Semgrep Trophy Case

CVEs
CVE Semgrep rule Affected software Description
CVE-2019-5479 javascript.lang.security.detect-non-literal-require larbitbase-api < v0.5.5 An unintended require vulnerability in <v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).
CVE-2020-8128 javascript.lang.security.detect-non-literal-require jsreport < 2.5.0 An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
CVE-2020-8129 javascript.lang.security.detect-non-literal-require script-manager < 0.8.6 An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.
CVE-2020-7739 javascript.phantom.security.audit.phantom-injection phantomjs-seo This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.
CVE-2020-7740 javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection node-pdf-generator This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.
CVE-2020-7749 javascript.puppeteer.security.audit.puppeteer-setcontent-injection osm-static-maps This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page which gives opportunity for XSS or rendered on the server (puppeteer) which also gives opportunity for SSRF and Local File Read.
CVE-2020-8492 contrib.dlint.redos.dlint-catastrophic-redos Python 2.7-2.717, 3.7-3.5.9, 3.6-3.6.10, 3.7-3.7.6, and 3.8-3.8.1 Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-6817 contrib.dlint.redos.dlint-catastrophic-redos Mozilla Bleach < 3.1.4 bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS.
Open Source Contributions
Affected software Semgrep rule Description
Poetry contrib.dlint.redos.dlint-catastrophic-redos This ReDoS occurs due to r"(?:(?P<user>.+)@)*" in both expressions. This is due to nested quantifiers with overlapping character space.
Colorama contrib.dlint.redos.dlint-catastrophic-redos The ReDoS occurs due to '\001?\033\\]((?:.|;)*?)(\x07)\002?'. In particular, this portion of the expression: (?:.|;)*. This is due to mutually inclusive alternation within a quantifier. Since . and ; have character overlap.
Bottle contrib.dlint.redos.dlint-catastrophic-redos A special subject string can be crafted to cause it to catastrophic backtracking. The culprit here is this portion of the expression: ((?:\\\\.|[^\\\\>]+)+)?. Due to mutually inclusive alternation, a long string of dots (.) will backtrack this expression.
Splunk SDK Python contrib.dlint.redos.dlint-catastrophic-redos The finding in internals.py at line 235 occurs due to (?:\\.|""|[^"])+. This is due to mutually inclusive alternation within a quantifier. Since \\. and [^"] have character overlap.
requests-gssapi contrib.dlint.redos.dlint-catastrophic-redos Denial-of-service (DoS) bug in requests_kerberos.kerberos_._negotiate_value. In particular, the (?:.*,)* portion of the regular expression causes catastrophic backtracking. Since "." and "," overlap and there are nested quantifiers we can cause catastrophic backtracking by repeating a comma. This means a server can send a specially crafted header along with an HTTP 401 and cause a DoS on the client.
Open EdX python.requests.security.disabled-cert-validation SSL certifcation is disabled in order to accept self-signed certificates.
RPyC python.lang.correctness.common-mistakes.default-mutable-dict In python, the default values of function parameters are instantiated at function definition time. All calls to that function that use the default value all point to the same global object. Because of this, two instances of Server (initialized without passing in a protocol_config option) actually share the same protocol_config. So modifying one server's config affects the other ones.
CMake python.lang.correctness.common-mistakes.default-mutable-dict ConvertMSBuildXMLToJSON: Fix python mutable default data structure
lte-template-flask python.flask.security.unescaped-template-extension Passing the host parameter to your jinja template in views.py:63. lis_person_name_full comes from request.form.get('lis_person_name_full'). This line may be susceptible to XSS attacks. I went ahead and html-escaped the lis_person_name_full variable in launch.htm.j2 file using the {{value|e}} pattern in Jinja. (https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping). Note that if your template file extensions ended with .html, .htm, .xml, or .xhtml, they would have been automatically html escaped.
netskrafl.is python.flask.security.xss.audit.template-unescaped-with-safe The | safe filter from from_url in the userprefs.html template causes XSS.
pdfcpu go.lang.correctness.useless-eqeq.eqeq-is-bad It looks like this test case in pkg/pdfcpu/image_test.go was intending to compare bb1 with bb2, but it was comparing bb1 twice.