern: '($S: java.sql.PreparedStatement).executeLargeUpdate($ARG, ...)' - pattern: '($S: java.sql.PreparedStatement).addBatch($ARG, ...)' - pattern: '($S: java.sql.Connection).prepareCall($ARG, ...)' - pattern: '($S: java.sql.Connection).prepareStatement($ARG, ...)' - pattern: '($S: java.sql.Connection).nativeSQL($ARG, ...)' - pattern: org.springframework.jdbc.core.PreparedStatementCreatorFactory($ARG, ...) - pattern: '($F: org.springframework.jdbc.core.PreparedStatementCreatorFactory).newPreparedStatementCreator($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).batchUpdate($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).execute($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).query($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForList($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForMap($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForObject($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForRowSet($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForInt($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).queryForLong($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcOperations).update($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).batchUpdate($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).execute($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).query($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForList($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForMap($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForObject($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForRowSet($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForInt($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).queryForLong($ARG, ...)' - pattern: '($O: org.springframework.jdbc.core.JdbcTemplate).update($ARG, ...)' - pattern: '($O: io.vertx.sqlclient.SqlClient).query($ARG, ...)' - pattern: '($O: io.vertx.sqlclient.SqlClient).preparedQuery($ARG, ...)' - pattern: '($O: io.vertx.sqlclient.SqlConnection).prepare($ARG, ...)' - pattern: '($O: org.apache.turbine.om.peer.BasePeer).executeQuery($ARG, ...)' - pattern: '($O: org.apache.torque.util.BasePeer).executeQuery($ARG, ...)' - pattern: '($O: javax.persistence.EntityManager).createQuery($ARG, ...)' - pattern: '($O: javax.persistence.EntityManager).createNativeQuery($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).createQuery($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).createScript($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).createUpdate($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).execute($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).prepareBatch($ARG, ...)' - pattern: '($H: org.jdbi.v3.core.Handle).select($ARG, ...)' - pattern: org.jdbi.v3.core.statement.Script($H, $ARG) - pattern: org.jdbi.v3.core.statement.Update($H, $ARG) - pattern: org.jdbi.v3.core.statement.PreparedBatch($H, $ARG) - focus-metavariable: $ARG - id: gitlab.find_sec_bugs_kotlin.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 languages: - kotlin message: | A malicious user in control of a template can run malicious code on the server-side. Velocity templates should be seen as scripts. metadata: shortDescription: Improper control of generation of code ('Code Injection') category: security cwe: CWE-94 owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: find_sec_bugs.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 secondary_identifiers: - name: Find Security Bugs-TEMPLATE_INJECTION_PEBBLE type: find_sec_bugs_type value: TEMPLATE_INJECTION_PEBBLE - name: Find Security Bugs-TEMPLATE_INJECTION_FREEMARKER type: find_sec_bugs_type value: TEMPLATE_INJECTION_FREEMARKER - name: Find Security Bugs-TEMPLATE_INJECTION_VELOCITY type: find_sec_bugs_type value: TEMPLATE_INJECTION_VELOCITY license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 shortlink: https://sg.run/BYoJ9 semgrep.dev: rule: r_id: 144351 rv_id: 920442 rule_id: 9AUdrNp version_id: O9Tv7RD url: https://semgrep.dev/playground/r/O9Tv7RD/gitlab.find_sec_bugs_kotlin.TEMPLATE_INJECTION_PEBBLE-1.TEMPLATE_INJECTION_FREEMARKER-1.TEMPLATE_INJECTION_VELOCITY-1 origin: community severity: ERROR pattern-either: - patterns: - pattern: org.apache.velocity.app.Velocity.evaluate(..., $VAR) - pattern-not: org.apache.velocity.app.Velocity.evaluate(..., "...") - patterns: - pattern-not-inside: | $C = ($CFG: freemarker.template.Configuration).getTemplate("..."); ... - pattern-inside: | $C = ($CFG: freemarker.template.Configuration).getTemplate($IN); ... - pattern: $C.process(...) - patterns: - pattern-inside: | import com.mitchellbosecke.pebble.PebbleEngine; ... - pattern-inside: | $C = $T.getTemplate($IN); ... - pattern-not-inside: | $C = $T.getTemplate("..."); ... - pattern: $C.evaluate(...) - id: gitlab.mobsf.swift-other-rule-ios_tls3_not_used pattern-either: - patterns: - pattern: $X.TLSMinimumSupportedProtocolVersion = $VAL - metavariable-pattern: metavariable: $VAL pattern-either: - pattern: | .TLSv1_0 - pattern: | .TLSv1_1 - pattern: | .TLSv1_2 message: "The app uses TLS 1.0, TLS 1.1 or TLS 1.2. TLS 1.3 should be used instead.\nTLS versions 1.1 and 1.0 were deprecated by the IETF in June 2018 due to \na number of attacks against the vulnerable versions. Use of a deprecated \nTLS version may result in the unauthorized retrieval of sensitive \ninformation. It is strongly recommended that all TLS connections\nuse TLS 1.3\n\nTLS 1.3 includes several security improvements over previous versions, such\nas stronger cryptographic algorithms and negotiation mechanisms, reducing \nthe risk of security vulnerabilities and attacks like BEAST and POODLE.\n\n\nExample using TLS 1.3:\n```\nimport Foundation\n// Create a URLSession configuration with TLS 1.3 support\nlet configuration = URLSessionConfiguration.default\nconfiguration.tlsMinimumSupportedProtocol = .TLSv13\n// Create a URLSession with the custom configuration\nlet session = URLSession(configuration: configuration) \n// Define the URL to connect to\nlet url = URL(string: \"https://example.com\")!\n// Create a data task to fetch data from the URL\nlet task = session.dataTask(with: url) { data, response, error in\n // Handle response\n if let error = error {\n print(\"Error: \\(error)\")\n return\n }\n if let httpResponse = response as? HTTPURLResponse {\n print(\"Status code: \\(httpResponse.statusCode)\")\n } \n if let data = data {\n // Process received data\n print(\"Received data: \\(data)\")\n \ }\n}\n// Start the data task\ntask.resume()\n```\n" languages: - swift severity: ERROR metadata: category: security cwe: CWE-757 shortDescription: Selection of less-secure algorithm during negotiation ('algorithm downgrade') owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration security-severity: CRITICAL primary_identifier: mobsf.swift-other-rule-ios_tls3_not_used secondary_identifiers: - name: mobsf ID swift-other-rule-ios_tls3_not_used type: mobsf_rule_type value: swift-other-rule-ios_tls3_not_used license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.swift-other-rule-ios_tls3_not_used shortlink: https://sg.run/wdWPX semgrep.dev: rule: r_id: 144373 rv_id: 920464 rule_id: PeUJ4qx version_id: WrTYnjD url: https://semgrep.dev/playground/r/WrTYnjD/gitlab.mobsf.swift-other-rule-ios_tls3_not_used origin: community - id: gitlab.nodejs_scan.javascript-crypto-rule-node_aes_ecb patterns: - pattern-either: - pattern: | $X.createCipheriv("=~/^aes-([0-9]+)-ecb$/i", ...) - pattern: | $X.createDecipheriv("=~/^aes-([0-9]+)-ecb$/i", ...) message: | AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data. languages: - javascript severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-327 shortDescription: Use of a broken or risky cryptographic algorithm security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-crypto-rule-node_aes_ecb secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_aes_ecb type: njsscan_rule_type value: AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_aes_ecb shortlink: https://sg.run/x80JP semgrep.dev: rule: r_id: 144374 rv_id: 920465 rule_id: JDUN0Ao version_id: 0bTp39B url: https://semgrep.dev/playground/r/0bTp39B/gitlab.nodejs_scan.javascript-crypto-rule-node_aes_ecb origin: community - id: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret message: 'Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)' metadata: cwe: - 'CWE-522: Insufficiently Protected Credentials' owasp: - A02:2017 - Broken Authentication - A04:2021 - Insecure Design - A06:2025 - Insecure Design references: - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ category: security technology: - jwt cwe2021-top25: true subcategory: - vuln likelihood: HIGH impact: MEDIUM confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret shortlink: https://sg.run/l2E9 semgrep.dev: rule: r_id: 9557 rv_id: 1263452 rule_id: X5U8P5 version_id: PkTR3X3 url: https://semgrep.dev/playground/r/PkTR3X3/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret origin: community patterns: - pattern: | jwt.encode($_, "...", ...) languages: - python severity: ERROR - id: gitlab.nodejs_scan.javascript-crypto-rule-node_aes_noiv patterns: - pattern-either: - pattern: | $X.createCipheriv("=~/^aes-/i", $KEY, "", ...) message: | AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier. languages: - javascript severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-327 shortDescription: Use of a broken or risky cryptographic algorithm security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-crypto-rule-node_aes_noiv secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_aes_noiv type: njsscan_rule_type value: AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_aes_noiv shortlink: https://sg.run/Or3Eb semgrep.dev: rule: r_id: 144375 rv_id: 920466 rule_id: 5rUdW09 version_id: K3TwLQE url: https://semgrep.dev/playground/r/K3TwLQE/gitlab.nodejs_scan.javascript-crypto-rule-node_aes_noiv origin: community - id: gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator pattern-either: - patterns: - pattern-inside: | require('crypto') ... - pattern: | $X.pseudoRandomBytes(...) - pattern: | Math.random(...) message: "This rule identifies use of cryptographically weak random number generators.\nUsing cryptographically weak random number generators like `crypto.pseudoRandomBytes()` \nand `Math.random()` for security-critical tasks can expose systems to significant \nvulnerabilities. Attackers might predict the generated random numbers, compromising \nthe integrity and confidentiality of cryptographic operations. This could lead to \nbreaches where sensitive data is accessed or manipulated, authentication mechanisms \nare bypassed, or secure communications are intercepted, ultimately undermining the \nsecurity of the entire system or application.\n\nMitigation strategy:\nReplace the use of these cryptographically weak random number generators with \n`crypto.randomBytes()`, a method provided by Node.js's `crypto` module that \ngenerates cryptographically secure random numbers. This method should be used \nfor all operations requiring secure randomness, such as generating keys, tokens, \nor any cryptographic material.\n\nSecure Code Example:\n```\nconst crypto = require('crypto');\nconst secureBytes = crypto.randomBytes(256);\nconsole.log(`Secure random bytes: ${secureBytes.toString('hex')}`);\n```\n" languages: - javascript severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-338 shortDescription: Use of cryptographically weak pseudo-random number generator (PRNG) security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-crypto-rule-node_insecure_random_generator secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_insecure_random_generator type: njsscan_rule_type value: crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator shortlink: https://sg.run/eq7DE semgrep.dev: rule: r_id: 144376 rv_id: 920467 rule_id: GdUvN56 version_id: qkTpweD url: https://semgrep.dev/playground/r/qkTpweD/gitlab.nodejs_scan.javascript-crypto-rule-node_insecure_random_generator origin: community - id: gitlab.nodejs_scan.javascript-crypto-rule-node_sha1 pattern-either: - patterns: - pattern-either: - patterns: - pattern-inside: | $Y = $X.createHash('sha1') ... - pattern: | $Y.update("...") - pattern: | $X.createHash('sha1').update("...") - patterns: - pattern-inside: | require('crypto-js') ... - pattern: | $X.SHA1("...") - patterns: - pattern-either: - pattern-inside: | $M = require('sha1') ... - pattern-inside: | $M = require('js-sha1') ... - pattern: | $M("...") - patterns: - pattern-inside: | require('node-forge') ... - pattern-either: - patterns: - pattern-inside: | $Y = $X.md.sha1.create() ... - pattern: | $Y.update("...") - pattern: | $X.md.sha1.create().update("...") - patterns: - pattern-inside: | $X = require('jshashes') ... $Y = new $X.SHA1() ... - pattern: | $Y.$METHOD("...") - patterns: - pattern-inside: | require('hash.js') ... - pattern-either: - patterns: - pattern-inside: | $Y = $X.sha1() ... - pattern: | $Y.update("...") - pattern: | $X.sha1().update("...") - patterns: - pattern-inside: | $X = require('jssha') ... - pattern-either: - pattern: | new $X('SHA-1', ...).update("...") - patterns: - pattern-inside: | $Y = new $X('SHA-1', ...) ... - pattern: | $Y.update("...") - patterns: - pattern-either: - pattern: | $X('sha1').update("...") - patterns: - pattern-inside: | $Y = $X('sha1') ... - pattern: | $Y.update("...") - pattern: | $X.subtle.digest('SHA-1', ...) - patterns: - pattern-either: - pattern: | $X.SHA1.digest(...) - patterns: - pattern-inside: | $Y = $X.SHA1 ... - pattern: "$Y.digest(...) \n" - patterns: - pattern-either: - pattern: | $X.codec.hex.fromBits($SJCL) - patterns: - pattern-inside: | $Y = $SJCL ... - pattern: | $X.codec.hex.fromBits($Y) - metavariable-pattern: metavariable: $SJCL pattern: | $K.hash.sha1.hash("...") message: "The SHA-1 hashing algorithm is no longer considered secure for cryptographic applications due to its vulnerability to collision attacks, where two different inputs produce the same output hash. SHA-1's susceptibility to collision attacks undermines the security of cryptographic operations, allowing attackers to forge signatures or manipulate data without detection. This poses significant risks in authentication systems, data integrity validations, and secure communications. \nRemediation: To mitigate this vulnerability, replace the SHA1 hashing algorithm with stronger cryptographic hash functions, such as SHA-256 or SHA-3. These \ algorithms offer significantly improved security and are resistant to collision attacks, making them suitable for cryptographic purposes in modern applications.\nSecure Code example: ``` const crypto = require('crypto'); const hash = crypto.createHash('sha256').update('sensitive data').digest('hex'); console.log(hash); ```\n" languages: - javascript severity: WARNING metadata: shortDescription: Use of weak hash category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-328 security-severity: MEDIUM primary_identifier: nodejs_scan.javascript-crypto-rule-node_sha1 secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_sha1 type: njsscan_rule_type value: SHA1 is a a weak hash which is known to have collision. Use a strong hashing function. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_sha1 shortlink: https://sg.run/d8dB5 semgrep.dev: rule: r_id: 144378 rv_id: 920469 rule_id: AbU9D1g version_id: YDTYbO9 url: https://semgrep.dev/playground/r/YDTYbO9/gitlab.nodejs_scan.javascript-crypto-rule-node_sha1 origin: community - id: gitlab.nodejs_scan.javascript-crypto-rule-node_timing_attack patterns: - pattern-not: if ($Z == null) { ... }; - pattern-not: if ($Z === null) { ... }; - pattern-not: if ($Z != null) { ... }; - pattern-not: if ($Z !== null) { ... }; - pattern-not: if ($Q != undefined) { ... }; - pattern-not: if ($Q !== undefined) { ... }; - pattern-not: if ($Q == undefined) { ... }; - pattern-not: if ($Q === undefined) { ... }; - pattern-not: return $Y == null; - pattern-not: return $Y === null; - pattern-not: return $Y != null; - pattern-not: return $Y !== null; - pattern-not: return $Y == undefined; - pattern-not: return $Y === undefined; - pattern-not: return $Y != undefined; - pattern-not: return $Y !== undefined; - pattern-either: - pattern: | if (password == $X) { ... } - pattern: | if ($X == password) { ... } - pattern: | if (password === $X) { ... } - pattern: | if ($X === password) { ... } - pattern: | if (pass == $X) { ... } - pattern: | if ($X == pass) { ... } - pattern: | if (pass === $X) { ... } - pattern: | if ($X === pass) { ... } - pattern: | if (secret == $X) { ... } - pattern: | if ($X == secret) { ... } - pattern: | if (secret === $X) { ... } - pattern: | if ($X === secret) { ... } - pattern: | if (api == $X) { ... } - pattern: | if ($X == api) { ... } - pattern: | if (api === $X) { ... } - pattern: | if ($X === api) { ... } - pattern: | if (apiKey == $X) { ... } - pattern: | if ($X == apiKey) { ... } - pattern: | if (apiKey === $X) { ... } - pattern: | if ($X === apiKey) { ... } - pattern: | if (apiSecret == $X) { ... } - pattern: | if ($X == apiSecret) { ... } - pattern: | if (apiSecret === $X) { ... } - pattern: | if ($X === apiSecret) { ... } - pattern: | if (token == $X) { ... } - pattern: | if ($X == token) { ... } - pattern: | if (token === $X) { ... } - pattern: | if ($X === token) { ... } - pattern: | if (hash == $X) { ... } - pattern: | if ($X == hash) { ... } - pattern: | if (hash === $X) { ... } - pattern: | if ($X === hash) { ... } - pattern: | if (auth_token == $X) { ... } - pattern: | if ($X == auth_token) { ... } - pattern: | if (auth_token === $X) { ... } - pattern: | if ($X === auth_token) { ... } - pattern: | if (password != $X) { ... } - pattern: | if ($X != password) { ... } - pattern: | if (password !== $X) { ... } - pattern: | if ($X !== password) { ... } - pattern: | if (pass != $X) { ... } - pattern: | if ($X != pass) { ... } - pattern: | if (pass !== $X) { ... } - pattern: | if ($X !== pass) { ... } - pattern: | if (secret != $X) { ... } - pattern: | if ($X != secret) { ... } - pattern: | if (secret !== $X) { ... } - pattern: | if ($X !== secret) { ... } - pattern: | if (api != $X) { ... } - pattern: | if ($X != api) { ... } - pattern: | if (api !== $X) { ... } - pattern: | if ($X !== api) { ... } - pattern: | if (apiKey != $X) { ... } - pattern: | if ($X != apiKey) { ... } - pattern: | if (apiKey !== $X) { ... } - pattern: | if ($X !== apiKey) { ... } - pattern: | if (apiSecret != $X) { ... } - pattern: | if ($X != apiSecret) { ... } - pattern: | if (apiSecret !== $X) { ... } - pattern: | if ($X !== apiSecret) { ... } - pattern: | if (token != $X) { ... } - pattern: | if ($X != token) { ... } - pattern: | if (token !== $X) { ... } - pattern: | if ($X !== token) { ... } - pattern: | if (hash != $X) { ... } - pattern: | if ($X != hash) { ... } - pattern: | if (hash !== $X) { ... } - pattern: | if ($X !== hash) { ... } - pattern: | if (auth_token != $X) { ... } - pattern: | if ($X != auth_token) { ... } - pattern: | if (auth_token !== $X) { ... } - pattern: | if ($X !== auth_token) { ... } - pattern: | return $X === auth_token; - pattern: | return auth_token === $X; - pattern: | return $X === token; - pattern: | return token === $X; - pattern: | return $X === hash; - pattern: | return hash === $X; - pattern: | return $X === password; - pattern: | return password === $X; - pattern: | return $X === pass; - pattern: | return pass === $X; - pattern: | return $X === apiKey; - pattern: | return apiKey === $X; - pattern: | return $X === apiSecret; - pattern: | return apiSecret === $X; - pattern: | return $X === api_key; - pattern: | return api_key === $X; - pattern: | return $X === api_secret; - pattern: | return api_secret === $X; - pattern: | return $X === secret; - pattern: | return secret === $X; - pattern: | return $X === api; - pattern: | return api === $X; - pattern: | return $X == auth_token; - pattern: | return auth_token == $X; - pattern: | return $X == token; - pattern: | return token == $X; - pattern: | return $X == hash; - pattern: | return hash == $X; - pattern: | return $X == password; - pattern: | return password == $X; - pattern: | return $X == pass; - pattern: | return pass == $X; - pattern: | return $X == apiKey; - pattern: | return apiKey == $X; - pattern: | return $X == apiSecret; - pattern: | return apiSecret == $X; - pattern: | return $X == api_key; - pattern: | return api_key == $X; - pattern: | return $X == api_secret; - pattern: | return api_secret == $X; - pattern: | return $X == secret; - pattern: | return secret == $X; - pattern: | return $X == api; - pattern: | return api == $X; - pattern: | return $X !== auth_token; - pattern: | return auth_token !== $X; - pattern: | return $X !== token; - pattern: | return token !== $X; - pattern: | return $X !== hash; - pattern: | return hash !== $X; - pattern: | return $X !== password; - pattern: | return password !== $X; - pattern: | return $X !== pass; - pattern: | return pass !== $X; - pattern: | return $X !== apiKey; - pattern: | return apiKey !== $X; - pattern: | return $X !== apiSecret; - pattern: | return apiSecret !== $X; - pattern: | return $X !== api_key; - pattern: | return api_key !== $X; - pattern: | return $X !== api_secret; - pattern: | return api_secret !== $X; - pattern: | return $X !== secret; - pattern: | return secret !== $X; - pattern: | return $X !== api; - pattern: | return api !== $X; - pattern: | return $X != auth_token; - pattern: | return auth_token != $X; - pattern: | return $X != token; - pattern: | return token != $X; - pattern: | return $X != hash; - pattern: | return hash != $X; - pattern: | return $X != password; - pattern: | return password != $X; - pattern: | return $X != pass; - pattern: | return pass != $X; - pattern: | return $X != apiKey; - pattern: | return apiKey != $X; - pattern: | return $X != apiSecret; - pattern: | return apiSecret != $X; - pattern: | return $X != api_key; - pattern: | return api_key != $X; - pattern: | return $X != api_secret; - pattern: | return api_secret != $X; - pattern: | return $X != secret; - pattern: | return secret != $X; - pattern: | return $X != api; - pattern: | return api != $X; message: | 'String comparisons using ''==='', ''!=='', ''!='' and ''=='' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/' languages: - javascript severity: WARNING metadata: cwe: CWE-208 shortDescription: Observable timing discrepancy category: security owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures security-severity: MEDIUM primary_identifier: nodejs_scan.javascript-crypto-rule-node_timing_attack secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_timing_attack type: njsscan_rule_type value: '''String comparisons using ''''==='''', ''''!=='''', ''''!='''' and ''''=='''' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_timing_attack shortlink: https://sg.run/ZqdEL semgrep.dev: rule: r_id: 144379 rv_id: 920470 rule_id: BYUXqOb version_id: 6xTyXzg url: https://semgrep.dev/playground/r/6xTyXzg/gitlab.nodejs_scan.javascript-crypto-rule-node_timing_attack origin: community - id: ruby.rails.security.audit.avoid-logging-everything.avoid-logging-everything languages: - ruby severity: ERROR message: Avoid logging `params` and `params.inspect` as this bypasses Rails filter_parameters and may inadvertently log sensitive data. Instead, reference specific fields to ensure only expected data is logged. metadata: category: security technology: - rails references: - https://guides.rubyonrails.org/configuring.html#config-filter-parameters - https://api.rubyonrails.org/v7.1/classes/ActiveSupport/ParameterFilter.html cwe: - 'CWE-532: Insertion of Sensitive Information into Log File' likelihood: HIGH impact: MEDIUM confidence: LOW subcategory: - audit license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/ruby.rails.security.audit.avoid-logging-everything.avoid-logging-everything shortlink: https://sg.run/9l3x2 semgrep.dev: rule: r_id: 191423 rv_id: 1024163 rule_id: wdU6kwq version_id: rxTLyOG url: https://semgrep.dev/playground/r/rxTLyOG/ruby.rails.security.audit.avoid-logging-everything.avoid-logging-everything origin: community patterns: - pattern-either: - pattern: Rails.logger.$METHOD(params) - pattern: Rails.logger.$METHOD("...#{params}...") - pattern: Rails.logger.$METHOD(params.inspect) - pattern: Rails.logger.$METHOD("...#{params.inspect}...") - pattern: | Rails.logger.$METHOD do "...#{params}..." end - pattern: | Rails.logger.$METHOD do "...#{params.inspect}..." end - pattern: | Rails.logger.$METHOD do params end - pattern: | Rails.logger.$METHOD do params.inspect end - pattern-not: | Rails.logger.$METHOD do params[...] end - pattern-not: | Rails.logger.$METHOD do "#{params.inspect[...]}" end - metavariable-regex: metavariable: $METHOD regex: (info|warn|error|fatal|unknown) - id: gitlab.nodejs_scan.javascript-crypto-rule-node_tls_reject patterns: - pattern-either: - pattern: | $X.env.NODE_TLS_REJECT_UNAUTHORIZED = $VAL - pattern: | $X.env['NODE_TLS_REJECT_UNAUTHORIZED']= $VAL - metavariable-pattern: metavariable: $VAL pattern-either: - pattern: | '0' - pattern: | 0 message: "The application sets NODE_TLS_REJECT_UNAUTHORIZED to '0', which instructs Node.js to disable TLS/SSL certificate validation. \nThis configuration allows the application to accept self-signed certificates or certificates from untrusted authorities, \nundermining the TLS security model. Disabling TLS/SSL certificate validation compromises the integrity and confidentiality \nof data in transit between the client and server. It makes the application vulnerable to man-in-the-middle (MITM) attacks, \nwhere an attacker could intercept or alter the data being exchanged.\n\nMitigation Strategy:\nDo not disable TLS/SSL certificate validation in production environments. Ensure that NODE_TLS_REJECT_UNAUTHORIZED is \nset to '1' or is removed entirely from the production configuration (as the default configuration of validating SSL \ncertificate is safe).\n\nSecure Code Example:\n```\nconst https = require('https')\nprocess.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '1'\nconst req = https.request(options, res => {\n let data = ''\n res.on('data', chunk => {\n data += chunk\n })\n res.on('end', () => {\n console.log('Response Body:', data)\n })\n})\nreq.end()\n```\n" languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-295 shortDescription: Improper Certificate Validation security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-crypto-rule-node_tls_reject secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_tls_reject type: njsscan_rule_type value: Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_tls_reject shortlink: https://sg.run/nJ4zb semgrep.dev: rule: r_id: 144380 rv_id: 920471 rule_id: DbU6l4w version_id: o5TK1R1 url: https://semgrep.dev/playground/r/o5TK1R1/gitlab.nodejs_scan.javascript-crypto-rule-node_tls_reject origin: community - id: gitlab.find_sec_bugs_kotlin.URLCONNECTION_SSRF_FD-1 languages: - kotlin message: | Server-Side Request Forgery occur when a web server executes a request to a user supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server. metadata: shortDescription: Server-Side Request Forgery (SSRF) category: security cwe: CWE-918 owasp: - A1:2017-Injection - A10:2021-Server-Side Request Forgery security-severity: CRITICAL primary_identifier: find_sec_bugs.URLCONNECTION_SSRF_FD-1 secondary_identifiers: - name: Find Security Bugs-URLCONNECTION_SSRF_FD type: find_sec_bugs_type value: URLCONNECTION_SSRF_FD license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.find_sec_bugs_kotlin.URLCONNECTION_SSRF_FD-1 shortlink: https://sg.run/JDy0Z semgrep.dev: rule: r_id: 144346 rv_id: 920437 rule_id: pKU1Zg4 version_id: bZTLo6b url: https://semgrep.dev/playground/r/bZTLo6b/gitlab.find_sec_bugs_kotlin.URLCONNECTION_SSRF_FD-1 origin: community severity: ERROR pattern-either: - patterns: - pattern-either: - pattern-inside: | import java.net.*; ... - pattern-inside: | import java.net.URL; ... - pattern-inside: | import java.net.URI; ... - pattern: $TYPE(...). ... .$FUNC - pattern-not: $TYPE("..."). ... .$FUNC - metavariable-pattern: metavariable: $FUNC pattern-either: - pattern: connect - pattern: GetContent - pattern: openConnection - pattern: openStream - pattern: getContent - pattern: content - metavariable-pattern: metavariable: $TYPE pattern-either: - pattern: URL - pattern: java.net.URL - pattern: URI - pattern: java.net.URI - patterns: - pattern-either: - pattern-inside: | import java.net.*; ... - pattern-inside: | import java.net.InetSocketAddress; ... - pattern: | InetSocketAddress(..., $PORT) - pattern-not: | InetSocketAddress("...", $PORT) - id: gitlab.nodejs_scan.javascript-database-rule-node_nosqli_injection patterns: - pattern-not-inside: | $SANITIZE = require('mongo-sanitize') ... $SANITIZE(...) ... - pattern-not-inside: | import $SANITIZE from 'mongo-sanitize' ... $SANITIZE(...) ... - pattern-not: | $OBJ.findOne({$KEY : String(...).$FUNC()}, ...) - pattern-not: | $OBJ.findOne({$KEY : String(...).$FUNC}, ...) - pattern-not: | $OBJ.findOne({$KEY : String(...)}, ...) - pattern-either: - pattern: | $OBJ.findOne({$KEY : <... $REQ.$FOO.$BAR ...> }, ...) - pattern: | $OBJ.findOne({$KEY: <... $REQ.$FOO ...> }, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $OBJ.findOne({$KEY : <... $INP ...> }, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $OBJ.findOne({$KEY: <... $INP ...> }, ...) - pattern: | $QUERY = {$KEY: <... $REQ.$FOO.$BAR ...>}; ... $OBJ.findOne($QUERY, ...) - pattern: | $QUERY = {$KEY: <... $REQ.$FOO ...>}; ... $OBJ.findOne($QUERY, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $QUERY = {$KEY : <... $INP ...> }; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $QUERY = {$KEY : <... $INP ...> }; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $QUERY[$KEY] = <... $REQ.$FOO.$BAR ...>; ... $OBJ.findOne($QUERY, ...) - pattern: | $QUERY[$KEY] = <... $REQ.$FOO ...>; ... $OBJ.findOne($QUERY, ...) - pattern: | $INP = <... $REQ.$FOO.$BAR ...>; ... $QUERY[$KEY] = <... $INP ...>; ... $OBJ.findOne(<... $QUERY ...>, ...) - pattern: | $INP = <... $REQ.$FOO ...>; ... $QUERY[$KEY] = <... $INP ...>; ... $OBJ.findOne(<... $QUERY ...>, ...) message: | Untrusted user input in findOne() function can result in NoSQL Injection. