
Rule updates

Welcome to monthly rule updates! This document includes selected new rules, removed false positives (FP), and other rule updates. These new rules and their updates are made by the Semgrep community and r2c.

July 2022

New rules from Semgrep community and r2c

New rules from Semgrep community:

New rules have been added with taint sources:

There are now 80 Team tier-only rules covering Java, PHP, JavaScript, and TypeScript available in the Semgrep Registry. These rules are designed for higher precision and lower false positive rates.

Rule changes and updates

Reduced severity to INFO:

Limit sources to specific properties of Request object rather than all properties:

The python.lang.security.audit.dangerous rules have been reworked. All Python dangerous rules have had their confidence level changed to LOW. Renamed rules:

Added to p/default (p/default is the ruleset that runs automatically with semgrep --config p/default):

Removed from p/default in Semgrep Registry:

- ajinabraham.njsscan.archive_path_overwrite.admzip_path_overwrite
- ajinabraham.njsscan.archive_path_overwrite.tar_path_overwrite
- ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite
- ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite2
- ajinabraham.njsscan.buffer_noassert.buffer_noassert
- ajinabraham.njsscan.crypto_node.node_aes_ecb
- ajinabraham.njsscan.crypto_node.node_aes_noiv
- ajinabraham.njsscan.crypto_node.node_insecure_random_generator
- ajinabraham.njsscan.crypto_node.node_md5
- ajinabraham.njsscan.crypto_node.node_sha1
- ajinabraham.njsscan.crypto_node.node_weak_crypto
- ajinabraham.njsscan.error_disclosure.node_error_disclosure
- ajinabraham.njsscan.eval_deserialize.node_deserialize
- ajinabraham.njsscan.eval_deserialize.serializetojs_deserialize
- ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection
- ajinabraham.njsscan.eval_grpc_deserialize.grpc_insecure_connection
- ajinabraham.njsscan.eval_node.eval_nodejs
- ajinabraham.njsscan.eval_require.eval_require
- ajinabraham.njsscan.eval_sandbox.sandbox_code_injection
- ajinabraham.njsscan.eval_vm2_injection.vm2_code_injection
- ajinabraham.njsscan.eval_vm2_injection.vm2_context_injection
- ajinabraham.njsscan.eval_vm_injection.vm_code_injection
- ajinabraham.njsscan.eval_vm_injection.vm_compilefunction_injection
- ajinabraham.njsscan.eval_vm_injection.vm_runincontext_injection
- ajinabraham.njsscan.eval_vm_injection.vm_runinnewcontext_injection
- ajinabraham.njsscan.eval_yaml_deserialize.yaml_deserialize
- ajinabraham.njsscan.exec_os_command.generic_os_command_exec
- ajinabraham.njsscan.exec_os_command.generic_os_command_exec2
- ajinabraham.njsscan.exec_shelljs.shelljs_os_command_exec
- ajinabraham.njsscan.express_bodyparser_dos.express_bodyparser
- ajinabraham.njsscan.express_hbs_lfr.express_lfr
- ajinabraham.njsscan.express_hbs_lfr.express_lfr_warning
- ajinabraham.njsscan.good_anti_csrf.anti_csrf_control
- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_crossdomain
- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_csp
- ajinabraham.njsscan.good_helmet_checks.helmet_header_check_expect_ct
- ajinabraham.njsscan.good_helmet_checks.helmet_header_dns_prefetch
- ajinabraham.njsscan.good_helmet_checks.helmet_header_feature_policy
- ajinabraham.njsscan.good_helmet_checks.helmet_header_frame_guard
- ajinabraham.njsscan.good_helmet_checks.helmet_header_hsts
- ajinabraham.njsscan.good_helmet_checks.helmet_header_ienoopen
- ajinabraham.njsscan.good_helmet_checks.helmet_header_nosniff
- ajinabraham.njsscan.good_helmet_checks.helmet_header_referrer_policy
- ajinabraham.njsscan.good_helmet_checks.helmet_header_x_powered_by