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-943 shortDescription: Improper neutralization of special elements in data query logic security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-database-rule-node_nosqli_injection secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-node_nosqli_injection type: njsscan_rule_type value: Untrusted user input in findOne() function can result in NoSQL Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-node_nosqli_injection shortlink: https://sg.run/L1bE7 semgrep.dev: rule: r_id: 144383 rv_id: 920474 rule_id: KxUvEBQ version_id: 2KTdOwq url: https://semgrep.dev/playground/r/2KTdOwq/gitlab.nodejs_scan.javascript-database-rule-node_nosqli_injection origin: community - id: gitlab.nodejs_scan.javascript-database-rule-sequelize_tls message: | 'The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.' languages: - javascript severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-319 shortDescription: Cleartext transmission of sensitive information security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-database-rule-sequelize_tls secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-sequelize_tls type: njsscan_rule_type value: |- 'The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks. ' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-sequelize_tls shortlink: https://sg.run/QrdEx semgrep.dev: rule: r_id: 144386 rv_id: 920477 rule_id: YGUpWjx version_id: 1QT4Nkj url: https://semgrep.dev/playground/r/1QT4Nkj/gitlab.nodejs_scan.javascript-database-rule-sequelize_tls origin: community patterns: - pattern: | { host: $HOST, database: $DATABASE, dialect: $DIALECT } - pattern-not: | { host: $HOST, database: $DATABASE, dialect: "postgres", dialectOptions: { ssl: true } } - pattern-not: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: { ... } } } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres|oracle)[''"]' - id: gitlab.nodejs_scan.javascript-database-rule-sequelize_tls_cert_validation message: "The Sequelize connection string indicates that TLS certificate validation \nof database server is disabled. This is equivalent to not having TLS. An \nattacker can present any invalid certificate and Sequelize will make database \nconnection ignoring certificate errors. This setting make the connection\nsusceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.\n" severity: ERROR languages: - javascript metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-295 shortDescription: Improper certificate validation security-severity: HIGH category: security primary_identifier: nodejs_scan.javascript-database-rule-sequelize_tls_cert_validation secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-sequelize_tls_cert_validation type: njsscan_rule_type value: |- 'The Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database. ' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-sequelize_tls_cert_validation shortlink: https://sg.run/3qPOl semgrep.dev: rule: r_id: 144387 rv_id: 920478 rule_id: 6JUvnO4 version_id: 9lTA7XK url: https://semgrep.dev/playground/r/9lTA7XK/gitlab.nodejs_scan.javascript-database-rule-sequelize_tls_cert_validation origin: community patterns: - pattern: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: { rejectUnauthorized: false } } } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres)[''"]' - id: gitlab.mobsf.swift-other-rule-ios_keychain_weak_accessibility_value pattern-either: - pattern: kSecAttrAccessibleAlways - pattern: kSecAttrAccessibleAfterFirstUnlock message: "A key stored in the Keychain is using a weak accessibility value. \n\nkSecAttrAccessibleAlways allows access to the keychain item at all \ntimes, even when the device is locked. Storing sensitive data with \nthis accessibility option means that the data is accessible to anyone \nwho gains physical access to the device, regardless of whether it's \nlocked or not. This increases the risk of unauthorized access to \nsensitive information. kSecAttrAccessibleAfterFirstUnlock allows access\nto the keychain item only after the device has been unlocked once after\na reboot. While this provides some level of protection, the data becomes\naccessible as soon as the device is unlocked for the first time after a\nreboot. If sensitive data is stored with this accessibility option, it \ncould still be accessed by an attacker who gains physical access to the\ndevice before it's unlocked for the first time after a reboot.\n\nTo mitigate these security risks, it's important to use the appropriate \naccessibility option based on the sensitivity of the data being stored. \nFor sensitive data that should only be accessible when the device is \nunlocked, the kSecAttrAccessibleWhenUnlocked or \nkSecAttrAccessibleWhenUnlockedThisDeviceOnly \noptions should be used.\n\nHere's an example code that fixes the problem by using the \nkSecAttrAccessibleWhenUnlocked option:\n```\nimport Foundation\nimport Security\n\n// Define the data to be stored in the keychain\nlet secretData = \"superSecretData\".data(using: .utf8)!\n\n// Create query dictionary to specify the keychain item\nlet query: [String: Any] = [\n kSecClass as String: kSecClassGenericPassword,\n kSecAttrService as String: \"com.example.myApp\",\n \ kSecAttrAccount as String: \"userPassword\",\n kSecValueData as String: secretData,\n kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked\n]\n\n// Add the keychain item\nlet status = SecItemAdd(query as CFDictionary, nil)\nif status == errSecSuccess {\n print(\"Secret data successfully stored in keychain.\")\n} else {\n print(\"Error storing secret data in keychain: \\(status)\")\n}\n```\n" languages: - swift severity: WARNING metadata: category: security cwe: CWE-305 shortDescription: Authentication bypass by primary weakness owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures security-severity: MEDIUM primary_identifier: mobsf.swift-other-rule-ios_keychain_weak_accessibility_value secondary_identifiers: - name: mobsf ID swift-other-rule-ios_keychain_weak_accessibility_value type: mobsf_rule_type value: swift-other-rule-ios_keychain_weak_accessibility_value license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.mobsf.swift-other-rule-ios_keychain_weak_accessibility_value shortlink: https://sg.run/kxdYz semgrep.dev: rule: r_id: 144372 rv_id: 920463 rule_id: 4bUR4Wg version_id: DkT2yvP url: https://semgrep.dev/playground/r/DkT2yvP/gitlab.mobsf.swift-other-rule-ios_keychain_weak_accessibility_value origin: community - id: gitlab.nodejs_scan.javascript-database-rule-node_knex_sqli_injection patterns: - pattern-either: - pattern-inside: | $KNEX = require('knex') ... - pattern-inside: | $KNEX = require('knex')(...) ... - pattern-either: - pattern: | $K.raw(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $K.raw(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY.$VAR ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $SQL = <... $INP ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $K.raw(<... $SQL ...>, ...) - pattern: | $K.whereRaw(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $K.whereRaw(<... $REQ.$QUERY ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY.$VAR ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $SQL = <... $REQ.$QUERY ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $SQL = <... $INP ...>; ... $K.whereRaw(<... $SQL ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $SQL = <... $INP ...>; ... $K.whereRaw(<... $SQL ...>, ...) message: | Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-89 shortDescription: Improper neutralization of special elements used in an SQL command (SQL Injection) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-database-rule-node_knex_sqli_injection secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-node_knex_sqli_injection type: njsscan_rule_type value: Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-node_knex_sqli_injection shortlink: https://sg.run/7KRO4 semgrep.dev: rule: r_id: 144382 rv_id: 920473 rule_id: 0oULNRq version_id: pZTbDxY url: https://semgrep.dev/playground/r/pZTbDxY/gitlab.nodejs_scan.javascript-database-rule-node_knex_sqli_injection origin: community - id: gitlab.nodejs_scan.javascript-database-rule-node_nosqli_js_injection patterns: - pattern-either: - pattern: | $OBJ.$FUNC({$where: <... $REQ.$FOO.$BAR ...>}, ...) - pattern: | $OBJ.$FUNC({$where: <... $REQ.$QUERY ...>}, ...) - pattern: | $NSQL = <... $REQ.$QUERY.$...>; ... $OBJ.$FUNC({$where: <... $NSQL ...>}, ...) - pattern: | $NSQL = <... $REQ.$QUERY ...>; ... $OBJ.$FUNC({$where: <... $NSQL ...>}, ...) - pattern: | $INP = $REQ.$FOO.$BAR; ... $QRY = {$where: <... $INP ...>}; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO; ... $QRY = {$where: <... $INP ...>}; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $QRY["$where"] = <... $REQ.$FOO ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $QRY["$where"] = <... $REQ.$FOO.$BAR ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO; ... $QRY["$where"] = <... $INP ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) - pattern: | $INP = $REQ.$FOO.$BAR; ... $QRY["$where"] = <... $INP ...>; ... $OBJ.$FUNC(<... $QRY ...>, ...) message: | Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-943 shortDescription: Improper neutralization of special elements in data query logic security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-database-rule-node_nosqli_js_injection secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-node_nosqli_js_injection type: njsscan_rule_type value: Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-node_nosqli_js_injection shortlink: https://sg.run/8GAZ4 semgrep.dev: rule: r_id: 144384 rv_id: 920475 rule_id: qNU26zK version_id: X0TAKlb url: https://semgrep.dev/playground/r/X0TAKlb/gitlab.nodejs_scan.javascript-database-rule-node_nosqli_js_injection origin: community - id: gitlab.nodejs_scan.javascript-crypto-rule-node_weak_crypto patterns: - pattern-either: - pattern: | $X.createCipher('des', ...) message: | A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application. languages: - javascript severity: WARNING metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-327 shortDescription: Use of a broken or risky cryptographic algorithm security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-crypto-rule-node_weak_crypto secondary_identifiers: - name: NodeJS Scan ID javascript-crypto-rule-node_weak_crypto type: njsscan_rule_type value: A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-crypto-rule-node_weak_crypto shortlink: https://sg.run/Ew2Eo semgrep.dev: rule: r_id: 144381 rv_id: 920472 rule_id: WAUWB2G version_id: zyTG3Q2 url: https://semgrep.dev/playground/r/zyTG3Q2/gitlab.nodejs_scan.javascript-crypto-rule-node_weak_crypto origin: community - id: gitlab.nodejs_scan.javascript-database-rule-sequelize_weak_tls message: | 'The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it''s recommended to use TLS1.3. Not applicable to SQLite database.' metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-757 shortDescription: Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-database-rule-sequelize_weak_tls secondary_identifiers: - name: NodeJS Scan ID javascript-database-rule-sequelize_weak_tls type: njsscan_rule_type value: |- 'The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it''s recommended to use TLS1.3. Not applicable to SQLite database. ' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-database-rule-sequelize_weak_tls shortlink: https://sg.run/4bJOZ semgrep.dev: rule: r_id: 144388 rv_id: 920479 rule_id: oqUgqjQ version_id: yeTDg5w url: https://semgrep.dev/playground/r/yeTDg5w/gitlab.nodejs_scan.javascript-database-rule-sequelize_weak_tls origin: community severity: ERROR languages: - javascript patterns: - pattern-inside: | { host: $HOST, database: $DATABASE, dialect: $DIALECT, dialectOptions: { ssl: ... } } - pattern-either: - pattern: | { minVersion: 'TLSv1' } - pattern: | { minVersion: 'TLSv1.1' } - metavariable-regex: metavariable: $DIALECT regex: '[''"](mariadb|mysql|postgres)[''"]' - id: gitlab.nodejs_scan.javascript-dos-rule-layer7_object_dos mode: taint pattern-sources: - patterns: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern: $REQ.$FUNC. ... - metavariable-regex: metavariable: $FUNC regex: ^(body|params|query|baseUrl|cookies|hostname|subdomains|ip|ips|originalUrl|path)$ pattern-sinks: - patterns: - pattern: | for(...; $COND; ...){...} - focus-metavariable: $COND - metavariable-pattern: metavariable: $COND pattern-either: - pattern: | Object.Keys($VAR).length - pattern: $VAR.length - patterns: - pattern-either: - pattern: $OBJ.forEach - pattern: $OBJ.map - pattern: Object.keys($OBJ).map - pattern: $OBJ.filter - pattern: $OBJ.reduce - pattern: $OBJ.reduceRight - focus-metavariable: $OBJ message: "This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability.\n\nA layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. \nThis can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place.\n\nFor example, if a user can control the size of an array or object passed into the application, \nthey could create an extremely large input that gets looped over. This would consume excessive CPU cycles or memory, \npotentially crashing or slowing down the application.\n\nTo prevent this, limits should be set on the number of iterations, input sizes, recursion depth, etc.\n\nSample case of secure array looped over with user-controlled input\n```\n// Potential DoS if req.body.list.length is large.\napp.post('/dos/layer7-object-dos/for-loop/1', function (req, res) {\n \ var list = req.body.list;\n for (let i = 0; i <= 10; i++) {\n if(!list[i]){\n \ // return;\n } \n }\n res.send(\"res\")\n});\n```\n\nImplementing protections against layer 7 denial of service attacks is important for securing modern web applications and APIs.\n" languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-400 shortDescription: Uncontrolled resource consumption security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-dos-rule-layer7_object_dos secondary_identifiers: - name: NodeJS Scan ID javascript-dos-rule-layer7_object_dos type: njsscan_rule_type value: Layer7 Denial of Service. Looping over user controlled objects can result in DoS. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-dos-rule-layer7_object_dos shortlink: https://sg.run/PedEE semgrep.dev: rule: r_id: 144389 rv_id: 920480 rule_id: zdUKovv version_id: rxTjv8O url: https://semgrep.dev/playground/r/rxTjv8O/gitlab.nodejs_scan.javascript-dos-rule-layer7_object_dos origin: community - id: gitlab.nodejs_scan.javascript-dos-rule-regex_dos patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $REGEX.test(<... $REQ ...>) - pattern: | $REGEX.test(<... $REQ.$QUERY ...>) - pattern: | $REGEX.test(<... $REQ.$BODY.$PARAM ...>) - pattern: | $INP = <... $REQ ...>; ... $REGEX.test(<... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $REGEX.test(<... $INP ...>) - pattern: | $INP = <... $REQ.$BODY.$PARAM ...>; ... $REGEX.test(<... $INP ...>) - pattern: | /.../g.exec(<... $REQ ...>) - pattern: | /.../g.exec(<... $REQ.$QUERY ...>) - pattern: | /.../.exec(<... $REQ.$BODY.$PARAM ...>) - pattern: | $INP = <... $REQ ...>; ... /.../.exec(<... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY ...>; ... /.../.exec(<... $INP ...>) - pattern: | $INP = <... $REQ.$BODY.$PARAM ...>; ... /.../.exec(<... $INP ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ.$QUERY ...>) - pattern: | $RE = /.../; ... $RE.exec(<... $REQ.$BODY.$PARAM ...>) message: | Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-185 shortDescription: Incorrect regular expression security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-dos-rule-regex_dos secondary_identifiers: - name: NodeJS Scan ID javascript-dos-rule-regex_dos type: njsscan_rule_type value: Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-dos-rule-regex_dos shortlink: https://sg.run/JDyEZ semgrep.dev: rule: r_id: 144390 rv_id: 920481 rule_id: pKU1Zv4 version_id: bZTLo4b url: https://semgrep.dev/playground/r/bZTLo4b/gitlab.nodejs_scan.javascript-dos-rule-regex_dos origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_allow_http patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {allowRunningInsecureContent: true}}) - pattern: | var $X = {webPreferences: {allowRunningInsecureContent: true}}; message: | Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks. languages: - javascript severity: ERROR metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-319 shortDescription: Cleartext Transmission of Sensitive Information security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_allow_http secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_allow_http type: njsscan_rule_type value: Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_allow_http shortlink: https://sg.run/5r5Ol semgrep.dev: rule: r_id: 144391 rv_id: 920482 rule_id: 2ZUzyBk version_id: NdTeRQg url: https://semgrep.dev/playground/r/NdTeRQg/gitlab.nodejs_scan.javascript-electronjs-rule-electron_allow_http origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_blink_integration patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {enableBlinkFeatures: '...'}}) - pattern: | var $X = {webPreferences: {enableBlinkFeatures: '...'}}; message: | Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-272 shortDescription: Least privilege violation security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_blink_integration secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_blink_integration type: njsscan_rule_type value: Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_blink_integration shortlink: https://sg.run/GdjE1 semgrep.dev: rule: r_id: 144392 rv_id: 920483 rule_id: X5UQDX1 version_id: kbTOPZj url: https://semgrep.dev/playground/r/kbTOPZj/gitlab.nodejs_scan.javascript-electronjs-rule-electron_blink_integration origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_context_isolation patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {contextIsolation: false}}) - pattern: | var $X = {webPreferences: {contextIsolation: false}}; message: | Disabling context isolation can introduce Prototype Pollution vulnerabilities. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-693 shortDescription: Protection mechanism failure security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_context_isolation secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_context_isolation type: njsscan_rule_type value: javascript-electronjs-rule-electron_context_isolation license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_context_isolation shortlink: https://sg.run/RedE2 semgrep.dev: rule: r_id: 144393 rv_id: 920484 rule_id: j2UgdAW version_id: w8Tkb0J url: https://semgrep.dev/playground/r/w8Tkb0J/gitlab.nodejs_scan.javascript-electronjs-rule-electron_context_isolation origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_disable_websecurity patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {webSecurity: false}}) - pattern: | var $X = {webPreferences: {webSecurity: false}}; message: | Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain. languages: - javascript severity: ERROR metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-693 shortDescription: Origin validation error security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_disable_websecurity secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_disable_websecurity type: njsscan_rule_type value: Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_disable_websecurity shortlink: https://sg.run/Ab6O6 semgrep.dev: rule: r_id: 144394 rv_id: 920485 rule_id: 10UO6A6 version_id: xyTdr3W url: https://semgrep.dev/playground/r/xyTdr3W/gitlab.nodejs_scan.javascript-electronjs-rule-electron_disable_websecurity origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_experimental_features patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {experimentalFeatures: true}}) - pattern: | var $X = {webPreferences: {experimentalFeatures: true}}; message: | Experimental features are not expected to be in production ready applications. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-272 shortDescription: Least privilege violation security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_experimental_features secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_experimental_features type: njsscan_rule_type value: Experimental features are not expected to be in production ready applications. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_experimental_features shortlink: https://sg.run/BYo89 semgrep.dev: rule: r_id: 144395 rv_id: 920486 rule_id: 9AUdrYp version_id: O9Tv7ZD url: https://semgrep.dev/playground/r/O9Tv7ZD/gitlab.nodejs_scan.javascript-electronjs-rule-electron_experimental_features origin: community - id: gitlab.nodejs_scan.javascript-electronjs-rule-electron_nodejs_integration patterns: - pattern-either: - pattern: | new BrowserWindow({webPreferences: {nodeIntegration: true}}) - pattern: | var $X = {webPreferences: {nodeIntegration: true}}; message: | Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS). languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-272 shortDescription: Least privilege violation security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-electronjs-rule-electron_nodejs_integration secondary_identifiers: - name: NodeJS Scan ID javascript-electronjs-rule-electron_nodejs_integration type: njsscan_rule_type value: Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS). license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-electronjs-rule-electron_nodejs_integration shortlink: https://sg.run/DbpEW semgrep.dev: rule: r_id: 144396 rv_id: 920487 rule_id: yyURl9K version_id: e1TZKAz url: https://semgrep.dev/playground/r/e1TZKAz/gitlab.nodejs_scan.javascript-electronjs-rule-electron_nodejs_integration origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-eval_nodejs patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | new Function(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | new Function(..., <... $REQ.$QUERY ...>, ...) - pattern: | eval(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | eval(..., <... $REQ.$QUERY ...>, ...) - pattern: | setTimeout(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | setTimeout(..., <... $REQ.$QUERY ...>, ...) - pattern: | setInterval(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | setInterval(..., <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... new Function(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... new Function(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... eval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... eval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... setTimeout(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... setTimeout(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... setInterval(..., <... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... setInterval(..., <... $INP ...>, ...) message: | User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection languages: - javascript severity: ERROR metadata: cwe: CWE-95 shortDescription: Improper neutralization of directives in dynamically evaluated code ('Eval Injection') category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: HIGH primary_identifier: nodejs_scan.javascript-eval-rule-eval_nodejs secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-eval_nodejs type: njsscan_rule_type value: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-eval_nodejs shortlink: https://sg.run/WAdEz semgrep.dev: rule: r_id: 144397 rv_id: 920488 rule_id: r6UydR7 version_id: vdTvQ34 url: https://semgrep.dev/playground/r/vdTvQ34/gitlab.nodejs_scan.javascript-eval-rule-eval_nodejs origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-eval_require mode: taint pattern-sources: - patterns: - pattern-inside: | function ($REQ, $RES, ...) {...} - focus-metavariable: $REQ pattern-sinks: - patterns: - pattern: | require($REQ, ...) - focus-metavariable: $REQ pattern-sanitizers: - patterns: - pattern-either: - pattern: "if($VALIDATION){\n...\nrequire($REQ, ...) \n...\n} \n" - pattern: | $A = $VALIDATION ... if($A){ ... require($REQ, ...) ... } - metavariable-pattern: metavariable: $VALIDATION pattern-either: - pattern: "$AL.includes(...) \n" - pattern: | $AL.indexOf(...) !== -1 - pattern: | $AL.find(...) !== undefined - pattern: | $ALS.has(...) message: "Passing untrusted user input directly into the require() function without proper \nvalidation or sanitization can possibly cause a vulnerability known as remote code execution (RCE). \nAn attacker could manipulate the input to load and execute arbitrary code from external sources, \npotentially leading to severe security breaches such as data theft, system compromise, \nor unauthorized access.\nTo mitigate this risk, it's crucial to validate and sanitize user input\nthoroughly before passing it to functions like require(), ensuring that only trusted and safe inputs are utilized.\n\nFollowing is an example of secure validation against allowlist to prevent the vulnerability:\n```\n// Define a list of explicitly allowed packages for require\nconst allowedPkgs = [\n 'package1',\n 'package2',\n \ 'package3'\n];\n\napp.get(\"/eval/require/7\", async (req, res) => {\n var isAllowed = allowedPkgs.includes(req.query.name); \n if (isAllowed) {\n // ok: rules_lgpl_javascript_eval_rule-eval-require\n var cp = require(req.query.name);\n \ cp.exec('ls', (error, stdout, stderr) => {\n console.log(\"exec output : \\n\", stdout)\n }); \n }\n res.send(\"Please check console logs.\");\n});\n```\n" severity: ERROR languages: - javascript metadata: cwe: CWE-706 shortDescription: Use of incorrectly-resolved name or reference category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-eval_require secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-eval_require type: njsscan_rule_type value: Untrusted user input in `require()` function allows an attacker to load arbitrary code. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-eval_require shortlink: https://sg.run/0okOJ semgrep.dev: rule: r_id: 144398 rv_id: 920489 rule_id: bwUbpDe version_id: d6T6gbK url: https://semgrep.dev/playground/r/d6T6gbK/gitlab.nodejs_scan.javascript-eval-rule-eval_require origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-grpc_insecure_connection patterns: - pattern-either: - pattern-inside: | require('grpc') ... - pattern-inside: | import $MOD from 'grpc' ... - pattern: $CREDENTIALS.createInsecure() message: | Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. metadata: owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-eval-rule-grpc_insecure_connection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-grpc_insecure_connection type: njsscan_rule_type value: Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-grpc_insecure_connection shortlink: https://sg.run/KxrE6 semgrep.dev: rule: r_id: 144399 rv_id: 920490 rule_id: NbU3P0R version_id: ZRTedye url: https://semgrep.dev/playground/r/ZRTedye/gitlab.nodejs_scan.javascript-eval-rule-grpc_insecure_connection origin: community severity: ERROR languages: - javascript - typescript - id: gitlab.nodejs_scan.javascript-eval-rule-node_deserialize patterns: - pattern-either: - pattern: | require('node-serialize').unserialize(...) - pattern-inside: | $MOD = require('node-serialize') ... - pattern-inside: | import $MOD from 'node-serialize' ... - pattern: | $MOD.unserialize(...) message: | User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. languages: - javascript - typescript severity: ERROR metadata: owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-eval-rule-node_deserialize secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-node_deserialize type: njsscan_rule_type value: User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-node_deserialize shortlink: https://sg.run/4bJOE semgrep.dev: rule: r_id: 144400 rv_id: 920491 rule_id: kxUdN0G version_id: nWTnNwp url: https://semgrep.dev/playground/r/nWTnNwp/gitlab.nodejs_scan.javascript-eval-rule-node_deserialize origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-sandbox_code_injection patterns: - pattern-inside: | require('sandbox') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $S.run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... $S.run(<... $CODE ...>,...) - pattern: | new $SANDBOX(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new $SANDBOX(...).run(<... $CODE ...>,...) - pattern: | $S.run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... $S.run(<... $CODE ...>,...) - pattern: | new $SANDBOX(...).run(<... $REQ.$BODY ...>,...) - pattern: |- $CODE = <... $REQ.$BODY ...>; ... new $SANDBOX(...).run(<... $CODE ...>,...) message: | Unrusted data in `sandbox` can result in code injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-sandbox_code_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-sandbox_code_injection type: njsscan_rule_type value: Unrusted data in `sandbox` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-sandbox_code_injection shortlink: https://sg.run/PedEq semgrep.dev: rule: r_id: 144401 rv_id: 920492 rule_id: wdU9XdL version_id: ExT1WYN url: https://semgrep.dev/playground/r/ExT1WYN/gitlab.nodejs_scan.javascript-eval-rule-sandbox_code_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-serializetojs_deserialize patterns: - pattern-either: - pattern: | require('serialize-to-js').deserialize(...) - pattern-inside: | $MOD = require('serialize-to-js') ... - pattern-inside: | import $MOD from 'serialize-to-js' ... - pattern: | $MOD.deserialize(...) message: | User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. languages: - javascript - typescript severity: ERROR metadata: owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-eval-rule-serializetojs_deserialize secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-serializetojs_deserialize type: njsscan_rule_type value: User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-serializetojs_deserialize shortlink: https://sg.run/JDyEQ semgrep.dev: rule: r_id: 144402 rv_id: 920493 rule_id: x8UKPyo version_id: 7ZTbRYn url: https://semgrep.dev/playground/r/7ZTbRYn/gitlab.nodejs_scan.javascript-eval-rule-serializetojs_deserialize origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-server_side_template_injection patterns: - pattern-either: - pattern-inside: | require('handlebars') ... - pattern-inside: | require('pug') ... - pattern-inside: | require('hamljs') ... - pattern-inside: | require('ejs') ... - pattern-inside: | require('squirrelly') ... - pattern-inside: | require('eta') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $HB.compile(..., <... $REQ.$FOO ...>, ...) - pattern: | $HB.compile(..., <... $REQ.$FOO.$BAR ...>, ...) - pattern: | $X = <... $REQ.$FOO ...>; ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = <... $REQ.$FOO.$BAR ...>; ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...) ... $HB.compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...) ... $HB.compile(..., <... $X ...>, ...) - pattern: | $HB.Compile(..., <... $REQ.$FOO ...>, ...) - pattern: | $HB.Compile(..., <... $REQ.$FOO.$BAR ...>, ...) - pattern: | $X = <... $REQ.$FOO ...>; ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = <... $REQ.$FOO.$BAR ...>; ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO ...>, ...) ... $HB.Compile(..., <... $X ...>, ...) - pattern: | $X = $SOURCE.replace('...', <... $REQ.$FOO.$BAR ...>, ...) ... $HB.Compile(..., <... $X ...>, ...) message: | Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection. languages: - javascript severity: ERROR metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-server_side_template_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-server_side_template_injection type: njsscan_rule_type value: Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-server_side_template_injection shortlink: https://sg.run/5r5O3 semgrep.dev: rule: r_id: 144403 rv_id: 920494 rule_id: OrUNwKe version_id: LjTzepk url: https://semgrep.dev/playground/r/LjTzepk/gitlab.nodejs_scan.javascript-eval-rule-server_side_template_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm2_code_injection patterns: - pattern-inside: | require('vm2') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... $VM.run(<... $CODE ...>,...) - pattern: | new VM(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | new NodeVM(...).run(<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new NodeVM(...).run(<... $CODE ...>,...) - pattern: | $CODE = <... $REQ.$QUERY.$FOO ...>; ... new VMScript(<... $CODE ...>,...) - pattern: | $VM.run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... $VM.run(<... $CODE ...>,...) - pattern: | new VM(...).run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new VM(...).run($CODE,...) - pattern: | new NodeVM(...).run(<... $REQ.$BODY ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new NodeVM(...).run(<... $CODE ...>,...) - pattern: | $CODE = <... $REQ.$BODY ...>; ... new VMScript(<... $CODE ...>,...) message: | Untrusted user input reaching `vm2` can result in code injection. severity: WARNING languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm2_code_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm2_code_injection type: njsscan_rule_type value: Untrusted user input reaching `vm2` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm2_code_injection shortlink: https://sg.run/GdjEn semgrep.dev: rule: r_id: 144404 rv_id: 920495 rule_id: eqU0QX6 version_id: 8KTvlLN url: https://semgrep.dev/playground/r/8KTvlLN/gitlab.nodejs_scan.javascript-eval-rule-vm2_code_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm2_context_injection patterns: - pattern-inside: | require('vm2') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | new VM({sandbox: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$QUERY.$FOO ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | new NodeVM({sandbox: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$QUERY.$FOO ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | new VM({sandbox: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new VM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$BODY ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new VM($OPTS,...) - pattern: | new NodeVM({sandbox: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... new NodeVM({sandbox: <... $CONTEXT ...>},...) - pattern: | $OPTS = {sandbox: <... $REQ.$BODY ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) - pattern: |- $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {sandbox: <... $CONTEXT ...>}; ... new NodeVM($OPTS,...) message: | Untrusted user input reaching `vm2` sandbox can result in context injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm2_context_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm2_context_injection type: njsscan_rule_type value: Untrusted user input reaching `vm2` sandbox can result in context injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm2_context_injection shortlink: https://sg.run/RedEK semgrep.dev: rule: r_id: 144405 rv_id: 920496 rule_id: v8UYex2 version_id: gETkX5r url: https://semgrep.dev/playground/r/gETkX5r/gitlab.nodejs_scan.javascript-eval-rule-vm2_context_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm_code_injection patterns: - pattern-inside: | $VM = require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $VM.runInContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInContext($INPUT,...) - pattern: $VM.runInNewContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInNewContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInNewContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInNewContext($INPUT,...) - pattern: $VM.runInThisContext(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.runInThisContext(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInThisContext($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.runInThisContext($INPUT,...) - pattern: $VM.compileFunction(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $VM.compileFunction(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $VM.compileFunction($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $VM.compileFunction($INPUT,...) - pattern: new $VM.Script(<... $REQ.$QUERY.$FOO ...>,...) - pattern: new $VM.Script(<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... new $VM.Script($INPUT,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... new $VM.Script($INPUT,...) message: | Untrusted user input reaching `vm` can result in code injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm_code_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm_code_injection type: njsscan_rule_type value: Untrusted user input reaching `vm` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm_code_injection shortlink: https://sg.run/Ab6O4 semgrep.dev: rule: r_id: 144406 rv_id: 920497 rule_id: d8UrX2R version_id: QkT1NQA url: https://semgrep.dev/playground/r/QkT1NQA/gitlab.nodejs_scan.javascript-eval-rule-vm_code_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm_compilefunction_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $REQ.$QUERY.$FOO ...>},...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $OPTS = {parsingContext: <... $REQ.$QUERY.$FOO ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $REQ.$BODY ...>},...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.compileFunction($CODE,$PARAMS,{parsingContext: <... $CONTEXT ...>},...) - pattern: | $OPTS = {parsingContext: <... $REQ.$BODY ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $OPTS = {parsingContext: <... $CONTEXT ...>}; ... $VM.compileFunction($CODE,$PARAMS,$OPTS,...) message: | Untrusted user input in `vm.compileFunction()` can result in code injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm_compilefunction_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm_compilefunction_injection type: njsscan_rule_type value: Untrusted user input in `vm.compileFunction()` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm_compilefunction_injection shortlink: https://sg.run/BYo85 semgrep.dev: rule: r_id: 144407 rv_id: 920498 rule_id: ZqUQ01j version_id: 3ZTLwxb url: https://semgrep.dev/playground/r/3ZTLwxb/gitlab.nodejs_scan.javascript-eval-rule-vm_compilefunction_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm_runincontext_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInContext($CODE,<... $CONTEXT ...>,...) message: | Untrusted user input in `vm.runInContext()` can result in code injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm_runincontext_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm_runincontext_injection type: njsscan_rule_type value: Untrusted user input in `vm.runInContext()` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm_runincontext_injection shortlink: https://sg.run/DbpLj semgrep.dev: rule: r_id: 144408 rv_id: 920499 rule_id: nJUxX1W version_id: 44TeqYG url: https://semgrep.dev/playground/r/44TeqYG/gitlab.nodejs_scan.javascript-eval-rule-vm_runincontext_injection origin: community - id: gitlab.nodejs_scan.javascript-eval-rule-vm_runinnewcontext_injection patterns: - pattern-inside: | require('vm') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $VM.runInNewContext($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: | $CONTEXT = <... $REQ.$QUERY.$FOO ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$QUERY.$FOO ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VM.runInNewContext($CODE,<... $REQ.$BODY ...>,...) - pattern: | $CONTEXT = <... $REQ.$BODY ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = {$NAME: <... $REQ.$BODY ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $CONTEXT = <... {$NAME:$REQ.$BODY} ...>; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) - pattern: | $VAR = <... $REQ.$BODY ...>; ... $CONTEXT = {$NAME: <... $VAR ...>}; ... $VM.runInNewContext($CODE,<... $CONTEXT ...>,...) message: | Untrusted user input in `vm.runInNewContext()` can result in code injection. severity: ERROR languages: - javascript metadata: cwe: CWE-94 shortDescription: Improper control of generation of code (Code Injection) category: security owasp: - A1:2017-Injection - A03:2021-Injection security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-eval-rule-vm_runinnewcontext_injection secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-vm_runinnewcontext_injection type: njsscan_rule_type value: Untrusted user input in `vm.runInNewContext()` can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-vm_runinnewcontext_injection shortlink: https://sg.run/WAdPA semgrep.dev: rule: r_id: 144409 rv_id: 920500 rule_id: EwUj73j version_id: PkTjGnn url: https://semgrep.dev/playground/r/PkTjGnn/gitlab.nodejs_scan.javascript-eval-rule-vm_runinnewcontext_injection origin: community - id: generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token message: A gitleaks digitalocean-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token shortlink: https://sg.run/AGj2 semgrep.dev: rule: r_id: 44694 rv_id: 1262711 rule_id: WAUelp version_id: K3TKkrN url: https://semgrep.dev/playground/r/K3TKkrN/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token origin: community patterns: - pattern-regex: (?i)\b(doo_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key message: A gitleaks flutterwave-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key shortlink: https://sg.run/pQxL semgrep.dev: rule: r_id: 44718 rv_id: 1262738 rule_id: v8UKn0 version_id: 7ZTE3bj url: https://semgrep.dev/playground/r/7ZTE3bj/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key origin: community patterns: - pattern-regex: FLWSECK_TEST-(?i)[a-h0-9]{32}-X - id: gitlab.nodejs_scan.javascript-eval-rule-yaml_deserialize patterns: - pattern-either: - pattern: | require('js-yaml').load(...) - pattern-inside: | $MOD = require('js-yaml') ... - pattern-inside: | import $MOD from 'js-yaml' ... - pattern: | $MOD.load(...) message: | User controlled data in 'yaml.load()' function can result in Remote Code Injection. languages: - javascript - typescript severity: ERROR metadata: owasp: - A8:2017-Insecure Deserialization - A08:2021-Software and Data Integrity Failures cwe: CWE-502 shortDescription: Deserialization of Untrusted Data security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-eval-rule-yaml_deserialize secondary_identifiers: - name: NodeJS Scan ID javascript-eval-rule-yaml_deserialize type: njsscan_rule_type value: User controlled data in 'yaml.load()' function can result in Remote Code Injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-eval-rule-yaml_deserialize shortlink: https://sg.run/0okwb semgrep.dev: rule: r_id: 144410 rv_id: 920501 rule_id: 7KUg0jD version_id: JdToRZ2 url: https://semgrep.dev/playground/r/JdToRZ2/gitlab.nodejs_scan.javascript-eval-rule-yaml_deserialize origin: community - id: generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token message: A gitleaks defined-networking-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token shortlink: https://sg.run/Ne3z semgrep.dev: rule: r_id: 66771 rv_id: 1262710 rule_id: KxUqPA version_id: 0bTKzwO url: https://semgrep.dev/playground/r/0bTKzwO/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token origin: community patterns: - pattern-regex: (?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec patterns: - pattern-inside: | require('shelljs') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $EXEC.exec(<... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $EXEC.exec( <... $REQ.$QUERY ...>, ...) - pattern: | $INP = <... $REQ.$QUERY.$VAR ...>; ... $EXEC.exec(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$QUERY ...>; ... $EXEC.exec(<... $INP ...>, ...) message: | User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution. languages: - javascript severity: ERROR metadata: shortDescription: Improper neutralization of special elements used in an OS command ('OS Command Injection') category: security owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-78 security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-exec-rule-shelljs_os_command_exec secondary_identifiers: - name: NodeJS Scan ID javascript-exec-rule-shelljs_os_command_exec type: njsscan_rule_type value: User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec shortlink: https://sg.run/KxrZd semgrep.dev: rule: r_id: 144411 rv_id: 920502 rule_id: L1UqZo2 version_id: 5PTNGYx url: https://semgrep.dev/playground/r/5PTNGYx/gitlab.nodejs_scan.javascript-exec-rule-shelljs_os_command_exec origin: community - id: generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key message: A gitleaks flutterwave-public-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key shortlink: https://sg.run/zQvW semgrep.dev: rule: r_id: 44717 rv_id: 1262737 rule_id: eqUY83 version_id: ExTEx1P url: https://semgrep.dev/playground/r/ExTEx1P/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key origin: community patterns: - pattern-regex: FLWPUBK_TEST-(?i)[a-h0-9]{32}-X - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_default patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {name:...} ...>,...) - pattern-not-inside: | $OPTS = <... {name:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.name = ...; ... $SESSION($OPTS,...) message: | Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly. severity: INFO languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: INFO category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_default secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_default type: njsscan_rule_type value: Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_default shortlink: https://sg.run/qN5gx semgrep.dev: rule: r_id: 144412 rv_id: 920503 rule_id: 8GUQR7j version_id: GxToXWb url: https://semgrep.dev/playground/r/GxToXWb/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_default origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_domain patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{domain:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {domain:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {domain:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.domain = ...; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.domain = ...; ... $SESSION($OPTS,...) message: | 'Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.' severity: INFO languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: INFO category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_domain secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_domain type: njsscan_rule_type value: '''Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_domain shortlink: https://sg.run/lBd1j semgrep.dev: rule: r_id: 144413 rv_id: 920504 rule_id: gxU3doW version_id: RGT2xwW url: https://semgrep.dev/playground/r/RGT2xwW/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_domain origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_httponly patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern-either: - pattern-inside: $SESSION(<... {cookie:{httpOnly:false}} ...>,...) - pattern-inside: | $OPTS = <... {cookie:{httpOnly:false}} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $COOKIE = <... {httpOnly:false} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $OPTS.cookie = <... {httpOnly:false} ...>; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $COOKIE.httpOnly = false; ... $SESSION($OPTS,...) - pattern-inside: | $OPTS = ...; ... $OPTS.cookie.httpOnly = false; ... $SESSION($OPTS,...) message: | 'Session middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.' severity: WARNING languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-1004 shortDescription: Sensitive cookie without 'HttpOnly' flag security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_httponly secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_httponly type: njsscan_rule_type value: '''Session middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_httponly shortlink: https://sg.run/YGd5X semgrep.dev: rule: r_id: 144414 rv_id: 920505 rule_id: QrUWPjp version_id: A8TNln1 url: https://semgrep.dev/playground/r/A8TNln1/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_httponly origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_maxage patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{maxAge:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{maxAge:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {maxAge:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {maxAge:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.maxAge = ...; ... $SESSION($OPTS,...) - pattern-not-inside: |- $OPTS = ...; ... $OPTS.cookie.maxAge = ...; ... $SESSION($OPTS,...) message: | 'Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.' severity: INFO languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-613 shortDescription: Insufficient session expiration security-severity: INFO category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_maxage secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_maxage type: njsscan_rule_type value: '''Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_maxage shortlink: https://sg.run/6JGZ6 semgrep.dev: rule: r_id: 144415 rv_id: 920506 rule_id: 3qUkqzj version_id: BjTKLGn url: https://semgrep.dev/playground/r/BjTKLGn/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_maxage origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_path patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{path:...}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {path:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {path:...} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.path = ...; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.path = ...; ... $SESSION($OPTS,...) message: | 'Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.' severity: INFO languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: INFO category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_path secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_path type: njsscan_rule_type value: '''Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_path shortlink: https://sg.run/oqPrN semgrep.dev: rule: r_id: 144416 rv_id: 920507 rule_id: 4bUR4wg version_id: DkT2yeP url: https://semgrep.dev/playground/r/DkT2yeP/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_path origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_samesite patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:true}} ...>,...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'lax'}} ...>,...) - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'strict'}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{sameSite:true}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {sameSite:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {sameSite:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.sameSite = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.sameSite = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = <... {cookie:{sameSite:'strict'}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {sameSite:'strict'} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {sameSite:'strict'} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.sameSite = 'strict'; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.sameSite = 'strict'; ... $SESSION($OPTS,...) message: | 'Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.' severity: WARNING languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-1275 shortDescription: Sensitive cookie with improper SameSite attribute security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_samesite secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_samesite type: njsscan_rule_type value: '''Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_samesite shortlink: https://sg.run/zdqg1 semgrep.dev: rule: r_id: 144417 rv_id: 920508 rule_id: PeUJ4Xx version_id: WrTYn6D url: https://semgrep.dev/playground/r/WrTYn6D/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_samesite origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_secure patterns: - pattern-either: - pattern-inside: | $SESSION = require('cookie-session') ... - pattern-inside: | $SESSION = require('express-session') ... - pattern: $SESSION(...) - pattern-not-inside: $SESSION(<... {cookie:{secure:true}} ...>,...) - pattern-not-inside: | $OPTS = <... {cookie:{secure:true}} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE = <... {secure:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie = <... {secure:true} ...>; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $COOKIE.secure = true; ... $SESSION($OPTS,...) - pattern-not-inside: | $OPTS = ...; ... $OPTS.cookie.secure = true; ... $SESSION($OPTS,...) message: | 'Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.' severity: WARNING languages: - javascript metadata: owasp: - A2:2017-Broken Authentication - A07:2021-Identification and Authentication Failures cwe: CWE-614 shortDescription: Sensitive cookie in HTTPS session without 'Secure' attribute security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-cookie_session_no_secure secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-cookie_session_no_secure type: njsscan_rule_type value: '''Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.''' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_secure shortlink: https://sg.run/pKJgN semgrep.dev: rule: r_id: 144418 rv_id: 920509 rule_id: JDUN0Yo version_id: 0bTp36B url: https://semgrep.dev/playground/r/0bTp36B/gitlab.nodejs_scan.javascript-headers-rule-cookie_session_no_secure origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-express_cors patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $APP.options('*', cors(...)) - pattern: | $RES.set("=~/access-control-allow-origin/i", '*', ...) - pattern: | $RES.set(..., { "=~/access-control-allow-origin/i" : '*' }, ...) - pattern: | $RES.header("=~/access-control-allow-origin/i", '*', ...) - pattern: | $RES.writeHead(..., {"=~/access-control-allow-origin/i": '*' }, ...) message: | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-346 shortDescription: Origin validation error security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-express_cors secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-express_cors type: njsscan_rule_type value: Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-express_cors shortlink: https://sg.run/2Z4w5 semgrep.dev: rule: r_id: 144419 rv_id: 920510 rule_id: 5rUdW29 version_id: K3TwLOE url: https://semgrep.dev/playground/r/K3TwLOE/gitlab.nodejs_scan.javascript-headers-rule-express_cors origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-generic_header_injection patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = $REQ.$QUERY; ... $RES.set(..., <... $INP ...>, ...) - pattern: | $INP = $REQ.$QUERY.$VAR; ... $RES.set(..., <... $INP ...>, ...) - pattern: | $INP = $REQ.$VAR; ... $RES.set(..., { $X: <... $INP ...>}, ...) - pattern: | $INP = $REQ.$QUERY.$FOO; ... $RES.set(..., { $X: <... $INP ...>}, ...) - pattern: | $INP = $REQ.$VAR; ... $RES.writeHead(..., { $X: <... $INP ...> }, ...) - pattern: | $INP = $REQ.$QUERY.$FOO; ... $RES.writeHead(..., { $X: <... $INP ...> }, ...) - pattern: | $RES.set(..., <... $REQ.$QUERY ...>, ...) - pattern: | $RES.set(..., <... $REQ.$QUERY.$VAR ...>, ...) - pattern: | $RES.set(..., { $X: <... $REQ.$VAR ...>}, ...) - pattern: | $RES.set(..., { $X: <... $REQ.$QUERY.$FOO ...>}, ...) - pattern: | $RES.writeHead(..., { $X: <... $REQ.$VAR ...> }, ...) - pattern: | $RES.writeHead(..., { $X: <... $REQ.$QUERY.$FOO ...> }, ...) message: | Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-644 shortDescription: Improper neutralization of HTTP headers for scripting syntax security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-headers-rule-generic_header_injection secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-generic_header_injection type: njsscan_rule_type value: Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-generic_header_injection shortlink: https://sg.run/j2LXA semgrep.dev: rule: r_id: 144421 rv_id: 920512 rule_id: ReUDJZR version_id: l4TXDNG url: https://semgrep.dev/playground/r/l4TXDNG/gitlab.nodejs_scan.javascript-headers-rule-generic_header_injection origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-header_xss_generic patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $RES.header("=~/x-xss-protection/i", 0, ...) - pattern: | $RES.set("=~/x-xss-protection/i", 0, ...) - pattern: | $RES.set(..., { "=~/x-xss-protection/i" : 0 }, ...) - pattern: | $RES.writeHead(..., {"=~/x-xss-protection/i": 0 }, ...) message: | X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-693 shortDescription: Protection mechanism failure security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-header_xss_generic secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-header_xss_generic type: njsscan_rule_type value: X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-header_xss_generic shortlink: https://sg.run/10wxD semgrep.dev: rule: r_id: 144422 rv_id: 920513 rule_id: AbU9DZg version_id: YDTYb89 url: https://semgrep.dev/playground/r/YDTYb89/gitlab.nodejs_scan.javascript-headers-rule-header_xss_generic origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-header_xss_lusca patterns: - pattern-inside: | $X = require('lusca') ... - pattern-not: | $X.use(helmet()) - pattern-either: - pattern: | $X.xssProtection(false) - pattern: | $X({ xssProtection: false}) message: | X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-693 shortDescription: Protection mechanism failure security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-header_xss_lusca secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-header_xss_lusca type: njsscan_rule_type value: X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-header_xss_lusca shortlink: https://sg.run/9ABw4 semgrep.dev: rule: r_id: 144423 rv_id: 920514 rule_id: BYUXqnb version_id: JdToRZr url: https://semgrep.dev/playground/r/JdToRZr/gitlab.nodejs_scan.javascript-headers-rule-header_xss_lusca origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-helmet_feature_disabled patterns: - pattern-either: - pattern: | $HELMET(..., {frameguard: false}, ...) - pattern: | $HELMET(..., {contentSecurityPolicy: false}, ...) - pattern: | $HELMET(..., {permittedCrossDomainPolicies: false}, ...) - pattern: | $HELMET(..., {dnsPrefetchControl: false}, ...) - pattern: | $HELMET(..., {expectCt: false}, ...) - pattern: | $HELMET(..., {featurePolicy: false}, ...) - pattern: | $HELMET(..., {hsts: false}, ...) - pattern: | $HELMET(..., {ieNoOpen: false}, ...) - pattern: | $HELMET(..., {noSniff: false}, ...) - pattern: | $HELMET(..., {hidePoweredBy: false}, ...) - pattern: | $HELMET(..., {referrerPolicy: false}, ...) - pattern: | $HELMET(..., {xssFilter: false}, ...) message: | One or more Security Response header is explicitly disabled in Helmet. languages: - javascript severity: WARNING metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-693 shortDescription: Protection mechanism failure security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-headers-rule-helmet_feature_disabled secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-helmet_feature_disabled type: njsscan_rule_type value: One or more Security Response header is explicitly disabled in Helmet. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-helmet_feature_disabled shortlink: https://sg.run/yyKgr semgrep.dev: rule: r_id: 144424 rv_id: 920515 rule_id: DbU6lZw version_id: 5PTNGYG url: https://semgrep.dev/playground/r/5PTNGYG/gitlab.nodejs_scan.javascript-headers-rule-helmet_feature_disabled origin: community - id: gitlab.nodejs_scan.javascript-headers-rule-host_header_injection patterns: - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ.host ...>; - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ["host"] ...>; - pattern: | $X = <... "=~/.*http[s]*:///i" + $REQ("host") ...>; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ.host ...>}; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ["host"] ...>}; - pattern: | $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ("host") ...>}; - pattern: | $Z = $REQ.host; ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ["host"]; ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ("host") ... $X = <... "=~/.*http[s]*:///i" + $Z ...>; - pattern: | $Z = $REQ.host; ... $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ.host ...>}; - pattern: | $Z = $REQ["host"]; ... $X = { $Y: <... "=~/.*http[s]*:///i" + $Z ...>}; - pattern: | $Z = $REQ("host") ... $X = { $Y: <... "=~/.*http[s]*:///i" + $REQ("host") ...>}; message: | Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning. languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-20 shortDescription: Improper input validation security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-headers-rule-host_header_injection secondary_identifiers: - name: NodeJS Scan ID javascript-headers-rule-host_header_injection type: njsscan_rule_type value: Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-headers-rule-host_header_injection shortlink: https://sg.run/r6Gg0 semgrep.dev: rule: r_id: 144425 rv_id: 920516 rule_id: WAUWBAG version_id: GxToXWe url: https://semgrep.dev/playground/r/GxToXWe/gitlab.nodejs_scan.javascript-headers-rule-host_header_injection origin: community - id: gitlab.nodejs_scan.javascript-jwt-rule-jwt_not_revoked patterns: - pattern-inside: | $JWT = require('express-jwt') ... - pattern: $JWT(...) - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...) - pattern-not-inside: |- $OPTS = <... {isRevoked:...} ...>; ... $JWT($OPTS,...) message: | No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option. severity: WARNING languages: - javascript metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-522 shortDescription: Insufficiently protected credentials security-severity: HIGH category: security primary_identifier: nodejs_scan.javascript-jwt-rule-jwt_not_revoked secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-jwt_not_revoked type: njsscan_rule_type value: No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-jwt_not_revoked shortlink: https://sg.run/x80gp semgrep.dev: rule: r_id: 144430 rv_id: 920521 rule_id: PeUJ4XK version_id: WrTYn6b url: https://semgrep.dev/playground/r/WrTYn6b/gitlab.nodejs_scan.javascript-jwt-rule-jwt_not_revoked origin: community - id: gitlab.nodejs_scan.javascript-jwt-rule-node_jwt_none_algorithm mode: taint pattern-sources: - pattern: $JWT = require("jsonwebtoken") - pattern: import $JWT from "jsonwebtoken" pattern-sinks: - pattern: $JWT.verify($P, $X, {...,algorithms:[...,'none',...],...},...) - pattern: $JWT.sign($P, $X, {...,algorithm:'none',...},...) message: | Use of `{algorithm:'none'}` detected with `jsonwebtoken`. Using none as the algorithm for jsonwebtoken can directly impact the integrity of the information transfer through the JWT token. Consider using a secure algorithm to sign your JWT token such as HMAC or RSA. Some safe usage examples: ``` let token = jwt.sign({user:"user1"}, 'secret', {algorithm: 'HS256'}); ``` Using a secure algorithm can protect the integrity of the token information. Avoid using none as the algorithm when signing jwt tokens since it can violate the integrity of the JWT information. languages: - javascript severity: ERROR metadata: owasp: - A3:2017-Sensitive Data Exposure - A02:2021-Cryptographic Failures cwe: CWE-327 shortDescription: Use of a broken or risky cryptographic algorithm security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-jwt-rule-node_jwt_none_algorithm secondary_identifiers: - name: NodeJS Scan ID javascript-jwt-rule-node_jwt_none_algorithm type: njsscan_rule_type value: Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-jwt-rule-node_jwt_none_algorithm shortlink: https://sg.run/Or3Zp semgrep.dev: rule: r_id: 144431 rv_id: 920522 rule_id: JDUN0YO version_id: 0bTp36O url: https://semgrep.dev/playground/r/0bTp36O/gitlab.nodejs_scan.javascript-jwt-rule-node_jwt_none_algorithm origin: community - id: gitlab.nodejs_scan.javascript-memory-rule-buffer_noassert pattern-either: - pattern: $OBJ.readUInt8(..., true) - pattern: $OBJ.readUInt16LE(..., true) - pattern: $OBJ.readUInt16BE(..., true) - pattern: $OBJ.readUInt32LE(..., true) - pattern: $OBJ.readUInt32BE(..., true) - pattern: $OBJ.readInt8(..., true) - pattern: $OBJ.readInt16LE(..., true) - pattern: $OBJ.readInt16BE(..., true) - pattern: $OBJ.readInt32LE(..., true) - pattern: $OBJ.readInt32BE(..., true) - pattern: $OBJ.readFloatLE(..., true) - pattern: $OBJ.readFloatBE(..., true) - pattern: $OBJ.readDoubleLE(..., true) - pattern: $OBJ.readDoubleBE(..., true) - pattern: $OBJ.writeUInt8(..., true) - pattern: $OBJ.writeUInt16LE(..., true) - pattern: $OBJ.writeUInt16BE(..., true) - pattern: $OBJ.writeUInt32LE(..., true) - pattern: $OBJ.writeUInt32BE(..., true) - pattern: $OBJ.writeInt8(..., true) - pattern: $OBJ.writeInt16LE(..., true) - pattern: $OBJ.writeInt16BE(..., true) - pattern: $OBJ.writeInt32LE(..., true) - pattern: $OBJ.writeInt32BE(..., true) - pattern: $OBJ.writeFloatLE(..., true) - pattern: $OBJ.writeFloatBE(..., true) - pattern: $OBJ.writeDoubleLE(..., true) - pattern: $OBJ.writeDoubleBE(..., true) severity: WARNING languages: - javascript metadata: owasp: - A6:2017-Security Misconfiguration - A05:2021-Security Misconfiguration cwe: CWE-119 shortDescription: Improper restriction of operations within the bounds of a memory buffer security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-memory-rule-buffer_noassert secondary_identifiers: - name: NodeJS Scan ID javascript-memory-rule-buffer_noassert type: njsscan_rule_type value: Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-memory-rule-buffer_noassert shortlink: https://sg.run/eq76l semgrep.dev: rule: r_id: 144432 rv_id: 920523 rule_id: 5rUdW2l version_id: K3TwLON url: https://semgrep.dev/playground/r/K3TwLON/gitlab.nodejs_scan.javascript-memory-rule-buffer_noassert origin: community message: | Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer. - id: gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect mode: taint pattern-sources: - patterns: - pattern-inside: | function ($REQ, $RES, ...) {...} - focus-metavariable: $REQ pattern-sinks: - pattern: | $RES.redirect(...) pattern-sanitizers: - pattern-either: - patterns: - pattern-either: - pattern: "if($VALIDATION){\n ...\n $RES.redirect(...)\n ...\n} \n" - pattern: | $A = $VALIDATION ... if($A){ ... $RES.redirect(...) ... } - metavariable-pattern: metavariable: $VALIDATION pattern-either: - pattern: "$AL.includes(...) \n" - pattern: | $AL.indexOf(...) !== -1 - pattern: | $AL.find(...) !== undefined - pattern: | $ALS.has(...) - patterns: - pattern: | $RES.redirect("$DOM" + ...) - metavariable-regex: metavariable: $DOM regex: (http(s)?:\/\/.*\/) message: "Passing untrusted user input in `redirect()` can result in an open redirect\nvulnerability. This could be abused by malicious actors to trick users into \nbeing redirected to websites under their control to capture authentication\ninformation. \nTo prevent open redirect vulnerabilities:\n\n- Always validate and sanitize user inputs, especially URL parameters\n or query strings that may influence the flow of the application.\n- Use allowlists (lists of permitted URLs) to validate redirect targets \n against known, trusted URLs before performing the redirect.\n- Avoid directly using user input for redirecting. If unavoidable, ensure\n strict validation against an allowlist.\n\nFollowing is an example of secure validation against allowlist to prevent the vulnerability:\n ```\n // Define a list of explicitly allowed URLs for redirection\n const allowedUrls = [\n 'https://www.example.com/page1',\n \ 'https://www.example.com/page2',\n 'https://secure.example.com/page3'\n ];\n\n app.get('/redirect/:url', (req, res) => {\n const url = decodeURIComponent(req.params.url);\n \ const isAllowed = allowedUrls.includes(url);\n if (isAllowed) {\n // If the URL is allowed, proceed with the redirect\n res.redirect(url);\n \ } else {\n res.status(400).send('Invalid redirect URL');\n }\n });\n ```\n" languages: - javascript severity: ERROR metadata: shortDescription: URL redirection to untrusted site 'open redirect' category: security owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-601 security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-redirect-rule-express_open_redirect secondary_identifiers: - name: NodeJS Scan ID javascript-redirect-rule-express_open_redirect type: njsscan_rule_type value: Untrusted user input in redirect() can result in Open Redirect vulnerability. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect shortlink: https://sg.run/v8Dg4 semgrep.dev: rule: r_id: 144433 rv_id: 920524 rule_id: GdUvNK5 version_id: qkTpw9Y url: https://semgrep.dev/playground/r/qkTpw9Y/gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect origin: community - id: javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method message: The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API. metadata: owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection - A05:2025 - Injection references: - https://docs.angularjs.org/api/ng/service/$sce#trustAsJs - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf cwe: - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site Scripting'')' category: security technology: - angular cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: MEDIUM confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cross-Site-Scripting (XSS) source: https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method shortlink: https://sg.run/x1nA semgrep.dev: rule: r_id: 9230 rv_id: 1263097 rule_id: 8GUj8k version_id: A8Tgdpo url: https://semgrep.dev/playground/r/A8Tgdpo/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method origin: community languages: - javascript - typescript severity: WARNING patterns: - pattern-either: - pattern: | $SOURCE = $scope.$INPUT; $sce.trustAsJs($SOURCE); - pattern: | $sce.trustAsJs($scope.$INPUT); - pattern-inside: | app.controller(..., function($scope,$sce){ ... }); - id: gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2 mode: taint pattern-sources: - patterns: - pattern-inside: | function ($REQ, $RES, ...) {...} - focus-metavariable: $REQ pattern-sinks: - pattern-either: - patterns: - pattern-not: | $RES.$METHOD("=~/location/i", "=~/http(s)?:\/\/.*\//" + ...) - pattern-not-inside: | $VAR = "=~/http(s)?:\/\/.*\//" + ...; ... - pattern: | $RES.$METHOD("=~/location/i", $VAR) - metavariable-regex: metavariable: $METHOD regex: (header|set|append|setHeader) - patterns: - pattern-not-inside: | $V = "=~/http(s)?:\/\/.*\//" + ...; ... - pattern-not: patterns: - pattern: "$RES.writeHead(..., { \n ..., \n location: $V,\n ...\n})\n" - metavariable-pattern: metavariable: $V patterns: - pattern: | "=~/http(s)?:\/\/.*\//" + ... - pattern: "$RES.writeHead(..., { \n ..., \n location: $V,\n ...\n })\n" - focus-metavariable: $V - patterns: - pattern-not: | $RES.location("=~/http(s)?:\/\/.*\//" + ...) - pattern-not-inside: | $VAR = "=~/http(s)?:\/\/.*\//" + ...; ... - pattern: | $RES.location($VAR) pattern-sanitizers: - pattern-either: - patterns: - pattern-either: - pattern: "if($VALIDATION){\n ...\n} \n" - pattern: | $A = $VALIDATION ... if($A){ ... } - metavariable-pattern: metavariable: $VALIDATION pattern-either: - pattern: "$AL.includes(...) \n" - pattern: | $AL.indexOf(...) !== -1 - pattern: | $AL.find(...) !== undefined - pattern: | $ALS.has(...) message: "Passing untrusted user input in `redirect()` can result in an open redirect\nvulnerability. This could be abused by malicious actors to trick users into \nbeing redirected to websites under their control to capture authentication\ninformation. \nTo prevent open redirect vulnerabilities:\n\n- Always validate and sanitize user inputs, especially URL parameters\n or query strings that may influence the flow of the application.\n- Use allowlists (lists of permitted URLs) to validate redirect targets \n against known, trusted URLs before performing the redirect.\n- Avoid directly using user input for redirecting. If unavoidable, ensure\n strict validation against an allowlist.\n\nFollowing is an example of secure validation against allowlist to prevent the vulnerability:\n ```\n // Define a list of explicitly allowed URLs for redirection\n const allowedUrls = [\n 'https://www.example.com/page1',\n \ 'https://www.example.com/page2',\n 'https://secure.example.com/page3'\n ];\n\n app.get('/redirect/:url', (req, res) => {\n const url = decodeURIComponent(req.params.url);\n \ const isAllowed = allowedUrls.includes(url);\n if (isAllowed) {\n // If the URL is allowed, proceed with the redirect\n res.location(url).status(302).end();\n \ } else {\n res.status(400).send('Invalid redirect URL');\n }\n });\n ```\n" languages: - javascript severity: ERROR metadata: shortDescription: URL redirection to untrusted site 'open redirect' category: security owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-601 security-severity: CRITICAL primary_identifier: nodejs_scan.javascript-redirect-rule-express_open_redirect2 secondary_identifiers: - name: NodeJS Scan ID javascript-redirect-rule-express_open_redirect2 type: njsscan_rule_type value: Untrusted user input in response header('Location') can result in Open Redirect vulnerability. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2 shortlink: https://sg.run/d8dYY semgrep.dev: rule: r_id: 144434 rv_id: 920525 rule_id: ReUDJZZ version_id: l4TXDe4 url: https://semgrep.dev/playground/r/l4TXDe4/gitlab.nodejs_scan.javascript-redirect-rule-express_open_redirect2 origin: community - id: gitlab.nodejs_scan.javascript-ssrf-rule-node_ssrf mode: taint pattern-sources: - patterns: - focus-metavariable: $REQ - pattern: function ($REQ, $RES, ...) {...} - patterns: - focus-metavariable: $REQ - pattern: function $FUNC($REQ, $RES, ...) {...} pattern-sanitizers: - patterns: - pattern-either: - pattern: "if($VALIDATION){\n...\n} \n" - pattern: | $A = $VALIDATION ... if($A){ ... } - metavariable-pattern: metavariable: $VALIDATION pattern-either: - pattern: "$AL.includes(...) \n" - pattern: | $AL.indexOf(...) !== -1 - pattern: | $AL.find(...) !== undefined - pattern: | $ALS.has(...) pattern-sinks: - pattern-either: - patterns: - pattern-either: - pattern-inside: | $NEEDLE = require('needle'); ... - pattern-inside: | import $NEEDLE from 'needle' ... - pattern-either: - pattern: $NEEDLE('$VERB', ...) - pattern: $NEEDLE.$VERB($REQ. ...,...) - metavariable-regex: metavariable: $VERB regex: ^(get|put|post|patch|delete|head)$ - patterns: - pattern-either: - pattern-inside: | $AXIOS = require('axios'); ... - pattern-inside: | import $AXIOS from 'axios' ... - pattern-either: - patterns: - pattern: $AXIOS(...) - pattern-not-inside: | if($ARR.indexof(<...$REQ...>) != -1){...} - patterns: - pattern: $AXIOS.$VERB(...) - metavariable-regex: metavariable: $VERB regex: ^(get|put|post|patch|delete|head)$ - patterns: - pattern-either: - pattern-inside: | {..., request, ... } = require('urllib'); ... - pattern-inside: | import {..., request, ... } from 'urllib' ... - pattern: request(...) - patterns: - pattern-either: - pattern-inside: | $URLLIIB = require('urllib'); ... - pattern-inside: | import $URLLIIB from 'urllib' ... - pattern: $URLLIIB.request(...) - patterns: - pattern-either: - pattern-inside: | $SA = require('superagent'); ... - pattern-inside: | import $SA from 'superagent' ... - patterns: - pattern: $SA.$VERB(...) - metavariable-regex: metavariable: $VERB regex: ^(get|put|post|patch|delete|head)$ - pattern: fetch(...) - patterns: - pattern-either: - pattern-inside: | $HTTP = require('$PKG'); ... - pattern-inside: | import $HTTP from $PKG ... - pattern-either: - patterns: - pattern: $HTTP.$VERB(...) - metavariable-regex: metavariable: $VERB regex: ^(get|put|post|patch|delete|head)$ - metavariable-regex: metavariable: $PKG regex: ^(http|https)$ - patterns: - pattern-either: - pattern-inside: | $IO = require('socket.io-client'); ... - pattern-inside: | import $IO from 'socket.io-client' ... - pattern: $IO(...) - patterns: - pattern-either: - pattern-inside: | $NET = require('net'); ... $NETCLIENT = new $NET.Socket() ... - pattern-inside: | import $NET from 'net' ... $NETCLIENT = new $NET.Socket() ... - pattern: $NETCLIENT.connect(...) - patterns: - pattern-either: - pattern-inside: | $BENT = require('bent'); ... - pattern-inside: | import $BENT from 'bent'; ... - pattern: $BENT(...) - patterns: - pattern-either: - pattern-inside: | $BENT = require('bent'); ... $MTD = $BENT(...) - pattern-inside: | import $BENT from 'bent'; ... $MTD = $BENT(...) - pattern: $MTD(...) - patterns: - pattern-either: - pattern-inside: | $BENT = require('bent'); ... $GETBENT = $BENT('$PKG') ... - pattern-inside: | import $BENT from 'bent'; ... $GETBENT = $BENT('$PKG') ... - pattern: $GETBENT(...) - metavariable-regex: metavariable: $PKG regex: ^(json|buffer)$ - patterns: - pattern-either: - pattern-inside: | import $GOT from 'got'; ... - pattern: $GOT.$VERB(...) - metavariable-regex: metavariable: $VERB regex: ^(get|put|post|patch|delete|head)$ - patterns: - pattern-either: - pattern-inside: | $REQUEST = require('request'); ... - pattern-inside: | import $REQUEST from 'request'; ... - pattern: $REQUEST(...) message: "This application allows user-controlled URLs to be passed directly to HTTP client libraries. This can result in Server-Side Request Forgery (SSRF). SSRF refers to an attack where the attacker can abuse functionality on the server to force it to make requests to other internal systems within your infrastructure that are not directly exposed to the internet. This allows the attacker to access internal resources they do not have direct access to.\nSome risks of SSRF are:\n- Access and manipulation of internal databases, APIs, or administrative panels - Ability to scan internal network architecture and services - Can be used to pivot attacks into the internal network - Circumvent network segregation and firewall rules\nTo avoid this, try using hardcoded HTTP request calls or a whitelisting object to check whether the user input is trying to access allowed resources or not.\nHere is an example: ``` var whitelist = [\n \"https://example.com\", \n \"https://example.com/sample\"\n]\napp.get('/ssrf/node-ssrf/axios/safe/3', function (req, res) {\n if(whitelist.includes(req.query.url)){\n axios.get(url, {})\n .then(function (response) {\n console.log(response);\n \ })\n .catch(function (response) {\n console.log(response); \ \n })\n }\n}); ``` For more information on SSRF see OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html\n" languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-node_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-node_ssrf type: njsscan_rule_type value: User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF). license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-node_ssrf shortlink: https://sg.run/ZqdGn semgrep.dev: rule: r_id: 144435 rv_id: 920526 rule_id: AbU9DZO version_id: YDTYbzN url: https://semgrep.dev/playground/r/YDTYbzN/gitlab.nodejs_scan.javascript-ssrf-rule-node_ssrf origin: community - id: terraform.gcp.security.gcp-storage-bucket-uniform-access.gcp-storage-bucket-uniform-access patterns: - pattern: resource - pattern-inside: | resource "google_storage_bucket" "..." { ... } - pattern-not-inside: | resource "google_storage_bucket" "..." { ... uniform_bucket_level_access = true ... } message: Ensure that Cloud Storage buckets have uniform bucket-level access enabled. Setting `uniform_bucket_level_access` to `true` ensures that access is managed uniformly at the bucket level, which improves security by disabling object-level ACLs. metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' category: security technology: - terraform - gcp references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-storage-bucket-uniform-access.gcp-storage-bucket-uniform-access shortlink: https://sg.run/YJo4 semgrep.dev: rule: r_id: 33714 rv_id: 1263880 rule_id: 7KUZPb version_id: rxTAKKg url: https://semgrep.dev/playground/r/rxTAKKg/terraform.gcp.security.gcp-storage-bucket-uniform-access.gcp-storage-bucket-uniform-access origin: community languages: - hcl severity: WARNING - id: gitlab.nodejs_scan.javascript-ssrf-rule-phantom_ssrf patterns: - pattern-inside: | require('phantom') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.open(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.open(<... $REQ.$BODY ...>,...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>,...) - pattern: $PAGE.openUrl(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.openUrl(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateJavaScript(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateJavaScript(<... $REQ.$BODY ...>,...) - pattern: $PAGE.property("content",<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.property("content",<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.open(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.open(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.openUrl(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.openUrl(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateJavaScript(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateJavaScript(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.property("content",<... $INPUT ...>,...) - pattern: |- $INPUT = <... $REQ.$BODY ...>; ... $PAGE.property("content",<... $INPUT ...>,...) message: | 'If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities. ' metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-phantom_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-phantom_ssrf type: njsscan_rule_type value: |- 'If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities. ' license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-phantom_ssrf shortlink: https://sg.run/nJ4yO semgrep.dev: rule: r_id: 144436 rv_id: 920527 rule_id: BYUXqnl version_id: 6xTyXA5 url: https://semgrep.dev/playground/r/6xTyXA5/gitlab.nodejs_scan.javascript-ssrf-rule-phantom_ssrf origin: community severity: ERROR languages: - javascript - id: gitlab.nodejs_scan.javascript-ssrf-rule-playwright_ssrf patterns: - pattern-inside: | require('playwright') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.goto(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.goto(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluate(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluate(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluate($CODE,..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluate($CODE,..., <... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateHandle(<... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluateHandle(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateHandle($CODE,..., <... $REQ.$QUERY.$FOO ...>, ...) - pattern: $PAGE.evaluateHandle($CODE,..., <... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY ...>, ...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY.$FOO ...>, ...) - pattern: $CONTEXT.addInitScript(<... $REQ.$BODY ...>,...) - pattern: $CONTEXT.addInitScript(<... $REQ.$BODY.$FOO ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle($CODE,..., <... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $CONTEXT.addInitScript($INPUT,...) message: | If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-playwright_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-playwright_ssrf type: njsscan_rule_type value: If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-playwright_ssrf shortlink: https://sg.run/Ew2ZA semgrep.dev: rule: r_id: 144437 rv_id: 920528 rule_id: DbU6lZJ version_id: o5TK1We url: https://semgrep.dev/playground/r/o5TK1We/gitlab.nodejs_scan.javascript-ssrf-rule-playwright_ssrf origin: community severity: ERROR languages: - javascript - id: gitlab.nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf patterns: - pattern-inside: | require('puppeteer') ... - pattern-either: - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: $PAGE.goto(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.goto(<... $REQ.$BODY ...>,...) - pattern: $PAGE.setContent(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.setContent(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluate(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluate(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateHandle(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateHandle(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateOnNewDocument(<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluate($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluate($CODE,<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateHandle($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateHandle($CODE,<... $REQ.$BODY ...>,...) - pattern: $PAGE.evaluateOnNewDocument($CODE,<... $REQ.$QUERY.$FOO ...>,...) - pattern: $PAGE.evaluateOnNewDocument($CODE,<... $REQ.$BODY ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.goto(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.setContent(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument(<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluate($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluate($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateHandle($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateHandle($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$QUERY.$FOO ...>; ... $PAGE.evaluateOnNewDocument($CODE,<... $INPUT ...>,...) - pattern: | $INPUT = <... $REQ.$BODY ...>; ... $PAGE.evaluateOnNewDocument($CODE,<... $INPUT ...>,...) message: | If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-puppeteer_ssrf type: njsscan_rule_type value: If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf shortlink: https://sg.run/7KRwR semgrep.dev: rule: r_id: 144438 rv_id: 920529 rule_id: WAUWBAB version_id: zyTG3Xy url: https://semgrep.dev/playground/r/zyTG3Xy/gitlab.nodejs_scan.javascript-ssrf-rule-puppeteer_ssrf origin: community severity: ERROR languages: - javascript - id: gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf mode: taint pattern-sources: - patterns: - pattern: | function($REQ, $RES, ...){ ... } - focus-metavariable: $REQ pattern-sinks: - patterns: - pattern-either: - pattern-inside: | $W = require('wkhtmltoimage') ... - pattern-inside: | import $W from 'wkhtmltoimage' ... - pattern: | $W.generate(...) pattern-sanitizers: - patterns: - pattern-inside: | if($ALLOWED.includes($URL)){ ... } message: "This rule detects instances where user-controlled URLs are passed directly\nto the `generate` function of `wkhtmltoimage` library. This practice can\nlead to Server Side Request Forgery (SSRF) vulnerabilities, where an\nattacker can induce the server to make requests to arbitrary URLs. This\ncan potentially expose internal services within the network or lead to\ninformation disclosure.\n\nTo mitigate this vulnerability, ensure that URLs are safe and intended for \npublic access. Implementing allowlists for acceptable domains or schemes can \nsignificantly reduce the risk of SSRF. Additionally, consider using server-side \nproxy services that restrict the outgoing requests to trusted domains and \nresources.\n\nSecure Code Example:\n```\nconst wkhtmltoimage = require('wkhtmltoimage');\n\n// Define an allowlist of domains\nconst allowedDomains = ['example.com', 'trusted-source.com'];\n\napp.post('/generate-image', (req, res) => {\n const userInputUrl = req.body.url; \n const parsedUrl = new URL(userInputUrl);\n\n // Check if the domain is in the allowlist\n if (allowedDomains.includes(parsedUrl.hostname)) {\n wkhtmltoimage.generate(userInputUrl, { output: 'output.jpg' }, \n function (err, stream) {\n if (err) {\n return res.status(500).send('Error generating image');\n }\n // Send a success response or the image itself\n res.status(200).send('Image generated successfully');\n \ });\n } else {\n res.status(400).send('URL is not allowed due to security policies.');\n }\n});\n```\n" languages: - javascript severity: WARNING metadata: owasp: - A1:2017-Injection - A10:2021-Server-Side Request Forgery cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-wkhtmltoimage_ssrf type: njsscan_rule_type value: User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF). license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf shortlink: https://sg.run/L1bZJ semgrep.dev: rule: r_id: 144439 rv_id: 920530 rule_id: 0oULNYn version_id: pZTbDqw url: https://semgrep.dev/playground/r/pZTbDqw/gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltoimage_ssrf origin: community - id: gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf patterns: - pattern-inside: | require('wkhtmltopdf') ... - pattern-either: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern-inside: function $FUNC($REQ, $RES, ...) {...} - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...} - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...}; - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...}) - pattern-either: - pattern: | $INP = <... $REQ.$VAR ...>; ... wkhtmltopdf(<... $INP ...>, ...) - pattern: | $INP = <... $REQ.$VAR.$FOO ...>; ... wkhtmltopdf(<... $INP ...>, ...) - pattern: | wkhtmltopdf(<... $REQ.$VAR ...>, ...) - pattern: | wkhtmltopdf(<... $REQ.$VAR.$FOO ...>, ...) message: | User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF). languages: - javascript severity: ERROR metadata: owasp: - A1:2017-Injection - A03:2021-Injection cwe: CWE-918 shortDescription: Server-side request forgery (SSRF) security-severity: CRITICAL category: security primary_identifier: nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf secondary_identifiers: - name: NodeJS Scan ID javascript-ssrf-rule-wkhtmltopdf_ssrf type: njsscan_rule_type value: User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF). license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf shortlink: https://sg.run/8GAe7 semgrep.dev: rule: r_id: 144440 rv_id: 920531 rule_id: KxUvE61 version_id: 2KTdOAP url: https://semgrep.dev/playground/r/2KTdOAP/gitlab.nodejs_scan.javascript-ssrf-rule-wkhtmltopdf_ssrf origin: community - id: gitlab.nodejs_scan.javascript-traversal-rule-admzip_path_overwrite patterns: - pattern-inside: | $X = require('adm-zip') ... - pattern-not: | if ($FILENAME.indexOf('..')) - pattern-not: | $FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-not: | $FS.writeFileSync($PATH.join(..., $PATH.basename($FILENAME, ...))) - pattern-either: - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.createWriteStream(...) }, ...) - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.writeFile(...) }, ...) - pattern: $ZIPENTZ.forEach(function $FUNC($ENTRY, ...) { $FS.writeFileSync(...) }, ...) message: | Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection. languages: - javascript metadata: shortDescription: Improper limitation of a pathname to a restricted directory ('Path Traversal') cwe: CWE-22 owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-traversal-rule-admzip_path_overwrite secondary_identifiers: - name: NodeJS Scan ID javascript-traversal-rule-admzip_path_overwrite type: njsscan_rule_type value: Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-traversal-rule-admzip_path_overwrite shortlink: https://sg.run/gx3zn semgrep.dev: rule: r_id: 144441 rv_id: 920532 rule_id: qNU26P8 version_id: X0TAKog url: https://semgrep.dev/playground/r/X0TAKog/gitlab.nodejs_scan.javascript-traversal-rule-admzip_path_overwrite origin: community severity: WARNING - id: terraform.gcp.security.gcp-sub-network-logging-enabled.gcp-sub-network-logging-enabled patterns: - pattern: | resource "google_compute_subnetwork" $ANYTHING { ... } - pattern-not-inside: "resource \"google_compute_subnetwork\" $ANYTHING {\n ...\n \ log_config {\n ...\n } \n ...\n}\n" message: Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network languages: - hcl severity: WARNING metadata: owasp: - A05:2017 - Broken Access Control - A01:2021 - Broken Access Control - A01:2025 - Broken Access Control cwe: - 'CWE-1220: Insufficient Granularity of Access Control' technology: - terraform - gcp category: security references: - https://owasp.org/Top10/A01_2021-Broken_Access_Control subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Other source: https://semgrep.dev/r/terraform.gcp.security.gcp-sub-network-logging-enabled.gcp-sub-network-logging-enabled shortlink: https://sg.run/6PvB semgrep.dev: rule: r_id: 33715 rv_id: 1263881 rule_id: L1U9BX version_id: bZT533D url: https://semgrep.dev/playground/r/bZT533D/terraform.gcp.security.gcp-sub-network-logging-enabled.gcp-sub-network-logging-enabled origin: community - id: gitlab.nodejs_scan.javascript-traversal-rule-express_lfr mode: taint pattern-sources: - patterns: - pattern-inside: function ($REQ, $RES, ...) {...} - pattern: $REQ.$FUNC. ... - metavariable-regex: metavariable: $FUNC regex: ^(body|params|query|cookies|hostname|subdomains|ip|ips|originalUrl|path)$ pattern-sinks: - pattern: $RES.render(..., $VAR) message: "This application is using untrusted user input in express render() function.\nRendering templates with untrusted user input enables arbitrary file read \nvulnerabilities when using templating engines like Handlebars (hbs). \n\nAn attacker can craft malicious input that traverses the filesystem and exposes sensitive files. \nConsider sanitizing and validating all user input before passing it to render() to prevent arbitrary file reads. \n\nSample safe use of express.render function\n```\napp.get(\"/traversal/2\", async (req, res) => {\n var indexPath = \"index\";\n res.render(indexPath, { title: \"Index Page\" })\n});\n```\n\nFor more details see: \nhttps://owasp.org/www-community/attacks/Path_Traversal\n" languages: - javascript severity: WARNING metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control cwe: CWE-23 shortDescription: Relative path traversal security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-traversal-rule-express_lfr secondary_identifiers: - name: NodeJS Scan ID javascript-traversal-rule-express_lfr type: njsscan_rule_type value: Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-traversal-rule-express_lfr shortlink: https://sg.run/QrdZP semgrep.dev: rule: r_id: 144442 rv_id: 920533 rule_id: lBU4kAO version_id: jQTwjLr url: https://semgrep.dev/playground/r/jQTwjLr/gitlab.nodejs_scan.javascript-traversal-rule-express_lfr origin: community - id: gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning patterns: - pattern-not-inside: | require('hbs') ... - pattern-inside: | require('express') ... - pattern-either: - pattern: | $INP = <... $REQ.$QUERY ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: | $INP = <... $REQ.$QUERY.$FOO ...>; ... $RES.render($VIEW, <... $INP ...>) - pattern: $RES.render($VIEW, <... $REQ.$QUERY.$FOO ...>) - pattern: $RES.render($VIEW, <... $REQ.$BODY ...>) message: | Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used. languages: - javascript severity: WARNING metadata: owasp: - A5:2017-Broken Access Control - A01:2021-Broken Access Control cwe: CWE-23 shortDescription: Relative path traversal security-severity: MEDIUM category: security primary_identifier: nodejs_scan.javascript-traversal-rule-express_lfr_warning secondary_identifiers: - name: NodeJS Scan ID javascript-traversal-rule-express_lfr_warning type: njsscan_rule_type value: Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used. license: MIT vulnerability_class: - Other source: https://semgrep.dev/r/gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning shortlink: https://sg.run/3qPwb semgrep.dev: rule: r_id: 144443 rv_id: 920534 rule_id: YGUpWKb version_id: 1QT4N04 url: https://semgrep.dev/playground/r/1QT4N04/gitlab.nodejs_scan.javascript-traversal-rule-express_lfr_warning origin: community - id: generic.secrets.gitleaks.grafana-api-key.grafana-api-key message: A gitleaks grafana-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.grafana-api-key.grafana-api-key shortlink: https://sg.run/vQzb semgrep.dev: rule: r_id: 44733 rv_id: 1262753 rule_id: GdUb7y version_id: WrTqKYb url: https://semgrep.dev/playground/r/WrTqKYb/generic.secrets.gitleaks.grafana-api-key.grafana-api-key origin: community patterns: - pattern-regex: (?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit languages: - php severity: WARNING message: Detected usage of vulnerable functions with user input, which could lead to SSRF vulnerabilities. mode: taint pattern-sources: - patterns: - pattern-either: - pattern: $_GET[...] - pattern: $_POST[...] - pattern: $_REQUEST[...] - pattern: get_option(...) - pattern: get_user_meta(...) - pattern: get_query_var(...) pattern-sinks: - patterns: - focus-metavariable: $URL - pattern-either: - pattern: wp_remote_get($URL, ...) - pattern: wp_safe_remote_get($URL, ...) - pattern: wp_safe_remote_request($URL, ...) - pattern: wp_safe_remote_head($URL, ...) - pattern: wp_oembed_get($URL, ...) - pattern: vip_safe_wp_remote_get($URL, ...) - pattern: wp_safe_remote_post($URL, ...) paths: include: - '**/wp-content/plugins/**/*.php' metadata: cwe: 'CWE-918: Server-Side Request Forgery (SSRF)' owasp: A10:2021 - Server-Side Request Forgery (SSRF) category: security confidence: MEDIUM likelihood: MEDIUM impact: HIGH subcategory: - audit technology: - Wordpress Plugins references: - https://developer.wordpress.org/reference/functions/wp_safe_remote_get/ - https://developer.wordpress.org/reference/functions/wp_remote_get/ - https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/ vulnerability_class: - Server-Side Request Forgery (SSRF) license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit shortlink: https://sg.run/K3y06 semgrep.dev: rule: r_id: 191611 rv_id: 1039233 rule_id: 6JUZyKX version_id: JdTp6rq url: https://semgrep.dev/playground/r/JdTp6rq/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit origin: community - id: terraform.gcp.security.gcp-artifact-registry-encrypted-with-cmk.gcp-artifact-registry-encrypted-with-cmk patterns: - pattern: | resource "google_artifact_registry_repository" $ANYTHING { ... } - pattern-not-inside: | resource "google_artifact_registry_repository" $ANYTHING { ... kms_key_name = ... ... } message: Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) metadata: category: security technology: - terraform - gcp owasp: - A03:2017 - Sensitive Data Exposure cwe: - 'CWE-320: CWE CATEGORY: Key Management Errors' references: - https://cloud.google.com/artifact-registry/docs/repositories/create-repos#create-repo-gcloud-apt - https://cloud.google.com/artifact-registry/docs/cmek subcategory: - audit likelihood: LOW impact: LOW confidence: LOW license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Cryptographic Issues source: https://semgrep.dev/r/terraform.gcp.security.gcp-artifact-registry-encrypted-with-cmk.gcp-artifact-registry-encrypted-with-cmk shortlink: https://sg.run/AKJ4 semgrep.dev: rule: r_id: 32294 rv_id: 1026179 rule_id: eqU45d version_id: jQTYllz url: https://semgrep.dev/playground/r/jQTYllz/terraform.gcp.security.gcp-artifact-registry-encrypted-with-cmk.gcp-artifact-registry-encrypted-with-cmk origin: community languages: - hcl severity: WARNING - id: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure patterns: - pattern: $APP.UseDeveloperExceptionPage(...); - pattern-not-inside: | if ($ENV.IsDevelopment(...)) { ... } - pattern-not-inside: | if ($ENV.EnvironmentName == "Development") { ... } message: Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering. metadata: category: security technology: - csharp owasp: - A06:2017 - Security Misconfiguration - A04:2021 - Insecure Design - A06:2025 - Insecure Design cwe: - 'CWE-209: Generation of Error Message Containing Sensitive Information' references: - https://cwe.mitre.org/data/definitions/209.html - https://owasp.org/Top10/A04_2021-Insecure_Design/ subcategory: - audit likelihood: LOW impact: LOW confidence: HIGH license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Mishandled Sensitive Information source: https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure shortlink: https://sg.run/XvkA semgrep.dev: rule: r_id: 26720 rv_id: 1262653 rule_id: lBU6Dv version_id: 0bTKzrB url: https://semgrep.dev/playground/r/0bTKzrB/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure origin: community languages: - csharp severity: WARNING - id: generic.secrets.gitleaks.jwt.jwt message: A gitleaks jwt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.jwt.jwt shortlink: https://sg.run/8pyE semgrep.dev: rule: r_id: 44740 rv_id: 1262769 rule_id: KxUAbk version_id: rxTAK64 url: https://semgrep.dev/playground/r/rxTAK64/generic.secrets.gitleaks.jwt.jwt origin: community patterns: - pattern-regex: \b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.jwt-base64.jwt-base64 message: A gitleaks jwt-base64 was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). languages: - regex severity: INFO metadata: likelihood: LOW impact: MEDIUM confidence: LOW category: security cwe: - 'CWE-798: Use of Hard-coded Credentials' cwe2021-top25: true cwe2022-top25: true owasp: - A07:2021 - Identification and Authentication Failures - A07:2025 - Authentication Failures references: - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln technology: - gitleaks license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license vulnerability_class: - Hard-coded Secrets source: https://semgrep.dev/r/generic.secrets.gitleaks.jwt-base64.jwt-base64 shortlink: https://sg.run/7xoZ semgrep.dev: rule: r_id: 67938 rv_id: 1262768 rule_id: 9AU71e version_id: yeTxp02 url: https://semgrep.dev/playground/r/yeTxp02/generic.secrets.gitleaks.jwt-base64.jwt-base64 origin: community patterns: - pattern-regex: \bZXlK(?:(?PaGJHY2lPaU)|(?PaGNIVWlPaU)|(?PaGNIWWlPaU)|(?PaGRXUWlPaU)|(?PaU5qUWlP)|(?PamNtbDBJanBi)|(?PamRIa2lPaU)|(?PbGNHc2lPbn)|(?PbGJtTWlPaU)|(?PcWEzVWlPaU)|(?PcWQyc2lPb)|(?PcGMzTWlPaU)|(?PcGRpSTZJ)|(?PcmFXUWlP)|(?PclpYbGZiM0J6SWpwY)|(?PcmRIa2lPaUp)|(?PdWIyNWpaU0k2)|(?Pd01tTWlP)|(?Pd01uTWlPaU)|(?Pd2NIUWlPaU)|(?P_{emRXSWlPaU)|(?PemRuUWlP)|(?PMFlXY2lPaU)|(?PMGVYQWlPaUp)|(?PMWNtd2l)|(?PMWMyVWlPaUp)|(?PMlpYSWlPaU)|(?PMlpYSnphVzl1SWpv)|(?PNElqb2)|(?PNE5XTWlP)|(?PNE5YUWlPaU)|(?PNE5YUWpVekkxTmlJNkl)|(?PNE5YVWlPaU)|(?PNmFYQWlPaU))[a-zA-Z0-9\/\\_+\-\r\n]{40,}={0,2}
- id: elixir.lang.best-practice.deprecated-use-bitwise.deprecated_use_bitwise
message: The syntax `use Bitwise` is already deprecated. Please use `import Bitwise`
instead.
severity: WARNING
languages:
- elixir
pattern: use Bitwise
fix: import Bitwise
metadata:
references:
- https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
category: best-practice
technology:
- elixir
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/elixir.lang.best-practice.deprecated-use-bitwise.deprecated_use_bitwise
shortlink: https://sg.run/bpOe
semgrep.dev:
rule:
r_id: 67426
rv_id: 945275
rule_id: oqUEDJ
version_id: pZTNONR
url: https://semgrep.dev/playground/r/pZTNONR/elixir.lang.best-practice.deprecated-use-bitwise.deprecated_use_bitwise
origin: community
- id: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging
message: Storage Analytics logs detailed information about successful and failed
requests to a storage service. This information can be used to monitor individual
requests and to diagnose issues with a storage service. Requests are logged on
a best-effort basis.
patterns:
- pattern-either:
- pattern-inside: |
resource "azurerm_storage_account" "..." {
...
queue_properties {
...
}
...
}
- pattern-inside: |
resource "azurerm_storage_account" "..." {
...
}
- pattern-not-inside: |
resource "azurerm_storage_account" "..." {
...
queue_properties {
...
logging {
...
}
...
}
...
}
metadata:
cwe:
- 'CWE-778: Insufficient Logging'
category: security
technology:
- terraform
- azure
references:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging
- https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet
owasp:
- A10:2017 - Insufficient Logging & Monitoring
- A09:2021 - Security Logging and Monitoring Failures
- A09:2025 - Security Logging & Alerting Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Insufficient Logging
source: https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging
shortlink: https://sg.run/0yEv
semgrep.dev:
rule:
r_id: 15154
rv_id: 1263806
rule_id: ReU3L9
version_id: DkTRb05
url: https://semgrep.dev/playground/r/DkTRb05/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https
message: Detected a Storage that was not configured to deny action by default. Add
`enable_https_traffic_only = true` in your resource block.
patterns:
- pattern-not-inside: |
resource "azurerm_storage_account" "..." {
...
enable_https_traffic_only = true
...
}
- pattern-inside: |
resource "azurerm_storage_account" "..." {
...
enable_https_traffic_only = false
...
}
metadata:
cwe:
- 'CWE-319: Cleartext Transmission of Sensitive Information'
category: security
technology:
- terraform
- azure
references:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only
- https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
- A04:2025 - Cryptographic Failures
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Mishandled Sensitive Information
source: https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https
shortlink: https://sg.run/0y9v
semgrep.dev:
rule:
r_id: 15110
rv_id: 1263805
rule_id: pKUpDA
version_id: BjTkZ0A
url: https://semgrep.dev/playground/r/BjTkZ0A/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https
origin: community
languages:
- hcl
severity: WARNING
- id: python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
mode: taint
pattern-sinks:
- pattern: |
sqlalchemy.text(...)
pattern-sources:
- patterns:
- pattern: |
$X + $Y
- metavariable-type:
metavariable: $X
type: string
- patterns:
- pattern: |
$X + $Y
- metavariable-type:
metavariable: $Y
type: string
- patterns:
- pattern: |
f"..."
- patterns:
- pattern: |
$X.format(...)
- metavariable-type:
metavariable: $X
type: string
- patterns:
- pattern: |
$X % $Y
- metavariable-type:
metavariable: $X
type: string
message: sqlalchemy.text passes the constructed SQL statement to the database mostly
unchanged. This means that the usual SQL injection protections are not applied
and this function is vulnerable to SQL injection if user input can reach here.
Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.) to construct
SQL.
metadata:
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
- A05:2025 - Injection
cwe:
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
(''SQL Injection'')'
category: security
technology:
- sqlalchemy
confidence: MEDIUM
references:
- https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- SQL Injection
source: https://semgrep.dev/r/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
shortlink: https://sg.run/yP1O
semgrep.dev:
rule:
r_id: 15824
rv_id: 1263577
rule_id: r6U2wE
version_id: rxTAKqq
url: https://semgrep.dev/playground/r/rxTAKqq/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text
origin: community
languages:
- python
severity: ERROR
- id: terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires
message: Ensure that the expiration date is set on all secrets
patterns:
- pattern: resource
- pattern-not-inside: |
resource "azurerm_key_vault_secret" "..." {
...
expiration_date = "..."
...
}
- pattern-not-inside: |
resource "azurerm_key_vault_secret" "..." {
...
expiration_date = ...
...
}
- pattern-inside: |
resource "azurerm_key_vault_secret" "..." {
...
}
metadata:
cwe:
- 'CWE-262: Not Using Password Aging'
category: security
technology:
- terraform
- azure
references:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date
- https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Improper Authentication
source: https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires
shortlink: https://sg.run/d2RZ
semgrep.dev:
rule:
r_id: 15134
rv_id: 1028693
rule_id: QrUdNy
version_id: 0bTl7og
url: https://semgrep.dev/playground/r/0bTl7og/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires
origin: community
languages:
- hcl
severity: INFO
- id: dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url
patterns:
- pattern: |
RUN ... $PIP install ... --extra-index-url ...
- metavariable-regex:
metavariable: $PIP
regex: pip|pip3
message: 'When `--extra-index-url` is used in a `pip install` command, this is usually
meant to install a package from a package index other than the public one. However,
if a package is added with the same name to the public PyPi repository, and if
the version number is high enough, this package will be installed when building
this docker image. This package may be a malicious dependency. Such an attack
is called a dependency confusion attack. If using a private package index, prefer
to use `--index-url` if possible. '
languages:
- dockerfile
severity: INFO
metadata:
references:
- https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url
- https://github.com/semgrep/semgrep-rules/issues/3032
category: security
subcategory:
- audit
confidence: MEDIUM
impact: HIGH
likelihood: LOW
technology:
- docker
cwe:
- 'CWE-427: Uncontrolled Search Path Element'
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url
shortlink: https://sg.run/qk4p8
semgrep.dev:
rule:
r_id: 197112
rv_id: 1039209
rule_id: pKUkLD3
version_id: 1QTY5L3
url: https://semgrep.dev/playground/r/1QTY5L3/dockerfile.audit.dockerfile-pip-extra-index-url.dockerfile-pip-extra-index-url
origin: community
- id: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
languages:
- generic
severity: WARNING
message: The host for this proxy URL is dynamically determined. This can be dangerous
if the host can be injected by an attacker because it may forcibly alter destination
of the proxy. Consider hardcoding acceptable destinations and retrieving them
with 'map' or something similar.
metadata:
source-rule-url: https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
references:
- https://nginx.org/en/docs/http/ngx_http_map_module.html
category: security
technology:
- nginx
confidence: MEDIUM
cwe:
- 'CWE-441: Unintended Proxy or Intermediary (''Confused Deputy'')'
owasp:
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Server-Side Request Forgery (SSRF)
source: https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
shortlink: https://sg.run/ndpb
semgrep.dev:
rule:
r_id: 9036
rv_id: 1262671
rule_id: GdU7yl
version_id: kbTzG2j
url: https://semgrep.dev/playground/r/kbTzG2j/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
origin: community
pattern-either:
- pattern: proxy_pass $SCHEME://$$HOST ...;
- pattern: proxy_pass $$SCHEME://$$HOST ...;
- id: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
languages:
- generic
severity: WARNING
message: The protocol scheme for this proxy is dynamically determined. This can
be dangerous if the scheme can be injected by an attacker because it may forcibly
alter the connection scheme. Consider hardcoding a scheme for this proxy.
metadata:
cwe:
- 'CWE-16: CWE CATEGORY: Configuration'
references:
- https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md
category: security
technology:
- nginx
confidence: MEDIUM
owasp:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration
- A02:2025 - Security Misconfiguration
subcategory:
- audit
likelihood: LOW
impact: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme
shortlink: https://sg.run/EkAo
semgrep.dev:
rule:
r_id: 9037
rv_id: 1262672
rule_id: ReUg7n
version_id: w8TRoAJ
url: https://semgrep.dev/playground/r/w8TRoAJ/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme
origin: community
pattern: proxy_pass $$SCHEME:// ...;
- id: generic.nginx.security.header-injection.header-injection
pattern: |
location ... <$VARIABLE> ... {
...
add_header ... $$VARIABLE
...
}
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
languages:
- generic
severity: ERROR
message: 'The $$VARIABLE path parameter is added as a header in the response. This
could allow an attacker to inject a newline and add a new header into the response.
This is called HTTP response splitting. To fix, do not allow whitespace in the
path parameter: ''[^\s]+''.'
metadata:
cwe:
- 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP
Request/Response Splitting'')'
references:
- https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
category: security
technology:
- nginx
confidence: MEDIUM
owasp:
- A03:2021 - Injection
- A05:2025 - Injection
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Improper Validation
source: https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection
shortlink: https://sg.run/7oj4
semgrep.dev:
rule:
r_id: 9038
rv_id: 1262673
rule_id: AbUz8p
version_id: xyTjzNW
url: https://semgrep.dev/playground/r/xyTjzNW/generic.nginx.security.header-injection.header-injection
origin: community
- id: generic.nginx.security.header-redefinition.header-redefinition
patterns:
- pattern-inside: |
server {
...
add_header ...;
...
...
}
- pattern-inside: |
location ... {
...
...
}
- pattern: add_header ...;
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
languages:
- generic
severity: WARNING
message: The 'add_header' directive is called in a 'location' block after headers
have been set at the server block. Calling 'add_header' in the location block
will actually overwrite the headers defined in the server block, no matter which
headers are set. To fix this, explicitly set all headers or set all headers in
the server block.
metadata:
cwe:
- 'CWE-16: CWE CATEGORY: Configuration'
references:
- https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
category: security
technology:
- nginx
confidence: LOW
owasp:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration
- A02:2025 - Security Misconfiguration
subcategory:
- audit
likelihood: LOW
impact: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition
shortlink: https://sg.run/Lwl7
semgrep.dev:
rule:
r_id: 9039
rv_id: 1262674
rule_id: BYUN58
version_id: O9TpxJD
url: https://semgrep.dev/playground/r/O9TpxJD/generic.nginx.security.header-redefinition.header-redefinition
origin: community
- id: generic.nginx.security.insecure-redirect.insecure-redirect
patterns:
- pattern-either:
- pattern: rewrite ... redirect
- pattern: rewrite ... permanent
- pattern-not-inside: rewrite ... https ... $host ... redirect
- pattern-not-inside: rewrite ... https ... $host ... permanent
- pattern-not-regex: (?i)https:\/\/
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
message: Detected an insecure redirect in this nginx configuration. If no scheme
is specified, nginx will forward the request with the incoming scheme. This could
result in unencrypted communications. To fix this, include the 'https' scheme.
languages:
- generic
severity: WARNING
metadata:
cwe:
- 'CWE-319: Cleartext Transmission of Sensitive Information'
category: security
technology:
- nginx
confidence: LOW
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
- A04:2025 - Cryptographic Failures
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Mishandled Sensitive Information
source: https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect
shortlink: https://sg.run/8y14
semgrep.dev:
rule:
r_id: 9040
rv_id: 1262675
rule_id: DbUpJe
version_id: e1TyjDz
url: https://semgrep.dev/playground/r/e1TyjDz/generic.nginx.security.insecure-redirect.insecure-redirect
origin: community
- id: generic.nginx.security.insecure-ssl-version.insecure-ssl-version
patterns:
- pattern-not: ssl_protocols TLSv1.2 TLSv1.3;
- pattern-not: ssl_protocols TLSv1.3 TLSv1.2;
- pattern-not: ssl_protocols TLSv1.2;
- pattern-not: ssl_protocols TLSv1.3;
- pattern: ssl_protocols ...;
paths:
include:
- '*.conf'
- '*.vhost'
- '**/sites-available/*'
- '**/sites-enabled/*'
languages:
- generic
severity: WARNING
message: Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2
and TLS1.3; older versions are known to be broken and are susceptible to attacks.
Prefer use of TLSv1.2 or later.
metadata:
cwe:
- 'CWE-326: Inadequate Encryption Strength'
references:
- https://www.acunetix.com/blog/web-security-zone/hardening-nginx/
- https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
category: security
technology:
- nginx
confidence: HIGH
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
- A04:2025 - Cryptographic Failures
subcategory:
- audit
likelihood: MEDIUM
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version
shortlink: https://sg.run/gLKy
semgrep.dev:
rule:
r_id: 9041
rv_id: 1262676
rule_id: WAUo9k
version_id: vdT06O4
url: https://semgrep.dev/playground/r/vdT06O4/generic.nginx.security.insecure-ssl-version.insecure-ssl-version
origin: community
- id: php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
patterns:
- pattern-either:
- pattern: file(...)
- pattern: readfile(...)
- pattern: file_get_contents(...)
message: These functions can be used to read to content of the files if the data
inside is user-controlled. Don't use the input directly or validate the data properly
before passing it to these functions.
paths:
include:
- '**/wp-content/plugins/**/*.php'
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: MEDIUM
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-download
cwe:
- 'CWE-73: External Control of File Name or Path'
owasp:
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Path Traversal
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
shortlink: https://sg.run/4gkz
semgrep.dev:
rule:
r_id: 39200
rv_id: 1263323
rule_id: lBUNXL
version_id: zyTb26p
url: https://semgrep.dev/playground/r/zyTb26p/php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
origin: community
- id: php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
patterns:
- pattern-either:
- pattern: include(...)
- pattern: require(...)
- pattern: include_once(...)
- pattern: require_once(...)
- pattern: fread(...)
message: These functions can lead to Local File Inclusion (LFI) or Remote File Inclusion
(RFI) if the data inside is user-controlled. Validate the data properly before
passing it to these functions.
paths:
include:
- '''**/wp-content/plugins/**/*.php'''
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: HIGH
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-inclusion
owasp:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
- A01:2025 - Broken Access Control
- A08:2025 - Software or Data Integrity Failures
cwe:
- 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
Traversal'')'
- 'CWE-73: The software allows user input to control or influence paths of file
names that are used in filesystem operations.'
- 'CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program
(''PHP Remote File Inclusion'')'
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Code Injection
- Path Traversal
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
shortlink: https://sg.run/PGPW
semgrep.dev:
rule:
r_id: 39201
rv_id: 1263324
rule_id: YGU8Yo
version_id: pZT03RB
url: https://semgrep.dev/playground/r/pZT03RB/php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
origin: community
- id: php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
patterns:
- pattern-either:
- pattern: unlink(...)
- pattern: wp_delete_file(...)
message: These functions can be used to delete the files if the data inside the
functions are user controlled. Use these functions carefully.
paths:
include:
- '**/wp-content/plugins/**/*.php'
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: HIGH
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-manipulation
owasp:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
- A01:2025 - Broken Access Control
- A08:2025 - Software or Data Integrity Failures
cwe:
- 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
Traversal'')'
- 'CWE-73: The software allows user input to control or influence paths of file
names that are used in filesystem operations.'
- 'CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program
(''PHP Remote File Inclusion'')'
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Code Injection
- Path Traversal
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
shortlink: https://sg.run/JpwW
semgrep.dev:
rule:
r_id: 39202
rv_id: 1263325
rule_id: 6JU0yK
version_id: 2KTv2n1
url: https://semgrep.dev/playground/r/2KTv2n1/php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
origin: community
- id: php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
pattern: wp_redirect(...)
message: This function can be used to redirect to user supplied URLs. If user input
is not sanitised or validated, this could lead to Open Redirect vulnerabilities.
Use "wp_safe_redirect()" to prevent this kind of attack.
paths:
include:
- '**/wp-content/plugins/**/*.php'
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: MEDIUM
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#open-redirect
- https://developer.wordpress.org/reference/functions/wp_safe_redirect/
cwe:
- 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')'
owasp:
- A05:2021 - Security Misconfiguration
- A02:2025 - Security Misconfiguration
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Open Redirect
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
shortlink: https://sg.run/5nZX
semgrep.dev:
rule:
r_id: 39203
rv_id: 1263326
rule_id: oqU5KY
version_id: X0TzyG3
url: https://semgrep.dev/playground/r/X0TzyG3/php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
origin: community
- id: php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
patterns:
- pattern-either:
- pattern: unserialize(...)
- pattern: maybe_unserialize(...)
message: If the data used inside the patterns are directly used without proper sanitization,
then this could lead to PHP Object Injection. Do not use these function with user-supplied
input, use JSON functions instead.
paths:
include:
- '**/wp-content/plugins/**/*.php'
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: HIGH
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-object-injection
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
cwe:
- 'CWE-502: Deserialization of Untrusted Data'
owasp:
- A03:2021 - Injection
- A05:2025 - Injection
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- 'Insecure Deserialization '
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
shortlink: https://sg.run/G6X2
semgrep.dev:
rule:
r_id: 39204
rv_id: 1263327
rule_id: zdUelq
version_id: jQTn5GO
url: https://semgrep.dev/playground/r/jQTn5GO/php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
origin: community
- id: php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
patterns:
- pattern-either:
- pattern: $wpdb->query(...)
- pattern: $wpdb->get_var(...)
- pattern: $wpdb->get_row(...)
- pattern: $wpdb->get_col(...)
- pattern: $wpdb->get_results(...)
- pattern: $wpdb->replace(...)
- pattern-not: $wpdb->prepare(...)
- pattern-not: $wpdb->delete(...)
- pattern-not: $wpdb->update(...)
- pattern-not: $wpdb->insert(...)
message: Detected unsafe API methods. This could lead to SQL Injection if the used
variable in the functions are user controlled and not properly escaped or sanitized.
In order to prevent SQL Injection, use safe api methods like "$wpdb->prepare"
properly or escape/sanitize the data properly.
paths:
include:
- '**/wp-content/plugins/**/*.php'
languages:
- php
severity: WARNING
metadata:
confidence: LOW
likelihood: LOW
impact: HIGH
category: security
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#sql-injection
- https://owasp.org/www-community/attacks/SQL_Injection
owasp:
- A03:2021 - Injection
- A05:2025 - Injection
cwe:
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
(''SQL Injection'')'
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- SQL Injection
source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
shortlink: https://sg.run/RAbe
semgrep.dev:
rule:
r_id: 39205
rv_id: 1263328
rule_id: pKUQN1
version_id: 1QTypW8
url: https://semgrep.dev/playground/r/1QTypW8/php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
origin: community
- id: generic.secrets.security.detected-artifactory-token.detected-artifactory-token
patterns:
- pattern-regex: |
\bAKC[a-zA-Z0-9]{10,}
- pattern-not-regex: |
sha(128|256|512).*
- pattern-not-regex: (?s)---BEGIN.*---\Z
languages:
- regex
paths:
exclude:
- '*.svg'
- '*go.sum'
- '*package.json'
- '*package-lock.json'
- '*bundle.js'
- '*pnpm-lock*'
- '*Podfile.lock'
- '**/*/openssl/*.h'
- '*.xcscmblueprint'
- '*cargo.lock'
message: Artifactory token detected
severity: ERROR
metadata:
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py
category: security
technology:
- secrets
- artifactory
confidence: LOW
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token
shortlink: https://sg.run/5Q2l
semgrep.dev:
rule:
r_id: 9047
rv_id: 1262858
rule_id: 6JUj3l
version_id: l4TJR6J
url: https://semgrep.dev/playground/r/l4TJR6J/generic.secrets.security.detected-artifactory-token.detected-artifactory-token
origin: community
- id: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
pattern-regex: (?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?
languages:
- regex
message: SonarQube Docs API Key detected
severity: ERROR
paths:
exclude:
- '*.svg'
- '*go.sum'
- '*cargo.lock'
- '*package.json'
- '*yarn.lock'
- '*package-lock.json'
- '*bundle.js'
- '*pnpm-lock*'
- '*Podfile.lock'
- '**/*/openssl/*.h'
- '*.xcscmblueprint'
metadata:
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
category: security
technology:
- secrets
- sonarqube
confidence: LOW
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
shortlink: https://sg.run/x10P
semgrep.dev:
rule:
r_id: 9074
rv_id: 1262895
rule_id: QrUzP1
version_id: A8TgdgQ
url: https://semgrep.dev/playground/r/A8TgdgQ/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
origin: community
- id: csharp.lang.security.sqli.csharp-sqli.csharp-sqli
mode: taint
pattern-sources:
- patterns:
- pattern: |
(string $X)
- pattern-not: |
"..."
pattern-propagators:
- pattern: (StringBuilder $B).$ANY(...,(string $X),...)
from: $X
to: $B
pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- pattern: |
new $PATTERN($CMD,...)
- focus-metavariable: $CMD
- patterns:
- pattern: |
$CMD.$PATTERN = $VALUE;
- focus-metavariable: $VALUE
- metavariable-regex:
metavariable: $PATTERN
regex: ^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$
pattern-sanitizers:
- pattern-either:
- pattern: |
$CMD.Parameters.Add(...)
- pattern: |
$CMD.Parameters.AddRange(...)
- pattern: |
$CMD.Parameters.AddWithValue(...)
- pattern: |
$CMD.Parameters[$IDX].Value = ...
by-side-effect: true
message: Detected a formatted string in a SQL statement. This could lead to SQL
injection if variables in the SQL statement are not properly sanitized. Use a
prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand'
and 'SqlParameter'.
metadata:
category: security
technology:
- csharp
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
- A05:2025 - Injection
cwe:
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
(''SQL Injection'')'
confidence: MEDIUM
references:
- https://owasp.org/Top10/A03_2021-Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- SQL Injection
source: https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli
shortlink: https://sg.run/d2Xd
semgrep.dev:
rule:
r_id: 15078
rv_id: 1262648
rule_id: x8UxeP
version_id: RGT0LqW
url: https://semgrep.dev/playground/r/RGT0LqW/csharp.lang.security.sqli.csharp-sqli.csharp-sqli
origin: community
languages:
- csharp
severity: ERROR
- id: terraform.azure.security.azure-cognitiveservices-disables-public-network.azure-cognitiveservices-disables-public-network
message: Ensure that Cognitive Services accounts disable public network access
patterns:
- pattern: resource
- pattern-not-inside: |
resource "azurerm_cognitive_account" "..." {
...
public_network_access_enabled = false
...
}
- pattern-inside: |
resource "azurerm_cognitive_account" "..." {
...
}
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- azure
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.azure.security.azure-cognitiveservices-disables-public-network.azure-cognitiveservices-disables-public-network
shortlink: https://sg.run/kP17
semgrep.dev:
rule:
r_id: 23972
rv_id: 1263770
rule_id: nJUPQL
version_id: o5TbDEk
url: https://semgrep.dev/playground/r/o5TbDEk/terraform.azure.security.azure-cognitiveservices-disables-public-network.azure-cognitiveservices-disables-public-network
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-build-workers-private.gcp-build-workers-private
patterns:
- pattern: resource
- pattern-inside: |
resource "google_cloudbuild_worker_pool" "..." {
...
}
- pattern-not-inside: |
resource "google_cloudbuild_worker_pool" "..." {
...
worker_config {
...
no_external_ip = true
...
}
...
}
message: "Ensure Cloud build workers are private\t"
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://docs.bridgecrew.io/docs/google-cloud-policy-index
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-build-workers-private.gcp-build-workers-private
shortlink: https://sg.run/Jzyj
semgrep.dev:
rule:
r_id: 32302
rv_id: 1263812
rule_id: 8GU3Rx
version_id: YDTZebq
url: https://semgrep.dev/playground/r/YDTZebq/terraform.gcp.security.gcp-build-workers-private.gcp-build-workers-private
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-compute-ip-forward.gcp-compute-ip-forward
patterns:
- pattern: resource
- pattern-inside: |
resource "google_compute_instance" "..." {
...
can_ip_forward = true
...
}
message: "Ensure that IP forwarding is not enabled on Instances. This lets the instance
act as a traffic router and receive traffic not intended for it, which may route
traffic through unintended passages.\t"
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://docs.bridgecrew.io/docs/google-cloud-policy-index
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-compute-ip-forward.gcp-compute-ip-forward
shortlink: https://sg.run/qe5e
semgrep.dev:
rule:
r_id: 32312
rv_id: 1263822
rule_id: AbUEDE
version_id: K3TKkLw
url: https://semgrep.dev/playground/r/K3TKkLw/terraform.gcp.security.gcp-compute-ip-forward.gcp-compute-ip-forward
origin: community
languages:
- hcl
severity: INFO
- id: terraform.gcp.security.gcp-memory-store-for-redis-auth-enabled.gcp-memory-store-for-redis-auth-enabled
patterns:
- pattern: resource
- pattern-inside: |
resource "google_redis_instance" "..." {
...
}
- pattern-not-inside: |
resource "google_redis_instance" "..." {
...
auth_enabled = true
...
}
message: Ensure Memorystore for Redis has AUTH enabled
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-memory-store-for-redis-auth-enabled.gcp-memory-store-for-redis-auth-enabled
shortlink: https://sg.run/Gvvq
semgrep.dev:
rule:
r_id: 33692
rv_id: 1263858
rule_id: oqUoo6
version_id: 5PTo11k
url: https://semgrep.dev/playground/r/5PTo11k/terraform.gcp.security.gcp-memory-store-for-redis-auth-enabled.gcp-memory-store-for-redis-auth-enabled
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-org-impersonation-roles-iam-binding.gcp-org-impersonation-roles-iam-binding
patterns:
- pattern: resource
- pattern-inside: |
resource "google_organization_iam_binding" "..." {
...
role = "roles/editor"
members = [ ... ]
...
}
message: "Ensure no roles that enable to impersonate and manage all service accounts
are used at an organization level\t"
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-org-impersonation-roles-iam-binding.gcp-org-impersonation-roles-iam-binding
shortlink: https://sg.run/Aqq2
semgrep.dev:
rule:
r_id: 33694
rv_id: 1263860
rule_id: pKUeej
version_id: RGT0LLg
url: https://semgrep.dev/playground/r/RGT0LLg/terraform.gcp.security.gcp-org-impersonation-roles-iam-binding.gcp-org-impersonation-roles-iam-binding
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-project-member-default-service-account-iam-binding.gcp-project-member-default-service-account-iam-binding
patterns:
- pattern: resource
- pattern-inside: |
resource "google_project_iam_binding" "..." {
...
members = [..., $MEMBER, ...]
...
}
- metavariable-regex:
metavariable: $MEMBER
regex: ((.*)-compute@developer.gserviceaccount.com)
message: Ensure Default Service account is not used at a project level
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-project-member-default-service-account-iam-binding.gcp-project-member-default-service-account-iam-binding
shortlink: https://sg.run/Kvv5
semgrep.dev:
rule:
r_id: 33699
rv_id: 1263865
rule_id: 9AUqqg
version_id: 0bTKzzw
url: https://semgrep.dev/playground/r/0bTKzzw/terraform.gcp.security.gcp-project-member-default-service-account-iam-binding.gcp-project-member-default-service-account-iam-binding
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-project-member-default-service-account-iam-member.gcp-project-member-default-service-account-iam-member
patterns:
- pattern: resource
- pattern-inside: |
resource "google_project_iam_member" "..." {
...
member = $MEMBER
...
}
- metavariable-regex:
metavariable: $MEMBER
regex: ((.*)-compute@developer.gserviceaccount.com)
message: Ensure Default Service account is not used at a project level
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-project-member-default-service-account-iam-member.gcp-project-member-default-service-account-iam-member
shortlink: https://sg.run/4XXz
semgrep.dev:
rule:
r_id: 33700
rv_id: 1263866
rule_id: yyUGG6
version_id: K3TKkkw
url: https://semgrep.dev/playground/r/K3TKkkw/terraform.gcp.security.gcp-project-member-default-service-account-iam-member.gcp-project-member-default-service-account-iam-member
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-project-service-account-user-iam-binding.gcp-project-service-account-user-iam-binding
patterns:
- pattern: resource
- pattern-either:
- pattern-inside: |
resource "google_project_iam_binding" "..." {
...
role = "roles/iam.serviceAccountTokenCreator"
...
}
- pattern-inside: |
resource "google_project_iam_binding" "..." {
...
role = "roles/iam.serviceAccountUser"
...
}
message: Ensure that IAM users are not assigned the Service Account User or Service
Account Token Creator roles at project level
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-project-service-account-user-iam-binding.gcp-project-service-account-user-iam-binding
shortlink: https://sg.run/PvvW
semgrep.dev:
rule:
r_id: 33701
rv_id: 1263867
rule_id: r6Ullx
version_id: qkTR774
url: https://semgrep.dev/playground/r/qkTR774/terraform.gcp.security.gcp-project-service-account-user-iam-binding.gcp-project-service-account-user-iam-binding
origin: community
languages:
- hcl
severity: WARNING
- id: dgryski.semgrep-go.returnnil.return-nil
patterns:
- pattern-either:
- pattern: |
if $X == nil {
return $X
}
- pattern: |
if $X != nil {
return ...
}
return $X
message: return nil instead of nil value
languages:
- go
severity: ERROR
metadata:
license: MIT
source: https://semgrep.dev/r/dgryski.semgrep-go.returnnil.return-nil
shortlink: https://sg.run/KlNj
semgrep.dev:
rule:
r_id: 8711
rv_id: 833084
rule_id: bwUwx0
version_id: 7ZTx9nk
url: https://semgrep.dev/playground/r/7ZTx9nk/dgryski.semgrep-go.returnnil.return-nil
origin: community
- id: terraform.gcp.security.gcp-project-service-account-user-iam-member.gcp-project-service-account-user-iam-member
patterns:
- pattern: resource
- pattern-either:
- pattern-inside: |
resource "google_project_iam_member" "..." {
...
role = "roles/iam.serviceAccountTokenCreator"
...
}
- pattern-inside: |
resource "google_project_iam_member" "..." {
...
role = "roles/iam.serviceAccountUser"
...
}
message: Ensure that IAM users are not assigned the Service Account User or Service
Account Token Creator roles at project level
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-project-service-account-user-iam-member.gcp-project-service-account-user-iam-member
shortlink: https://sg.run/JvvW
semgrep.dev:
rule:
r_id: 33702
rv_id: 1263868
rule_id: bwUQQk
version_id: l4TJRRv
url: https://semgrep.dev/playground/r/l4TJRRv/terraform.gcp.security.gcp-project-service-account-user-iam-member.gcp-project-service-account-user-iam-member
origin: community
languages:
- hcl
severity: WARNING
- id: terraform.gcp.security.gcp-pubsub-private-topic-iam-binding.gcp-pubsub-private-topic-iam-binding
patterns:
- pattern: resource
- pattern-either:
- pattern-inside: |
resource "google_pubsub_topic_iam_binding" "..." {
...
members = [ ..., "allAuthenticatedUsers", ...]
...
}
- pattern-inside: |
resource "google_pubsub_topic_iam_binding" "..." {
...
members = [ ..., "allUsers", ...]
...
}
message: Ensure that Pub/Sub Topics are not anonymously or publicly accessible
metadata:
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
- A01:2025 - Broken Access Control
cwe:
- 'CWE-1220: Insufficient Granularity of Access Control'
category: security
technology:
- terraform
- gcp
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/terraform.gcp.security.gcp-pubsub-private-topic-iam-binding.gcp-pubsub-private-topic-iam-binding
shortlink: https://sg.run/Gvo2
semgrep.dev:
rule:
r_id: 33704
rv_id: 1263869
rule_id: kxU35K
version_id: YDTZeen
url: https://semgrep.dev/playground/r/YDTZeen/terraform.gcp.security.gcp-pubsub-private-topic-iam-binding.gcp-pubsub-private-topic-iam-binding
origin: community
languages:
- hcl
severity: WARNING
- id: java.lang.security.java-pattern-from-string-parameter.java-pattern-from-string-parameter
languages:
- java
severity: INFO
message: A regular expression is being used directly from a String method parameter.
This could be a Regular Expression Denial of Service (ReDoS) vulnerability if
the parameter is user-controlled and not properly validated. Ensure that a validation
is in place to prevent evaluation using a regular expression prone to ReDoS.
patterns:
- pattern-inside: |-
$TYPE $METHOD(..., String $PARAM, ...) {
...
}
- pattern-either:
- pattern: java.util.regex.Pattern.matches($PARAM, $ANY_STRING_TO_MATCH)
- pattern: java.util.regex.Pattern.compile($PARAM,...)
paths:
include:
- '**/*.java'
metadata:
category: security
owasp:
- A03:2021 Injection
technology:
- java
references:
- https://en.wikipedia.org/wiki/ReDoS
- https://learn.snyk.io/lesson/redos
cwe:
- 'CWE-1333: Inefficient Regular Expression Complexity'
likelihood: LOW
impact: LOW
confidence: LOW
subcategory:
- audit
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Denial-of-Service (DoS)
source: https://semgrep.dev/r/java.lang.security.java-pattern-from-string-parameter.java-pattern-from-string-parameter
shortlink: https://sg.run/Wrw5z
semgrep.dev:
rule:
r_id: 208197
rv_id: 1138066
rule_id: EwURXy0
version_id: l4T6Z0z
url: https://semgrep.dev/playground/r/l4T6Z0z/java.lang.security.java-pattern-from-string-parameter.java-pattern-from-string-parameter
origin: community
- id: java.servlets.security.security-constraint-http-method.security-constraint-http-method
languages:
- xml
severity: WARNING
message: The tag "http-method" is used to specify on which HTTP methods the java
web security constraint apply. The target security constraints could be bypassed
if a non listed HTTP method is used. Inverse the logic by using the tag "http-method-omission"
to define for which HTTP methods the security constraint do not apply. Using this
way, only expected allowed HTTP methods will be skipped by the security constraint.
pattern: $X
paths:
include:
- '**/web.xml'
metadata:
category: security
owasp:
- A05:2021 Security Misconfiguration
- A01:2021 Broken Access Control
technology:
- java
references:
- https://docs.oracle.com/javaee/7/tutorial/security-webtier002.htm
- https://jakarta.ee/learn/docs/jakartaee-tutorial/current/security/security-advanced/security-advanced.html#_securing_http_resources
cwe:
- 'CWE-863: Incorrect Authorization'
likelihood: LOW
impact: LOW
confidence: LOW
subcategory:
- audit
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Other
source: https://semgrep.dev/r/java.servlets.security.security-constraint-http-method.security-constraint-http-method
shortlink: https://sg.run/0be3J
semgrep.dev:
rule:
r_id: 208198
rv_id: 1138067
rule_id: 7KUDXJ9
version_id: YDTnE7D
url: https://semgrep.dev/playground/r/YDTnE7D/java.servlets.security.security-constraint-http-method.security-constraint-http-method
origin: community
- id: generic.secrets.gitleaks.etsy-access-token.etsy-access-token
message: A gitleaks etsy-access-token was detected which attempts to identify hard-coded
credentials. It is not recommended to store credentials in source-code, as this
risks secrets being leaked and used by either an internal or external malicious
adversary. It is recommended to use environment variables to securely provide
credentials or retrieve credentials from a secure vault or HSM (Hardware Security
Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.etsy-access-token.etsy-access-token
shortlink: https://sg.run/W58g
semgrep.dev:
rule:
r_id: 44709
rv_id: 1262726
rule_id: yyUYnv
version_id: bZT53L5
url: https://semgrep.dev/playground/r/bZT53L5/generic.secrets.gitleaks.etsy-access-token.etsy-access-token
origin: community
patterns:
- pattern-regex: (?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
- id: generic.secrets.gitleaks.generic-api-key.generic-api-key
message: A gitleaks generic-api-key was detected which attempts to identify hard-coded
credentials. It is not recommended to store credentials in source-code, as this
risks secrets being leaked and used by either an internal or external malicious
adversary. It is recommended to use environment variables to securely provide
credentials or retrieve credentials from a secure vault or HSM (Hardware Security
Module). This rule can introduce a lot of false positives, it is not recommended
to be used in PR comments.
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key
shortlink: https://sg.run/1KZv
semgrep.dev:
rule:
r_id: 44722
rv_id: 1262742
rule_id: EwUy26
version_id: QkTGq1P
url: https://semgrep.dev/playground/r/QkTGq1P/generic.secrets.gitleaks.generic-api-key.generic-api-key
origin: community
paths:
exclude:
- '*.svg'
- '*go.sum'
- '*cargo.lock'
- '*package.json'
- '*package-lock.json'
- '*bundle.js'
- '*pnpm-lock*'
- '*Podfile.lock'
- '**/*/openssl/*.h'
- '*.xcscmblueprint'
patterns:
- pattern-regex: (?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|@\"|\"|\s|=|\x60){0,5}(?!([a-z]+\.[a-zA-Z]+)|.*(\d{4}-\d{2}-\d{2})|:*(?!("|'))[0-9A-Za-z]+\.[0-9A-Za-z]+,|[A-Z]+_[A-Z]+_)(?P[0-9a-z\-_.=\~@]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)
- metavariable-analysis:
analyzer: entropy
metavariable: $CONTENT
- focus-metavariable: $CONTENT
- pattern-not-regex: .*((?i)omitted|arn:aws|(?i)(pub.*key|public.*key)|(?i)clientToken|symbol|cache|author\.).*
- pattern-not-regex: (\d\.\d\.\d-}|([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})|(\w)\1{5}|(?i)keywords|xxxx|eeeeeeee|0000|\*\*\*|example|test|author=|author("|')|preview|[A-Z]+_KEY|[.]value|[.]key|-\d\.\d\.)
- metavariable-regex:
metavariable: $CONTENT
regex: (?!(^0x0*|^pub)|.*\.(bin|json|exe)$|.*(?i)(Client|Factory)$|(^__[A-Za-z]+__$)|^(12345|abcd)|^\d+(\.\d+)?$)
- pattern-not-regex: (\w|\.)\1{5}
- metavariable-regex:
metavariable: $CONTENT
regex: (?!(?i).*(client|endpoint|vpn|_ec2_|aws_|authorize|author|define|config|credential|setting|sample|xxxxxx|000000|buffer|delete|aaaaaa|fewfwef|getenv|env_|system|example|ecdsa|sha256|sha1|sha2|md5|alert|wizard|target|onboard|welcome|page|exploit|experiment|expire|rabbitmq|scraper|widget|music|dns_|dns-|yahoo|want|json|action|script|fix_|fix-|develop|compas|stripe|service|master|metric|tech|gitignore|rich|open|stack|irc_|irc-|sublime|kohana|has_|has-|fabric|wordpres|role|osx_|osx-|boost|addres|queue|working|sandbox|internet|print|vision|tracking|being|generator|traffic|world|pull|rust|watcher|small|auth|full|hash|more|install|auto|complete|learn|paper|installer|research|acces|last|binding|spine|into|chat|algorithm|resource|uploader|video|maker|next|proc|lock|robot|snake|patch|matrix|drill|terminal|term|stuff|genetic|generic|identity|audit|pattern|audio|web_|web-|crud|problem|statu|cms-|cms_|arch|coffee|workflow|changelog|another|uiview|content|kitchen|gnu_|gnu-|gnu\.|conf|couchdb|client|opencv|rendering|update|concept|varnish|gui_|gui-|gui\.|version|shared|extra|product|still|not_|not-|not\.|drop|ring|png_|png-|png\.|actively|import|output|backup|start|embedded|registry|pool|semantic|instagram|bash|system|ninja|drupal|jquery|polyfill|physic|league|guide|pack|synopsi|sketch|injection|svg_|svg-|svg\.|friendly|wave|convert|manage|camera|link|slide|timer|wrapper|gallery|url_|url-|url\.|todomvc|requirej|party|http|payment|async|library|home|coco|gaia|display|universal|func|metadata|hipchat|under|room|config|personal|realtime|resume|database|testing|tiny|basic|forum|meetup|yet_|yet-|yet\.|cento|dead|fluentd|editor|utilitie|run_|run-|run\.|box_|box-|box\.|bot_|bot-|bot\.|making|sample|group|monitor|ajax|parallel|cassandra|ultimate|site|get_|get-|get\.|gen_|gen-|gen\.|gem_|gem-|gem\.|extended|image|knife|asset|nested|zero|plugin|bracket|mule|mozilla|number|act_|act-|act\.|map_|map-|map\.|micro|debug|openshift|chart|expres|backend|task|source|translate|jbos|composer|sqlite|profile|mustache|mqtt|yeoman|have|builder|smart|like|oauth|school|guideline|captcha|filter|bitcoin|bridge|color|toolbox|discovery|new_|new-|new\.|dashboard|when|setting|level|post|standard|port|platform|yui_|yui-|yui\.|grunt|animation|haskell|icon|latex|cheat|lua_|lua-|lua\.|gulp|case|author|without|simulator|wifi|directory|lisp|list|flat|adventure|story|storm|gpu_|gpu-|gpu\.|store|caching|attention|solr|logger|demo|shortener|hadoop|finder|phone|pipeline|range|textmate|showcase|app_|app-|app\.|idiomatic|edit|our_|our-|our\.|out_|out-|out\.|sentiment|linked|why_|why-|why\.|local|cube|gmail|job_|job-|job\.|rpc_|rpc-|rpc\.|contest|tcp_|tcp-|tcp\.|usage|buildout|weather|transfer|automated|sphinx|issue|sas_|sas-|sas\.|parallax|jasmine|addon|machine|solution|dsl_|dsl-|dsl\.|episode|menu|theme|best|adapter|debugger|chrome|tutorial|life|step|people|joomla|paypal|developer|solver|team|current|love|visual|date|data|canva|container|future|xml_|xml-|xml\.|twig|nagio|spatial|original|sync|archived|refinery|science|mapping|gitlab|play|ext_|ext-|ext\.|session|impact|set_|set-|set\.|see_|see-|see\.|migration|commit|community|shopify|what'|cucumber|statamic|mysql|location|tower|line|code|amqp|hello|send|index|high|notebook|alloy|python|field|document|soap|edition|email|php_|php-|php\.|command|transport|official|upload|study|secure|angularj|akka|scalable|package|request|con_|con-|con\.|flexible|security|comment|module|flask|graph|flash|apache|change|window|space|lambda|sheet|bookmark|carousel|friend|objective|jekyll|bootstrap|first|article|gwt_|gwt-|gwt\.|classic|media|websocket|touch|desktop|real|read|recorder|moved|storage|validator|add-on|pusher|scs_|scs-|scs\.|inline|asp_|asp-|asp\.|timeline|base|encoding|ffmpeg|kindle|tinymce|pretty|jpa_|jpa-|jpa\.|used|user|required|webhook|download|resque|espresso|cloud|mongo|benchmark|pure|cakephp|modx|mode|reactive|fuel|written|flickr|mail|brunch|meteor|dynamic|neo_|neo-|neo\.|new_|new-|new\.|net_|net-|net\.|typo|type|keyboard|erlang|adobe|logging|ckeditor|message|iso_|iso-|iso\.|hook|ldap|folder|reference|railscast|www_|www-|www\.|tracker|azure|fork|form|digital|exporter|skin|string|template|designer|gollum|fluent|entity|language|alfred|summary|wiki|kernel|calendar|plupload|symfony|foundry|remote|talk|search|dev_|dev-|dev\.|del_|del-|del\.|token|idea|sencha|selector|interface|create|fun_|fun-|fun\.|groovy|query|grail|red_|red-|red\.|laravel|monkey|slack|supported|instant|value|center|latest|work|but_|but-|but\.|bug_|bug-|bug\.|virtual|tweet|statsd|studio|path|real-time|frontend|notifier|coding|tool|firmware|flow|random|mediawiki|bosh|been|beer|lightbox|theory|origin|redmine|hub_|hub-|hub\.|require|pro_|pro-|pro\.|ant_|ant-|ant\.|any_|any-|any\.|recipe|closure|mapper|event|todo|model|redi|provider|rvm_|rvm-|rvm\.|program|memcached|rail|silex|foreman|activity|license|strategy|batch|streaming|fast|use_|use-|use\.|usb_|usb-|usb\.|impres|academy|slider|please|layer|cros|now_|now-|now\.|miner|extension|own_|own-|own\.|app_|app-|app\.|debian|symphony|example|feature|serie|tree|project|runner|entry|leetcode|layout|webrtc|logic|login|worker|toolkit|mocha|support|back|inside|device|jenkin|contact|fake|awesome|ocaml|bit_|bit-|bit\.|drive|screen|prototype|gist|binary|nosql|rest|overview|dart|dark|emac|mongoid|solarized|homepage|emulator|commander|django|yandex|gradle|xcode|writer|crm_|crm-|crm\.|jade|startup|error|using|format|name|spring|parser|scratch|magic|try_|try-|try\.|rack|directive|challenge|slim|counter|element|chosen|doc_|doc-|doc\.|meta|should|button|packet|stream|hardware|android|infinite|password|software|ghost|xamarin|spec|chef|interview|hubot|mvc_|mvc-|mvc\.|exercise|leaflet|launcher|air_|air-|air\.|photo|board|boxen|way_|way-|way\.|computing|welcome|notepad|portfolio|cat_|cat-|cat\.|can_|can-|can\.|magento|yaml|domain|card|yii_|yii-|yii\.|checker|browser|upgrade|only|progres|aura|ruby_|ruby-|ruby\.|polymer|util|lite|hackathon|rule|log_|log-|log\.|opengl|stanford|skeleton|history|inspector|help|soon|selenium|lab_|lab-|lab\.|scheme|schema|look|ready|leveldb|docker|game|minimal|logstash|messaging|within|heroku|mongodb|kata|suite|picker|win_|win-|win\.|wip_|wip-|wip\.|panel|started|starter|front-end|detector|deploy|editing|based|admin|capture|spree|page|bundle|goal|rpg_|rpg-|rpg\.|setup|side|mean|reader|cookbook|mini|modern|seed|dom_|dom-|dom\.|doc_|doc-|doc\.|dot_|dot-|dot\.|syntax|sugar|loader|website|make|kit_|kit-|kit\.|protocol|human|daemon|golang|manager|countdown|connector|swagger|map_|map-|map\.|mac_|mac-|mac\.|man_|man-|man\.|orm_|orm-|orm\.|org_|org-|org\.|little|zsh_|zsh-|zsh\.|shop|show|workshop|money|grid|server|octopres|svn_|svn-|svn\.|ember|embed|general|file|important|dropbox|portable|public|docpad|fish|sbt_|sbt-|sbt\.|done|para|network|common|readme|popup|simple|purpose|mirror|single|cordova|exchange|object|design|gateway|account|lamp|intellij|math|mit_|mit-|mit\.|control|enhanced|emitter|multi|add_|add-|add\.|about|socket|preview|vagrant|cli_|cli-|cli\.|powerful|top_|top-|top\.|radio|watch|fluid|amazon|report|couchbase|automatic|detection|sprite|pyramid|portal|advanced|plu_|plu-|plu\.|runtime|git_|git-|git\.|uri_|uri-|uri\.|haml|node|sql_|sql-|sql\.|cool|core|obsolete|handler|iphone|extractor|array|copy|nlp_|nlp-|nlp\.|reveal|pop_|pop-|pop\.|engine|parse|check|html|nest|all_|all-|all\.|chinese|buildpack|what|tag_|tag-|tag\.|proxy|style|cookie|feed|restful|compiler|creating|prelude|context|java|rspec|mock|backbone|light|spotify|flex|related|shell|which|clas|webapp|swift|ansible|unity|console|tumblr|export|campfire|conway'|made|riak|hero|here|unix|unit|glas|smtp|how_|how-|how\.|hot_|hot-|hot\.|debug|release|diff|player|easy|right|old_|old-|old\.|animate|time|push|explorer|course|training|nette|router|draft|structure|note|salt|where|spark|trello|power|method|social|via_|via-|via\.|vim_|vim-|vim\.|select|webkit|github|ftp_|ftp-|ftp\.|creator|mongoose|led_|led-|led\.|movie|currently|pdf_|pdf-|pdf\.|load|markdown|phalcon|input|custom|atom|oracle|phonegap|ubuntu|great|rdf_|rdf-|rdf\.|popcorn|firefox|zip_|zip-|zip\.|cuda|dotfile|static|openwrt|viewer|powered|graphic|les_|les-|les\.|doe_|doe-|doe\.|maven|word|eclipse|lab_|lab-|lab\.|hacking|steam|analytic|option|abstract|archive|reality|switcher|club|write|kafka|arduino|angular|online|title|don't|contao|notice|analyzer|learning|zend|external|staging|busines|tdd_|tdd-|tdd\.|scanner|building|snippet|modular|bower|stm_|stm-|stm\.|lib_|lib-|lib\.|alpha|mobile|clean|linux|nginx|manifest|some|raspberry|gnome|ide_|ide-|ide\.|block|statistic|info|drag|youtube|koan|facebook|paperclip|art_|art-|art\.|quality|tab_|tab-|tab\.|need|dojo|shield|computer|stat|state|twitter|utility|converter|hosting|devise|liferay|updated|force|tip_|tip-|tip\.|behavior|active|call|answer|deck|better|principle|ches|bar_|bar-|bar\.|reddit|three|haxe|just|plug-in|agile|manual|tetri|super|beta|parsing|doctrine|minecraft|useful|perl|sharing|agent|switch|view|dash|channel|repo|pebble|profiler|warning|cluster|running|markup|evented|mod_|mod-|mod\.|share|csv_|csv-|csv\.|response|good|house|connect|built|build|find|ipython|webgl|big_|big-|big\.|google|scala|sdl_|sdl-|sdl\.|sdk_|sdk-|sdk\.|native|day_|day-|day\.|puppet|text|routing|helper|linkedin|crawler|host|guard|merchant|poker|over|writing|free|classe|component|craft|nodej|phoenix|longer|quick|lazy|memory|clone|hacker|middleman|factory|motion|multiple|tornado|hack|ssh_|ssh-|ssh\.|review|vimrc|driver|driven|blog|particle|table|intro|importer|thrift|xmpp|framework|refresh|react|font|librarie|variou|formatter|analysi|karma|scroll|tut_|tut-|tut\.|apple|tag_|tag-|tag\.|tab_|tab-|tab\.|category|ionic|cache|homebrew|reverse|english|getting|shipping|clojure|boot|book|branch|combination|combo))
- id: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted
patterns:
- pattern: |
resource "aws_kinesis_stream" $ANYTHING {
...
}
- pattern-not: |
resource "aws_kinesis_stream" $ANYTHING {
...
encryption_type = "KMS"
...
}
message: The AWS Kinesis stream does not encrypt data at rest. The data could be
read if the Kinesis stream storage layer is compromised. Enable Kinesis stream
server-side encryption.
languages:
- hcl
severity: WARNING
metadata:
category: security
technology:
- terraform
- aws
owasp:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
- A06:2025 - Insecure Design
cwe:
- 'CWE-311: Missing Encryption of Sensitive Data'
references:
- https://owasp.org/Top10/A04_2021-Insecure_Design
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type
- https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: MEDIUM
rule-origin-note: published from /src/aws-kinesis-stream-unencrypted.yml in None
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted
shortlink: https://sg.run/KZ0L
semgrep.dev:
rule:
r_id: 52199
rv_id: 1263728
rule_id: 8GU72N
version_id: pZT037O
url: https://semgrep.dev/playground/r/pZT037O/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted
origin: community
- id: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk
patterns:
- pattern: |
resource "aws_kinesis_stream" $ANYTHING {
...
}
- pattern-not-inside: |
resource "aws_kinesis_stream" $ANYTHING {
...
kms_key_id = ...
...
}
message: Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you
control over the encryption key in terms of access and rotation.
metadata:
category: security
technology:
- terraform
- aws
owasp:
- A03:2017 - Sensitive Data Exposure
cwe:
- 'CWE-320: CWE CATEGORY: Key Management Errors'
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk
shortlink: https://sg.run/ryBn
semgrep.dev:
rule:
r_id: 17369
rv_id: 946705
rule_id: KxU5yW
version_id: d6TPzwr
url: https://semgrep.dev/playground/r/d6TPzwr/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk
origin: community
languages:
- hcl
severity: WARNING
- id: trailofbits.ruby.json-create-deserialization.json-create-deserialization
message: |
Found `json_create` class method. This implies custom JSON deserialization
is occuring. This can lead to RCE and other deserialization-type bugs.
Usage should be audited and, at least, fuzzed.
languages:
- ruby
severity: INFO
metadata:
category: security
cwe: 'CWE-502: Deserialization of Untrusted Data'
subcategory:
- audit
confidence: LOW
likelihood: LOW
impact: HIGH
technology:
- ruby
references:
- https://github.blog/2024-06-20-execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/
- https://github.com/github/codeql/blob/main/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
- https://stackoverflow.com/questions/17226402/whats-the-difference-between-json-load-and-json-parse-methods-of-ruby-lib
license: AGPL-3.0 license
vulnerability_class:
- 'Insecure Deserialization '
source: https://semgrep.dev/r/trailofbits.ruby.json-create-deserialization.json-create-deserialization
shortlink: https://sg.run/WAz0g
semgrep.dev:
rule:
r_id: 150309
rv_id: 943203
rule_id: 10UOqrZ
version_id: 9lTyoZX
url: https://semgrep.dev/playground/r/9lTyoZX/trailofbits.ruby.json-create-deserialization.json-create-deserialization
origin: community
patterns:
- pattern-inside: |
class $CLS
...
end
- pattern: |
def self.json_create($OBJ)
...
end
- id: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
patterns:
- pattern: |
RUN sudo ...
message: Avoid using sudo in Dockerfiles. Running processes as a non-root user can
help reduce the potential impact of configuration errors and security vulnerabilities.
metadata:
category: security
technology:
- dockerfile
cwe:
- 'CWE-250: Execution with Unnecessary Privileges'
owasp:
- A05:2021 - Security Misconfiguration
- A02:2025 - Security Misconfiguration
references:
- https://cwe.mitre.org/data/definitions/250.html
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: HIGH
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Improper Authorization
source: https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
shortlink: https://sg.run/80Q7
semgrep.dev:
rule:
r_id: 66384
rv_id: 1262661
rule_id: kxUlx1
version_id: pZT03zY
url: https://semgrep.dev/playground/r/pZT03zY/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
origin: community
languages:
- dockerfile
severity: WARNING
- id: dgryski.semgrep-go.netip.net-ip-req-remoteaddr
patterns:
- pattern: net.IP($R.RemoteAddr)
message: Converting RemoteAddr to net.IP is probably wrong
fix: net.ParseIP($R.RemoteAddr)
languages:
- go
severity: ERROR
metadata:
license: MIT
source: https://semgrep.dev/r/dgryski.semgrep-go.netip.net-ip-req-remoteaddr
shortlink: https://sg.run/L1On9
semgrep.dev:
rule:
r_id: 111583
rv_id: 833062
rule_id: nJUxobq
version_id: o5TBE9K
url: https://semgrep.dev/playground/r/o5TBE9K/dgryski.semgrep-go.netip.net-ip-req-remoteaddr
origin: community
- id: csharp.lang.security.ssrf.http-client.ssrf
severity: ERROR
languages:
- csharp
metadata:
cwe:
- 'CWE-918: Server-Side Request Forgery (SSRF)'
owasp:
- A10:2021 - Server-Side Request Forgery (SSRF)
- A01:2025 - Broken Access Control
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
category: security
technology:
- .net
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Server-Side Request Forgery (SSRF)
source: https://semgrep.dev/r/csharp.lang.security.ssrf.http-client.ssrf
shortlink: https://sg.run/4eB9
semgrep.dev:
rule:
r_id: 13700
rv_id: 1262649
rule_id: 10UdbE
version_id: A8Tgde1
url: https://semgrep.dev/playground/r/A8Tgde1/csharp.lang.security.ssrf.http-client.ssrf
origin: community
message: SSRF is an attack vector that abuses an application to interact with the
internal/external network or the machine itself.
patterns:
- pattern-inside: |
using System.Net.Http;
...
- pattern-either:
- pattern: |
$T $F(..., $X, ...)
{
...
HttpClient $Y = new HttpClient();
...
... $Y.GetAsync(<... $X ...>, ...);
}
- pattern: |
$T $F(..., $X, ...)
{
...
$A $B = <... $X ...>;
...
HttpClient $Y = new HttpClient();
...
... $Y.GetAsync($B, ...);
}
- pattern: |
$T $F(..., $X, ...)
{
...
HttpClient $Y = new HttpClient();
...
... $Y.GetStringAsync(<... $X ...>);
}
- pattern: |
$T $F(..., $X, ...)
{
...
$A $B = <... $X ...>;
...
HttpClient $Y = new HttpClient();
...
... $Y.GetStringAsync($B);
}
- id: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request
message: Detected input from a HTTPServletRequest going into a SQL sink or statement.
This could lead to SQL injection if variables in the SQL statement are not properly
sanitized. Use parameterized SQL queries or properly sanitize user input instead.
severity: WARNING
metadata:
likelihood: HIGH
impact: MEDIUM
confidence: HIGH
category: security
cwe:
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
(''SQL Injection'')'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
- A05:2025 - Injection
references:
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
- https://owasp.org/www-community/attacks/SQL_Injection
subcategory:
- vuln
technology:
- sql
- java
- servlets
- spring
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- SQL Injection
source: https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request
shortlink: https://sg.run/Lg56
semgrep.dev:
rule:
r_id: 18239
rv_id: 1409390
rule_id: oqUBJG
version_id: 7ZTKJNj
url: https://semgrep.dev/playground/r/7ZTKJNj/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request
origin: community
languages:
- java
mode: taint
options:
taint_assume_safe_numbers: true
taint_assume_safe_booleans: true
pattern-sources:
- patterns:
- pattern-either:
- pattern: |
(HttpServletRequest $REQ).$REQFUNC(...)
- pattern: "(ServletRequest $REQ).$REQFUNC(...) \n"
- metavariable-regex:
metavariable: $REQFUNC
regex: (getInputStream|getParameter|getParameterMap|getParameterValues|getReader|getCookies|getHeader|getHeaderNames|getHeaders|getPart|getParts|getQueryString)
pattern-sinks:
- patterns:
- pattern-either:
- pattern: "(java.sql.CallableStatement $STMT) = ...; \n"
- pattern: |
(java.sql.Statement $STMT) = ...;
...
$OUTPUT = $STMT.$FUNC(...);
- pattern: |
(java.sql.PreparedStatement $STMT) = ...;
- pattern: |
$VAR = $CONN.prepareStatement(...)
- pattern: |
$PATH.queryForObject(...);
- pattern: |
(java.util.Map $STMT) = $PATH.queryForMap(...);
- pattern: |
(org.springframework.jdbc.support.rowset.SqlRowSet $STMT) = ...;
- pattern: |
(org.springframework.jdbc.core.JdbcTemplate $TEMPL).batchUpdate(...)
- patterns:
- pattern-inside: |
(String $SQL) = "$SQLSTR" + ...;
...
- pattern: $PATH.$SQLCMD(..., $SQL, ...);
- metavariable-regex:
metavariable: $SQLSTR
regex: (?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)
- metavariable-regex:
metavariable: $SQLCMD
regex: (execute|query|executeUpdate|batchUpdate)
- id: terraform.gcp.security.gcp-gke-cluster-logging.gcp-gke-cluster-logging
patterns:
- pattern: |
resource "google_container_cluster" $ANYTHING {
...
logging_service = "none"
...
}
message: Ensure logging is set to Enabled on Kubernetes Engine Clusters
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
cwe:
- 'CWE-320: CWE CATEGORY: Key Management Errors'
technology:
- terraform
- gcp
category: security
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/terraform.gcp.security.gcp-gke-cluster-logging.gcp-gke-cluster-logging
shortlink: https://sg.run/vYYY
semgrep.dev:
rule:
r_id: 33677
rv_id: 946938
rule_id: PeU222
version_id: jQTzqqn
url: https://semgrep.dev/playground/r/jQTzqqn/terraform.gcp.security.gcp-gke-cluster-logging.gcp-gke-cluster-logging
origin: community
- id: generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token
message: A gitleaks facebook-page-access-token was detected which attempts to identify
hard-coded credentials. It is not recommended to store credentials in source-code,
as this risks secrets being leaked and used by either an internal or external
malicious adversary. It is recommended to use environment variables to securely
provide credentials or retrieve credentials from a secure vault or HSM (Hardware
Security Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token
shortlink: https://sg.run/BYK5b
semgrep.dev:
rule:
r_id: 121951
rv_id: 1262728
rule_id: PeUJbAl
version_id: kbTzGOW
url: https://semgrep.dev/playground/r/kbTzGOW/generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token
origin: community
patterns:
- pattern-regex: (?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$)
- id: generic.secrets.gitleaks.codecov-access-token.codecov-access-token
message: A gitleaks codecov-access-token was detected which attempts to identify
hard-coded credentials. It is not recommended to store credentials in source-code,
as this risks secrets being leaked and used by either an internal or external
malicious adversary. It is recommended to use environment variables to securely
provide credentials or retrieve credentials from a secure vault or HSM (Hardware
Security Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.codecov-access-token.codecov-access-token
shortlink: https://sg.run/3leK
semgrep.dev:
rule:
r_id: 44687
rv_id: 1262703
rule_id: JDUO3B
version_id: 5PTo1yG
url: https://semgrep.dev/playground/r/5PTo1yG/generic.secrets.gitleaks.codecov-access-token.codecov-access-token
origin: community
patterns:
- pattern-regex: (?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
- id: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return
message: Missing mutex unlock (`$T` variable) before returning from a function. This
could result in panics resulting from double lock operations
languages:
- go
severity: ERROR
metadata:
category: security
cwe: 'CWE-667: Improper Locking'
subcategory:
- vuln
confidence: MEDIUM
likelihood: HIGH
impact: MEDIUM
technology:
- --no-technology--
description: Missing `mutex` unlock before returning from a function
references:
- https://pkg.go.dev/sync#Mutex
- https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/
license: AGPL-3.0 license
vulnerability_class:
- Other
source: https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return
shortlink: https://sg.run/18Bk
semgrep.dev:
rule:
r_id: 14222
rv_id: 937959
rule_id: L1U5Gz
version_id: O9TXj4X
url: https://semgrep.dev/playground/r/O9TXj4X/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return
origin: community
patterns:
- pattern-either:
- pattern: panic(...)
- pattern: return ...
- metavariable-pattern:
metavariable: $T
patterns:
- pattern: |
($T : sync.Mutex)
- pattern-inside: |
$T.Lock()
...
- pattern-not-inside: |
$T.Unlock()
...
- pattern-not-inside: |
defer $T.Unlock()
...
- pattern-not-inside: |
defer func(...) {
...
$T.Unlock()
...
}(...)
...
- pattern-not-inside: "$FOO(..., ..., func(...) { \n ... \n})\n"
- pattern-not-inside: |
return func(...) {
...
$T.Unlock()
...
}
- id: generic.secrets.gitleaks.clojars-api-token.clojars-api-token
message: A gitleaks clojars-api-token was detected which attempts to identify hard-coded
credentials. It is not recommended to store credentials in source-code, as this
risks secrets being leaked and used by either an internal or external malicious
adversary. It is recommended to use environment variables to securely provide
credentials or retrieve credentials from a secure vault or HSM (Hardware Security
Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.clojars-api-token.clojars-api-token
shortlink: https://sg.run/QXwZ
semgrep.dev:
rule:
r_id: 44686
rv_id: 1262699
rule_id: PeU7WX
version_id: qkTR7QD
url: https://semgrep.dev/playground/r/qkTR7QD/generic.secrets.gitleaks.clojars-api-token.clojars-api-token
origin: community
patterns:
- pattern-regex: (?i)(CLOJARS_)[a-z0-9]{60}
- id: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection
message: Using input or workflow parameters in here-scripts can lead to command
injection or code injection. Convert the parameters to env variables instead.
languages:
- yaml
metadata:
category: security
cwe:
- 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS
Command Injection'')'
- 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
owasp:
- "A03:2021 \u2013 Injection"
confidence: MEDIUM
likelihood: MEDIUM
impact: HIGH
subcategory:
- vuln
references:
- https://github.com/argoproj/argo-workflows/issues/5061
- https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370
technology:
- ci
- argo
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Code Injection
- Command Injection
source: https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection
shortlink: https://sg.run/yqeZ
semgrep.dev:
rule:
r_id: 40768
rv_id: 1151472
rule_id: 10U0zW
version_id: xyTp17z
url: https://semgrep.dev/playground/r/xyTp17z/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection
origin: community
severity: ERROR
patterns:
- pattern-inside: |
apiVersion: $VERSION
...
- metavariable-regex:
metavariable: $VERSION
regex: (argoproj.io.*)
- pattern-either:
- patterns:
- pattern-inside: |
command:
...
- $LANG
...
...
source:
$SCRIPT
- metavariable-regex:
metavariable: $LANG
regex: .*(sh|bash|ksh|csh|tcsh|zsh|python|python3|node|perl|ruby|php|lua|awk|sed|powershell|fish|dash|R|grooby|scala|clj|elixir|coffee|dart|haskell|ocaml).*
- metavariable-pattern:
metavariable: $SCRIPT
pattern-either:
- pattern-regex: (.*{{.*inputs.parameters.*}}.*)
- pattern-regex: (.*{{.*workflow.parameters.*}}.*)
- focus-metavariable: $SCRIPT
- patterns:
- pattern-either:
- pattern-inside: |
container:
...
command: $LANG
...
args: $PARAM
- pattern-inside: |
containerSet:
...
containers:
- ...
command: $LANG
...
args: $PARAM
- metavariable-regex:
metavariable: $LANG
regex: .*(sh|bash|ksh|csh|tcsh|zsh|python|python3|node|perl|ruby|php|lua|awk|sed|powershell|fish|dash|R|grooby|scala|clj|elixir|coffee|dart|haskell|ocaml).*
- metavariable-pattern:
metavariable: $PARAM
pattern-either:
- pattern-regex: (.*{{.*inputs.parameters.*}}.*)
- pattern-regex: (.*{{.*workflow.parameters.*}}.*)
- focus-metavariable: $PARAM
- id: generic.secrets.gitleaks.facebook-secret.facebook-secret
message: A gitleaks facebook-secret was detected which attempts to identify hard-coded
credentials. It is not recommended to store credentials in source-code, as this
risks secrets being leaked and used by either an internal or external malicious
adversary. It is recommended to use environment variables to securely provide
credentials or retrieve credentials from a secure vault or HSM (Hardware Security
Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.facebook-secret.facebook-secret
shortlink: https://sg.run/DblB2
semgrep.dev:
rule:
r_id: 121952
rv_id: 1262729
rule_id: JDUNK7E
version_id: w8TRokN
url: https://semgrep.dev/playground/r/w8TRokN/generic.secrets.gitleaks.facebook-secret.facebook-secret
origin: community
patterns:
- pattern-regex: (?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
- id: generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key
message: A gitleaks plaid-secret-key was detected which attempts to identify hard-coded
credentials. It is not recommended to store credentials in source-code, as this
risks secrets being leaked and used by either an internal or external malicious
adversary. It is recommended to use environment variables to securely provide
credentials or retrieve credentials from a secure vault or HSM (Hardware Security
Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key
shortlink: https://sg.run/rQAR
semgrep.dev:
rule:
r_id: 44769
rv_id: 1262800
rule_id: NbUvA5
version_id: qkTR7xY
url: https://semgrep.dev/playground/r/qkTR7xY/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key
origin: community
patterns:
- pattern-regex: (?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)
- id: dockerfile.security.missing-user.missing-user
patterns:
- pattern: |
CMD $...VARS
- pattern-not-inside: |
USER $USER
...
- pattern-not-inside: |
HEALTHCHECK ... CMD ...
fix: |
USER non-root
CMD $...VARS
message: By not specifying a USER, a program in the container may run as 'root'.
This is a security hazard. If an attacker can control a process running as root,
they may have control over the container. Ensure that the last USER in a Dockerfile
is a USER other than 'root'.
severity: ERROR
languages:
- dockerfile
metadata:
cwe:
- 'CWE-250: Execution with Unnecessary Privileges'
category: security
technology:
- dockerfile
confidence: MEDIUM
owasp:
- A04:2021 - Insecure Design
- A06:2025 - Insecure Design
references:
- https://owasp.org/Top10/A04_2021-Insecure_Design
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Improper Authorization
source: https://semgrep.dev/r/dockerfile.security.missing-user.missing-user
shortlink: https://sg.run/Gbvn
semgrep.dev:
rule:
r_id: 20148
rv_id: 1262660
rule_id: AbUN06
version_id: zyTb2n2
url: https://semgrep.dev/playground/r/zyTb2n2/dockerfile.security.missing-user.missing-user
origin: community
- id: trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-bad-cors
languages:
- js
- ts
message: The Apollo GraphQL server is setup with a CORS policy that reflects any
origin, or with a regex that has known flaws.
severity: ERROR
metadata:
category: security
cwe: 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains'
subcategory:
- vuln
confidence: MEDIUM
likelihood: HIGH
impact: HIGH
technology:
- graphql
- apollo-graphql-server
- apollo-graphql-server-v3
description: Bad CORS policy
references:
- https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server
license: AGPL-3.0 license
vulnerability_class:
- Improper Validation
source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-bad-cors
shortlink: https://sg.run/vE1n
semgrep.dev:
rule:
r_id: 60577
rv_id: 833282
rule_id: ZqUbNY
version_id: d6TKGL6
url: https://semgrep.dev/playground/r/d6TKGL6/trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-bad-cors
origin: community
mode: taint
pattern-sources:
- patterns:
- pattern-inside: |
{ origin: $BAD_CORS_ORIGIN }
- metavariable-pattern:
metavariable: $BAD_CORS_ORIGIN
pattern-either:
- pattern: |
true
- patterns:
- pattern-either:
- pattern: |
$CORS_SINGLE_ORIGIN
- pattern: |
[..., $CORS_SINGLE_ORIGIN, ...]
- metavariable-pattern:
metavariable: $CORS_SINGLE_ORIGIN
pattern-either:
- pattern-regex: ^/.*[^\\]\..*/$
- pattern-regex: ^/.*[^$]/$
- pattern: |
'null'
pattern-sinks:
- patterns:
- pattern-either:
- pattern-inside: |
$X = require('apollo-server-express');
...
- pattern-inside: |
import 'apollo-server-express';
...
- pattern-either:
- patterns:
- pattern-inside: |
$X = new ApolloServer({...})
...
$X.applyMiddleware({...})
- pattern: |
$X.applyMiddleware({..., cors: $CORS_ORIGIN, ...})
- focus-metavariable: $CORS_ORIGIN
- id: trailofbits.hcl.nomad.root-user.root-user
message: |
Found Nomad task using root user
languages:
- hcl
severity: WARNING
metadata:
category: security
cwe: 'CWE-250: Execution with Unnecessary Privileges'
subcategory:
- audit
confidence: HIGH
likelihood: MEDIUM
impact: LOW
technology:
- nomad
references:
- https://developer.hashicorp.com/nomad/docs/job-specification/task#user
- https://developer.hashicorp.com/nomad/docs/configuration/client#user-denylist
license: AGPL-3.0 license
vulnerability_class:
- Improper Authorization
source: https://semgrep.dev/r/trailofbits.hcl.nomad.root-user.root-user
shortlink: https://sg.run/DbOnP
semgrep.dev:
rule:
r_id: 150296
rv_id: 943190
rule_id: WAUW4XK
version_id: 0bT17rJ
url: https://semgrep.dev/playground/r/0bT17rJ/trailofbits.hcl.nomad.root-user.root-user
origin: community
patterns:
- pattern-inside: task "..." { ... }
- pattern-either:
- pattern: user = "root"
- pattern: user = "Administrator"
- id: trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-no-cors
languages:
- js
- ts
message: The Apollo GraphQL server lacks a CORS policy. By default, the server uses
the Access-Control-Allow-Origin HTTP header with the wildcard value (*).
severity: WARNING
metadata:
category: security
cwe: 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains'
subcategory:
- vuln
confidence: HIGH
likelihood: LOW
impact: LOW
technology:
- graphql
- apollo-graphql-server
- apollo-graphql-server-v3
description: Lack of CORS policy
references:
- https://www.apollographql.com/docs/apollo-server/v3/security/cors#configuring-cors-options-for-apollo-server
license: AGPL-3.0 license
vulnerability_class:
- Improper Validation
source: https://semgrep.dev/r/trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-no-cors
shortlink: https://sg.run/eNE0
semgrep.dev:
rule:
r_id: 60576
rv_id: 833281
rule_id: d8UYAJ
version_id: vdTOzdO
url: https://semgrep.dev/playground/r/vdTOzdO/trailofbits.javascript.apollo-graphql.v3-cors-express.v3-express-no-cors
origin: community
patterns:
- pattern-either:
- pattern-inside: |
$X = require('apollo-server-express');
...
- pattern-inside: |
import 'apollo-server-express';
...
- pattern: |
$X = new ApolloServer({...})
- pattern-not-inside: |
$X = new ApolloServer({...})
...
$X.applyMiddleware({..., cors: ..., ...})
- id: python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
message: Detected a 'urllib.request.Request()' object using an insecure transport
protocol, 'ftp://'. This connection will not be encrypted. Consider using SFTP
instead. urllib does not support SFTP natively, so consider using a library which
supports SFTP.