- ajinabraham.njsscan.good_helmet_checks.helmet_header_xss_filter
- ajinabraham.njsscan.good_ratelimiting.rate_limit_control
- ajinabraham.njsscan.hardcoded_passport.hardcoded_passport_secret
- ajinabraham.njsscan.header_cookie.cookie_session_default
- ajinabraham.njsscan.header_cookie.cookie_session_no_domain
- ajinabraham.njsscan.header_cookie.cookie_session_no_httponly
- ajinabraham.njsscan.header_cookie.cookie_session_no_maxage
- ajinabraham.njsscan.header_cookie.cookie_session_no_path
- ajinabraham.njsscan.header_cookie.cookie_session_no_samesite
- ajinabraham.njsscan.header_cookie.cookie_session_no_secure
- ajinabraham.njsscan.header_cors_star.express_cors
- ajinabraham.njsscan.header_cors_star.generic_cors
- ajinabraham.njsscan.header_helmet_disabled.helmet_feature_disabled
- ajinabraham.njsscan.header_injection.generic_header_injection
- ajinabraham.njsscan.header_xss_protection.header_xss_generic
- ajinabraham.njsscan.header_xss_protection.header_xss_lusca
- ajinabraham.njsscan.host_header_injection.host_header_injection
- ajinabraham.njsscan.jwt_exposed_credentials.jwt_exposed_credentials
- ajinabraham.njsscan.jwt_exposed_data.jwt_exposed_data
- ajinabraham.njsscan.jwt_express_hardcoded.jwt_express_hardcoded
- ajinabraham.njsscan.jwt_hardcoded.hardcoded_jwt_secret
- ajinabraham.njsscan.jwt_none_algorithm.node_jwt_none_algorithm
- ajinabraham.njsscan.jwt_not_revoked.jwt_not_revoked
- ajinabraham.njsscan.layer7_object_dos.layer7_object_dos
- ajinabraham.njsscan.logic_bypass.node_logic_bypass
- ajinabraham.njsscan.nosql_injection.node_nosqli_js_injection
- ajinabraham.njsscan.path_traversal.generic_path_traversal
- ajinabraham.njsscan.regex_dos.regex_dos
- ajinabraham.njsscan.regex_injection.regex_injection_dos
- ajinabraham.njsscan.resolve_path_traversal.join_resolve_path_traversal
- ajinabraham.njsscan.security_electron.electron_allow_http
- ajinabraham.njsscan.security_electron.electron_blink_integration
- ajinabraham.njsscan.security_electron.electron_context_isolation
- ajinabraham.njsscan.security_electron.electron_disable_websecurity
- ajinabraham.njsscan.security_electron.electron_experimental_features
- ajinabraham.njsscan.security_electron.electron_nodejs_integration
- ajinabraham.njsscan.security_electronjs.electron_allow_http
- ajinabraham.njsscan.security_electronjs.electron_blink_integration
- ajinabraham.njsscan.security_electronjs.electron_context_isolation
- ajinabraham.njsscan.security_electronjs.electron_disable_websecurity
- ajinabraham.njsscan.security_electronjs.electron_experimental_features
- ajinabraham.njsscan.security_electronjs.electron_nodejs_integration
- ajinabraham.njsscan.sequelize_tls.sequelize_tls
- ajinabraham.njsscan.sequelize_tls_validation.sequelize_tls_cert_validation
- ajinabraham.njsscan.sequelize_weak_tls.sequelize_weak_tls
- ajinabraham.njsscan.server_side_template_injection.server_side_template_injection
- ajinabraham.njsscan.sql_injection.node_knex_sqli_injection
- ajinabraham.njsscan.sql_injection.node_sqli_injection
- ajinabraham.njsscan.sql_injection_knex.node_knex_sqli_injection
- ajinabraham.njsscan.ssrf_node.node_ssrf
- ajinabraham.njsscan.ssrf_phantomjs.phantom_ssrf
- ajinabraham.njsscan.ssrf_playwright.playwright_ssrf
- ajinabraham.njsscan.ssrf_puppeteer.puppeteer_ssrf
- ajinabraham.njsscan.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf
- ajinabraham.njsscan.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf
- ajinabraham.njsscan.timing_attack_node.node_timing_attack
- ajinabraham.njsscan.tls_node.node_curl_ssl_verify_disable
- ajinabraham.njsscan.tls_node.node_tls_reject
- ajinabraham.njsscan.xml_entity_expansion_dos.node_entity_expansion