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
- A04:2025 - Cryptographic Failures
cwe:
- 'CWE-319: Cleartext Transmission of Sensitive Information'
references:
- https://docs.python.org/3/library/urllib.request.html#urllib.request.Request
category: security
technology:
- urllib
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Mishandled Sensitive Information
source: https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
shortlink: https://sg.run/l2Py
semgrep.dev:
rule:
r_id: 9657
rv_id: 1263490
rule_id: 2ZUbWA
version_id: LjTkgWZ
url: https://semgrep.dev/playground/r/LjTkgWZ/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp
origin: community
severity: WARNING
languages:
- python
pattern-either:
- pattern: urllib.request.Request("=~/^[Ff][Tt][Pp]://.*/", ...)
- pattern: |
$URL = "=~/^[Ff][Tt][Pp]://.*/"
...
urllib.request.Request($URL, ...)
- pattern: |-
def $FUNC(..., $URL = "=~/^[Ff][Tt][Pp]://.*/", ...):
...
urllib.request.Request($URL, ...)
- id: java.lang.security.audit.formatted-sql-string.formatted-sql-string
metadata:
cwe:
- 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command
(''SQL Injection'')'
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
- A05:2025 - Injection
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION
asvs:
section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
control_id: 5.3.5 Injection
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
version: '4'
references:
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
- https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps
- https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement
category: security
technology:
- java
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- SQL Injection
source: https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string
shortlink: https://sg.run/OPXp
semgrep.dev:
rule:
r_id: 9175
rv_id: 1409389
rule_id: QrUzxR
version_id: ExTeyBP
url: https://semgrep.dev/playground/r/ExTeyBP/java.lang.security.audit.formatted-sql-string.formatted-sql-string
origin: community
options:
taint_assume_safe_numbers: true
taint_assume_safe_booleans: true
message: Detected a formatted string in a SQL statement. This could lead to SQL
injection if variables in the SQL statement are not properly sanitized. Use a
prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement
using 'connection.prepareStatement'.
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: |
(HttpServletRequest $REQ)
- patterns:
- pattern-inside: |
$ANNOT $FUNC (..., $INPUT, ...) {
...
}
- pattern: (String $INPUT)
- focus-metavariable: $INPUT
label: INPUT
- patterns:
- pattern-either:
- pattern: $X + $INPUT
- pattern: $X += $INPUT
- pattern: String.format(..., $INPUT, ...)
- pattern: String.join(..., $INPUT, ...)
- pattern: (String $STR).concat($INPUT)
- pattern: $INPUT.concat(...)
- patterns:
- pattern-either:
- pattern: $STRB.append($INPUT)
- pattern: new $STRB(..., $INPUT, ...)
- metavariable-type:
metavariable: $STRB
type: StringBuilder
label: CONCAT
requires: INPUT
pattern-propagators:
- pattern: (StringBuffer $S).append($X)
from: $X
to: $S
- pattern: (StringBuilder $S).append($X)
from: $X
to: $S
pattern-sinks:
- patterns:
- pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE *$/" ...>)
- pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE %s$/" ...>)
- pattern-either:
- pattern: (Statement $S).$SQLFUNC(...)
- pattern: (PreparedStatement $P).$SQLFUNC(...)
- pattern: (Connection $C).createStatement(...).$SQLFUNC(...)
- pattern: (Connection $C).prepareStatement(...).$SQLFUNC(...)
- pattern: (EntityManager $EM).$SQLFUNC(...)
- metavariable-regex:
metavariable: $SQLFUNC
regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare
requires: CONCAT
pattern-sanitizers:
- patterns:
- pattern: (CriteriaBuilder $CB).$ANY(...)
severity: ERROR
languages:
- java
- id: yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor
languages:
- yaml
message: The Shai-hulud backdoor creates a purposefully vulnerable github action
with the name `discussion.yaml`.
paths:
include:
- '**/.github/workflows/discussion.yaml'
metadata:
category: security
cwe:
- 'CWE-509: Replicating Malicious Code (Virus or Worm)'
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
- A05:2025 - Injection
technology:
- github-actions
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: HIGH
confidence: HIGH
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Command Injection
source_rule_url: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
references:
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
source: https://semgrep.dev/r/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor
shortlink: https://sg.run/JdYPZ
semgrep.dev:
rule:
r_id: 238946
rv_id: 1263927
rule_id: 7KUDRPj
version_id: 6xT29ol
url: https://semgrep.dev/playground/r/6xT29ol/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor
origin: community
patterns:
- pattern-inside: 'steps: [...]'
- pattern-inside: |
- run: ...
...
- pattern: 'run: $SHELL'
- metavariable-pattern:
language: generic
metavariable: $SHELL
patterns:
- pattern-either:
- pattern: ${{ github.event.issue.title }}
- pattern: ${{ github.event.issue.body }}
- pattern: ${{ github.event.pull_request.title }}
- pattern: ${{ github.event.pull_request.body }}
- pattern: ${{ github.event.comment.body }}
- pattern: ${{ github.event.review.body }}
- pattern: ${{ github.event.review_comment.body }}
- pattern: ${{ github.event.pages. ... .page_name}}
- pattern: ${{ github.event.head_commit.message }}
- pattern: ${{ github.event.head_commit.author.email }}
- pattern: ${{ github.event.head_commit.author.name }}
- pattern: ${{ github.event.commits ... .author.email }}
- pattern: ${{ github.event.commits ... .author.name }}
- pattern: ${{ github.event.pull_request.head.ref }}
- pattern: ${{ github.event.pull_request.head.label }}
- pattern: ${{ github.event.pull_request.head.repo.default_branch }}
- pattern: ${{ github.head_ref }}
- pattern: ${{ github.event.inputs ... }}
- pattern: ${{ github.event.discussion.title }}
- pattern: ${{ github.event.discussion.body }}
- pattern: ${{ inputs ... }}
severity: ERROR
- id: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
pattern-regex: access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32}
languages:
- regex
message: PayPal Braintree Access Token detected
severity: ERROR
metadata:
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
category: security
technology:
- secrets
- paypal
- braintree
confidence: LOW
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
shortlink: https://sg.run/9oBR
semgrep.dev:
rule:
r_id: 9067
rv_id: 1262885
rule_id: ZqU507
version_id: 8KT5ryb
url: https://semgrep.dev/playground/r/8KT5ryb/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
origin: community
- id: generic.secrets.gitleaks.slack-config-access-token.slack-config-access-token
message: A gitleaks slack-config-access-token was detected which attempts to identify
hard-coded credentials. It is not recommended to store credentials in source-code,
as this risks secrets being leaked and used by either an internal or external
malicious adversary. It is recommended to use environment variables to securely
provide credentials or retrieve credentials from a secure vault or HSM (Hardware
Security Module).
languages:
- regex
severity: INFO
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A07:2021 - Identification and Authentication Failures
- A07:2025 - Authentication Failures
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
subcategory:
- vuln
technology:
- gitleaks
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
vulnerability_class:
- Hard-coded Secrets
source: https://semgrep.dev/r/generic.secrets.gitleaks.slack-config-access-token.slack-config-access-token
shortlink: https://sg.run/vGWb
semgrep.dev:
rule:
r_id: 66777
rv_id: 1262827
rule_id: zdUJXd
version_id: bZT5317
url: https://semgrep.dev/playground/r/bZT5317/generic.secrets.gitleaks.slack-config-access-token.slack-config-access-token
origin: community
patterns:
- pattern-regex: (?i)(xoxe.xox[bp]-\d-[A-Z0-9]{163,166})
- id: python.lang.correctness.useless-eqeq.useless-eqeq
patterns:
- pattern-not-inside: |
def __eq__(...):
...
- pattern-not-inside: |
def __cmp__(...):
...
- pattern-not-inside: assert(...)
- pattern-not-inside: assert ..., ...
- pattern-not-inside: assertTrue(...)
- pattern-not-inside: assertFalse(...)
- pattern-either:
- pattern: $X == $X
- pattern: $X != $X
- pattern-not: 1 == 1
message: 'This expression is always True: `$X == $X` or `$X != $X`. If testing for
floating point NaN, use `math.isnan($X)`, or `cmath.isnan($X)` if the number is
complex.'
languages:
- python
severity: INFO
metadata:
category: correctness
technology:
- python
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/python.lang.correctness.useless-eqeq.useless-eqeq
shortlink: https://sg.run/GeAp
semgrep.dev:
rule:
r_id: 9604
rv_id: 946306
rule_id: 0oU5Ol
version_id: LjTXybY
url: https://semgrep.dev/playground/r/LjTXybY/python.lang.correctness.useless-eqeq.useless-eqeq
origin: community
- id: ocaml.lang.best-practice.mutex.mutex-lock-exn
pattern: Mutex.lock $MUTEX
message: Raw `Mutex.lock`/`Mutex.unlock` is not exception-safe. If an exception
is raised between lock and unlock, the mutex will never be released, causing a
deadlock. Replace with `Mutex.protect $MUTEX (fun () -> ...)` which guarantees
the mutex is released even when exceptions are raised.
languages:
- ocaml
severity: WARNING
metadata:
category: best-practice
technology:
- ocaml
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/ocaml.lang.best-practice.mutex.mutex-lock-exn
shortlink: https://sg.run/P9B53
semgrep.dev:
rule:
r_id: 291645
rv_id: 1423384
rule_id: 6JU5WrQ
version_id: A8TEB3K
url: https://semgrep.dev/playground/r/A8TEB3K/ocaml.lang.best-practice.mutex.mutex-lock-exn
origin: community
- id: package_managers.bun.bun-missing-minimum-release-age.bun-missing-minimum-release-age
pattern-either:
- patterns:
- pattern-regex: (?ms)\[install\](?P[^\[]*?)(?=\[|\z)
- metavariable-regex:
metavariable: $TARGET
regex: ^(?![\s\S]*minimumReleaseAge)
- focus-metavariable: $TARGET
- patterns:
- pattern-regex: minimumReleaseAge\s*=\s*\d+
- pattern-regex: =\s*(?P\d+)
- metavariable-comparison:
metavariable: $AGE
comparison: int($AGE) < 604800
- focus-metavariable: $AGE
- patterns:
- pattern-regex: (?m)minimumReleaseAge[ \t]*=[ \t]*(?P[^\s\d][^\n]*)
- focus-metavariable: $VAL
- patterns:
- pattern-regex: (?m)minimumReleaseAge\s*=\s*$
message: 'This bunfig.toml does not set a minimum release age or sets it too low.
Newly published packages can be malicious or unstable. Add `minimumReleaseAge
= 604800` under the `[install]` section to wait 7 days before resolving newly
published package versions. Added in: v1.3 Reference: https://bun.sh/docs/runtime/bunfig'
languages:
- generic
severity: MEDIUM
paths:
include:
- '**/bunfig.toml'
- '**/.bunfig.toml'
metadata:
category: security
technology:
- bun
- javascript
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://bun.sh/docs/runtime/bunfig
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.bun.bun-missing-minimum-release-age.bun-missing-minimum-release-age
shortlink: https://sg.run/JqPrR
semgrep.dev:
rule:
r_id: 291646
rv_id: 1423385
rule_id: oqUyJOb
version_id: BjTyRe5
url: https://semgrep.dev/playground/r/BjTyRe5/package_managers.bun.bun-missing-minimum-release-age.bun-missing-minimum-release-age
origin: community
- id: package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown
pattern-either:
- patterns:
- pattern-inside: |
updates:
...
- pattern: |
- package-ecosystem: $ECOSYSTEM
...
- pattern-not: |
- package-ecosystem: $ECOSYSTEM
...
cooldown:
...
...
- patterns:
- pattern-inside: |
updates:
...
- pattern-regex: default-days\s*:\s*(?P\d+)
- metavariable-comparison:
metavariable: $DAYS
comparison: int($DAYS) < 7
- focus-metavariable: $DAYS
- patterns:
- pattern-inside: |
updates:
...
- pattern: |
cooldown:
default-days: $DAYS
- metavariable-regex:
metavariable: $DAYS
regex: ^\D
- focus-metavariable: $DAYS
message: 'This Dependabot configuration does not set a cooldown period. Newly published
packages can be malicious or unstable. Add a `cooldown` block with `default-days:
7` to each `package-ecosystem` entry under `updates` to wait 7 days before proposing
updates to newly published package versions. Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown'
languages:
- yaml
severity: MEDIUM
paths:
include:
- '**/.github/dependabot.yml'
- '**/.github/dependabot.yaml'
metadata:
category: security
technology:
- dependabot
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown
shortlink: https://sg.run/5WvGK
semgrep.dev:
rule:
r_id: 291647
rv_id: 1423386
rule_id: zdUArOL
version_id: DkTwEGl
url: https://semgrep.dev/playground/r/DkTwEGl/package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown
origin: community
- id: package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-age
pattern-either:
- patterns:
- pattern-regex: (?:(?:^---\n)(?:[^\n]*\n)|^)(?P(?:(?!\n---)[\s\S])*\S(?:(?!\n---)[\s\S])*)
- pattern-not-regex: min-release-age
- focus-metavariable: $TARGET
- patterns:
- pattern-regex: min-release-age\s*=\s*\d+
- pattern-regex: =\s*(?P\d+)
- metavariable-comparison:
metavariable: $AGE
comparison: int($AGE) < 7
- focus-metavariable: $AGE
- patterns:
- pattern-regex: (?m)min-release-age[ \t]*=[ \t]*(?P[^\s\d][^\n]*)
- focus-metavariable: $VAL
- patterns:
- pattern-regex: (?m)min-release-age\s*=\s*$
message: 'This .npmrc does not set a minimum release age or sets it too low. Newly
published packages can be malicious or unstable. Add `min-release-age = 7` to
wait 7 days before resolving newly published package versions. Added in: v11.10
Reference: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/'
languages:
- generic
severity: MEDIUM
paths:
include:
- '**/.npmrc'
metadata:
category: security
technology:
- npm
- javascript
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/
- https://github.com/npm/cli/pull/8965
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-age
shortlink: https://sg.run/GRo1z
semgrep.dev:
rule:
r_id: 291648
rv_id: 1423387
rule_id: pKU6A82
version_id: WrT7LdL
url: https://semgrep.dev/playground/r/WrT7LdL/package_managers.npm.npm-missing-minimum-release-age.npm-missing-minimum-release-age
origin: community
- id: package_managers.pnpm.pnpm-block-exotic-sub-dependencies.pnpm-block-exotic-sub-dependencies
message: 'Missing or incorrect blockExoticSubdeps. Set `blockExoticSubdeps: true`
to transitive dependencies from being installed from untrusted sources. Added
in: v10.26.0 Reference: https://pnpm.io/settings#blockexoticsubdeps'
languages:
- yaml
severity: MEDIUM
paths:
include:
- '**/pnpm-workspace.yaml'
pattern-either:
- patterns:
- pattern-regex: (?ms)(?:\A|^---$\n)(?:(?!^blockExoticSubdeps\s*:)(?!^---$)[\s\S])*?(?P^(?:packages|catalog)\s*:)(?:(?!^blockExoticSubdeps\s*:)(?!^---$)[\s\S])*?(?=^---$|\z)
- focus-metavariable: $TARGET
- patterns:
- pattern: |
blockExoticSubdeps: $VAL
- metavariable-regex:
metavariable: $VAL
regex: ^(?!true$).+
- focus-metavariable: $VAL
- patterns:
- pattern-regex: (?m)^\s*blockExoticSubdeps\s*:\s*$
metadata:
category: security
technology:
- pnpm
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://pnpm.io/settings#blockexoticsubdeps
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.pnpm.pnpm-block-exotic-sub-dependencies.pnpm-block-exotic-sub-dependencies
shortlink: https://sg.run/RrWRv
semgrep.dev:
rule:
r_id: 291649
rv_id: 1423388
rule_id: 2ZUQEZ5
version_id: 0bTGnwj
url: https://semgrep.dev/playground/r/0bTGnwj/package_managers.pnpm.pnpm-block-exotic-sub-dependencies.pnpm-block-exotic-sub-dependencies
origin: community
- id: package_managers.pnpm.pnpm-missing-minimum-release-age.pnpm-minimum-release-age
message: 'This pnpm workspace configuration does not set a minimum release age.
Newly published packages can be malicious or unstable. Add `minimumReleaseAge:
10080` (minutes) to wait at least seven days before installing newly published
package versions. Added in: v10.16.0 Reference: https://pnpm.io/settings#minimumreleaseage'
languages:
- yaml
severity: MEDIUM
paths:
include:
- '**/pnpm-workspace.yaml'
pattern-either:
- patterns:
- pattern-regex: (?ms)(?:\A|^---$\n)(?:(?!^minimumReleaseAge\s*:)(?!^---$)[\s\S])*?(?P^(?:packages|catalog)\s*:)(?:(?!^minimumReleaseAge\s*:)(?!^---$)[\s\S])*?(?=^---$|\z)
- focus-metavariable: $TARGET
- patterns:
- pattern-regex: ^\s*minimumReleaseAge\s*:\s*(?P\d+)
- metavariable-comparison:
metavariable: $AGE
comparison: int($AGE) < 10080
- focus-metavariable: $AGE
- patterns:
- pattern: |
minimumReleaseAge: $AGE
- metavariable-regex:
metavariable: $AGE
regex: ^\D
- focus-metavariable: $AGE
- patterns:
- pattern-regex: (?m)^\s*minimumReleaseAge\s*:\s*$
metadata:
category: security
technology:
- pnpm
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://pnpm.io/settings#minimumreleaseage
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.pnpm.pnpm-missing-minimum-release-age.pnpm-minimum-release-age
shortlink: https://sg.run/Aj0o0
semgrep.dev:
rule:
r_id: 291650
rv_id: 1423389
rule_id: X5Uwn1n
version_id: K3TgxrW
url: https://semgrep.dev/playground/r/K3TgxrW/package_managers.pnpm.pnpm-missing-minimum-release-age.pnpm-minimum-release-age
origin: community
- id: package_managers.pnpm.pnpm-trust-policy.pnpm-trust-policy
message: 'Missing or incorrect trustPolicy. Set `trustPolicy: no-downgrade` to prevent
malicious package updates from downgrading security settings. Added in: v10.21.0
Reference: https://pnpm.io/settings#trustpolicy'
languages:
- yaml
severity: MEDIUM
paths:
include:
- '**/pnpm-workspace.yaml'
pattern-either:
- patterns:
- pattern-regex: (?ms)(?:\A|^---$\n)(?:(?!^trustPolicy\s*:)(?!^---$)[\s\S])*?(?P^(?:packages|catalog)\s*:)(?:(?!^trustPolicy\s*:)(?!^---$)[\s\S])*?(?=^---$|\z)
- focus-metavariable: $TARGET
- patterns:
- pattern: |
trustPolicy: $VAL
- metavariable-regex:
metavariable: $VAL
regex: ^(?!no-downgrade$).+
- focus-metavariable: $VAL
- patterns:
- pattern-regex: (?m)^\s*trustPolicy\s*:\s*$
metadata:
category: security
technology:
- pnpm
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://pnpm.io/settings#minimumreleaseage
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.pnpm.pnpm-trust-policy.pnpm-trust-policy
shortlink: https://sg.run/B2Kz7
semgrep.dev:
rule:
r_id: 291651
rv_id: 1423390
rule_id: j2U6J8N
version_id: qkTvDQn
url: https://semgrep.dev/playground/r/qkTvDQn/package_managers.pnpm.pnpm-trust-policy.pnpm-trust-policy
origin: community
- id: package_managers.renovate.renovate-missing-minimum-release-age.renovate-missing-minimum-release-age
pattern-either:
- patterns:
- pattern-inside: |
"packageRules": [
...
]
- pattern-either:
- pattern: |
{ ..., "matchPackageNames": [...], ... }
- pattern: |
{ ..., "matchPackagePatterns": [...], ... }
- pattern: |
{ ..., "matchDepTypes": [...], ... }
- pattern-not: |
{
...,
"minimumReleaseAge": $AGE,
...
}
- patterns:
- pattern-inside: |
"packageRules": [
...
]
- pattern-regex: '"minimumReleaseAge":\s*"(?P\d+) days?"'
- metavariable-comparison:
metavariable: $AGE
comparison: int($AGE) < 7
- focus-metavariable: $AGE
- patterns:
- pattern-inside: |
"packageRules": [
...
]
- pattern: |
"minimumReleaseAge": "$AGE"
- metavariable-regex:
metavariable: $AGE
regex: ^(?!\d+ days?$)
- focus-metavariable: $AGE
message: 'This Renovate configuration does not set a minimum release age. Newly
published packages can be malicious or unstable. Add `"minimumReleaseAge": "7
days"` within a `packageRules` entry to wait 7 days before proposing updates to
newly published package versions. Added in: v42 Reference: https://docs.renovatebot.com/configuration-options/#minimumreleaseage'
languages:
- json
severity: MEDIUM
paths:
include:
- '**/renovate.json'
- '**/.renovaterc'
- '**/.renovaterc.json'
- '**/renovate.json5'
metadata:
category: security
technology:
- renovate
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://docs.renovatebot.com/configuration-options/#minimumreleaseage
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.renovate.renovate-missing-minimum-release-age.renovate-missing-minimum-release-age
shortlink: https://sg.run/D8l2q
semgrep.dev:
rule:
r_id: 291652
rv_id: 1423391
rule_id: 10UbQrX
version_id: l4TpEyD
url: https://semgrep.dev/playground/r/l4TpEyD/package_managers.renovate.renovate-missing-minimum-release-age.renovate-missing-minimum-release-age
origin: community
- id: package_managers.uv.uv-missing-dependency-cooldown.uv-missing-dependency-cooldown
pattern-either:
- patterns:
- pattern-regex: (?ms)\[tool\.uv\](?P[^\[]*?)(?=\[|\z)
- metavariable-regex:
metavariable: $TARGET
regex: ^(?![\s\S]*exclude-newer)
- focus-metavariable: $TARGET
- patterns:
- pattern-regex: exclude-newer\s*=\s*"(?P\d+) days?"
- metavariable-comparison:
metavariable: $DAYS
comparison: int($DAYS) < 7
- focus-metavariable: $DAYS
- patterns:
- pattern-regex: exclude-newer\s*=\s*"(?P[^"]+)"
- metavariable-regex:
metavariable: $VAL
regex: ^(?!\d+ days?$)(?!\d{4}-\d{2}-\d{2}$)(?!\d{4}-\d{2}-\d{2}T)
- focus-metavariable: $VAL
message: 'This pyproject.toml configures uv but does not set a dependency cooldown.
Newly published packages can be malicious or unstable. Add `exclude-newer = "7
days"` under `[tool.uv]` to wait 7 days before resolving newly published package
versions. Added in: 0.9.17 Reference: https://docs.astral.sh/uv/concepts/resolution/#dependency-cooldowns'
languages:
- generic
severity: MEDIUM
paths:
include:
- '**/pyproject.toml'
- '**/uv.toml'
metadata:
category: security
technology:
- uv
- python
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://docs.astral.sh/uv/concepts/resolution/#dependency-cooldowns
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.uv.uv-missing-dependency-cooldown.uv-missing-dependency-cooldown
shortlink: https://sg.run/WeY0Z
semgrep.dev:
rule:
r_id: 291653
rv_id: 1423392
rule_id: 9AUo6vE
version_id: YDTwLle
url: https://semgrep.dev/playground/r/YDTwLle/package_managers.uv.uv-missing-dependency-cooldown.uv-missing-dependency-cooldown
origin: community
- id: package_managers.yarn.yarn-missing-minimal-age-gate.yarn-missing-minimal-age-gate
pattern-either:
- patterns:
- pattern-regex: (?ms)(?:\A|^---$\n)(?:(?!^npmMinimalAgeGate\s*:)(?!^---$)[\s\S])*?(?P^(?:nodeLinker|yarnPath|enableGlobalCache|npmScopes|npmRegistryServer)\s*:)(?:(?!^npmMinimalAgeGate\s*:)(?!^---$)[\s\S])*?(?=^---$|\z)
- focus-metavariable: $TARGET
- patterns:
- pattern-regex: (?m)npmMinimalAgeGate\s*:\s*['"]?(?P\d+)d['"]?
- metavariable-comparison:
metavariable: $DAYS
comparison: int($DAYS) < 7
- focus-metavariable: $DAYS
- patterns:
- pattern-regex: (?m)npmMinimalAgeGate[ \t]*:[ \t]*(?P\S+)
- metavariable-regex:
metavariable: $VAL
regex: ^(?!['"]?\d+d['"]?$)
- focus-metavariable: $VAL
- patterns:
- pattern-regex: (?m)^npmMinimalAgeGate\s*:\s*$
message: 'This .yarnrc.yml does not set a minimal age gate or sets it too low. Newly
published packages can be malicious or unstable. Add `npmMinimalAgeGate: "7d"`
to wait 7 days before resolving newly published package versions. Added in: 4.10
Reference: https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate'
languages:
- yaml
severity: MEDIUM
paths:
include:
- '**/.yarnrc.yml'
metadata:
category: security
technology:
- yarn
- javascript
cwe:
- 'CWE-829: Inclusion of Functionality from Untrusted Control Sphere'
owasp:
- A08:2021 - Software and Data Integrity Failures
confidence: HIGH
likelihood: LOW
impact: HIGH
subcategory:
- audit
vulnerability_class:
- Insecure Configuration
references:
- https://yarnpkg.com/configuration/yarnrc#npmMinimalAgeGate
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/package_managers.yarn.yarn-missing-minimal-age-gate.yarn-missing-minimal-age-gate
shortlink: https://sg.run/0gvNq
semgrep.dev:
rule:
r_id: 291654
rv_id: 1423393
rule_id: yyUBeEz
version_id: JdTnXlj
url: https://semgrep.dev/playground/r/JdTnXlj/package_managers.yarn.yarn-missing-minimal-age-gate.yarn-missing-minimal-age-gate
origin: community
- id: dockerfile.best-practice.remove-package-lists.remove-package-lists
patterns:
- pattern-not-inside: RUN ... rm -rf /var/lib/apt/lists/*
- pattern: RUN apt-get update ...
- pattern: apt-get update
message: The package lists were not deleted after running 'apt-get update', which
increases the size of the image. Remove the package lists by appending '&& rm
-rf /var/lib/apt/lists/*' at the end of apt-get command chain.
severity: WARNING
languages:
- dockerfile
metadata:
source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3009
references:
- https://github.com/hadolint/hadolint/wiki/DL3009
category: best-practice
technology:
- dockerfile
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/dockerfile.best-practice.remove-package-lists.remove-package-lists
shortlink: https://sg.run/8k57
semgrep.dev:
rule:
r_id: 20140
rv_id: 945258
rule_id: QrU1Ax
version_id: YDTvRvQ
url: https://semgrep.dev/playground/r/YDTvRvQ/dockerfile.best-practice.remove-package-lists.remove-package-lists
origin: community
- id: dockerfile.best-practice.remove-package-cache.remove-package-cache
patterns:
- pattern-not-inside: RUN ... && apt-get clean ...
- pattern: RUN ... apt-get update ...
- pattern: apt-get update
message: The package cache was not deleted after running 'apt-get update', which
increases the size of the image. Remove the package cache by appending '&& apt-get
clean' at the end of apt-get command chain.
severity: WARNING
languages:
- dockerfile
metadata:
source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3009
references:
- https://github.com/hadolint/hadolint/wiki/DL3009
category: best-practice
technology:
- dockerfile
license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license
source: https://semgrep.dev/r/dockerfile.best-practice.remove-package-cache.remove-package-cache
shortlink: https://sg.run/L2vJ
semgrep.dev:
rule:
r_id: 20139
rv_id: 945257
rule_id: gxUkEK
version_id: l4Tx9xd
url: https://semgrep.dev/playground/r/l4Tx9xd/dockerfile.best-practice.remove-package-cache.remove-package-cache
origin: community}