- ajinabraham.njsscan.xpathi_node.node_xpath_injection
- ajinabraham.njsscan.xss_mustache_escape.xss_disable_mustache_escape
- ajinabraham.njsscan.xss_node.express_xss
- ajinabraham.njsscan.xss_serialize_js.xss_serialize_javascript
- ajinabraham.njsscan.xss_templates.handlebars_noescape
- ajinabraham.njsscan.xss_templates.handlebars_safestring
- ajinabraham.njsscan.xss_templates.squirrelly_autoescape
- ajinabraham.njsscan.xxe_expat.xxe_expat
- ajinabraham.njsscan.xxe_node.node_xxe
- ajinabraham.njsscan.xxe_sax.xxe_sax
- ajinabraham.njsscan.xxe_xml2json.xxe_xml2json
- contrib.dlint.dlint-equivalent.insecure-commands-use
- contrib.dlint.dlint-equivalent.insecure-compile-use
- contrib.dlint.dlint-equivalent.insecure-cryptography-attribute-use
- contrib.dlint.dlint-equivalent.insecure-dl-use
- contrib.dlint.dlint-equivalent.insecure-duo-client-use
- contrib.dlint.dlint-equivalent.insecure-eval-use
- contrib.dlint.dlint-equivalent.insecure-exec-use
- contrib.dlint.dlint-equivalent.insecure-gl-use
- contrib.dlint.dlint-equivalent.insecure-hashlib-use
- contrib.dlint.dlint-equivalent.insecure-itsdangerous-use
- contrib.dlint.dlint-equivalent.insecure-marshal-use
- contrib.dlint.dlint-equivalent.insecure-onelogin-attribute-use
- contrib.dlint.dlint-equivalent.insecure-os-exec-use
- contrib.dlint.dlint-equivalent.insecure-os-temp-use
- contrib.dlint.dlint-equivalent.insecure-pickle-use
- contrib.dlint.dlint-equivalent.insecure-popen2-use
- contrib.dlint.dlint-equivalent.insecure-pycrypto-use
- contrib.dlint.dlint-equivalent.insecure-requests-use
- contrib.dlint.dlint-equivalent.insecure-shelve-use
- contrib.dlint.dlint-equivalent.insecure-simplexmlrpcserver-use
- contrib.dlint.dlint-equivalent.insecure-ssl-use
- contrib.dlint.dlint-equivalent.insecure-subprocess-use
- contrib.dlint.dlint-equivalent.insecure-tarfile-use
- contrib.dlint.dlint-equivalent.insecure-tempfile-use
- contrib.dlint.dlint-equivalent.insecure-urllib3-connections-use
- contrib.dlint.dlint-equivalent.insecure-urllib3-warnings-use
- contrib.dlint.dlint-equivalent.insecure-xml-use
- contrib.dlint.dlint-equivalent.insecure-xmlsec-attribute-use
- contrib.dlint.dlint-equivalent.insecure-yaml-use
- contrib.dlint.dlint-equivalent.insecure-zipfile-use
- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile
- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm
- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pip
- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv
- generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn
- generic.html-templates.security.var-in-href.var-in-href
- generic.nginx.security.request-host-used.request-host-used
- generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
- javascript.browser.security.raw-html-join.raw-html-join
- javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
- javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect
- javascript.express.security.audit.remote-property-injection.remote-property-injection
- javascript.express.security.audit.res-render-injection.res-render-injection
- javascript.express.security.audit.xss.mustache.var-in-script-tag.var-in-script-tag
- javascript.lang.correctness.no-replaceall.no-replaceall
- javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment
- javascript.lang.security.detect-non-literal-require.detect-non-literal-require
- javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query
- python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
- python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
- typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
- typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property

Other:

