diff --git a/assets/semgrep_rules/generated/nonfree/audit.yaml b/assets/semgrep_rules/generated/nonfree/audit.yaml
index 32b6da75..1ce50111 100644
--- a/assets/semgrep_rules/generated/nonfree/audit.yaml
+++ b/assets/semgrep_rules/generated/nonfree/audit.yaml
@@ -34,8 +34,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUXrw
- version_id: vdTWQA
- url: https://semgrep.dev/playground/r/vdTWQA/bash.curl.security.curl-pipe-bash.curl-pipe-bash
+ version_id: pZT1yLp
+ url: https://semgrep.dev/playground/r/pZT1yLp/bash.curl.security.curl-pipe-bash.curl-pipe-bash
 origin: community
 patterns:
 - pattern-either:
@@ -79,8 +79,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUy9q
- version_id: kbTo7O
- url: https://semgrep.dev/playground/r/kbTo7O/bash.lang.security.ifs-tampering.ifs-tampering
+ version_id: 9lTdW5W
+ url: https://semgrep.dev/playground/r/9lTdW5W/bash.lang.security.ifs-tampering.ifs-tampering
 origin: community
 - id: c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string
 message: Use %s, %d, %c... to format your variables, otherwise this could leak information.
@@ -107,8 +107,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOlg
- version_id: O9TPyd
- url: https://semgrep.dev/playground/r/O9TPyd/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string
+ version_id: xyTKZpQ
+ url: https://semgrep.dev/playground/r/xyTKZpQ/c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string
 origin: community
 languages:
 - c
@@ -139,8 +139,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU7OE
- version_id: e1T6xy
- url: https://semgrep.dev/playground/r/e1T6xy/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn
+ version_id: O9TNOdZ
+ url: https://semgrep.dev/playground/r/O9TNOdZ/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn
 origin: community
 languages:
 - c
@@ -185,8 +185,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UK7D
- version_id: vdTZ2X
- url: https://semgrep.dev/playground/r/vdTZ2X/c.lang.security.insecure-use-memset.insecure-use-memset
+ version_id: e1T013E
+ url: https://semgrep.dev/playground/r/e1T013E/c.lang.security.insecure-use-memset.insecure-use-memset
 origin: community
 - id: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn
 pattern: scanf(...)
@@ -214,8 +214,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUzPd
- version_id: ZRTLwx
- url: https://semgrep.dev/playground/r/ZRTLwx/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn
+ version_id: d6TrAvO
+ url: https://semgrep.dev/playground/r/d6TrAvO/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn
 origin: community
 languages:
 - c
@@ -249,8 +249,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUNjA
- version_id: nWT67k
- url: https://semgrep.dev/playground/r/nWT67k/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn
+ version_id: ZRTQNpR
+ url: https://semgrep.dev/playground/r/ZRTQNpR/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn
 origin: community
 languages:
 - c
@@ -287,8 +287,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUpo5
- version_id: ExT9nX
- url: https://semgrep.dev/playground/r/ExT9nX/c.lang.security.insecure-use-string-copy-fn.insecure-use-string-copy-fn
+ version_id: nWTxPoA
+ url: https://semgrep.dev/playground/r/nWTxPoA/c.lang.security.insecure-use-string-copy-fn.insecure-use-string-copy-fn
 origin: community
 languages:
 - c
@@ -320,8 +320,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUo5v
- version_id: 7ZTLOY
- url: https://semgrep.dev/playground/r/7ZTLOY/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn
+ version_id: ExTjNA3
+ url: https://semgrep.dev/playground/r/ExTjNA3/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn
 origin: community
 languages:
 - c
@@ -369,8 +369,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU5k4
- version_id: LjT10x
- url: https://semgrep.dev/playground/r/LjT10x/c.lang.security.random-fd-exhaustion.random-fd-exhaustion
+ version_id: 7ZTgonl
+ url: https://semgrep.dev/playground/r/7ZTgonl/c.lang.security.random-fd-exhaustion.random-fd-exhaustion
 origin: community
 languages:
 - c
@@ -406,8 +406,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU75E
- version_id: yeT6L5
- url: https://semgrep.dev/playground/r/yeT6L5/contrib.nodejsscan.crypto_node.node_md5
+ version_id: 7ZTgoEl
+ url: https://semgrep.dev/playground/r/7ZTgoEl/contrib.nodejsscan.crypto_node.node_md5
 origin: community
 languages:
 - javascript
@@ -455,8 +455,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUgYx
- version_id: rxT5Y8
- url: https://semgrep.dev/playground/r/rxT5Y8/contrib.nodejsscan.crypto_node.node_sha1
+ version_id: LjTqQkn
+ url: https://semgrep.dev/playground/r/LjTqQkn/contrib.nodejsscan.crypto_node.node_sha1
 origin: community
 languages:
 - javascript
@@ -506,8 +506,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqUlxE
- version_id: xyT4Lo
- url: https://semgrep.dev/playground/r/xyT4Lo/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery
+ version_id: YDTp2kw
+ url: https://semgrep.dev/playground/r/YDTp2kw/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery
 origin: community
 languages:
 - csharp
@@ -562,8 +562,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oUrvj
- version_id: O9Tyje
- url: https://semgrep.dev/playground/r/O9Tyje/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug
+ version_id: JdTNpGG
+ url: https://semgrep.dev/playground/r/JdTNpGG/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug
 origin: community
 languages:
 - generic
@@ -605,8 +605,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUyJq
- version_id: e1TxR6
- url: https://semgrep.dev/playground/r/e1TxR6/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled
+ version_id: 5PTdArE
+ url: https://semgrep.dev/playground/r/5PTdArE/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled
 origin: community
 languages:
 - generic
@@ -652,8 +652,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUxPg
- version_id: 7ZTOgD
- url: https://semgrep.dev/playground/r/7ZTOgD/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings
+ version_id: WrTWQG5
+ url: https://semgrep.dev/playground/r/WrTWQG5/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings
 origin: community
 languages:
 - generic
@@ -720,8 +720,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: bwU5kK
- version_id: gETq3W
- url: https://semgrep.dev/playground/r/gETq3W/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation
+ version_id: YDTp2k5
+ url: https://semgrep.dev/playground/r/YDTp2k5/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation
 origin: community
 languages:
 - csharp
@@ -757,8 +757,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AUOjg
- version_id: 5PT6d9
- url: https://semgrep.dev/playground/r/5PT6d9/csharp.lang.security.injections.os-command.os-command-injection
+ version_id: X0TQxkK
+ url: https://semgrep.dev/playground/r/X0TQxkK/csharp.lang.security.injections.os-command.os-command-injection
 origin: community
 message: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes
@@ -840,8 +840,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUxb0
- version_id: RGTbDR
- url: https://semgrep.dev/playground/r/RGTbDR/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver
+ version_id: 1QTOY3v
+ url: https://semgrep.dev/playground/r/1QTOY3v/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver
 origin: community
 message: Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.
@@ -879,8 +879,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUAwk
- version_id: A8TR9g
- url: https://semgrep.dev/playground/r/A8TR9g/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization
+ version_id: 9lTdWqB
+ url: https://semgrep.dev/playground/r/9lTdWqB/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization
 origin: community
 message: "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"
@@ -924,8 +924,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUlKl
- version_id: GxTwen
- url: https://semgrep.dev/playground/r/GxTwen/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full
+ version_id: rxTyLl5
+ url: https://semgrep.dev/playground/r/rxTyLl5/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full
 origin: community
 message: Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf
@@ -980,8 +980,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUkrK
- version_id: 0bTLrGz
- url: https://semgrep.dev/playground/r/0bTLrGz/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization
+ version_id: bZTb1QG
+ url: https://semgrep.dev/playground/r/bZTb1QG/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization
 origin: community
 message: The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute
@@ -1045,8 +1045,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUGgl
- version_id: qkTN2K
- url: https://semgrep.dev/playground/r/qkTN2K/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization
+ version_id: w8T9n51
+ url: https://semgrep.dev/playground/r/w8T9n51/csharp.lang.security.insecure-deserialization.newtonsoft.insecure-newtonsoft-deserialization
 origin: community
 - id: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span
 severity: WARNING
@@ -1078,8 +1078,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUyEN
- version_id: YDTopx
- url: https://semgrep.dev/playground/r/YDTopx/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span
+ version_id: O9TNOBk
+ url: https://semgrep.dev/playground/r/O9TNOBk/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span
 origin: community
 message: MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.
@@ -1114,8 +1114,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUDBP
- version_id: zyT5Kv
- url: https://semgrep.dev/playground/r/zyT5Kv/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout
+ version_id: d6TrALz
+ url: https://semgrep.dev/playground/r/d6TrALz/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout
 origin: community
 message: 'Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount
@@ -1162,11 +1162,13 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bU2gd
- version_id: pZTr14
- url: https://semgrep.dev/playground/r/pZTr14/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos
+ version_id: ZRTQNWg
+ url: https://semgrep.dev/playground/r/ZRTQNWg/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos
 origin: community
- message: An attacker can then cause a program using a regular expression to enter
- these extreme situations and then hang for a very long time.
+ message: When using `System.Text.RegularExpressions` to process untrusted input,
+ pass a timeout. A malicious user can provide input to `RegularExpressions` that
+ abuses the backtracking behaviour of this regular expression engine. This will
+ lead to excessive CPU usage, causing a Denial-of-Service attack
 patterns:
 - pattern-inside: |
 using System.Text.RegularExpressions;
@@ -1286,8 +1288,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UxeP
- version_id: RGTvL8
- url: https://semgrep.dev/playground/r/RGTvL8/csharp.lang.security.sqli.csharp-sqli.csharp-sqli
+ version_id: nWTxPkZ
+ url: https://semgrep.dev/playground/r/nWTxPkZ/csharp.lang.security.sqli.csharp-sqli.csharp-sqli
 origin: community
 languages:
 - csharp
@@ -1321,8 +1323,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10UdbE
- version_id: X0TPQ1
- url: https://semgrep.dev/playground/r/X0TPQ1/csharp.lang.security.ssrf.http-client.ssrf
+ version_id: ExTjN6q
+ url: https://semgrep.dev/playground/r/ExTjN6q/csharp.lang.security.ssrf.http-client.ssrf
 origin: community
 message: SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
@@ -1396,8 +1398,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AURoq
- version_id: jQTKgW
- url: https://semgrep.dev/playground/r/jQTKgW/csharp.lang.security.ssrf.rest-client.ssrf
+ version_id: 7ZTgoPx
+ url: https://semgrep.dev/playground/r/7ZTgoPx/csharp.lang.security.ssrf.rest-client.ssrf
 origin: community
 message: SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
@@ -1449,8 +1451,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyUPBe
- version_id: 1QTjO6
- url: https://semgrep.dev/playground/r/1QTjO6/csharp.lang.security.ssrf.web-client.ssrf
+ version_id: LjTqQBz
+ url: https://semgrep.dev/playground/r/LjTqQBz/csharp.lang.security.ssrf.web-client.ssrf
 origin: community
 message: SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
@@ -1543,8 +1545,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6UwoG
- version_id: 9lTzdp
- url: https://semgrep.dev/playground/r/9lTzdp/csharp.lang.security.ssrf.web-request.ssrf
+ version_id: 8KTQ9nK
+ url: https://semgrep.dev/playground/r/8KTQ9nK/csharp.lang.security.ssrf.web-request.ssrf
 origin: community
 message: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that
@@ -1614,8 +1616,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU6Dv
- version_id: yeTXRK
- url: https://semgrep.dev/playground/r/yeTXRK/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure
+ version_id: gET3x0x
+ url: https://semgrep.dev/playground/r/gET3x0x/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure
 origin: community
 languages:
 - csharp
@@ -1657,8 +1659,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUzPw
- version_id: kbT7dG
- url: https://semgrep.dev/playground/r/kbT7dG/csharp.razor.security.html-raw-json.html-raw-json
+ version_id: PkTJ1be
+ url: https://semgrep.dev/playground/r/PkTJ1be/csharp.razor.security.html-raw-json.html-raw-json
 origin: community
 paths:
 include:
@@ -1712,8 +1714,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReU2n5
- version_id: w8T39L
- url: https://semgrep.dev/playground/r/w8T39L/dockerfile.security.last-user-is-root.last-user-is-root
+ version_id: e1T01GL
+ url: https://semgrep.dev/playground/r/e1T01GL/dockerfile.security.last-user-is-root.last-user-is-root
 origin: community
 - id: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
 patterns:
@@ -1756,8 +1758,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUW9E
- version_id: xyT4Ko
- url: https://semgrep.dev/playground/r/xyT4Ko/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+ version_id: vdTYNBn
+ url: https://semgrep.dev/playground/r/vdTYNBn/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
 origin: community
 - id: dockerfile.security.missing-user.missing-user
 patterns:
@@ -1800,8 +1802,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUN06
- version_id: O9TyNe
- url: https://semgrep.dev/playground/r/O9TyNe/dockerfile.security.missing-user.missing-user
+ version_id: d6TrApz
+ url: https://semgrep.dev/playground/r/d6TrApz/dockerfile.security.missing-user.missing-user
 origin: community
 - id: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
 patterns:
@@ -1834,8 +1836,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUlx1
- version_id: qkT25pY
- url: https://semgrep.dev/playground/r/qkT25pY/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
+ version_id: ZRTQNXg
+ url: https://semgrep.dev/playground/r/ZRTQNXg/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile
 origin: community
 languages:
 - dockerfile
@@ -1865,8 +1867,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxUJrJ
- version_id: d6TDrR
- url: https://semgrep.dev/playground/r/d6TDrR/generic.ci.security.bash-reverse-shell.bash_reverse_shell
+ version_id: PkTJ1nv
+ url: https://semgrep.dev/playground/r/PkTJ1nv/generic.ci.security.bash-reverse-shell.bash_reverse_shell
 origin: community
 message: Semgrep found a bash reverse shell
 severity: ERROR
@@ -1919,8 +1921,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1UyO5
- version_id: LjT072
- url: https://semgrep.dev/playground/r/LjT072/generic.dockerfile.security.last-user-is-root.last-user-is-root
+ version_id: qkT2xK0
+ url: https://semgrep.dev/playground/r/qkT2xK0/generic.dockerfile.security.last-user-is-root.last-user-is-root
 origin: community
 - id: generic.nginx.security.alias-path-traversal.alias-path-traversal
 patterns:
@@ -1979,8 +1981,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOjq
- version_id: K3TvbXW
- url: https://semgrep.dev/playground/r/K3TvbXW/generic.nginx.security.alias-path-traversal.alias-path-traversal
+ version_id: 2KTzrAQ
+ url: https://semgrep.dev/playground/r/2KTzrAQ/generic.nginx.security.alias-path-traversal.alias-path-traversal
 origin: community
 - id: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
 paths:
@@ -2020,8 +2022,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU7yl
- version_id: PkTYDx
- url: https://semgrep.dev/playground/r/PkTYDx/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
+ version_id: X0TQxo8
+ url: https://semgrep.dev/playground/r/X0TQxo8/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host
 origin: community
 pattern-either:
 - pattern: proxy_pass $SCHEME://$$HOST ...;
@@ -2063,8 +2065,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUg7n
- version_id: JdTq5o
- url: https://semgrep.dev/playground/r/JdTq5o/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme
+ version_id: jQTgYLq
+ url: https://semgrep.dev/playground/r/jQTgYLq/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme
 origin: community
 pattern: proxy_pass $$SCHEME:// ...;
 - id: generic.nginx.security.header-injection.header-injection
@@ -2112,8 +2114,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUz8p
- version_id: 5PT6k9
- url: https://semgrep.dev/playground/r/5PT6k9/generic.nginx.security.header-injection.header-injection
+ version_id: 1QTOY0e
+ url: https://semgrep.dev/playground/r/1QTOY0e/generic.nginx.security.header-injection.header-injection
 origin: community
 - id: generic.nginx.security.header-redefinition.header-redefinition
 patterns:
@@ -2168,8 +2170,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUN58
- version_id: GxT2j6
- url: https://semgrep.dev/playground/r/GxT2j6/generic.nginx.security.header-redefinition.header-redefinition
+ version_id: 9lTdWER
+ url: https://semgrep.dev/playground/r/9lTdWER/generic.nginx.security.header-redefinition.header-redefinition
 origin: community
 - id: generic.nginx.security.insecure-redirect.insecure-redirect
 patterns:
@@ -2215,8 +2217,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUpJe
- version_id: e1T0Lzk
- url: https://semgrep.dev/playground/r/e1T0Lzk/generic.nginx.security.insecure-redirect.insecure-redirect
+ version_id: yeTR2QA
+ url: https://semgrep.dev/playground/r/yeTR2QA/generic.nginx.security.insecure-redirect.insecure-redirect
 origin: community
 - id: generic.nginx.security.insecure-ssl-version.insecure-ssl-version
 patterns:
@@ -2262,8 +2264,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUo9k
- version_id: A8TRkg
- url: https://semgrep.dev/playground/r/A8TRkg/generic.nginx.security.insecure-ssl-version.insecure-ssl-version
+ version_id: rxTyLbD
+ url: https://semgrep.dev/playground/r/rxTyLbD/generic.nginx.security.insecure-ssl-version.insecure-ssl-version
 origin: community
 - id: generic.nginx.security.missing-ssl-version.missing-ssl-version
 patterns:
@@ -2307,8 +2309,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUbeA
- version_id: DkTQqw
- url: https://semgrep.dev/playground/r/DkTQqw/generic.nginx.security.missing-ssl-version.missing-ssl-version
+ version_id: NdT3d5q
+ url: https://semgrep.dev/playground/r/NdT3d5q/generic.nginx.security.missing-ssl-version.missing-ssl-version
 origin: community
 - id: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling
 patterns:
@@ -2374,8 +2376,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JUq0Z
- version_id: WrTbOG
- url: https://semgrep.dev/playground/r/WrTbOG/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling
+ version_id: kbTdxrx
+ url: https://semgrep.dev/playground/r/kbTdxrx/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling
 origin: community
 - id: generic.nginx.security.request-host-used.request-host-used
 pattern-either:
@@ -2418,8 +2420,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUjGg
- version_id: 0bTvyq
- url: https://semgrep.dev/playground/r/0bTvyq/generic.nginx.security.request-host-used.request-host-used
+ version_id: w8T9n4D
+ url: https://semgrep.dev/playground/r/w8T9n4D/generic.nginx.security.request-host-used.request-host-used
 origin: community
 - id: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token
 pattern-regex: amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
@@ -2454,8 +2456,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU9bw
- version_id: 44TozP
- url: https://semgrep.dev/playground/r/44TozP/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token
+ version_id: ExTjNPp
+ url: https://semgrep.dev/playground/r/ExTjNPp/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token
 origin: community
 - id: generic.secrets.security.detected-artifactory-password.detected-artifactory-password
 patterns:
@@ -2511,8 +2513,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUR5K
- version_id: l4T4Wp7
- url: https://semgrep.dev/playground/r/l4T4Wp7/generic.secrets.security.detected-artifactory-password.detected-artifactory-password
+ version_id: 7ZTgoqQ
+ url: https://semgrep.dev/playground/r/7ZTgoqQ/generic.secrets.security.detected-artifactory-password.detected-artifactory-password
 origin: community
 - id: generic.secrets.security.detected-artifactory-token.detected-artifactory-token
 patterns:
@@ -2564,8 +2566,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JUj3l
- version_id: o5TgkA8
- url: https://semgrep.dev/playground/r/o5TgkA8/generic.secrets.security.detected-artifactory-token.detected-artifactory-token
+ version_id: LjTqQD4
+ url: https://semgrep.dev/playground/r/LjTqQD4/generic.secrets.security.detected-artifactory-token.detected-artifactory-token
 origin: community
 - id: generic.secrets.security.detected-aws-account-id.detected-aws-account-id
 patterns:
@@ -2633,8 +2635,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdUkdd
- version_id: GxT20A
- url: https://semgrep.dev/playground/r/GxT20A/generic.secrets.security.detected-aws-account-id.detected-aws-account-id
+ version_id: gET3xGg
+ url: https://semgrep.dev/playground/r/gET3xGg/generic.secrets.security.detected-aws-account-id.detected-aws-account-id
 origin: community
 - id: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key
 pattern-regex: da2-[a-z0-9]{26}
@@ -2669,8 +2671,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: pKUOoZ
- version_id: RGTbP5
- url: https://semgrep.dev/playground/r/RGTbP5/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key
+ version_id: QkTW0ln
+ url: https://semgrep.dev/playground/r/QkTW0ln/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key
 origin: community
 - id: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key
 patterns:
@@ -2707,8 +2709,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 2ZUbe8
- version_id: PkTL4v
- url: https://semgrep.dev/playground/r/PkTL4v/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key
+ version_id: 3ZTkQD3
+ url: https://semgrep.dev/playground/r/3ZTkQD3/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key
 origin: community
 - id: generic.secrets.security.detected-aws-session-token.detected-aws-session-token
 patterns:
@@ -2748,8 +2750,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: X5U8Er
- version_id: BjTEBE
- url: https://semgrep.dev/playground/r/BjTEBE/generic.secrets.security.detected-aws-session-token.detected-aws-session-token
+ version_id: 44TRlWe
+ url: https://semgrep.dev/playground/r/44TRlWe/generic.secrets.security.detected-aws-session-token.detected-aws-session-token
 origin: community
 - id: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash
 pattern-regex: "\\$2[aby]?\\$[\\d]+\\$[./A-Za-z0-9]{53}"
@@ -2783,8 +2785,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUk0Q
- version_id: DkTQW8
- url: https://semgrep.dev/playground/r/DkTQW8/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash
+ version_id: PkTJ1qQ
+ url: https://semgrep.dev/playground/r/PkTJ1qQ/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash
 origin: community
 - id: generic.secrets.security.detected-codeclimate.detected-codeclimate
 pattern-regex: (?i)codeclima.{0,50}["|'|`]?[0-9a-f]{64}["|'|`]?
@@ -2819,8 +2821,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UvW7
- version_id: WrTbZr
- url: https://semgrep.dev/playground/r/WrTbZr/generic.secrets.security.detected-codeclimate.detected-codeclimate
+ version_id: JdTNpAp
+ url: https://semgrep.dev/playground/r/JdTNpAp/generic.secrets.security.detected-codeclimate.detected-codeclimate
 origin: community
 - id: generic.secrets.security.detected-etc-shadow.detected-etc-shadow
 pattern-regex: root:[x!*]*:[0-9]*:[0-9]*
@@ -2853,8 +2855,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUP6p
- version_id: 0bTvJx
- url: https://semgrep.dev/playground/r/0bTvJx/generic.secrets.security.detected-etc-shadow.detected-etc-shadow
+ version_id: 5PTdA0e
+ url: https://semgrep.dev/playground/r/5PTdA0e/generic.secrets.security.detected-etc-shadow.detected-etc-shadow
 origin: community
 - id: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token
 pattern-either:
@@ -2892,8 +2894,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10UKBL
- version_id: K3TlYv
- url: https://semgrep.dev/playground/r/K3TlYv/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token
+ version_id: GxTv65k
+ url: https://semgrep.dev/playground/r/GxTv65k/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token
 origin: community
 - id: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth
 pattern-regex: '[fF][aA][cC][eE][bB][oO][oO][kK].*[tT][oO][kK][eE][nN].*[''|"]?[0-9a-f]{32}[''|"]?'
@@ -2928,8 +2930,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AU127
- version_id: qkTNb5
- url: https://semgrep.dev/playground/r/qkTNb5/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth
+ version_id: RGTDkYp
+ url: https://semgrep.dev/playground/r/RGTDkYp/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth
 origin: community
 - id: generic.secrets.security.detected-generic-api-key.detected-generic-api-key
 patterns:
@@ -2967,8 +2969,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyUn8p
- version_id: GxTv0Op
- url: https://semgrep.dev/playground/r/GxTv0Op/generic.secrets.security.detected-generic-api-key.detected-generic-api-key
+ version_id: A8T951E
+ url: https://semgrep.dev/playground/r/A8T951E/generic.secrets.security.detected-generic-api-key.detected-generic-api-key
 origin: community
 - id: generic.secrets.security.detected-generic-secret.detected-generic-secret
 patterns:
@@ -3006,8 +3008,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6Urqe
- version_id: 9lTdJ3x
- url: https://semgrep.dev/playground/r/9lTdJ3x/generic.secrets.security.detected-generic-secret.detected-generic-secret
+ version_id: BjTXrOJ
+ url: https://semgrep.dev/playground/r/BjTXrOJ/generic.secrets.security.detected-generic-secret.detected-generic-secret
 origin: community
 - id: generic.secrets.security.detected-github-token.detected-github-token
 patterns:
@@ -3058,8 +3060,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqUv7b
- version_id: 6xTe6q
- url: https://semgrep.dev/playground/r/6xTe6q/generic.secrets.security.detected-github-token.detected-github-token
+ version_id: DkT6n47
+ url: https://semgrep.dev/playground/r/DkT6n47/generic.secrets.security.detected-github-token.detected-github-token
 origin: community
 - id: generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
 pattern-regex: (("|'|`)?type("|'|`)?\s{0,50}(:|=>|=)\s{0,50}("|'|`)?service_account("|'|`)?,?)
@@ -3094,8 +3096,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUkL8
- version_id: pZTrwz
- url: https://semgrep.dev/playground/r/pZTrwz/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
+ version_id: K3TvjBP
+ url: https://semgrep.dev/playground/r/K3TvjBP/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
 origin: community
 - id: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token
 pattern-regex: ya29\.[0-9A-Za-z\-_]+
@@ -3130,8 +3132,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUkpo
- version_id: 2KT1K7
- url: https://semgrep.dev/playground/r/2KT1K7/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token
+ version_id: qkT2xzr
+ url: https://semgrep.dev/playground/r/qkT2xzr/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token
 origin: community
 - id: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key
 pattern-regex: "[hH][eE][rR][oO][kK][uU].*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
@@ -3166,8 +3168,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UnOB
- version_id: jQTKRz
- url: https://semgrep.dev/playground/r/jQTKRz/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key
+ version_id: YDTp2jG
+ url: https://semgrep.dev/playground/r/YDTp2jG/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key
 origin: community
 - id: generic.secrets.security.detected-hockeyapp.detected-hockeyapp
 pattern-regex: (?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?
@@ -3202,8 +3204,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrU3zo
- version_id: 1QTjeY
- url: https://semgrep.dev/playground/r/1QTjeY/generic.secrets.security.detected-hockeyapp.detected-hockeyapp
+ version_id: 6xTvJOO
+ url: https://semgrep.dev/playground/r/6xTvJOO/generic.secrets.security.detected-hockeyapp.detected-hockeyapp
 origin: community
 - id: generic.secrets.security.detected-jwt-token.detected-jwt-token
 pattern-regex: eyJ[A-Za-z0-9-_=]{14,}\.[A-Za-z0-9-_=]{13,}\.?[A-Za-z0-9-_.+/=]*?
@@ -3236,8 +3238,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxU8E8
- version_id: 9lTzk5
- url: https://semgrep.dev/playground/r/9lTzk5/generic.secrets.security.detected-jwt-token.detected-jwt-token
+ version_id: o5Tgljp
+ url: https://semgrep.dev/playground/r/o5Tgljp/generic.secrets.security.detected-jwt-token.detected-jwt-token
 origin: community
 - id: generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key
 pattern-regex: k2sk_v[0-9]_[0-9a-zA-Z]{24}
@@ -3271,8 +3273,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDULYW
- version_id: yeTXyx
- url: https://semgrep.dev/playground/r/yeTXyx/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key
+ version_id: zyTK8vw
+ url: https://semgrep.dev/playground/r/zyTK8vw/generic.secrets.security.detected-kolide-api-key.detected-kolide-api-key
 origin: community
 - id: generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key
 pattern-regex: "[0-9a-f]{32}-us[0-9]{1,2}"
@@ -3307,8 +3309,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU8QR
- version_id: rxTx91
- url: https://semgrep.dev/playground/r/rxTx91/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key
+ version_id: pZT1yv8
+ url: https://semgrep.dev/playground/r/pZT1yv8/generic.secrets.security.detected-mailchimp-api-key.detected-mailchimp-api-key
 origin: community
 - id: generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key
 pattern-regex: key-[0-9a-zA-Z]{32}
@@ -3343,8 +3345,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UneY
- version_id: bZTGNE
- url: https://semgrep.dev/playground/r/bZTGNE/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key
+ version_id: 2KTzrBe
+ url: https://semgrep.dev/playground/r/2KTzrBe/generic.secrets.security.detected-mailgun-api-key.detected-mailgun-api-key
 origin: community
 - id: generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token
 patterns:
@@ -3386,8 +3388,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rU4pe
- version_id: NdT1YG
- url: https://semgrep.dev/playground/r/NdT1YG/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token
+ version_id: X0TQxXD
+ url: https://semgrep.dev/playground/r/X0TQxXD/generic.secrets.security.detected-npm-registry-auth-token.detected-npm-registry-auth-token
 origin: community
 - id: generic.secrets.security.detected-outlook-team.detected-outlook-team
 pattern-regex: https://outlook\.office\.com/webhook/[0-9a-f-]{36}
@@ -3422,8 +3424,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UjXq
- version_id: w8T3Gy
- url: https://semgrep.dev/playground/r/w8T3Gy/generic.secrets.security.detected-outlook-team.detected-outlook-team
+ version_id: jQTgYAP
+ url: https://semgrep.dev/playground/r/jQTgYAP/generic.secrets.security.detected-outlook-team.detected-outlook-team
 origin: community
 - id: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
 pattern-regex: access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32}
@@ -3459,8 +3461,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqU507
- version_id: xyT423
- url: https://semgrep.dev/playground/r/xyT423/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
+ version_id: 1QTOYA1
+ url: https://semgrep.dev/playground/r/1QTOYA1/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token
 origin: community
 - id: generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block
 pattern-regex: "-----BEGIN PGP PRIVATE KEY BLOCK-----"
@@ -3496,8 +3498,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUzXz
- version_id: O9TyD4
- url: https://semgrep.dev/playground/r/O9TyD4/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block
+ version_id: 9lTdWYP
+ url: https://semgrep.dev/playground/r/9lTdWYP/generic.secrets.security.detected-pgp-private-key-block.detected-pgp-private-key-block
 origin: community
 - id: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key
 pattern-regex: sk_live_[0-9a-z]{32}
@@ -3532,8 +3534,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU274
- version_id: e1Txpw
- url: https://semgrep.dev/playground/r/e1Txpw/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key
+ version_id: yeTR291
+ url: https://semgrep.dev/playground/r/yeTR291/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key
 origin: community
 - id: generic.secrets.security.detected-private-key.detected-private-key
 patterns:
@@ -3581,8 +3583,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUQ0p
- version_id: vdT2jK
- url: https://semgrep.dev/playground/r/vdT2jK/generic.secrets.security.detected-private-key.detected-private-key
+ version_id: rxTyLRv
+ url: https://semgrep.dev/playground/r/rxTyLRv/generic.secrets.security.detected-private-key.detected-private-key
 origin: community
 - id: generic.secrets.security.detected-sauce-token.detected-sauce-token
 pattern-regex: (?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f-]{36}(\\\"|'|`)?
@@ -3617,8 +3619,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1UyZ5
- version_id: d6TDlN
- url: https://semgrep.dev/playground/r/d6TDlN/generic.secrets.security.detected-sauce-token.detected-sauce-token
+ version_id: bZTb1D3
+ url: https://semgrep.dev/playground/r/bZTb1D3/generic.secrets.security.detected-sauce-token.detected-sauce-token
 origin: community
 - id: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key
 pattern-regex: SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9-]{43}\b
@@ -3653,8 +3655,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8U2EG
- version_id: ZRTwg1
- url: https://semgrep.dev/playground/r/ZRTwg1/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key
+ version_id: NdT3d0j
+ url: https://semgrep.dev/playground/r/NdT3d0j/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key
 origin: community
 - id: generic.secrets.security.detected-slack-token.detected-slack-token
 pattern-either:
@@ -3691,8 +3693,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUjRA
- version_id: nWT7r1
- url: https://semgrep.dev/playground/r/nWT7r1/generic.secrets.security.detected-slack-token.detected-slack-token
+ version_id: kbTdx0X
+ url: https://semgrep.dev/playground/r/kbTdx0X/generic.secrets.security.detected-slack-token.detected-slack-token
 origin: community
 - id: generic.secrets.security.detected-slack-webhook.detected-slack-webhook
 pattern-regex: https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24}
@@ -3727,8 +3729,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxU1dy
- version_id: ExTnQL
- url: https://semgrep.dev/playground/r/ExTnQL/generic.secrets.security.detected-slack-webhook.detected-slack-webhook
+ version_id: w8T9ndZ
+ url: https://semgrep.dev/playground/r/w8T9ndZ/generic.secrets.security.detected-slack-webhook.detected-slack-webhook
 origin: community
 - id: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key
 pattern-regex: (?i)snyk.{0,50}['|"|`]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"\s]?
@@ -3762,8 +3764,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUD9J
- version_id: 7ZTOpG
- url: https://semgrep.dev/playground/r/7ZTOpG/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key
+ version_id: xyTKZyY
+ url: https://semgrep.dev/playground/r/xyTKZyY/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key
 origin: community
 - id: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key
 pattern-regex: (?i)softlayer.{0,50}["|'|`]?[a-z0-9]{64}["|'|`]?
@@ -3798,8 +3800,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqUplZ
- version_id: LjT0rO
- url: https://semgrep.dev/playground/r/LjT0rO/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key
+ version_id: O9TNOKy
+ url: https://semgrep.dev/playground/r/O9TNOKy/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key
 origin: community
 - id: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
 pattern-regex: (?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?
@@ -3807,6 +3809,19 @@ rules:
 - regex
 message: SonarQube Docs API Key detected
 severity: ERROR
+ paths:
+ exclude:
+ - "*.svg"
+ - "*go.sum"
+ - "*cargo.lock"
+ - "*package.json"
+ - "*yarn.lock"
+ - "*package-lock.json"
+ - "*bundle.js"
+ - "*pnpm-lock*"
+ - "*Podfile.lock"
+ - "*/openssl/*.h"
+ - "*.xcscmblueprint"
 metadata:
 cwe:
 - 'CWE-798: Use of Hard-coded Credentials'
@@ -3834,42 +3849,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUzP1
- version_id: 8KTbxR
- url: https://semgrep.dev/playground/r/8KTbxR/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
- origin: community
-- id: generic.secrets.security.detected-sql-dump.detected-sql-dump
- pattern-regex: Dumping data for table `.*`
- languages:
- - regex
- message: SQL dump detected
- severity: ERROR
- metadata:
- cwe:
- - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
- category: security
- technology:
- - secrets
- - sql
- confidence: LOW
- owasp:
- - A01:2021 - Broken Access Control
- references:
- - https://owasp.org/Top10/A01_2021-Broken_Access_Control
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: MEDIUM
- license: Commons Clause License Condition v1.0[LGPL-2.1-only]
- vulnerability_class:
- - Mishandled Sensitive Information
- source: https://semgrep.dev/r/generic.secrets.security.detected-sql-dump.detected-sql-dump
- shortlink: https://sg.run/J3eR
- semgrep.dev:
- rule:
- rule_id: GdU0zk
- version_id: gETqYK
- url: https://semgrep.dev/playground/r/gETqYK/generic.secrets.security.detected-sql-dump.detected-sql-dump
+ version_id: e1T01Xd
+ url: https://semgrep.dev/playground/r/e1T01Xd/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key
 origin: community
 - id: generic.secrets.security.detected-square-access-token.detected-square-access-token
 pattern-regex: sq0atp-[0-9A-Za-z\-_]{22}
@@ -3904,8 +3885,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qUPqO
- version_id: QkTJpx
- url: https://semgrep.dev/playground/r/QkTJpx/generic.secrets.security.detected-square-access-token.detected-square-access-token
+ version_id: vdTYNxW
+ url: https://semgrep.dev/playground/r/vdTYNxW/generic.secrets.security.detected-square-access-token.detected-square-access-token
 origin: community
 - id: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret
 pattern-regex: sq0csp-[0-9A-Za-z\\\-_]{43}
@@ -3940,8 +3921,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUk4l
- version_id: 3ZTdE0
- url: https://semgrep.dev/playground/r/3ZTdE0/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret
+ version_id: d6TrA5w
+ url: https://semgrep.dev/playground/r/d6TrA5w/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret
 origin: community
 - id: generic.secrets.security.detected-ssh-password.detected-ssh-password
 pattern-regex: sshpass -p.*['|\\\"]
@@ -3976,8 +3957,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUZ4d
- version_id: 44To2P
- url: https://semgrep.dev/playground/r/44To2P/generic.secrets.security.detected-ssh-password.detected-ssh-password
+ version_id: ZRTQNvQ
+ url: https://semgrep.dev/playground/r/ZRTQNvQ/generic.secrets.security.detected-ssh-password.detected-ssh-password
 origin: community
 - id: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key
 pattern-regex: sk_live_[0-9a-zA-Z]{24}
@@ -4012,8 +3993,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUy0z
- version_id: PkTYBG
- url: https://semgrep.dev/playground/r/PkTYBG/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key
+ version_id: nWTxP1O
+ url: https://semgrep.dev/playground/r/nWTxP1O/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key
 origin: community
 - id: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key
 pattern-regex: rk_live_[0-9a-zA-Z]{24}
@@ -4048,8 +4029,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOWq
- version_id: JdTqQx
- url: https://semgrep.dev/playground/r/JdTqQx/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key
+ version_id: ExTjN3p
+ url: https://semgrep.dev/playground/r/ExTjN3p/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key
 origin: community
 - id: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key
 patterns:
@@ -4087,8 +4068,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU7Nl
- version_id: 5PT68z
- url: https://semgrep.dev/playground/r/5PT68z/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key
+ version_id: 7ZTgojQ
+ url: https://semgrep.dev/playground/r/7ZTgojQ/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key
 origin: community
 - id: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key
 pattern-regex: SK[0-9a-fA-F]{32}
@@ -4123,82 +4104,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUgJn
- version_id: GxT2ZA
- url: https://semgrep.dev/playground/r/GxT2ZA/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key
- origin: community
-- id: generic.secrets.security.detected-twitter-access-token.detected-twitter-access-token
- pattern-regex: "[tT][wW][iI][tT][tT][eE][rR].*[1-9][0-9]+-[0-9a-zA-Z]{40}"
- languages:
- - regex
- message: Twitter Access Token detected
- severity: ERROR
- metadata:
- cwe:
- - 'CWE-798: Use of Hard-coded Credentials'
- source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
- category: security
- technology:
- - secrets
- - twitter
- confidence: LOW
- owasp:
- - A07:2021 - Identification and Authentication Failures
- references:
- - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: MEDIUM
- license: Commons Clause License Condition v1.0[LGPL-2.1-only]
- vulnerability_class:
- - Hard-coded Secrets
- source: https://semgrep.dev/r/generic.secrets.security.detected-twitter-access-token.detected-twitter-access-token
- shortlink: https://sg.run/7oR4
- semgrep.dev:
- rule:
- rule_id: AbUzDp
- version_id: RGTbo5
- url: https://semgrep.dev/playground/r/RGTbo5/generic.secrets.security.detected-twitter-access-token.detected-twitter-access-token
- origin: community
-- id: generic.secrets.security.detected-twitter-oauth.detected-twitter-oauth
- patterns:
- - pattern-regex: '[tT][wW][iI][tT][tT][eE][rR].*[''|"]?[0-9a-zA-Z]{35,44}[''|"]?'
- - pattern-not-regex: '[tT][wW][iI][tT][tT][eE][rR].*hash.*=.*[''|"]?[0-9a-zA-Z]{35,44}[''|"]?'
- languages:
- - regex
- message: Twitter OAuth detected
- severity: ERROR
- metadata:
- cwe:
- - 'CWE-798: Use of Hard-coded Credentials'
- source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
- category: security
- technology:
- - secrets
- - twitter
- confidence: LOW
- owasp:
- - A07:2021 - Identification and Authentication Failures
- references:
- - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: MEDIUM
- license: Commons Clause License Condition v1.0[LGPL-2.1-only]
- vulnerability_class:
- - Hard-coded Secrets
- source: https://semgrep.dev/r/generic.secrets.security.detected-twitter-oauth.detected-twitter-oauth
- shortlink: https://sg.run/Lwb7
- semgrep.dev:
- rule:
- rule_id: BYUNq8
- version_id: A8TRG6
- url: https://semgrep.dev/playground/r/A8TRG6/generic.secrets.security.detected-twitter-oauth.detected-twitter-oauth
+ version_id: LjTqQo4
+ url: https://semgrep.dev/playground/r/LjTqQo4/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key
 origin: community
 - id: generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak
 patterns:
@@ -4233,8 +4140,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU3kN
- version_id: DkTQK8
- url: https://semgrep.dev/playground/r/DkTQK8/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak
+ version_id: gET3xog
+ url: https://semgrep.dev/playground/r/gET3xog/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak
 origin: community
 - id: generic.unicode.security.bidi.contains-bidirectional-characters
 patterns:
@@ -4278,8 +4185,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UeX4
- version_id: WrTbPr
- url: https://semgrep.dev/playground/r/WrTbPr/generic.unicode.security.bidi.contains-bidirectional-characters
+ version_id: QkTW0jn
+ url: https://semgrep.dev/playground/r/QkTW0jn/generic.unicode.security.bidi.contains-bidirectional-characters
 origin: community
 languages:
 - bash
@@ -4340,8 +4247,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUj6g
- version_id: l4T58r
- url: https://semgrep.dev/playground/r/l4T58r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly
+ version_id: A8T95ZE
+ url: https://semgrep.dev/playground/r/A8T95ZE/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly
 origin: community
 fix-regex:
 regex: "(HttpOnly\\s*:\\s+)false"
@@ -4388,8 +4295,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU9kw
- version_id: YDToDR
- url: https://semgrep.dev/playground/r/YDToDR/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure
+ version_id: BjTXrnJ
+ url: https://semgrep.dev/playground/r/BjTXrnJ/go.gorilla.security.audit.session-cookie-missing-secure.session-cookie-missing-secure
 origin: community
 fix-regex:
 regex: "(Secure\\s*:\\s+)false"
@@ -4443,8 +4350,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUKdz
- version_id: JdTqLP
- url: https://semgrep.dev/playground/r/JdTqLP/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check
+ version_id: DkT6nZ7
+ url: https://semgrep.dev/playground/r/DkT6nZ7/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check
 origin: community
 - id: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection
 metadata:
@@ -4470,8 +4377,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUZ4X
- version_id: GxT2rr
- url: https://semgrep.dev/playground/r/GxT2rr/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection
+ version_id: 0bTLlY6
+ url: https://semgrep.dev/playground/r/0bTLlY6/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection
 origin: community
 message: 'Found an insecure gRPC connection using ''grpc.WithInsecure()''. This creates a connection without encryption to a gRPC server. A malicious attacker
@@ -4510,8 +4417,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUy0B
- version_id: RGTb3q
- url: https://semgrep.dev/playground/r/RGTb3q/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection
+ version_id: K3Tvj6P
+ url: https://semgrep.dev/playground/r/K3Tvj6P/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection
 origin: community
 message: Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker
@@ -4565,8 +4472,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUgJJ
- version_id: A8TRQ3
- url: https://semgrep.dev/playground/r/A8TRQ3/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified
+ version_id: qkT2xPr
+ url: https://semgrep.dev/playground/r/qkT2xPr/go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified
 origin: community
 languages:
 - go
@@ -4606,8 +4513,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOWQ
- version_id: BjTEdK
- url: https://semgrep.dev/playground/r/BjTEdK/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm
+ version_id: l4T4vA3
+ url: https://semgrep.dev/playground/r/l4T4vA3/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm
 origin: community
 languages:
 - go
@@ -4650,8 +4557,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyUnov
- version_id: 0bTv2e
- url: https://semgrep.dev/playground/r/0bTv2e/go.lang.security.audit.crypto.bad_imports.insecure-module-used
+ version_id: l4T4vAR
+ url: https://semgrep.dev/playground/r/l4T4vAR/go.lang.security.audit.crypto.bad_imports.insecure-module-used
 origin: community
 languages:
 - go
@@ -4694,8 +4601,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6UrW9
- version_id: K3Tl7K
- url: https://semgrep.dev/playground/r/K3Tl7K/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key
+ version_id: YDTp2K7
+ url: https://semgrep.dev/playground/r/YDTp2K7/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key
 origin: community
 languages:
 - go
@@ -4731,8 +4638,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UjY3
- version_id: X0TPdG
- url: https://semgrep.dev/playground/r/X0TPdG/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key
+ version_id: 9lTdWGe
+ url: https://semgrep.dev/playground/r/9lTdWGe/go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key
 origin: community
 patterns:
 - pattern-either:
@@ -4807,8 +4714,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: pKUOZ9
- version_id: jQTK3e
- url: https://semgrep.dev/playground/r/jQTK3e/go.lang.security.audit.dangerous-command-write.dangerous-command-write
+ version_id: yeTR24B
+ url: https://semgrep.dev/playground/r/yeTR24B/go.lang.security.audit.dangerous-command-write.dangerous-command-write
 origin: community
 - id: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd
 patterns:
@@ -4907,8 +4814,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 2ZUb8l
- version_id: 1QTjdA
- url: https://semgrep.dev/playground/r/1QTjdA/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd
+ version_id: rxTyLpr
+ url: https://semgrep.dev/playground/r/rxTyLpr/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd
 origin: community
 severity: ERROR
 languages:
@@ -4987,8 +4894,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: X5U8RQ
- version_id: 9lTzR9
- url: https://semgrep.dev/playground/r/9lTzR9/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
+ version_id: bZTb17O
+ url: https://semgrep.dev/playground/r/bZTb17O/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command
 origin: community
 severity: ERROR
 languages:
@@ -5100,8 +5007,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UvPl
- version_id: yeTXP4
- url: https://semgrep.dev/playground/r/yeTXP4/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec
+ version_id: NdT3dKY
+ url: https://semgrep.dev/playground/r/NdT3dKY/go.lang.security.audit.dangerous-syscall-exec.dangerous-syscall-exec
 origin: community
 severity: ERROR
 languages:
@@ -5141,8 +5048,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqU5bD
- version_id: rxTxwE
- url: https://semgrep.dev/playground/r/rxTxwE/go.lang.security.audit.database.string-formatted-query.string-formatted-query
+ version_id: kbTdxBw
+ url: https://semgrep.dev/playground/r/kbTdxBw/go.lang.security.audit.database.string-formatted-query.string-formatted-query
 origin: community
 patterns:
 - metavariable-regex:
@@ -5318,8 +5225,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUz3J
- version_id: NdT1NP
- url: https://semgrep.dev/playground/r/NdT1NP/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces
+ version_id: xyTKZgN
+ url: https://semgrep.dev/playground/r/xyTKZgN/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces
 origin: community
 pattern-either:
 - pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
@@ -5357,8 +5264,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUjDW
- version_id: O9Ty6W
- url: https://semgrep.dev/playground/r/O9Ty6W/go.lang.security.audit.net.formatted-template-string.formatted-template-string
+ version_id: d6TrA0v
+ url: https://semgrep.dev/playground/r/d6TrA0v/go.lang.security.audit.net.formatted-template-string.formatted-template-string
 origin: community
 languages:
 - go
@@ -5416,8 +5323,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxU1Kp
- version_id: vdT296
- url: https://semgrep.dev/playground/r/vdT296/go.lang.security.audit.net.pprof.pprof-debug-exposure
+ version_id: nWTxPb9
+ url: https://semgrep.dev/playground/r/nWTxPb9/go.lang.security.audit.net.pprof.pprof-debug-exposure
 origin: community
 message: The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import "net/http/pprof"`.
@@ -5473,8 +5380,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUz9R
- version_id: d6TDeW
- url: https://semgrep.dev/playground/r/d6TDeW/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr
+ version_id: ExTjNLe
+ url: https://semgrep.dev/playground/r/ExTjNLe/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr
 origin: community
 languages:
 - go
@@ -5537,8 +5444,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qUP8K
- version_id: ZRTwOr
- url: https://semgrep.dev/playground/r/ZRTwOr/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js
+ version_id: 7ZTgolZ
+ url: https://semgrep.dev/playground/r/7ZTgolZ/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js
 origin: community
 languages:
 - go
@@ -5602,8 +5509,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUkDW
- version_id: nWT7ZB
- url: https://semgrep.dev/playground/r/nWT7ZB/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url
+ version_id: LjTqQWB
+ url: https://semgrep.dev/playground/r/LjTqQWB/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url
 origin: community
 languages:
 - go
@@ -5662,8 +5569,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUZ8X
- version_id: ExTnK9
- url: https://semgrep.dev/playground/r/ExTnK9/go.lang.security.audit.net.use-tls.use-tls
+ version_id: 8KTQ9JB
+ url: https://semgrep.dev/playground/r/8KTQ9JB/go.lang.security.audit.net.use-tls.use-tls
 origin: community
 message: Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.
@@ -5698,8 +5605,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10UKGb
- version_id: LjT05Y
- url: https://semgrep.dev/playground/r/LjT05Y/go.lang.security.audit.reflect-makefunc.reflect-makefunc
+ version_id: QkTW0YB
+ url: https://semgrep.dev/playground/r/QkTW0YB/go.lang.security.audit.reflect-makefunc.reflect-makefunc
 origin: community
 severity: ERROR
 pattern: reflect.MakeFunc(...)
@@ -5749,8 +5656,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUBdJ
- version_id: 44TogA
- url: https://semgrep.dev/playground/r/44TogA/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name
+ version_id: 5PTdAR2
+ url: https://semgrep.dev/playground/r/5PTdAR2/go.lang.security.audit.unsafe-reflect-by-name.unsafe-reflect-by-name
 origin: community
 severity: WARNING
 languages:
@@ -5785,8 +5692,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AU1p1
- version_id: PkTY0Z
- url: https://semgrep.dev/playground/r/PkTY0Z/go.lang.security.audit.unsafe.use-of-unsafe-block
+ version_id: GxTv6nn
+ url: https://semgrep.dev/playground/r/GxTv6nn/go.lang.security.audit.unsafe.use-of-unsafe-block
 origin: community
 pattern: unsafe.$FUNC(...)
 - id: go.lang.security.audit.xss.import-text-template.import-text-template
@@ -5825,8 +5732,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOZQ
- version_id: JdTq6P
- url: https://semgrep.dev/playground/r/JdTq6P/go.lang.security.audit.xss.import-text-template.import-text-template
+ version_id: RGTDk68
+ url: https://semgrep.dev/playground/r/RGTDk68/go.lang.security.audit.xss.import-text-template.import-text-template
 origin: community
 severity: WARNING
 patterns:
@@ -5875,8 +5782,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU71y
- version_id: 5PT6p8
- url: https://semgrep.dev/playground/r/5PT6p8/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter
+ version_id: A8T95O8
+ url: https://semgrep.dev/playground/r/A8T95O8/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter
 origin: community
 patterns:
 - pattern-either:
@@ -5928,8 +5835,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUgyJ
- version_id: GxT2zr
- url: https://semgrep.dev/playground/r/GxT2zr/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter
+ version_id: BjTXrgq
+ url: https://semgrep.dev/playground/r/BjTXrgq/go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter
 origin: community
 severity: WARNING
 patterns:
@@ -5979,8 +5886,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUzBB
- version_id: RGTbqq
- url: https://semgrep.dev/playground/r/RGTbqq/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag
+ version_id: DkT6nPE
+ url: https://semgrep.dev/playground/r/DkT6nPE/go.lang.security.audit.xss.no-interpolation-in-tag.no-interpolation-in-tag
 origin: community
 languages:
 - generic
@@ -6027,8 +5934,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUNR6
- version_id: A8TRe3
- url: https://semgrep.dev/playground/r/A8TRe3/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string
+ version_id: WrTWQX0
+ url: https://semgrep.dev/playground/r/WrTWQX0/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string
 origin: community
 languages:
 - generic
@@ -6075,8 +5982,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUpEr
- version_id: BjTEzK
- url: https://semgrep.dev/playground/r/BjTEzK/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter
+ version_id: 0bTLl8P
+ url: https://semgrep.dev/playground/r/0bTLl8P/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter
 origin: community
 severity: WARNING
 patterns:
@@ -6124,8 +6031,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUoLp
- version_id: DkTQxN
- url: https://semgrep.dev/playground/r/DkTQxN/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter
+ version_id: K3TvjDq
+ url: https://semgrep.dev/playground/r/K3TvjDq/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter
 origin: community
 severity: WARNING
 patterns:
@@ -6175,8 +6082,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU5n3
- version_id: WrTbNQ
- url: https://semgrep.dev/playground/r/WrTbNQ/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type
+ version_id: qkT2xdw
+ url: https://semgrep.dev/playground/r/qkT2xdw/go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type
 origin: community
 languages:
 - go
@@ -6221,8 +6128,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JUjnL
- version_id: K3Tl5K
- url: https://semgrep.dev/playground/r/K3Tl5K/go.lang.security.bad_tmp.bad-tmp-file-creation
+ version_id: YDTp217
+ url: https://semgrep.dev/playground/r/YDTp217/go.lang.security.bad_tmp.bad-tmp-file-creation
 origin: community
 pattern-either:
 - pattern: ioutil.WriteFile("=~//tmp/.*$/", ...)
@@ -6298,8 +6205,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqUeqn
- version_id: qkTNWO
- url: https://semgrep.dev/playground/r/qkTNWO/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
+ version_id: 6xTvJlY
+ url: https://semgrep.dev/playground/r/6xTvJlY/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb
 origin: community
 - id: go.lang.security.zip.path-traversal-inside-zip-extraction
 message: File traversal when extracting zip archive
@@ -6331,8 +6238,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdUkoR
- version_id: zyT5ne
- url: https://semgrep.dev/playground/r/zyT5ne/go.lang.security.zip.path-traversal-inside-zip-extraction
+ version_id: X0TQxjB
+ url: https://semgrep.dev/playground/r/X0TQxjB/go.lang.security.zip.path-traversal-inside-zip-extraction
 origin: community
 languages:
 - go
@@ -6374,8 +6281,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUbxk
- version_id: pZTrzq
- url: https://semgrep.dev/playground/r/pZTrzq/go.otto.security.audit.dangerous-execution.dangerous-execution
+ version_id: jQTgY8k
+ url: https://semgrep.dev/playground/r/jQTgY8k/go.otto.security.audit.dangerous-execution.dangerous-execution
 origin: community
 severity: ERROR
 patterns:
@@ -6431,8 +6338,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUPQ7
- version_id: ZRTwGr
- url: https://semgrep.dev/playground/r/ZRTwGr/java.jboss.security.seam-log-injection.seam-log-injection
+ version_id: JdTNpEA
+ url: https://semgrep.dev/playground/r/JdTNpEA/java.jboss.security.seam-log-injection.seam-log-injection
 origin: community
 severity: ERROR
 - id: java.jjwt.security.jwt-none-alg.jjwt-none-alg
@@ -6470,8 +6377,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2Uvol
- version_id: ExTnq9
- url: https://semgrep.dev/playground/r/ExTnq9/java.jjwt.security.jwt-none-alg.jjwt-none-alg
+ version_id: GxTv63n
+ url: https://semgrep.dev/playground/r/GxTv63n/java.jjwt.security.jwt-none-alg.jjwt-none-alg
 origin: community
 languages:
 - java
@@ -6514,8 +6421,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU8J3
- version_id: 7ZTOWO
- url: https://semgrep.dev/playground/r/7ZTOWO/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind
+ version_id: WrTWQD0
+ url: https://semgrep.dev/playground/r/WrTWQD0/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind
 origin: community
 message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html
@@ -6551,8 +6458,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8Uny0
- version_id: LjT0PY
- url: https://semgrep.dev/playground/r/LjT0PY/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion
+ version_id: 0bTLlDP
+ url: https://semgrep.dev/playground/r/0bTLlDP/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion
 origin: community
 message: '''Integer.toHexString()'' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces
@@ -6600,8 +6507,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UjJ3
- version_id: 8KTbAe
- url: https://semgrep.dev/playground/r/8KTbAe/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size
+ version_id: K3TvjZq
+ url: https://semgrep.dev/playground/r/K3TvjZq/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size
 origin: community
 message: Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.
@@ -6648,8 +6555,8 @@ rules: semgrep.dev: rule: rule_id: ZqU5oD - version_id: gETqyZ - url: https://semgrep.dev/playground/r/gETqyZ/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + version_id: qkT2xEw + url: https://semgrep.dev/playground/r/qkT2xEw/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle origin: community severity: WARNING fix: '"AES/GCM/NoPadding" @@ -6764,8 +6671,8 @@ rules: semgrep.dev: rule: rule_id: nJUzvJ - version_id: QkTJkW - url: https://semgrep.dev/playground/r/QkTJkW/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + version_id: l4T4vgR + url: https://semgrep.dev/playground/r/l4T4vgR/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call origin: community severity: ERROR languages: @@ -6951,8 +6858,8 @@ rules: semgrep.dev: rule: rule_id: 4bUzzo - version_id: 3ZTd3l - url: https://semgrep.dev/playground/r/3ZTd3l/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder + version_id: YDTp2B7 + url: https://semgrep.dev/playground/r/YDTp2B7/java.lang.security.audit.command-injection-process-builder.command-injection-process-builder origin: community severity: ERROR languages: @@ -6987,8 +6894,8 @@ rules: semgrep.dev: rule: rule_id: EwU2z6 - version_id: 44ToQA - url: https://semgrep.dev/playground/r/44ToQA/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + version_id: JdTNpEW + url: https://semgrep.dev/playground/r/JdTNpEW/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly origin: community message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading 
@@ -7034,8 +6941,8 @@ rules: semgrep.dev: rule: rule_id: L1Uyvp - version_id: JdTqlP - url: https://semgrep.dev/playground/r/JdTqlP/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + version_id: GxTv63G + url: https://semgrep.dev/playground/r/GxTv63G/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag origin: community message: A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels 
@@ -7051,49 +6958,6 @@ rules: - pattern-not-inside: "$COOKIE.setSecure(...); ..." - pattern-not-inside: "$COOKIE = ResponseCookie.from(...). ...; ..." - pattern: "$RESPONSE.addCookie($COOKIE);" -- id: java.lang.security.audit.crypto.gcm-detection.gcm-detection - metadata: - category: security - cwe: - - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' - references: - - https://cwe.mitre.org/data/definitions/323.html - technology: - - java - owasp: - - A02:2021 - Cryptographic Failures - subcategory: - - audit - likelihood: MEDIUM - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cryptographic Issues - source: https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-detection.gcm-detection - shortlink: https://sg.run/BLLb - semgrep.dev: - rule: - rule_id: 5rU88R - version_id: A8T93eQ - url: https://semgrep.dev/playground/r/A8T93eQ/java.lang.security.audit.crypto.gcm-detection.gcm-detection - origin: community - languages: - - java - message: GCM detected, please check that IV/nonce is not reused, an Initialization - Vector (IV) is a nonce used to randomize the encryption, so that even if multiple - messages with identical plaintext are encrypted, the generated corresponding ciphertexts - are different. Unlike the Key, the IV usually does not need to be secret, rather - it is important that it is random and unique. Certain encryption schemes the IV - is exchanged in public as part of the ciphertext. Reusing same Initialization - Vector with the same Key to encrypt multiple plaintext blocks allows an attacker - to compare the ciphertexts and then, with some assumptions on the content of the - messages, to gain important information about the data being encrypted. 
- patterns: - - pattern-either: - - pattern: $METHOD.getInstance("AES/GCM/NoPadding",...); - - pattern: new GCMParameterSpec(...); - severity: INFO - id: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests metadata: cwe: @@ -7125,8 +6989,8 @@ rules: semgrep.dev: rule: rule_id: KxUbW4 - version_id: qkTNQO - url: https://semgrep.dev/playground/r/qkTNQO/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests + version_id: YDTp25Q + url: https://semgrep.dev/playground/r/YDTp25Q/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests origin: community message: 'Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. @@ -7170,8 +7034,8 @@ rules: semgrep.dev: rule: rule_id: qNUj8b - version_id: l4T5yp - url: https://semgrep.dev/playground/r/l4T5yp/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + version_id: 6xTvJ31 + url: https://semgrep.dev/playground/r/6xTvJ31/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated origin: community message: DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder @@ -7217,8 +7081,8 @@ rules: semgrep.dev: rule: rule_id: lBU9n8 - version_id: YDTolk - url: https://semgrep.dev/playground/r/YDTolk/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + version_id: o5Tglv2 + url: https://semgrep.dev/playground/r/o5Tglv2/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier origin: community severity: WARNING languages: 
@@ -7267,8 +7131,8 @@ rules: semgrep.dev: rule: rule_id: YGUR9A - version_id: JdTqlK - url: https://semgrep.dev/playground/r/JdTqlK/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + version_id: zyTK8dW + url: https://semgrep.dev/playground/r/zyTK8dW/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager origin: community message: Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using @@ -7310,6 +7174,8 @@ rules: - java severity: WARNING metadata: + functional-categories: + - crypto::search::randomness::java.security owasp: - A02:2021 - Cryptographic Failures cwe: @@ -7332,8 +7198,8 @@ rules: semgrep.dev: rule: rule_id: lBUW5D - version_id: qkTNQE - url: https://semgrep.dev/playground/r/qkTNQE/java.lang.security.audit.crypto.weak-random.weak-random + version_id: NdT3dLr + url: https://semgrep.dev/playground/r/NdT3dLr/java.lang.security.audit.crypto.weak-random.weak-random origin: community pattern-either: - pattern: 'new java.util.Random(...).$FUNC(...) @@ -7391,8 +7257,8 @@ rules: semgrep.dev: rule: rule_id: ReUPKp - version_id: YDTolW - url: https://semgrep.dev/playground/r/YDTolW/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell + version_id: w8T9nr4 + url: https://semgrep.dev/playground/r/w8T9nr4/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell origin: community languages: - java @@ -7423,8 +7289,8 @@ rules: semgrep.dev: rule: rule_id: gxU1Np - version_id: 6xTeDB - url: https://semgrep.dev/playground/r/6xTeDB/java.lang.security.audit.el-injection.el-injection + version_id: xyTKZO1 + url: https://semgrep.dev/playground/r/xyTKZO1/java.lang.security.audit.el-injection.el-injection origin: community message: An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. 
@@ -7592,8 +7458,8 @@ rules: semgrep.dev: rule: rule_id: KxUY7b - version_id: 2KT17O - url: https://semgrep.dev/playground/r/2KT17O/java.lang.security.audit.java-reverse-shell.java-reverse-shell + version_id: d6TrA15 + url: https://semgrep.dev/playground/r/d6TrA15/java.lang.security.audit.java-reverse-shell.java-reverse-shell origin: community languages: - java @@ -7631,8 +7497,8 @@ rules: semgrep.dev: rule: rule_id: PeUZNX - version_id: X0TP5y - url: https://semgrep.dev/playground/r/X0TP5y/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + version_id: ZRTQNn9 + url: https://semgrep.dev/playground/r/ZRTQNn9/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string origin: community message: 'Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: ''jdbc.queryForObject("select @@ -7758,8 +7624,8 @@ rules: semgrep.dev: rule: rule_id: JDUy8B - version_id: jQTKr2 - url: https://semgrep.dev/playground/r/jQTKr2/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + version_id: nWTxPjE + url: https://semgrep.dev/playground/r/nWTxPjE/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning origin: community message: An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution. @@ -7809,8 +7675,8 @@ rules: semgrep.dev: rule: rule_id: 5rUObQ - version_id: 1QTjPl - url: https://semgrep.dev/playground/r/1QTjPl/java.lang.security.audit.ldap-injection.ldap-injection + version_id: ExTjNOO + url: https://semgrep.dev/playground/r/ExTjNOO/java.lang.security.audit.ldap-injection.ldap-injection origin: community severity: WARNING languages: 
@@ -7894,8 +7760,8 @@ rules: semgrep.dev: rule: rule_id: GdU7py - version_id: yeTXN6 - url: https://semgrep.dev/playground/r/yeTXN6/java.lang.security.audit.object-deserialization.object-deserialization + version_id: LjTqQOj + url: https://semgrep.dev/playground/r/LjTqQOj/java.lang.security.audit.object-deserialization.object-deserialization origin: community message: Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams @@ -7935,8 +7801,8 @@ rules: semgrep.dev: rule: rule_id: ReUgjJ - version_id: rxTxDx - url: https://semgrep.dev/playground/r/rxTxDx/java.lang.security.audit.ognl-injection.ognl-injection + version_id: 8KTQ9Xw + url: https://semgrep.dev/playground/r/8KTQ9Xw/java.lang.security.audit.ognl-injection.ognl-injection origin: community severity: WARNING languages: @@ -8791,8 +8657,8 @@ rules: semgrep.dev: rule: rule_id: AbUzwB - version_id: bZTGBk - url: https://semgrep.dev/playground/r/bZTGBk/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + version_id: gET3xjQ + url: https://semgrep.dev/playground/r/gET3xjQ/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission origin: community pattern-either: - pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/")); @@ -8844,8 +8710,8 @@ rules: semgrep.dev: rule: rule_id: BYUN66 - version_id: NdT1Bn - url: https://semgrep.dev/playground/r/NdT1Bn/java.lang.security.audit.permissive-cors.permissive-cors + version_id: QkTW0Dr + url: https://semgrep.dev/playground/r/QkTW0Dr/java.lang.security.audit.permissive-cors.permissive-cors origin: community severity: WARNING languages: 
@@ -8925,8 +8791,8 @@ rules: semgrep.dev: rule: rule_id: DbUpAr - version_id: kbT7OK - url: https://semgrep.dev/playground/r/kbT7OK/java.lang.security.audit.script-engine-injection.script-engine-injection + version_id: 3ZTkQnw + url: https://semgrep.dev/playground/r/3ZTkQnw/java.lang.security.audit.script-engine-injection.script-engine-injection origin: community severity: WARNING languages: @@ -9064,8 +8930,8 @@ rules: semgrep.dev: rule: rule_id: 6JUjPD - version_id: w8T3k9 - url: https://semgrep.dev/playground/r/w8T3k9/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli + version_id: 44TRlpj + url: https://semgrep.dev/playground/r/44TRlpj/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli origin: community languages: - java @@ -9139,8 +9005,8 @@ rules: semgrep.dev: rule: rule_id: oqUe8K - version_id: xyT4dv - url: https://semgrep.dev/playground/r/xyT4dv/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli + version_id: PkTJ1vy + url: https://semgrep.dev/playground/r/PkTJ1vy/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli origin: community - id: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli pattern-either: @@ -9243,8 +9109,8 @@ rules: semgrep.dev: rule: rule_id: zdUk7l - version_id: O9Tyvn - url: https://semgrep.dev/playground/r/O9Tyvn/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli + version_id: JdTNpbW + url: https://semgrep.dev/playground/r/JdTNpbW/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli origin: community - id: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli message: Detected a formatted string in a SQL statement. This could lead to SQL @@ -9315,8 +9181,8 @@ rules: semgrep.dev: rule: rule_id: pKUO7y - version_id: e1TxZ8 - url: https://semgrep.dev/playground/r/e1TxZ8/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli + version_id: 5PTdAjX + url: https://semgrep.dev/playground/r/5PTdAjX/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli origin: community - id: java.lang.security.audit.sqli.turbine-sqli.turbine-sqli pattern-either: 
@@ -9418,8 +9284,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUbJ3 - version_id: d6TD6l - url: https://semgrep.dev/playground/r/d6TD6l/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli + version_id: RGTDk7b + url: https://semgrep.dev/playground/r/RGTDk7b/java.lang.security.audit.sqli.turbine-sqli.turbine-sqli origin: community - id: java.lang.security.audit.sqli.vertx-sqli.vertx-sqli message: Detected a formatted string in a SQL statement. This could lead to SQL @@ -9497,8 +9363,8 @@ rules: semgrep.dev: rule: rule_id: X5U86z - version_id: ZRTweO - url: https://semgrep.dev/playground/r/ZRTweO/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli + version_id: A8T958Y + url: https://semgrep.dev/playground/r/A8T958Y/java.lang.security.audit.sqli.vertx-sqli.vertx-sqli origin: community - id: java.lang.security.audit.unsafe-reflection.unsafe-reflection patterns: @@ -9542,8 +9408,8 @@ rules: semgrep.dev: rule: rule_id: DbUW1W - version_id: 8KTbv9 - url: https://semgrep.dev/playground/r/8KTbv9/java.lang.security.audit.unsafe-reflection.unsafe-reflection + version_id: qkT2x6j + url: https://semgrep.dev/playground/r/qkT2x6j/java.lang.security.audit.unsafe-reflection.unsafe-reflection origin: community severity: WARNING languages: @@ -9575,8 +9441,8 @@ rules: semgrep.dev: rule: rule_id: KxUb1k - version_id: 3ZTdLR - url: https://semgrep.dev/playground/r/3ZTdLR/java.lang.security.audit.weak-ssl-context.weak-ssl-context + version_id: 6xTvJn1 + url: https://semgrep.dev/playground/r/6xTvJn1/java.lang.security.audit.weak-ssl-context.weak-ssl-context origin: community message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") 
@@ -9625,8 +9491,8 @@ rules: semgrep.dev: rule: rule_id: qNUj3y - version_id: 44Toeb - url: https://semgrep.dev/playground/r/44Toeb/java.lang.security.audit.xml-decoder.xml-decoder + version_id: o5Tglq2 + url: https://semgrep.dev/playground/r/o5Tglq2/java.lang.security.audit.xml-decoder.xml-decoder origin: community severity: WARNING languages: @@ -9678,8 +9544,8 @@ rules: semgrep.dev: rule: rule_id: 10UKqE - version_id: PkTYj2 - url: https://semgrep.dev/playground/r/PkTYj2/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled + version_id: zyTK8oW + url: https://semgrep.dev/playground/r/zyTK8oW/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled origin: community pattern-regex: ".*escape.*?=.*?false.*" paths: @@ -9718,8 +9584,8 @@ rules: semgrep.dev: rule: rule_id: lBU9Gj - version_id: A8TRNx - url: https://semgrep.dev/playground/r/A8TRNx/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + version_id: 1QTOY6y + url: https://semgrep.dev/playground/r/1QTOY6y/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure origin: community message: It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) @@ -9766,8 +9632,8 @@ rules: semgrep.dev: rule: rule_id: bwUw28 - version_id: l4T5Xb - url: https://semgrep.dev/playground/r/l4T5Xb/java.lang.security.do-privileged-use.do-privileged-use + version_id: w8T9nX4 + url: https://semgrep.dev/playground/r/w8T9nX4/java.lang.security.do-privileged-use.do-privileged-use origin: community message: Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called 
@@ -9856,8 +9722,8 @@ rules: semgrep.dev: rule: rule_id: QrUD20 - version_id: o5TnK6 - url: https://semgrep.dev/playground/r/o5TnK6/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization + version_id: e1T01QP + url: https://semgrep.dev/playground/r/e1T01QP/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization origin: community - id: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor languages: @@ -9888,8 +9754,8 @@ rules: semgrep.dev: rule: rule_id: 6JU67x - version_id: pZTrbj - url: https://semgrep.dev/playground/r/pZTrbj/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor + version_id: d6TrAX5 + url: https://semgrep.dev/playground/r/d6TrAX5/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor origin: community message: Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) @@ -9935,8 +9801,8 @@ rules: semgrep.dev: rule: rule_id: x8Unkq - version_id: 2KT1dO - url: https://semgrep.dev/playground/r/2KT1dO/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + version_id: ZRTQN09 + url: https://semgrep.dev/playground/r/ZRTQN09/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled origin: community message: XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" 
@@ -9975,8 +9841,8 @@ rules: semgrep.dev: rule: rule_id: bwUwj4 - version_id: 9lTzAg - url: https://semgrep.dev/playground/r/9lTzAg/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization + version_id: LjTqQZj + url: https://semgrep.dev/playground/r/LjTqQZj/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization origin: community message: Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be @@ -10000,8 +9866,11 @@ rules: - A08:2017 - Insecure Deserialization - A08:2021 - Software and Data Integrity Failures references: - - https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ - https://frohoff.github.io/appseccali-marshalling-pickles/ + - https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi + - https://youtu.be/t_aw1mDNhzI + - https://github.com/qtc-de/remote-method-guesser + - https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331 category: security technology: - rmi 
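Review bot: The new `references` entry pointing at `openjdk/jdk/blob/master/.../UnicastRef.java#L303C4-L331` will silently drift, because `master` moves and a line-range fragment on a moving branch stops pointing at the deserialization call it is meant to document. Pinning it to a release tag or commit, e.g. `- https://github.com/openjdk/jdk/blob/<release-tag-or-commit>/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303-L331` (placeholder, pick the revision the range was taken from), keeps the reference stable. The `youtu.be` link carries no title, so a reader cannot tell what it covers without opening it; the other entries at least self-describe through their path. Dropping the mogwailabs JEP 290 post may be deliberate (dead link?), but it was the one reference aimed at the defender-side mitigation (serialization filters), so if it still resolves it seems worth keeping alongside the additions.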
@@ -10020,19 +9889,50 @@ rules: semgrep.dev: rule: rule_id: NbUkw5 - version_id: yeTXD6 - url: https://semgrep.dev/playground/r/yeTXD6/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + version_id: 8KTQ9Rw + url: https://semgrep.dev/playground/r/8KTQ9Rw/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization origin: community - message: Using an arbitrary object ('Object $PARAM') with Java RMI is an insecure + message: Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON. languages: - java - pattern: | - interface $INTERFACE extends Remote { - $RETURNTYPE $METHOD(Object $PARAM) throws RemoteException; - } + patterns: + - pattern: | + interface $INTERFACE extends Remote { + $RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException; + } + - metavariable-pattern: + metavariable: "$PARAMTYPE" + language: generic + patterns: + - pattern-not: String + - pattern-not: java.lang.String + - pattern-not: boolean + - pattern-not: Boolean + - pattern-not: java.lang.Boolean + - pattern-not: byte + - pattern-not: Byte + - pattern-not: java.lang.Byte + - pattern-not: char + - pattern-not: Character + - pattern-not: java.lang.Character + - pattern-not: double + - pattern-not: Double + - pattern-not: java.lang.Double + - pattern-not: float + - pattern-not: Float + - pattern-not: java.lang.Float + - pattern-not: int + - pattern-not: Integer + - pattern-not: java.lang.Integer + - pattern-not: long + - pattern-not: Long + - pattern-not: java.lang.Long + - pattern-not: short + - pattern-not: Short + - pattern-not: java.lang.Short - id: java.servlets.security.cookie-issecure-false.cookie-issecure-false patterns: - pattern: "$COOKIE = 
new Cookie(...);\n" @@ -10072,8 +9972,8 @@ rules: semgrep.dev: rule: rule_id: kxUkn9 - version_id: rxTxjx - url: https://semgrep.dev/playground/r/rxTxjx/java.servlets.security.cookie-issecure-false.cookie-issecure-false + version_id: gET3xdQ + url: https://semgrep.dev/playground/r/gET3xdQ/java.servlets.security.cookie-issecure-false.cookie-issecure-false origin: community languages: - java @@ -10106,8 +10006,8 @@ rules: semgrep.dev: rule: rule_id: x8Un7b - version_id: bZTGLk - url: https://semgrep.dev/playground/r/bZTGLk/java.spring.security.audit.spel-injection.spel-injection + version_id: QkTW0Pr + url: https://semgrep.dev/playground/r/QkTW0Pr/java.spring.security.audit.spel-injection.spel-injection origin: community severity: WARNING languages: @@ -10222,8 +10122,8 @@ rules: semgrep.dev: rule: rule_id: OrU3gK - version_id: O9TyXn - url: https://semgrep.dev/playground/r/O9TyXn/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + version_id: 5PTdAWX + url: https://semgrep.dev/playground/r/5PTdAWX/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled origin: community severity: WARNING languages: @@ -10261,8 +10161,8 @@ rules: semgrep.dev: rule: rule_id: PeUkkL - version_id: e1Tx98 - url: https://semgrep.dev/playground/r/e1Tx98/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval + version_id: GxTv6NG + url: https://semgrep.dev/playground/r/GxTv6NG/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval origin: community paths: include: @@ -10311,8 +10211,8 @@ rules: semgrep.dev: rule: rule_id: wdUJ7q - version_id: gETqeO - url: https://semgrep.dev/playground/r/gETqeO/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + version_id: l4T4vEd + url: https://semgrep.dev/playground/r/l4T4vEd/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping origin: community languages: - java 
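Review bot: The `metavariable-pattern` added for `$PARAMTYPE` runs its `pattern-not` list under `language: generic`, and generic mode (as far as I recall) matches the pattern anywhere inside the bound text rather than against the whole of it; if so, a parameter type such as `Map<String, Object>` or `List<String>` is excluded merely because it contains the token `String`, which is a false negative on exactly the container types this rule exists to flag, and `byte[]`/`String[]` are excluded by the same mechanism without that being stated anywhere. Anchored regexes over the bound type express the intent (exclude only when the entire type is a String, primitive or wrapper) and replace the 24 `pattern-not` lines; the rewrite is sketched below and should be confirmed against the semgrep playground before merging. Separately, the old `$METHOD(Object $PARAM)` and the new `$METHOD($PARAMTYPE $PARAM)` both appear to match only single-parameter remote methods, so a method with two parameters where one is an arbitrary object is presumably still missed; that limitation predates this change but is worth a comment on the rule. The rule entry begins before the hunk (its `id:` and `metadata:` are outside it).
```yaml
  patterns:
  # … unchanged: the `pattern: |` interface block …
  - metavariable-pattern:
      metavariable: "$PARAMTYPE"
      language: generic
      patterns:
      # anchored on the whole type: exclude String/primitive/wrapper parameters only,
      # not types that merely contain those tokens (e.g. Map<String, Object>)
      - pattern-not-regex: '^(java\.lang\.)?(String|Boolean|Byte|Character|Double|Float|Integer|Long|Short)$'
      - pattern-not-regex: '^(boolean|byte|char|double|float|int|long|short)$'
```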
@@ -10343,8 +10243,8 @@ rules: semgrep.dev: rule: rule_id: PeUo5X - version_id: QkTJZG - url: https://semgrep.dev/playground/r/QkTJZG/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true + version_id: YDTp2LQ + url: https://semgrep.dev/playground/r/YDTp2LQ/javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true origin: community languages: - javascript @@ -10397,8 +10297,8 @@ rules: semgrep.dev: rule: rule_id: ZqU5Yn - version_id: PkTYQ2 - url: https://semgrep.dev/playground/r/PkTYQ2/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect + version_id: GxTv61D + url: https://semgrep.dev/playground/r/GxTv61D/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect origin: community languages: - javascript @@ -10440,8 +10340,8 @@ rules: semgrep.dev: rule: rule_id: nJUzgX - version_id: JdTqDK - url: https://semgrep.dev/playground/r/JdTqDK/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading + version_id: RGTDky2 + url: https://semgrep.dev/playground/r/RGTDky2/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading origin: community languages: - javascript @@ -10485,8 +10385,8 @@ rules: semgrep.dev: rule: rule_id: 7KUQ4k - version_id: GxT2PW - url: https://semgrep.dev/playground/r/GxT2PW/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method + version_id: BjTXrRr + url: https://semgrep.dev/playground/r/BjTXrRr/javascript.angular.security.detect-angular-trust-as-css.detect-angular-trust-as-css-method origin: community languages: - javascript 
@@ -10533,8 +10433,8 @@ rules: semgrep.dev: rule: rule_id: L1Uy88 - version_id: RGTbAB - url: https://semgrep.dev/playground/r/RGTbAB/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method + version_id: DkT6nEY + url: https://semgrep.dev/playground/r/DkT6nEY/javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method origin: community languages: - javascript @@ -10581,8 +10481,8 @@ rules: semgrep.dev: rule: rule_id: 8GUj8k - version_id: A8TRJx - url: https://semgrep.dev/playground/r/A8TRJx/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method + version_id: WrTWQLq + url: https://semgrep.dev/playground/r/WrTWQLq/javascript.angular.security.detect-angular-trust-as-js-method.detect-angular-trust-as-js-method origin: community languages: - javascript @@ -10629,8 +10529,8 @@ rules: semgrep.dev: rule: rule_id: QrUzeq - version_id: DkTQNo - url: https://semgrep.dev/playground/r/DkTQNo/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method + version_id: K3Tvjxg + url: https://semgrep.dev/playground/r/K3Tvjxg/javascript.angular.security.detect-angular-trust-as-resourceurl-method.detect-angular-trust-as-resourceurl-method origin: community languages: - javascript @@ -10677,8 +10577,8 @@ rules: semgrep.dev: rule: rule_id: 3qUP01 - version_id: WrTbE2 - url: https://semgrep.dev/playground/r/WrTbE2/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method + version_id: qkT2xDL + url: https://semgrep.dev/playground/r/qkT2xDL/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method origin: community languages: - javascript 
@@ -10726,8 +10626,8 @@ rules: semgrep.dev: rule: rule_id: PeUZPg - version_id: 0bTv1Y - url: https://semgrep.dev/playground/r/0bTv1Y/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method + version_id: l4T4vE1 + url: https://semgrep.dev/playground/r/l4T4vE1/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method origin: community languages: - javascript @@ -10771,8 +10671,8 @@ rules: semgrep.dev: rule: rule_id: AbUGBR - version_id: K3TlJD - url: https://semgrep.dev/playground/r/K3TlJD/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf + version_id: YDTp2LO + url: https://semgrep.dev/playground/r/YDTp2LO/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf origin: community languages: - javascript @@ -10826,8 +10726,8 @@ rules: semgrep.dev: rule: rule_id: kxUYE9 - version_id: l4T5xb - url: https://semgrep.dev/playground/r/l4T5xb/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization + version_id: o5TglAW + url: https://semgrep.dev/playground/r/o5TglAW/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization origin: community languages: - javascript @@ -10876,8 +10776,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOg6 - version_id: l4T5xP - url: https://semgrep.dev/playground/r/l4T5xP/javascript.browser.security.dom-based-xss.dom-based-xss + version_id: w8T9nYx + url: https://semgrep.dev/playground/r/w8T9nYx/javascript.browser.security.dom-based-xss.dom-based-xss origin: community languages: - javascript @@ -10920,8 +10820,8 @@ rules: semgrep.dev: rule: rule_id: GdU7dw - version_id: YDTovX - url: https://semgrep.dev/playground/r/YDTovX/javascript.browser.security.eval-detected.eval-detected + version_id: xyTKZ6r + url: https://semgrep.dev/playground/r/xyTKZ6r/javascript.browser.security.eval-detected.eval-detected origin: community languages: - javascript 
@@ -10960,8 +10860,8 @@ rules: semgrep.dev: rule: rule_id: ReUg41 - version_id: 6xTeJb - url: https://semgrep.dev/playground/r/6xTeJb/javascript.browser.security.insecure-document-method.insecure-document-method + version_id: O9TNO1x + url: https://semgrep.dev/playground/r/O9TNO1x/javascript.browser.security.insecure-document-method.insecure-document-method origin: community languages: - javascript @@ -11006,8 +10906,8 @@ rules: semgrep.dev: rule: rule_id: BYUN0X - version_id: zyT58j - url: https://semgrep.dev/playground/r/zyT58j/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation + version_id: vdTYNlP + url: https://semgrep.dev/playground/r/vdTYNlP/javascript.browser.security.insufficient-postmessage-origin-validation.insufficient-postmessage-origin-validation origin: community languages: - javascript @@ -11070,8 +10970,8 @@ rules: semgrep.dev: rule: rule_id: KxUbq4 - version_id: 9lTzWZ - url: https://semgrep.dev/playground/r/9lTzWZ/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration + version_id: LjTqQvN + url: https://semgrep.dev/playground/r/LjTqQvN/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration origin: community languages: - javascript @@ -11111,8 +11011,8 @@ rules: semgrep.dev: rule: rule_id: wdUKEq - version_id: O9TyOQ - url: https://semgrep.dev/playground/r/O9TyOQ/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage + version_id: 5PTdAbp + url: https://semgrep.dev/playground/r/5PTdAbp/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage origin: community languages: - javascript 
@@ -11164,8 +11064,8 @@ rules: semgrep.dev: rule: rule_id: OrUX9K - version_id: LjT0Qd - url: https://semgrep.dev/playground/r/LjT0Qd/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage + version_id: K3Tvj1g + url: https://semgrep.dev/playground/r/K3Tvj1g/javascript.express.security.audit.express-detect-notevil-usage.express-detect-notevil-usage origin: community languages: - javascript @@ -11228,8 +11128,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUY52 - version_id: QkTJ0Y - url: https://semgrep.dev/playground/r/QkTJ0Y/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent + version_id: YDTp2dO + url: https://semgrep.dev/playground/r/YDTp2dO/javascript.express.security.audit.express-libxml-vm-noent.express-libxml-vm-noent origin: community languages: - javascript @@ -11290,8 +11190,8 @@ rules: semgrep.dev: rule: rule_id: gxU12X - version_id: A8TR5l - url: https://semgrep.dev/playground/r/A8TR5l/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect + version_id: 1QTOY1R + url: https://semgrep.dev/playground/r/1QTOY1R/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect origin: community languages: - javascript @@ -11341,8 +11241,8 @@ rules: semgrep.dev: rule: rule_id: 4bUkPO - version_id: 0bTvlA - url: https://semgrep.dev/playground/r/0bTvlA/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape + version_id: bZTb12y + url: https://semgrep.dev/playground/r/bZTb12y/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape origin: community languages: - regex 
@@ -11389,8 +11289,8 @@ rules: semgrep.dev: rule: rule_id: PeUZrg - version_id: K3Tljp - url: https://semgrep.dev/playground/r/K3Tljp/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href + version_id: NdT3d77 + url: https://semgrep.dev/playground/r/NdT3d77/javascript.express.security.audit.xss.ejs.var-in-href.var-in-href origin: community languages: - regex @@ -11435,8 +11335,8 @@ rules: semgrep.dev: rule: rule_id: JDUyrJ - version_id: qkTNxN - url: https://semgrep.dev/playground/r/qkTNxN/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src + version_id: kbTdx1n + url: https://semgrep.dev/playground/r/kbTdx1n/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src origin: community languages: - generic @@ -11485,8 +11385,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOD6 - version_id: l4T5vP - url: https://semgrep.dev/playground/r/l4T5vP/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag + version_id: w8T9nOx + url: https://semgrep.dev/playground/r/w8T9nOx/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag origin: community languages: - generic @@ -11532,8 +11432,8 @@ rules: semgrep.dev: rule: rule_id: GdU7Ew - version_id: YDTo2X - url: https://semgrep.dev/playground/r/YDTo2X/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite + version_id: xyTKZkr + url: https://semgrep.dev/playground/r/xyTKZkr/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite origin: community languages: - javascript 
@@ -11579,8 +11479,8 @@ rules: semgrep.dev: rule: rule_id: ReUgG1 - version_id: 6xTeQb - url: https://semgrep.dev/playground/r/6xTeQb/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape + version_id: O9TNO5x + url: https://semgrep.dev/playground/r/O9TNO5x/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape origin: community languages: - regex @@ -11624,8 +11524,8 @@ rules: semgrep.dev: rule: rule_id: DbUpyq - version_id: pZTrL6 - url: https://semgrep.dev/playground/r/pZTrL6/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes + version_id: d6TrAJk + url: https://semgrep.dev/playground/r/d6TrAJk/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes origin: community languages: - regex @@ -11667,8 +11567,8 @@ rules: semgrep.dev: rule: rule_id: WAUonl - version_id: 2KT13b - url: https://semgrep.dev/playground/r/2KT13b/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape + version_id: ZRTQNoL + url: https://semgrep.dev/playground/r/ZRTQNoL/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape origin: community languages: - regex @@ -11713,8 +11613,8 @@ rules: semgrep.dev: rule: rule_id: 0oU535 - version_id: X0TP2Z - url: https://semgrep.dev/playground/r/X0TP2Z/javascript.express.security.audit.xss.pug.var-in-href.var-in-href + version_id: nWTxPv7 + url: https://semgrep.dev/playground/r/nWTxPv7/javascript.express.security.audit.xss.pug.var-in-href.var-in-href origin: community languages: - regex 
@@ -11757,8 +11657,8 @@ rules: semgrep.dev: rule: rule_id: KxUbL4 - version_id: jQTKyR - url: https://semgrep.dev/playground/r/jQTKyR/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag + version_id: ExTjNzk + url: https://semgrep.dev/playground/r/ExTjNzk/javascript.express.security.audit.xss.pug.var-in-script-tag.var-in-script-tag origin: community languages: - regex @@ -11802,8 +11702,8 @@ rules: semgrep.dev: rule: rule_id: ReUo60 - version_id: 9lTz5Z - url: https://semgrep.dev/playground/r/9lTz5Z/javascript.express.security.express-data-exfiltration.express-data-exfiltration + version_id: LjTqQ8N + url: https://semgrep.dev/playground/r/LjTqQ8N/javascript.express.security.express-data-exfiltration.express-data-exfiltration origin: community languages: - javascript @@ -11878,8 +11778,8 @@ rules: semgrep.dev: rule: rule_id: pKUOjy - version_id: LjTqP9x - url: https://semgrep.dev/playground/r/LjTqP9x/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + version_id: QkTW0e7 + url: https://semgrep.dev/playground/r/QkTW0e7/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret origin: community languages: - javascript @@ -11938,8 +11838,8 @@ rules: semgrep.dev: rule: rule_id: qNUjwb - version_id: LjT0Ad - url: https://semgrep.dev/playground/r/LjT0Ad/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup + version_id: K3TvjWg + url: https://semgrep.dev/playground/r/K3TvjWg/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup origin: community languages: - javascript 
@@ -11981,8 +11881,8 @@ rules: semgrep.dev: rule: rule_id: lBU9D8 - version_id: 8KTbyO - url: https://semgrep.dev/playground/r/8KTbyO/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection + version_id: qkT2x8L + url: https://semgrep.dev/playground/r/qkT2x8L/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection origin: community languages: - javascript @@ -12044,8 +11944,8 @@ rules: semgrep.dev: rule: rule_id: GdU7XP - version_id: QkTJwY - url: https://semgrep.dev/playground/r/QkTJwY/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data + version_id: YDTp29O + url: https://semgrep.dev/playground/r/YDTp29O/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data origin: community languages: - javascript @@ -12100,8 +12000,8 @@ rules: semgrep.dev: rule: rule_id: KxUbL3 - version_id: RGTbRG - url: https://semgrep.dev/playground/r/RGTbRG/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify + version_id: DkT6nrZ + url: https://semgrep.dev/playground/r/DkT6nrZ/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify origin: community languages: - javascript @@ -12154,8 +12054,8 @@ rules: semgrep.dev: rule: rule_id: qNUjwe - version_id: A8TRXl - url: https://semgrep.dev/playground/r/A8TRXl/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data + version_id: WrTWQ4X + url: https://semgrep.dev/playground/r/WrTWQ4X/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data origin: community languages: - javascript 
@@ -12203,8 +12103,8 @@ rules: semgrep.dev: rule: rule_id: v8UGEw - version_id: 3ZTk6WD - url: https://semgrep.dev/playground/r/3ZTk6WD/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key + version_id: e1T01kp + url: https://semgrep.dev/playground/r/e1T01kp/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key origin: community languages: - javascript @@ -12245,8 +12145,8 @@ rules: semgrep.dev: rule: rule_id: d8UlRq - version_id: GxT2kj - url: https://semgrep.dev/playground/r/GxT2kj/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization + version_id: vdTYNz9 + url: https://semgrep.dev/playground/r/vdTYNz9/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization origin: community languages: - javascript @@ -12290,8 +12190,8 @@ rules: semgrep.dev: rule: rule_id: QrUpbJ - version_id: 0bTvKr - url: https://semgrep.dev/playground/r/0bTvKr/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop + version_id: LjTqQbA + url: https://semgrep.dev/playground/r/LjTqQbA/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop origin: community languages: - typescript @@ -12361,8 +12261,8 @@ rules: semgrep.dev: rule: rule_id: lBUdr5 - version_id: K3TlKr - url: https://semgrep.dev/playground/r/K3TlKr/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true + version_id: 8KTQ9k5 + url: https://semgrep.dev/playground/r/8KTQ9k5/javascript.lang.security.audit.spawn-shell-true.spawn-shell-true origin: community languages: - javascript 
@@ -12418,8 +12318,8 @@ rules: semgrep.dev: rule: rule_id: OrU37Y - version_id: vdTYp9Q - url: https://semgrep.dev/playground/r/vdTYp9Q/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag + version_id: PkTJ1rO + url: https://semgrep.dev/playground/r/PkTJ1rO/javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag origin: community languages: - javascript @@ -12462,8 +12362,8 @@ rules: semgrep.dev: rule: rule_id: eqU8KW - version_id: 2KT1v5 - url: https://semgrep.dev/playground/r/2KT1v5/javascript.lang.security.audit.vm-injection.vm-runincontext-context-injection + version_id: GxTv6Eg + url: https://semgrep.dev/playground/r/GxTv6Eg/javascript.lang.security.audit.vm-injection.vm-runincontext-context-injection origin: community mode: taint pattern-sources: @@ -12543,8 +12443,8 @@ rules: semgrep.dev: rule: rule_id: j2Uvj8 - version_id: kbT7zy - url: https://semgrep.dev/playground/r/kbT7zy/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + version_id: l4T4vOE + url: https://semgrep.dev/playground/r/l4T4vOE/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert origin: community languages: - javascript @@ -12588,8 +12488,8 @@ rules: semgrep.dev: rule: rule_id: 10UKNB - version_id: w8T3RP - url: https://semgrep.dev/playground/r/w8T3RP/javascript.lang.security.detect-child-process.detect-child-process + version_id: YDTp20d + url: https://semgrep.dev/playground/r/YDTp20d/javascript.lang.security.detect-child-process.detect-child-process origin: community languages: - javascript 
@@ -12671,8 +12571,8 @@ rules: semgrep.dev: rule: rule_id: 9AU17r - version_id: xyT4jE - url: https://semgrep.dev/playground/r/xyT4jE/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape + version_id: 6xTvJgP + url: https://semgrep.dev/playground/r/6xTvJgP/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape origin: community languages: - javascript @@ -12711,8 +12611,8 @@ rules: semgrep.dev: rule: rule_id: AbUWeE - version_id: 0bTL79P - url: https://semgrep.dev/playground/r/0bTL79P/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket + version_id: zyTK8J3 + url: https://semgrep.dev/playground/r/zyTK8J3/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket origin: community languages: - regex @@ -12752,8 +12652,8 @@ rules: semgrep.dev: rule: rule_id: r6UrvQ - version_id: vdT20l - url: https://semgrep.dev/playground/r/vdT20l/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override + version_id: pZT1yj3 + url: https://semgrep.dev/playground/r/pZT1yj3/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override origin: community languages: - javascript @@ -12795,8 +12695,8 @@ rules: semgrep.dev: rule: rule_id: NbUkR2 - version_id: ZRTwKY - url: https://semgrep.dev/playground/r/ZRTwKY/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes + version_id: X0TQxN9 + url: https://semgrep.dev/playground/r/X0TQxN9/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes origin: community languages: - javascript 
@@ -12835,8 +12735,8 @@ rules: semgrep.dev: rule: rule_id: kxUkPP - version_id: 7ZTOE3 - url: https://semgrep.dev/playground/r/7ZTOE3/javascript.lang.security.spawn-git-clone.spawn-git-clone + version_id: 9lTdW0z + url: https://semgrep.dev/playground/r/9lTdW0z/javascript.lang.security.spawn-git-clone.spawn-git-clone origin: community languages: - javascript @@ -12884,8 +12784,8 @@ rules: semgrep.dev: rule: rule_id: zdUYQb - version_id: LjT0k3 - url: https://semgrep.dev/playground/r/LjT0k3/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport + version_id: yeTR21L + url: https://semgrep.dev/playground/r/yeTR21L/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport origin: community languages: - typescript @@ -12935,8 +12835,8 @@ rules: semgrep.dev: rule: rule_id: gxU171 - version_id: 8KTb51 - url: https://semgrep.dev/playground/r/8KTb51/javascript.node-expat.security.audit.expat-xxe.expat-xxe + version_id: rxTyLzP + url: https://semgrep.dev/playground/r/rxTyLzP/javascript.node-expat.security.audit.expat-xxe.expat-xxe origin: community languages: - javascript @@ -13028,8 +12928,8 @@ rules: semgrep.dev: rule: rule_id: 3qUPXE - version_id: QkTJG4 - url: https://semgrep.dev/playground/r/QkTJG4/javascript.phantom.security.audit.phantom-injection.phantom-injection + version_id: NdT3dR3 + url: https://semgrep.dev/playground/r/NdT3dR3/javascript.phantom.security.audit.phantom-injection.phantom-injection origin: community languages: - javascript 
@@ -13078,8 +12978,8 @@ rules: semgrep.dev: rule: rule_id: 4bUkj1 - version_id: 3ZTd4d - url: https://semgrep.dev/playground/r/3ZTd4d/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection + version_id: kbTdxPg + url: https://semgrep.dev/playground/r/kbTdxPg/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection origin: community languages: - javascript @@ -13123,8 +13023,8 @@ rules: semgrep.dev: rule: rule_id: PeUZ30 - version_id: 44ToE3 - url: https://semgrep.dev/playground/r/44ToE3/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection + version_id: w8T9nbz + url: https://semgrep.dev/playground/r/w8T9nbz/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection origin: community languages: - javascript @@ -13168,8 +13068,8 @@ rules: semgrep.dev: rule: rule_id: JDUyxl - version_id: PkTYRA - url: https://semgrep.dev/playground/r/PkTYRA/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection + version_id: xyTKZrn + url: https://semgrep.dev/playground/r/xyTKZrn/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection origin: community languages: - javascript @@ -13219,8 +13119,8 @@ rules: semgrep.dev: rule: rule_id: 5rUO1N - version_id: JdTqk1 - url: https://semgrep.dev/playground/r/JdTqk1/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools + version_id: O9TNO7G + url: https://semgrep.dev/playground/r/O9TNO7G/javascript.playwright.security.audit.playwright-exposed-chrome-devtools.playwright-exposed-chrome-devtools origin: community languages: - javascript 
@@ -13263,8 +13163,8 @@ rules: semgrep.dev: rule: rule_id: GdU7eP - version_id: 5PT6qd - url: https://semgrep.dev/playground/r/5PT6qd/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection + version_id: e1T01Kp + url: https://semgrep.dev/playground/r/e1T01Kp/javascript.playwright.security.audit.playwright-goto-injection.playwright-goto-injection origin: community languages: - javascript @@ -13310,8 +13210,8 @@ rules: semgrep.dev: rule: rule_id: ReUgLk - version_id: GxT2qj - url: https://semgrep.dev/playground/r/GxT2qj/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection + version_id: vdTYNQ9 + url: https://semgrep.dev/playground/r/vdTYNQ9/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection origin: community languages: - javascript @@ -13357,8 +13257,8 @@ rules: semgrep.dev: rule: rule_id: AbUzdX - version_id: RGTbpQ - url: https://semgrep.dev/playground/r/RGTbpQ/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection + version_id: d6TrAg4 + url: https://semgrep.dev/playground/r/d6TrAg4/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection origin: community languages: - javascript @@ -13403,8 +13303,8 @@ rules: semgrep.dev: rule: rule_id: BYUNZk - version_id: A8TRqz - url: https://semgrep.dev/playground/r/A8TRqz/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection + version_id: ZRTQNdl + url: https://semgrep.dev/playground/r/ZRTQNdl/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection origin: community languages: - javascript 
@@ -13454,8 +13354,8 @@ rules: semgrep.dev: rule: rule_id: DbUpbk - version_id: BjTEbB - url: https://semgrep.dev/playground/r/BjTEbB/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools + version_id: nWTxPNn + url: https://semgrep.dev/playground/r/nWTxPNn/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools origin: community languages: - javascript @@ -13498,8 +13398,8 @@ rules: semgrep.dev: rule: rule_id: WAUoK7 - version_id: DkTQkK - url: https://semgrep.dev/playground/r/DkTQkK/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection + version_id: ExTjNWg + url: https://semgrep.dev/playground/r/ExTjNWg/javascript.puppeteer.security.audit.puppeteer-goto-injection.puppeteer-goto-injection origin: community languages: - javascript @@ -13545,8 +13445,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5zg - version_id: WrTb8y - url: https://semgrep.dev/playground/r/WrTb8y/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection + version_id: 7ZTgoRo + url: https://semgrep.dev/playground/r/7ZTgoRo/javascript.puppeteer.security.audit.puppeteer-setcontent-injection.puppeteer-setcontent-injection origin: community languages: - javascript @@ -13589,8 +13489,8 @@ rules: semgrep.dev: rule: rule_id: KxUbk3 - version_id: 0bTvor - url: https://semgrep.dev/playground/r/0bTvor/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection + version_id: 8KTQ9l5 + url: https://semgrep.dev/playground/r/8KTQ9l5/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection origin: community languages: - javascript 
@@ -13650,8 +13550,8 @@ rules: semgrep.dev: rule: rule_id: qNUj7e - version_id: K3Tlor - url: https://semgrep.dev/playground/r/K3Tlor/javascript.sax.security.audit.sax-xxe.sax-xxe + version_id: gET3xXP + url: https://semgrep.dev/playground/r/gET3xXP/javascript.sax.security.audit.sax-xxe.sax-xxe origin: community languages: - javascript @@ -13698,8 +13598,8 @@ rules: semgrep.dev: rule: rule_id: NbUAYW - version_id: qkTNOp - url: https://semgrep.dev/playground/r/qkTNOp/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls + version_id: QkTW0NE + url: https://semgrep.dev/playground/r/QkTW0NE/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls origin: community languages: - javascript @@ -13768,8 +13668,8 @@ rules: semgrep.dev: rule: rule_id: kxUR80 - version_id: o5Tndb - url: https://semgrep.dev/playground/r/o5Tndb/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation + version_id: PkTJ1GO + url: https://semgrep.dev/playground/r/PkTJ1GO/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation origin: community languages: - javascript @@ -13824,8 +13724,8 @@ rules: semgrep.dev: rule: rule_id: wdU8GB - version_id: zyT5LL - url: https://semgrep.dev/playground/r/zyT5LL/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version + version_id: JdTNpRZ + url: https://semgrep.dev/playground/r/JdTNpRZ/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version origin: community languages: - javascript 
@@ -13879,8 +13779,8 @@ rules: semgrep.dev: rule: rule_id: YGURez - version_id: pZTrn2 - url: https://semgrep.dev/playground/r/pZTrn2/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript + version_id: 5PTdAGB + url: https://semgrep.dev/playground/r/5PTdAGB/javascript.serialize-javascript.security.audit.unsafe-serialize-javascript.unsafe-serialize-javascript origin: community languages: - javascript @@ -13923,8 +13823,8 @@ rules: semgrep.dev: rule: rule_id: 6JUj9k - version_id: 2KT1p5 - url: https://semgrep.dev/playground/r/2KT1p5/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection + version_id: GxTv6Xg + url: https://semgrep.dev/playground/r/GxTv6Xg/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection origin: community languages: - javascript @@ -13967,8 +13867,8 @@ rules: semgrep.dev: rule: rule_id: oqUeDG - version_id: X0TP4n - url: https://semgrep.dev/playground/r/X0TP4n/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution + version_id: RGTDkxN + url: https://semgrep.dev/playground/r/RGTDkxN/javascript.thenify.security.audit.multiargs-code-execution.multiargs-code-execution origin: community languages: - javascript @@ -14019,8 +13919,8 @@ rules: semgrep.dev: rule: rule_id: zdUk2g - version_id: jQTKBN - url: https://semgrep.dev/playground/r/jQTKBN/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection + version_id: A8T95lP + url: https://semgrep.dev/playground/r/A8T95lP/javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection origin: community languages: - javascript 
@@ -14097,8 +13997,8 @@ rules: semgrep.dev: rule: rule_id: pKUO3v - version_id: 1QTj2X - url: https://semgrep.dev/playground/r/1QTj2X/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection + version_id: BjTXrLO + url: https://semgrep.dev/playground/r/BjTXrLO/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection origin: community languages: - javascript @@ -14460,8 +14360,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUb2o - version_id: 9lTzlE - url: https://semgrep.dev/playground/r/9lTzlE/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html + version_id: DkT6nyZ + url: https://semgrep.dev/playground/r/DkT6nyZ/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html origin: community languages: - regex @@ -14498,8 +14398,8 @@ rules: semgrep.dev: rule: rule_id: X5U8yj - version_id: yeTXOz - url: https://semgrep.dev/playground/r/yeTXOz/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection + version_id: WrTWQnX + url: https://semgrep.dev/playground/r/WrTWQnX/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection origin: community languages: - javascript @@ -14542,8 +14442,8 @@ rules: semgrep.dev: rule: rule_id: j2Uv58 - version_id: rxTx1B - url: https://semgrep.dev/playground/r/rxTx1B/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection + version_id: 0bTLl3D + url: https://semgrep.dev/playground/r/0bTLl3D/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection origin: community languages: - javascript @@ -14592,8 +14492,8 @@ rules: semgrep.dev: rule: rule_id: 10UKpB - version_id: bZTGZW - url: https://semgrep.dev/playground/r/bZTGZW/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe + version_id: K3TvjLe + url: https://semgrep.dev/playground/r/K3TvjLe/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe origin: community languages: - javascript 
@@ -14638,8 +14538,8 @@ rules: semgrep.dev: rule: rule_id: d8UegG - version_id: e1TxeQ - url: https://semgrep.dev/playground/r/e1TxeQ/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion + version_id: GxTv6XX + url: https://semgrep.dev/playground/r/GxTv6XX/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion origin: community message: '''Integer.toHexString()'' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces @@ -14689,8 +14589,8 @@ rules: semgrep.dev: rule: rule_id: yyUnpo - version_id: vdT2Xl - url: https://semgrep.dev/playground/r/vdT2Xl/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + version_id: RGTDkxL + url: https://semgrep.dev/playground/r/RGTDkxL/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call origin: community severity: ERROR languages: @@ -14725,8 +14625,8 @@ rules: semgrep.dev: rule: rule_id: r6UrKQ - version_id: d6TD3J - url: https://semgrep.dev/playground/r/d6TD3J/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly + version_id: A8T95l2 + url: https://semgrep.dev/playground/r/A8T95l2/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly origin: community message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading 
@@ -14770,8 +14670,8 @@ rules: semgrep.dev: rule: rule_id: bwUw3j - version_id: ZRTw2Y - url: https://semgrep.dev/playground/r/ZRTw2Y/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag + version_id: BjTXrLP + url: https://semgrep.dev/playground/r/BjTXrLP/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag origin: community message: A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels @@ -14821,8 +14721,8 @@ rules: semgrep.dev: rule: rule_id: ReU3Yb - version_id: nWT794 - url: https://semgrep.dev/playground/r/nWT794/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + version_id: DkT6nyD + url: https://semgrep.dev/playground/r/DkT6nyD/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated origin: community message: DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient @@ -14858,8 +14758,8 @@ rules: semgrep.dev: rule: rule_id: WAUyAW - version_id: 7ZTOB3 - url: https://semgrep.dev/playground/r/7ZTOB3/kotlin.lang.security.gcm-detection.gcm-detection + version_id: 0bTLl3v + url: https://semgrep.dev/playground/r/0bTLl3v/kotlin.lang.security.gcm-detection.gcm-detection origin: community languages: - kt @@ -14908,8 +14808,8 @@ rules: semgrep.dev: rule: rule_id: KxU76z - version_id: 8KTbN1 - url: https://semgrep.dev/playground/r/8KTbN1/kotlin.lang.security.unencrypted-socket.unencrypted-socket + version_id: qkT2xwl + url: https://semgrep.dev/playground/r/qkT2xwl/kotlin.lang.security.unencrypted-socket.unencrypted-socket origin: community message: This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' 
@@ -14955,8 +14855,8 @@ rules: semgrep.dev: rule: rule_id: nJUZNL - version_id: 3ZTdRd - url: https://semgrep.dev/playground/r/3ZTdRd/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key + version_id: 6xTvJ9Z + url: https://semgrep.dev/playground/r/6xTvJ9Z/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key origin: community patterns: - pattern-either: @@ -15002,8 +14902,8 @@ rules: semgrep.dev: rule: rule_id: X5UdZj - version_id: 44To93 - url: https://semgrep.dev/playground/r/44To93/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query + version_id: QkTW0qD + url: https://semgrep.dev/playground/r/QkTW0qD/php.doctrine.security.audit.doctrine-dbal-dangerous-query.doctrine-dbal-dangerous-query origin: community patterns: - pattern-either: @@ -15103,8 +15003,8 @@ rules: semgrep.dev: rule: rule_id: YGUAoe - version_id: GxT2lj - url: https://semgrep.dev/playground/r/GxT2lj/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate + version_id: JdTNpx9 + url: https://semgrep.dev/playground/r/JdTNpx9/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate origin: community - id: php.lang.security.backticks-use.backticks-use pattern: "`...`;" @@ -15134,8 +15034,8 @@ rules: semgrep.dev: rule: rule_id: WAUow7 - version_id: RGTbEQ - url: https://semgrep.dev/playground/r/RGTbEQ/php.lang.security.backticks-use.backticks-use + version_id: 5PTdA1D + url: https://semgrep.dev/playground/r/5PTdA1D/php.lang.security.backticks-use.backticks-use origin: community languages: - php @@ -15173,8 +15073,8 @@ rules: semgrep.dev: rule: rule_id: KxUbX3 - version_id: DkTQwK - url: https://semgrep.dev/playground/r/DkTQwK/php.lang.security.eval-use.eval-use + version_id: A8T95d2 + url: https://semgrep.dev/playground/r/A8T95d2/php.lang.security.eval-use.eval-use origin: community languages: - php 
@@ -15211,8 +15111,8 @@ rules: semgrep.dev: rule: rule_id: qNUjye - version_id: WrTb7y - url: https://semgrep.dev/playground/r/WrTb7y/php.lang.security.exec-use.exec-use + version_id: BjTXrZP + url: https://semgrep.dev/playground/r/BjTXrZP/php.lang.security.exec-use.exec-use origin: community languages: - php @@ -15249,8 +15149,8 @@ rules: semgrep.dev: rule: rule_id: lBU90N - version_id: 0bTvGr - url: https://semgrep.dev/playground/r/0bTvGr/php.lang.security.file-inclusion.file-inclusion + version_id: DkT6nbD + url: https://semgrep.dev/playground/r/DkT6nbD/php.lang.security.file-inclusion.file-inclusion origin: community languages: - php @@ -15312,8 +15212,8 @@ rules: semgrep.dev: rule: rule_id: PeUZyE - version_id: K3Tlgr - url: https://semgrep.dev/playground/r/K3Tlgr/php.lang.security.ftp-use.ftp-use + version_id: WrTWQKR + url: https://semgrep.dev/playground/r/WrTWQKR/php.lang.security.ftp-use.ftp-use origin: community languages: - php @@ -15354,8 +15254,8 @@ rules: semgrep.dev: rule: rule_id: wdUjA5 - version_id: zyTKjzJ - url: https://semgrep.dev/playground/r/zyTKjzJ/php.lang.security.ldap-bind-without-password.ldap-bind-without-password + version_id: 6xTvJoZ + url: https://semgrep.dev/playground/r/6xTvJoZ/php.lang.security.ldap-bind-without-password.ldap-bind-without-password origin: community languages: - php @@ -15392,8 +15292,8 @@ rules: semgrep.dev: rule: rule_id: JDUyj4 - version_id: RGTbEE - url: https://semgrep.dev/playground/r/RGTbEE/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval + version_id: o5Tglwy + url: https://semgrep.dev/playground/r/o5Tglwy/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval origin: community languages: - php 
@@ -15428,8 +15328,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOzK - version_id: A8TRE0 - url: https://semgrep.dev/playground/r/A8TRE0/php.lang.security.mcrypt-use.mcrypt-use + version_id: zyTK8Zk + url: https://semgrep.dev/playground/r/zyTK8Zk/php.lang.security.mcrypt-use.mcrypt-use origin: community languages: - php @@ -15467,8 +15367,8 @@ rules: semgrep.dev: rule: rule_id: GdU7RO - version_id: BjTEyv - url: https://semgrep.dev/playground/r/BjTEyv/php.lang.security.md5-loose-equality.md5-loose-equality + version_id: pZT1yYG + url: https://semgrep.dev/playground/r/pZT1yYG/php.lang.security.md5-loose-equality.md5-loose-equality origin: community languages: - php @@ -15506,8 +15406,8 @@ rules: semgrep.dev: rule: rule_id: x8UxNQ - version_id: WrTb76 - url: https://semgrep.dev/playground/r/WrTb76/php.lang.security.non-literal-header.non-literal-header + version_id: X0TQxqd + url: https://semgrep.dev/playground/r/X0TQxqd/php.lang.security.non-literal-header.non-literal-header origin: community languages: - php @@ -15548,8 +15448,8 @@ rules: semgrep.dev: rule: rule_id: OrU6JZ - version_id: pZT1kED - url: https://semgrep.dev/playground/r/pZT1kED/php.lang.security.php-permissive-cors.php-permissive-cors + version_id: 1QTOYvP + url: https://semgrep.dev/playground/r/1QTOYvP/php.lang.security.php-permissive-cors.php-permissive-cors origin: community languages: - php @@ -15589,8 +15489,8 @@ rules: semgrep.dev: rule: rule_id: eqUzDE - version_id: o5TnL3 - url: https://semgrep.dev/playground/r/o5TnL3/php.lang.security.unlink-use.unlink-use + version_id: kbTdxbD + url: https://semgrep.dev/playground/r/kbTdxbD/php.lang.security.unlink-use.unlink-use origin: community languages: - php 
@@ -15629,8 +15529,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8U9OJ
- version_id: zyT5BO
- url: https://semgrep.dev/playground/r/zyT5BO/php.lang.security.unserialize-use.unserialize-use
+ version_id: w8T9nLW
+ url: https://semgrep.dev/playground/r/w8T9nLW/php.lang.security.unserialize-use.unserialize-use
 origin: community
 languages:
 - php
@@ -15667,8 +15567,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUNAg
- version_id: pZTr2o
- url: https://semgrep.dev/playground/r/pZTr2o/php.lang.security.weak-crypto.weak-crypto
+ version_id: xyTKZ50
+ url: https://semgrep.dev/playground/r/xyTKZ50/php.lang.security.weak-crypto.weak-crypto
 origin: community
 languages:
 - php
@@ -15723,8 +15623,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UeKO
- version_id: xyT4R4
- url: https://semgrep.dev/playground/r/xyT4R4/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled
+ version_id: QkTW0OD
+ url: https://semgrep.dev/playground/r/QkTW0OD/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled
 origin: community
 languages:
 - php
@@ -15764,8 +15664,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2U3q8
- version_id: O9TyQ0
- url: https://semgrep.dev/playground/r/O9TyQ0/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect
+ version_id: 3ZTkQ1q
+ url: https://semgrep.dev/playground/r/3ZTkQ1q/php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect
 origin: community
 severity: WARNING
 - id: php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors
@@ -15819,8 +15719,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqUOlR
- version_id: 2KTzG82
- url: https://semgrep.dev/playground/r/2KTzG82/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors
+ version_id: 44TRldD
+ url: https://semgrep.dev/playground/r/44TRldD/php.symfony.security.audit.symfony-permissive-cors.symfony-permissive-cors
 origin: community
 languages:
 - php
@@ -15864,8 +15764,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUe2y
- version_id: vdT2or
- url: https://semgrep.dev/playground/r/vdT2or/php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit.wp-ajax-no-auth-and-auth-hooks-audit
+ version_id: PkTJ1yN
+ url: https://semgrep.dev/playground/r/PkTJ1yN/php.wordpress-plugins.security.audit.wp-ajax-no-auth-and-auth-hooks-audit.wp-ajax-no-auth-and-auth-hooks-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit
 patterns:
@@ -15904,8 +15804,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAU6YK
- version_id: d6TD7r
- url: https://semgrep.dev/playground/r/d6TD7r/php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit
+ version_id: JdTNpj9
+ url: https://semgrep.dev/playground/r/JdTNpj9/php.wordpress-plugins.security.audit.wp-authorisation-checks-audit.wp-authorisation-checks-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit
 patterns:
@@ -15945,8 +15845,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU6pX
- version_id: ZRTwx6
- url: https://semgrep.dev/playground/r/ZRTwx6/php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit
+ version_id: 5PTdAzD
+ url: https://semgrep.dev/playground/r/5PTdAzD/php.wordpress-plugins.security.audit.wp-code-execution-audit.wp-code-execution-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit
 patterns:
@@ -15988,8 +15888,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUOw0
- version_id: nWT7J8
- url: https://semgrep.dev/playground/r/nWT7J8/php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit
+ version_id: GxTv6RX
+ url: https://semgrep.dev/playground/r/GxTv6RX/php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit
 pattern: check_ajax_referer(...,...,false)
@@ -16025,8 +15925,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUKpk
- version_id: ExTnv2
- url: https://semgrep.dev/playground/r/ExTnv2/php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit
+ version_id: RGTDklL
+ url: https://semgrep.dev/playground/r/RGTDklL/php.wordpress-plugins.security.audit.wp-csrf-audit.wp-csrf-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
 patterns:
@@ -16066,8 +15966,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUNXL
- version_id: 7ZTOZe
- url: https://semgrep.dev/playground/r/7ZTOZe/php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
+ version_id: A8T9522
+ url: https://semgrep.dev/playground/r/A8T9522/php.wordpress-plugins.security.audit.wp-file-download-audit.wp-file-download-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
 patterns:
@@ -16109,15 +16009,15 @@ rules:
 (''PHP Remote File Inclusion'')'
 license: Commons Clause License Condition v1.0[LGPL-2.1-only]
 vulnerability_class:
- - Code Injection
 - Path Traversal
+ - Code Injection
 source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
 shortlink: https://sg.run/PGPW
 semgrep.dev:
 rule:
 rule_id: YGU8Yo
- version_id: LjT09r
- url: https://semgrep.dev/playground/r/LjT09r/php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
+ version_id: RGTDRwE
+ url: https://semgrep.dev/playground/r/RGTDRwE/php.wordpress-plugins.security.audit.wp-file-inclusion-audit.wp-file-inclusion-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
 patterns:
@@ -16155,15 +16055,15 @@ rules:
 (''PHP Remote File Inclusion'')'
 license: Commons Clause License Condition v1.0[LGPL-2.1-only]
 vulnerability_class:
- - Code Injection
 - Path Traversal
+ - Code Injection
 source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
 shortlink: https://sg.run/JpwW
 semgrep.dev:
 rule:
 rule_id: 6JU0yK
- version_id: 8KTbgz
- url: https://semgrep.dev/playground/r/8KTbgz/php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
+ version_id: A8T9Xn0
+ url: https://semgrep.dev/playground/r/A8T9Xn0/php.wordpress-plugins.security.audit.wp-file-manipulation-audit.wp-file-manipulation-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
 pattern: wp_redirect(...)
@@ -16200,8 +16100,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqU5KY
- version_id: gETqEJ
- url: https://semgrep.dev/playground/r/gETqEJ/php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
+ version_id: WrTWQwR
+ url: https://semgrep.dev/playground/r/WrTWQwR/php.wordpress-plugins.security.audit.wp-open-redirect-audit.wp-open-redirect-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
 patterns:
@@ -16241,8 +16141,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdUelq
- version_id: QkTJAk
- url: https://semgrep.dev/playground/r/QkTJAk/php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
+ version_id: 0bTLlXv
+ url: https://semgrep.dev/playground/r/0bTLlXv/php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
 origin: community
 - id: php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
 patterns:
@@ -16292,8 +16192,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: pKUQN1
- version_id: 3ZTdWL
- url: https://semgrep.dev/playground/r/3ZTdWL/php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
+ version_id: K3TvjXy
+ url: https://semgrep.dev/playground/r/K3TvjXy/php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit
 origin: community
 - id: problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request
 message: Insecure transport rules to catch socket connections to http, telnet, and
@@ -16322,8 +16222,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUkl9
- version_id: X0TPkR
- url: https://semgrep.dev/playground/r/X0TPkR/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request
+ version_id: 2KTzrqw
+ url: https://semgrep.dev/playground/r/2KTzrqw/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request
 origin: community
 languages:
 - java
@@ -16377,8 +16277,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUQAE
- version_id: O9TyE0
- url: https://semgrep.dev/playground/r/O9TyE0/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server
+ version_id: xyTKZoP
+ url: https://semgrep.dev/playground/r/xyTKZoP/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server
 origin: community
 languages:
 - javascript
@@ -16422,8 +16322,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUkOY
- version_id: ExTn62
- url: https://semgrep.dev/playground/r/ExTn62/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator
+ version_id: nWTxPKL
+ url: https://semgrep.dev/playground/r/nWTxPKL/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator
 origin: community
 languages:
 - python
@@ -16497,8 +16397,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUp5g
- version_id: 5PT6ER
- url: https://semgrep.dev/playground/r/5PT6ER/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb
+ version_id: X0TQxbJ
+ url: https://semgrep.dev/playground/r/X0TQxbJ/python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb
 origin: community
 severity: WARNING
 languages:
@@ -16545,8 +16445,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUjZ3
- version_id: BjTEvR
- url: https://semgrep.dev/playground/r/BjTEvR/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size
+ version_id: yeTR2Jb
+ url: https://semgrep.dev/playground/r/yeTR2Jb/python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size
 origin: community
 languages:
 - python
@@ -16588,8 +16488,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU9jn
- version_id: DkTQ7A
- url: https://semgrep.dev/playground/r/DkTQ7A/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size
+ version_id: rxTyLZR
+ url: https://semgrep.dev/playground/r/rxTyLZR/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size
 origin: community
 languages:
 - python
@@ -16625,8 +16525,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUpNZ
- version_id: WrTbJ4
- url: https://semgrep.dev/playground/r/WrTbJ4/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication
+ version_id: bZTb1qg
+ url: https://semgrep.dev/playground/r/bZTb1qg/python.cryptography.security.mode-without-authentication.crypto-mode-without-authentication
 origin: community
 patterns:
 - pattern-either:
@@ -16687,8 +16587,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU8Wr
- version_id: qkTNJ7
- url: https://semgrep.dev/playground/r/qkTNJ7/python.django.security.audit.avoid-mark-safe.avoid-mark-safe
+ version_id: RGTDkXP
+ url: https://semgrep.dev/playground/r/RGTDkXP/python.django.security.audit.avoid-mark-safe.avoid-mark-safe
 origin: community
 languages:
 - python
@@ -16728,8 +16628,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8Ujk6
- version_id: YDTo4y
- url: https://semgrep.dev/playground/r/YDTo4y/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql
+ version_id: BjTXr9d
+ url: https://semgrep.dev/playground/r/BjTXr9d/python.django.security.audit.custom-expression-as-sql.custom-expression-as-sql
 origin: community
 pattern: "$EXPRESSION.as_sql(...)"
 severity: WARNING
@@ -16773,8 +16673,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxU1wE
- version_id: o5TnJ7
- url: https://semgrep.dev/playground/r/o5TnJ7/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config
+ version_id: WrTWQRd
+ url: https://semgrep.dev/playground/r/WrTWQRd/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config
 origin: community
 severity: WARNING
 languages:
@@ -16814,8 +16714,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqU5z3
- version_id: zyT5r5
- url: https://semgrep.dev/playground/r/zyT5r5/python.django.security.audit.extends-custom-expression.extends-custom-expression
+ version_id: 0bTLl4p
+ url: https://semgrep.dev/playground/r/0bTLl4p/python.django.security.audit.extends-custom-expression.extends-custom-expression
 origin: community
 severity: WARNING
 pattern-either:
@@ -16967,8 +16867,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUzBP
- version_id: pZTrAl
- url: https://semgrep.dev/playground/r/pZTrAl/python.django.security.audit.query-set-extra.avoid-query-set-extra
+ version_id: K3TvjpJ
+ url: https://semgrep.dev/playground/r/K3TvjpJ/python.django.security.audit.query-set-extra.avoid-query-set-extra
 origin: community
 languages:
 - python
@@ -17010,8 +16910,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU2JA
- version_id: 2KT1EW
- url: https://semgrep.dev/playground/r/2KT1EW/python.django.security.audit.raw-query.avoid-raw-sql
+ version_id: qkT2x0x
+ url: https://semgrep.dev/playground/r/qkT2x0x/python.django.security.audit.raw-query.avoid-raw-sql
 origin: community
 languages:
 - python
@@ -17085,8 +16985,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUQ2E
- version_id: X0TPlW
- url: https://semgrep.dev/playground/r/X0TPlW/python.django.security.audit.secure-cookies.django-secure-set-cookie
+ version_id: l4T4vL6
+ url: https://semgrep.dev/playground/r/l4T4vL6/python.django.security.audit.secure-cookies.django-secure-set-cookie
 origin: community
 languages:
 - python
@@ -17126,8 +17026,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUzb2
- version_id: 44TRgoN
- url: https://semgrep.dev/playground/r/44TRgoN/python.django.security.audit.templates.debug-template-tag.debug-template-tag
+ version_id: YDTp23Z
+ url: https://semgrep.dev/playground/r/YDTp23Z/python.django.security.audit.templates.debug-template-tag.debug-template-tag
 origin: community
 - id: python.django.security.audit.unvalidated-password.unvalidated-password
 patterns:
@@ -17185,8 +17085,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1UywG
- version_id: 1QTjkz
- url: https://semgrep.dev/playground/r/1QTjkz/python.django.security.audit.unvalidated-password.unvalidated-password
+ version_id: JdTNpJk
+ url: https://semgrep.dev/playground/r/JdTNpJk/python.django.security.audit.unvalidated-password.unvalidated-password
 origin: community
 languages:
 - python
@@ -17225,8 +17125,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qUPve
- version_id: 9lTzXo
- url: https://semgrep.dev/playground/r/9lTzXo/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring
+ version_id: 5PTdAv7
+ url: https://semgrep.dev/playground/r/5PTdAv7/python.django.security.audit.xss.class-extends-safestring.class-extends-safestring
 origin: community
 languages:
 - python
@@ -17273,8 +17173,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUknY
- version_id: yeTX5n
- url: https://semgrep.dev/playground/r/yeTX5n/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off
+ version_id: GxTv6GY
+ url: https://semgrep.dev/playground/r/GxTv6GY/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off
 origin: community
 languages:
 - python
@@ -17329,8 +17229,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUZgE
- version_id: rxTxGk
- url: https://semgrep.dev/playground/r/rxTxGk/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse
+ version_id: RGTDkX9
+ url: https://semgrep.dev/playground/r/RGTDkX9/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse
 origin: community
 languages:
 - python
@@ -17400,8 +17300,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUyd4
- version_id: bZTG6N
- url: https://semgrep.dev/playground/r/bZTG6N/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe
+ version_id: A8T956L
+ url: https://semgrep.dev/playground/r/A8T956L/python.django.security.audit.xss.filter-with-is-safe.filter-with-is-safe
 origin: community
 languages:
 - python
@@ -17443,8 +17343,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UjKg
- version_id: NdT1rN
- url: https://semgrep.dev/playground/r/NdT1rN/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter
+ version_id: BjTXr9G
+ url: https://semgrep.dev/playground/r/BjTXr9G/python.django.security.audit.xss.formathtml-fstring-parameter.formathtml-fstring-parameter
 origin: community
 languages:
 - python
@@ -17485,8 +17385,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOXK
- version_id: kbT7e6
- url: https://semgrep.dev/playground/r/kbT7e6/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off
+ version_id: DkT6nO3
+ url: https://semgrep.dev/playground/r/DkT6nO3/python.django.security.audit.xss.global-autoescape-off.global-autoescape-off
 origin: community
 languages:
 - python
@@ -17537,8 +17437,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdU7QO
- version_id: w8T3yA
- url: https://semgrep.dev/playground/r/w8T3yA/python.django.security.audit.xss.html-magic-method.html-magic-method
+ version_id: WrTWQRg
+ url: https://semgrep.dev/playground/r/WrTWQRg/python.django.security.audit.xss.html-magic-method.html-magic-method
 origin: community
 languages:
 - python
@@ -17585,8 +17485,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUg5Y
- version_id: xyT4Qd
- url: https://semgrep.dev/playground/r/xyT4Qd/python.django.security.audit.xss.html-safe.html-safe
+ version_id: 0bTLl40
+ url: https://semgrep.dev/playground/r/0bTLl40/python.django.security.audit.xss.html-safe.html-safe
 origin: community
 languages:
 - python
@@ -17629,8 +17529,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUzAZ
- version_id: O9TyRX
- url: https://semgrep.dev/playground/r/O9TyRX/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off
+ version_id: K3Tvjp9
+ url: https://semgrep.dev/playground/r/K3Tvjp9/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off
 origin: community
 languages:
 - regex
@@ -17692,8 +17592,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUNwg
- version_id: e1TxG1
- url: https://semgrep.dev/playground/r/e1TxG1/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape
+ version_id: qkT2x0z
+ url: https://semgrep.dev/playground/r/qkT2x0z/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape
 origin: community
 - id: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape
 languages:
@@ -17833,8 +17733,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUov9
- version_id: d6TDpy
- url: https://semgrep.dev/playground/r/d6TDpy/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape
+ version_id: YDTp231
+ url: https://semgrep.dev/playground/r/YDTp231/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape
 origin: community
 - id: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq
 message: Detected a template variable where autoescaping is explicitly disabled
@@ -17868,8 +17768,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUbdx
- version_id: nWT70Q
- url: https://semgrep.dev/playground/r/nWT70Q/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq
+ version_id: o5Tgl7v
+ url: https://semgrep.dev/playground/r/o5Tgl7v/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq
 origin: community
 languages:
 - regex
@@ -17914,8 +17814,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UR3n
- version_id: 7ZTOXP
- url: https://semgrep.dev/playground/r/7ZTOXP/python.django.security.globals-as-template-context.globals-as-template-context
+ version_id: pZT1yBE
+ url: https://semgrep.dev/playground/r/pZT1yBE/python.django.security.globals-as-template-context.globals-as-template-context
 origin: community
 pattern-either:
 - pattern: django.shortcuts.render(..., globals(...), ...)
@@ -17956,8 +17856,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUzAA
- version_id: LjT0ll
- url: https://semgrep.dev/playground/r/LjT0ll/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution
+ version_id: X0TQxv6
+ url: https://semgrep.dev/playground/r/X0TQxv6/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution
 origin: community
 languages:
 - python
@@ -18192,8 +18092,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU97n
- version_id: RGTbr7
- url: https://semgrep.dev/playground/r/RGTbr7/python.django.security.injection.mass-assignment.mass-assignment
+ version_id: xyTKZYJ
+ url: https://semgrep.dev/playground/r/xyTKZYJ/python.django.security.injection.mass-assignment.mass-assignment
 origin: community
 pattern-either:
 - pattern: "$MODEL.objects.create(**request.$W)"
@@ -18232,8 +18132,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JUjLj
- version_id: DkTQvA
- url: https://semgrep.dev/playground/r/DkTQvA/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join
+ version_id: vdTYN21
+ url: https://semgrep.dev/playground/r/vdTYN21/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join
 origin: community
 patterns:
 - pattern-inside: |
@@ -18344,8 +18244,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU8Ad
- version_id: jQTK9g
- url: https://semgrep.dev/playground/r/jQTK9g/python.django.security.injection.tainted-sql-string.tainted-sql-string
+ version_id: JdTNpqk
+ url: https://semgrep.dev/playground/r/JdTNpqk/python.django.security.injection.tainted-sql-string.tainted-sql-string
 origin: community
 severity: ERROR
 languages:
@@ -18408,8 +18308,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JU1l0
- version_id: 1QTjXz
- url: https://semgrep.dev/playground/r/1QTjXz/python.django.security.injection.tainted-url-host.tainted-url-host
+ version_id: 5PTdA67
+ url: https://semgrep.dev/playground/r/5PTdA67/python.django.security.injection.tainted-url-host.tainted-url-host
 origin: community
 mode: taint
 pattern-sinks:
@@ -18489,8 +18389,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10Ued2
- version_id: 9lTzno
- url: https://semgrep.dev/playground/r/9lTzno/python.django.security.locals-as-template-context.locals-as-template-context
+ version_id: GxTv62Y
+ url: https://semgrep.dev/playground/r/GxTv62Y/python.django.security.locals-as-template-context.locals-as-template-context
 origin: community
 pattern-either:
 - pattern: django.shortcuts.render(..., locals(...), ...)
@@ -18547,8 +18447,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6Ur5A
- version_id: NdT1QN
- url: https://semgrep.dev/playground/r/NdT1QN/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run
+ version_id: DkT6nQ3
+ url: https://semgrep.dev/playground/r/DkT6nQ3/python.docker.security.audit.docker-arbitrary-container-run.docker-arbitrary-container-run
 origin: community
 - id: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG
 message: Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment
@@ -18579,8 +18479,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUyJR
- version_id: ZRTwy2
- url: https://semgrep.dev/playground/r/ZRTwy2/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG
+ version_id: 1QTOYjN
+ url: https://semgrep.dev/playground/r/1QTOYjN/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG
 origin: community
 languages:
 - python
@@ -18618,8 +18518,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUZpr
- version_id: d6TDby
- url: https://semgrep.dev/playground/r/d6TDby/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV
+ version_id: jQTgYKX
+ url: https://semgrep.dev/playground/r/jQTgYKX/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_ENV
 origin: community
 languages:
 - python
@@ -18655,8 +18555,8 @@ rules: semgrep.dev: rule: rule_id: 4bUkX0 - version_id: vdT238 - url: https://semgrep.dev/playground/r/vdT238/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY + version_id: X0TQxP6 + url: https://semgrep.dev/playground/r/X0TQxP6/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY origin: community languages: - python @@ -18692,8 +18592,8 @@ rules: semgrep.dev: rule: rule_id: 3qUPoy - version_id: e1TxA1 - url: https://semgrep.dev/playground/r/e1TxA1/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING + version_id: 2KTzr19 + url: https://semgrep.dev/playground/r/2KTzr19/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING origin: community languages: - python @@ -18728,8 +18628,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOv1 - version_id: ExTnYv - url: https://semgrep.dev/playground/r/ExTnYv/python.flask.security.audit.render-template-string.render-template-string + version_id: yeTR2Xr + url: https://semgrep.dev/playground/r/yeTR2Xr/python.flask.security.audit.render-template-string.render-template-string origin: community message: Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks. @@ -18779,8 +18679,8 @@ rules: semgrep.dev: rule: rule_id: GdU7GR - version_id: 7ZTOYP - url: https://semgrep.dev/playground/r/7ZTOYP/python.flask.security.audit.secure-set-cookie.secure-set-cookie + version_id: rxTyLx3 + url: https://semgrep.dev/playground/r/rxTyLx3/python.flask.security.audit.secure-set-cookie.secure-set-cookie origin: community languages: - python 
@@ -18812,8 +18712,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUgXz
- version_id: LjT0pl
- url: https://semgrep.dev/playground/r/LjT0pl/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled
+ version_id: bZTb1Gq
+ url: https://semgrep.dev/playground/r/bZTb1Gq/python.flask.security.audit.wtf-csrf-disabled.flask-wtf-csrf-disabled
 origin: community
 severity: WARNING
 languages:
@@ -18876,8 +18776,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUz6A
- version_id: 8KTbLL
- url: https://semgrep.dev/playground/r/8KTbLL/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content
+ version_id: NdT3d1x
+ url: https://semgrep.dev/playground/r/NdT3d1x/python.flask.security.audit.xss.make-response-with-unknown-content.make-response-with-unknown-content
 origin: community
 languages:
 - python
@@ -18909,8 +18809,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UnZJ
- version_id: gETq5L
- url: https://semgrep.dev/playground/r/gETq5L/python.flask.security.dangerous-template-string.dangerous-template-string
+ version_id: kbTdx77
+ url: https://semgrep.dev/playground/r/kbTdx77/python.flask.security.dangerous-template-string.dangerous-template-string
 origin: community
 languages:
 - python
@@ -18995,8 +18895,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUAeY
- version_id: QkTJQL
- url: https://semgrep.dev/playground/r/QkTJQL/python.flask.security.flask-api-method-string-format.flask-api-method-string-format
+ version_id: w8T9n32
+ url: https://semgrep.dev/playground/r/w8T9n32/python.flask.security.flask-api-method-string-format.flask-api-method-string-format
 origin: community
 - id: python.flask.security.injection.os-system-injection.os-system-injection
 languages:
@@ -19032,8 +18932,8 @@ rules: semgrep.dev: rule: rule_id: BYUN99 - version_id: PkTYnq - url: https://semgrep.dev/playground/r/PkTYnq/python.flask.security.injection.os-system-injection.os-system-injection + version_id: vdTYNk1 + url: https://semgrep.dev/playground/r/vdTYNk1/python.flask.security.injection.os-system-injection.os-system-injection origin: community pattern-either: - patterns: @@ -19112,8 +19012,8 @@ rules: semgrep.dev: rule: rule_id: DbUpOQ - version_id: JdTqZY - url: https://semgrep.dev/playground/r/JdTqZY/python.flask.security.injection.path-traversal-open.path-traversal-open + version_id: d6TrARQ + url: https://semgrep.dev/playground/r/d6TrARQ/python.flask.security.injection.path-traversal-open.path-traversal-open origin: community pattern-either: - patterns: @@ -19220,8 +19120,8 @@ rules: semgrep.dev: rule: rule_id: d8UjBO - version_id: 0bTv6b - url: https://semgrep.dev/playground/r/0bTv6b/python.flask.security.insecure-deserialization.insecure-deserialization + version_id: QkTW0yZ + url: https://semgrep.dev/playground/r/QkTW0yZ/python.flask.security.insecure-deserialization.insecure-deserialization origin: community message: Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data @@ -19310,8 +19210,8 @@ rules: semgrep.dev: rule: rule_id: ZqU5LR - version_id: K3TlOL - url: https://semgrep.dev/playground/r/K3TlOL/python.flask.security.open-redirect.open-redirect + version_id: 3ZTkQJQ + url: https://semgrep.dev/playground/r/3ZTkQJQ/python.flask.security.open-redirect.open-redirect origin: community languages: - python 
@@ -19349,8 +19249,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUz6A
- version_id: qkTNK7
- url: https://semgrep.dev/playground/r/qkTNK7/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization
+ version_id: 44TRl36
+ url: https://semgrep.dev/playground/r/44TRl36/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization
 origin: community
 languages:
 - python
@@ -19390,8 +19290,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU293
- version_id: l4T5N0
- url: https://semgrep.dev/playground/r/l4T5N0/python.flask.security.unescaped-template-extension.unescaped-template-extension
+ version_id: PkTJ1LR
+ url: https://semgrep.dev/playground/r/PkTJ1LR/python.flask.security.unescaped-template-extension.unescaped-template-extension
 origin: community
 patterns:
 - pattern-not: flask.render_template("=~/.+\.html$/", ...)
@@ -19453,8 +19353,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUQLl
- version_id: YDTo8y
- url: https://semgrep.dev/playground/r/YDTo8y/python.flask.security.unsanitized-input.response-contains-unsanitized-input
+ version_id: JdTNpgk
+ url: https://semgrep.dev/playground/r/JdTNpgk/python.flask.security.unsanitized-input.response-contains-unsanitized-input
 origin: community
 languages:
 - python
@@ -19508,8 +19408,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUjN2
- version_id: JdTqZd
- url: https://semgrep.dev/playground/r/JdTqZd/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2
+ version_id: 5PTdA57
+ url: https://semgrep.dev/playground/r/5PTdA57/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2
 origin: community
 languages:
 - python
@@ -19559,8 +19459,8 @@ rules: semgrep.dev: rule: rule_id: lBU95l - version_id: 5PT6Yv - url: https://semgrep.dev/playground/r/5PT6Yv/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup + version_id: GxTv6wY + url: https://semgrep.dev/playground/r/GxTv6wY/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup origin: community languages: - python @@ -19603,8 +19503,8 @@ rules: semgrep.dev: rule: rule_id: YGURo6 - version_id: GxT2W2 - url: https://semgrep.dev/playground/r/GxT2W2/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off + version_id: RGTDkv9 + url: https://semgrep.dev/playground/r/RGTDkv9/python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off origin: community languages: - regex @@ -19643,8 +19543,8 @@ rules: semgrep.dev: rule: rule_id: 9AU1zW - version_id: 0bTvQ7 - url: https://semgrep.dev/playground/r/0bTvQ7/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data + version_id: K3Tvjy9 + url: https://semgrep.dev/playground/r/K3Tvjy9/python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data origin: community languages: - python @@ -19682,8 +19582,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUb1L - version_id: K3TlPb - url: https://semgrep.dev/playground/r/K3TlPb/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials + version_id: qkT2xqz + url: https://semgrep.dev/playground/r/qkT2xqz/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials origin: community message: Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens. 
@@ -19697,9 +19597,29 @@ rules: jwt.encode($PAYLOAD,...) severity: ERROR - id: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode - pattern: 'jwt.decode(..., verify=False, ...) + patterns: + - pattern-either: + - patterns: + - pattern: 'jwt.decode(..., options={..., "verify_signature": $BOOL, ...}, ...) - ' + ' + - metavariable-pattern: + metavariable: "$BOOL" + pattern: 'False + + ' + - focus-metavariable: "$BOOL" + - patterns: + - pattern: | + $OPTS = {..., "verify_signature": $BOOL, ...} + ... + jwt.decode(..., options=$OPTS, ...) + - metavariable-pattern: + metavariable: "$BOOL" + pattern: 'False + + ' + - focus-metavariable: "$BOOL" message: Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified. @@ -19729,12 +19649,12 @@ rules: semgrep.dev: rule: rule_id: 10UKjo - version_id: YDTozD - url: https://semgrep.dev/playground/r/YDTozD/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode + version_id: JdTNpgE + url: https://semgrep.dev/playground/r/JdTNpgE/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode origin: community - fix-regex: - regex: "(verify\\s*=\\s*)False" - replacement: "\\1True" + fix: 'True + + ' severity: ERROR languages: - python @@ -19772,8 +19692,8 @@ rules: semgrep.dev: rule: rule_id: nJUzeK - version_id: 6xTeAE - url: https://semgrep.dev/playground/r/6xTeAE/python.lang.security.audit.conn_recv.multiprocessing-recv + version_id: kbTdLKO + url: https://semgrep.dev/playground/r/kbTdLKO/python.lang.security.audit.conn_recv.multiprocessing-recv origin: community pattern-either: - pattern: multiprocessing.connection.Connection.recv(...) 
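Review bot: The rule's `message` still names `'verify=False'`, but after this hunk none of the patterns match that keyword any more — both `pattern-either` branches match `"verify_signature": $BOOL` inside `options=`, inline or via an `$OPTS` dict — so every finding will quote a keyword the flagged code does not contain; reword it along the lines of `message: Detected JWT token decoded with '"verify_signature": False' in options. This bypasses any integrity checks for the token ...`. Dropping the `jwt.decode(..., verify=False, ...)` pattern outright also means code on PyJWT 1.x (where `verify=` is the supported spelling) is no longer reported; if such projects are in scope, keep it as a third `pattern-either` alternative instead of removing it. Note that `metavariable-pattern` against a literal `False` only catches the literal; `options={"verify_signature": verify}` with `verify = False` assigned earlier is not matched, which is worth recording in the rule's tests or metadata so the gap is known.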
@@ -19821,8 +19741,8 @@ rules: semgrep.dev: rule: rule_id: 9AUkR3 - version_id: o5TnWB - url: https://semgrep.dev/playground/r/o5TnWB/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage + version_id: w8T9D1K + url: https://semgrep.dev/playground/r/w8T9D1K/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage origin: community languages: - python @@ -19886,8 +19806,8 @@ rules: semgrep.dev: rule: rule_id: 8GUj22 - version_id: 7ZTO58 - url: https://semgrep.dev/playground/r/7ZTO58/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected + version_id: BjTXpW3 + url: https://semgrep.dev/playground/r/BjTXpW3/python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected origin: community languages: - python @@ -19931,8 +19851,8 @@ rules: semgrep.dev: rule: rule_id: gxU149 - version_id: X0T3nj - url: https://semgrep.dev/playground/r/X0T3nj/python.lang.security.audit.eval-detected.eval-detected + version_id: DkT6Yd0 + url: https://semgrep.dev/playground/r/DkT6Yd0/python.lang.security.audit.eval-detected.eval-detected origin: community languages: - python @@ -19975,8 +19895,8 @@ rules: semgrep.dev: rule: rule_id: QrUzKv - version_id: 8KTbW8 - url: https://semgrep.dev/playground/r/8KTbW8/python.lang.security.audit.exec-detected.exec-detected + version_id: WrTW3zn + url: https://semgrep.dev/playground/r/WrTW3zn/python.lang.security.audit.exec-detected.exec-detected origin: community languages: - python @@ -20010,8 +19930,8 @@ rules: semgrep.dev: rule: rule_id: 3qUP9k - version_id: gETqL2 - url: https://semgrep.dev/playground/r/gETqL2/python.lang.security.audit.formatted-sql-query.formatted-sql-query + version_id: 0bTLexz + url: https://semgrep.dev/playground/r/0bTLexz/python.lang.security.audit.formatted-sql-query.formatted-sql-query origin: community severity: WARNING languages: 
@@ -20062,8 +19982,8 @@ rules: semgrep.dev: rule: rule_id: 4bUkv7 - version_id: QkTJBN - url: https://semgrep.dev/playground/r/QkTJBN/python.lang.security.audit.ftplib.ftplib + version_id: K3TvG2X + url: https://semgrep.dev/playground/r/K3TvG2X/python.lang.security.audit.ftplib.ftplib origin: community severity: WARNING languages: @@ -20106,8 +20026,8 @@ rules: semgrep.dev: rule: rule_id: PeUZAW - version_id: 3ZTd7X - url: https://semgrep.dev/playground/r/3ZTd7X/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument + version_id: qkT2BYZ + url: https://semgrep.dev/playground/r/qkT2BYZ/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument origin: community - id: python.lang.security.audit.httpsconnection-detected.httpsconnection-detected message: The HTTPSConnection API has changed frequently with minor releases of Python. @@ -20139,8 +20059,8 @@ rules: semgrep.dev: rule: rule_id: JDUy7y - version_id: 44Toxd - url: https://semgrep.dev/playground/r/44Toxd/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected + version_id: l4T46Q7 + url: https://semgrep.dev/playground/r/l4T46Q7/python.lang.security.audit.httpsconnection-detected.httpsconnection-detected origin: community severity: WARNING languages: @@ -20180,8 +20100,8 @@ rules: semgrep.dev: rule: rule_id: qNUjlR - version_id: JdTq2d - url: https://semgrep.dev/playground/r/JdTq2d/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls + version_id: JdTNv1q + url: https://semgrep.dev/playground/r/JdTNv1q/python.lang.security.audit.insecure-transport.ftplib.use-ftp-tls.use-ftp-tls origin: community severity: WARNING languages: 
@@ -20246,8 +20166,8 @@ rules: semgrep.dev: rule: rule_id: lBU9BZ - version_id: 5PT6Bv - url: https://semgrep.dev/playground/r/5PT6Bv/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context + version_id: 5PTdeJ5 + url: https://semgrep.dev/playground/r/5PTdeJ5/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context origin: community languages: - python @@ -20312,8 +20232,8 @@ rules: semgrep.dev: rule: rule_id: YGURXw - version_id: GxT242 - url: https://semgrep.dev/playground/r/GxT242/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http + version_id: GxTv8L9 + url: https://semgrep.dev/playground/r/GxTv8L9/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http origin: community - id: python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http fix-regex: @@ -20352,8 +20272,8 @@ rules: semgrep.dev: rule: rule_id: 6JUjpG - version_id: RGTbBv - url: https://semgrep.dev/playground/r/RGTbBv/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http + version_id: RGTDRDO + url: https://semgrep.dev/playground/r/RGTDRDO/python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http origin: community languages: - python @@ -20415,8 +20335,8 @@ rules: semgrep.dev: rule: rule_id: oqUeYJ - version_id: A8TRyb - url: https://semgrep.dev/playground/r/A8TRyb/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers + version_id: A8T9X99 + url: https://semgrep.dev/playground/r/A8T9X99/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers origin: community languages: - python 
@@ -20450,8 +20370,8 @@ rules: semgrep.dev: rule: rule_id: zdUkPQ - version_id: BjTEoW - url: https://semgrep.dev/playground/r/BjTEoW/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp + version_id: BjTXpXx + url: https://semgrep.dev/playground/r/BjTXpXx/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp origin: community severity: WARNING languages: @@ -20513,8 +20433,8 @@ rules: semgrep.dev: rule: rule_id: pKUO9Q - version_id: DkTQL6 - url: https://semgrep.dev/playground/r/DkTQL6/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open + version_id: DkT6Y69 + url: https://semgrep.dev/playground/r/DkT6Y69/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open.insecure-openerdirector-open origin: community severity: WARNING languages: @@ -20583,8 +20503,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUbWA - version_id: WrTbgO - url: https://semgrep.dev/playground/r/WrTbgO/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp + version_id: WrTW3Wo + url: https://semgrep.dev/playground/r/WrTW3Wo/python.lang.security.audit.insecure-transport.urllib.insecure-request-object-ftp.insecure-request-object-ftp origin: community severity: WARNING languages: @@ -20626,8 +20546,8 @@ rules: semgrep.dev: rule: rule_id: X5U8Bp - version_id: 0bTvZ7 - url: https://semgrep.dev/playground/r/0bTvZ7/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object + version_id: 0bTLeLE + url: https://semgrep.dev/playground/r/0bTLeLE/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object origin: community severity: WARNING languages: 
@@ -20674,8 +20594,8 @@ rules: semgrep.dev: rule: rule_id: j2UvOG - version_id: K3TlRb - url: https://semgrep.dev/playground/r/K3TlRb/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp + version_id: K3TvGvY + url: https://semgrep.dev/playground/r/K3TvGvY/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen-ftp.insecure-urlopen-ftp origin: community severity: WARNING languages: @@ -20717,8 +20637,8 @@ rules: semgrep.dev: rule: rule_id: 10UKgW - version_id: qkTNro - url: https://semgrep.dev/playground/r/qkTNro/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen + version_id: qkT2B2X + url: https://semgrep.dev/playground/r/qkT2B2X/python.lang.security.audit.insecure-transport.urllib.insecure-urlopen.insecure-urlopen origin: community severity: WARNING languages: @@ -20764,8 +20684,8 @@ rules: semgrep.dev: rule: rule_id: 9AU1DY - version_id: l4T5Yz - url: https://semgrep.dev/playground/r/l4T5Yz/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp + version_id: l4T464W + url: https://semgrep.dev/playground/r/l4T464W/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open-ftp.insecure-urlopener-open-ftp origin: community severity: WARNING languages: @@ -20827,8 +20747,8 @@ rules: semgrep.dev: rule: rule_id: yyUnwW - version_id: YDToxD - url: https://semgrep.dev/playground/r/YDToxD/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open + version_id: YDTpnpl + url: https://semgrep.dev/playground/r/YDTpnpl/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open origin: community severity: WARNING languages: 
@@ -20895,8 +20815,8 @@ rules: semgrep.dev: rule: rule_id: r6UrPp - version_id: 6xTekE - url: https://semgrep.dev/playground/r/6xTekE/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp + version_id: 6xTvQvy + url: https://semgrep.dev/playground/r/6xTvQvy/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp origin: community severity: WARNING languages: @@ -20958,8 +20878,8 @@ rules: semgrep.dev: rule: rule_id: bwUw0n - version_id: o5TnPB - url: https://semgrep.dev/playground/r/o5TnPB/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve + version_id: o5Tg9gZ + url: https://semgrep.dev/playground/r/o5Tg9gZ/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve.insecure-urlopener-retrieve origin: community severity: WARNING languages: @@ -21026,8 +20946,8 @@ rules: semgrep.dev: rule: rule_id: NbUknL - version_id: zyT59G - url: https://semgrep.dev/playground/r/zyT59G/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp + version_id: zyTKDK8 + url: https://semgrep.dev/playground/r/zyTKDK8/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve-ftp.insecure-urlretrieve-ftp origin: community severity: WARNING languages: @@ -21069,8 +20989,8 @@ rules: semgrep.dev: rule: rule_id: kxUk4N - version_id: pZTrJN - url: https://semgrep.dev/playground/r/pZTrJN/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve + version_id: pZT1L1L + url: https://semgrep.dev/playground/r/pZT1L1L/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve origin: community severity: WARNING languages: 
@@ -21121,8 +21041,8 @@ rules: semgrep.dev: rule: rule_id: wdUJQY - version_id: 2KT1Xr - url: https://semgrep.dev/playground/r/2KT1Xr/python.lang.security.audit.logging.listeneval.listen-eval + version_id: 2KTz3zv + url: https://semgrep.dev/playground/r/2KTz3zv/python.lang.security.audit.logging.listeneval.listen-eval origin: community severity: WARNING pattern: logging.config.listen(...) @@ -21161,8 +21081,8 @@ rules: semgrep.dev: rule: rule_id: GdU79Z - version_id: jQTKpn - url: https://semgrep.dev/playground/r/jQTKpn/python.lang.security.audit.mako-templates-detected.mako-templates-detected + version_id: jQTgyg1 + url: https://semgrep.dev/playground/r/jQTgyg1/python.lang.security.audit.mako-templates-detected.mako-templates-detected origin: community languages: - python @@ -21199,8 +21119,8 @@ rules: semgrep.dev: rule: rule_id: ReUg13 - version_id: 1QTjn2 - url: https://semgrep.dev/playground/r/1QTjn2/python.lang.security.audit.marshal.marshal-usage + version_id: 1QTO7O3 + url: https://semgrep.dev/playground/r/1QTO7O3/python.lang.security.audit.marshal.marshal-usage origin: community pattern-either: - pattern: marshal.dump(...) @@ -21235,8 +21155,8 @@ rules: semgrep.dev: rule: rule_id: v8UnWQ - version_id: bZTGJ6 - url: https://semgrep.dev/playground/r/bZTGJ6/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection + version_id: bZTb9bx + url: https://semgrep.dev/playground/r/bZTb9bx/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection origin: community languages: - python @@ -21278,8 +21198,8 @@ rules: semgrep.dev: rule: rule_id: AbUGN5 - version_id: NdT1EQ - url: https://semgrep.dev/playground/r/NdT1EQ/python.lang.security.audit.non-literal-import.non-literal-import + version_id: NdT3o3E + url: https://semgrep.dev/playground/r/NdT3o3E/python.lang.security.audit.non-literal-import.non-literal-import origin: community languages: - python 
@@ -21320,8 +21240,8 @@ rules: semgrep.dev: rule: rule_id: AbUzbe - version_id: w8T3vv - url: https://semgrep.dev/playground/r/w8T3vv/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key + version_id: w8T9D9g + url: https://semgrep.dev/playground/r/w8T9D9g/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key origin: community languages: - python @@ -21364,8 +21284,8 @@ rules: semgrep.dev: rule: rule_id: d8Uj9x - version_id: kbT79r - url: https://semgrep.dev/playground/r/kbT79r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command + version_id: kbTdLdQ + url: https://semgrep.dev/playground/r/kbTdLdQ/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command origin: community severity: ERROR languages: @@ -21407,8 +21327,8 @@ rules: semgrep.dev: rule: rule_id: nJUZRY - version_id: xyT41l - url: https://semgrep.dev/playground/r/xyT41l/python.lang.security.audit.python-reverse-shell.python-reverse-shell + version_id: xyTKpKy + url: https://semgrep.dev/playground/r/xyTKpKy/python.lang.security.audit.python-reverse-shell.python-reverse-shell origin: community languages: - python @@ -21448,8 +21368,8 @@ rules: semgrep.dev: rule: rule_id: DbUWRY - version_id: e1TxwX - url: https://semgrep.dev/playground/r/e1TxwX/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli + version_id: e1T030o + url: https://semgrep.dev/playground/r/e1T030o/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli origin: community patterns: - pattern-either: @@ -21562,8 +21482,8 @@ rules: semgrep.dev: rule: rule_id: WAUZqq - version_id: 3ZTkkNZ - url: https://semgrep.dev/playground/r/3ZTkkNZ/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli + version_id: vdTY8YE + url: https://semgrep.dev/playground/r/vdTY8YE/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli origin: community patterns: - pattern-either: 
@@ -21664,8 +21584,8 @@ rules: semgrep.dev: rule: rule_id: 0oUEKo - version_id: d6TDE0 - url: https://semgrep.dev/playground/r/d6TDE0/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli + version_id: d6Trvr1 + url: https://semgrep.dev/playground/r/d6Trvr1/python.lang.security.audit.sqli.pg8000-sqli.pg8000-sqli origin: community patterns: - pattern-either: @@ -21761,8 +21681,8 @@ rules: semgrep.dev: rule: rule_id: KxU4Kg - version_id: ZRTwJ8 - url: https://semgrep.dev/playground/r/ZRTwJ8/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli + version_id: ZRTQpQ0 + url: https://semgrep.dev/playground/r/ZRTQpQ0/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli origin: community patterns: - pattern-either: @@ -21856,8 +21776,8 @@ rules: semgrep.dev: rule: rule_id: WAUorE - version_id: 7ZTOw8 - url: https://semgrep.dev/playground/r/7ZTOw8/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected + version_id: 7ZTgng4 + url: https://semgrep.dev/playground/r/7ZTgng4/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected origin: community languages: - python @@ -21891,8 +21811,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5Wl - version_id: LjT0Jv - url: https://semgrep.dev/playground/r/LjT0Jv/python.lang.security.audit.telnetlib.telnetlib + version_id: LjTqAqb + url: https://semgrep.dev/playground/r/LjTqAqb/python.lang.security.audit.telnetlib.telnetlib origin: community severity: WARNING languages: @@ -21933,8 +21853,8 @@ rules: semgrep.dev: rule: rule_id: KxUbNG - version_id: 8KTb08 - url: https://semgrep.dev/playground/r/8KTb08/python.lang.security.audit.weak-ssl-version.weak-ssl-version + version_id: 8KTQyQl + url: https://semgrep.dev/playground/r/8KTQyQl/python.lang.security.audit.weak-ssl-version.weak-ssl-version origin: community languages: - python 
@@ -22007,8 +21927,8 @@ rules: semgrep.dev: rule: rule_id: 9AUOZP - version_id: QkTJLN - url: https://semgrep.dev/playground/r/QkTJLN/python.lang.security.dangerous-globals-use.dangerous-globals-use + version_id: QkTWwWO + url: https://semgrep.dev/playground/r/QkTWwWO/python.lang.security.dangerous-globals-use.dangerous-globals-use origin: community severity: WARNING languages: @@ -22048,8 +21968,8 @@ rules: semgrep.dev: rule: rule_id: BYU7Kp - version_id: RGTbdv - url: https://semgrep.dev/playground/r/RGTbdv/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle + version_id: RGTDReO + url: https://semgrep.dev/playground/r/RGTDReO/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle origin: community message: Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. @@ -22085,8 +22005,8 @@ rules: semgrep.dev: rule: rule_id: ZqU5jZ - version_id: A8TRxb - url: https://semgrep.dev/playground/r/A8TRxb/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load + version_id: A8T9Xk9 + url: https://semgrep.dev/playground/r/A8T9Xk9/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load origin: community languages: - python @@ -22143,8 +22063,8 @@ rules: semgrep.dev: rule: rule_id: nJUzqK - version_id: BjTE4W - url: https://semgrep.dev/playground/r/BjTE4W/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel + version_id: BjTXpxx + url: https://semgrep.dev/playground/r/BjTXpxx/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel origin: community languages: - python 
@@ -22182,8 +22102,8 @@ rules: semgrep.dev: rule: rule_id: 7KUQNL - version_id: WrTbeO - url: https://semgrep.dev/playground/r/WrTbeO/python.lang.security.deserialization.pickle.avoid-cPickle + version_id: WrTW3Oo + url: https://semgrep.dev/playground/r/WrTW3Oo/python.lang.security.deserialization.pickle.avoid-cPickle origin: community languages: - python @@ -22222,8 +22142,8 @@ rules: semgrep.dev: rule: rule_id: L1Uy60 - version_id: 0bTv07 - url: https://semgrep.dev/playground/r/0bTv07/python.lang.security.deserialization.pickle.avoid-dill + version_id: 0bTLeyE + url: https://semgrep.dev/playground/r/0bTLeyE/python.lang.security.deserialization.pickle.avoid-dill origin: community languages: - python @@ -22262,8 +22182,8 @@ rules: semgrep.dev: rule: rule_id: EwU2BJ - version_id: DkTQB6 - url: https://semgrep.dev/playground/r/DkTQB6/python.lang.security.deserialization.pickle.avoid-pickle + version_id: DkT6Yq9 + url: https://semgrep.dev/playground/r/DkT6Yq9/python.lang.security.deserialization.pickle.avoid-pickle origin: community languages: - python @@ -22305,8 +22225,8 @@ rules: semgrep.dev: rule: rule_id: 8GUje2 - version_id: K3TlAb - url: https://semgrep.dev/playground/r/K3TlAb/python.lang.security.deserialization.pickle.avoid-shelve + version_id: K3TvGnY + url: https://semgrep.dev/playground/r/K3TvGnY/python.lang.security.deserialization.pickle.avoid-shelve origin: community languages: - python @@ -22352,8 +22272,8 @@ rules: semgrep.dev: rule: rule_id: OrU30g - version_id: YDTogD - url: https://semgrep.dev/playground/r/YDTogD/python.lang.security.insecure-hash-function.insecure-hash-function + version_id: YDTpnNl + url: https://semgrep.dev/playground/r/YDTpnNl/python.lang.security.insecure-hash-function.insecure-hash-function origin: community languages: - python 
@@ -22396,8 +22316,88 @@ rules: semgrep.dev: rule: rule_id: v8UnkQ - version_id: 5PT6Ky - url: https://semgrep.dev/playground/r/5PT6Ky/python.lang.security.unverified-ssl-context.unverified-ssl-context + version_id: o5Tg9kZ + url: https://semgrep.dev/playground/r/o5Tg9kZ/python.lang.security.unverified-ssl-context.unverified-ssl-context + origin: community + severity: ERROR + languages: + - python +- id: python.lang.security.use-defused-xml.use-defused-xml + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + references: + - https://docs.python.org/3/library/xml.html + - https://github.com/tiran/defusedxml + - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml + shortlink: https://sg.run/kX47 + semgrep.dev: + rule: + rule_id: d8UjRx + version_id: pZT1LkL + url: https://semgrep.dev/playground/r/pZT1LkL/python.lang.security.use-defused-xml.use-defused-xml + origin: community + message: The Python documentation recommends using `defusedxml` instead of `xml` + because the native Python `xml` library is vulnerable to XML External Entity (XXE) + attacks. These attacks can leak confidential data and "XML bombs" can cause denial + of service. + languages: + - python + severity: ERROR + pattern: import xml +- id: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc + pattern-either: + - pattern: import xmlrpclib + - pattern: import SimpleXMLRPCServer + - pattern: import xmlrpc + message: Detected use of xmlrpc. 
xmlrpc is not inherently safe from vulnerabilities. + Use defusedxml.xmlrpc instead. + metadata: + cwe: + - 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML + Entity Expansion'')' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160 + references: + - https://pypi.org/project/defusedxml/ + - https://docs.python.org/3/library/xml.html#xml-vulnerabilities + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc + shortlink: https://sg.run/weqY + semgrep.dev: + rule: + rule_id: ZqU5EZ + version_id: 2KTz3Gv + url: https://semgrep.dev/playground/r/2KTz3Gv/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc origin: community severity: ERROR languages: @@ -22429,8 +22429,8 @@ rules: semgrep.dev: rule: rule_id: qNUoYR - version_id: ExTnyB - url: https://semgrep.dev/playground/r/ExTnyB/python.requests.security.disabled-cert-validation.disabled-cert-validation + version_id: K3TvGzY + url: https://semgrep.dev/playground/r/K3TvGzY/python.requests.security.disabled-cert-validation.disabled-cert-validation origin: community languages: - python @@ -22481,8 +22481,8 @@ rules: semgrep.dev: rule: rule_id: lBUdQZ - version_id: 7ZTO6z - url: https://semgrep.dev/playground/r/7ZTO6z/python.requests.security.no-auth-over-http.no-auth-over-http + version_id: qkT2B1X + url: https://semgrep.dev/playground/r/qkT2B1X/python.requests.security.no-auth-over-http.no-auth-over-http origin: community languages: - python 
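Review bot: The new `use-defused-xml` rule's `message` states that the stdlib `xml` package "is vulnerable to XML External Entity (XXE) attacks", but the first reference it cites (the security table in the Python `xml` docs) records external-entity expansion as disabled by default in the stdlib parsers on current CPython, with the remaining stdlib exposure being entity-expansion denial of service (quadratic blowup, large-entity bombs) depending on the system libexpat — if I read that table correctly, the message overstates the XXE risk and should be aligned with it, e.g. `message: The stdlib xml parsers do not expand external entities by default on current CPython, but remain exposed to entity-expansion denial of service on untrusted input; prefer defusedxml for parsing untrusted XML.` The rule's only matcher is `pattern: import xml`; please confirm in the playground that this also matches the dotted forms real code uses — `import xml.etree.ElementTree as ET` and `from xml.etree import ElementTree` — and if it does not, add a `pattern-either` with `import xml.$M` and `from xml.$M import $N`, otherwise most parser imports are missed. Both new rules are `confidence: LOW` audit rules, so flagging every import regardless of whether untrusted data is parsed is acceptable, but the wording of a finding should still match the cited evidence.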
@@ -22527,8 +22527,8 @@ rules: semgrep.dev: rule: rule_id: JDUP1G - version_id: LjT0dq - url: https://semgrep.dev/playground/r/LjT0dq/python.sh.security.string-concat.string-concat + version_id: l4T46rW + url: https://semgrep.dev/playground/r/l4T46rW/python.sh.security.string-concat.string-concat origin: community pattern-either: - pattern: sh.$BIN($X + $Y) @@ -22569,8 +22569,8 @@ rules: semgrep.dev: rule: rule_id: r6U2wE - version_id: 8KTbo4 - url: https://semgrep.dev/playground/r/8KTbo4/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text + version_id: RGTDRQR + url: https://semgrep.dev/playground/r/RGTDRQR/python.sqlalchemy.security.audit.avoid-sqlalchemy-text.avoid-sqlalchemy-text origin: community languages: - python @@ -22611,8 +22611,8 @@ rules: semgrep.dev: rule: rule_id: oqUz5y - version_id: gETq8A - url: https://semgrep.dev/playground/r/gETq8A/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query + version_id: A8T9Xrg + url: https://semgrep.dev/playground/r/A8T9Xrg/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query origin: community severity: ERROR languages: @@ -22672,8 +22672,8 @@ rules: semgrep.dev: rule: rule_id: KxU426 - version_id: RGTbWA - url: https://semgrep.dev/playground/r/RGTbWA/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify + version_id: YDTpn6x + url: https://semgrep.dev/playground/r/YDTpn6x/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify origin: community languages: - ruby @@ -22713,8 +22713,8 @@ rules: semgrep.dev: rule: rule_id: qNUoYd - version_id: A8TRP5 - url: https://semgrep.dev/playground/r/A8TRP5/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data + version_id: 6xTvQ54 + url: https://semgrep.dev/playground/r/6xTvQ54/ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data origin: community languages: - ruby 
@@ -22758,8 +22758,8 @@ rules: semgrep.dev: rule: rule_id: DbUWdB - version_id: BjTEjp - url: https://semgrep.dev/playground/r/BjTEjp/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials + version_id: o5Tg9yQ + url: https://semgrep.dev/playground/r/o5Tg9yQ/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials origin: community message: Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens. @@ -22803,8 +22803,8 @@ rules: semgrep.dev: rule: rule_id: WAUZz5 - version_id: DkTQoR - url: https://semgrep.dev/playground/r/DkTQoR/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret + version_id: zyTKDAv + url: https://semgrep.dev/playground/r/zyTKDAv/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret origin: community patterns: - pattern-inside: | @@ -22864,8 +22864,8 @@ rules: semgrep.dev: rule: rule_id: 0oUExR - version_id: WrTb58 - url: https://semgrep.dev/playground/r/WrTb58/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg + version_id: pZT1L64 + url: https://semgrep.dev/playground/r/pZT1L64/ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg origin: community languages: - ruby @@ -22906,8 +22906,8 @@ rules: semgrep.dev: rule: rule_id: YGUrq5 - version_id: RGTDg07 - url: https://semgrep.dev/playground/r/RGTDg07/ruby.lang.security.cookie-serialization.cookie-serialization + version_id: 1QTO7b6 + url: https://semgrep.dev/playground/r/1QTO7b6/ruby.lang.security.cookie-serialization.cookie-serialization origin: community languages: - ruby @@ -22952,8 +22952,8 @@ rules: semgrep.dev: rule: rule_id: 6JUqbn - version_id: YDToG8 - url: https://semgrep.dev/playground/r/YDToG8/ruby.lang.security.create-with.create-with + version_id: 9lTd5op + url: https://semgrep.dev/playground/r/9lTd5op/ruby.lang.security.create-with.create-with origin: community languages: - ruby 
@@ -22996,8 +22996,8 @@ rules: semgrep.dev: rule: rule_id: 0oUEyd - version_id: o5TnQP - url: https://semgrep.dev/playground/r/o5TnQP/ruby.lang.security.dangerous-open.dangerous-open + version_id: rxTy4o7 + url: https://semgrep.dev/playground/r/rxTy4o7/ruby.lang.security.dangerous-open.dangerous-open origin: community severity: WARNING languages: @@ -23040,8 +23040,8 @@ rules: semgrep.dev: rule: rule_id: KxU4nd - version_id: zyT5g6 - url: https://semgrep.dev/playground/r/zyT5g6/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline + version_id: bZTb9Ke + url: https://semgrep.dev/playground/r/bZTb9Ke/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline origin: community severity: WARNING languages: @@ -23082,8 +23082,8 @@ rules: semgrep.dev: rule: rule_id: OrUGn8 - version_id: pZTrgg - url: https://semgrep.dev/playground/r/pZTrgg/ruby.lang.security.dangerous-subshell.dangerous-subshell + version_id: NdT3o9R + url: https://semgrep.dev/playground/r/NdT3o9R/ruby.lang.security.dangerous-subshell.dangerous-subshell origin: community severity: WARNING languages: @@ -23118,8 +23118,8 @@ rules: semgrep.dev: rule: rule_id: qNUo50 - version_id: 2KT1NB - url: https://semgrep.dev/playground/r/2KT1NB/ruby.lang.security.dangerous-syscall.dangerous-syscall + version_id: kbTdLjG + url: https://semgrep.dev/playground/r/kbTdLjG/ruby.lang.security.dangerous-syscall.dangerous-syscall origin: community severity: WARNING languages: @@ -23156,8 +23156,8 @@ rules: semgrep.dev: rule: rule_id: zdUyqE - version_id: jQTKe4 - url: https://semgrep.dev/playground/r/jQTKe4/ruby.lang.security.file-disclosure.file-disclosure + version_id: xyTKpAo + url: https://semgrep.dev/playground/r/xyTKpAo/ruby.lang.security.file-disclosure.file-disclosure origin: community languages: - ruby 
@@ -23201,8 +23201,8 @@ rules: semgrep.dev: rule: rule_id: pKUGP7 - version_id: 1QTjWr - url: https://semgrep.dev/playground/r/1QTjWr/ruby.lang.security.filter-skipping.filter-skipping + version_id: O9TNdne + url: https://semgrep.dev/playground/r/O9TNdne/ruby.lang.security.filter-skipping.filter-skipping origin: community languages: - ruby @@ -23246,8 +23246,8 @@ rules: semgrep.dev: rule: rule_id: X5UZWK - version_id: 6xTvq7p - url: https://semgrep.dev/playground/r/6xTvq7p/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + version_id: vdTY8p2 + url: https://semgrep.dev/playground/r/vdTY8p2/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller origin: community languages: - ruby @@ -23289,8 +23289,8 @@ rules: semgrep.dev: rule: rule_id: 9AUOQB - version_id: w8T3gb - url: https://semgrep.dev/playground/r/w8T3gb/ruby.lang.security.json-entity-escape.json-entity-escape + version_id: 7ZTgnQD + url: https://semgrep.dev/playground/r/7ZTgnQD/ruby.lang.security.json-entity-escape.json-entity-escape origin: community languages: - ruby @@ -23326,8 +23326,8 @@ rules: semgrep.dev: rule: rule_id: yyUvkJ - version_id: xyT4bz - url: https://semgrep.dev/playground/r/xyT4bz/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled + version_id: LjTqAy2 + url: https://semgrep.dev/playground/r/LjTqAy2/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled origin: community severity: WARNING languages: @@ -23378,8 +23378,8 @@ rules: semgrep.dev: rule: rule_id: r6UkO5 - version_id: e1TxPn - url: https://semgrep.dev/playground/r/e1TxPn/ruby.lang.security.missing-csrf-protection.missing-csrf-protection + version_id: gET3O1W + url: https://semgrep.dev/playground/r/gET3O1W/ruby.lang.security.missing-csrf-protection.missing-csrf-protection origin: community languages: - ruby 
@@ -23413,8 +23413,8 @@ rules: semgrep.dev: rule: rule_id: bwUOAG - version_id: A8T9zgD - url: https://semgrep.dev/playground/r/A8T9zgD/ruby.lang.security.model-attr-accessible.model-attr-accessible + version_id: QkTWwzp + url: https://semgrep.dev/playground/r/QkTWwzp/ruby.lang.security.model-attr-accessible.model-attr-accessible origin: community languages: - ruby @@ -23488,8 +23488,8 @@ rules: semgrep.dev: rule: rule_id: NbUADO - version_id: d6TDNB - url: https://semgrep.dev/playground/r/d6TDNB/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible + version_id: 3ZTkrPj + url: https://semgrep.dev/playground/r/3ZTkrPj/ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible origin: community languages: - ruby @@ -23524,8 +23524,8 @@ rules: semgrep.dev: rule: rule_id: eqUv0L - version_id: LjT0Dq - url: https://semgrep.dev/playground/r/LjT0Dq/ruby.lang.security.no-send.bad-send + version_id: GxTv876 + url: https://semgrep.dev/playground/r/GxTv876/ruby.lang.security.no-send.bad-send origin: community languages: - ruby @@ -23586,8 +23586,8 @@ rules: semgrep.dev: rule: rule_id: ZqUqQg - version_id: QkTJlz - url: https://semgrep.dev/playground/r/QkTJlz/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln + version_id: BjTXpNb + url: https://semgrep.dev/playground/r/BjTXpNb/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln origin: community languages: - ruby @@ -23618,8 +23618,8 @@ rules: semgrep.dev: rule: rule_id: 8GUAo4 - version_id: BjTEOp - url: https://semgrep.dev/playground/r/BjTEOp/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions + version_id: pZT1LO4 + url: https://semgrep.dev/playground/r/pZT1LO4/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions origin: community message: Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system 
@@ -23681,8 +23681,8 @@ rules: semgrep.dev: rule: rule_id: QrUnEk - version_id: DkTQ4P - url: https://semgrep.dev/playground/r/DkTQ4P/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection + version_id: e1T0386 + url: https://semgrep.dev/playground/r/e1T0386/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection origin: community - id: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag metadata: @@ -23714,8 +23714,8 @@ rules: semgrep.dev: rule: rule_id: L1U4qz - version_id: 0bTvRB - url: https://semgrep.dev/playground/r/0bTvRB/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag + version_id: d6TrvjR + url: https://semgrep.dev/playground/r/d6TrvjR/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag origin: community message: "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting @@ -23752,8 +23752,8 @@ rules: semgrep.dev: rule: rule_id: qNUXYy - version_id: K3TlBE - url: https://semgrep.dev/playground/r/K3TlBE/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes + version_id: ZRTQp5j + url: https://semgrep.dev/playground/r/ZRTQp5j/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes origin: community message: Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose 
@@ -23799,8 +23799,8 @@ rules: semgrep.dev: rule: rule_id: 8GUEQK - version_id: qkTNzD - url: https://semgrep.dev/playground/r/qkTNzD/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe + version_id: nWTxoYW + url: https://semgrep.dev/playground/r/nWTxoYW/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe origin: community message: "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application @@ -23841,8 +23841,8 @@ rules: semgrep.dev: rule: rule_id: gxUW3x - version_id: YDToj9 - url: https://semgrep.dev/playground/r/YDToj9/ruby.rails.security.audit.xss.avoid-raw.avoid-raw + version_id: 7ZTgneD + url: https://semgrep.dev/playground/r/7ZTgneD/ruby.rails.security.audit.xss.avoid-raw.avoid-raw origin: community message: "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do @@ -23881,8 +23881,8 @@ rules: semgrep.dev: rule: rule_id: QrU6Ww - version_id: zyT5v2 - url: https://semgrep.dev/playground/r/zyT5v2/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline + version_id: gET3OWW + url: https://semgrep.dev/playground/r/gET3OWW/ruby.rails.security.audit.xss.avoid-render-inline.avoid-render-inline origin: community message: "'render inline: ...' renders an entire ERB template inline and is dangerous. If external data can reach here, this exposes your application to server-side 
@@ -23921,8 +23921,8 @@ rules: semgrep.dev: rule: rule_id: 3qUBk4 - version_id: pZTrvY - url: https://semgrep.dev/playground/r/pZTrvY/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text + version_id: QkTWw6p + url: https://semgrep.dev/playground/r/QkTWw6p/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text origin: community message: "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) @@ -23963,8 +23963,8 @@ rules: semgrep.dev: rule: rule_id: 4bUzR9 - version_id: 2KT1Bq - url: https://semgrep.dev/playground/r/2KT1Bq/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation + version_id: 3ZTkrBj + url: https://semgrep.dev/playground/r/3ZTkrBj/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation origin: community message: Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site @@ -24008,8 +24008,8 @@ rules: semgrep.dev: rule: rule_id: PeUkJe - version_id: X0TPXb - url: https://semgrep.dev/playground/r/X0TPXb/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe + version_id: 44TR6zg + url: https://semgrep.dev/playground/r/44TR6zg/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe origin: community languages: - generic @@ -24054,8 +24054,8 @@ rules: semgrep.dev: rule: rule_id: JDUPNG - version_id: jQTKAE - url: https://semgrep.dev/playground/r/jQTKAE/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag + version_id: PkTJdkx + url: https://semgrep.dev/playground/r/PkTJdkx/ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag origin: community languages: - generic 
@@ -24100,8 +24100,8 @@ rules: semgrep.dev: rule: rule_id: 5rU4dE - version_id: 1QTjAj - url: https://semgrep.dev/playground/r/1QTjAj/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe + version_id: JdTNvPo + url: https://semgrep.dev/playground/r/JdTNvPo/ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe origin: community languages: - generic @@ -24146,8 +24146,8 @@ rules: semgrep.dev: rule: rule_id: GdU0vJ - version_id: 9lTzYK - url: https://semgrep.dev/playground/r/9lTzYK/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw + version_id: 5PTde49 + url: https://semgrep.dev/playground/r/5PTde49/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw origin: community languages: - generic @@ -24190,8 +24190,8 @@ rules: semgrep.dev: rule: rule_id: AbUW9y - version_id: rxTxJO - url: https://semgrep.dev/playground/r/rxTxJO/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute + version_id: RGTDRPR + url: https://semgrep.dev/playground/r/RGTDRPR/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute origin: community languages: - generic @@ -24243,8 +24243,8 @@ rules: semgrep.dev: rule: rule_id: BYUBXo - version_id: bZTGgb - url: https://semgrep.dev/playground/r/bZTGgb/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href + version_id: A8T9XWg + url: https://semgrep.dev/playground/r/A8T9XWg/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href origin: community languages: - generic @@ -24291,8 +24291,8 @@ rules: semgrep.dev: rule: rule_id: DbUW6B - version_id: NdT1pg - url: https://semgrep.dev/playground/r/NdT1pg/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag + version_id: BjTXpBb + url: https://semgrep.dev/playground/r/BjTXpBb/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag origin: community languages: - generic 
@@ -24351,8 +24351,8 @@ rules: semgrep.dev: rule: rule_id: KxUw3v - version_id: O9Ty2D - url: https://semgrep.dev/playground/r/O9Ty2D/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes + version_id: K3TvG4Q + url: https://semgrep.dev/playground/r/K3TvG4Q/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes origin: community - id: ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high patterns: @@ -24391,8 +24391,8 @@ rules: semgrep.dev: rule: rule_id: 5rUNql - version_id: d6TD5K - url: https://semgrep.dev/playground/r/d6TD5K/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high + version_id: YDTpnrx + url: https://semgrep.dev/playground/r/YDTpnrx/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high origin: community - id: ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium patterns: @@ -24431,8 +24431,8 @@ rules: semgrep.dev: rule: rule_id: GdUoq5 - version_id: ZRTwve - url: https://semgrep.dev/playground/r/ZRTwve/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium + version_id: JdTNvPO + url: https://semgrep.dev/playground/r/JdTNvPO/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium origin: community - id: ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml paths: 
@@ -24484,8 +24484,8 @@ rules: semgrep.dev: rule: rule_id: qNUpJ5 - version_id: nWT71p - url: https://semgrep.dev/playground/r/nWT71p/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml + version_id: 5PTde4l + url: https://semgrep.dev/playground/r/5PTde4l/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml origin: community - id: rust.lang.security.args-os.args-os message: 'args_os should not be used for security operations. From the docs: "The @@ -24512,8 +24512,8 @@ rules: semgrep.dev: rule: rule_id: DbUeEe - version_id: l4TPRR - url: https://semgrep.dev/playground/r/l4TPRR/rust.lang.security.args-os.args-os + version_id: X0TQ2ZP + url: https://semgrep.dev/playground/r/X0TQ2ZP/rust.lang.security.args-os.args-os origin: community languages: - rust @@ -24543,8 +24543,8 @@ rules: semgrep.dev: rule: rule_id: WAU6Lk - version_id: YDTPe7 - url: https://semgrep.dev/playground/r/YDTPe7/rust.lang.security.args.args + version_id: jQTgyqZ + url: https://semgrep.dev/playground/r/jQTgyqZ/rust.lang.security.args.args origin: community languages: - rust @@ -24574,8 +24574,8 @@ rules: semgrep.dev: rule: rule_id: 0oU6nZ - version_id: 6xTK9Y - url: https://semgrep.dev/playground/r/6xTK9Y/rust.lang.security.current-exe.current-exe + version_id: 1QTO7Zg + url: https://semgrep.dev/playground/r/1QTO7Zg/rust.lang.security.current-exe.current-exe origin: community languages: - rust @@ -24610,8 +24610,8 @@ rules: semgrep.dev: rule: rule_id: KxUOxA - version_id: qkTNPD - url: https://semgrep.dev/playground/r/qkTNPD/rust.lang.security.insecure-hashes.insecure-hashes + version_id: 9lTd5kQ + url: https://semgrep.dev/playground/r/9lTd5kQ/rust.lang.security.insecure-hashes.insecure-hashes origin: community languages: - rust 
@@ -24666,8 +24666,8 @@ rules: semgrep.dev: rule: rule_id: lBUNEw - version_id: YDToK9 - url: https://semgrep.dev/playground/r/YDToK9/rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive + version_id: rxTy490 + url: https://semgrep.dev/playground/r/rxTy490/rust.lang.security.reqwest-set-sensitive.reqwest-set-sensitive origin: community languages: - rust @@ -24699,8 +24699,8 @@ rules: semgrep.dev: rule: rule_id: oqU5AO - version_id: o5TxD0 - url: https://semgrep.dev/playground/r/o5TxD0/rust.lang.security.temp-dir.temp-dir + version_id: kbTdL8R + url: https://semgrep.dev/playground/r/kbTdL8R/rust.lang.security.temp-dir.temp-dir origin: community languages: - rust @@ -24727,8 +24727,8 @@ rules: semgrep.dev: rule: rule_id: zdUezd - version_id: pZTr4Y - url: https://semgrep.dev/playground/r/pZTr4Y/rust.lang.security.unsafe-usage.unsafe-usage + version_id: w8T9DGG + url: https://semgrep.dev/playground/r/w8T9DGG/rust.lang.security.unsafe-usage.unsafe-usage origin: community languages: - rust @@ -24781,8 +24781,8 @@ rules: semgrep.dev: rule: rule_id: JDUle4 - version_id: X0TP0b - url: https://semgrep.dev/playground/r/X0TP0b/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run + version_id: e1T03pD + url: https://semgrep.dev/playground/r/e1T03pD/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run origin: community - id: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run patterns: @@ -24835,8 +24835,8 @@ rules: semgrep.dev: rule: rule_id: 5rUy3K - version_id: jQTK0E - url: https://semgrep.dev/playground/r/jQTK0E/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run + version_id: vdTY8jv + url: https://semgrep.dev/playground/r/vdTY8jv/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run origin: community - id: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf patterns: 
@@ -24885,8 +24885,8 @@ rules: semgrep.dev: rule: rule_id: 5rUyl4 - version_id: 1QTjwj - url: https://semgrep.dev/playground/r/1QTjwj/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf + version_id: d6TrvlP + url: https://semgrep.dev/playground/r/d6TrvlP/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf origin: community languages: - scala @@ -24918,8 +24918,8 @@ rules: semgrep.dev: rule: rule_id: gxUgDk - version_id: yeTXWw - url: https://semgrep.dev/playground/r/yeTXWw/scala.lang.security.audit.insecure-random.insecure-random + version_id: nWTxoro + url: https://semgrep.dev/playground/r/nWTxoro/scala.lang.security.audit.insecure-random.insecure-random origin: community message: Flags the use of a predictable random value from `scala.util.Random`. This can lead to vulnerabilities when used in security contexts, such as in a CSRF @@ -24980,8 +24980,8 @@ rules: semgrep.dev: rule: rule_id: GdUDOZ - version_id: rxTxpO - url: https://semgrep.dev/playground/r/rxTxpO/scala.lang.security.audit.io-source-ssrf.io-source-ssrf + version_id: ExTjAQE + url: https://semgrep.dev/playground/r/ExTjAQE/scala.lang.security.audit.io-source-ssrf.io-source-ssrf origin: community languages: - scala @@ -25016,8 +25016,8 @@ rules: semgrep.dev: rule: rule_id: QrUdOZ - version_id: bZTG7b - url: https://semgrep.dev/playground/r/bZTG7b/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile + version_id: 7ZTgnpB + url: https://semgrep.dev/playground/r/7ZTgnpB/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile origin: community message: Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This 
@@ -25080,8 +25080,8 @@ rules: semgrep.dev: rule: rule_id: 3qUj1Q - version_id: NdT1Kg - url: https://semgrep.dev/playground/r/NdT1Kg/scala.lang.security.audit.rsa-padding-set.rsa-padding-set + version_id: LjTqArR + url: https://semgrep.dev/playground/r/LjTqArR/scala.lang.security.audit.rsa-padding-set.rsa-padding-set origin: community message: Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with @@ -25172,8 +25172,8 @@ rules: semgrep.dev: rule: rule_id: KxUrkq - version_id: kbT7Bj - url: https://semgrep.dev/playground/r/kbT7Bj/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled + version_id: 8KTQyxg + url: https://semgrep.dev/playground/r/8KTQyxg/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled origin: community - id: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run patterns: @@ -25241,8 +25241,8 @@ rules: semgrep.dev: rule: rule_id: 6JUEeo - version_id: w8T3PJ - url: https://semgrep.dev/playground/r/w8T3PJ/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run + version_id: gET3OY0 + url: https://semgrep.dev/playground/r/gET3OY0/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run origin: community - id: scala.lang.security.audit.scalac-debug.scalac-debug patterns: @@ -25281,8 +25281,8 @@ rules: semgrep.dev: rule: rule_id: JDUlE0 - version_id: xyT4gW - url: https://semgrep.dev/playground/r/xyT4gW/scala.lang.security.audit.scalac-debug.scalac-debug + version_id: QkTWwpg + url: https://semgrep.dev/playground/r/QkTWwpg/scala.lang.security.audit.scalac-debug.scalac-debug origin: community - id: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf patterns: 
@@ -25331,8 +25331,8 @@ rules: semgrep.dev: rule: rule_id: AbU3xA - version_id: O9TyqD - url: https://semgrep.dev/playground/r/O9TyqD/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf + version_id: 3ZTkrEx + url: https://semgrep.dev/playground/r/3ZTkrEx/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf origin: community languages: - scala @@ -25381,8 +25381,8 @@ rules: semgrep.dev: rule: rule_id: qNUQ7w - version_id: d6TD0K - url: https://semgrep.dev/playground/r/d6TD0K/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled + version_id: JdTNvQO + url: https://semgrep.dev/playground/r/JdTNvQO/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled origin: community - id: scala.play.security.webservice-ssrf.webservice-ssrf patterns: @@ -25440,8 +25440,8 @@ rules: semgrep.dev: rule: rule_id: PeUxEE - version_id: gETqRr - url: https://semgrep.dev/playground/r/gETqRr/scala.play.security.webservice-ssrf.webservice-ssrf + version_id: WrTW3PB + url: https://semgrep.dev/playground/r/WrTW3PB/scala.play.security.webservice-ssrf.webservice-ssrf origin: community languages: - scala @@ -25479,8 +25479,8 @@ rules: semgrep.dev: rule: rule_id: OrU6W1 - version_id: QkTJYA - url: https://semgrep.dev/playground/r/QkTJYA/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret + version_id: 0bTLeJn + url: https://semgrep.dev/playground/r/0bTLeJn/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret origin: community pattern-either: - pattern: 'com.auth0.jwt.algorithms.Algorithm.HMAC256("..."); 
@@ -25582,8 +25582,8 @@ rules: semgrep.dev: rule: rule_id: wdUA97 - version_id: 3ZTdGb - url: https://semgrep.dev/playground/r/3ZTdGb/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal + version_id: K3TvGY1 + url: https://semgrep.dev/playground/r/K3TvGY1/scala.slick.security.scala-slick-overridesql-literal.scala-slick-overrideSql-literal origin: community - id: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal patterns: @@ -25627,8 +25627,8 @@ rules: semgrep.dev: rule: rule_id: x8UNKe - version_id: 44ToLG - url: https://semgrep.dev/playground/r/44ToLG/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal + version_id: qkT2Bb8 + url: https://semgrep.dev/playground/r/qkT2Bb8/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal origin: community - id: solidity.security.no-bidi-characters.no-bidi-characters message: The code must not contain any of Unicode Direction Control Characters @@ -25652,8 +25652,8 @@ rules: semgrep.dev: rule: rule_id: 5rUD6Z - version_id: GxTv7q3 - url: https://semgrep.dev/playground/r/GxTv7q3/solidity.security.no-bidi-characters.no-bidi-characters + version_id: A8T9XQO + url: https://semgrep.dev/playground/r/A8T9XQO/solidity.security.no-bidi-characters.no-bidi-characters origin: community patterns: - pattern-either: @@ -25699,8 +25699,8 @@ rules: semgrep.dev: rule: rule_id: lBUOZk - version_id: DkT6qwy - url: https://semgrep.dev/playground/r/DkT6qwy/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows + version_id: DkT6Y18 + url: https://semgrep.dev/playground/r/DkT6Y18/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows origin: community languages: - swift 
@@ -25794,8 +25794,8 @@ rules: semgrep.dev: rule: rule_id: NbUXOA - version_id: RGTb6W - url: https://semgrep.dev/playground/r/RGTb6W/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted + version_id: e1T03rw + url: https://semgrep.dev/playground/r/e1T03rw/terraform.aws.security.aws-athena-workgroup-unencrypted.aws-athena-workgroup-unencrypted origin: community - id: terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted patterns: @@ -25836,8 +25836,8 @@ rules: semgrep.dev: rule: rule_id: x8UxrP - version_id: A8TRO1 - url: https://semgrep.dev/playground/r/A8TRO1/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted + version_id: vdTY84K + url: https://semgrep.dev/playground/r/vdTY84K/terraform.aws.security.aws-backup-vault-unencrypted.aws-backup-vault-unencrypted origin: community - id: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk patterns: @@ -25877,8 +25877,8 @@ rules: semgrep.dev: rule: rule_id: wdUl2j - version_id: DkTQPP - url: https://semgrep.dev/playground/r/DkTQPP/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk + version_id: ZRTQpG1 + url: https://semgrep.dev/playground/r/ZRTQpG1/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk origin: community languages: - hcl @@ -25927,8 +25927,8 @@ rules: semgrep.dev: rule: rule_id: OrUl0J - version_id: 0bTv8B - url: https://semgrep.dev/playground/r/0bTv8B/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted + version_id: ExTjAqL + url: https://semgrep.dev/playground/r/ExTjAqL/terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted origin: community - id: terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted patterns: 
@@ -25989,8 +25989,8 @@ rules: semgrep.dev: rule: rule_id: eqUrdZ - version_id: qkTNdD - url: https://semgrep.dev/playground/r/qkTNdD/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted + version_id: LjTqAPO + url: https://semgrep.dev/playground/r/LjTqAPO/terraform.aws.security.aws-codebuild-project-artifacts-unencrypted.aws-codebuild-project-artifacts-unencrypted origin: community - id: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions pattern-either: @@ -26044,8 +26044,8 @@ rules: semgrep.dev: rule: rule_id: DbUo7v - version_id: YDTo19 - url: https://semgrep.dev/playground/r/YDTo19/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions + version_id: gET3OJK + url: https://semgrep.dev/playground/r/gET3OJK/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions origin: community - id: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk patterns: @@ -26085,8 +26085,8 @@ rules: semgrep.dev: rule: rule_id: ZqUGEp - version_id: 5PT6RG - url: https://semgrep.dev/playground/r/5PT6RG/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk + version_id: 3ZTkr60 + url: https://semgrep.dev/playground/r/3ZTkr60/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk origin: community languages: - hcl @@ -26134,8 +26134,8 @@ rules: semgrep.dev: rule: rule_id: AbU1WN - version_id: GxT2ne - url: https://semgrep.dev/playground/r/GxT2ne/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled + version_id: 44TR6gP + url: https://semgrep.dev/playground/r/44TR6gP/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled origin: community - id: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk patterns: 
@@ -26178,8 +26178,8 @@ rules: semgrep.dev: rule: rule_id: L1UPY9 - version_id: 0bTv8O - url: https://semgrep.dev/playground/r/0bTv8O/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk + version_id: A8T9Xe6 + url: https://semgrep.dev/playground/r/A8T9Xe6/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk origin: community languages: - hcl @@ -26229,8 +26229,8 @@ rules: semgrep.dev: rule: rule_id: YGUKl1 - version_id: K3TlDN - url: https://semgrep.dev/playground/r/K3TlDN/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted + version_id: BjTXpzE + url: https://semgrep.dev/playground/r/BjTXpzE/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted origin: community - id: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled patterns: @@ -26290,8 +26290,8 @@ rules: semgrep.dev: rule: rule_id: zdU0Wo - version_id: 6xTer5 - url: https://semgrep.dev/playground/r/6xTer5/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled + version_id: K3TvGrv + url: https://semgrep.dev/playground/r/K3TvGrv/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled origin: community - id: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags patterns: @@ -26337,8 +26337,8 @@ rules: semgrep.dev: rule: rule_id: KxUB4o - version_id: 2KT1ZP - url: https://semgrep.dev/playground/r/2KT1ZP/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags + version_id: 6xTvQDq + url: https://semgrep.dev/playground/r/6xTvQDq/terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags origin: community - id: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk patterns: 
@@ -26381,8 +26381,8 @@ rules: semgrep.dev: rule: rule_id: gxUJ4n - version_id: jQTK8r - url: https://semgrep.dev/playground/r/jQTK8r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk + version_id: zyTKDWY + url: https://semgrep.dev/playground/r/zyTKDWY/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk origin: community languages: - hcl @@ -26427,8 +26427,8 @@ rules: semgrep.dev: rule: rule_id: PeU0L7 - version_id: bZTGn5 - url: https://semgrep.dev/playground/r/bZTGn5/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk + version_id: 1QTO7PY + url: https://semgrep.dev/playground/r/1QTO7PY/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk origin: community languages: - hcl @@ -26473,8 +26473,8 @@ rules: semgrep.dev: rule: rule_id: JDU6gw - version_id: NdT1bZ - url: https://semgrep.dev/playground/r/NdT1bZ/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk + version_id: 9lTd5J5 + url: https://semgrep.dev/playground/r/9lTd5J5/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk origin: community languages: - hcl @@ -26518,8 +26518,8 @@ rules: semgrep.dev: rule: rule_id: 5rUp50 - version_id: kbT7EW - url: https://semgrep.dev/playground/r/kbT7EW/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk + version_id: yeTRZNx + url: https://semgrep.dev/playground/r/yeTRZNx/terraform.aws.security.aws-fsx-lustre-filesystem-encrypted-with-cmk.aws-fsx-lustre-filesystem-encrypted-with-cmk origin: community languages: - hcl 
@@ -26562,8 +26562,8 @@ rules: semgrep.dev: rule: rule_id: GdUzwK - version_id: w8T3EN - url: https://semgrep.dev/playground/r/w8T3EN/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk + version_id: rxTy4D1 + url: https://semgrep.dev/playground/r/rxTy4D1/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk origin: community languages: - hcl @@ -26606,8 +26606,8 @@ rules: semgrep.dev: rule: rule_id: ReUqv6 - version_id: xyT4Ew - url: https://semgrep.dev/playground/r/xyT4Ew/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk + version_id: bZTb9BE + url: https://semgrep.dev/playground/r/bZTb9BE/terraform.aws.security.aws-fsx-windows-encrypted-with-cmk.aws-fsx-windows-encrypted-with-cmk origin: community languages: - hcl @@ -26650,8 +26650,8 @@ rules: semgrep.dev: rule: rule_id: WAUNxL - version_id: d6TDoE - url: https://semgrep.dev/playground/r/d6TDoE/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk + version_id: xyTKpN3 + url: https://semgrep.dev/playground/r/xyTKpN3/terraform.aws.security.aws-imagebuilder-component-encrypted-with-cmk.aws-imagebuilder-component-encrypted-with-cmk origin: community languages: - hcl @@ -26694,8 +26694,8 @@ rules: semgrep.dev: rule: rule_id: KxU5yW - version_id: ExTnlP - url: https://semgrep.dev/playground/r/ExTnlP/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk + version_id: vdTY8OK + url: https://semgrep.dev/playground/r/vdTY8OK/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk origin: community languages: - hcl 
@@ -26746,8 +26746,8 @@ rules: semgrep.dev: rule: rule_id: 8GU72N - version_id: 7ZTOGj - url: https://semgrep.dev/playground/r/7ZTOGj/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted + version_id: d6TrvKN + url: https://semgrep.dev/playground/r/d6TrvKN/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted origin: community - id: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk patterns: @@ -26787,8 +26787,8 @@ rules: semgrep.dev: rule: rule_id: qNUWqn - version_id: LjT0nW - url: https://semgrep.dev/playground/r/LjT0nW/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk + version_id: ZRTQpl1 + url: https://semgrep.dev/playground/r/ZRTQpl1/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk origin: community languages: - hcl @@ -26853,8 +26853,8 @@ rules: semgrep.dev: rule: rule_id: 5rUp5w - version_id: 3ZTdZ8 - url: https://semgrep.dev/playground/r/3ZTdZ8/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted + version_id: LjTqAEO + url: https://semgrep.dev/playground/r/LjTqAEO/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted origin: community - id: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active patterns: 
@@ -26905,8 +26905,8 @@ rules: semgrep.dev: rule: rule_id: eqUl1O - version_id: PkTY9P - url: https://semgrep.dev/playground/r/PkTY9P/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active + version_id: gET3OyK + url: https://semgrep.dev/playground/r/gET3OyK/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active origin: community - id: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk patterns: @@ -26947,8 +26947,8 @@ rules: semgrep.dev: rule: rule_id: ReUqvX - version_id: A8TRK4 - url: https://semgrep.dev/playground/r/A8TRK4/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk + version_id: GxTv8DA + url: https://semgrep.dev/playground/r/GxTv8DA/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk origin: community languages: - hcl @@ -26991,8 +26991,8 @@ rules: semgrep.dev: rule: rule_id: AbUeYR - version_id: BjTElw - url: https://semgrep.dev/playground/r/BjTElw/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk + version_id: RGTDRK5 + url: https://semgrep.dev/playground/r/RGTDRK5/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk origin: community languages: - hcl @@ -27035,8 +27035,8 @@ rules: semgrep.dev: rule: rule_id: BYUzYY - version_id: DkTQgO - url: https://semgrep.dev/playground/r/DkTQgO/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk + version_id: A8T9X36 + url: https://semgrep.dev/playground/r/A8T9X36/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk origin: community languages: - hcl 
@@ -27079,8 +27079,8 @@ rules: semgrep.dev: rule: rule_id: DbUx8z - version_id: WrTbDb - url: https://semgrep.dev/playground/r/WrTbDb/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk + version_id: BjTXpeE + url: https://semgrep.dev/playground/r/BjTXpeE/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk origin: community languages: - hcl @@ -27130,8 +27130,8 @@ rules: semgrep.dev: rule: rule_id: WAUNrz - version_id: 0bTvDO - url: https://semgrep.dev/playground/r/0bTvDO/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted + version_id: DkT6YG8 + url: https://semgrep.dev/playground/r/DkT6YG8/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted origin: community - id: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues patterns: @@ -27184,8 +27184,8 @@ rules: semgrep.dev: rule: rule_id: 0oUrWL - version_id: 6xTe35 - url: https://semgrep.dev/playground/r/6xTe35/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues + version_id: l4T46Xr + url: https://semgrep.dev/playground/r/l4T46Xr/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues origin: community - id: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address patterns: @@ -27239,8 +27239,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUo79 - version_id: o5Tnve - url: https://semgrep.dev/playground/r/o5Tnve/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address + version_id: YDTpnYR + url: https://semgrep.dev/playground/r/YDTpnYR/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address origin: community - id: terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk patterns: 
@@ -27280,8 +27280,8 @@ rules: semgrep.dev: rule: rule_id: KxU5Nn - version_id: zyT5dy - url: https://semgrep.dev/playground/r/zyT5dy/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk + version_id: JdTNvoP + url: https://semgrep.dev/playground/r/JdTNvoP/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk origin: community languages: - hcl @@ -27325,8 +27325,8 @@ rules: semgrep.dev: rule: rule_id: qNUWl1 - version_id: pZTrow - url: https://semgrep.dev/playground/r/pZTrow/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public + version_id: 5PTdeN8 + url: https://semgrep.dev/playground/r/5PTdeN8/terraform.aws.security.aws-transfer-server-is-public.aws-transfer-server-is-public origin: community languages: - hcl @@ -27374,8 +27374,8 @@ rules: semgrep.dev: rule: rule_id: lBUWB9 - version_id: 2KT1eP - url: https://semgrep.dev/playground/r/2KT1eP/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted + version_id: GxTv8or + url: https://semgrep.dev/playground/r/GxTv8or/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted origin: community - id: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted patterns: @@ -27419,8 +27419,8 @@ rules: semgrep.dev: rule: rule_id: YGUAXr - version_id: X0TPEg - url: https://semgrep.dev/playground/r/X0TPEg/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted + version_id: RGTDR2q + url: https://semgrep.dev/playground/r/RGTDR2q/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted origin: community - id: terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption patterns: 
@@ -27463,8 +27463,8 @@ rules: semgrep.dev: rule: rule_id: wdUljO - version_id: 1QTjB4 - url: https://semgrep.dev/playground/r/1QTjB4/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption + version_id: BjTXpKK + url: https://semgrep.dev/playground/r/BjTXpKK/terraform.aws.security.missing-athena-workgroup-encryption.missing-athena-workgroup-encryption origin: community - id: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy metadata: @@ -27493,8 +27493,8 @@ rules: semgrep.dev: rule: rule_id: 7KU3dr - version_id: GxTvzYN - url: https://semgrep.dev/playground/r/GxTvzYN/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy + version_id: DkT6Y2N + url: https://semgrep.dev/playground/r/DkT6Y2N/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy origin: community message: "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users @@ -27583,8 +27583,8 @@ rules: semgrep.dev: rule: rule_id: WAUynd - version_id: w8T3rN - url: https://semgrep.dev/playground/r/w8T3rN/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered + version_id: rxTy46E + url: https://semgrep.dev/playground/r/rxTy46E/terraform.azure.security.appservice.appservice-account-identity-registered.appservice-account-identity-registered origin: community languages: - hcl @@ -27629,8 +27629,8 @@ rules: semgrep.dev: rule: rule_id: v8UNL7 - version_id: 44Topr - url: https://semgrep.dev/playground/r/44Topr/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version + version_id: 8KTQyKe + url: https://semgrep.dev/playground/r/8KTQyKe/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version origin: community languages: - hcl 
@@ -27693,8 +27693,8 @@ rules: semgrep.dev: rule: rule_id: 6JU1X8 - version_id: e1TxQN - url: https://semgrep.dev/playground/r/e1TxQN/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled + version_id: xyTKppv + url: https://semgrep.dev/playground/r/xyTKppv/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled origin: community languages: - hcl @@ -27754,8 +27754,8 @@ rules: semgrep.dev: rule: rule_id: oqU41L - version_id: vdT2ez - url: https://semgrep.dev/playground/r/vdT2ez/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 + version_id: O9TNddn + url: https://semgrep.dev/playground/r/O9TNddn/terraform.azure.security.functionapp.functionapp-enable-http2.functionapp-enable-http2 origin: community languages: - hcl @@ -27817,8 +27817,8 @@ rules: semgrep.dev: rule: rule_id: 4bU1jy - version_id: ExTn7G - url: https://semgrep.dev/playground/r/ExTn7G/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl + version_id: nWTxooG + url: https://semgrep.dev/playground/r/nWTxooG/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl origin: community languages: - hcl @@ -27889,8 +27889,8 @@ rules: semgrep.dev: rule: rule_id: GdUreY - version_id: 7ZTO02 - url: https://semgrep.dev/playground/r/7ZTO02/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass + version_id: ExTjAAr + url: https://semgrep.dev/playground/r/ExTjAAr/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass origin: community languages: - hcl 
@@ -27938,8 +27938,8 @@ rules: semgrep.dev: rule: rule_id: zdUY3N - version_id: LjT0Z1 - url: https://semgrep.dev/playground/r/LjT0Z1/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny + version_id: 7ZTgnnb + url: https://semgrep.dev/playground/r/7ZTgnnb/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny origin: community languages: - hcl @@ -28001,8 +28001,8 @@ rules: semgrep.dev: rule: rule_id: ReU3L9 - version_id: gETqd4 - url: https://semgrep.dev/playground/r/gETqd4/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging + version_id: 8KTQyy9 + url: https://semgrep.dev/playground/r/8KTQyy9/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging origin: community languages: - hcl @@ -28052,8 +28052,8 @@ rules: semgrep.dev: rule: rule_id: 0oUELR - version_id: w8T3OQ - url: https://semgrep.dev/playground/r/w8T3OQ/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push + version_id: WrTW381 + url: https://semgrep.dev/playground/r/WrTW381/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push origin: community - id: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging patterns: @@ -28108,8 +28108,8 @@ rules: semgrep.dev: rule: rule_id: x8UGx7 - version_id: xyT47L - url: https://semgrep.dev/playground/r/xyT47L/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging + version_id: 0bTLeoA + url: https://semgrep.dev/playground/r/0bTLeoA/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging origin: community - id: terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled patterns: 
@@ -28159,8 +28159,8 @@ rules: semgrep.dev: rule: rule_id: KxU4v6 - version_id: O9TygN - url: https://semgrep.dev/playground/r/O9TygN/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled + version_id: K3TvGop + url: https://semgrep.dev/playground/r/K3TvGop/terraform.lang.security.eks-public-endpoint-enabled.eks-public-endpoint-enabled origin: community - id: terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest patterns: @@ -28209,8 +28209,8 @@ rules: semgrep.dev: rule: rule_id: qNUo2d - version_id: e1TxNg - url: https://semgrep.dev/playground/r/e1TxNg/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest + version_id: qkT2BON + url: https://semgrep.dev/playground/r/qkT2BON/terraform.lang.security.elastic-search-encryption-at-rest.elastic-search-encryption-at-rest origin: community - id: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges pattern-either: @@ -28317,8 +28317,8 @@ rules: semgrep.dev: rule: rule_id: NbUNDX - version_id: vdT27p - url: https://semgrep.dev/playground/r/vdT27p/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges + version_id: l4T46ZP + url: https://semgrep.dev/playground/r/l4T46ZP/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges origin: community languages: - hcl @@ -28525,8 +28525,8 @@ rules: semgrep.dev: rule: rule_id: kxUwK2 - version_id: d6TDdj - url: https://semgrep.dev/playground/r/d6TDdj/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure + version_id: YDTpnEX + url: https://semgrep.dev/playground/r/YDTpnEX/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure origin: community languages: - hcl 
@@ -28641,8 +28641,8 @@ rules: semgrep.dev: rule: rule_id: wdUj1k - version_id: ZRTwYq - url: https://semgrep.dev/playground/r/ZRTwYq/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration + version_id: 6xTvQRb + url: https://semgrep.dev/playground/r/6xTvQRb/terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration origin: community languages: - hcl @@ -28756,8 +28756,8 @@ rules: semgrep.dev: rule: rule_id: x8UxLq - version_id: nWT7gr - url: https://semgrep.dev/playground/r/nWT7gr/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs + version_id: o5Tg9Lg + url: https://semgrep.dev/playground/r/o5Tg9Lg/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs origin: community languages: - hcl @@ -28860,8 +28860,8 @@ rules: semgrep.dev: rule: rule_id: OrU6jO - version_id: ExTn0K - url: https://semgrep.dev/playground/r/ExTn0K/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users + version_id: zyTKDBj + url: https://semgrep.dev/playground/r/zyTKDBj/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users origin: community languages: - hcl @@ -28998,8 +28998,8 @@ rules: semgrep.dev: rule: rule_id: eqUzR3 - version_id: 7ZTO4W - url: https://semgrep.dev/playground/r/7ZTO4W/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles + version_id: pZT1L26 + url: https://semgrep.dev/playground/r/pZT1L26/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles origin: community languages: - hcl @@ -30133,8 +30133,8 @@ rules: semgrep.dev: rule: rule_id: v8U9r0 - version_id: LjT08E - url: https://semgrep.dev/playground/r/LjT08E/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure + version_id: 2KTz3Rb + url: https://semgrep.dev/playground/r/2KTz3Rb/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure origin: community languages: - hcl 
@@ -30214,8 +30214,8 @@ rules: semgrep.dev: rule: rule_id: d8Uew3 - version_id: 8KTb8v - url: https://semgrep.dev/playground/r/8KTb8v/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions + version_id: X0TQ2YZ + url: https://semgrep.dev/playground/r/X0TQ2YZ/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions origin: community languages: - hcl @@ -30257,8 +30257,8 @@ rules: semgrep.dev: rule: rule_id: eqUrzK - version_id: QkTJe0 - url: https://semgrep.dev/playground/r/QkTJe0/terraform.lang.security.rds-public-access.rds-public-access + version_id: 1QTO7Ed + url: https://semgrep.dev/playground/r/1QTO7Ed/terraform.lang.security.rds-public-access.rds-public-access origin: community - id: terraform.lang.security.s3-cors-all-origins.all-origins-allowed patterns: @@ -30292,8 +30292,8 @@ rules: semgrep.dev: rule: rule_id: lBUd4g - version_id: 3ZTd0r - url: https://semgrep.dev/playground/r/3ZTd0r/terraform.lang.security.s3-cors-all-origins.all-origins-allowed + version_id: 9lTd53Z + url: https://semgrep.dev/playground/r/9lTd53Z/terraform.lang.security.s3-cors-all-origins.all-origins-allowed origin: community - id: terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket patterns: @@ -30336,8 +30336,8 @@ rules: semgrep.dev: rule: rule_id: YGUrp5 - version_id: 44To0E - url: https://semgrep.dev/playground/r/44To0E/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket + version_id: yeTRZqN + url: https://semgrep.dev/playground/r/yeTRZqN/terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket origin: community - id: typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard message: 'Unescaped ''.'' character in CORS domain regex $CORS: $PATTERN' 
@@ -30364,8 +30364,8 @@ rules: semgrep.dev: rule: rule_id: qNUbXo - version_id: PkTJ0Yq - url: https://semgrep.dev/playground/r/PkTJ0Yq/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard + version_id: ZRTQpDy + url: https://semgrep.dev/playground/r/ZRTQpDy/typescript.lang.security.audit.cors-regex-wildcard.cors-regex-wildcard origin: community languages: - ts @@ -30412,8 +30412,8 @@ rules: semgrep.dev: rule: rule_id: pKUG17 - version_id: 0bTvPk - url: https://semgrep.dev/playground/r/0bTvPk/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any + version_id: nWTxoQd + url: https://semgrep.dev/playground/r/nWTxoQd/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any origin: community languages: - typescript @@ -30464,8 +30464,8 @@ rules: semgrep.dev: rule: rule_id: 2ZU4zx - version_id: K3TlWB - url: https://semgrep.dev/playground/r/K3TlWB/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled + version_id: ExTjAeb + url: https://semgrep.dev/playground/r/ExTjAeb/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled origin: community languages: - typescript @@ -30504,8 +30504,8 @@ rules: semgrep.dev: rule: rule_id: X5UZQK - version_id: qkTN8P - url: https://semgrep.dev/playground/r/qkTN8P/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect + version_id: 7ZTgnKJ + url: https://semgrep.dev/playground/r/7ZTgnKJ/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect origin: community languages: - typescript 
@@ -30524,99 +30524,6 @@ rules: - pattern-not: 'return {url: "..."} ' -- id: typescript.react.security.audit.react-href-var.react-href-var - message: Detected a variable used in an anchor tag with the 'href' attribute. A - malicious actor may be able to input the 'javascript:' URI, which could cause - cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within - your application. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://reactjs.org/blog/2019/08/08/react-v16.9.0.html#deprecating-javascript-urls - - https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part1.html - category: security - confidence: LOW - technology: - - react - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.audit.react-href-var.react-href-var - shortlink: https://sg.run/bDZZ - semgrep.dev: - rule: - rule_id: OrUGkk - version_id: 6xTeP3 - url: https://semgrep.dev/playground/r/6xTeP3/typescript.react.security.audit.react-href-var.react-href-var - origin: community - languages: - - typescript - - javascript - severity: WARNING - mode: taint - pattern-sources: - - label: TAINTED - patterns: - - pattern-either: - - pattern-inside: 'function ...({..., $X, ...}) { ... } - - ' - - pattern-inside: 'function ...(..., $X, ...) { ... } - - ' - - focus-metavariable: "$X" - - pattern-either: - - pattern: "$X.$Y" - - pattern: "$X[...]" - - pattern-not-inside: "$F. ... .$SANITIZEUNC(...)\n" - - label: CONCAT - requires: TAINTED - patterns: - - pattern-either: - - pattern: "`...${$X}...`\n" - - pattern: "$SANITIZE + <... 
$X ...>\n" - - pattern-not: "`${$X}...`\n" - - pattern-not: "$X + ...\n" - - focus-metavariable: "$X" - - label: CLEAN - by-side-effect: true - patterns: - - pattern-either: - - pattern: "$A($SOURCE)" - - pattern: "$SANITIZE. ... .$A($SOURCE)" - - pattern: "$A. ... .$SANITIZE($SOURCE)" - - focus-metavariable: "$SOURCE" - - metavariable-regex: - metavariable: "$A" - regex: "(?i)(.*valid|.*sanitiz)" - pattern-sinks: - - requires: TAINTED and not CONCAT and not CLEAN - patterns: - - focus-metavariable: "$X" - - pattern-either: - - pattern: "<$EL href={$X} />\n" - - pattern: 'React.createElement($EL, {href: $X}) - - ' - - pattern-inside: | - $PARAMS = {href: $X}; - ... - React.createElement($EL, $PARAMS); - - metavariable-pattern: - patterns: - - pattern-not-regex: "(?i)(button)" - metavariable: "$EL" - id: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property message: Property decoded from JWT token without verifying and cannot be trustworthy. metadata: @@ -30642,8 +30549,8 @@ rules: semgrep.dev: rule: rule_id: d8Uzqz - version_id: pZTr75 - url: https://semgrep.dev/playground/r/pZTr75/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property + version_id: 0bTLeGA + url: https://semgrep.dev/playground/r/0bTLeGA/typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property origin: community languages: - typescript @@ -30683,8 +30590,8 @@ rules: semgrep.dev: rule: rule_id: ZqUq6g - version_id: 2KT1JJ - url: https://semgrep.dev/playground/r/2KT1JJ/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage + version_id: K3TvGgp + url: https://semgrep.dev/playground/r/K3TvGgp/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage origin: community languages: - typescript 
@@ -30734,8 +30641,8 @@ rules: semgrep.dev: rule: rule_id: kxURd4 - version_id: xyT4eL - url: https://semgrep.dev/playground/r/xyT4eL/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html + version_id: WrTW3Gy + url: https://semgrep.dev/playground/r/WrTW3Gy/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html origin: community languages: - typescript @@ -30838,8 +30745,8 @@ rules: semgrep.dev: rule: rule_id: eqUvZ9 - version_id: e1Txkg - url: https://semgrep.dev/playground/r/e1Txkg/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume + version_id: K3TvG8r + url: https://semgrep.dev/playground/r/K3TvG8r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume origin: community languages: - yaml @@ -30894,8 +30801,8 @@ rules: semgrep.dev: rule: rule_id: qNUoWr - version_id: pZT1OYB - url: https://semgrep.dev/playground/r/pZT1OYB/yaml.docker-compose.security.no-new-privileges.no-new-privileges + version_id: qkT2BLp + url: https://semgrep.dev/playground/r/qkT2BLp/yaml.docker-compose.security.no-new-privileges.no-new-privileges origin: community languages: - yaml @@ -30941,8 +30848,8 @@ rules: semgrep.dev: rule: rule_id: lBUdW3 - version_id: ZRTwPq - url: https://semgrep.dev/playground/r/ZRTwPq/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled + version_id: YDTpnk2 + url: https://semgrep.dev/playground/r/YDTpnk2/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled origin: community languages: - yaml 
@@ -30989,8 +30896,8 @@ rules: semgrep.dev: rule: rule_id: YGUrAG - version_id: nWT74r - url: https://semgrep.dev/playground/r/nWT74r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled + version_id: 6xTvQGQ + url: https://semgrep.dev/playground/r/6xTvQGQ/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled origin: community languages: - yaml @@ -31045,8 +30952,8 @@ rules: semgrep.dev: rule: rule_id: v8U5vN - version_id: ExTnDK - url: https://semgrep.dev/playground/r/ExTnDK/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service + version_id: o5Tg9ob + url: https://semgrep.dev/playground/r/o5Tg9ob/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service origin: community languages: - yaml @@ -31088,8 +30995,8 @@ rules: semgrep.dev: rule: rule_id: X5Udrd - version_id: LjT0bE - url: https://semgrep.dev/playground/r/LjT0bE/yaml.github-actions.security.curl-eval.curl-eval + version_id: pZT1Le2 + url: https://semgrep.dev/playground/r/pZT1Le2/yaml.github-actions.security.curl-eval.curl-eval origin: community patterns: - pattern-inside: 'steps: [...]' @@ -31145,8 +31052,8 @@ rules: semgrep.dev: rule: rule_id: d8Ulkd - version_id: gETq2e - url: https://semgrep.dev/playground/r/gETq2e/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout + version_id: X0TQ2kn + url: https://semgrep.dev/playground/r/X0TQ2kn/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout origin: community patterns: - pattern-either: 
@@ -31214,8 +31121,8 @@ rules: semgrep.dev: rule: rule_id: WAUP0z - version_id: 5PT6Dr - url: https://semgrep.dev/playground/r/5PT6Dr/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled + version_id: xyTKp0E + url: https://semgrep.dev/playground/r/xyTKp0E/yaml.kubernetes.security.env.flask-debugging-enabled.flask-debugging-enabled origin: community patterns: - pattern-inside: 'env: [...] @@ -31259,8 +31166,8 @@ rules: semgrep.dev: rule: rule_id: nJUYPE - version_id: RGTbGr - url: https://semgrep.dev/playground/r/RGTbGr/yaml.kubernetes.security.hostipc-pod.hostipc-pod + version_id: e1T03bQ + url: https://semgrep.dev/playground/r/e1T03bQ/yaml.kubernetes.security.hostipc-pod.hostipc-pod origin: community languages: - yaml @@ -31298,8 +31205,8 @@ rules: semgrep.dev: rule: rule_id: EwU4NO - version_id: A8TR7n - url: https://semgrep.dev/playground/r/A8TR7n/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod + version_id: vdTY8ol + url: https://semgrep.dev/playground/r/vdTY8ol/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod origin: community languages: - yaml @@ -31338,8 +31245,8 @@ rules: semgrep.dev: rule: rule_id: 7KUeo0 - version_id: BjTE0Q - url: https://semgrep.dev/playground/r/BjTE0Q/yaml.kubernetes.security.hostpid-pod.hostpid-pod + version_id: d6Trv7J + url: https://semgrep.dev/playground/r/d6Trv7J/yaml.kubernetes.security.hostpid-pod.hostpid-pod origin: community languages: - yaml @@ -31408,8 +31315,8 @@ rules: semgrep.dev: rule: rule_id: L1UAxy - version_id: qkTNnP - url: https://semgrep.dev/playground/r/qkTNnP/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value + version_id: LjTqA93 + url: https://semgrep.dev/playground/r/LjTqA93/yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value origin: community languages: - yaml 
@@ -31488,8 +31395,8 @@ rules: semgrep.dev: rule: rule_id: ZqUqeK - version_id: l4T5OK - url: https://semgrep.dev/playground/r/l4T5OK/yaml.kubernetes.security.run-as-non-root.run-as-non-root + version_id: 8KTQyg1 + url: https://semgrep.dev/playground/r/8KTQyg1/yaml.kubernetes.security.run-as-non-root.run-as-non-root origin: community languages: - yaml @@ -31545,8 +31452,8 @@ rules: semgrep.dev: rule: rule_id: nJUYn9 - version_id: RGTbGj - url: https://semgrep.dev/playground/r/RGTbGj/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container + version_id: PkTJd2A + url: https://semgrep.dev/playground/r/PkTJd2A/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container origin: community languages: - yaml diff --git a/assets/semgrep_rules/generated/nonfree/others.yaml b/assets/semgrep_rules/generated/nonfree/others.yaml index 068f39b9..6d74850c 100644 --- a/assets/semgrep_rules/generated/nonfree/others.yaml +++ b/assets/semgrep_rules/generated/nonfree/others.yaml @@ -29,8 +29,8 @@ rules: semgrep.dev: rule: rule_id: BYUKJE - version_id: GxT88Y - url: https://semgrep.dev/playground/r/GxT88Y/generic.dockerfile.missing-zypper-no-confirm-switch.missing-zypper-no-confirm-switch + version_id: K3TvjOd + url: https://semgrep.dev/playground/r/K3TvjOd/generic.dockerfile.missing-zypper-no-confirm-switch.missing-zypper-no-confirm-switch origin: community paths: include: @@ -57,8 +57,8 @@ rules: semgrep.dev: rule: rule_id: eqUz1k - version_id: qkTwjn - url: https://semgrep.dev/playground/r/qkTwjn/javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state + version_id: LjTqQeA + url: https://semgrep.dev/playground/r/LjTqQeA/javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state origin: community - id: ocaml.lang.compatibility.deprecated.deprecated-pervasives pattern: Pervasives.$X 
@@ -76,8 +76,8 @@ rules: semgrep.dev: rule: rule_id: 3qUP1E - version_id: X0TADB - url: https://semgrep.dev/playground/r/X0TADB/ocaml.lang.compatibility.deprecated.deprecated-pervasives + version_id: w8T9noW + url: https://semgrep.dev/playground/r/w8T9noW/ocaml.lang.compatibility.deprecated.deprecated-pervasives origin: community - id: ocaml.lang.portability.crlf-support.broken-input-line pattern: 'input_line @@ -101,8 +101,8 @@ rules: semgrep.dev: rule: rule_id: DbUKZX - version_id: kbTOJw - url: https://semgrep.dev/playground/r/kbTOJw/ocaml.lang.portability.crlf-support.broken-input-line + version_id: 7ZTgo3q + url: https://semgrep.dev/playground/r/7ZTgo3q/ocaml.lang.portability.crlf-support.broken-input-line origin: community - id: ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode pattern: open_in @@ -124,8 +124,8 @@ rules: semgrep.dev: rule: rule_id: WAUPAJ - version_id: w8TkYl - url: https://semgrep.dev/playground/r/w8TkYl/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode + version_id: LjTqQgo + url: https://semgrep.dev/playground/r/LjTqQgo/ocaml.lang.portability.crlf-support.prefer-read-in-binary-mode origin: community - id: ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode pattern: open_out @@ -147,8 +147,8 @@ rules: semgrep.dev: rule: rule_id: 0oUJY9 - version_id: xyTd6N - url: https://semgrep.dev/playground/r/xyTd6N/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode + version_id: 8KTQ9rJ + url: https://semgrep.dev/playground/r/8KTQ9rJ/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode origin: community - id: ocaml.lang.portability.slash-tmp.not-portable-tmp-string pattern: '"=~/\/tmp/" 
@@ -168,8 +168,8 @@ rules: semgrep.dev: rule: rule_id: zdU100 - version_id: O9Tv1v - url: https://semgrep.dev/playground/r/O9Tv1v/ocaml.lang.portability.slash-tmp.not-portable-tmp-string + version_id: gET3x7z + url: https://semgrep.dev/playground/r/gET3x7z/ocaml.lang.portability.slash-tmp.not-portable-tmp-string origin: community - id: python.flask.best-practice.use-jsonify.use-jsonify patterns: @@ -210,8 +210,8 @@ rules: semgrep.dev: rule: rule_id: NbUkx6 - version_id: l4TqoX - url: https://semgrep.dev/playground/r/l4TqoX/python.flask.best-practice.use-jsonify.use-jsonify + version_id: 0bTLlv0 + url: https://semgrep.dev/playground/r/0bTLlv0/python.flask.best-practice.use-jsonify.use-jsonify origin: community - id: python.flask.caching.query-string.flask-cache-query-string patterns: @@ -263,8 +263,8 @@ rules: semgrep.dev: rule: rule_id: kxUko3 - version_id: 44TePj - url: https://semgrep.dev/playground/r/44TePj/python.flask.caching.query-string.flask-cache-query-string + version_id: K3Tvjl9 + url: https://semgrep.dev/playground/r/K3Tvjl9/python.flask.caching.query-string.flask-cache-query-string origin: community - id: python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler patterns: @@ -291,8 +291,8 @@ rules: semgrep.dev: rule: rule_id: wdUJe5 - version_id: PkTjry - url: https://semgrep.dev/playground/r/PkTjry/python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler + version_id: qkT2xNz + url: https://semgrep.dev/playground/r/qkT2xNz/python.flask.correctness.access-request-in-wrong-handler.avoid-accessing-request-in-wrong-handler origin: community - id: python.lang.compatibility.python36.python36-compatibility-Popen1 pattern: subprocess.Popen(errors=$X, ...) 
@@ -310,8 +310,8 @@ rules: semgrep.dev: rule: rule_id: nJUz7A - version_id: 44Tejz - url: https://semgrep.dev/playground/r/44Tejz/python.lang.compatibility.python36.python36-compatibility-Popen1 + version_id: zyTK8RP + url: https://semgrep.dev/playground/r/zyTK8RP/python.lang.compatibility.python36.python36-compatibility-Popen1 origin: community - id: python.lang.compatibility.python36.python36-compatibility-Popen2 pattern: subprocess.Popen(encoding=$X, ...) @@ -329,8 +329,8 @@ rules: semgrep.dev: rule: rule_id: EwU2n3 - version_id: PkTj3B - url: https://semgrep.dev/playground/r/PkTj3B/python.lang.compatibility.python36.python36-compatibility-Popen2 + version_id: pZT1y9P + url: https://semgrep.dev/playground/r/pZT1y9P/python.lang.compatibility.python36.python36-compatibility-Popen2 origin: community - id: python.lang.compatibility.python36.python36-compatibility-ssl pattern: ssl.get_ciphers() @@ -348,8 +348,8 @@ rules: semgrep.dev: rule: rule_id: ZqU5wR - version_id: 3ZTLXP - url: https://semgrep.dev/playground/r/3ZTLXP/python.lang.compatibility.python36.python36-compatibility-ssl + version_id: o5Tglxx + url: https://semgrep.dev/playground/r/o5Tglxx/python.lang.compatibility.python36.python36-compatibility-ssl origin: community - id: python.lang.compatibility.python37.python37-compatibility-httpconn pattern: http.client.HTTPConnection(blocksize=$X,...) @@ -369,8 +369,8 @@ rules: semgrep.dev: rule: rule_id: 8GUjbX - version_id: GxToeD - url: https://semgrep.dev/playground/r/GxToeD/python.lang.compatibility.python37.python37-compatibility-httpconn + version_id: jQTgYO6 + url: https://semgrep.dev/playground/r/jQTgYO6/python.lang.compatibility.python37.python37-compatibility-httpconn origin: community - id: python.lang.compatibility.python37.python37-compatibility-httpsconn pattern: http.client.HTTPSConnection(blocksize=$X,...) 
@@ -390,8 +390,8 @@ rules: semgrep.dev: rule: rule_id: gxU1qd - version_id: RGT2L2 - url: https://semgrep.dev/playground/r/RGT2L2/python.lang.compatibility.python37.python37-compatibility-httpsconn + version_id: 1QTOYgK + url: https://semgrep.dev/playground/r/1QTOYgK/python.lang.compatibility.python37.python37-compatibility-httpsconn origin: community - id: python.lang.compatibility.python37.python37-compatibility-importlib pattern: importlib.source_hash() @@ -411,8 +411,8 @@ rules: semgrep.dev: rule: rule_id: 7KUQOl - version_id: JdToxL - url: https://semgrep.dev/playground/r/JdToxL/python.lang.compatibility.python37.python37-compatibility-importlib + version_id: 2KTzrWz + url: https://semgrep.dev/playground/r/2KTzrWz/python.lang.compatibility.python37.python37-compatibility-importlib origin: community - id: python.lang.compatibility.python37.python37-compatibility-importlib2 pattern: import importlib.resources @@ -432,8 +432,8 @@ rules: semgrep.dev: rule: rule_id: L1Uy0n - version_id: 5PTN1p - url: https://semgrep.dev/playground/r/5PTN1p/python.lang.compatibility.python37.python37-compatibility-importlib2 + version_id: X0TQxBO + url: https://semgrep.dev/playground/r/X0TQxBO/python.lang.compatibility.python37.python37-compatibility-importlib2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-importlib3 pattern: import importlib.abc.ResourceReader @@ -453,8 +453,8 @@ rules: semgrep.dev: rule: rule_id: QrUzJ9 - version_id: A8TNdJ - url: https://semgrep.dev/playground/r/A8TNdJ/python.lang.compatibility.python37.python37-compatibility-importlib3 + version_id: 9lTdWDO + url: https://semgrep.dev/playground/r/9lTdWDO/python.lang.compatibility.python37.python37-compatibility-importlib3 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv4network1 pattern: ipaddress.IPv4Network.subnet_of($X) 
@@ -473,8 +473,8 @@ rules: semgrep.dev: rule: rule_id: JDUyqR - version_id: 0bTpzo - url: https://semgrep.dev/playground/r/0bTpzo/python.lang.compatibility.python37.python37-compatibility-ipv4network1 + version_id: NdT3dnB + url: https://semgrep.dev/playground/r/NdT3dnB/python.lang.compatibility.python37.python37-compatibility-ipv4network1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv4network2 pattern: ipaddress.IPv4Network.supernet_of($X) @@ -493,8 +493,8 @@ rules: semgrep.dev: rule: rule_id: 5rUO61 - version_id: K3Twkg - url: https://semgrep.dev/playground/r/K3Twkg/python.lang.compatibility.python37.python37-compatibility-ipv4network2 + version_id: kbTdx4O + url: https://semgrep.dev/playground/r/kbTdx4O/python.lang.compatibility.python37.python37-compatibility-ipv4network2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv6network1 pattern: ipaddress.IPv6Network.subnet_of($X) @@ -513,8 +513,8 @@ rules: semgrep.dev: rule: rule_id: 4bUko0 - version_id: DkT2bY - url: https://semgrep.dev/playground/r/DkT2bY/python.lang.compatibility.python37.python37-compatibility-ipv6network1 + version_id: rxTyLPw + url: https://semgrep.dev/playground/r/rxTyLPw/python.lang.compatibility.python37.python37-compatibility-ipv6network1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-ipv6network2 pattern: ipaddress.IPv6Network.supernet_of($X) @@ -533,8 +533,8 @@ rules: semgrep.dev: rule: rule_id: PeUZYr - version_id: WrTYKq - url: https://semgrep.dev/playground/r/WrTYKq/python.lang.compatibility.python37.python37-compatibility-ipv6network2 + version_id: bZTb10z + url: https://semgrep.dev/playground/r/bZTb10z/python.lang.compatibility.python37.python37-compatibility-ipv6network2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-locale1 pattern: locale.format_string(monetary=$X, ...) 
@@ -554,8 +554,8 @@ rules: semgrep.dev: rule: rule_id: GdU72R - version_id: qkTp7L - url: https://semgrep.dev/playground/r/qkTp7L/python.lang.compatibility.python37.python37-compatibility-locale1 + version_id: w8T9nQK + url: https://semgrep.dev/playground/r/w8T9nQK/python.lang.compatibility.python37.python37-compatibility-locale1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-math1 pattern: math.remainder($X, $Y) @@ -574,8 +574,8 @@ rules: semgrep.dev: rule: rule_id: ReUgbz - version_id: l4TXR1 - url: https://semgrep.dev/playground/r/l4TXR1/python.lang.compatibility.python37.python37-compatibility-math1 + version_id: xyTKZJZ + url: https://semgrep.dev/playground/r/xyTKZJZ/python.lang.compatibility.python37.python37-compatibility-math1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-multiprocess1 pattern: multiprocessing.Process.close() @@ -594,8 +594,8 @@ rules: semgrep.dev: rule: rule_id: AbUzRA - version_id: YDTYeO - url: https://semgrep.dev/playground/r/YDTYeO/python.lang.compatibility.python37.python37-compatibility-multiprocess1 + version_id: O9TNOod + url: https://semgrep.dev/playground/r/O9TNOod/python.lang.compatibility.python37.python37-compatibility-multiprocess1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-multiprocess2 pattern: multiprocessing.Process.kill() @@ -614,8 +614,8 @@ rules: semgrep.dev: rule: rule_id: BYUNE9 - version_id: 6xTy90 - url: https://semgrep.dev/playground/r/6xTy90/python.lang.compatibility.python37.python37-compatibility-multiprocess2 + version_id: e1T017y + url: https://semgrep.dev/playground/r/e1T017y/python.lang.compatibility.python37.python37-compatibility-multiprocess2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-os1 pattern: os.preadv(...) 
@@ -634,8 +634,8 @@ rules: semgrep.dev: rule: rule_id: DbUpQQ - version_id: o5TKDW - url: https://semgrep.dev/playground/r/o5TKDW/python.lang.compatibility.python37.python37-compatibility-os1 + version_id: vdTYNWX + url: https://semgrep.dev/playground/r/vdTYNWX/python.lang.compatibility.python37.python37-compatibility-os1 origin: community - id: python.lang.compatibility.python37.python37-compatibility-os2-ok2 patterns: @@ -658,8 +658,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5vW - version_id: zyTG29 - url: https://semgrep.dev/playground/r/zyTG29/python.lang.compatibility.python37.python37-compatibility-os2-ok2 + version_id: d6TrA98 + url: https://semgrep.dev/playground/r/d6TrA98/python.lang.compatibility.python37.python37-compatibility-os2-ok2 origin: community - id: python.lang.compatibility.python37.python37-compatibility-pdb pattern: pdb.set_trace(header=$X, ...) @@ -679,8 +679,8 @@ rules: semgrep.dev: rule: rule_id: KxUby2 - version_id: pZTb3R - url: https://semgrep.dev/playground/r/pZTb3R/python.lang.compatibility.python37.python37-compatibility-pdb + version_id: ZRTQNjx + url: https://semgrep.dev/playground/r/ZRTQNjx/python.lang.compatibility.python37.python37-compatibility-pdb origin: community - id: python.lang.compatibility.python37.python37-compatibility-textiowrapper pattern: TextIOWrapper.reconfigure(...) @@ -700,8 +700,8 @@ rules: semgrep.dev: rule: rule_id: 3qUPdy - version_id: BjTKZr - url: https://semgrep.dev/playground/r/BjTKZr/python.lang.compatibility.python37.python37-compatibility-textiowrapper + version_id: yeTR2wy + url: https://semgrep.dev/playground/r/yeTR2wy/python.lang.compatibility.python37.python37-compatibility-textiowrapper origin: community - id: python.sqlalchemy.performance.performance-improvements.batch-import pattern: | 
@@ -722,8 +722,8 @@ rules: semgrep.dev: rule: rule_id: AbUWjy - version_id: JdTodZ - url: https://semgrep.dev/playground/r/JdTodZ/python.sqlalchemy.performance.performance-improvements.batch-import + version_id: GxTv8x6 + url: https://semgrep.dev/playground/r/GxTv8x6/python.sqlalchemy.performance.performance-improvements.batch-import origin: community - id: python.sqlalchemy.performance.performance-improvements.len-all-count pattern: len($X.all()) @@ -742,8 +742,8 @@ rules: semgrep.dev: rule: rule_id: ReUPOw - version_id: PkTjgO - url: https://semgrep.dev/playground/r/PkTjgO/python.sqlalchemy.performance.performance-improvements.len-all-count + version_id: 5PTdeP9 + url: https://semgrep.dev/playground/r/5PTdeP9/python.sqlalchemy.performance.performance-improvements.len-all-count origin: community - id: terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret message: Key vault Secret should have a content type set @@ -773,8 +773,8 @@ rules: semgrep.dev: rule: rule_id: 8GUzld - version_id: 2KT8gD - url: https://semgrep.dev/playground/r/2KT8gD/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret + version_id: e1T0338 + url: https://semgrep.dev/playground/r/e1T0338/terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret origin: community languages: - hcl @@ -817,8 +817,8 @@ rules: semgrep.dev: rule: rule_id: j2Uqg5 - version_id: jQTwZL - url: https://semgrep.dev/playground/r/jQTwZL/typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level + version_id: LjTqARd + url: https://semgrep.dev/playground/r/LjTqARd/typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level origin: community languages: - typescript 
@@ -846,8 +846,8 @@ rules: semgrep.dev: rule: rule_id: 10UZOv - version_id: X0TQORq - url: https://semgrep.dev/playground/r/X0TQORq/typescript.react.best-practice.react-find-dom.react-find-dom + version_id: 8KTQy3O + url: https://semgrep.dev/playground/r/8KTQy3O/typescript.react.best-practice.react-find-dom.react-find-dom origin: community languages: - typescript @@ -877,8 +877,8 @@ rules: semgrep.dev: rule: rule_id: 9AUOdB - version_id: 9lTAK8 - url: https://semgrep.dev/playground/r/9lTAK8/typescript.react.best-practice.react-legacy-component.react-legacy-component + version_id: gET3Oro + url: https://semgrep.dev/playground/r/gET3Oro/typescript.react.best-practice.react-legacy-component.react-legacy-component origin: community - id: typescript.react.best-practice.react-props-in-state.react-props-in-state pattern-either: @@ -940,8 +940,8 @@ rules: semgrep.dev: rule: rule_id: yyUvRJ - version_id: vdTJo3 - url: https://semgrep.dev/playground/r/vdTJo3/typescript.react.best-practice.react-props-in-state.react-props-in-state + version_id: QkTWwEY + url: https://semgrep.dev/playground/r/QkTWwEY/typescript.react.best-practice.react-props-in-state.react-props-in-state origin: community languages: - typescript @@ -972,8 +972,8 @@ rules: semgrep.dev: rule: rule_id: r6Uky5 - version_id: K3Tvr5j - url: https://semgrep.dev/playground/r/K3Tvr5j/typescript.react.best-practice.react-props-spreading.react-props-spreading + version_id: 3ZTkr2Z + url: https://semgrep.dev/playground/r/3ZTkr2Z/typescript.react.best-practice.react-props-spreading.react-props-spreading origin: community - id: typescript.react.portability.i18next.i18next-key-format.i18next-key-format patterns: 
@@ -1037,8 +1037,8 @@ rules: semgrep.dev: rule: rule_id: oqUKJr - version_id: 5PTGOw - url: https://semgrep.dev/playground/r/5PTGOw/typescript.react.portability.i18next.i18next-key-format.i18next-key-format + version_id: 44TR6bp + url: https://semgrep.dev/playground/r/44TR6bp/typescript.react.portability.i18next.i18next-key-format.i18next-key-format origin: community - id: typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n patterns: @@ -1071,8 +1071,8 @@ rules: semgrep.dev: rule: rule_id: zdUGrY - version_id: GxTX7Q - url: https://semgrep.dev/playground/r/GxTX7Q/typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n + version_id: PkTJde4 + url: https://semgrep.dev/playground/r/PkTJde4/typescript.react.portability.i18next.jsx-label-not-i18n.jsx-label-not-i18n origin: community - id: typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized patterns: @@ -1104,8 +1104,8 @@ rules: semgrep.dev: rule: rule_id: KxUwo1 - version_id: RGTxgX - url: https://semgrep.dev/playground/r/RGTxgX/typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized + version_id: JdTNvnX + url: https://semgrep.dev/playground/r/JdTNvnX/typescript.react.portability.i18next.jsx-not-internationalized.jsx-not-internationalized origin: community - id: typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message patterns: @@ -1132,8 +1132,8 @@ rules: semgrep.dev: rule: rule_id: qNUpO8 - version_id: A8TlzR - url: https://semgrep.dev/playground/r/A8TlzR/typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message + version_id: 5PTde7b + url: https://semgrep.dev/playground/r/5PTde7b/typescript.react.portability.i18next.mui-snackbar-message.mui-snackbar-message origin: community - id: typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n patterns: 
@@ -1164,6 +1164,6 @@ rules: semgrep.dev: rule: rule_id: nJUPJL - version_id: BjTLNY - url: https://semgrep.dev/playground/r/BjTLNY/typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n + version_id: GxTv8ld + url: https://semgrep.dev/playground/r/GxTv8ld/typescript.react.portability.i18next.useselect-label-not-i18n.useselect-label-not-i18n origin: community diff --git a/assets/semgrep_rules/generated/nonfree/security_noaudit_novuln.yaml b/assets/semgrep_rules/generated/nonfree/security_noaudit_novuln.yaml index dc2ffcfe..66281790 100644 --- a/assets/semgrep_rules/generated/nonfree/security_noaudit_novuln.yaml +++ b/assets/semgrep_rules/generated/nonfree/security_noaudit_novuln.yaml @@ -25,8 +25,8 @@ rules: semgrep.dev: rule: rule_id: zdUkvA - version_id: BjT9E3 - url: https://semgrep.dev/playground/r/BjT9E3/contrib.dlint.dlint-equivalent.insecure-xml-use + version_id: DkT6nYQ + url: https://semgrep.dev/playground/r/DkT6nYQ/contrib.dlint.dlint-equivalent.insecure-xml-use origin: community pattern-either: - patterns: @@ -71,8 +71,8 @@ rules: semgrep.dev: rule: rule_id: NbUk4X - version_id: l4T58p - url: https://semgrep.dev/playground/r/l4T58p/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion + version_id: o5Tglp0 + url: https://semgrep.dev/playground/r/o5Tglp0/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion origin: community languages: - go @@ -147,8 +147,8 @@ rules: semgrep.dev: rule: rule_id: QrU96W - version_id: gETqOo - url: https://semgrep.dev/playground/r/gETqOo/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash + version_id: l4T4vn1 + url: https://semgrep.dev/playground/r/l4T4vn1/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash origin: community - patterns: - pattern-either: 
@@ -199,6 +199,6 @@ rules: semgrep.dev: rule: rule_id: EwUxO1 - version_id: 5PTdprj - url: https://semgrep.dev/playground/r/5PTdprj/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec + version_id: JdTNvlx + url: https://semgrep.dev/playground/r/JdTNvlx/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec origin: community diff --git a/assets/semgrep_rules/generated/nonfree/vulns.yaml b/assets/semgrep_rules/generated/nonfree/vulns.yaml index 9ed47f41..481e0e3c 100644 --- a/assets/semgrep_rules/generated/nonfree/vulns.yaml +++ b/assets/semgrep_rules/generated/nonfree/vulns.yaml @@ -34,8 +34,8 @@ rules: semgrep.dev: rule: rule_id: KxU7Rq - version_id: bZTYGz - url: https://semgrep.dev/playground/r/bZTYGz/bash.curl.security.curl-eval.curl-eval + version_id: zyTK8D1 + url: https://semgrep.dev/playground/r/zyTK8D1/bash.curl.security.curl-eval.curl-eval origin: community mode: taint pattern-sources: @@ -91,8 +91,8 @@ rules: semgrep.dev: rule: rule_id: JDUyw8 - version_id: w8Te3K - url: https://semgrep.dev/playground/r/w8Te3K/c.lang.security.double-free.double-free + version_id: kbTdxL3 + url: https://semgrep.dev/playground/r/kbTdxL3/c.lang.security.double-free.double-free origin: community languages: - c @@ -136,8 +136,8 @@ rules: semgrep.dev: rule: rule_id: WAU9Dz - version_id: xyTY4Z - url: https://semgrep.dev/playground/r/xyTY4Z/c.lang.security.function-use-after-free.function-use-after-free + version_id: w8T9nD5 + url: https://semgrep.dev/playground/r/w8T9nD5/c.lang.security.function-use-after-free.function-use-after-free origin: community languages: - c @@ -168,8 +168,8 @@ rules: semgrep.dev: rule: rule_id: ReUgWx - version_id: YDTPeG - url: https://semgrep.dev/playground/r/YDTPeG/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + version_id: vdTYN8J + url: https://semgrep.dev/playground/r/vdTYN8J/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn origin: community languages: - c 
@@ -229,12 +229,87 @@ rules: semgrep.dev: rule: rule_id: KxUb9l - version_id: 8KTdb0 - url: https://semgrep.dev/playground/r/8KTdb0/c.lang.security.use-after-free.use-after-free + version_id: LjTqQAn + url: https://semgrep.dev/playground/r/LjTqQAn/c.lang.security.use-after-free.use-after-free origin: community languages: - c severity: WARNING +- id: clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe + languages: + - clojure + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://xerces.apache.org/xerces2-j/features.html + source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/xxe-clojure-xml/xxe-clojure-xml.yml + category: security + technology: + - clojure + - xml + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe + shortlink: https://sg.run/v7An + semgrep.dev: + rule: + rule_id: bwU3Gj + version_id: gET3xOd + url: https://semgrep.dev/playground/r/gET3xOd/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe + origin: community + message: DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. 
+ Without prohibiting external entity declarations, this is vulnerable to XML external + entity attacks. Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" + to true. Alternatively, allow DOCTYPE declarations and only prohibit external + entities declarations. This can be done by setting the features "http://xml.org/sax/features/external-general-entities" + and "http://xml.org/sax/features/external-parameter-entities" to false. + patterns: + - pattern-inside: | + (ns ... (:require [clojure.xml :as ...])) + ... + - pattern-either: + - pattern-inside: "(def ... ... ( ... ))\n" + - pattern-inside: "(defn ... ... ( ... ))\n" + - pattern-either: + - pattern: "(clojure.xml/parse $INPUT)" + - patterns: + - pattern-inside: "(doto (javax.xml.parsers.SAXParserFactory/newInstance) ...)\n" + - pattern: (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" + false) + - pattern-not-inside: | + (doto (javax.xml.parsers.SAXParserFactory/newInstance) + ... + (.setFeature "http://xml.org/sax/features/external-general-entities" false) + ... + (.setFeature "http://xml.org/sax/features/external-parameter-entities" false) + ...) + - pattern-not-inside: | + (doto (javax.xml.parsers.SAXParserFactory/newInstance) + ... + (.setFeature "http://xml.org/sax/features/external-parameter-entities" false) + ... + (.setFeature "http://xml.org/sax/features/external-general-entities" false) + ...) - id: clojure.lang.security.use-of-md5.use-of-md5 languages: - clojure @@ -270,8 +345,8 @@ rules: semgrep.dev: rule: rule_id: nJU1ep - version_id: d6TRAq - url: https://semgrep.dev/playground/r/d6TRAq/clojure.lang.security.use-of-md5.use-of-md5 + version_id: QkTW0w9 + url: https://semgrep.dev/playground/r/QkTW0w9/clojure.lang.security.use-of-md5.use-of-md5 origin: community pattern-either: - pattern: (MessageDigest/getInstance "MD5") 
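Review bot: The new rule's id and `source` say `documentbuilderfactory-xxe`, but every pattern in the hunk targets `javax.xml.parsers.SAXParserFactory` or `clojure.xml/parse`, and the message also names SAXParserFactory, so the name will mislead whoever triages its findings. The SAXParserFactory branch fires only on an explicit `(.setFeature "http://apache.org/xml/features/disallow-doctype-decl" false)`, so a factory built with no `setFeature` call at all — which the rule's own message says also has DOCTYPE enabled — yields no finding, and the top-level `pattern-inside` on `(ns ... (:require [clojure.xml :as ...]))` gates that branch too, even though it does not use `clojure.xml`; whether either gap is intended is not visible here. The `control_id` value also carries a typo, `Insecue`. Since the file lives under `generated/` and the rule carries a `source-rule-url`, these presumably need to be fixed in the upstream rule or the generator rather than hand-edited here.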
@@ -280,6 +355,51 @@ rules: - pattern: (java.security.MessageDigest/getInstance "MD5") - pattern: "(java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)" - pattern: "(java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)" +- id: clojure.lang.security.use-of-sha1.use-of-sha1 + languages: + - clojure + severity: WARNING + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function + applications. + metadata: + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html + technology: + - clojure + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-328: Use of Weak Hash' + category: security + subcategory: + - vuln + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Insecure Hashing Algorithm + - Cryptographic Issues + source: https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1 + shortlink: https://sg.run/dvwX + semgrep.dev: + rule: + rule_id: NbUy12 + version_id: 3ZTkQry + url: https://semgrep.dev/playground/r/3ZTkQry/clojure.lang.security.use-of-sha1.use-of-sha1 + origin: community + patterns: + - pattern-either: + - pattern: "(MessageDigest/getInstance $ALGO)" + - pattern: "(java.security.MessageDigest/getInstance $ALGO)" + - metavariable-regex: + metavariable: "$ALGO" + regex: (((org\.apache\.commons\.codec\.digest\.)?MessageDigestAlgorithms/)?"?(SHA-1|SHA1)"?) 
- id: contrib.owasp.java.xxe.documentbuilderfactory.owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory message: DocumentBuilderFactory being instantiated without calling the setFeature functions that are generally used for disabling entity processing, which can allow @@ -309,8 +429,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5Dw - version_id: PkTJZRq - url: https://semgrep.dev/playground/r/PkTJZRq/contrib.owasp.java.xxe.documentbuilderfactory.owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory + version_id: 3ZTkQWk + url: https://semgrep.dev/playground/r/3ZTkQWk/contrib.owasp.java.xxe.documentbuilderfactory.owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory origin: community severity: ERROR patterns: @@ -383,8 +503,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUv3R - version_id: 9lTzQp - url: https://semgrep.dev/playground/r/9lTzQp/csharp.dotnet.security.audit.ldap-injection.ldap-injection + version_id: BjTXrJe + url: https://semgrep.dev/playground/r/BjTXrJe/csharp.dotnet.security.audit.ldap-injection.ldap-injection origin: community languages: - csharp @@ -436,8 +556,8 @@ rules: semgrep.dev: rule: rule_id: x8Up5B - version_id: yeTXkK - url: https://semgrep.dev/playground/r/yeTXkK/csharp.dotnet.security.audit.mass-assignment.mass-assignment + version_id: DkT6nX2 + url: https://semgrep.dev/playground/r/DkT6nX2/csharp.dotnet.security.audit.mass-assignment.mass-assignment origin: community languages: - csharp @@ -501,8 +621,8 @@ rules: semgrep.dev: rule: rule_id: eqU32Y - version_id: bZTGAe - url: https://semgrep.dev/playground/r/bZTGAe/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization + version_id: 0bTLlgl + url: https://semgrep.dev/playground/r/0bTLlgl/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization origin: community languages: - csharp 
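Review bot: The `$ALGO` regex in the new use-of-sha1 rule is anchored at neither end, so what it accepts depends on how this semgrep version applies `metavariable-regex`; writing the anchors explicitly, `regex: ^(((org\.apache\.commons\.codec\.digest\.)?MessageDigestAlgorithms/)?"?(SHA-1|SHA1)"?)$`, states the intent and removes that dependence. The neighbouring use-of-md5 rule (context lines just above the addition) enumerates its accepted forms with `pattern-either` rather than a regex, so the two sibling rules now use different mechanisms for the same check; keeping one style would make them easier to maintain together. As with the rest of this `generated/` file, the change presumably belongs in the upstream rule rather than in a hand edit here.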
@@ -561,8 +681,8 @@ rules: semgrep.dev: rule: rule_id: v8U8Ab - version_id: NdT1DR - url: https://semgrep.dev/playground/r/NdT1DR/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing + version_id: K3Tvj8G + url: https://semgrep.dev/playground/r/K3Tvj8G/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing origin: community languages: - csharp @@ -603,8 +723,8 @@ rules: semgrep.dev: rule: rule_id: x8Uj2k - version_id: 5PT512 - url: https://semgrep.dev/playground/r/5PT512/csharp.dotnet.security.audit.xpath-injection.xpath-injection + version_id: l4T4voZ + url: https://semgrep.dev/playground/r/l4T4voZ/csharp.dotnet.security.audit.xpath-injection.xpath-injection origin: community languages: - csharp @@ -655,8 +775,8 @@ rules: semgrep.dev: rule: rule_id: EwUr68 - version_id: vdT2r2 - url: https://semgrep.dev/playground/r/vdT2r2/csharp.dotnet.security.razor-template-injection.razor-template-injection + version_id: GxTv6YJ + url: https://semgrep.dev/playground/r/GxTv6YJ/csharp.dotnet.security.razor-template-injection.razor-template-injection origin: community languages: - csharp @@ -704,8 +824,8 @@ rules: semgrep.dev: rule: rule_id: WAUJr0 - version_id: d6TDwR - url: https://semgrep.dev/playground/r/d6TDwR/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm + version_id: RGTDknw + url: https://semgrep.dev/playground/r/RGTDknw/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm origin: community languages: - csharp @@ -746,8 +866,8 @@ rules: semgrep.dev: rule: rule_id: 0oUqWP - version_id: ZRTw4j - url: https://semgrep.dev/playground/r/ZRTw4j/csharp.dotnet.security.use_ecb_mode.use_ecb_mode + version_id: A8T950y + url: https://semgrep.dev/playground/r/A8T950y/csharp.dotnet.security.use_ecb_mode.use_ecb_mode origin: community languages: - csharp 
@@ -796,8 +916,8 @@ rules: semgrep.dev: rule: rule_id: KxU3Nq - version_id: nWT7xW - url: https://semgrep.dev/playground/r/nWT7xW/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration + version_id: BjTXrJo + url: https://semgrep.dev/playground/r/BjTXrJo/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration origin: community languages: - csharp @@ -853,8 +973,8 @@ rules: semgrep.dev: rule: rule_id: QrU2G5 - version_id: ExTnjj - url: https://semgrep.dev/playground/r/ExTnjj/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding + version_id: DkT6nXB + url: https://semgrep.dev/playground/r/DkT6nXB/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding origin: community languages: - csharp @@ -897,8 +1017,8 @@ rules: semgrep.dev: rule: rule_id: KxUGLw - version_id: 44ToRg - url: https://semgrep.dev/playground/r/44ToRg/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token + version_id: zyTK8NE + url: https://semgrep.dev/playground/r/zyTK8NE/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token origin: community languages: - csharp @@ -931,8 +1051,8 @@ rules: semgrep.dev: rule: rule_id: gxUy01 - version_id: QkTJWp - url: https://semgrep.dev/playground/r/QkTJWp/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation + version_id: 6xTvJGn + url: https://semgrep.dev/playground/r/6xTvJGn/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation origin: community message: Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead. 
@@ -1059,8 +1179,8 @@ rules: semgrep.dev: rule: rule_id: 3qU3bE - version_id: PkTYJx - url: https://semgrep.dev/playground/r/PkTYJx/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine + version_id: pZT1ye7 + url: https://semgrep.dev/playground/r/pZT1ye7/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine origin: community - id: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings severity: WARNING @@ -1089,8 +1209,8 @@ rules: semgrep.dev: rule: rule_id: 4bUQ81 - version_id: JdTqNo - url: https://semgrep.dev/playground/r/JdTqNo/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings + version_id: 2KTzr5x + url: https://semgrep.dev/playground/r/2KTzr5x/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings origin: community message: The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is @@ -1134,8 +1254,8 @@ rules: semgrep.dev: rule: rule_id: bwUOjK - version_id: GxT2v6 - url: https://semgrep.dev/playground/r/GxT2v6/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization + version_id: jQTgYD5 + url: https://semgrep.dev/playground/r/jQTgYD5/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization origin: community message: The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they 
@@ -1178,8 +1298,8 @@ rules: semgrep.dev: rule: rule_id: kxURnR - version_id: BjTEXb - url: https://semgrep.dev/playground/r/BjTEXb/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization + version_id: yeTR2GJ + url: https://semgrep.dev/playground/r/yeTR2GJ/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization origin: community message: The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability. @@ -1220,8 +1340,8 @@ rules: semgrep.dev: rule: rule_id: wdU87G - version_id: 0bTvLq - url: https://semgrep.dev/playground/r/0bTvLq/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization + version_id: NdT3dGO + url: https://semgrep.dev/playground/r/NdT3dGO/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization origin: community message: The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they @@ -1264,8 +1384,8 @@ rules: semgrep.dev: rule: rule_id: x8UW7x - version_id: K3TlvQ - url: https://semgrep.dev/playground/r/K3TlvQ/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization + version_id: kbTdx34 + url: https://semgrep.dev/playground/r/kbTdx34/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization origin: community message: The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer 
@@ -1308,8 +1428,8 @@ rules: semgrep.dev: rule: rule_id: eqUvND - version_id: l4T54e - url: https://semgrep.dev/playground/r/l4T54e/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization + version_id: xyTKZwK + url: https://semgrep.dev/playground/r/xyTKZwK/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization origin: community message: The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they @@ -1370,8 +1490,8 @@ rules: semgrep.dev: rule: rule_id: ReUK9k - version_id: rxTxy7 - url: https://semgrep.dev/playground/r/rxTxy7/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override + version_id: QkTW02w + url: https://semgrep.dev/playground/r/QkTW02w/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override origin: community - id: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override mode: taint @@ -1423,8 +1543,8 @@ rules: semgrep.dev: rule: rule_id: AbU3pX - version_id: bZTGbe - url: https://semgrep.dev/playground/r/bZTGbe/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override + version_id: 3ZTkQb4 + url: https://semgrep.dev/playground/r/3ZTkQb4/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override origin: community - id: csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults mode: taint 
@@ -1478,8 +1598,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUevk
- version_id: NdT13R
- url: https://semgrep.dev/playground/r/NdT13R/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults
+ version_id: 44TRl89
+ url: https://semgrep.dev/playground/r/44TRl89/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults
 origin: community
 - id: generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key
 message: A gitleaks adafruit-api-key was detected which attempts to identify hard-coded
@@ -1517,8 +1637,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUQj2
- version_id: JdTNP2y
- url: https://semgrep.dev/playground/r/JdTNP2y/generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key
+ version_id: xyTKZ9j
+ url: https://semgrep.dev/playground/r/xyTKZ9j/generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1558,8 +1678,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUqzk
- version_id: 5PTd4B4
- url: https://semgrep.dev/playground/r/5PTd4B4/generic.secrets.gitleaks.adobe-client-id.adobe-client-id
+ version_id: O9TNO48
+ url: https://semgrep.dev/playground/r/O9TNO48/generic.secrets.gitleaks.adobe-client-id.adobe-client-id
 origin: community
 patterns:
 - pattern-regex: (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1599,13 +1719,13 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UlAq
- version_id: GxTv04Z
- url: https://semgrep.dev/playground/r/GxTv04Z/generic.secrets.gitleaks.adobe-client-secret.adobe-client-secret
+ version_id: e1T01E4
+ url: https://semgrep.dev/playground/r/e1T01E4/generic.secrets.gitleaks.adobe-client-secret.adobe-client-secret
 origin: community
 patterns:
 - pattern-regex: (?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
 - id: generic.secrets.gitleaks.age-secret-key.age-secret-key
- message: A gitleaks age secret key was detected which attempts to identify hard-coded
+ message: A gitleaks age-secret-key was detected which attempts to identify hard-coded
 credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide
@@ -1640,8 +1760,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUAnO
- version_id: RGTDPB3
- url: https://semgrep.dev/playground/r/RGTDPB3/generic.secrets.gitleaks.age-secret-key.age-secret-key
+ version_id: vdTYNDo
+ url: https://semgrep.dev/playground/r/vdTYNDo/generic.secrets.gitleaks.age-secret-key.age-secret-key
 origin: community
 patterns:
 - pattern-regex: AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}
@@ -1681,8 +1801,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqUYL3
- version_id: A8T9Wye
- url: https://semgrep.dev/playground/r/A8T9Wye/generic.secrets.gitleaks.airtable-api-key.airtable-api-key
+ version_id: d6TrAnL
+ url: https://semgrep.dev/playground/r/d6TrAnL/generic.secrets.gitleaks.airtable-api-key.airtable-api-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:airtable)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1722,8 +1842,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UKp0
- version_id: BjTXBQe
- url: https://semgrep.dev/playground/r/BjTXBQe/generic.secrets.gitleaks.algolia-api-key.algolia-api-key
+ version_id: ZRTQNBX
+ url: https://semgrep.dev/playground/r/ZRTQNBX/generic.secrets.gitleaks.algolia-api-key.algolia-api-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1763,8 +1883,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UOQ3
- version_id: DkT6W32
- url: https://semgrep.dev/playground/r/DkT6W32/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id
+ version_id: nWTxPdw
+ url: https://semgrep.dev/playground/r/nWTxPdw/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id
 origin: community
 patterns:
 - pattern-regex: (?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1804,8 +1924,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqUk7D
- version_id: WrTWZkE
- url: https://semgrep.dev/playground/r/WrTWZkE/generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key
+ version_id: ExTjNdd
+ url: https://semgrep.dev/playground/r/ExTjNdd/generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1845,8 +1965,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJU58J
- version_id: 0bTLEQl
- url: https://semgrep.dev/playground/r/0bTLEQl/generic.secrets.gitleaks.asana-client-id.asana-client-id
+ version_id: 7ZTgo5w
+ url: https://semgrep.dev/playground/r/7ZTgo5w/generic.secrets.gitleaks.asana-client-id.asana-client-id
 origin: community
 patterns:
 - pattern-regex: (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1886,8 +2006,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwUyp6
- version_id: K3Tv4PG
- url: https://semgrep.dev/playground/r/K3Tv4PG/generic.secrets.gitleaks.asana-client-secret.asana-client-secret
+ version_id: LjTqQxL
+ url: https://semgrep.dev/playground/r/LjTqQxL/generic.secrets.gitleaks.asana-client-secret.asana-client-secret
 origin: community
 patterns:
 - pattern-regex: (?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1927,8 +2047,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUJ1X
- version_id: qkT2o9R
- url: https://semgrep.dev/playground/r/qkT2o9R/generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token
+ version_id: 8KTQ9Wo
+ url: https://semgrep.dev/playground/r/8KTQ9Wo/generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -1968,8 +2088,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oUbQZ
- version_id: l4T4deZ
- url: https://semgrep.dev/playground/r/l4T4deZ/generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key
+ version_id: gET3xLG
+ url: https://semgrep.dev/playground/r/gET3xLG/generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key
 origin: community
 patterns:
 - pattern-regex: (?i)\b((?:sc|ext|scauth|authress)_[a-z0-9]{5,30}\.[a-z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-z0-9+/_=-]{30,120})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2009,8 +2129,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUPqW
- version_id: 6xTvqAG
- url: https://semgrep.dev/playground/r/6xTvqAG/generic.secrets.gitleaks.beamer-api-token.beamer-api-token
+ version_id: 3ZTkQ7G
+ url: https://semgrep.dev/playground/r/3ZTkQ7G/generic.secrets.gitleaks.beamer-api-token.beamer-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:beamer)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(b_[a-z0-9=_\-]{44})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2050,8 +2170,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxUvAp
- version_id: o5TgzWJ
- url: https://semgrep.dev/playground/r/o5TgzWJ/generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id
+ version_id: 44TRlxB
+ url: https://semgrep.dev/playground/r/44TRlxB/generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id
 origin: community
 patterns:
 - pattern-regex: (?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2091,8 +2211,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUR7R
- version_id: zyTKyXQ
- url: https://semgrep.dev/playground/r/zyTKyXQ/generic.secrets.gitleaks.bitbucket-client-secret.bitbucket-client-secret
+ version_id: PkTJ1Ev
+ url: https://semgrep.dev/playground/r/PkTJ1Ev/generic.secrets.gitleaks.bitbucket-client-secret.bitbucket-client-secret
 origin: community
 patterns:
 - pattern-regex: (?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2132,8 +2252,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qU5pK
- version_id: pZT1GqQ
- url: https://semgrep.dev/playground/r/pZT1GqQ/generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key
+ version_id: JdTNp20
+ url: https://semgrep.dev/playground/r/JdTNp20/generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2173,8 +2293,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUKAW
- version_id: 2KTz4AA
- url: https://semgrep.dev/playground/r/2KTz4AA/generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key
+ version_id: 5PTdABZ
+ url: https://semgrep.dev/playground/r/5PTdABZ/generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2214,8 +2334,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeU7WX
- version_id: X0TQZop
- url: https://semgrep.dev/playground/r/X0TQZop/generic.secrets.gitleaks.clojars-api-token.clojars-api-token
+ version_id: GxTv64p
+ url: https://semgrep.dev/playground/r/GxTv64p/generic.secrets.gitleaks.clojars-api-token.clojars-api-token
 origin: community
 patterns:
 - pattern-regex: "(?i)(CLOJARS_)[a-z0-9]{60}"
@@ -2255,8 +2375,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUO3B
- version_id: jQTgqLG
- url: https://semgrep.dev/playground/r/jQTgqLG/generic.secrets.gitleaks.codecov-access-token.codecov-access-token
+ version_id: RGTDkB4
+ url: https://semgrep.dev/playground/r/RGTDkB4/generic.secrets.gitleaks.codecov-access-token.codecov-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2296,8 +2416,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUKPQ
- version_id: 1QTOZ0W
- url: https://semgrep.dev/playground/r/1QTOZ0W/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token
+ version_id: A8T95y7
+ url: https://semgrep.dev/playground/r/A8T95y7/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2337,8 +2457,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUbxy
- version_id: 9lTdOEY
- url: https://semgrep.dev/playground/r/9lTdOEY/generic.secrets.gitleaks.confluent-access-token.confluent-access-token
+ version_id: BjTXrQL
+ url: https://semgrep.dev/playground/r/BjTXrQL/generic.secrets.gitleaks.confluent-access-token.confluent-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2378,8 +2498,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUNQJ
- version_id: yeTRvQW
- url: https://semgrep.dev/playground/r/yeTRvQW/generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key
+ version_id: DkT6n3b
+ url: https://semgrep.dev/playground/r/DkT6n3b/generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key
 origin: community
 patterns:
 - pattern-regex: (?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2419,8 +2539,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUvrB
- version_id: rxTykbp
- url: https://semgrep.dev/playground/r/rxTykbp/generic.secrets.gitleaks.contentful-delivery-api-token.contentful-delivery-api-token
+ version_id: WrTWQkw
+ url: https://semgrep.dev/playground/r/WrTWQkw/generic.secrets.gitleaks.contentful-delivery-api-token.contentful-delivery-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:contentful)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2460,8 +2580,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYU4D6
- version_id: bZTbOxn
- url: https://semgrep.dev/playground/r/bZTbOxn/generic.secrets.gitleaks.databricks-api-token.databricks-api-token
+ version_id: 0bTLlQd
+ url: https://semgrep.dev/playground/r/0bTLlQd/generic.secrets.gitleaks.databricks-api-token.databricks-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)\b(dapi[a-h0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2501,8 +2621,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUB9r
- version_id: NdT3A5L
- url: https://semgrep.dev/playground/r/NdT3A5L/generic.secrets.gitleaks.datadog-access-token.datadog-access-token
+ version_id: K3TvjPd
+ url: https://semgrep.dev/playground/r/K3TvjPd/generic.secrets.gitleaks.datadog-access-token.datadog-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2542,8 +2662,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUqPA
- version_id: kbTdRrN
- url: https://semgrep.dev/playground/r/kbTdRrN/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token
+ version_id: qkT2x90
+ url: https://semgrep.dev/playground/r/qkT2x90/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2583,8 +2703,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUelp
- version_id: w8T984Y
- url: https://semgrep.dev/playground/r/w8T984Y/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token
+ version_id: l4T4ve5
+ url: https://semgrep.dev/playground/r/l4T4ve5/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)\b(doo_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2624,8 +2744,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU073
- version_id: xyTKW9k
- url: https://semgrep.dev/playground/r/xyTKW9k/generic.secrets.gitleaks.digitalocean-pat.digitalocean-pat
+ version_id: YDTp2zP
+ url: https://semgrep.dev/playground/r/YDTp2zP/generic.secrets.gitleaks.digitalocean-pat.digitalocean-pat
 origin: community
 patterns:
 - pattern-regex: (?i)\b(dop_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2665,8 +2785,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUAzk
- version_id: O9TNG4g
- url: https://semgrep.dev/playground/r/O9TNG4g/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token
+ version_id: JdTNp27
+ url: https://semgrep.dev/playground/r/JdTNp27/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token
 origin: community
 patterns:
 - pattern-regex: (?i)\b(dor_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2706,8 +2826,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUA1y
- version_id: e1T0vEk
- url: https://semgrep.dev/playground/r/e1T0vEk/generic.secrets.gitleaks.discord-api-token.discord-api-token
+ version_id: 5PTdAxJ
+ url: https://semgrep.dev/playground/r/5PTdAxJ/generic.secrets.gitleaks.discord-api-token.discord-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2747,8 +2867,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU3rj
- version_id: vdTY5DQ
- url: https://semgrep.dev/playground/r/vdTY5DQ/generic.secrets.gitleaks.discord-client-id.discord-client-id
+ version_id: GxTv6gv
+ url: https://semgrep.dev/playground/r/GxTv6gv/generic.secrets.gitleaks.discord-client-id.discord-client-id
 origin: community
 patterns:
 - pattern-regex: (?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{18})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2788,8 +2908,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUg6J
- version_id: d6Trznx
- url: https://semgrep.dev/playground/r/d6Trznx/generic.secrets.gitleaks.discord-client-secret.discord-client-secret
+ version_id: RGTDkde
+ url: https://semgrep.dev/playground/r/RGTDkde/generic.secrets.gitleaks.discord-client-secret.discord-client-secret
 origin: community
 patterns:
 - pattern-regex: (?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2829,8 +2949,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JU45L
- version_id: ZRTQqBZ
- url: https://semgrep.dev/playground/r/ZRTQqBZ/generic.secrets.gitleaks.doppler-api-token.doppler-api-token
+ version_id: A8T95xr
+ url: https://semgrep.dev/playground/r/A8T95xr/generic.secrets.gitleaks.doppler-api-token.doppler-api-token
 origin: community
 patterns:
 - pattern-regex: "(dp\\.pt\\.)(?i)[a-z0-9]{43}"
@@ -2870,8 +2990,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqUGyn
- version_id: nWTxYdK
- url: https://semgrep.dev/playground/r/nWTxYdK/generic.secrets.gitleaks.droneci-access-token.droneci-access-token
+ version_id: BjTXroN
+ url: https://semgrep.dev/playground/r/BjTXroN/generic.secrets.gitleaks.droneci-access-token.droneci-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:droneci)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2911,8 +3031,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdU6AR
- version_id: ExTj4dJ
- url: https://semgrep.dev/playground/r/ExTj4dJ/generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token
+ version_id: DkT6nLW
+ url: https://semgrep.dev/playground/r/DkT6nLW/generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{15})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2952,8 +3072,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: pKUR69
- version_id: 7ZTge5L
- url: https://semgrep.dev/playground/r/7ZTge5L/generic.secrets.gitleaks.dropbox-long-lived-api-token.dropbox-long-lived-api-token
+ version_id: WrTWQgP
+ url: https://semgrep.dev/playground/r/WrTWQgP/generic.secrets.gitleaks.dropbox-long-lived-api-token.dropbox-long-lived-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -2993,8 +3113,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 2ZUnbl
- version_id: LjTq4x0
- url: https://semgrep.dev/playground/r/LjTq4x0/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token
+ version_id: 0bTLlZ2
+ url: https://semgrep.dev/playground/r/0bTLlZ2/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(sl\.[a-z0-9\-=_]{135})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3034,8 +3154,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: X5UG8Q
- version_id: 8KTQEW2
- url: https://semgrep.dev/playground/r/8KTQEW2/generic.secrets.gitleaks.duffel-api-token.duffel-api-token
+ version_id: K3TvjR5
+ url: https://semgrep.dev/playground/r/K3TvjR5/generic.secrets.gitleaks.duffel-api-token.duffel-api-token
 origin: community
 patterns:
 - pattern-regex: duffel_(test|live)_(?i)[a-z0-9_\-=]{43}
@@ -3075,8 +3195,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UGvl
- version_id: gET3WL9
- url: https://semgrep.dev/playground/r/gET3WL9/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token
+ version_id: qkT2xrQ
+ url: https://semgrep.dev/playground/r/qkT2xrQ/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token
 origin: community
 patterns:
 - pattern-regex: dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}
@@ -3116,8 +3236,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10UJKb
- version_id: QkTW6Lv
- url: https://semgrep.dev/playground/r/QkTW6Lv/generic.secrets.gitleaks.easypost-api-token.easypost-api-token
+ version_id: l4T4vYX
+ url: https://semgrep.dev/playground/r/l4T4vYX/generic.secrets.gitleaks.easypost-api-token.easypost-api-token
 origin: community
 patterns:
 - pattern-regex: "\\bEZAK(?i)[a-z0-9]{54}"
@@ -3157,8 +3277,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AU811
- version_id: 3ZTkBgk
- url: https://semgrep.dev/playground/r/3ZTkBgk/generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token
+ version_id: YDTp2xv
+ url: https://semgrep.dev/playground/r/YDTp2xv/generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token
 origin: community
 patterns:
 - pattern-regex: "\\bEZTK(?i)[a-z0-9]{54}"
@@ -3198,8 +3318,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyUYnv
- version_id: 44TRzJ7
- url: https://semgrep.dev/playground/r/44TRzJ7/generic.secrets.gitleaks.etsy-access-token.etsy-access-token
+ version_id: 6xTvJkJ
+ url: https://semgrep.dev/playground/r/6xTvJkJ/generic.secrets.gitleaks.etsy-access-token.etsy-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3239,8 +3359,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6UBr9
- version_id: PkTJkKW
- url: https://semgrep.dev/playground/r/PkTJkKW/generic.secrets.gitleaks.facebook.facebook
+ version_id: o5TglP9
+ url: https://semgrep.dev/playground/r/o5TglP9/generic.secrets.gitleaks.facebook.facebook
 origin: community
 patterns:
 - pattern-regex: (?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3280,8 +3400,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: bwUPw8
- version_id: JdTNP4y
- url: https://semgrep.dev/playground/r/JdTNP4y/generic.secrets.gitleaks.fastly-api-token.fastly-api-token
+ version_id: zyTK89b
+ url: https://semgrep.dev/playground/r/zyTK89b/generic.secrets.gitleaks.fastly-api-token.fastly-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:fastly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3321,8 +3441,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUvkX
- version_id: 5PTd4x4
- url: https://semgrep.dev/playground/r/5PTd4x4/generic.secrets.gitleaks.finicity-api-token.finicity-api-token
+ version_id: pZT1yJn
+ url: https://semgrep.dev/playground/r/pZT1yJn/generic.secrets.gitleaks.finicity-api-token.finicity-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3362,8 +3482,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUQk2
- version_id: GxTv0gZ
- url: https://semgrep.dev/playground/r/GxTv0gZ/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret
+ version_id: 2KTzrXR
+ url: https://semgrep.dev/playground/r/2KTzrXR/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret
 origin: community
 patterns:
 - pattern-regex: (?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3403,8 +3523,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUqJk
- version_id: RGTDPd3
- url: https://semgrep.dev/playground/r/RGTDPd3/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token
+ version_id: X0TQxpk
+ url: https://semgrep.dev/playground/r/X0TQxpk/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:finnhub)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3444,8 +3564,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8Ulnq
- version_id: A8T9Wxe
- url: https://semgrep.dev/playground/r/A8T9Wxe/generic.secrets.gitleaks.flickr-access-token.flickr-access-token
+ version_id: jQTgYpJ
+ url: https://semgrep.dev/playground/r/jQTgYpJ/generic.secrets.gitleaks.flickr-access-token.flickr-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:flickr)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3485,8 +3605,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUA3O
- version_id: BjTXBoe
- url: https://semgrep.dev/playground/r/BjTXBoe/generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key
+ version_id: 1QTOYnk
+ url: https://semgrep.dev/playground/r/1QTOYnk/generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key
 origin: community
 patterns:
 - pattern-regex: FLWSECK_TEST-(?i)[a-h0-9]{12}
@@ -3526,8 +3646,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqUY83
- version_id: DkT6WL2
- url: https://semgrep.dev/playground/r/DkT6WL2/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key
+ version_id: 9lTdWLn
+ url: https://semgrep.dev/playground/r/9lTdWLn/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key
 origin: community
 patterns:
 - pattern-regex: FLWPUBK_TEST-(?i)[a-h0-9]{32}-X
@@ -3567,8 +3687,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UKn0
- version_id: WrTWZgE
- url: https://semgrep.dev/playground/r/WrTWZgE/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key
+ version_id: yeTR2zQ
+ url: https://semgrep.dev/playground/r/yeTR2zQ/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key
 origin: community
 patterns:
 - pattern-regex: FLWSECK_TEST-(?i)[a-h0-9]{32}-X
@@ -3608,8 +3728,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UOj3
- version_id: 0bTLEZl
- url: https://semgrep.dev/playground/r/0bTLEZl/generic.secrets.gitleaks.frameio-api-token.frameio-api-token
+ version_id: rxTyLXX
+ url: https://semgrep.dev/playground/r/rxTyLXX/generic.secrets.gitleaks.frameio-api-token.frameio-api-token
 origin: community
 patterns:
 - pattern-regex: fio-u-(?i)[a-z0-9\-_=]{64}
@@ -3649,8 +3769,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqUk5D
- version_id: K3Tv4RG
- url: https://semgrep.dev/playground/r/K3Tv4RG/generic.secrets.gitleaks.freshbooks-access-token.freshbooks-access-token
+ version_id: bZTb1JP
+ url: https://semgrep.dev/playground/r/bZTb1JP/generic.secrets.gitleaks.freshbooks-access-token.freshbooks-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:freshbooks)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3690,8 +3810,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJU5zJ
- version_id: qkT2orR
- url: https://semgrep.dev/playground/r/qkT2orR/generic.secrets.gitleaks.gcp-api-key.gcp-api-key
+ version_id: NdT3dEW
+ url: https://semgrep.dev/playground/r/NdT3dEW/generic.secrets.gitleaks.gcp-api-key.gcp-api-key
 origin: community
 patterns:
 - pattern-regex: (?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -3731,8 +3851,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUJQX
- version_id: YDTprxw
- url: https://semgrep.dev/playground/r/YDTprxw/generic.secrets.gitleaks.github-app-token.github-app-token
+ version_id: w8T9nvB
+ url: https://semgrep.dev/playground/r/w8T9nvB/generic.secrets.gitleaks.github-app-token.github-app-token
 origin: community
 patterns:
 - pattern-regex: "(ghu|ghs)_[0-9a-zA-Z]{36}"
@@ -3772,8 +3892,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1ULyp
- version_id: JdTNP4G
- url: https://semgrep.dev/playground/r/JdTNP4G/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat
+ version_id: xyTKZ1g
+ url: https://semgrep.dev/playground/r/xyTKZ1g/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat
 origin: community
 patterns:
 - pattern-regex: github_pat_[0-9a-zA-Z_]{82}
@@ -3813,8 +3933,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUPjW
- version_id: 5PTd4xE
- url: https://semgrep.dev/playground/r/5PTd4xE/generic.secrets.gitleaks.github-oauth.github-oauth
+ version_id: O9TNOr9
+ url: https://semgrep.dev/playground/r/O9TNOr9/generic.secrets.gitleaks.github-oauth.github-oauth
 origin: community
 patterns:
 - pattern-regex: gho_[0-9a-zA-Z]{36}
@@ -3854,8 +3974,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxUv1p
- version_id: GxTv0gJ
- url: https://semgrep.dev/playground/r/GxTv0gJ/generic.secrets.gitleaks.github-pat.github-pat
+ version_id: e1T01w5
+ url: https://semgrep.dev/playground/r/e1T01w5/generic.secrets.gitleaks.github-pat.github-pat
 origin: community
 patterns:
 - pattern-regex: ghp_[0-9a-zA-Z]{36}
@@ -3895,8 +4015,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrURzR
- version_id: RGTDPdw
- url: https://semgrep.dev/playground/r/RGTDPdw/generic.secrets.gitleaks.github-refresh-token.github-refresh-token
+ version_id: vdTYNJe
+ url: https://semgrep.dev/playground/r/vdTYNJe/generic.secrets.gitleaks.github-refresh-token.github-refresh-token
 origin: community
 patterns:
 - pattern-regex: ghr_[0-9a-zA-Z]{36}
@@ -3936,8 +4056,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qU5PK
- version_id: A8T9Wxy
- url: https://semgrep.dev/playground/r/A8T9Wxy/generic.secrets.gitleaks.gitlab-pat.gitlab-pat
+ version_id: d6TrAEY
+ url: https://semgrep.dev/playground/r/d6TrAEY/generic.secrets.gitleaks.gitlab-pat.gitlab-pat
 origin: community
 patterns:
 - pattern-regex: glpat-[0-9a-zA-Z\-\_]{20}
@@ -3977,8 +4097,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 4bUKkW
- version_id: BjTXBoo
- url: https://semgrep.dev/playground/r/BjTXBoo/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt
+ version_id: ZRTQNJo
+ url: https://semgrep.dev/playground/r/ZRTQNJo/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt
 origin: community
 patterns:
 - pattern-regex: glptt-[0-9a-f]{40}
@@ -4018,8 +4138,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeU7ZX
- version_id: DkT6WLB
- url: https://semgrep.dev/playground/r/DkT6WLB/generic.secrets.gitleaks.gitlab-rrt.gitlab-rrt
+ version_id: nWTxPlg
+ url: https://semgrep.dev/playground/r/nWTxPlg/generic.secrets.gitleaks.gitlab-rrt.gitlab-rrt
 origin: community
 patterns:
 - pattern-regex: GR1348941[0-9a-zA-Z\-\_]{20}
@@ -4059,8 +4179,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUOyB
- version_id: WrTWZg5
- url: https://semgrep.dev/playground/r/WrTWZg5/generic.secrets.gitleaks.gitter-access-token.gitter-access-token
+ version_id: ExTjNbD
+ url: https://semgrep.dev/playground/r/ExTjNbD/generic.secrets.gitleaks.gitter-access-token.gitter-access-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:gitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -4100,8 +4220,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUKOQ
- version_id: 0bTLEZR
- url: https://semgrep.dev/playground/r/0bTLEZR/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token
+ version_id: 7ZTgowR
+ url: https://semgrep.dev/playground/r/7ZTgowR/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token
 origin: community
 patterns:
 - pattern-regex: (?i)(?:gocardless)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(live_(?i)[a-z0-9\-_=]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
@@ -4141,8 +4261,8 @@ rules: semgrep.dev: rule: rule_id: GdUb7y - version_id: K3Tv4R6 - url: https://semgrep.dev/playground/r/K3Tv4R6/generic.secrets.gitleaks.grafana-api-key.grafana-api-key + version_id: LjTqQJg + url: https://semgrep.dev/playground/r/LjTqQJg/generic.secrets.gitleaks.grafana-api-key.grafana-api-key origin: community patterns: - pattern-regex: (?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4182,8 +4302,8 @@ rules: semgrep.dev: rule: rule_id: ReUNgJ - version_id: qkT2ord - url: https://semgrep.dev/playground/r/qkT2ord/generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token + version_id: 8KTQ90Z + url: https://semgrep.dev/playground/r/8KTQ90Z/generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token origin: community patterns: - pattern-regex: (?i)\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4223,8 +4343,8 @@ rules: semgrep.dev: rule: rule_id: AbUvzB - version_id: l4T4dYg - url: https://semgrep.dev/playground/r/l4T4dYg/generic.secrets.gitleaks.grafana-service-account-token.grafana-service-account-token + version_id: gET3xpl + url: https://semgrep.dev/playground/r/gET3xpl/generic.secrets.gitleaks.grafana-service-account-token.grafana-service-account-token origin: community patterns: - pattern-regex: (?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4264,8 +4384,8 @@ rules: semgrep.dev: rule: rule_id: BYU4N6 - version_id: YDTprx5 - url: https://semgrep.dev/playground/r/YDTprx5/generic.secrets.gitleaks.hashicorp-tf-api-token.hashicorp-tf-api-token + version_id: QkTW0Lb + url: https://semgrep.dev/playground/r/QkTW0Lb/generic.secrets.gitleaks.hashicorp-tf-api-token.hashicorp-tf-api-token origin: community patterns: - pattern-regex: "(?i)[a-z0-9]{14}\\.atlasv1\\.[a-z0-9\\-_=]{60,70}" 
@@ -4305,8 +4425,8 @@ rules: semgrep.dev: rule: rule_id: DbUBpr - version_id: 6xTvqkn - url: https://semgrep.dev/playground/r/6xTvqkn/generic.secrets.gitleaks.heroku-api-key.heroku-api-key + version_id: 3ZTkQgo + url: https://semgrep.dev/playground/r/3ZTkQgo/generic.secrets.gitleaks.heroku-api-key.heroku-api-key origin: community patterns: - pattern-regex: (?i)(?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4346,8 +4466,8 @@ rules: semgrep.dev: rule: rule_id: WAUeop - version_id: o5TgzPA - url: https://semgrep.dev/playground/r/o5TgzPA/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key + version_id: 44TRlJo + url: https://semgrep.dev/playground/r/44TRlJo/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key origin: community patterns: - pattern-regex: (?i)(?:hubspot)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4373,7 +4493,7 @@ rules: owasp: - A07:2021 - Identification and Authentication Failures references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln @@ -4387,8 +4507,8 @@ rules: semgrep.dev: rule: rule_id: j2Ujvk - version_id: JdTNydj - url: https://semgrep.dev/playground/r/JdTNydj/generic.secrets.gitleaks.huggingface-access-token.huggingface-access-token + version_id: PkTJ1KL + url: https://semgrep.dev/playground/r/PkTJ1KL/generic.secrets.gitleaks.huggingface-access-token.huggingface-access-token origin: community patterns: - pattern-regex: (?:^|[\\'"` >=:])(hf_[a-zA-Z]{34})(?:$|[\\'"` <]) 
@@ -4414,7 +4534,7 @@ rules: owasp: - A07:2021 - Identification and Authentication Failures references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln 
@@ -4428,11 +4548,52 @@ rules: semgrep.dev: rule: rule_id: 10UNKO - version_id: 5PTdOXw - url: https://semgrep.dev/playground/r/5PTdOXw/generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token + version_id: JdTNp47 + url: https://semgrep.dev/playground/r/JdTNp47/generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token origin: community patterns: - pattern-regex: (?:^|[\\'"` >=:\(,)])(api_org_[a-zA-Z]{34})(?:$|[\\'"` <\),]) +- id: generic.secrets.gitleaks.infracost-api-token.infracost-api-token + message: A gitleaks infracost-api-token was detected which attempts to identify + hard-coded credentials. It is not recommended to store credentials in source-code, + as this risks secrets being leaked and used by either an internal or external + malicious adversary. It is recommended to use environment variables to securely + provide credentials or retrieve credentials from a secure vault or HSM (Hardware + Security Module). 
+ languages: + - regex + severity: INFO + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules + subcategory: + - vuln + technology: + - gitleaks + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.gitleaks.infracost-api-token.infracost-api-token + shortlink: https://sg.run/KByn + semgrep.dev: + rule: + rule_id: 3qU1LG + version_id: 5PTdAKJ + url: https://semgrep.dev/playground/r/5PTdAKJ/generic.secrets.gitleaks.infracost-api-token.infracost-api-token + origin: community + patterns: + - pattern-regex: (?i)\b(ico-[a-zA-Z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.intercom-api-key.intercom-api-key message: A gitleaks intercom-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this @@ -4469,8 +4630,8 @@ rules: semgrep.dev: rule: rule_id: 0oU053 - version_id: zyTKy9E - url: https://semgrep.dev/playground/r/zyTKy9E/generic.secrets.gitleaks.intercom-api-key.intercom-api-key + version_id: GxTv6bv + url: https://semgrep.dev/playground/r/GxTv6bv/generic.secrets.gitleaks.intercom-api-key.intercom-api-key origin: community patterns: - pattern-regex: (?i)(?:intercom)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{60})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -4510,8 +4671,8 @@ rules: semgrep.dev: rule: rule_id: qNUn9g - version_id: pZT1GJ7 - url: https://semgrep.dev/playground/r/pZT1GJ7/generic.secrets.gitleaks.jfrog-api-key.jfrog-api-key + version_id: RGTDkNe + url: https://semgrep.dev/playground/r/RGTDkNe/generic.secrets.gitleaks.jfrog-api-key.jfrog-api-key origin: community patterns: - pattern-regex: (?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{73})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4551,8 +4712,8 @@ rules: semgrep.dev: rule: rule_id: lBUOew - version_id: 2KTz4Xx - url: https://semgrep.dev/playground/r/2KTz4Xx/generic.secrets.gitleaks.jfrog-identity-token.jfrog-identity-token + version_id: A8T95vr + url: https://semgrep.dev/playground/r/A8T95vr/generic.secrets.gitleaks.jfrog-identity-token.jfrog-identity-token origin: community patterns: - pattern-regex: (?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4578,7 +4739,7 @@ rules: owasp: - A07:2021 - Identification and Authentication Failures references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln 
@@ -4592,8 +4753,8 @@ rules: semgrep.dev: rule: rule_id: 9AU71e - version_id: GxTv7QQ - url: https://semgrep.dev/playground/r/GxTv7QQ/generic.secrets.gitleaks.jwt-base64.jwt-base64 + version_id: BjTXr4N + url: https://semgrep.dev/playground/r/BjTXr4N/generic.secrets.gitleaks.jwt-base64.jwt-base64 origin: community patterns: - pattern-regex: "\\bZXlK(?:(?PaGJHY2lPaU)|(?PaGNIVWlPaU)|(?PaGNIWWlPaU)|(?PaGRXUWlPaU)|(?PaU5qUWlP)|(?PamNtbDBJanBi)|(?PamRIa2lPaU)|(?PbGNHc2lPbn)|(?PbGJtTWlPaU)|(?PcWEzVWlPaU)|(?PcWQyc2lPb)|(?PcGMzTWlPaU)|(?PcGRpSTZJ)|(?PcmFXUWlP)|(?PclpYbGZiM0J6SWpwY)|(?PcmRIa2lPaUp)|(?PdWIyNWpaU0k2)|(?Pd01tTWlP)|(?Pd01uTWlPaU)|(?Pd2NIUWlPaU)|(?PemRXSWlPaU)|(?PemRuUWlP)|(?PMFlXY2lPaU)|(?PMGVYQWlPaUp)|(?PMWNtd2l)|(?PMWMyVWlPaUp)|(?PMlpYSWlPaU)|(?PMlpYSnphVzl1SWpv)|(?PNElqb2)|(?PNE5XTWlP)|(?PNE5YUWlPaU)|(?PNE5YUWpVekkxTmlJNkl)|(?PNE5YVWlPaU)|(?PNmFYQWlPaU))[a-zA-Z0-9\\/\\\\_+\\-\\r\\n]{40,}={0,2}" @@ -4632,8 +4793,8 @@ rules: semgrep.dev: rule: rule_id: KxUAbk - version_id: X0TQZpK - url: https://semgrep.dev/playground/r/X0TQZpK/generic.secrets.gitleaks.jwt.jwt + version_id: DkT6nBW + url: https://semgrep.dev/playground/r/DkT6nBW/generic.secrets.gitleaks.jwt.jwt origin: community patterns: - pattern-regex: \b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4673,8 +4834,8 @@ rules: semgrep.dev: rule: rule_id: qNUAjy - version_id: jQTgqp5 - url: https://semgrep.dev/playground/r/jQTgqp5/generic.secrets.gitleaks.kraken-access-token.kraken-access-token + version_id: WrTWQeP + url: https://semgrep.dev/playground/r/WrTWQeP/generic.secrets.gitleaks.kraken-access-token.kraken-access-token origin: community patterns: - pattern-regex: (?i)(?:kraken)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9\/=_\+\-]{80,90})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -4714,8 +4875,8 @@ rules: semgrep.dev: rule: rule_id: lBU39j - version_id: 1QTOZnv - url: https://semgrep.dev/playground/r/1QTOZnv/generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token + version_id: 0bTLl02 + url: https://semgrep.dev/playground/r/0bTLl02/generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token origin: community patterns: - pattern-regex: (?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4755,8 +4916,8 @@ rules: semgrep.dev: rule: rule_id: PeU7Zg - version_id: 9lTdOLB - url: https://semgrep.dev/playground/r/9lTdOLB/generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key + version_id: K3TvjA5 + url: https://semgrep.dev/playground/r/K3TvjA5/generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key origin: community patterns: - pattern-regex: (?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4796,8 +4957,8 @@ rules: semgrep.dev: rule: rule_id: JDUOyJ - version_id: yeTRvzJ - url: https://semgrep.dev/playground/r/yeTRvzJ/generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token + version_id: qkT2xAQ + url: https://semgrep.dev/playground/r/qkT2xAQ/generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token origin: community patterns: - pattern-regex: (?i)(?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -4837,8 +4998,8 @@ rules: semgrep.dev: rule: rule_id: 5rUKO6 - version_id: rxTykX5 - url: https://semgrep.dev/playground/r/rxTykX5/generic.secrets.gitleaks.linear-api-key.linear-api-key + version_id: l4T4v3X + url: https://semgrep.dev/playground/r/l4T4v3X/generic.secrets.gitleaks.linear-api-key.linear-api-key origin: community patterns: - pattern-regex: lin_api_(?i)[a-z0-9]{40} @@ -4878,8 +5039,8 @@ rules: semgrep.dev: rule: rule_id: GdUb7w - version_id: bZTbOJG - url: https://semgrep.dev/playground/r/bZTbOJG/generic.secrets.gitleaks.linear-client-secret.linear-client-secret + version_id: YDTp2gv + url: https://semgrep.dev/playground/r/YDTp2gv/generic.secrets.gitleaks.linear-client-secret.linear-client-secret origin: community patterns: - pattern-regex: (?i)(?:linear)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -4919,8 +5080,8 @@ rules: semgrep.dev: rule: rule_id: ReUNg1 - version_id: NdT3AEO - url: https://semgrep.dev/playground/r/NdT3AEO/generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id + version_id: 6xTvJ4J + url: https://semgrep.dev/playground/r/6xTvJ4J/generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id origin: community patterns: - pattern-regex: (?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -4960,8 +5121,8 @@ rules: semgrep.dev: rule: rule_id: AbUvWj - version_id: kbTdR94 - url: https://semgrep.dev/playground/r/kbTdR94/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret + version_id: o5TglG9 + url: https://semgrep.dev/playground/r/o5TglG9/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret origin: community patterns: - pattern-regex: (?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5001,8 +5162,8 @@ rules: semgrep.dev: rule: rule_id: BYU4BX - version_id: w8T98q1 - url: https://semgrep.dev/playground/r/w8T98q1/generic.secrets.gitleaks.lob-api-key.lob-api-key + version_id: zyTK86b + url: https://semgrep.dev/playground/r/zyTK86b/generic.secrets.gitleaks.lob-api-key.lob-api-key origin: community patterns: - pattern-regex: (?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((live|test)_[a-f0-9]{35})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5042,8 +5203,8 @@ rules: semgrep.dev: rule: rule_id: DbUBWq - version_id: xyTKWlK - url: https://semgrep.dev/playground/r/xyTKWlK/generic.secrets.gitleaks.lob-pub-api-key.lob-pub-api-key + version_id: pZT1yRn + url: https://semgrep.dev/playground/r/pZT1yRn/generic.secrets.gitleaks.lob-pub-api-key.lob-pub-api-key origin: community patterns: - pattern-regex: (?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}((test|live)_pub_[a-f0-9]{31})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5083,8 +5244,8 @@ rules: semgrep.dev: rule: rule_id: WAUeZl - version_id: O9TNGAk - url: https://semgrep.dev/playground/r/O9TNGAk/generic.secrets.gitleaks.mailchimp-api-key.mailchimp-api-key + version_id: 2KTzrnR + url: https://semgrep.dev/playground/r/2KTzrnR/generic.secrets.gitleaks.mailchimp-api-key.mailchimp-api-key origin: community patterns: - pattern-regex: (?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5124,8 +5285,8 @@ rules: semgrep.dev: rule: rule_id: 0oU0E5 - version_id: e1T0vYL - url: https://semgrep.dev/playground/r/e1T0vYL/generic.secrets.gitleaks.mailgun-private-api-token.mailgun-private-api-token + version_id: X0TQxGk + url: https://semgrep.dev/playground/r/X0TQxGk/generic.secrets.gitleaks.mailgun-private-api-token.mailgun-private-api-token origin: community patterns: - pattern-regex: (?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(key-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5165,8 +5326,8 @@ rules: semgrep.dev: rule: rule_id: KxUA44 - version_id: vdTY5Kn - url: https://semgrep.dev/playground/r/vdTY5Kn/generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key + version_id: jQTgYGJ + url: https://semgrep.dev/playground/r/jQTgYGJ/generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key origin: community patterns: - pattern-regex: (?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(pubkey-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5206,8 +5367,8 @@ rules: semgrep.dev: rule: rule_id: qNUAob - version_id: d6TrzOz - url: https://semgrep.dev/playground/r/d6TrzOz/generic.secrets.gitleaks.mailgun-signing-key.mailgun-signing-key + version_id: 1QTOYJk + url: https://semgrep.dev/playground/r/1QTOYJk/generic.secrets.gitleaks.mailgun-signing-key.mailgun-signing-key origin: community patterns: - pattern-regex: (?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5247,8 +5408,8 @@ rules: semgrep.dev: rule: rule_id: lBU3d8 - version_id: ZRTQqkg - url: https://semgrep.dev/playground/r/ZRTQqkg/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token + version_id: 9lTdW8n + url: https://semgrep.dev/playground/r/9lTdW8n/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token origin: community patterns: - pattern-regex: (?i)(?:mapbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5288,8 +5449,8 @@ rules: semgrep.dev: rule: rule_id: YGUgrA - version_id: nWTxY5Z - url: https://semgrep.dev/playground/r/nWTxY5Z/generic.secrets.gitleaks.mattermost-access-token.mattermost-access-token + version_id: yeTR2YQ + url: https://semgrep.dev/playground/r/yeTR2YQ/generic.secrets.gitleaks.mattermost-access-token.mattermost-access-token origin: community patterns: - pattern-regex: (?i)(?:mattermost)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{26})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5329,8 +5490,8 @@ rules: semgrep.dev: rule: rule_id: 6JU4qD - version_id: ExTj4yq - url: https://semgrep.dev/playground/r/ExTj4yq/generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token + version_id: rxTyLBX + url: https://semgrep.dev/playground/r/rxTyLBX/generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token origin: community patterns: - pattern-regex: (?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5370,8 +5531,8 @@ rules: semgrep.dev: rule: rule_id: oqUGzK - version_id: 7ZTgeJx - url: https://semgrep.dev/playground/r/7ZTgeJx/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id + version_id: bZTb1PP + url: https://semgrep.dev/playground/r/bZTb1PP/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id origin: community patterns: - pattern-regex: (?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5411,8 +5572,8 @@ rules: semgrep.dev: rule: rule_id: zdU6yl - version_id: LjTq4Lz - url: https://semgrep.dev/playground/r/LjTq4Lz/generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook + version_id: NdT3dvW + url: https://semgrep.dev/playground/r/NdT3dvW/generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook origin: community patterns: - pattern-regex: https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12} 
@@ -5452,8 +5613,8 @@ rules: semgrep.dev: rule: rule_id: pKURGy - version_id: 8KTQEPK - url: https://semgrep.dev/playground/r/8KTQEPK/generic.secrets.gitleaks.netlify-access-token.netlify-access-token + version_id: kbTdxQ0 + url: https://semgrep.dev/playground/r/kbTdxQ0/generic.secrets.gitleaks.netlify-access-token.netlify-access-token origin: community patterns: - pattern-regex: (?i)(?:netlify)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40,46})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5493,8 +5654,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUn43 - version_id: gET3Wvx - url: https://semgrep.dev/playground/r/gET3Wvx/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token + version_id: w8T9nqB + url: https://semgrep.dev/playground/r/w8T9nqB/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5534,8 +5695,8 @@ rules: semgrep.dev: rule: rule_id: X5UGZz - version_id: QkTW6Rw - url: https://semgrep.dev/playground/r/QkTW6Rw/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id + version_id: xyTKZlg + url: https://semgrep.dev/playground/r/xyTKZlg/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5575,8 +5736,8 @@ rules: semgrep.dev: rule: rule_id: j2UGqB - version_id: 3ZTkB54 - url: https://semgrep.dev/playground/r/3ZTkB54/generic.secrets.gitleaks.new-relic-user-api-key.new-relic-user-api-key + version_id: O9TNOA9 + url: https://semgrep.dev/playground/r/O9TNOA9/generic.secrets.gitleaks.new-relic-user-api-key.new-relic-user-api-key origin: community patterns: - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5616,8 +5777,8 @@ rules: semgrep.dev: rule: rule_id: 10UJZE - version_id: 44TRzK9 - url: https://semgrep.dev/playground/r/44TRzK9/generic.secrets.gitleaks.npm-access-token.npm-access-token + version_id: e1T01Y5 + url: https://semgrep.dev/playground/r/e1T01Y5/generic.secrets.gitleaks.npm-access-token.npm-access-token origin: community patterns: - pattern-regex: (?i)\b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5657,8 +5818,8 @@ rules: semgrep.dev: rule: rule_id: 9AU8Oq - version_id: PkTJk7e - url: https://semgrep.dev/playground/r/PkTJk7e/generic.secrets.gitleaks.nytimes-access-token.nytimes-access-token + version_id: vdTYNKe + url: https://semgrep.dev/playground/r/vdTYNKe/generic.secrets.gitleaks.nytimes-access-token.nytimes-access-token origin: community patterns: - pattern-regex: (?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5698,8 +5859,8 @@ rules: semgrep.dev: rule: rule_id: yyUYve - version_id: JdTNPOG - url: https://semgrep.dev/playground/r/JdTNPOG/generic.secrets.gitleaks.okta-access-token.okta-access-token + version_id: d6TrAOY + url: https://semgrep.dev/playground/r/d6TrAOY/generic.secrets.gitleaks.okta-access-token.okta-access-token origin: community patterns: - pattern-regex: (?i)(?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5739,8 +5900,8 @@ rules: semgrep.dev: rule: rule_id: YGU0zK - version_id: 5PTd4KE - url: https://semgrep.dev/playground/r/5PTd4KE/generic.secrets.gitleaks.openai-api-key.openai-api-key + version_id: ZRTQNko + url: https://semgrep.dev/playground/r/ZRTQNko/generic.secrets.gitleaks.openai-api-key.openai-api-key origin: community patterns: - pattern-regex: (?i)\b(sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5780,8 +5941,8 @@ rules: semgrep.dev: rule: rule_id: r6UBkG - version_id: GxTv0bJ - url: https://semgrep.dev/playground/r/GxTv0bJ/generic.secrets.gitleaks.plaid-api-token.plaid-api-token + version_id: nWTxP5g + url: https://semgrep.dev/playground/r/nWTxP5g/generic.secrets.gitleaks.plaid-api-token.plaid-api-token origin: community patterns: - pattern-regex: (?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5821,8 +5982,8 @@ rules: semgrep.dev: rule: rule_id: bwUPO4 - version_id: RGTDPNw - url: https://semgrep.dev/playground/r/RGTDPNw/generic.secrets.gitleaks.plaid-client-id.plaid-client-id + version_id: ExTjNyD + url: https://semgrep.dev/playground/r/ExTjNyD/generic.secrets.gitleaks.plaid-client-id.plaid-client-id origin: community patterns: - pattern-regex: (?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5862,8 +6023,8 @@ rules: semgrep.dev: rule: rule_id: NbUvA5 - version_id: A8T9Wvy - url: https://semgrep.dev/playground/r/A8T9Wvy/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key + version_id: 7ZTgoJR + url: https://semgrep.dev/playground/r/7ZTgoJR/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key origin: community patterns: - pattern-regex: (?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5903,8 +6064,8 @@ rules: semgrep.dev: rule: rule_id: kxUQR9 - version_id: BjTXB4o - url: https://semgrep.dev/playground/r/BjTXB4o/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token + version_id: LjTqQLg + url: https://semgrep.dev/playground/r/LjTqQLg/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token origin: community patterns: - pattern-regex: (?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -5944,8 +6105,8 @@ rules: semgrep.dev: rule: rule_id: wdUq8q - version_id: DkT6WBB - url: https://semgrep.dev/playground/r/DkT6WBB/generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token + version_id: 8KTQ9PZ + url: https://semgrep.dev/playground/r/8KTQ9PZ/generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token origin: community patterns: - pattern-regex: (?i)\b(pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -5985,8 +6146,8 @@ rules: semgrep.dev: rule: rule_id: x8UlWb - version_id: WrTWZe5 - url: https://semgrep.dev/playground/r/WrTWZe5/generic.secrets.gitleaks.planetscale-password.planetscale-password + version_id: gET3xvl + url: https://semgrep.dev/playground/r/gET3xvl/generic.secrets.gitleaks.planetscale-password.planetscale-password origin: community patterns: - pattern-regex: (?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6026,8 +6187,8 @@ rules: semgrep.dev: rule: rule_id: OrUAGK - version_id: 0bTLE0R - url: https://semgrep.dev/playground/r/0bTLE0R/generic.secrets.gitleaks.postman-api-token.postman-api-token + version_id: QkTW0Rb + url: https://semgrep.dev/playground/r/QkTW0Rb/generic.secrets.gitleaks.postman-api-token.postman-api-token origin: community patterns: - pattern-regex: (?i)\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6067,8 +6228,8 @@ rules: semgrep.dev: rule: rule_id: eqUYv2 - version_id: K3Tv4A6 - url: https://semgrep.dev/playground/r/K3Tv4A6/generic.secrets.gitleaks.prefect-api-token.prefect-api-token + version_id: 3ZTkQ5o + url: https://semgrep.dev/playground/r/3ZTkQ5o/generic.secrets.gitleaks.prefect-api-token.prefect-api-token origin: community patterns: - pattern-regex: (?i)\b(pnu_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6108,8 +6269,8 @@ rules: semgrep.dev: rule: rule_id: v8UK5w - version_id: qkT2oAd - url: https://semgrep.dev/playground/r/qkT2oAd/generic.secrets.gitleaks.private-key.private-key + version_id: 44TRlKo + url: https://semgrep.dev/playground/r/44TRlKo/generic.secrets.gitleaks.private-key.private-key origin: community patterns: - pattern-regex: "(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\\s\\S-]*KEY( 
@@ -6150,8 +6311,8 @@ rules: semgrep.dev: rule: rule_id: d8UOzo - version_id: l4T4d3g - url: https://semgrep.dev/playground/r/l4T4d3g/generic.secrets.gitleaks.pulumi-api-token.pulumi-api-token + version_id: PkTJ17L + url: https://semgrep.dev/playground/r/PkTJ17L/generic.secrets.gitleaks.pulumi-api-token.pulumi-api-token origin: community patterns: - pattern-regex: (?i)\b(pul-[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6191,8 +6352,8 @@ rules: semgrep.dev: rule: rule_id: ZqUkqn - version_id: YDTprg5 - url: https://semgrep.dev/playground/r/YDTprg5/generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token + version_id: JdTNpO7 + url: https://semgrep.dev/playground/r/JdTNpO7/generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token origin: community patterns: - pattern-regex: pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000} @@ -6232,8 +6393,8 @@ rules: semgrep.dev: rule: rule_id: nJU5YX - version_id: 6xTvq4n - url: https://semgrep.dev/playground/r/6xTvq4n/generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token + version_id: 5PTdAlJ + url: https://semgrep.dev/playground/r/5PTdAlJ/generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token origin: community patterns: - pattern-regex: (?i)(?:rapidapi)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{50})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6273,8 +6434,8 @@ rules: semgrep.dev: rule: rule_id: EwUy4Z - version_id: o5TgzGA - url: https://semgrep.dev/playground/r/o5TgzGA/generic.secrets.gitleaks.readme-api-token.readme-api-token + version_id: GxTv6Ov + url: https://semgrep.dev/playground/r/GxTv6Ov/generic.secrets.gitleaks.readme-api-token.readme-api-token origin: community patterns: - pattern-regex: (?i)\b(rdme_[a-z0-9]{70})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -6314,8 +6475,8 @@ rules: semgrep.dev: rule: rule_id: 7KUJek - version_id: zyTKy6E - url: https://semgrep.dev/playground/r/zyTKy6E/generic.secrets.gitleaks.rubygems-api-token.rubygems-api-token + version_id: RGTDkWe + url: https://semgrep.dev/playground/r/RGTDkWe/generic.secrets.gitleaks.rubygems-api-token.rubygems-api-token origin: community patterns: - pattern-regex: (?i)\b(rubygems_[a-f0-9]{48})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6341,7 +6502,7 @@ rules: owasp: - A07:2021 - Identification and Authentication Failures references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules subcategory: - vuln @@ -6355,8 +6516,8 @@ rules: semgrep.dev: rule: rule_id: yyUgnB - version_id: A8T9zAR - url: https://semgrep.dev/playground/r/A8T9zAR/generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token + version_id: A8T95Pr + url: https://semgrep.dev/playground/r/A8T95Pr/generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token origin: community patterns: - pattern-regex: "\\btk-us-[a-zA-Z0-9-_]{48}\\b" @@ -6396,8 +6557,8 @@ rules: semgrep.dev: rule: rule_id: L1UL48 - version_id: pZT1GR7 - url: https://semgrep.dev/playground/r/pZT1GR7/generic.secrets.gitleaks.sendbird-access-id.sendbird-access-id + version_id: BjTXrjN + url: https://semgrep.dev/playground/r/BjTXrjN/generic.secrets.gitleaks.sendbird-access-id.sendbird-access-id origin: community patterns: - pattern-regex: (?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -6437,8 +6598,8 @@ rules: semgrep.dev: rule: rule_id: 8GUPEk - version_id: 2KTz4nx - url: https://semgrep.dev/playground/r/2KTz4nx/generic.secrets.gitleaks.sendbird-access-token.sendbird-access-token + version_id: DkT6noW + url: https://semgrep.dev/playground/r/DkT6noW/generic.secrets.gitleaks.sendbird-access-token.sendbird-access-token origin: community patterns: - pattern-regex: (?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6478,8 +6639,8 @@ rules: semgrep.dev: rule: rule_id: gxUvWX - version_id: X0TQZGK - url: https://semgrep.dev/playground/r/X0TQZGK/generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token + version_id: WrTWQ5P + url: https://semgrep.dev/playground/r/WrTWQ5P/generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token origin: community patterns: - pattern-regex: (?i)\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6519,8 +6680,8 @@ rules: semgrep.dev: rule: rule_id: QrUR6q - version_id: jQTgqG5 - url: https://semgrep.dev/playground/r/jQTgqG5/generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token + version_id: 0bTLlk2 + url: https://semgrep.dev/playground/r/0bTLlk2/generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token origin: community patterns: - pattern-regex: (?i)\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6560,8 +6721,8 @@ rules: semgrep.dev: rule: rule_id: 3qU5B1 - version_id: 1QTOZJv - url: https://semgrep.dev/playground/r/1QTOZJv/generic.secrets.gitleaks.sentry-access-token.sentry-access-token + version_id: K3Tvj95 + url: https://semgrep.dev/playground/r/K3Tvj95/generic.secrets.gitleaks.sentry-access-token.sentry-access-token origin: community patterns: - pattern-regex: (?i)(?:sentry)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -6601,8 +6762,8 @@ rules: semgrep.dev: rule: rule_id: 4bUKzO - version_id: 9lTdO8B - url: https://semgrep.dev/playground/r/9lTdO8B/generic.secrets.gitleaks.shippo-api-token.shippo-api-token + version_id: qkT2xgQ + url: https://semgrep.dev/playground/r/qkT2xgQ/generic.secrets.gitleaks.shippo-api-token.shippo-api-token origin: community patterns: - pattern-regex: (?i)\b(shippo_(live|test)_[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -6642,8 +6803,8 @@ rules: semgrep.dev: rule: rule_id: PeU7kg - version_id: yeTRvYJ - url: https://semgrep.dev/playground/r/yeTRvYJ/generic.secrets.gitleaks.shopify-access-token.shopify-access-token + version_id: l4T4vqX + url: https://semgrep.dev/playground/r/l4T4vqX/generic.secrets.gitleaks.shopify-access-token.shopify-access-token origin: community patterns: - pattern-regex: shpat_[a-fA-F0-9]{32} @@ -6683,8 +6844,8 @@ rules: semgrep.dev: rule: rule_id: JDUOPJ - version_id: rxTykB5 - url: https://semgrep.dev/playground/r/rxTykB5/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token + version_id: YDTp2Gv + url: https://semgrep.dev/playground/r/YDTp2Gv/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token origin: community patterns: - pattern-regex: shpca_[a-fA-F0-9]{32} @@ -6724,8 +6885,8 @@ rules: semgrep.dev: rule: rule_id: 5rUK46 - version_id: bZTbOPG - url: https://semgrep.dev/playground/r/bZTbOPG/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token + version_id: JdTNpwp + url: https://semgrep.dev/playground/r/JdTNpwp/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token origin: community patterns: - pattern-regex: shppa_[a-fA-F0-9]{32} 
@@ -6765,8 +6926,8 @@ rules: semgrep.dev: rule: rule_id: GdUb0w - version_id: NdT3AvO - url: https://semgrep.dev/playground/r/NdT3AvO/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret + version_id: 5PTdAle + url: https://semgrep.dev/playground/r/5PTdAle/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret origin: community patterns: - pattern-regex: shpss_[a-fA-F0-9]{32} @@ -6806,8 +6967,8 @@ rules: semgrep.dev: rule: rule_id: ReUNP1 - version_id: kbTdRQ4 - url: https://semgrep.dev/playground/r/kbTdRQ4/generic.secrets.gitleaks.sidekiq-secret.sidekiq-secret + version_id: GxTv6Ok + url: https://semgrep.dev/playground/r/GxTv6Ok/generic.secrets.gitleaks.sidekiq-secret.sidekiq-secret origin: community patterns: - pattern-regex: (?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t @@ -6848,8 +7009,8 @@ rules: semgrep.dev: rule: rule_id: AbUvGj - version_id: w8T98g1 - url: https://semgrep.dev/playground/r/w8T98g1/generic.secrets.gitleaks.sidekiq-sensitive-url.sidekiq-sensitive-url + version_id: RGTDkWp + url: https://semgrep.dev/playground/r/RGTDkWp/generic.secrets.gitleaks.sidekiq-sensitive-url.sidekiq-sensitive-url origin: community patterns: - pattern-regex: "(?i)\\b(http(?:s??):\\/\\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\\/|\\#|\\?|:]|$)" @@ -6889,8 +7050,8 @@ rules: semgrep.dev: rule: rule_id: 6JUgAl - version_id: xyTKWbK - url: https://semgrep.dev/playground/r/xyTKWbK/generic.secrets.gitleaks.slack-app-token.slack-app-token + version_id: A8T95PE + url: https://semgrep.dev/playground/r/A8T95PE/generic.secrets.gitleaks.slack-app-token.slack-app-token origin: community patterns: - pattern-regex: "(?i)(xapp-\\d-[A-Z0-9]+-\\d+-[a-z0-9]+)" 
@@ -6930,8 +7091,8 @@ rules: semgrep.dev: rule: rule_id: oqUEWO - version_id: O9TNGLk - url: https://semgrep.dev/playground/r/O9TNGLk/generic.secrets.gitleaks.slack-bot-token.slack-bot-token + version_id: BjTXrjJ + url: https://semgrep.dev/playground/r/BjTXrjJ/generic.secrets.gitleaks.slack-bot-token.slack-bot-token origin: community patterns: - pattern-regex: "(xoxb-[0-9]{10,13}\\-[0-9]{10,13}[a-zA-Z0-9-]*)" @@ -6971,8 +7132,8 @@ rules: semgrep.dev: rule: rule_id: zdUJXd - version_id: e1T0vPL - url: https://semgrep.dev/playground/r/e1T0vPL/generic.secrets.gitleaks.slack-config-access-token.slack-config-access-token + version_id: DkT6no7 + url: https://semgrep.dev/playground/r/DkT6no7/generic.secrets.gitleaks.slack-config-access-token.slack-config-access-token origin: community patterns: - pattern-regex: "(?i)(xoxe.xox[bp]-\\d-[A-Z0-9]{163,166})" @@ -7012,8 +7173,8 @@ rules: semgrep.dev: rule: rule_id: pKUjqZ - version_id: vdTY5bn - url: https://semgrep.dev/playground/r/vdTY5bn/generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token + version_id: WrTWQ5j + url: https://semgrep.dev/playground/r/WrTWQ5j/generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token origin: community patterns: - pattern-regex: "(?i)(xoxe-\\d-[A-Z0-9]{146})" @@ -7053,8 +7214,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUxA8 - version_id: d6TrzNz - url: https://semgrep.dev/playground/r/d6TrzNz/generic.secrets.gitleaks.slack-legacy-bot-token.slack-legacy-bot-token + version_id: 0bTLlk6 + url: https://semgrep.dev/playground/r/0bTLlk6/generic.secrets.gitleaks.slack-legacy-bot-token.slack-legacy-bot-token origin: community patterns: - pattern-regex: "(xoxb-[0-9]{8,14}\\-[a-zA-Z0-9]{18,26})" 
@@ -7094,8 +7255,8 @@ rules: semgrep.dev: rule: rule_id: X5UNor - version_id: ZRTQqRg - url: https://semgrep.dev/playground/r/ZRTQqRg/generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token + version_id: K3Tvj9P + url: https://semgrep.dev/playground/r/K3Tvj9P/generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token origin: community patterns: - pattern-regex: "(xox[os]-\\d+-\\d+-\\d+-[a-fA-F\\d]+)" @@ -7135,8 +7296,8 @@ rules: semgrep.dev: rule: rule_id: j2UXL7 - version_id: nWTxYDZ - url: https://semgrep.dev/playground/r/nWTxYDZ/generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token + version_id: qkT2xgr + url: https://semgrep.dev/playground/r/qkT2xgr/generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token origin: community patterns: - pattern-regex: "(xox[ar]-(?:\\d-)?[0-9a-zA-Z]{8,48})" @@ -7176,8 +7337,8 @@ rules: semgrep.dev: rule: rule_id: 10UL0L - version_id: ExTj45q - url: https://semgrep.dev/playground/r/ExTj45q/generic.secrets.gitleaks.slack-user-token.slack-user-token + version_id: l4T4vq3 + url: https://semgrep.dev/playground/r/l4T4vq3/generic.secrets.gitleaks.slack-user-token.slack-user-token origin: community patterns: - pattern-regex: "(xox[pe](?:-[0-9]{10,13}){3}-[a-zA-Z0-9-]{28,34})" @@ -7217,8 +7378,8 @@ rules: semgrep.dev: rule: rule_id: 9AU0E7 - version_id: 7ZTge6x - url: https://semgrep.dev/playground/r/7ZTge6x/generic.secrets.gitleaks.slack-webhook-url.slack-webhook-url + version_id: YDTp2GG + url: https://semgrep.dev/playground/r/YDTp2GG/generic.secrets.gitleaks.slack-webhook-url.slack-webhook-url origin: community patterns: - pattern-regex: "(https?:\\/\\/)?hooks.slack.com\\/(services|workflows)\\/[A-Za-z0-9+\\/]{43,46}" 
@@ -7258,11 +7419,12 @@ rules: semgrep.dev: rule: rule_id: yyU1Qp - version_id: LjTq4dz - url: https://semgrep.dev/playground/r/LjTq4dz/generic.secrets.gitleaks.snyk-api-token.snyk-api-token + version_id: 6xTvJ7O + url: https://semgrep.dev/playground/r/6xTvJ7O/generic.secrets.gitleaks.snyk-api-token.snyk-api-token origin: community patterns: - - pattern-regex: (?i)(?:snyk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern-regex: (?i)(?:snyk_token|snyk_key|snyk_api_token|snyk_api_key|snyk_oauth_token)(?:[0-9a-z\-_\t + .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.square-access-token.square-access-token message: A gitleaks square-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, @@ -7299,8 +7461,8 @@ rules: semgrep.dev: rule: rule_id: WAUePl - version_id: 8KTQEoK - url: https://semgrep.dev/playground/r/8KTQEoK/generic.secrets.gitleaks.square-access-token.square-access-token + version_id: o5TglQp + url: https://semgrep.dev/playground/r/o5TglQp/generic.secrets.gitleaks.square-access-token.square-access-token origin: community patterns: - pattern-regex: (?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$) 
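Review bot: The replacement `pattern-regex` for `snyk-api-token` is a plain scalar broken across two lines at the one space inside the `[0-9a-z\-_\t .]` character class, so the regex is only correct because YAML folds that line break back into a single space (the dumper evidently wrapped at the first whitespace it found). That happens to reproduce the old class today, but a re-wrap at a different point, or a hand edit that joins the lines, silently turns it into `[0-9a-z\-_\t.]` and changes what the rule matches. I'd keep the regex on a single line, or make the space explicit with a quoted scalar, so the character class does not depend on folding. Separately, the narrowed keyword list is case-insensitive but underscore-only, so camelCase identifiers such as `snykToken` no longer trigger — fine if that is the intent, but worth saying in the rule message.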
@@ -7340,8 +7502,8 @@ rules: semgrep.dev: rule: rule_id: 0oU0J5 - version_id: gET3W8x - url: https://semgrep.dev/playground/r/gET3W8x/generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token + version_id: zyTK8gw + url: https://semgrep.dev/playground/r/zyTK8gw/generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token origin: community patterns: - pattern-regex: (?i)(?:squarespace)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7381,11 +7543,11 @@ rules: semgrep.dev: rule: rule_id: KxUAY4 - version_id: QkTW63w - url: https://semgrep.dev/playground/r/QkTW63w/generic.secrets.gitleaks.stripe-access-token.stripe-access-token + version_id: pZT1yg8 + url: https://semgrep.dev/playground/r/pZT1yg8/generic.secrets.gitleaks.stripe-access-token.stripe-access-token origin: community patterns: - - pattern-regex: "(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}" + - pattern-regex: (?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$) - id: generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id message: A gitleaks sumologic-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, @@ -7422,8 +7584,8 @@ rules: semgrep.dev: rule: rule_id: qNUAbb - version_id: 3ZTkBK4 - url: https://semgrep.dev/playground/r/3ZTkBK4/generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id + version_id: 2KTzrNe + url: https://semgrep.dev/playground/r/2KTzrNe/generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id origin: community patterns: - pattern-regex: (?i:(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3})(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(su[a-zA-Z0-9]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) 
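Review bot: The new `stripe-access-token` regex combines `[0-9a-z]{10,32}` with a mandatory terminator `(?:['|\"|\n|\r|\s|\x60|;]|$)`, so a key whose random part is longer than 32 characters no longer matches at all, whereas the old unanchored `(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}` matched it as a prefix; to my knowledge current Stripe secret keys are far longer than 32 characters after the `sk_live_`/`sk_test_` prefix, which would make this a detection regression rather than a false-positive fix. I'd widen the quantifier before adding the boundary, e.g. `- pattern-regex: (?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,99})\b`, or keep the prefix match until the length is confirmed against the real key format. Note also that `pk_` is Stripe's publishable (non-secret) key prefix, so that half of the alternation is noise for a hard-coded-credential rule; inherited from upstream, but worth a comment.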
@@ -7463,8 +7625,8 @@ rules: semgrep.dev: rule: rule_id: lBU3z8 - version_id: 44TRzN9 - url: https://semgrep.dev/playground/r/44TRzN9/generic.secrets.gitleaks.sumologic-access-token.sumologic-access-token + version_id: X0TQxeD + url: https://semgrep.dev/playground/r/X0TQxeD/generic.secrets.gitleaks.sumologic-access-token.sumologic-access-token origin: community patterns: - pattern-regex: (?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7504,8 +7666,8 @@ rules: semgrep.dev: rule: rule_id: YGUgQA - version_id: PkTJkwe - url: https://semgrep.dev/playground/r/PkTJkwe/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token + version_id: jQTgYeP + url: https://semgrep.dev/playground/r/jQTgYeP/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token origin: community patterns: - pattern-regex: "(?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\\-]{34})(?:$|[^a-zA-Z0-9_\\-])" @@ -7545,8 +7707,8 @@ rules: semgrep.dev: rule: rule_id: 6JU46D - version_id: JdTNPwG - url: https://semgrep.dev/playground/r/JdTNPwG/generic.secrets.gitleaks.travisci-access-token.travisci-access-token + version_id: 1QTOYW1 + url: https://semgrep.dev/playground/r/1QTOYW1/generic.secrets.gitleaks.travisci-access-token.travisci-access-token origin: community patterns: - pattern-regex: (?i)(?:travis)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7586,8 +7748,8 @@ rules: semgrep.dev: rule: rule_id: oqUGrK - version_id: 5PTd4lE - url: https://semgrep.dev/playground/r/5PTd4lE/generic.secrets.gitleaks.twilio-api-key.twilio-api-key + version_id: 9lTdWNP + url: https://semgrep.dev/playground/r/9lTdWNP/generic.secrets.gitleaks.twilio-api-key.twilio-api-key origin: community patterns: - pattern-regex: SK[0-9a-fA-F]{32} 
@@ -7627,8 +7789,8 @@ rules: semgrep.dev: rule: rule_id: zdU61l - version_id: GxTv0OJ - url: https://semgrep.dev/playground/r/GxTv0OJ/generic.secrets.gitleaks.twitch-api-token.twitch-api-token + version_id: yeTR2b1 + url: https://semgrep.dev/playground/r/yeTR2b1/generic.secrets.gitleaks.twitch-api-token.twitch-api-token origin: community patterns: - pattern-regex: (?i)(?:twitch)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7668,8 +7830,8 @@ rules: semgrep.dev: rule: rule_id: pKURwy - version_id: RGTDPWw - url: https://semgrep.dev/playground/r/RGTDPWw/generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret + version_id: rxTyLgv + url: https://semgrep.dev/playground/r/rxTyLgv/generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret origin: community patterns: - pattern-regex: (?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{45})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7709,8 +7871,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUnK3 - version_id: A8T9WPy - url: https://semgrep.dev/playground/r/A8T9WPy/generic.secrets.gitleaks.twitter-access-token.twitter-access-token + version_id: bZTb1W3 + url: https://semgrep.dev/playground/r/bZTb1W3/generic.secrets.gitleaks.twitter-access-token.twitter-access-token origin: community patterns: - pattern-regex: (?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -7750,8 +7912,8 @@ rules: semgrep.dev: rule: rule_id: X5UG7z - version_id: BjTXBjo - url: https://semgrep.dev/playground/r/BjTXBjo/generic.secrets.gitleaks.twitter-api-key.twitter-api-key + version_id: NdT3dWj + url: https://semgrep.dev/playground/r/NdT3dWj/generic.secrets.gitleaks.twitter-api-key.twitter-api-key origin: community patterns: - pattern-regex: (?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7791,8 +7953,8 @@ rules: semgrep.dev: rule: rule_id: j2UGRB - version_id: DkT6WoB - url: https://semgrep.dev/playground/r/DkT6WoB/generic.secrets.gitleaks.twitter-api-secret.twitter-api-secret + version_id: kbTdxvX + url: https://semgrep.dev/playground/r/kbTdxvX/generic.secrets.gitleaks.twitter-api-secret.twitter-api-secret origin: community patterns: - pattern-regex: (?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{50})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7832,8 +7994,8 @@ rules: semgrep.dev: rule: rule_id: 10UJeE - version_id: WrTWZ55 - url: https://semgrep.dev/playground/r/WrTWZ55/generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token + version_id: w8T9ngZ + url: https://semgrep.dev/playground/r/w8T9ngZ/generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token origin: community patterns: - pattern-regex: (?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -7873,8 +8035,8 @@ rules: semgrep.dev: rule: rule_id: 9AU8kq - version_id: 0bTLEkR - url: https://semgrep.dev/playground/r/0bTLEkR/generic.secrets.gitleaks.typeform-api-token.typeform-api-token + version_id: xyTKZbY + url: https://semgrep.dev/playground/r/xyTKZbY/generic.secrets.gitleaks.typeform-api-token.typeform-api-token origin: community patterns: - pattern-regex: (?i)(?:typeform)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(tfp_[a-z0-9\-_\.=]{59})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7914,8 +8076,8 @@ rules: semgrep.dev: rule: rule_id: yyUYye - version_id: K3Tv496 - url: https://semgrep.dev/playground/r/K3Tv496/generic.secrets.gitleaks.vault-batch-token.vault-batch-token + version_id: O9TNOLy + url: https://semgrep.dev/playground/r/O9TNOLy/generic.secrets.gitleaks.vault-batch-token.vault-batch-token origin: community patterns: - pattern-regex: (?i)\b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7955,8 +8117,8 @@ rules: semgrep.dev: rule: rule_id: r6UB9G - version_id: qkT2ogd - url: https://semgrep.dev/playground/r/qkT2ogd/generic.secrets.gitleaks.vault-service-token.vault-service-token + version_id: e1T01Pd + url: https://semgrep.dev/playground/r/e1T01Pd/generic.secrets.gitleaks.vault-service-token.vault-service-token origin: community patterns: - pattern-regex: (?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -7996,8 +8158,8 @@ rules: semgrep.dev: rule: rule_id: bwUPN4 - version_id: l4T4dqg - url: https://semgrep.dev/playground/r/l4T4dqg/generic.secrets.gitleaks.yandex-access-token.yandex-access-token + version_id: vdTYNbW + url: https://semgrep.dev/playground/r/vdTYNbW/generic.secrets.gitleaks.yandex-access-token.yandex-access-token origin: community patterns: - pattern-regex: (?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -8037,8 +8199,8 @@ rules: semgrep.dev: rule: rule_id: NbUvY5 - version_id: YDTprG5 - url: https://semgrep.dev/playground/r/YDTprG5/generic.secrets.gitleaks.yandex-api-key.yandex-api-key + version_id: d6TrA2w + url: https://semgrep.dev/playground/r/d6TrA2w/generic.secrets.gitleaks.yandex-api-key.yandex-api-key origin: community patterns: - pattern-regex: (?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -8078,8 +8240,8 @@ rules: semgrep.dev: rule: rule_id: kxUQ89 - version_id: JdTNPw0 - url: https://semgrep.dev/playground/r/JdTNPw0/generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token + version_id: ZRTQN1Q + url: https://semgrep.dev/playground/r/ZRTQN1Q/generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token origin: community patterns: - pattern-regex: (?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(YC[a-zA-Z0-9_\-]{38})(?:['|\"|\n|\r|\s|\x60|;]|$) @@ -8119,8 +8281,8 @@ rules: semgrep.dev: rule: rule_id: wdUqGq - version_id: 5PTd4lZ - url: https://semgrep.dev/playground/r/5PTd4lZ/generic.secrets.gitleaks.zendesk-secret-key.zendesk-secret-key + version_id: nWTxPAO + url: https://semgrep.dev/playground/r/nWTxPAO/generic.secrets.gitleaks.zendesk-secret-key.zendesk-secret-key origin: community patterns: - pattern-regex: (?i)(?:zendesk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) 
@@ -8165,9 +8327,210 @@ rules: semgrep.dev: rule: rule_id: DbUple - version_id: BjTE7E - url: https://semgrep.dev/playground/r/BjTE7E/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri + version_id: 8KTQ97x + url: https://semgrep.dev/playground/r/8KTQ97x/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri + origin: community +- id: generic.visualforce.security.ncino.html.usesriforcdns.use-SRI-for-CDNs + languages: + - generic + severity: WARNING + message: 'Consuming CDNs without including a SubResource Integrity (SRI) can expose + your application and its users to compromised code. SRIs allow you to consume + specific versions of content where if even a single byte is compromised, the resource + will not be loaded. Add an integrity attribute to your " + - pattern-not: "" + paths: + include: + - "*.component" + - "*.page" +- id: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + languages: + - generic + severity: INFO + message: Visualforce Pages must have the cspHeader attribute set to true. This attribute + is available in API version 55 or higher. 
+ metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5 + category: security + subcategory: + - vuln + technology: + - salesforce + - visualforce + cwe2022-top25: true + cwe2021-top25: true + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + shortlink: https://sg.run/yoj8 + semgrep.dev: + rule: + rule_id: DbUj7d + version_id: PkTJ1XQ + url: https://semgrep.dev/playground/r/PkTJ1XQ/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + origin: community + patterns: + - pattern: "..." + - pattern-not: ... + - pattern-not: "......" + - pattern-not: "......" + paths: + include: + - "*.page" +- id: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + languages: + - generic + severity: WARNING + message: Visualforce Pages must use API version 55 or higher for required use of + the cspHeader attribute set to true. 
+ metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + references: + - https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm + category: security + subcategory: + - vuln + technology: + - salesforce + - visualforce + cwe2022-top25: true + cwe2021-top25: true + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + shortlink: https://sg.run/rWr6 + semgrep.dev: + rule: + rule_id: WAUwJW + version_id: JdTNpYp + url: https://semgrep.dev/playground/r/JdTNpYp/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + origin: community + patterns: + - pattern-inside: "" + - pattern-either: + - pattern-regex: "[>][0-9].[0-9][<]" + - pattern-regex: "[>][1-4][0-9].[0-9][<]" + - pattern-regex: "[>][5][0-4].[0-9][<]" + paths: + include: + - "*.page-meta.xml" - id: go.aws-lambda.security.database-sqli.database-sqli languages: - go @@ -8206,8 +8569,8 @@ rules: semgrep.dev: rule: rule_id: WAUdJ7 - version_id: 0bTv2x - url: https://semgrep.dev/playground/r/0bTv2x/go.aws-lambda.security.database-sqli.database-sqli + version_id: 5PTdA2e + url: https://semgrep.dev/playground/r/5PTdA2e/go.aws-lambda.security.database-sqli.database-sqli origin: community pattern-sinks: - patterns: 
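Review bot: In the added `visualforce-page-api-version` rule the three `pattern-regex` alternatives use an unescaped `.` between the major and minor version digits (`"[>][5][0-4].[0-9][<]"`), which matches any character rather than the literal dot of a `54.0`-style value; escape it, e.g. `"[>][5][0-4]\\.[0-9][<]"` and likewise for the other two. The `[0-9].[0-9]`, `[1-4][0-9].[0-9]` and `[5][0-4].[0-9]` ranges encode the "below 55" threshold stated only in the message, so a comment such as `# flags apiVersion < 55.0; keep these ranges in sync with the csp-header-attribute rule` would keep them from drifting apart. Several `pattern`/`pattern-not`/`pattern-inside` values in this hunk render as empty strings or `...` here (the markup appears to have been stripped by the page), so I could not review the SRI or cspHeader patterns themselves.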
@@ -8277,8 +8640,8 @@ rules: semgrep.dev: rule: rule_id: 0oUwqg - version_id: K3Tl7v - url: https://semgrep.dev/playground/r/K3Tl7v/go.aws-lambda.security.tainted-sql-string.tainted-sql-string + version_id: GxTv6Kk + url: https://semgrep.dev/playground/r/GxTv6Kk/go.aws-lambda.security.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sources: @@ -8393,8 +8756,8 @@ rules: semgrep.dev: rule: rule_id: AbU5o3 - version_id: 6xTvERe - url: https://semgrep.dev/playground/r/6xTvERe/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage + version_id: WrTWQAj + url: https://semgrep.dev/playground/r/WrTWQAj/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage origin: community - id: go.jwt-go.security.jwt.hardcoded-jwt-key message: A hard-coded credential was detected. It is not recommended to store credentials @@ -8431,8 +8794,8 @@ rules: semgrep.dev: rule: rule_id: GdU7Ny - version_id: o5Tg2Lx - url: https://semgrep.dev/playground/r/o5Tg2Lx/go.jwt-go.security.jwt.hardcoded-jwt-key + version_id: YDTp2KG + url: https://semgrep.dev/playground/r/YDTp2KG/go.jwt-go.security.jwt.hardcoded-jwt-key origin: community severity: WARNING languages: @@ -8472,8 +8835,8 @@ rules: semgrep.dev: rule: rule_id: bwUwy8 - version_id: qkTNXO - url: https://semgrep.dev/playground/r/qkTNXO/go.lang.security.audit.crypto.math_random.math-random-used + version_id: 6xTvJwY + url: https://semgrep.dev/playground/r/6xTvJwY/go.lang.security.audit.crypto.math_random.math-random-used origin: community message: Do not use `math/rand`. Use `crypto/rand` instead. languages: @@ -8531,8 +8894,8 @@ rules: semgrep.dev: rule: rule_id: kxUkJ2 - version_id: YDToDk - url: https://semgrep.dev/playground/r/YDToDk/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure + version_id: zyTK80x + url: https://semgrep.dev/playground/r/zyTK80x/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure origin: community languages: - go 
@@ -8571,8 +8934,8 @@ rules: semgrep.dev: rule: rule_id: wdUJYk - version_id: 6xTe1W - url: https://semgrep.dev/playground/r/6xTe1W/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher + version_id: pZT1y4r + url: https://semgrep.dev/playground/r/pZT1y4r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher origin: community languages: - go @@ -8665,8 +9028,8 @@ rules: semgrep.dev: rule: rule_id: eqU8B3 - version_id: pZTrpq - url: https://semgrep.dev/playground/r/pZTrpq/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES + version_id: jQTgY4k + url: https://semgrep.dev/playground/r/jQTgY4k/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES origin: community patterns: - pattern-inside: | @@ -8711,8 +9074,8 @@ rules: semgrep.dev: rule: rule_id: x8Un6q - version_id: o5Tn4R - url: https://semgrep.dev/playground/r/o5Tn4R/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 + version_id: 2KTzro0 + url: https://semgrep.dev/playground/r/2KTzro0/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 origin: community patterns: - pattern-inside: | @@ -8756,8 +9119,8 @@ rules: semgrep.dev: rule: rule_id: v8Unl0 - version_id: 2KT1PX - url: https://semgrep.dev/playground/r/2KT1PX/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 + version_id: 1QTOYRO + url: https://semgrep.dev/playground/r/1QTOYRO/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 origin: community patterns: - pattern-inside: | @@ -8796,8 +9159,8 @@ rules: semgrep.dev: rule: rule_id: OrU31O - version_id: zyT5Ye - url: https://semgrep.dev/playground/r/zyT5Ye/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 + version_id: X0TQx0B + url: https://semgrep.dev/playground/r/X0TQx0B/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 origin: community patterns: - pattern-inside: | 
@@ -8848,8 +9211,8 @@ rules: semgrep.dev: rule: rule_id: 4bU1Wj - version_id: zyTKnBP - url: https://semgrep.dev/playground/r/zyTKnBP/go.lang.security.audit.md5-used-as-password.md5-used-as-password + version_id: w8T9nPl + url: https://semgrep.dev/playground/r/w8T9nPl/go.lang.security.audit.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: @@ -8903,8 +9266,8 @@ rules: semgrep.dev: rule: rule_id: EwU2Z6 - version_id: kbT7wJ - url: https://semgrep.dev/playground/r/kbT7wJ/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly + version_id: O9TNOqv + url: https://semgrep.dev/playground/r/O9TNOqv/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly origin: community fix-regex: regex: "(HttpOnly\\s*:\\s+)false" @@ -8952,8 +9315,8 @@ rules: semgrep.dev: rule: rule_id: 7KUQ8X - version_id: w8T3jO - url: https://semgrep.dev/playground/r/w8T3jO/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure + version_id: e1T01o9 + url: https://semgrep.dev/playground/r/e1T01o9/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure origin: community fix-regex: regex: "(Secure\\s*:\\s+)false" @@ -8990,8 +9353,8 @@ rules: semgrep.dev: rule: rule_id: L1Uyjp - version_id: xyT4x7 - url: https://semgrep.dev/playground/r/xyT4x7/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace + version_id: vdTYNwN + url: https://semgrep.dev/playground/r/vdTYNwN/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace origin: community patterns: - pattern-not-inside: | 
@@ -9061,8 +9424,8 @@ rules: semgrep.dev: rule: rule_id: 5rU9JO - version_id: e1TxzK - url: https://semgrep.dev/playground/r/e1TxzK/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing + version_id: ZRTQN9K + url: https://semgrep.dev/playground/r/ZRTQN9K/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing origin: community - id: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf patterns: @@ -9139,8 +9502,8 @@ rules: semgrep.dev: rule: rule_id: JDUyXB - version_id: 7ZTOvO - url: https://semgrep.dev/playground/r/7ZTOvO/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf + version_id: gET3xR5 + url: https://semgrep.dev/playground/r/gET3xR5/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf origin: community severity: WARNING languages: @@ -9214,8 +9577,8 @@ rules: semgrep.dev: rule: rule_id: YGUrnQ - version_id: 8KTbze - url: https://semgrep.dev/playground/r/8KTbze/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli + version_id: 3ZTkQGg + url: https://semgrep.dev/playground/r/3ZTkQGg/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli origin: community severity: ERROR - id: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli @@ -9313,8 +9676,8 @@ rules: semgrep.dev: rule: rule_id: 6JUqQ1 - version_id: gETqJZ - url: https://semgrep.dev/playground/r/gETqJZ/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli + version_id: 44TRlLK + url: https://semgrep.dev/playground/r/44TRlLK/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli origin: community severity: ERROR - id: go.lang.security.audit.sqli.pg-sqli.pg-sqli 
@@ -9353,8 +9716,8 @@ rules: semgrep.dev: rule: rule_id: AbUWXY - version_id: QkTJnW - url: https://semgrep.dev/playground/r/QkTJnW/go.lang.security.audit.sqli.pg-sqli.pg-sqli + version_id: PkTJ1lw + url: https://semgrep.dev/playground/r/PkTJ1lw/go.lang.security.audit.sqli.pg-sqli.pg-sqli origin: community severity: ERROR patterns: @@ -9427,8 +9790,8 @@ rules: semgrep.dev: rule: rule_id: oqUz92 - version_id: 3ZTd6l - url: https://semgrep.dev/playground/r/3ZTd6l/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli + version_id: JdTNpBA + url: https://semgrep.dev/playground/r/JdTNpBA/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli origin: community patterns: - pattern-either: @@ -9536,8 +9899,8 @@ rules: semgrep.dev: rule: rule_id: qNUQJe - version_id: pZT1zeP - url: https://semgrep.dev/playground/r/pZT1zeP/go.lang.security.filepath-clean-misuse.filepath-clean-misuse + version_id: o5Tgl30 + url: https://semgrep.dev/playground/r/o5Tgl30/go.lang.security.filepath-clean-misuse.filepath-clean-misuse origin: community - id: go.lang.security.injection.raw-html-format.raw-html-format languages: @@ -9575,8 +9938,8 @@ rules: semgrep.dev: rule: rule_id: PeUonQ - version_id: YDToAk - url: https://semgrep.dev/playground/r/YDToAk/go.lang.security.injection.raw-html-format.raw-html-format + version_id: zyTK8wx + url: https://semgrep.dev/playground/r/zyTK8wx/go.lang.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sources: @@ -9640,8 +10003,8 @@ rules: semgrep.dev: rule: rule_id: PeUoqy - version_id: 2KTzL5z - url: https://semgrep.dev/playground/r/2KTzL5z/go.lang.security.injection.tainted-sql-string.tainted-sql-string + version_id: pZT1ydr + url: https://semgrep.dev/playground/r/pZT1ydr/go.lang.security.injection.tainted-sql-string.tainted-sql-string origin: community mode: taint severity: ERROR 
@@ -9727,8 +10090,8 @@ rules: semgrep.dev: rule: rule_id: AbUQLr - version_id: X0TQgkO - url: https://semgrep.dev/playground/r/X0TQgkO/go.lang.security.injection.tainted-url-host.tainted-url-host + version_id: 2KTzrk0 + url: https://semgrep.dev/playground/r/2KTzrk0/go.lang.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sources: @@ -9805,8 +10168,8 @@ rules: semgrep.dev: rule: rule_id: AbUnNo - version_id: rxTx2E - url: https://semgrep.dev/playground/r/rxTx2E/html.security.plaintext-http-link.plaintext-http-link + version_id: w8T9nEl + url: https://semgrep.dev/playground/r/w8T9nEl/html.security.plaintext-http-link.plaintext-http-link origin: community patterns: - pattern: ... @@ -9864,8 +10227,8 @@ rules: semgrep.dev: rule: rule_id: v8Ul0r - version_id: A8T93nK - url: https://semgrep.dev/playground/r/A8T93nK/java.android.security.exported_activity.exported_activity + version_id: ExTjNle + url: https://semgrep.dev/playground/r/ExTjNle/java.android.security.exported_activity.exported_activity origin: community - id: java.aws-lambda.security.tainted-sql-string.tainted-sql-string languages: @@ -9907,8 +10270,8 @@ rules: semgrep.dev: rule: rule_id: YGUl4z - version_id: jQTgQD6 - url: https://semgrep.dev/playground/r/jQTgQD6/java.aws-lambda.security.tainted-sql-string.tainted-sql-string + version_id: 7ZTgoGZ + url: https://semgrep.dev/playground/r/7ZTgoGZ/java.aws-lambda.security.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sources: @@ -9989,7 +10352,7 @@ rules: regex: "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)" - metavariable-regex: metavariable: "$SQLCMD" - regex: "(execute|query|executeUpdate)" + regex: "(execute|query|executeUpdate|batchUpdate)" options: interfile: true metadata: 
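Review bot: The new `batchUpdate` alternative in the `$SQLCMD` regex only fires when the sibling `$SQL` regex on the line above also matches, and `(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)` has spaces inside the alternation, so as far as I can tell the ` ^INSERT` and ` ^UPDATE` branches can never match (a `^` anchor after a consumed space fails) and only SELECT strings ending in a space are caught. `batchUpdate` is mostly used for INSERT/UPDATE/DELETE, so the added sink will rarely trigger unless that regex is tightened in the same pass, e.g. `regex: "(?i)^(SELECT|INSERT|UPDATE|DELETE)"` (this drops the trailing-space requirement, which may have been a deliberate concatenation heuristic — confirm against the rule's tests). `executeUpdate` is also redundant in an unanchored regex that already contains `execute`; harmless, but it suggests the list was never reviewed for what it actually matches. The rule this hunk belongs to starts outside the hunk; from the surrounding ids it is presumably `java.aws-lambda.security.tainted-sqli.tainted-sqli`.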
@@ -10022,8 +10385,8 @@ rules: semgrep.dev: rule: rule_id: 6JUDWk - version_id: 1QTO53K - url: https://semgrep.dev/playground/r/1QTO53K/java.aws-lambda.security.tainted-sqli.tainted-sqli + version_id: LjTqQnB + url: https://semgrep.dev/playground/r/LjTqQnB/java.aws-lambda.security.tainted-sqli.tainted-sqli origin: community - id: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify message: Detected the decoding of a JWT token without a verify step. JWT tokens @@ -10054,8 +10417,8 @@ rules: semgrep.dev: rule: rule_id: pKUOE9 - version_id: w8T3lO - url: https://semgrep.dev/playground/r/w8T3lO/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify + version_id: 8KTQ96B + url: https://semgrep.dev/playground/r/8KTQ96B/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify origin: community languages: - java @@ -10106,8 +10469,8 @@ rules: semgrep.dev: rule: rule_id: oqUeAn - version_id: A8T9WP7 - url: https://semgrep.dev/playground/r/A8T9WP7/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + version_id: gET3xz5 + url: https://semgrep.dev/playground/r/gET3xz5/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret origin: community languages: - java @@ -10167,8 +10530,8 @@ rules: semgrep.dev: rule: rule_id: zdUkzR - version_id: O9TylW - url: https://semgrep.dev/playground/r/O9TylW/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg + version_id: QkTW05B + url: https://semgrep.dev/playground/r/QkTW05B/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg origin: community languages: - java 
@@ -10220,8 +10583,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUb9l - version_id: d6TD4W - url: https://semgrep.dev/playground/r/d6TD4W/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + version_id: PkTJ19w + url: https://semgrep.dev/playground/r/PkTJ19w/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal origin: community message: Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. @@ -10301,8 +10664,8 @@ rules: semgrep.dev: rule: rule_id: X5U8rQ - version_id: nWT7GB - url: https://semgrep.dev/playground/r/nWT7GB/java.jboss.security.session_sqli.find-sql-string-concatenation + version_id: 5PTdAQ2 + url: https://semgrep.dev/playground/r/5PTdAQ2/java.jboss.security.session_sqli.find-sql-string-concatenation origin: community - id: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs message: When data from an untrusted source is put into a logger and not neutralized @@ -10331,8 +10694,8 @@ rules: semgrep.dev: rule: rule_id: 8GUjwW - version_id: 5PT6y8 - url: https://semgrep.dev/playground/r/5PT6y8/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + version_id: RGTDk8b + url: https://semgrep.dev/playground/r/RGTDk8b/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs origin: community severity: WARNING languages: @@ -10399,6 +10762,8 @@ rules: use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information. metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: 
@@ -10429,8 +10794,8 @@ rules: semgrep.dev: rule: rule_id: PeUZNg - version_id: GxT2Dr - url: https://semgrep.dev/playground/r/GxT2Dr/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + version_id: A8T95KY + url: https://semgrep.dev/playground/r/A8T95KY/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated origin: community severity: WARNING patterns: @@ -10454,6 +10819,8 @@ rules: message: Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: @@ -10478,8 +10845,8 @@ rules: semgrep.dev: rule: rule_id: JDUy8J - version_id: RGTbKq - url: https://semgrep.dev/playground/r/RGTbKq/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + version_id: BjTXrl2 + url: https://semgrep.dev/playground/r/BjTXrl2/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated origin: community severity: WARNING patterns: @@ -10495,6 +10862,8 @@ rules: - kt - id: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher metadata: + functional-categories: + - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: @@ -10519,8 +10888,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOb6 - version_id: A8TR33 - url: https://semgrep.dev/playground/r/A8TR33/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher + version_id: DkT6nJd + url: https://semgrep.dev/playground/r/DkT6nJd/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher origin: community message: Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. 
@@ -10537,6 +10906,8 @@ rules: regex: ".*ECB.*" - id: java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse metadata: + functional-categories: + - crypto::search::randomness::javax.crypto cwe: - 'CWE-323: Reusing a Nonce, Key Pair in Encryption' category: security @@ -10560,8 +10931,8 @@ rules: semgrep.dev: rule: rule_id: GdUZZ3 - version_id: DkTQGN - url: https://semgrep.dev/playground/r/DkTQGN/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse + version_id: 0bTLlBy + url: https://semgrep.dev/playground/r/0bTLlBy/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse origin: community languages: - java @@ -10607,8 +10978,8 @@ rules: semgrep.dev: rule: rule_id: GdU7pw - version_id: WrTbdQ - url: https://semgrep.dev/playground/r/WrTbdQ/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + version_id: K3Tvjez + url: https://semgrep.dev/playground/r/K3Tvjez/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher origin: community message: 'NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). @@ -10650,8 +11021,8 @@ rules: semgrep.dev: rule: rule_id: ReUgj1 - version_id: 0bTvwe - url: https://semgrep.dev/playground/r/0bTvwe/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + version_id: qkT2xGj + url: https://semgrep.dev/playground/r/qkT2xGj/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector origin: community severity: WARNING languages: @@ -10677,6 +11048,8 @@ rules: } - id: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding metadata: + functional-categories: + - crypto::search::mode::javax.crypto cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: 
@@ -10707,8 +11080,8 @@ rules: semgrep.dev: rule: rule_id: AbUzoj - version_id: K3TlrK - url: https://semgrep.dev/playground/r/K3TlrK/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + version_id: l4T4vbd + url: https://semgrep.dev/playground/r/l4T4vbd/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding origin: community message: Using RSA without OAEP mode weakens the encryption. severity: WARNING @@ -10718,6 +11091,8 @@ rules: pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/") - id: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket metadata: + functional-categories: + - net::search::crypto-config::java.net cwe: - 'CWE-319: Cleartext Transmission of Sensitive Information' owasp: @@ -10747,8 +11122,8 @@ rules: semgrep.dev: rule: rule_id: BYUN3X - version_id: 5PT6y3 - url: https://semgrep.dev/playground/r/5PT6y3/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + version_id: pZT1yob + url: https://semgrep.dev/playground/r/pZT1yob/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket origin: community message: Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket @@ -10762,6 +11137,8 @@ rules: - id: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb pattern: $CIPHER.getInstance("=~/AES/ECB.*/") metadata: + functional-categories: + - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: 
@@ -10786,8 +11163,8 @@ rules: semgrep.dev: rule: rule_id: WAU2yA - version_id: GxT2DW - url: https://semgrep.dev/playground/r/GxT2DW/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb + version_id: 2KTzreY + url: https://semgrep.dev/playground/r/2KTzreY/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb origin: community message: 'Use of AES with ECB mode detected. ECB doesn''t provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, @@ -10799,6 +11176,8 @@ rules: - id: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish pattern: $CIPHER.getInstance("Blowfish") metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: @@ -10823,8 +11202,8 @@ rules: semgrep.dev: rule: rule_id: 0oUR28 - version_id: RGTbKB - url: https://semgrep.dev/playground/r/RGTbKB/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish + version_id: X0TQxEx + url: https://semgrep.dev/playground/r/X0TQxEx/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish origin: community message: 'Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, @@ -10866,6 +11245,8 @@ rules: - pattern: Cipher.getInstance("AES") - pattern: (Cipher $CIPHER).getInstance("AES") metadata: + functional-categories: + - crypto::search::mode::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: 
@@ -10890,8 +11271,8 @@ rules: semgrep.dev: rule: rule_id: KxUB7Z - version_id: A8TR3x - url: https://semgrep.dev/playground/r/A8TR3x/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes + version_id: jQTgYWy + url: https://semgrep.dev/playground/r/jQTgYWy/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes origin: community message: 'Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn''t provide message confidentiality and is not semantically @@ -10909,6 +11290,8 @@ rules: - java severity: WARNING metadata: + functional-categories: + - crypto::search::hash-algorithm::org.apache.commons owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures @@ -10933,8 +11316,8 @@ rules: semgrep.dev: rule: rule_id: BYUGK0 - version_id: BjTEe4 - url: https://semgrep.dev/playground/r/BjTEe4/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils + version_id: 1QTOYBy + url: https://semgrep.dev/playground/r/1QTOYBy/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils origin: community patterns: - pattern: "$DU.$GET_ALGO().digest(...)\n" @@ -10956,6 +11339,8 @@ rules: - java severity: WARNING metadata: + functional-categories: + - crypto::search::hash-algorithm::java.security owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures @@ -10980,8 +11365,8 @@ rules: semgrep.dev: rule: rule_id: KxU5lW - version_id: DkTQGo - url: https://semgrep.dev/playground/r/DkTQGo/java.lang.security.audit.crypto.use-of-md5.use-of-md5 + version_id: 9lTdW2l + url: https://semgrep.dev/playground/r/9lTdW2l/java.lang.security.audit.crypto.use-of-md5.use-of-md5 origin: community patterns: - pattern: 'java.security.MessageDigest.getInstance($ALGO, ...); 
@@ -10997,6 +11382,8 @@ rules: - id: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 pattern: $CIPHER.getInstance("RC2") metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: @@ -11021,8 +11408,8 @@ rules: semgrep.dev: rule: rule_id: qNUzXG - version_id: WrTbd2 - url: https://semgrep.dev/playground/r/WrTbd2/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 + version_id: yeTR28q + url: https://semgrep.dev/playground/r/yeTR28q/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 origin: community message: 'Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). @@ -11034,6 +11421,8 @@ rules: - id: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 pattern: $CIPHER.getInstance("RC4") metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto cwe: - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' owasp: @@ -11058,8 +11447,8 @@ rules: semgrep.dev: rule: rule_id: lBUw8k - version_id: 0bTvwY - url: https://semgrep.dev/playground/r/0bTvwY/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 + version_id: rxTyLql + url: https://semgrep.dev/playground/r/rxTyLql/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 origin: community message: 'Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure @@ -11077,6 +11466,8 @@ rules: - java severity: WARNING metadata: + functional-categories: + - crypto::search::hash-algorithm::javax.crypto owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures 
@@ -11106,8 +11497,8 @@ rules: semgrep.dev: rule: rule_id: qNUWNn - version_id: BjTXezz - url: https://semgrep.dev/playground/r/BjTXezz/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 + version_id: bZTb1rl + url: https://semgrep.dev/playground/r/bZTb1rl/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 origin: community pattern-either: - patterns: @@ -11124,6 +11515,8 @@ rules: - java severity: WARNING metadata: + functional-categories: + - crypto::search::key-length::java.security cwe: - 'CWE-326: Inadequate Encryption Strength' owasp: @@ -11153,8 +11546,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5P5 - version_id: l4T5yb - url: https://semgrep.dev/playground/r/l4T5yb/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key + version_id: kbTdxpZ + url: https://semgrep.dev/playground/r/kbTdxpZ/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key origin: community patterns: - pattern: | @@ -11200,8 +11593,8 @@ rules: semgrep.dev: rule: rule_id: QrUzxR - version_id: WrTxK0 - url: https://semgrep.dev/playground/r/WrTxK0/java.lang.security.audit.formatted-sql-string.formatted-sql-string + version_id: O9TNOzA + url: https://semgrep.dev/playground/r/O9TNOzA/java.lang.security.audit.formatted-sql-string.formatted-sql-string origin: community options: taint_assume_safe_numbers: true @@ -11288,8 +11681,8 @@ rules: semgrep.dev: rule: rule_id: 3qUPyK - version_id: zyT5W7 - url: https://semgrep.dev/playground/r/zyT5W7/java.lang.security.audit.http-response-splitting.http-response-splitting + version_id: e1T015P + url: https://semgrep.dev/playground/r/e1T015P/java.lang.security.audit.http-response-splitting.http-response-splitting origin: community message: Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This 
@@ -11339,8 +11732,8 @@ rules: semgrep.dev: rule: rule_id: 4bUkrW - version_id: pZTrXj - url: https://semgrep.dev/playground/r/pZTrXj/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + version_id: vdTYNgx + url: https://semgrep.dev/playground/r/vdTYNgx/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection origin: community message: Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'. @@ -11392,8 +11785,8 @@ rules: semgrep.dev: rule: rule_id: JDULAW - version_id: 9lTzJg - url: https://semgrep.dev/playground/r/9lTzJg/java.lang.security.audit.md5-used-as-password.md5-used-as-password + version_id: 7ZTgod0 + url: https://semgrep.dev/playground/r/7ZTgod0/java.lang.security.audit.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: @@ -11444,8 +11837,8 @@ rules: semgrep.dev: rule: rule_id: oqUBJG - version_id: qkT2jyn - url: https://semgrep.dev/playground/r/qkT2jyn/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request + version_id: GxTv6yG + url: https://semgrep.dev/playground/r/GxTv6yG/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request origin: community languages: - java @@ -11485,7 +11878,7 @@ rules: regex: "(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)" - metavariable-regex: metavariable: "$SQLCMD" - regex: "(execute|query|executeUpdate)" + regex: "(execute|query|executeUpdate|batchUpdate)" - id: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request message: Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into 
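Review bot: Adding `batchUpdate` to the `$SQLCMD` regex here has the same limitation as the aws-lambda variant: the companion `$SQL` regex `(?i)(^SELECT.* | ^INSERT.* | ^UPDATE.*)` on the context line above embeds spaces in the alternation, so the INSERT and UPDATE branches look unreachable and DELETE is absent entirely, which are exactly the statements `JdbcTemplate.batchUpdate` is typically called with. Unless the SQL-prefix regex is fixed alongside, e.g. `regex: "(?i)^(SELECT|INSERT|UPDATE|DELETE)"`, the new sink alternative mostly extends coverage on paper; a test case pairing a tainted `"UPDATE ... " + param` string with `batchUpdate(...)` would show whether it fires. The enclosing rule, presumably `java.lang.security.audit.sqli.tainted-sql-from-http-request`, begins before this hunk, so I cannot see whether `batchUpdate(String...)` versus the `batchUpdate(String, List<Object[]>)` overloads are both reachable through the surrounding `$OBJ.$SQLCMD($SQL, ...)` pattern — worth confirming.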
@@ -11554,8 +11947,8 @@ rules: semgrep.dev: rule: rule_id: zdUWrg - version_id: 9lTdZqO - url: https://semgrep.dev/playground/r/9lTdZqO/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request + version_id: BjTXr52 + url: https://semgrep.dev/playground/r/BjTXr52/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request origin: community - id: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request message: Detected input from a HTTPServletRequest going into the environment variables @@ -11608,8 +12001,8 @@ rules: semgrep.dev: rule: rule_id: nJULjy - version_id: yeTRAGy - url: https://semgrep.dev/playground/r/yeTRAGy/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request + version_id: DkT6nld + url: https://semgrep.dev/playground/r/DkT6nld/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request origin: community - id: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request message: Detected input from a HTTPServletRequest going into an LDAP query. This @@ -11641,8 +12034,8 @@ rules: semgrep.dev: rule: rule_id: pKUXAv - version_id: ExTn1r - url: https://semgrep.dev/playground/r/ExTn1r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request + version_id: WrTWQBW + url: https://semgrep.dev/playground/r/WrTWQBW/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request origin: community severity: WARNING languages: 
@@ -11735,8 +12128,8 @@ rules: semgrep.dev: rule: rule_id: 2ZU7Eo - version_id: rxTy2lw - url: https://semgrep.dev/playground/r/rxTy2lw/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request + version_id: 0bTLlNy + url: https://semgrep.dev/playground/r/0bTLlNy/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request origin: community - id: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request message: Detected input from a HTTPServletRequest going into a XPath evaluate or @@ -11780,8 +12173,8 @@ rules: semgrep.dev: rule: rule_id: X5U5nj - version_id: LjT0zX - url: https://semgrep.dev/playground/r/LjT0zX/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request + version_id: K3TvjEz + url: https://semgrep.dev/playground/r/K3TvjEz/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request origin: community - id: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect message: Application redirects to a destination URL specified by a user-supplied @@ -11816,8 +12209,8 @@ rules: semgrep.dev: rule: rule_id: WAUo0p - version_id: gETqkO - url: https://semgrep.dev/playground/r/gETqkO/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect + version_id: l4T4vkd + url: https://semgrep.dev/playground/r/l4T4vkd/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect origin: community severity: WARNING languages: @@ -11947,8 +12340,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5j3 - version_id: QkTJ1G - url: https://semgrep.dev/playground/r/QkTJ1G/java.lang.security.audit.url-rewriting.url-rewriting + version_id: YDTp2WQ + url: https://semgrep.dev/playground/r/YDTp2WQ/java.lang.security.audit.url-rewriting.url-rewriting origin: community severity: WARNING languages: 
@@ -12047,8 +12440,8 @@ rules: semgrep.dev: rule: rule_id: j2UrJ8 - version_id: BjTEK4 - url: https://semgrep.dev/playground/r/BjTEK4/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false + version_id: 9lTdWrl + url: https://semgrep.dev/playground/r/9lTdWrl/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false origin: community message: DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable @@ -12130,8 +12523,8 @@ rules: semgrep.dev: rule: rule_id: 10UPQB - version_id: DkTQ2o - url: https://semgrep.dev/playground/r/DkTQ2o/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing + version_id: yeTR2lq + url: https://semgrep.dev/playground/r/yeTR2lq/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing origin: community message: DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature @@ -12291,8 +12684,8 @@ rules: semgrep.dev: rule: rule_id: 9AUJ6r - version_id: WrTbY2 - url: https://semgrep.dev/playground/r/WrTbY2/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true + version_id: rxTyLdl + url: https://semgrep.dev/playground/r/rxTyLdl/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true origin: community message: External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-general-entities" 
@@ -12339,8 +12732,8 @@ rules: semgrep.dev: rule: rule_id: yyUNeo - version_id: 0bTvpY - url: https://semgrep.dev/playground/r/0bTvpY/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true + version_id: bZTb1pl + url: https://semgrep.dev/playground/r/bZTb1pl/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true origin: community message: External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature "http://xml.org/sax/features/external-parameter-entities" @@ -12388,8 +12781,8 @@ rules: semgrep.dev: rule: rule_id: j2Udpk - version_id: K3TlwD - url: https://semgrep.dev/playground/r/K3TlwD/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing + version_id: NdT3dPr + url: https://semgrep.dev/playground/r/NdT3dPr/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing origin: community message: DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` @@ -12552,8 +12945,8 @@ rules: semgrep.dev: rule: rule_id: v8UeQ1 - version_id: qkTNpE - url: https://semgrep.dev/playground/r/qkTNpE/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled + version_id: kbTdxNZ + url: https://semgrep.dev/playground/r/kbTdxNZ/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled origin: community message: DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes "accessExternalDTD" 
@@ -12733,8 +13126,8 @@ rules: semgrep.dev: rule: rule_id: NbUk7X - version_id: YDToYW - url: https://semgrep.dev/playground/r/YDToYW/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + version_id: xyTKZP1 + url: https://semgrep.dev/playground/r/xyTKZP1/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal origin: community message: Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. @@ -12807,8 +13200,8 @@ rules: semgrep.dev: rule: rule_id: kxUk12 - version_id: 6xTeyB - url: https://semgrep.dev/playground/r/6xTeyB/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization + version_id: O9TNOwA + url: https://semgrep.dev/playground/r/O9TNOwA/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization origin: community message: JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization @@ -12861,8 +13254,8 @@ rules: semgrep.dev: rule: rule_id: wdUJOk - version_id: zyT5G7 - url: https://semgrep.dev/playground/r/zyT5G7/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + version_id: vdTYNex + url: https://semgrep.dev/playground/r/vdTYNex/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss origin: community severity: ERROR patterns: 
@@ -12912,8 +13305,8 @@ rules: semgrep.dev: rule: rule_id: OrU35O - version_id: X0TPAy - url: https://semgrep.dev/playground/r/X0TPAy/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + version_id: nWTxPXE + url: https://semgrep.dev/playground/r/nWTxPXE/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe origin: community message: XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable @@ -12985,8 +13378,8 @@ rules: semgrep.dev: rule: rule_id: eqUerQ - version_id: NdT1en - url: https://semgrep.dev/playground/r/NdT1en/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml + version_id: 3ZTkQqw + url: https://semgrep.dev/playground/r/3ZTkQqw/java.spring.security.audit.spring-actuator-fully-enabled-yaml.spring-actuator-fully-enabled-yaml origin: community - id: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled pattern: management.endpoints.web.exposure.include=* @@ -13027,8 +13420,8 @@ rules: semgrep.dev: rule: rule_id: EwU4vg - version_id: JdTNyzY - url: https://semgrep.dev/playground/r/JdTNyzY/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled + version_id: 44TRl4j + url: https://semgrep.dev/playground/r/44TRl4j/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled origin: community - id: java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml patterns: 
@@ -13081,8 +13474,8 @@ rules: semgrep.dev: rule: rule_id: kxUWpX - version_id: w8T3K9 - url: https://semgrep.dev/playground/r/w8T3K9/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml + version_id: PkTJ14y + url: https://semgrep.dev/playground/r/PkTJ14y/java.spring.security.audit.spring-actuator-non-health-enabled-yaml.spring-actuator-dangerous-endpoints-enabled-yaml origin: community - id: java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled patterns: @@ -13124,8 +13517,8 @@ rules: semgrep.dev: rule: rule_id: wdUWrZ - version_id: xyT4qv - url: https://semgrep.dev/playground/r/xyT4qv/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled + version_id: JdTNp0W + url: https://semgrep.dev/playground/r/JdTNp0W/java.spring.security.audit.spring-actuator-non-health-enabled.spring-actuator-dangerous-endpoints-enabled origin: community - id: java.spring.security.audit.spring-sqli.spring-sqli mode: taint @@ -13204,8 +13597,8 @@ rules: semgrep.dev: rule: rule_id: eqU8N2 - version_id: 0bTOzP - url: https://semgrep.dev/playground/r/0bTOzP/java.spring.security.audit.spring-sqli.spring-sqli + version_id: RGTDkJb + url: https://semgrep.dev/playground/r/RGTDkJb/java.spring.security.audit.spring-sqli.spring-sqli origin: community - id: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect message: Application redirects a user to a destination URL specified by a user supplied @@ -13234,8 +13627,8 @@ rules: semgrep.dev: rule: rule_id: v8Un7w - version_id: d6TDPl - url: https://semgrep.dev/playground/r/d6TDPl/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + version_id: A8T95DY + url: https://semgrep.dev/playground/r/A8T95DY/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect origin: community severity: WARNING languages: 
@@ -13303,8 +13696,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUxok
- version_id: NdT3XGB
- url: https://semgrep.dev/playground/r/NdT3XGB/java.spring.security.injection.tainted-file-path.tainted-file-path
+ version_id: DkT6nEd
+ url: https://semgrep.dev/playground/r/DkT6nEd/java.spring.security.injection.tainted-file-path.tainted-file-path
 origin: community
 mode: taint
 pattern-sources:
@@ -13390,8 +13783,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUvkL
- version_id: ExTngr
- url: https://semgrep.dev/playground/r/ExTngr/java.spring.security.injection.tainted-html-string.tainted-html-string
+ version_id: WrTWQLW
+ url: https://semgrep.dev/playground/r/WrTWQLW/java.spring.security.injection.tainted-html-string.tainted-html-string
 origin: community
 mode: taint
 pattern-sources:
@@ -13508,8 +13901,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10UdRR
- version_id: kbTd63O
- url: https://semgrep.dev/playground/r/kbTd63O/java.spring.security.injection.tainted-sql-string.tainted-sql-string
+ version_id: 0bTLlny
+ url: https://semgrep.dev/playground/r/0bTLlny/java.spring.security.injection.tainted-sql-string.tainted-sql-string
 origin: community
 options:
 taint_assume_safe_numbers: true
@@ -13580,6 +13973,8 @@ rules:
 - pattern: "(StringBuilder $STRB).append($INPUT)"
 from: "$INPUT"
 to: "$STRB"
+ label: CONCAT
+ requires: INPUT
 pattern-sources:
 - patterns:
 - pattern-either:
@@ -13603,7 +13998,6 @@ rules:
 - pattern-either:
 - pattern: "$X + $SOURCE"
 - pattern: "$SOURCE + $Y"
- - pattern: "(StringBuilder $STRB).append($SOURCE)"
 - pattern: String.format("...", ..., $SOURCE, ...)
 - pattern: String.join("...", ..., $SOURCE, ...)
 - pattern: "(String $STR).concat($SOURCE)"
@@ -13679,8 +14073,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JUxGN
- version_id: LjT0XX
- url: https://semgrep.dev/playground/r/LjT0XX/java.spring.security.injection.tainted-system-command.tainted-system-command
+ version_id: K3Tvjxz
+ url: https://semgrep.dev/playground/r/K3Tvjxz/java.spring.security.injection.tainted-system-command.tainted-system-command
 origin: community
 - id: java.spring.security.injection.tainted-url-host.tainted-url-host
 languages:
@@ -13722,8 +14116,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqUZo8
- version_id: w8T9lNK
- url: https://semgrep.dev/playground/r/w8T9lNK/java.spring.security.injection.tainted-url-host.tainted-url-host
+ version_id: qkT2xDj
+ url: https://semgrep.dev/playground/r/qkT2xDj/java.spring.security.injection.tainted-url-host.tainted-url-host
 origin: community
 mode: taint
 pattern-sources:
@@ -13809,8 +14203,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8Ujdo
- version_id: 3ZTdOR
- url: https://semgrep.dev/playground/r/3ZTdOR/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods
+ version_id: JdTNpXL
+ url: https://semgrep.dev/playground/r/JdTNpXL/javascript.angular.security.detect-angular-element-methods.detect-angular-element-methods
 origin: community
 languages:
 - javascript
@@ -13884,8 +14278,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUP71
- version_id: 44ToZb
- url: https://semgrep.dev/playground/r/44ToZb/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint
+ version_id: 5PTdAZp
+ url: https://semgrep.dev/playground/r/5PTdAZp/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint
 origin: community
 languages:
 - javascript
@@ -13975,8 +14369,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU20Z
- version_id: 5PT693
- url: https://semgrep.dev/playground/r/5PT693/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled
+ version_id: A8T95BJ
+ url: https://semgrep.dev/playground/r/A8T95BJ/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled
 origin: community
 languages:
 - javascript
@@ -14014,8 +14408,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxU1QX
- version_id: BjTE14
- url: https://semgrep.dev/playground/r/BjTE14/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method
+ version_id: 0bTLlno
+ url: https://semgrep.dev/playground/r/0bTLlno/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method
 origin: community
 languages:
 - javascript
@@ -14063,8 +14457,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbU2X8
- version_id: qkTN4E
- url: https://semgrep.dev/playground/r/qkTN4E/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config
+ version_id: 6xTvJB0
+ url: https://semgrep.dev/playground/r/6xTvJB0/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config
 origin: community
 languages:
 - javascript
@@ -14119,8 +14513,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: r6UDNQ
- version_id: YDTovW
- url: https://semgrep.dev/playground/r/YDTovW/javascript.aws-lambda.security.detect-child-process.detect-child-process
+ version_id: zyTK8z9
+ url: https://semgrep.dev/playground/r/zyTK8z9/javascript.aws-lambda.security.detect-child-process.detect-child-process
 origin: community
 languages:
 - javascript
@@ -14192,8 +14586,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU1xk
- version_id: JdTqDX
- url: https://semgrep.dev/playground/r/JdTqDX/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object
+ version_id: pZT1yER
+ url: https://semgrep.dev/playground/r/pZT1yER/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object
 origin: community
 languages:
 - javascript
@@ -14274,8 +14668,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: bwUBlj
- version_id: 5PT69b
- url: https://semgrep.dev/playground/r/5PT69b/javascript.aws-lambda.security.knex-sqli.knex-sqli
+ version_id: 2KTzr8N
+ url: https://semgrep.dev/playground/r/2KTzr8N/javascript.aws-lambda.security.knex-sqli.knex-sqli
 origin: community
 languages:
 - javascript
@@ -14347,8 +14741,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUBJ2
- version_id: GxT2Pd
- url: https://semgrep.dev/playground/r/GxT2Pd/javascript.aws-lambda.security.mysql-sqli.mysql-sqli
+ version_id: X0TQxRX
+ url: https://semgrep.dev/playground/r/X0TQxRX/javascript.aws-lambda.security.mysql-sqli.mysql-sqli
 origin: community
 languages:
 - javascript
@@ -14431,8 +14825,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxU25P
- version_id: RGTbAG
- url: https://semgrep.dev/playground/r/RGTbAG/javascript.aws-lambda.security.pg-sqli.pg-sqli
+ version_id: jQTgYP0
+ url: https://semgrep.dev/playground/r/jQTgYP0/javascript.aws-lambda.security.pg-sqli.pg-sqli
 origin: community
 languages:
 - javascript
@@ -14502,8 +14896,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUA5o
- version_id: A8TRJl
- url: https://semgrep.dev/playground/r/A8TRJl/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli
+ version_id: 1QTOYGR
+ url: https://semgrep.dev/playground/r/1QTOYGR/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli
 origin: community
 languages:
 - javascript
@@ -14568,8 +14962,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UNw5
- version_id: BjTE1Z
- url: https://semgrep.dev/playground/r/BjTE1Z/javascript.aws-lambda.security.tainted-eval.tainted-eval
+ version_id: 9lTdWpv
+ url: https://semgrep.dev/playground/r/9lTdWpv/javascript.aws-lambda.security.tainted-eval.tainted-eval
 origin: community
 languages:
 - javascript
@@ -14631,8 +15025,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUJBY
- version_id: DkTQNj
- url: https://semgrep.dev/playground/r/DkTQNj/javascript.aws-lambda.security.tainted-html-response.tainted-html-response
+ version_id: yeTR2o8
+ url: https://semgrep.dev/playground/r/yeTR2o8/javascript.aws-lambda.security.tainted-html-response.tainted-html-response
 origin: community
 languages:
 - javascript
@@ -14693,8 +15087,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUxwW
- version_id: WrTbE1
- url: https://semgrep.dev/playground/r/WrTbE1/javascript.aws-lambda.security.tainted-html-string.tainted-html-string
+ version_id: rxTyLWd
+ url: https://semgrep.dev/playground/r/rxTyLWd/javascript.aws-lambda.security.tainted-html-string.tainted-html-string
 origin: community
 languages:
 - javascript
@@ -14774,8 +15168,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqUDqW
- version_id: 0bTv1A
- url: https://semgrep.dev/playground/r/0bTv1A/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string
+ version_id: bZTb1yy
+ url: https://semgrep.dev/playground/r/bZTb1yy/javascript.aws-lambda.security.tainted-sql-string.tainted-sql-string
 origin: community
 languages:
 - javascript
@@ -14849,8 +15243,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UOdZ
- version_id: K3TlJp
- url: https://semgrep.dev/playground/r/K3TlJp/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection
+ version_id: NdT3d47
+ url: https://semgrep.dev/playground/r/NdT3d47/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection
 origin: community
 languages:
 - javascript
@@ -14922,8 +15316,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUy9J
- version_id: qkTN4N
- url: https://semgrep.dev/playground/r/qkTN4N/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution
+ version_id: kbTdxJn
+ url: https://semgrep.dev/playground/r/kbTdxJn/javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution
 origin: community
 languages:
 - javascript
@@ -14984,8 +15378,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUopl
- version_id: xyTKG0Z
- url: https://semgrep.dev/playground/r/xyTKG0Z/javascript.browser.security.open-redirect.js-open-redirect
+ version_id: nWTxP37
+ url: https://semgrep.dev/playground/r/nWTxP37/javascript.browser.security.open-redirect.js-open-redirect
 origin: community
 languages:
 - javascript
@@ -15087,8 +15481,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU5b5
- version_id: jQTKYR
- url: https://semgrep.dev/playground/r/jQTKYR/javascript.browser.security.raw-html-concat.raw-html-concat
+ version_id: ExTjNZk
+ url: https://semgrep.dev/playground/r/ExTjNZk/javascript.browser.security.raw-html-concat.raw-html-concat
 origin: community
 languages:
 - javascript
@@ -15263,8 +15657,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUjnb
- version_id: yeTX2N
- url: https://semgrep.dev/playground/r/yeTX2N/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection
+ version_id: 8KTQ9wQ
+ url: https://semgrep.dev/playground/r/8KTQ9wQ/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-compilescript-injection.chrome-remote-interface-compilescript-injection
 origin: community
 languages:
 - javascript
@@ -15322,8 +15716,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UWWg
- version_id: w8T3nR
- url: https://semgrep.dev/playground/r/w8T3nR/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run
+ version_id: PkTJ1NB
+ url: https://semgrep.dev/playground/r/PkTJ1NB/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run
 origin: community
 languages:
 - javascript
@@ -15384,8 +15778,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UqEb
- version_id: O9TNlEd
- url: https://semgrep.dev/playground/r/O9TNlEd/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing
+ version_id: GxTv6pD
+ url: https://semgrep.dev/playground/r/GxTv6pD/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing
 origin: community
 languages:
 - javascript
@@ -15446,8 +15840,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU8k2
- version_id: vdT2Nd
- url: https://semgrep.dev/playground/r/vdT2Nd/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
+ version_id: RGTDkj2
+ url: https://semgrep.dev/playground/r/RGTDkj2/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
 origin: community
 patterns:
 - pattern-either:
@@ -15503,8 +15897,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqU5Pn
- version_id: nWT7Pd
- url: https://semgrep.dev/playground/r/nWT7Pd/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
+ version_id: DkT6nAY
+ url: https://semgrep.dev/playground/r/DkT6nAY/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
 origin: community
 patterns:
 - pattern-either:
@@ -15577,8 +15971,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU2DZ
- version_id: 7ZTOoJ
- url: https://semgrep.dev/playground/r/7ZTOoJ/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
+ version_id: 0bTLljo
+ url: https://semgrep.dev/playground/r/0bTLljo/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
 origin: community
 patterns:
 - pattern-either:
@@ -15652,8 +16046,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UjGo
- version_id: ZRTwNy
- url: https://semgrep.dev/playground/r/ZRTwNy/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
+ version_id: BjTXr6r
+ url: https://semgrep.dev/playground/r/BjTXr6r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
 origin: community
 patterns:
 - pattern-either:
@@ -15727,8 +16121,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUz4X
- version_id: ExTnNb
- url: https://semgrep.dev/playground/r/ExTnNb/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
+ version_id: WrTWQ0q
+ url: https://semgrep.dev/playground/r/WrTWQ0q/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
 origin: community
 patterns:
 - pattern-either:
@@ -15801,8 +16195,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8Unzw
- version_id: d6TDAp
- url: https://semgrep.dev/playground/r/d6TDAp/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
+ version_id: A8T95wJ
+ url: https://semgrep.dev/playground/r/A8T95wJ/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
 origin: community
 patterns:
 - pattern-either:
@@ -15876,8 +16270,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUQ9k
- version_id: 8KTb9O
- url: https://semgrep.dev/playground/r/8KTb9O/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked
+ version_id: qkT2x3L
+ url: https://semgrep.dev/playground/r/qkT2x3L/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked
 origin: community
 languages:
 - javascript
@@ -15927,8 +16321,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: pKUNeD
- version_id: e1T0rby
- url: https://semgrep.dev/playground/r/e1T0rby/javascript.express.security.audit.express-libxml-noent.express-libxml-noent
+ version_id: l4T4vG1
+ url: https://semgrep.dev/playground/r/l4T4vG1/javascript.express.security.audit.express-libxml-noent.express-libxml-noent
 origin: community
 languages:
 - javascript
@@ -16019,8 +16413,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: X5ULkq
- version_id: 3ZTdQZ
- url: https://semgrep.dev/playground/r/3ZTdQZ/javascript.express.security.audit.express-open-redirect.express-open-redirect
+ version_id: 6xTvJN0
+ url: https://semgrep.dev/playground/r/6xTvJN0/javascript.express.security.audit.express-open-redirect.express-open-redirect
 origin: community
 languages:
 - javascript
@@ -16139,8 +16533,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1Uyb8
- version_id: 44Tolp
- url: https://semgrep.dev/playground/r/44Tolp/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal
+ version_id: o5Tgl6W
+ url: https://semgrep.dev/playground/r/o5Tgl6W/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal
 origin: community
 languages:
 - javascript
@@ -16242,8 +16636,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UzDx
- version_id: PkTY14
- url: https://semgrep.dev/playground/r/PkTY14/javascript.express.security.audit.express-res-sendfile.express-res-sendfile
+ version_id: zyTK8E9
+ url: https://semgrep.dev/playground/r/zyTK8E9/javascript.express.security.audit.express-res-sendfile.express-res-sendfile
 origin: community
 languages:
 - javascript
@@ -16334,8 +16728,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 10Uo39
- version_id: vdTY4oX
- url: https://semgrep.dev/playground/r/vdTY4oX/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
+ version_id: pZT1y5R
+ url: https://semgrep.dev/playground/r/pZT1y5R/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
 origin: community
 languages:
 - javascript
@@ -16397,8 +16791,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU9l2
- version_id: 5PT6Ab
- url: https://semgrep.dev/playground/r/5PT6Ab/javascript.express.security.audit.express-ssrf.express-ssrf
+ version_id: 2KTzr9N
+ url: https://semgrep.dev/playground/r/2KTzr9N/javascript.express.security.audit.express-ssrf.express-ssrf
 origin: community
 languages:
 - javascript
@@ -16593,8 +16987,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AUyqj
- version_id: d6Tr478
- url: https://semgrep.dev/playground/r/d6Tr478/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization
+ version_id: X0TQxrX
+ url: https://semgrep.dev/playground/r/X0TQxrX/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization
 origin: community
 languages:
 - javascript
@@ -16686,8 +17080,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUjkk
- version_id: RGTbkG
- url: https://semgrep.dev/playground/r/RGTbkG/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
+ version_id: jQTgYo0
+ url: https://semgrep.dev/playground/r/jQTgYo0/javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
 origin: community
 languages:
 - javascript
@@ -16764,8 +17158,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUL1B
- version_id: BjTErZ
- url: https://semgrep.dev/playground/r/BjTErZ/javascript.express.security.audit.remote-property-injection.remote-property-injection
+ version_id: 9lTdWxv
+ url: https://semgrep.dev/playground/r/9lTdWxv/javascript.express.security.audit.remote-property-injection.remote-property-injection
 origin: community
 languages:
 - javascript
@@ -16852,8 +17246,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUzrq
- version_id: ZRTQGxx
- url: https://semgrep.dev/playground/r/ZRTQGxx/javascript.express.security.audit.res-render-injection.res-render-injection
+ version_id: yeTR2K8
+ url: https://semgrep.dev/playground/r/yeTR2K8/javascript.express.security.audit.res-render-injection.res-render-injection
 origin: community
 languages:
 - javascript
@@ -16930,8 +17324,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 3qUPA1
- version_id: nWTxGJk
- url: https://semgrep.dev/playground/r/nWTxGJk/javascript.express.security.audit.xss.direct-response-write.direct-response-write
+ version_id: rxTyLQd
+ url: https://semgrep.dev/playground/r/rxTyLQd/javascript.express.security.audit.xss.direct-response-write.direct-response-write
 origin: community
 languages:
 - javascript
@@ -17166,8 +17560,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rULJQ
- version_id: 1QTj7d
- url: https://semgrep.dev/playground/r/1QTj7d/javascript.express.security.cors-misconfiguration.cors-misconfiguration
+ version_id: 7ZTgokN
+ url: https://semgrep.dev/playground/r/7ZTgokN/javascript.express.security.cors-misconfiguration.cors-misconfiguration
 origin: community
 languages:
 - javascript
@@ -17254,8 +17648,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdUkJl
- version_id: ExTjqvX
- url: https://semgrep.dev/playground/r/ExTjqvX/javascript.express.security.express-expat-xxe.express-expat-xxe
+ version_id: 8KTQ98Q
+ url: https://semgrep.dev/playground/r/8KTQ98Q/javascript.express.security.express-expat-xxe.express-expat-xxe
 origin: community
 languages:
 - javascript
@@ -17358,8 +17752,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwUr9k
- version_id: 7ZTgWZY
- url: https://semgrep.dev/playground/r/7ZTgWZY/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage
+ version_id: gET3xQ6
+ url: https://semgrep.dev/playground/r/gET3xQ6/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage
 origin: community
 languages:
 - javascript
@@ -17529,8 +17923,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 2ZUbx3
- version_id: NdT1od
- url: https://semgrep.dev/playground/r/NdT1od/javascript.express.security.express-phantom-injection.express-phantom-injection
+ version_id: 3ZTkQ0P
+ url: https://semgrep.dev/playground/r/3ZTkQ0P/javascript.express.security.express-phantom-injection.express-phantom-injection
 origin: community
 languages:
 - javascript
@@ -17612,8 +18006,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: X5U8Nz
- version_id: kbT7LL
- url: https://semgrep.dev/playground/r/kbT7LL/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection
+ version_id: 44TRl0z
+ url: https://semgrep.dev/playground/r/44TRl0z/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection
 origin: community
 languages:
 - javascript
@@ -17696,8 +18090,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: j2UvXB
- version_id: w8T3DR
- url: https://semgrep.dev/playground/r/w8T3DR/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection
+ version_id: PkTJ1PB
+ url: https://semgrep.dev/playground/r/PkTJ1PB/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection
 origin: community
 languages:
 - javascript
@@ -17776,8 +18170,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUKPX
- version_id: xyT4p8
- url: https://semgrep.dev/playground/r/xyT4p8/javascript.express.security.express-vm-injection.express-vm-injection
+ version_id: JdTNp9L
+ url: https://semgrep.dev/playground/r/JdTNp9L/javascript.express.security.express-vm-injection.express-vm-injection
 origin: community
 languages:
 - javascript
@@ -17852,8 +18246,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUPXJ
- version_id: O9TydQ
- url: https://semgrep.dev/playground/r/O9TydQ/javascript.express.security.express-vm2-injection.express-vm2-injection
+ version_id: 5PTdAgp
+ url: https://semgrep.dev/playground/r/5PTdAgp/javascript.express.security.express-vm2-injection.express-vm2-injection
 origin: community
 languages:
 - javascript
@@ -17947,8 +18341,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUkl9
- version_id: e1Tx3b
- url: https://semgrep.dev/playground/r/e1Tx3b/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection
+ version_id: GxTv6dD
+ url: https://semgrep.dev/playground/r/GxTv6dD/javascript.express.security.express-wkhtml-injection.express-wkhtmltoimage-injection
 origin: community
 severity: ERROR
 languages:
@@ -18018,8 +18412,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUJxq
- version_id: vdT28d
- url: https://semgrep.dev/playground/r/vdT28d/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection
+ version_id: RGTDk42
+ url: https://semgrep.dev/playground/r/RGTDk42/javascript.express.security.express-wkhtml-injection.express-wkhtmltopdf-injection
 origin: community
 languages:
 - javascript
@@ -18098,8 +18492,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8Uneb
- version_id: d6TDvp
- url: https://semgrep.dev/playground/r/d6TDvp/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe
+ version_id: A8T95oJ
+ url: https://semgrep.dev/playground/r/A8T95oJ/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe
 origin: community
 languages:
 - javascript
@@ -18184,8 +18578,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUL0X
- version_id: ZRTwpy
- url: https://semgrep.dev/playground/r/ZRTwpy/javascript.express.security.injection.raw-html-format.raw-html-format
+ version_id: BjTXr3r
+ url: https://semgrep.dev/playground/r/BjTXr3r/javascript.express.security.injection.raw-html-format.raw-html-format
 origin: community
 languages:
 - javascript
@@ -18286,8 +18680,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUNpr
- version_id: nWT7od
- url: https://semgrep.dev/playground/r/nWT7od/javascript.express.security.injection.tainted-sql-string.tainted-sql-string
+ version_id: DkT6nrY
+ url: https://semgrep.dev/playground/r/DkT6nrY/javascript.express.security.injection.tainted-sql-string.tainted-sql-string
 origin: community
 languages:
 - javascript
@@ -18370,8 +18764,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrU3WK
- version_id: 8KTQAg0
- url: https://semgrep.dev/playground/r/8KTQAg0/javascript.express.security.require-request.require-request
+ version_id: WrTWQ4q
+ url: https://semgrep.dev/playground/r/WrTWQ4q/javascript.express.security.require-request.require-request
 origin: community
 languages:
 - javascript
@@ -18440,8 +18834,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUrLy
- version_id: 7ZTOnJ
- url: https://semgrep.dev/playground/r/7ZTOnJ/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration
+ version_id: 0bTLlPo
+ url: https://semgrep.dev/playground/r/0bTLlPo/javascript.express.security.x-frame-options-misconfiguration.x-frame-options-misconfiguration
 origin: community
 languages:
 - javascript
@@ -18529,8 +18923,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUyRl
- version_id: gET3JEv
- url: https://semgrep.dev/playground/r/gET3JEv/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret
+ version_id: 5PTdAgB
+ url: https://semgrep.dev/playground/r/5PTdAgB/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret
 origin: community
 languages:
 - javascript
@@ -18609,8 +19003,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUOGN
- version_id: PkTYd4
- url: https://semgrep.dev/playground/r/PkTYd4/javascript.jose.security.jwt-none-alg.jwt-none-alg
+ version_id: GxTv6dg
+ url: https://semgrep.dev/playground/r/GxTv6dg/javascript.jose.security.jwt-none-alg.jwt-none-alg
 origin: community
 languages:
 - javascript
@@ -18673,8 +19067,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUon7
- version_id: qkT2og0
- url: https://semgrep.dev/playground/r/qkT2og0/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret
+ version_id: K3TvjWe
+ url: https://semgrep.dev/playground/r/K3TvjWe/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret
 origin: community
 languages:
 - javascript
@@ -18687,8 +19081,12 @@ rules:
 - patterns:
 - pattern-inside: "$VALUE = '$Y' \n...\n"
 - pattern: "$VALUE"
- - pattern-inside: "$JWT.sign($VALUE, '$Y',...)"
- - pattern-inside: "$JWT.verify($VALUE, '$Y',...)"
+ - patterns:
+ - pattern-either:
+ - pattern-inside: "$JWT.sign($VALUE, $Y,...)"
+ - pattern-inside: "$JWT.verify($VALUE, $Y,...)"
+ - focus-metavariable: "$Y"
+ - pattern: "'...'\n"
 - patterns:
 - pattern-inside: |
 $SECRET = "$Y"
@@ -18751,8 +19149,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU53g
- version_id: WrTb31
- url: https://semgrep.dev/playground/r/WrTb31/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg
+ version_id: qkT2x86
+ url: https://semgrep.dev/playground/r/qkT2x86/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg
 origin: community
 languages:
 - javascript
@@ -18799,8 +19197,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUKEz
- version_id: QkTWnA3
- url: https://semgrep.dev/playground/r/QkTWnA3/javascript.lang.security.audit.code-string-concat.code-string-concat
+ version_id: rxTyL7P
+ url: https://semgrep.dev/playground/r/rxTyL7P/javascript.lang.security.audit.code-string-concat.code-string-concat
 origin: community
 languages:
 - javascript
@@ -18894,8 +19292,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUo10
- version_id: K3TlGp
- url: https://semgrep.dev/playground/r/K3TlGp/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell
+ version_id: bZTb1eA
+ url: https://semgrep.dev/playground/r/bZTb1eA/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell
 origin: community
 languages:
 - javascript
@@ -18973,8 +19371,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdU1gD
- version_id: YDTonX
- url: https://semgrep.dev/playground/r/YDTonX/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+ version_id: w8T9nxz
+ url: https://semgrep.dev/playground/r/w8T9nxz/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
 origin: community
 languages:
 - javascript
@@ -19029,8 +19427,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUr5G
- version_id: RGTb0Q
- url: https://semgrep.dev/playground/r/RGTb0Q/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password
+ version_id: d6TrAG4
+ url: https://semgrep.dev/playground/r/d6TrAG4/javascript.lang.security.audit.md5-used-as-password.md5-used-as-password
 origin: community
 languages:
 - javascript
@@ -19077,8 +19475,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUjrq
- version_id: BjTEkB
- url: https://semgrep.dev/playground/r/BjTEkB/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+ version_id: nWTxP4n
+ url: https://semgrep.dev/playground/r/nWTxP4n/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
 origin: community
 languages:
 - javascript
@@ -19167,8 +19565,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UKLD
- version_id: qkTNRp
- url: https://semgrep.dev/playground/r/qkTNRp/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli
+ version_id: gET3x2P
+ url: https://semgrep.dev/playground/r/gET3x2P/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli
 origin: community
 languages:
 - javascript
@@ -19260,8 +19658,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxU8Pd
- version_id: l4T5Jx
- url: https://semgrep.dev/playground/r/l4T5Jx/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli
+ version_id: QkTW0rE
+ url: https://semgrep.dev/playground/r/QkTW0rE/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli
 origin: community
 languages:
 - javascript
@@ -19326,8 +19724,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqUlWE
- version_id: YDToZ2
- url: https://semgrep.dev/playground/r/YDToZ2/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli
+ version_id: 3ZTkQAW
+ url: https://semgrep.dev/playground/r/3ZTkQAW/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli
 origin: community
 languages:
 - javascript
@@ -19401,8 +19799,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUPN9
- version_id: 6xTe2Q
- url: https://semgrep.dev/playground/r/6xTe2Q/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli
+ version_id: 44TRlP8
+ url: https://semgrep.dev/playground/r/44TRlP8/javascript.lang.security.audit.sqli.node-postgres-sqli.node-postgres-sqli
 origin: community
 languages:
 - javascript
@@ -19470,8 +19868,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyUngo
- version_id: O9Typz
- url: https://semgrep.dev/playground/r/O9Typz/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression
+ version_id: o5TglEE
+ url: https://semgrep.dev/playground/r/o5TglEE/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression
 origin: community
 languages:
 - javascript
@@ -19566,8 +19964,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUGOq
- version_id: ExTnEW
- url: https://semgrep.dev/playground/r/ExTnEW/javascript.lang.security.insecure-object-assign.insecure-object-assign
+ version_id: 1QTOYLD
+ url: https://semgrep.dev/playground/r/1QTOYLD/javascript.lang.security.insecure-object-assign.insecure-object-assign
 origin: community
 languages:
 - javascript
@@ -19618,8 +20016,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUzq6
- version_id: l4T4dq5
- url: https://semgrep.dev/playground/r/l4T4dq5/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret
+ version_id: bZTb1oA
+ url: https://semgrep.dev/playground/r/bZTb1oA/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret
 origin: community
 languages:
 - javascript
@@ -19734,8 +20132,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: yyU0GX
- version_id: 44TRg5w
- url: https://semgrep.dev/playground/r/44TRg5w/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection
+ version_id: 3ZTkQwW
+ url: https://semgrep.dev/playground/r/3ZTkQwW/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection
 origin: community
 languages:
 - javascript
@@ -19818,8 +20216,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUpLy
- version_id: NdT1Z0
- url: https://semgrep.dev/playground/r/NdT1Z0/json.aws.security.public-s3-bucket.public-s3-bucket
+ version_id: qkT2xw6
+ url: https://semgrep.dev/playground/r/qkT2xw6/json.aws.security.public-s3-bucket.public-s3-bucket
 origin: community
 patterns:
 - pattern-inside: |
@@ -19892,8 +20290,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 9AU1br
- version_id: kbT7Dy
- url: https://semgrep.dev/playground/r/kbT7Dy/json.aws.security.public-s3-policy-statement.public-s3-policy-statement
+ version_id: l4T4vDE
+ url: https://semgrep.dev/playground/r/l4T4vDE/json.aws.security.public-s3-policy-statement.public-s3-policy-statement
 origin: community
 severity: WARNING
 languages:
@@ -19936,8 +20334,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDULx5
- version_id: w8T3pP
- url: https://semgrep.dev/playground/r/w8T3pP/json.aws.security.wildcard-assume-role.wildcard-assume-role
+ version_id: YDTp2bd
+ url: https://semgrep.dev/playground/r/YDTp2bd/json.aws.security.wildcard-assume-role.wildcard-assume-role
 origin: community
 languages:
 - json
@@ -19970,8 +20368,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: v8U9Q7
-        version_id: O9Ty8z
-        url: https://semgrep.dev/playground/r/O9Ty8z/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind
+        version_id: 5PTdAGD
+        url: https://semgrep.dev/playground/r/5PTdAGD/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind
         origin: community
   message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html
@@ -20009,8 +20407,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: DbU1Zd
-        version_id: ExTnoW
-        url: https://semgrep.dev/playground/r/ExTnoW/kotlin.lang.security.ecb-cipher.ecb-cipher
+        version_id: WrTWQnR
+        url: https://semgrep.dev/playground/r/WrTWQnR/kotlin.lang.security.ecb-cipher.ecb-cipher
         origin: community
   message: Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data.
@@ -20067,8 +20465,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 0oU2Yy
-        version_id: LjT0G3
-        url: https://semgrep.dev/playground/r/LjT0G3/kotlin.lang.security.no-null-cipher.no-null-cipher
+        version_id: K3TvjLy
+        url: https://semgrep.dev/playground/r/K3TvjLy/kotlin.lang.security.no-null-cipher.no-null-cipher
         origin: community
   message: 'NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING").
@@ -20110,8 +20508,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: qNUXPj
-        version_id: gETqPw
-        url: https://semgrep.dev/playground/r/gETqPw/kotlin.lang.security.use-of-md5.use-of-md5
+        version_id: l4T4vRQ
+        url: https://semgrep.dev/playground/r/l4T4vRQ/kotlin.lang.security.use-of-md5.use-of-md5
         origin: community
   pattern-either:
   - pattern: '$VAR = $MD.getInstance("MD5")
@@ -20155,8 +20553,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: ZqUOdd
-        version_id: DkT6GxG
-        url: https://semgrep.dev/playground/r/DkT6GxG/kotlin.lang.security.use-of-sha1.use-of-sha1
+        version_id: YDTp2ep
+        url: https://semgrep.dev/playground/r/YDTp2ep/kotlin.lang.security.use-of-sha1.use-of-sha1
         origin: community
   pattern-either:
   - patterns:
@@ -20202,8 +20600,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: kxUw23
-        version_id: PkTYzA
-        url: https://semgrep.dev/playground/r/PkTYzA/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query
+        version_id: 3ZTkQXq
+        url: https://semgrep.dev/playground/r/3ZTkQXq/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query
         origin: community
   mode: taint
   pattern-sinks:
@@ -20295,8 +20693,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: DbUpjk
-        version_id: JdTqn1
-        url: https://semgrep.dev/playground/r/JdTqn1/php.lang.security.assert-use.assert-use
+        version_id: 44TRljD
+        url: https://semgrep.dev/playground/r/44TRljD/php.lang.security.assert-use.assert-use
         origin: community
   languages:
   - php
@@ -20338,8 +20736,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 0oU5Xg
-        version_id: A8TREz
-        url: https://semgrep.dev/playground/r/A8TREz/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off
+        version_id: GxTv6eX
+        url: https://semgrep.dev/playground/r/GxTv6eX/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off
         origin: community
   languages:
   - php
@@ -20385,8 +20783,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: nJUykq
-        version_id: BjTEyB
-        url: https://semgrep.dev/playground/r/BjTEyB/php.lang.security.deserialization.extract-user-data
+        version_id: RGTDkLL
+        url: https://semgrep.dev/playground/r/RGTDkLL/php.lang.security.deserialization.extract-user-data
         origin: community
   severity: ERROR
 - id: php.lang.security.injection.echoed-request.echoed-request
@@ -20438,8 +20836,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: BYUyyg
-        version_id: PkTJ02l
-        url: https://semgrep.dev/playground/r/PkTJ02l/php.lang.security.injection.echoed-request.echoed-request
+        version_id: 0bTLlzv
+        url: https://semgrep.dev/playground/r/0bTLlzv/php.lang.security.injection.echoed-request.echoed-request
         origin: community
 - id: php.lang.security.injection.tainted-filename.tainted-filename
   severity: WARNING
@@ -20469,8 +20867,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 5rUpro
-        version_id: l4T5px
-        url: https://semgrep.dev/playground/r/l4T5px/php.lang.security.injection.tainted-filename.tainted-filename
+        version_id: K3Tvjky
+        url: https://semgrep.dev/playground/r/K3Tvjky/php.lang.security.injection.tainted-filename.tainted-filename
         origin: community
   languages:
   - php
@@ -20660,8 +21058,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: v8U4DA
-        version_id: YDTow2
-        url: https://semgrep.dev/playground/r/YDTow2/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation
+        version_id: qkT2x7l
+        url: https://semgrep.dev/playground/r/qkT2x7l/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation
         origin: community
   mode: taint
   pattern-sources:
@@ -20714,8 +21112,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: qNUXdL
-        version_id: JdTqnv
-        url: https://semgrep.dev/playground/r/JdTqnv/php.lang.security.injection.tainted-sql-string.tainted-sql-string
+        version_id: l4T4v0Q
+        url: https://semgrep.dev/playground/r/l4T4v0Q/php.lang.security.injection.tainted-sql-string.tainted-sql-string
         origin: community
   mode: taint
   pattern-sanitizers:
@@ -20790,8 +21188,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: lBU8K1
-        version_id: 5PT67o
-        url: https://semgrep.dev/playground/r/5PT67o/php.lang.security.injection.tainted-url-host.tainted-url-host
+        version_id: YDTp27p
+        url: https://semgrep.dev/playground/r/YDTp27p/php.lang.security.injection.tainted-url-host.tainted-url-host
         origin: community
   mode: taint
   pattern-sources:
@@ -20864,8 +21262,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: YGUD1O
-        version_id: DkTQwv
-        url: https://semgrep.dev/playground/r/DkTQwv/php.lang.security.md5-used-as-password.md5-used-as-password
+        version_id: 2KTzrjK
+        url: https://semgrep.dev/playground/r/2KTzrjK/php.lang.security.md5-used-as-password.md5-used-as-password
         origin: community
   mode: taint
   pattern-sources:
@@ -20916,8 +21314,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: DbUGbE
-        version_id: 0bTvGQ
-        url: https://semgrep.dev/playground/r/0bTvGQ/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv
+        version_id: jQTgY2Q
+        url: https://semgrep.dev/playground/r/jQTgY2Q/php.lang.security.openssl-cbc-static-iv.openssl-cbc-static-iv
         origin: community
 - id: php.lang.security.phpinfo-use.phpinfo-use
   pattern: phpinfo(...);
@@ -20947,8 +21345,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: ReUglY
-        version_id: l4T5pq
-        url: https://semgrep.dev/playground/r/l4T5pq/php.lang.security.phpinfo-use.phpinfo-use
+        version_id: yeTR2r0
+        url: https://semgrep.dev/playground/r/yeTR2r0/php.lang.security.phpinfo-use.phpinfo-use
         origin: community
   languages:
   - php
@@ -20994,8 +21392,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 3qUb4n
-        version_id: 6xTeRw
-        url: https://semgrep.dev/playground/r/6xTeRw/php.lang.security.redirect-to-request-uri.redirect-to-request-uri
+        version_id: bZTb1d9
+        url: https://semgrep.dev/playground/r/bZTb1d9/php.lang.security.redirect-to-request-uri.redirect-to-request-uri
         origin: community
   languages:
   - php
@@ -21051,8 +21449,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: zdUln0
-        version_id: X0TPYR
-        url: https://semgrep.dev/playground/r/X0TPYR/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection
+        version_id: e1T01OG
+        url: https://semgrep.dev/playground/r/e1T01OG/php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection
         origin: community
 - id: php.laravel.security.laravel-sql-injection.laravel-sql-injection
   metadata:
@@ -21082,8 +21480,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: j2UQdp
-        version_id: kbT7Wq
-        url: https://semgrep.dev/playground/r/kbT7Wq/php.laravel.security.laravel-sql-injection.laravel-sql-injection
+        version_id: 8KTQ9ZJ
+        url: https://semgrep.dev/playground/r/8KTQ9ZJ/php.laravel.security.laravel-sql-injection.laravel-sql-injection
         origin: community
   severity: WARNING
   message: Detected a SQL query based on user input. This could lead to SQL injection,
@@ -21271,8 +21669,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: X5ULgE
-        version_id: w8T3We
-        url: https://semgrep.dev/playground/r/w8T3We/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator
+        version_id: gET3xDz
+        url: https://semgrep.dev/playground/r/gET3xDz/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator
         origin: community
 - id: problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification
   message: Checks for disabling of TLS/SSL certificate verification. This should only
@@ -21300,8 +21698,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: DbUpjg
-        version_id: 44To5Z
-        url: https://semgrep.dev/playground/r/44To5Z/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification
+        version_id: qkT2xyl
+        url: https://semgrep.dev/playground/r/qkT2xyl/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification
         origin: community
   languages:
   - go
@@ -21340,8 +21738,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: WAUow9
-        version_id: PkTY21
-        url: https://semgrep.dev/playground/r/PkTY21/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions
+        version_id: l4T4vjQ
+        url: https://semgrep.dev/playground/r/l4T4vjQ/problem-based-packs.insecure-transport.go-stdlib.disallow-old-tls-versions.disallow-old-tls-versions
         origin: community
   languages:
   - go
@@ -21385,8 +21783,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 0oU5XN
-        version_id: JdTqGv
-        url: https://semgrep.dev/playground/r/JdTqGv/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request
+        version_id: YDTp2yp
+        url: https://semgrep.dev/playground/r/YDTp2yp/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request
         origin: community
   languages:
   - go
@@ -21443,8 +21841,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: KxUbXx
-        version_id: 5PT6ro
-        url: https://semgrep.dev/playground/r/5PT6ro/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request
+        version_id: JdTNpW5
+        url: https://semgrep.dev/playground/r/JdTNpW5/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request
         origin: community
   languages:
   - go
@@ -21493,8 +21891,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: qNUjy3
-        version_id: GxT2Yq
-        url: https://semgrep.dev/playground/r/GxT2Yq/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request
+        version_id: 5PTdAwP
+        url: https://semgrep.dev/playground/r/5PTdAwP/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request
         origin: community
   languages:
   - go
@@ -21536,8 +21934,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: lBU90n
-        version_id: RGTbnE
-        url: https://semgrep.dev/playground/r/RGTbnE/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request
+        version_id: GxTv6A7
+        url: https://semgrep.dev/playground/r/GxTv6A7/problem-based-packs.insecure-transport.go-stdlib.http-customized-request.http-customized-request
         origin: community
   languages:
   - go
@@ -21575,8 +21973,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: YGUR70
-        version_id: A8TR00
-        url: https://semgrep.dev/playground/r/A8TR00/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request
+        version_id: RGTDkzP
+        url: https://semgrep.dev/playground/r/RGTDkzP/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request
         origin: community
   languages:
   - go
@@ -21631,8 +22029,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 6JUjoX
-        version_id: BjTEJv
-        url: https://semgrep.dev/playground/r/BjTEJv/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request
+        version_id: A8T954G
+        url: https://semgrep.dev/playground/r/A8T954G/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request
         origin: community
   languages:
   - go
@@ -21701,8 +22099,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: oqUewD
-        version_id: DkTQXv
-        url: https://semgrep.dev/playground/r/DkTQXv/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request
+        version_id: BjTXrPd
+        url: https://semgrep.dev/playground/r/BjTXrPd/problem-based-packs.insecure-transport.go-stdlib.telnet-request.telnet-request
         origin: community
   languages:
   - go
@@ -21738,8 +22136,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: zdUkZZ
-        version_id: WrTbG6
-        url: https://semgrep.dev/playground/r/WrTbG6/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification
+        version_id: DkT6n5x
+        url: https://semgrep.dev/playground/r/DkT6n5x/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification
         origin: community
   languages:
   - java
@@ -21793,8 +22191,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: pKUOYW
-        version_id: 0bTvgQ
-        url: https://semgrep.dev/playground/r/0bTvgQ/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request
+        version_id: WrTWQ1d
+        url: https://semgrep.dev/playground/r/WrTWQ1d/problem-based-packs.insecure-transport.java-spring.spring-ftp-request.spring-ftp-request
         origin: community
   languages:
   - java
@@ -21845,8 +22243,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 2ZUbjg
-        version_id: K3Tl8R
-        url: https://semgrep.dev/playground/r/K3Tl8R/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request
+        version_id: 0bTLldp
+        url: https://semgrep.dev/playground/r/0bTLldp/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request
         origin: community
   languages:
   - java
@@ -21903,8 +22301,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: X5U8qv
-        version_id: qkTNLA
-        url: https://semgrep.dev/playground/r/qkTNLA/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification
+        version_id: K3Tvj0J
+        url: https://semgrep.dev/playground/r/K3Tvj0J/problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification
         origin: community
   languages:
   - java
@@ -21963,8 +22361,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: j2Uv2K
-        version_id: l4T5oq
-        url: https://semgrep.dev/playground/r/l4T5oq/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1
+        version_id: qkT2xZx
+        url: https://semgrep.dev/playground/r/qkT2xZx/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions1.disallow-old-tls-versions1
         origin: community
   languages:
   - java
@@ -22012,8 +22410,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 10UKvx
-        version_id: YDTokj
-        url: https://semgrep.dev/playground/r/YDTokj/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2
+        version_id: l4T4vj6
+        url: https://semgrep.dev/playground/r/l4T4vj6/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2
         origin: community
   languages:
   - java
@@ -22054,8 +22452,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 9AU1wD
-        version_id: 6xTeGw
-        url: https://semgrep.dev/playground/r/6xTeGw/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request
+        version_id: YDTp2yZ
+        url: https://semgrep.dev/playground/r/YDTp2yZ/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request
         origin: community
   languages:
   - java
@@ -22099,8 +22497,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: yyUnjk
-        version_id: o5Tno3
-        url: https://semgrep.dev/playground/r/o5Tno3/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request
+        version_id: 6xTvJY8
+        url: https://semgrep.dev/playground/r/6xTvJY8/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request
         origin: community
   languages:
   - java
@@ -22146,8 +22544,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: r6Ur3y
-        version_id: zyT5NO
-        url: https://semgrep.dev/playground/r/zyT5NO/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request
+        version_id: o5TglNL
+        url: https://semgrep.dev/playground/r/o5TglNL/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request
         origin: community
   languages:
   - java
@@ -22228,8 +22626,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 6JUOJ2
-        version_id: pZTreo
-        url: https://semgrep.dev/playground/r/pZTreo/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request
+        version_id: zyTK84N
+        url: https://semgrep.dev/playground/r/zyTK84N/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request
         origin: community
   languages:
   - java
@@ -22273,8 +22671,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: bwUwvR
-        version_id: 2KT15y
-        url: https://semgrep.dev/playground/r/2KT15y/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request
+        version_id: pZT1yWA
+        url: https://semgrep.dev/playground/r/pZT1yWA/problem-based-packs.insecure-transport.java-stdlib.httpurlconnection-http-request.httpurlconnection-http-request
         origin: community
   languages:
   - java
@@ -22325,8 +22723,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: kxUkXk
-        version_id: jQTKDo
-        url: https://semgrep.dev/playground/r/jQTKDo/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request
+        version_id: X0TQx9J
+        url: https://semgrep.dev/playground/r/X0TQx9J/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request
         origin: community
   languages:
   - java
@@ -22361,8 +22759,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: wdUJw8
-        version_id: 1QTj3q
-        url: https://semgrep.dev/playground/r/1QTj3q/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation
+        version_id: jQTgYxL
+        url: https://semgrep.dev/playground/r/jQTgYxL/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation
         origin: community
   languages:
   - java
@@ -22397,8 +22795,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: x8Uno2
-        version_id: 9lTzq0
-        url: https://semgrep.dev/playground/r/9lTzq0/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request
+        version_id: 1QTOYln
+        url: https://semgrep.dev/playground/r/1QTOYln/problem-based-packs.insecure-transport.java-stdlib.unirest-http-request.unirest-http-request
         origin: community
   languages:
   - java
@@ -22443,8 +22841,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: OrU3Y6
-        version_id: yeTXGg
-        url: https://semgrep.dev/playground/r/yeTXGg/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
+        version_id: 9lTdWB8
+        url: https://semgrep.dev/playground/r/9lTdWB8/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
         origin: community
   languages:
   - javascript
@@ -22483,8 +22881,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: eqU8nr
-        version_id: rxTxlK
-        url: https://semgrep.dev/playground/r/rxTxlK/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1
+        version_id: yeTR2jb
+        url: https://semgrep.dev/playground/r/yeTR2jb/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1
         origin: community
   languages:
   - javascript
@@ -22542,8 +22940,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: v8UnPO
-        version_id: bZTGQd
-        url: https://semgrep.dev/playground/r/bZTGQd/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2
+        version_id: rxTyL3R
+        url: https://semgrep.dev/playground/r/rxTyL3R/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2
         origin: community
   languages:
   - javascript
@@ -22616,8 +23014,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: d8UjZ6
-        version_id: NdT1Gl
-        url: https://semgrep.dev/playground/r/NdT1Gl/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request
+        version_id: bZTb1vg
+        url: https://semgrep.dev/playground/r/bZTb1vg/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request
         origin: community
   languages:
   - javascript
@@ -22660,8 +23058,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: ZqU5r3
-        version_id: kbT73q
-        url: https://semgrep.dev/playground/r/kbT73q/problem-based-packs.insecure-transport.js-node.http-request.http-request
+        version_id: NdT3dlK
+        url: https://semgrep.dev/playground/r/NdT3dlK/problem-based-packs.insecure-transport.js-node.http-request.http-request
         origin: community
   languages:
   - javascript
@@ -22722,8 +23120,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: nJUzKP
-        version_id: w8T3Ne
-        url: https://semgrep.dev/playground/r/w8T3Ne/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support
+        version_id: kbTdxXE
+        url: https://semgrep.dev/playground/r/kbTdxXE/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support
         origin: community
   languages:
   - javascript
@@ -22781,8 +23179,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: EwU2GA
-        version_id: xyT404
-        url: https://semgrep.dev/playground/r/xyT404/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request
+        version_id: w8T9nwr
+        url: https://semgrep.dev/playground/r/w8T9nwr/problem-based-packs.insecure-transport.js-node.telnet-request.telnet-request
         origin: community
   languages:
   - javascript
@@ -22828,8 +23226,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: L1UyKG
-        version_id: e1Txb7
-        url: https://semgrep.dev/playground/r/e1Txb7/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests
+        version_id: O9TNOY1
+        url: https://semgrep.dev/playground/r/O9TNOY1/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests
         origin: community
   languages:
   - ruby
@@ -22874,8 +23272,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 8GUj13
-        version_id: vdT2dr
-        url: https://semgrep.dev/playground/r/vdT2dr/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request
+        version_id: e1T01nJ
+        url: https://semgrep.dev/playground/r/e1T01nJ/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request
         origin: community
   languages:
   - ruby
@@ -22916,8 +23314,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: gxU1lE
-        version_id: d6TDLr
-        url: https://semgrep.dev/playground/r/d6TDLr/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request
+        version_id: vdTYNP7
+        url: https://semgrep.dev/playground/r/vdTYNP7/problem-based-packs.insecure-transport.ruby-stdlib.net-http-request.net-http-request
         origin: community
   languages:
   - ruby
@@ -22965,8 +23363,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: QrUzo2
-        version_id: ZRTwW6
-        url: https://semgrep.dev/playground/r/ZRTwW6/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request
+        version_id: d6TrAZG
+        url: https://semgrep.dev/playground/r/d6TrAZG/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request
         origin: community
   languages:
   - ruby
@@ -23002,8 +23400,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 3qUPNe
-        version_id: nWT7k8
-        url: https://semgrep.dev/playground/r/nWT7k8/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request
+        version_id: ZRTQNrd
+        url: https://semgrep.dev/playground/r/ZRTQNrd/problem-based-packs.insecure-transport.ruby-stdlib.openuri-request.openuri-request
         origin: community
   languages:
   - ruby
@@ -23083,8 +23481,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: EwUrX8
-        version_id: 7ZTOPe
-        url: https://semgrep.dev/playground/r/7ZTOPe/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
+        version_id: 7ZTgoAA
+        url: https://semgrep.dev/playground/r/7ZTgoAA/python.aws-lambda.security.dangerous-asyncio-create-exec.dangerous-asyncio-create-exec
         origin: community
   languages:
   - python
@@ -23145,8 +23543,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 7KUxXg
-        version_id: LjT0Br
-        url: https://semgrep.dev/playground/r/LjT0Br/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec
+        version_id: LjTqQKw
+        url: https://semgrep.dev/playground/r/LjTqQKw/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec
         origin: community
   languages:
   - python
@@ -23204,8 +23602,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: L1UEl7
-        version_id: 8KTbnz
-        url: https://semgrep.dev/playground/r/8KTbnz/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell
+        version_id: 8KTQ91d
+        url: https://semgrep.dev/playground/r/8KTQ91d/python.aws-lambda.security.dangerous-asyncio-shell.dangerous-asyncio-shell
         origin: community
   languages:
   - python
@@ -23249,8 +23647,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 8GUGBq
-        version_id: gETq0J
-        url: https://semgrep.dev/playground/r/gETq0J/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process
+        version_id: gET3xlq
+        url: https://semgrep.dev/playground/r/gET3xlq/python.aws-lambda.security.dangerous-spawn-process.dangerous-spawn-process
         origin: community
   languages:
   - python
@@ -23288,10 +23686,12 @@ rules:
         regex: "(.*)(sh|bash|ksh|csh|tcsh|zsh)"
 - id: python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use
   mode: taint
-  message: Detected subprocess function with argument tainted by `event` object. If
+  message: Detected subprocess function with argument tainted by an `event` object. If
     this data can be controlled by a malicious actor, it may be an instance of command
-    injection. Audit the use of this call to ensure it is not controllable by an external
-    resource. You may consider using 'shlex.escape()'.
+    injection. The default option for `shell` is False, and this is secure by default.
+    Consider removing the `shell=True` or setting it to False explicitely. Using `shell=False`
+    means you have to split the command string into an array of strings for the command
+    and its arguments. You may consider using 'shlex.split()' for this purpose.
   metadata:
     owasp:
     - A01:2017 - Injection
@@ -23326,8 +23726,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: gxUyn1
-        version_id: QkTJ2k
-        url: https://semgrep.dev/playground/r/QkTJ2k/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use
+        version_id: QkTW0oy
+        url: https://semgrep.dev/playground/r/QkTW0oy/python.aws-lambda.security.dangerous-subprocess-use.dangerous-subprocess-use
         origin: community
   languages:
   - python
@@ -23340,17 +23740,11 @@ rules:
         ...
   pattern-sinks:
   - patterns:
-    - focus-metavariable: "$CMD"
-    - pattern-either:
-      - pattern: subprocess.$FUNC($CMD, ...)
-      - pattern: subprocess.$FUNC([$CMD,...], ...)
-      - pattern: subprocess.$FUNC("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...)
-      - pattern: subprocess.$FUNC(["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $CMD, ...],
-        ...)
-      - pattern: subprocess.$FUNC("=~/(python)/", $CMD, ...)
-      - pattern: subprocess.$FUNC(["=~/(python)/",$CMD,...],...)
+    - pattern: subprocess.$FUNC(..., shell=True, ...)
   pattern-sanitizers:
-  - pattern: shlex.escape(...)
+  - pattern: shlex.split(...)
+  - pattern: pipes.quote(...)
+  - pattern: shlex.quote(...)
 - id: python.aws-lambda.security.dangerous-system-call.dangerous-system-call
   mode: taint
   message: Detected `os` function with argument tainted by `event` object. This is
@@ -23390,8 +23784,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: QrUkg6
-        version_id: 3ZTdbL
-        url: https://semgrep.dev/playground/r/3ZTdbL/python.aws-lambda.security.dangerous-system-call.dangerous-system-call
+        version_id: 3ZTkQN9
+        url: https://semgrep.dev/playground/r/3ZTkQN9/python.aws-lambda.security.dangerous-system-call.dangerous-system-call
         origin: community
   languages:
   - python
@@ -23439,8 +23833,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: KxUJ2B
-        version_id: 44To8Z
-        url: https://semgrep.dev/playground/r/44To8Z/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection
+        version_id: 44TRlny
+        url: https://semgrep.dev/playground/r/44TRlny/python.aws-lambda.security.dynamodb-filter-injection.dynamodb-filter-injection
         origin: community
   message: Detected DynamoDB query filter that is tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly
@@ -23513,8 +23907,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 3qU3eE
-        version_id: PkTYb1
-        url: https://semgrep.dev/playground/r/PkTYb1/python.aws-lambda.security.mysql-sqli.mysql-sqli
+        version_id: PkTJ1gJ
+        url: https://semgrep.dev/playground/r/PkTJ1gJ/python.aws-lambda.security.mysql-sqli.mysql-sqli
         origin: community
   pattern-sinks:
   - patterns:
@@ -23576,8 +23970,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 4bUQG1
-        version_id: JdTqKv
-        url: https://semgrep.dev/playground/r/JdTqKv/python.aws-lambda.security.psycopg-sqli.psycopg-sqli
+        version_id: JdTNpd5
+        url: https://semgrep.dev/playground/r/JdTNpd5/python.aws-lambda.security.psycopg-sqli.psycopg-sqli
         origin: community
   pattern-sinks:
   - patterns:
@@ -23633,8 +24027,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: PeUxO0
-        version_id: 5PT6Eo
-        url: https://semgrep.dev/playground/r/5PT6Eo/python.aws-lambda.security.pymssql-sqli.pymssql-sqli
+        version_id: 5PTdAXP
+        url: https://semgrep.dev/playground/r/5PTdAXP/python.aws-lambda.security.pymssql-sqli.pymssql-sqli
         origin: community
   pattern-sinks:
   - patterns:
@@ -23687,8 +24081,8 @@ rules:
     semgrep.dev:
      rule:
         rule_id: JDUlel
-        version_id: GxT2Bq
-        url: https://semgrep.dev/playground/r/GxT2Bq/python.aws-lambda.security.pymysql-sqli.pymysql-sqli
+        version_id: GxTv6Q7
+        url: https://semgrep.dev/playground/r/GxTv6Q7/python.aws-lambda.security.pymysql-sqli.pymysql-sqli
         origin: community
   pattern-sinks:
   - patterns:
@@ -23745,8 +24139,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 5rUy3N
-        version_id: RGTb9E
-        url: https://semgrep.dev/playground/r/RGTb9E/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli
+        version_id: RGTDk5P
+        url: https://semgrep.dev/playground/r/RGTDk5P/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli
         origin: community
   pattern-sinks:
   - patterns:
@@ -23808,8 +24202,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: GdUDJP
-        version_id: A8TRp0
-        url: https://semgrep.dev/playground/r/A8TRp0/python.aws-lambda.security.tainted-code-exec.tainted-code-exec
+        version_id: A8T95AG
+        url: https://semgrep.dev/playground/r/A8T95AG/python.aws-lambda.security.tainted-code-exec.tainted-code-exec
         origin: community
   languages:
   - python
@@ -23860,8 +24254,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: ReUKrk
-        version_id: BjTEvv
-        url: https://semgrep.dev/playground/r/BjTEvv/python.aws-lambda.security.tainted-html-response.tainted-html-response
+        version_id: BjTXrwd
+        url: https://semgrep.dev/playground/r/BjTXrwd/python.aws-lambda.security.tainted-html-response.tainted-html-response
         origin: community
   languages:
   - python
@@ -23902,8 +24296,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: JDUlwy
-        version_id: DkTQ7v
-        url: https://semgrep.dev/playground/r/DkTQ7v/python.aws-lambda.security.tainted-html-string.tainted-html-string
+        version_id: DkT6nDx
+        url: https://semgrep.dev/playground/r/DkT6nDx/python.aws-lambda.security.tainted-html-string.tainted-html-string
         origin: community
   mode: taint
   pattern-sources:
@@ -23989,8 +24383,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: JDUDQg
-        version_id: WrTbJ6
-        url: https://semgrep.dev/playground/r/WrTbJ6/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization
+        version_id: WrTWQvd
+        url: https://semgrep.dev/playground/r/WrTWQvd/python.aws-lambda.security.tainted-pickle-deserialization.tainted-pickle-deserialization
         origin: community
   languages:
   - python
@@ -24031,8 +24425,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: AbU3LX
-        version_id: 0bTvqQ
-        url: https://semgrep.dev/playground/r/0bTvqQ/python.aws-lambda.security.tainted-sql-string.tainted-sql-string
+        version_id: 0bTLlAp
+        url: https://semgrep.dev/playground/r/0bTLlAp/python.aws-lambda.security.tainted-sql-string.tainted-sql-string
         origin: community
   mode: taint
   pattern-sinks:
@@ -24097,8 +24491,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: 5rUOwK
-        version_id: YDTprGP
-        url: https://semgrep.dev/playground/r/YDTprGP/python.boto3.security.hardcoded-token.hardcoded-token
+        version_id: qkT2xkx
+        url: https://semgrep.dev/playground/r/qkT2xkx/python.boto3.security.hardcoded-token.hardcoded-token
         origin: community
   languages:
   - python
@@ -24159,8 +24553,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: OrUADK
-        version_id: qkTNJA
-        url: https://semgrep.dev/playground/r/qkTNJA/python.cryptography.security.empty-aes-key.empty-aes-key
+        version_id: o5Tgl0L
+        url: https://semgrep.dev/playground/r/o5Tgl0L/python.cryptography.security.empty-aes-key.empty-aes-key
         origin: community
 - id: python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4
   pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...)
@@ -24192,8 +24586,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: KxU8gK
-        version_id: l4T51q
-        url: https://semgrep.dev/playground/r/l4T51q/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4
+        version_id: zyTK8pN
+        url: https://semgrep.dev/playground/r/zyTK8pN/python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4
         origin: community
   severity: WARNING
   languages:
@@ -24228,8 +24622,8 @@ rules:
     semgrep.dev:
       rule:
         rule_id: qNULvO
-        version_id: YDTo4j
-        url: https://semgrep.dev/playground/r/YDTo4j/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish
+        version_id: pZT1yKA
+        url: https://semgrep.dev/playground/r/pZT1yKA/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish
         origin: community
   severity: WARNING
   languages:
@@ -24264,8 +24658,8 @@ rules: semgrep.dev: rule: rule_id: BYUNPg - version_id: JdTqKY - url: https://semgrep.dev/playground/r/JdTqKY/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea + version_id: 2KTzrgw + url: https://semgrep.dev/playground/r/2KTzrgw/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea origin: community severity: WARNING languages: @@ -24304,8 +24698,8 @@ rules: semgrep.dev: rule: rule_id: lBUopp - version_id: GxT2B3 - url: https://semgrep.dev/playground/r/GxT2B3/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 + version_id: jQTgYbL + url: https://semgrep.dev/playground/r/jQTgYbL/python.cryptography.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5 origin: community severity: WARNING languages: @@ -24354,8 +24748,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5dN - version_id: RGTb97 - url: https://semgrep.dev/playground/r/RGTb97/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 + version_id: 1QTOY9n + url: https://semgrep.dev/playground/r/1QTOY9n/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 origin: community severity: WARNING languages: @@ -24397,8 +24791,8 @@ rules: semgrep.dev: rule: rule_id: KxUb0x - version_id: A8TRpD - url: https://semgrep.dev/playground/r/A8TRpD/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size + version_id: 9lTdWg8 + url: https://semgrep.dev/playground/r/9lTdWg8/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size origin: community languages: - python 
@@ -24444,8 +24838,8 @@ rules: semgrep.dev: rule: rule_id: YGURy0 - version_id: 0bTvqb - url: https://semgrep.dev/playground/r/0bTvqb/python.distributed.security.require-encryption + version_id: NdT3d8K + url: https://semgrep.dev/playground/r/NdT3d8K/python.distributed.security.require-encryption origin: community languages: - python @@ -24476,8 +24870,8 @@ rules: semgrep.dev: rule: rule_id: OrU3e6 - version_id: K3Tl3L - url: https://semgrep.dev/playground/r/K3Tl3L/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization + version_id: GxTv6G7 + url: https://semgrep.dev/playground/r/GxTv6G7/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization origin: community message: Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code 
@@ -24562,12 +24956,50 @@ rules: semgrep.dev: rule: rule_id: v8UnqO - version_id: l4T510 - url: https://semgrep.dev/playground/r/l4T510/python.django.security.audit.csrf-exempt.no-csrf-exempt + version_id: A8T956G + url: https://semgrep.dev/playground/r/A8T956G/python.django.security.audit.csrf-exempt.no-csrf-exempt origin: community languages: - python severity: WARNING +- id: python.django.security.hashids-with-django-secret.hashids-with-django-secret + languages: + - python + message: The Django secret key is used as salt in HashIDs. The HashID mechanism + is not secure. By observing sufficient HashIDs, the salt used to construct them + can be recovered. This means the Django secret key can be obtained by attackers, + through the HashIDs. + metadata: + category: security + subcategory: + - vuln + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A02:2021 – Cryptographic Failures + references: + - https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY + - http://carnage.github.io/2015/08/cryptanalysis-of-hashids + technology: + - django + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret + shortlink: https://sg.run/bxeZ + semgrep.dev: + rule: + rule_id: 0oUXqy + version_id: 2KTzrD9 + url: https://semgrep.dev/playground/r/2KTzrD9/python.django.security.hashids-with-django-secret.hashids-with-django-secret + origin: community + pattern-either: + - pattern: hashids.Hashids(..., salt=django.conf.settings.SECRET_KEY, ...) + - pattern: hashids.Hashids(django.conf.settings.SECRET_KEY, ...) + severity: ERROR - id: python.django.security.injection.code.user-eval-format-string.user-eval-format-string message: Found user data in a call to 'eval'. 
This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection @@ -24596,8 +25028,8 @@ rules: semgrep.dev: rule: rule_id: BYUNw9 - version_id: 8KTbBL - url: https://semgrep.dev/playground/r/8KTbBL/python.django.security.injection.code.user-eval-format-string.user-eval-format-string + version_id: jQTgYEX + url: https://semgrep.dev/playground/r/jQTgYEX/python.django.security.injection.code.user-eval-format-string.user-eval-format-string origin: community patterns: - pattern-inside: | @@ -24733,8 +25165,8 @@ rules: semgrep.dev: rule: rule_id: DbUpDQ - version_id: gETqnL - url: https://semgrep.dev/playground/r/gETqnL/python.django.security.injection.code.user-eval.user-eval + version_id: 1QTOYDN + url: https://semgrep.dev/playground/r/1QTOYDN/python.django.security.injection.code.user-eval.user-eval origin: community patterns: - pattern-inside: | @@ -24788,8 +25220,8 @@ rules: semgrep.dev: rule: rule_id: WAUovx - version_id: QkTJgL - url: https://semgrep.dev/playground/r/QkTJgL/python.django.security.injection.code.user-exec-format-string.user-exec-format-string + version_id: 9lTdWjb + url: https://semgrep.dev/playground/r/9lTdWjb/python.django.security.injection.code.user-exec-format-string.user-exec-format-string origin: community patterns: - pattern-inside: | @@ -25018,8 +25450,8 @@ rules: semgrep.dev: rule: rule_id: 0oU5AW - version_id: 3ZTde5 - url: https://semgrep.dev/playground/r/3ZTde5/python.django.security.injection.code.user-exec.user-exec + version_id: yeTR26r + url: https://semgrep.dev/playground/r/yeTR26r/python.django.security.injection.code.user-exec.user-exec origin: community patterns: - pattern-inside: | 
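Review bot: The two patterns in the new hashids-with-django-secret rule fire only when `django.conf.settings.SECRET_KEY` appears literally inside the `Hashids(...)` call, so the ordinary `salt = settings.SECRET_KEY` followed by `Hashids(salt=salt)` is not reported, and a derived salt such as `settings.SECRET_KEY[:32]` or `settings.SECRET_KEY + "x"` slips through as well even though it still exposes key material. Since this file is regenerated from the registry, the pattern change belongs upstream (or in a local override rule), but a `pattern-inside` that binds the assignment closes the local-variable case; the derived-expression case would need a metavariable match on the salt argument and is worth a follow-up. The `http://carnage.github.io/...` reference in the new metadata should also be `https://`. The added rule is complete within the hunk; the trailing context is the start of the next rule's `message`, which continues beyond it.
```yaml
pattern-either:
# … unchanged: the two literal django.conf.settings.SECRET_KEY patterns …
- patterns:
  - pattern-inside: |
      $SALT = django.conf.settings.SECRET_KEY
      ...
  - pattern-either:
    - pattern: hashids.Hashids(..., salt=$SALT, ...)
    - pattern: hashids.Hashids($SALT, ...)
```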
@@ -25096,8 +25528,8 @@ rules: semgrep.dev: rule: rule_id: KxUbp2 - version_id: 44ToGN - url: https://semgrep.dev/playground/r/44ToGN/python.django.security.injection.command.command-injection-os-system.command-injection-os-system + version_id: rxTyL53 + url: https://semgrep.dev/playground/r/rxTyL53/python.django.security.injection.command.command-injection-os-system.command-injection-os-system origin: community languages: - python @@ -25431,8 +25863,8 @@ rules: semgrep.dev: rule: rule_id: EwUepx - version_id: PkTYOq - url: https://semgrep.dev/playground/r/PkTYOq/python.django.security.injection.command.subprocess-injection.subprocess-injection + version_id: bZTb1Yq + url: https://semgrep.dev/playground/r/bZTb1Yq/python.django.security.injection.command.subprocess-injection.subprocess-injection origin: community - id: python.django.security.injection.csv-writer-injection.csv-writer-injection languages: @@ -25471,8 +25903,8 @@ rules: semgrep.dev: rule: rule_id: 7KUK1y - version_id: JdTqeY - url: https://semgrep.dev/playground/r/JdTqeY/python.django.security.injection.csv-writer-injection.csv-writer-injection + version_id: NdT3dxx + url: https://semgrep.dev/playground/r/NdT3dxx/python.django.security.injection.csv-writer-injection.csv-writer-injection origin: community mode: taint pattern-sinks: @@ -25527,8 +25959,8 @@ rules: semgrep.dev: rule: rule_id: qNUj02 - version_id: 5PT63R - url: https://semgrep.dev/playground/r/5PT63R/python.django.security.injection.email.xss-html-email-body.xss-html-email-body + version_id: kbTdxo7 + url: https://semgrep.dev/playground/r/kbTdxo7/python.django.security.injection.email.xss-html-email-body.xss-html-email-body origin: community languages: - python 
@@ -25740,8 +26172,8 @@ rules: semgrep.dev: rule: rule_id: lBU9Ll - version_id: GxT2J3 - url: https://semgrep.dev/playground/r/GxT2J3/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message + version_id: w8T9ne2 + url: https://semgrep.dev/playground/r/w8T9ne2/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message origin: community languages: - python @@ -25997,8 +26429,8 @@ rules: semgrep.dev: rule: rule_id: PeUZgr - version_id: A8TRLD - url: https://semgrep.dev/playground/r/A8TRLD/python.django.security.injection.open-redirect.open-redirect + version_id: O9TNOyj + url: https://semgrep.dev/playground/r/O9TNOyj/python.django.security.injection.open-redirect.open-redirect origin: community languages: - python @@ -26595,8 +27027,8 @@ rules: semgrep.dev: rule: rule_id: YGUR36 - version_id: BjTE8R - url: https://semgrep.dev/playground/r/BjTE8R/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name + version_id: e1T01x0 + url: https://semgrep.dev/playground/r/e1T01x0/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name origin: community patterns: - pattern-inside: | @@ -26684,8 +27116,8 @@ rules: semgrep.dev: rule: rule_id: oqUe7z - version_id: WrTbj4 - url: https://semgrep.dev/playground/r/WrTbj4/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open + version_id: d6TrADQ + url: https://semgrep.dev/playground/r/d6TrADQ/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open origin: community languages: - python 
@@ -27141,8 +27573,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUPER - version_id: 0bTv9b - url: https://semgrep.dev/playground/r/0bTv9b/python.django.security.injection.raw-html-format.raw-html-format + version_id: ZRTQNw5 + url: https://semgrep.dev/playground/r/ZRTQNw5/python.django.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sanitizers: @@ -27203,8 +27635,8 @@ rules: semgrep.dev: rule: rule_id: JDUydR - version_id: K3TlQL - url: https://semgrep.dev/playground/r/K3TlQL/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse + version_id: nWTxP7Y + url: https://semgrep.dev/playground/r/nWTxP7Y/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse origin: community languages: - python @@ -27479,8 +27911,8 @@ rules: semgrep.dev: rule: rule_id: 5rUOX1 - version_id: qkTNe7 - url: https://semgrep.dev/playground/r/qkTNe7/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest + version_id: ExTjNnQ + url: https://semgrep.dev/playground/r/ExTjNnQ/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest origin: community languages: - python @@ -27756,8 +28188,8 @@ rules: semgrep.dev: rule: rule_id: GdU7QR - version_id: l4T520 - url: https://semgrep.dev/playground/r/l4T520/python.django.security.injection.request-data-fileresponse.request-data-fileresponse + version_id: 7ZTgoOv + url: https://semgrep.dev/playground/r/7ZTgoOv/python.django.security.injection.request-data-fileresponse.request-data-fileresponse origin: community languages: - python 
@@ -27848,8 +28280,8 @@ rules: semgrep.dev: rule: rule_id: ReUg5z - version_id: YDToOy - url: https://semgrep.dev/playground/r/YDToOy/python.django.security.injection.request-data-write.request-data-write + version_id: LjTqQ0P + url: https://semgrep.dev/playground/r/LjTqQ0P/python.django.security.injection.request-data-write.request-data-write origin: community languages: - python @@ -28059,8 +28491,8 @@ rules: semgrep.dev: rule: rule_id: zdUkx1 - version_id: 6xTezd - url: https://semgrep.dev/playground/r/6xTezd/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where + version_id: 8KTQ9bG + url: https://semgrep.dev/playground/r/8KTQ9bG/python.django.security.injection.sql.sql-injection-extra.sql-injection-using-extra-where origin: community languages: - python @@ -28383,8 +28815,8 @@ rules: semgrep.dev: rule: rule_id: pKUOBp - version_id: o5TnR7 - url: https://semgrep.dev/playground/r/o5TnR7/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql + version_id: gET3xqk + url: https://semgrep.dev/playground/r/gET3xqk/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql origin: community languages: - python @@ -28700,8 +29132,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUbDL - version_id: zyT5Q5 - url: https://semgrep.dev/playground/r/zyT5Q5/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute + version_id: QkTW0JZ + url: https://semgrep.dev/playground/r/QkTW0JZ/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute origin: community languages: - python 
@@ -29007,8 +29439,8 @@ rules: semgrep.dev: rule: rule_id: X5U8v5 - version_id: pZTrxl - url: https://semgrep.dev/playground/r/pZTrxl/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw + version_id: 3ZTkQdQ + url: https://semgrep.dev/playground/r/3ZTkQdQ/python.django.security.injection.sql.sql-injection-using-raw.sql-injection-using-raw origin: community languages: - python @@ -29315,8 +29747,8 @@ rules: semgrep.dev: rule: rule_id: j2UvEw - version_id: 2KT1wW - url: https://semgrep.dev/playground/r/2KT1wW/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests + version_id: 44TRlo6 + url: https://semgrep.dev/playground/r/44TRlo6/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests origin: community languages: - python @@ -29582,8 +30014,8 @@ rules: semgrep.dev: rule: rule_id: 10UKDo - version_id: X0TPJW - url: https://semgrep.dev/playground/r/X0TPJW/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib + version_id: PkTJ1YR + url: https://semgrep.dev/playground/r/PkTJ1YR/python.django.security.injection.ssrf.ssrf-injection-urllib.ssrf-injection-urllib origin: community languages: - python @@ -29871,8 +30303,8 @@ rules: semgrep.dev: rule: rule_id: DbUGvk - version_id: yeTXdn - url: https://semgrep.dev/playground/r/yeTXdn/python.django.security.nan-injection.nan-injection + version_id: RGTDkb9 + url: https://semgrep.dev/playground/r/RGTDkb9/python.django.security.nan-injection.nan-injection origin: community - id: python.django.security.passwords.password-empty-string.password-empty-string message: "'$VAR' is the empty string and is being used to set the password on '$MODEL'. 
@@ -29900,8 +30332,8 @@ rules: semgrep.dev: rule: rule_id: 9AU1jW - version_id: rxTx8k - url: https://semgrep.dev/playground/r/rxTx8k/python.django.security.passwords.password-empty-string.password-empty-string + version_id: A8T95RL + url: https://semgrep.dev/playground/r/A8T95RL/python.django.security.passwords.password-empty-string.password-empty-string origin: community patterns: - pattern-either: @@ -29948,8 +30380,8 @@ rules: semgrep.dev: rule: rule_id: yyUn6Z - version_id: bZTG4N - url: https://semgrep.dev/playground/r/bZTG4N/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default + version_id: BjTXrEG + url: https://semgrep.dev/playground/r/BjTXrEG/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default origin: community languages: - python @@ -29995,8 +30427,8 @@ rules: semgrep.dev: rule: rule_id: L1Uy1n - version_id: kbT7Z6 - url: https://semgrep.dev/playground/r/kbT7Z6/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host + version_id: 6xTvJer + url: https://semgrep.dev/playground/r/6xTvJer/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host origin: community languages: - python @@ -30038,8 +30470,8 @@ rules: semgrep.dev: rule: rule_id: 8GUjdX - version_id: w8T30A - url: https://semgrep.dev/playground/r/w8T30A/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly + version_id: o5Tglnv + url: https://semgrep.dev/playground/r/o5Tglnv/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly origin: community languages: - python @@ -30075,8 +30507,8 @@ rules: semgrep.dev: rule: rule_id: gxU1bd - version_id: xyT43d - url: https://semgrep.dev/playground/r/xyT43d/python.flask.security.audit.debug-enabled.debug-enabled + version_id: zyTK85o + url: https://semgrep.dev/playground/r/zyTK85o/python.flask.security.audit.debug-enabled.debug-enabled origin: community severity: WARNING languages: 
@@ -30112,8 +30544,8 @@ rules: semgrep.dev: rule: rule_id: QrUz49 - version_id: O9TyZX - url: https://semgrep.dev/playground/r/O9TyZX/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string + version_id: pZT1yrE + url: https://semgrep.dev/playground/r/pZT1yrE/python.flask.security.audit.directly-returned-format-string.directly-returned-format-string origin: community languages: - python 
@@ -30164,6 +30596,51 @@ rules: - pattern-not-inside: | $X = "..." ... +- id: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + languages: + - python + message: The Flask secret key is used as salt in HashIDs. The HashID mechanism is + not secure. By observing sufficient HashIDs, the salt used to construct them can + be recovered. This means the Flask secret key can be obtained by attackers, through + the HashIDs. + metadata: + category: security + subcategory: + - vuln + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A02:2021 – Cryptographic Failures + references: + - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY + - http://carnage.github.io/2015/08/cryptanalysis-of-hashids + technology: + - flask + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + shortlink: https://sg.run/N0Rx + semgrep.dev: + rule: + rule_id: KxUX3z + version_id: xyTKZ4J + url: https://semgrep.dev/playground/r/xyTKZ4J/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + origin: community + pattern-either: + - pattern: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) + - pattern: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) + - patterns: + - pattern-inside: | + $APP = flask.Flask(...) + ... + - pattern-either: + - pattern: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) + - pattern: hashids.Hashids($APP.config['SECRET_KEY'], ...) + severity: ERROR - id: python.flask.security.injection.csv-writer-injection.csv-writer-injection languages: - python 
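Review bot: The new hashids-with-flask-secret rule matches only the subscript form `config['SECRET_KEY']`, so `Hashids(salt=app.config.get('SECRET_KEY'))` and the `app.secret_key` attribute (Flask's attribute view of the same setting, as far as I recall) pass silently, and the `$APP = flask.Flask(...)` pattern-inside does not cover an `app` imported from another module or returned by an application factory. Because this file is regenerated from the registry, the change belongs upstream or in a local override, but adding the `.config.get(...)` and `.secret_key` forms to both the `current_app` branch and the `$APP` branch closes the first two gaps. As with the Django variant, a key first copied into a local variable is also missed.
```yaml
pattern-either:
# … unchanged: the two flask.current_app.config['SECRET_KEY'] patterns …
- pattern: hashids.Hashids(..., salt=flask.current_app.config.get('SECRET_KEY', ...), ...)
- pattern: hashids.Hashids(flask.current_app.config.get('SECRET_KEY', ...), ...)
- pattern: hashids.Hashids(..., salt=flask.current_app.secret_key, ...)
- pattern: hashids.Hashids(flask.current_app.secret_key, ...)
- patterns:
  # … unchanged: pattern-inside binding $APP = flask.Flask(...) …
  - pattern-either:
    # … unchanged: the two $APP.config['SECRET_KEY'] patterns …
    - pattern: hashids.Hashids(..., salt=$APP.config.get('SECRET_KEY', ...), ...)
    - pattern: hashids.Hashids($APP.config.get('SECRET_KEY', ...), ...)
    - pattern: hashids.Hashids(..., salt=$APP.secret_key, ...)
    - pattern: hashids.Hashids($APP.secret_key, ...)
```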
@@ -30201,8 +30678,8 @@ rules: semgrep.dev: rule: rule_id: L1UR2K - version_id: 3ZTdx5 - url: https://semgrep.dev/playground/r/3ZTdx5/python.flask.security.injection.csv-writer-injection.csv-writer-injection + version_id: O9TNO0j + url: https://semgrep.dev/playground/r/O9TNO0j/python.flask.security.injection.csv-writer-injection.csv-writer-injection origin: community mode: taint pattern-sinks: @@ -30297,8 +30774,8 @@ rules: semgrep.dev: rule: rule_id: WAUdj7 - version_id: 44ToYN - url: https://semgrep.dev/playground/r/44ToYN/python.flask.security.injection.nan-injection.nan-injection + version_id: e1T01d0 + url: https://semgrep.dev/playground/r/e1T01d0/python.flask.security.injection.nan-injection.nan-injection origin: community - id: python.flask.security.injection.raw-html-concat.raw-html-format languages: @@ -30337,8 +30814,8 @@ rules: semgrep.dev: rule: rule_id: GdUrJv - version_id: 5PT6YR - url: https://semgrep.dev/playground/r/5PT6YR/python.flask.security.injection.raw-html-concat.raw-html-format + version_id: ZRTQNE5 + url: https://semgrep.dev/playground/r/ZRTQNE5/python.flask.security.injection.raw-html-concat.raw-html-format origin: community mode: taint pattern-sanitizers: @@ -30410,8 +30887,8 @@ rules: semgrep.dev: rule: rule_id: WAUoRx - version_id: o5TgewN - url: https://semgrep.dev/playground/r/o5TgewN/python.flask.security.injection.ssrf-requests.ssrf-requests + version_id: nWTxPeY + url: https://semgrep.dev/playground/r/nWTxPeY/python.flask.security.injection.ssrf-requests.ssrf-requests origin: community pattern-either: - patterns: 
@@ -30553,8 +31030,8 @@ rules: semgrep.dev: rule: rule_id: 8GU3qp - version_id: RGTbw7 - url: https://semgrep.dev/playground/r/RGTbw7/python.flask.security.injection.subprocess-injection.subprocess-injection + version_id: ExTjNkQ + url: https://semgrep.dev/playground/r/ExTjNkQ/python.flask.security.injection.subprocess-injection.subprocess-injection origin: community - id: python.flask.security.injection.tainted-sql-string.tainted-sql-string message: Detected user input used to manually construct a SQL string. This is usually @@ -30590,8 +31067,8 @@ rules: semgrep.dev: rule: rule_id: YGUDKQ - version_id: A8TRnD - url: https://semgrep.dev/playground/r/A8TRnD/python.flask.security.injection.tainted-sql-string.tainted-sql-string + version_id: 7ZTgo7v + url: https://semgrep.dev/playground/r/7ZTgo7v/python.flask.security.injection.tainted-sql-string.tainted-sql-string origin: community severity: ERROR languages: @@ -30660,8 +31137,8 @@ rules: semgrep.dev: rule: rule_id: ReU3Wb - version_id: BjTEGR - url: https://semgrep.dev/playground/r/BjTEGR/python.flask.security.injection.tainted-url-host.tainted-url-host + version_id: LjTqQYP + url: https://semgrep.dev/playground/r/LjTqQYP/python.flask.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sinks: @@ -30741,8 +31218,8 @@ rules: semgrep.dev: rule: rule_id: 0oU54W - version_id: DkTQeA - url: https://semgrep.dev/playground/r/DkTQeA/python.flask.security.injection.user-eval.eval-injection + version_id: 8KTQ92G + url: https://semgrep.dev/playground/r/8KTQ92G/python.flask.security.injection.user-eval.eval-injection origin: community pattern-either: - patterns: 
@@ -30818,8 +31295,8 @@ rules: semgrep.dev: rule: rule_id: KxUbl2 - version_id: WrTb64 - url: https://semgrep.dev/playground/r/WrTb64/python.flask.security.injection.user-exec.exec-injection + version_id: gET3x4k + url: https://semgrep.dev/playground/r/gET3x4k/python.flask.security.injection.user-exec.exec-injection origin: community pattern-either: - patterns: @@ -30904,8 +31381,8 @@ rules: semgrep.dev: rule: rule_id: QrU1Xg - version_id: DkTQ36 - url: https://semgrep.dev/playground/r/DkTQ36/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled + version_id: WrTWQxg + url: https://semgrep.dev/playground/r/WrTWQxg/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled origin: community languages: - python @@ -30946,8 +31423,8 @@ rules: semgrep.dev: rule: rule_id: 3qULRx - version_id: WrTbkO - url: https://semgrep.dev/playground/r/WrTbkO/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled + version_id: 0bTLlO0 + url: https://semgrep.dev/playground/r/0bTLlO0/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled origin: community languages: - python @@ -30982,8 +31459,8 @@ rules: semgrep.dev: rule: rule_id: X5U8P5 - version_id: qkTN9o - url: https://semgrep.dev/playground/r/qkTN9o/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret + version_id: l4T4vPA + url: https://semgrep.dev/playground/r/l4T4vPA/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret origin: community patterns: - pattern: 'jwt.encode($X, $SECRET, ...) @@ -31026,8 +31503,8 @@ rules: semgrep.dev: rule: rule_id: j2UvKw - version_id: l4T5ez - url: https://semgrep.dev/playground/r/l4T5ez/python.jwt.security.jwt-none-alg.jwt-python-none-alg + version_id: YDTp2P1 + url: https://semgrep.dev/playground/r/YDTp2P1/python.jwt.security.jwt-none-alg.jwt-python-none-alg origin: community languages: - python 
@@ -31137,8 +31614,8 @@ rules: semgrep.dev: rule: rule_id: 7KUE1E - version_id: X0TPo2 - url: https://semgrep.dev/playground/r/X0TPo2/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args + version_id: vdTY8rX + url: https://semgrep.dev/playground/r/vdTY8rX/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args origin: community languages: - python @@ -31240,8 +31717,8 @@ rules: semgrep.dev: rule: rule_id: 8GU5q3 - version_id: 1QTj02 - url: https://semgrep.dev/playground/r/1QTj02/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args + version_id: ZRTQp4x + url: https://semgrep.dev/playground/r/ZRTQp4x/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args origin: community languages: - python @@ -31352,8 +31829,8 @@ rules: semgrep.dev: rule: rule_id: QrUG72 - version_id: yeTXQG - url: https://semgrep.dev/playground/r/yeTXQG/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args + version_id: ExTjA8X + url: https://semgrep.dev/playground/r/ExTjA8X/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args origin: community severity: WARNING languages: @@ -31469,8 +31946,8 @@ rules: semgrep.dev: rule: rule_id: 4bUEAY - version_id: bZTGx6 - url: https://semgrep.dev/playground/r/bZTGx6/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args + version_id: LjTqANx + url: https://semgrep.dev/playground/r/LjTqANx/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args origin: community languages: - python 
@@ -31588,8 +32065,8 @@ rules: semgrep.dev: rule: rule_id: JDUz34 - version_id: kbT7rr - url: https://semgrep.dev/playground/r/kbT7rr/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args + version_id: gET3OZv + url: https://semgrep.dev/playground/r/gET3OZv/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args origin: community languages: - python @@ -31678,8 +32155,8 @@ rules: semgrep.dev: rule: rule_id: GdUkxO - version_id: xyT49l - url: https://semgrep.dev/playground/r/xyT49l/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args + version_id: 3ZTkrYD + url: https://semgrep.dev/playground/r/3ZTkrYD/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args origin: community severity: WARNING languages: @@ -31801,8 +32278,8 @@ rules: semgrep.dev: rule: rule_id: AbUgrZ - version_id: e1TxEX - url: https://semgrep.dev/playground/r/e1TxEX/python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args + version_id: PkTJd5l + url: https://semgrep.dev/playground/r/PkTJd5l/python.lang.security.audit.dangerous-subprocess-use-tainted-env-args.dangerous-subprocess-use-tainted-env-args origin: community languages: - python @@ -31918,8 +32395,8 @@ rules: semgrep.dev: rule: rule_id: DbUR9g - version_id: ZRTwB8 - url: https://semgrep.dev/playground/r/ZRTwB8/python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args + version_id: GxTv8LN + url: https://semgrep.dev/playground/r/GxTv8LN/python.lang.security.audit.dangerous-system-call-tainted-env-args.dangerous-system-call-tainted-env-args origin: community languages: - python 
@@ -32014,8 +32491,8 @@ rules: semgrep.dev: rule: rule_id: 0oUK7N - version_id: ExTnd7 - url: https://semgrep.dev/playground/r/ExTnd7/python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args + version_id: A8T9Xjw + url: https://semgrep.dev/playground/r/A8T9Xjw/python.lang.security.audit.dangerous-testcapi-run-in-subinterp-tainted-env-args.dangerous-testcapi-run-in-subinterp-tainted-env-args origin: community severity: WARNING languages: @@ -32049,8 +32526,8 @@ rules: semgrep.dev: rule: rule_id: zdUYqR - version_id: PkTYE6 - url: https://semgrep.dev/playground/r/PkTYE6/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions + version_id: YDTpnq3 + url: https://semgrep.dev/playground/r/YDTpnq3/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions origin: community message: These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write @@ -32133,8 +32610,8 @@ rules: semgrep.dev: rule: rule_id: x8UnJk - version_id: X0TPp2 - url: https://semgrep.dev/playground/r/X0TPp2/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure + version_id: X0TQ2Q4 + url: https://semgrep.dev/playground/r/X0TQ2Q4/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure origin: community - id: python.lang.security.audit.md5-used-as-password.md5-used-as-password severity: WARNING @@ -32174,8 +32651,8 @@ rules: semgrep.dev: rule: rule_id: 6JU1w1 - version_id: 9lTzL3 - url: https://semgrep.dev/playground/r/9lTzL3/python.lang.security.audit.md5-used-as-password.md5-used-as-password + version_id: 9lTd5d6 + url: https://semgrep.dev/playground/r/9lTd5d6/python.lang.security.audit.md5-used-as-password.md5-used-as-password origin: community mode: taint pattern-sources: 
@@ -32220,8 +32697,8 @@ rules: semgrep.dev: rule: rule_id: OrU3og - version_id: yeTXzG - url: https://semgrep.dev/playground/r/yeTXzG/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces + version_id: yeTRZR5 + url: https://semgrep.dev/playground/r/yeTRZR5/python.lang.security.audit.network.bind.avoid-bind-to-all-interfaces origin: community languages: - python @@ -32278,8 +32755,8 @@ rules: semgrep.dev: rule: rule_id: eqU87k - version_id: rxTxXN - url: https://semgrep.dev/playground/r/rxTxXN/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation + version_id: rxTy4y8 + url: https://semgrep.dev/playground/r/rxTy4y8/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation origin: community languages: - python @@ -32314,8 +32791,8 @@ rules: semgrep.dev: rule: rule_id: BYUN2e - version_id: nWT7lj - url: https://semgrep.dev/playground/r/nWT7lj/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated + version_id: nWTxox3 + url: https://semgrep.dev/playground/r/nWTxox3/python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated origin: community languages: - python @@ -32360,8 +32837,8 @@ rules: semgrep.dev: rule: rule_id: DbUpz2 - version_id: ExTnb7 - url: https://semgrep.dev/playground/r/ExTnb7/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true + version_id: ExTjAjz + url: https://semgrep.dev/playground/r/ExTjAjz/python.lang.security.audit.subprocess-shell-true.subprocess-shell-true origin: community languages: - python @@ -32524,8 +33001,8 @@ rules: semgrep.dev: rule: rule_id: KxUKzx - version_id: gETqp2 - url: https://semgrep.dev/playground/r/gETqp2/python.lang.security.dangerous-code-run.dangerous-interactive-code-run + version_id: gET3O37 + url: https://semgrep.dev/playground/r/gET3O37/python.lang.security.dangerous-code-run.dangerous-interactive-code-run origin: community severity: WARNING languages: 
@@ -32693,8 +33170,8 @@ rules: semgrep.dev: rule: rule_id: qNUR13 - version_id: 3ZTdgX - url: https://semgrep.dev/playground/r/3ZTdgX/python.lang.security.dangerous-os-exec.dangerous-os-exec + version_id: 3ZTkrkN + url: https://semgrep.dev/playground/r/3ZTkrkN/python.lang.security.dangerous-os-exec.dangerous-os-exec origin: community languages: - python @@ -32905,8 +33382,8 @@ rules: semgrep.dev: rule: rule_id: lBUJrn - version_id: 44ToJd - url: https://semgrep.dev/playground/r/44ToJd/python.lang.security.dangerous-spawn-process.dangerous-spawn-process + version_id: 44TR6Rn + url: https://semgrep.dev/playground/r/44TR6Rn/python.lang.security.dangerous-spawn-process.dangerous-spawn-process origin: community languages: - python @@ -33047,8 +33524,8 @@ rules: semgrep.dev: rule: rule_id: PeURWr - version_id: PkTYK6 - url: https://semgrep.dev/playground/r/PkTYK6/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string + version_id: PkTJdJp + url: https://semgrep.dev/playground/r/PkTJdJp/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string origin: community severity: WARNING languages: @@ -33222,8 +33699,8 @@ rules: semgrep.dev: rule: rule_id: JDUz3R - version_id: JdTq4d - url: https://semgrep.dev/playground/r/JdTq4d/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use + version_id: JdTNvNq + url: https://semgrep.dev/playground/r/JdTNvNq/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use origin: community languages: - python @@ -33394,8 +33871,8 @@ rules: semgrep.dev: rule: rule_id: 5rUoP1 - version_id: 5PT6xv - url: https://semgrep.dev/playground/r/5PT6xv/python.lang.security.dangerous-system-call.dangerous-system-call + version_id: 5PTded5 + url: https://semgrep.dev/playground/r/5PTded5/python.lang.security.dangerous-system-call.dangerous-system-call origin: community languages: - python 
@@ -33542,8 +34019,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUkxR
- version_id: GxT2g2
- url: https://semgrep.dev/playground/r/GxT2g2/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp
+ version_id: GxTv8v9
+ url: https://semgrep.dev/playground/r/GxTv8v9/python.lang.security.dangerous-testcapi-run-in-subinterp.dangerous-testcapi-run-in-subinterp
 origin: community
 severity: WARNING
 languages:
@@ -33589,8 +34066,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeU2e2
- version_id: GxTv7k3
- url: https://semgrep.dev/playground/r/GxTv7k3/python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5
+ version_id: qkT2B5X
+ url: https://semgrep.dev/playground/r/qkT2B5X/python.lang.security.insecure-hash-algorithms-md5.insecure-hash-algorithm-md5
 origin: community
 severity: WARNING
 languages:
@@ -33637,13 +34114,13 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UnBk
- version_id: l4T53z
- url: https://semgrep.dev/playground/r/l4T53z/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
+ version_id: l4T46lW
+ url: https://semgrep.dev/playground/r/l4T46lW/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
 origin: community
 severity: WARNING
 languages:
 - python
-- id: python.lang.security.use-defused-xml.use-defused-xml
+- id: python.lang.security.use-defused-xml-parse.use-defused-xml-parse
 metadata:
 owasp:
 - A04:2017 - XML External Entities (XXE)
@@ -33667,62 +34144,25 @@ rules:
 license: Commons Clause License Condition v1.0[LGPL-2.1-only]
 vulnerability_class:
 - XML Injection
- source: https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml
- shortlink: https://sg.run/kX47
+ source: https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse
+ shortlink: https://sg.run/n3jG
 semgrep.dev:
 rule:
- rule_id: d8UjRx
- version_id: GxT2bo
- url: https://semgrep.dev/playground/r/GxT2bo/python.lang.security.use-defused-xml.use-defused-xml
+ rule_id: X5Uqnx
+ version_id: zyTKDj8
+ url: https://semgrep.dev/playground/r/zyTKDj8/python.lang.security.use-defused-xml-parse.use-defused-xml-parse
 origin: community
- message: The Python documentation recommends using `defusedxml` instead of `xml`
- because the native Python `xml` library is vulnerable to XML External Entity (XXE)
- attacks. These attacks can leak confidential data and "XML bombs" can cause denial
- of service.
+ message: The native Python `xml` library is vulnerable to XML External Entity (XXE)
+ attacks. These attacks can leak confidential data and "XML bombs" can cause denial
+ of service. Do not use this library to parse untrusted input. Instead the Python
+ documentation recommends using `defusedxml`.
 languages:
 - python
 severity: ERROR
- pattern: import xml
-- id: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
- pattern-either:
- - pattern: import xmlrpclib
- - pattern: import SimpleXMLRPCServer
- - pattern: import xmlrpc
- message: Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities.
- Use defusedxml.xmlrpc instead.
- metadata:
- cwe:
- - 'CWE-776: Improper Restriction of Recursive Entity References in DTDs (''XML
- Entity Expansion'')'
- owasp:
- - A04:2017 - XML External Entities (XXE)
- - A05:2021 - Security Misconfiguration
- source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160
- references:
- - https://pypi.org/project/defusedxml/
- - https://docs.python.org/3/library/xml.html#xml-vulnerabilities
- category: security
- technology:
- - python
- subcategory:
- - vuln
- likelihood: LOW
- impact: MEDIUM
- confidence: LOW
- license: Commons Clause License Condition v1.0[LGPL-2.1-only]
- vulnerability_class:
- - XML Injection
- source: https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
- shortlink: https://sg.run/weqY
- semgrep.dev:
- rule:
- rule_id: ZqU5EZ
- version_id: RGTbNA
- url: https://semgrep.dev/playground/r/RGTbNA/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
- origin: community
- severity: ERROR
- languages:
- - python
+ patterns:
+ - pattern: xml.etree.ElementTree.parse($...ARGS)
+ - pattern-not: xml.etree.ElementTree.parse("...")
+ fix: defusedxml.etree.ElementTree.parse($...ARGS)
 - id: python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish
 message: Detected Blowfish cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.
@@ -33752,8 +34192,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUGnK
- version_id: BjTE4p
- url: https://semgrep.dev/playground/r/BjTE4p/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish
+ version_id: jQTgyl1
+ url: https://semgrep.dev/playground/r/jQTgyl1/python.pycryptodome.security.insecure-cipher-algorithm-blowfish.insecure-cipher-algorithm-blowfish
 origin: community
 severity: WARNING
 languages:
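Review bot: The autofix on the new side of this hunk, `fix: defusedxml.etree.ElementTree.parse($...ARGS)`, points at a module path I do not believe defusedxml ships — its drop-in parser is `defusedxml.ElementTree.parse` — so an `--autofix` run would likely leave code that fails to import; worth checking against the defusedxml docs and the upstream rule before relying on it. The rewritten rule also narrows detection from any `import xml` to `xml.etree.ElementTree.parse` with a non-literal argument, and the same hunk drops `use-defused-xmlrpc` with no replacement visible here, so `fromstring`/`iterparse`, `xml.dom.minidom`, `xml.sax` and xmlrpc uses are no longer flagged by this bundle unless another rule covers them. Since this is a generated rule file, both points belong upstream or in the sync tooling rather than as a hand edit, but a sentence in the commit description noting the reduced XML coverage would help anyone reading audit results across the two versions.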
@@ -33790,8 +34230,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 5rUr73
- version_id: DkTQBR
- url: https://semgrep.dev/playground/r/DkTQBR/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des
+ version_id: 1QTO7z3
+ url: https://semgrep.dev/playground/r/1QTO7z3/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des
 origin: community
 severity: WARNING
 languages:
@@ -33828,8 +34268,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: GdUYlW
- version_id: WrTbe8
- url: https://semgrep.dev/playground/r/WrTbe8/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2
+ version_id: 9lTd5e6
+ url: https://semgrep.dev/playground/r/9lTd5e6/python.pycryptodome.security.insecure-cipher-algorithm-rc2.insecure-cipher-algorithm-rc2
 origin: community
 severity: WARNING
 languages:
@@ -33866,8 +34306,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUnEB
- version_id: 0bTv0G
- url: https://semgrep.dev/playground/r/0bTv0G/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4
+ version_id: yeTRZ35
+ url: https://semgrep.dev/playground/r/yeTRZ35/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4
 origin: community
 severity: WARNING
 languages:
@@ -33904,8 +34344,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUk5W
- version_id: K3TlA8
- url: https://semgrep.dev/playground/r/K3TlA8/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor
+ version_id: rxTy408
+ url: https://semgrep.dev/playground/r/rxTy408/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor
 origin: community
 severity: WARNING
 languages:
@@ -33945,8 +34385,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbU0Ex
- version_id: qkTNAJ
- url: https://semgrep.dev/playground/r/qkTNAJ/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2
+ version_id: bZTb9Rx
+ url: https://semgrep.dev/playground/r/bZTb9Rx/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2
 origin: community
 severity: WARNING
 languages:
@@ -33986,8 +34426,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUJy4
- version_id: l4T532
- url: https://semgrep.dev/playground/r/l4T532/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4
+ version_id: NdT3ogE
+ url: https://semgrep.dev/playground/r/NdT3ogE/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4
 origin: community
 severity: WARNING
 languages:
@@ -34027,8 +34467,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUXwo
- version_id: YDTog8
- url: https://semgrep.dev/playground/r/YDTog8/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5
+ version_id: kbTdLgQ
+ url: https://semgrep.dev/playground/r/kbTdLgQ/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5
 origin: community
 severity: WARNING
 languages:
@@ -34068,8 +34508,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReUPO3
- version_id: 6xTe4A
- url: https://semgrep.dev/playground/r/6xTe4A/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1
+ version_id: w8T9D6g
+ url: https://semgrep.dev/playground/r/w8T9D6g/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1
 origin: community
 severity: WARNING
 languages:
@@ -34114,8 +34554,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUWje
- version_id: o5TnGP
- url: https://semgrep.dev/playground/r/o5TnGP/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size
+ version_id: xyTKpvy
+ url: https://semgrep.dev/playground/r/xyTKpvy/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size
 origin: community
 languages:
 - python
@@ -34157,8 +34597,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUBWe
- version_id: zyT566
- url: https://semgrep.dev/playground/r/zyT566/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size
+ version_id: O9TNdk2
+ url: https://semgrep.dev/playground/r/O9TNdk2/python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size
 origin: community
 languages:
 - python
@@ -34194,8 +34634,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUw8w
- version_id: pZTrRg
- url: https://semgrep.dev/playground/r/pZTrRg/python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication
+ version_id: e1T03go
+ url: https://semgrep.dev/playground/r/e1T03go/python.pycryptodome.security.mode-without-authentication.crypto-mode-without-authentication
 origin: community
 patterns:
 - pattern-either:
@@ -34250,8 +34690,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UlOX
- version_id: 2KT1nB
- url: https://semgrep.dev/playground/r/2KT1nB/python.pymongo.security.mongodb.mongo-client-bad-auth
+ version_id: vdTY81E
+ url: https://semgrep.dev/playground/r/vdTY81E/python.pymongo.security.mongodb.mongo-client-bad-auth
 origin: community
 - id: python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default
 patterns:
@@ -34292,8 +34732,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: bwUXKB
- version_id: X0TPG0
- url: https://semgrep.dev/playground/r/X0TPG0/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default
+ version_id: d6Trvq1
+ url: https://semgrep.dev/playground/r/d6Trvq1/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default
 origin: community
 languages:
 - python
@@ -34345,8 +34785,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUq9e
- version_id: jQTKG4
- url: https://semgrep.dev/playground/r/jQTKG4/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value
+ version_id: ZRTQp60
+ url: https://semgrep.dev/playground/r/ZRTQp60/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value
 origin: community
 languages:
 - python
@@ -34390,8 +34830,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUYjY
- version_id: 1QTjJr
- url: https://semgrep.dev/playground/r/1QTjJr/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite
+ version_id: nWTxoO3
+ url: https://semgrep.dev/playground/r/nWTxoO3/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite
 origin: community
 languages:
 - python
@@ -34439,8 +34879,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUKzn
- version_id: 9lTz82
- url: https://semgrep.dev/playground/r/9lTz82/python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default
+ version_id: ExTjARz
+ url: https://semgrep.dev/playground/r/ExTjARz/python.pyramid.audit.authtkt-cookie-secure-unsafe-default.pyramid-authtkt-cookie-secure-unsafe-default
 origin: community
 languages:
 - python
@@ -34491,8 +34931,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UqAp
- version_id: yeTXYl
- url: https://semgrep.dev/playground/r/yeTXYl/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value
+ version_id: 7ZTgnD4
+ url: https://semgrep.dev/playground/r/7ZTgnD4/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value
 origin: community
 languages:
 - python
@@ -34540,8 +34980,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: eqU9Le
- version_id: bZTGP2
- url: https://semgrep.dev/playground/r/bZTGP2/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally
+ version_id: 8KTQy4l
+ url: https://semgrep.dev/playground/r/8KTQy4l/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally
 origin: community
 - id: python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled
 message: Origin check for the CSRF token is disabled for this view. This might represent
@@ -34576,8 +35016,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8UGpL
- version_id: NdT1vw
- url: https://semgrep.dev/playground/r/NdT1vw/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled
+ version_id: gET3O67
+ url: https://semgrep.dev/playground/r/gET3O67/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled
 origin: community
 severity: WARNING
 languages:
@@ -34643,8 +35083,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: d8UPQ7
- version_id: kbT7Ql
- url: https://semgrep.dev/playground/r/kbT7Ql/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default
+ version_id: QkTWw8O
+ url: https://semgrep.dev/playground/r/QkTWw8O/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default
 origin: community
 languages:
 - python
@@ -34703,8 +35143,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ZqU37W
- version_id: w8T3qb
- url: https://semgrep.dev/playground/r/w8T3qb/python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value
+ version_id: 3ZTkrlN
+ url: https://semgrep.dev/playground/r/3ZTkrlN/python.pyramid.audit.set-cookie-httponly-unsafe-value.pyramid-set-cookie-httponly-unsafe-value
 origin: community
 languages:
 - python
@@ -34756,8 +35196,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUp80
- version_id: xyT4lz
- url: https://semgrep.dev/playground/r/xyT4lz/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default
+ version_id: 44TR67n
+ url: https://semgrep.dev/playground/r/44TR67n/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default
 origin: community
 languages:
 - python
@@ -34810,8 +35250,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwUgpY
- version_id: O9TyAb
- url: https://semgrep.dev/playground/r/O9TyAb/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value
+ version_id: PkTJdDp
+ url: https://semgrep.dev/playground/r/PkTJdDp/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value
 origin: community
 languages:
 - python
@@ -34863,8 +35303,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 7KUr15
- version_id: e1TxYn
- url: https://semgrep.dev/playground/r/e1TxYn/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default
+ version_id: JdTNv5q
+ url: https://semgrep.dev/playground/r/JdTNv5q/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default
 origin: community
 languages:
 - python
@@ -34921,8 +35361,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: L1UX2J
- version_id: vdT2Kq
- url: https://semgrep.dev/playground/r/vdT2Kq/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value
+ version_id: 5PTdek5
+ url: https://semgrep.dev/playground/r/5PTdek5/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value
 origin: community
 languages:
 - python
@@ -34969,8 +35409,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 8GUKqP
- version_id: d6TDOB
- url: https://semgrep.dev/playground/r/d6TDOB/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally
+ version_id: GxTv8j9
+ url: https://semgrep.dev/playground/r/GxTv8j9/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally
 origin: community
 - id: python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response
 message: Detected data rendered directly to the end user via 'Response'. This bypasses
@@ -35003,8 +35443,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: gxUeA8
- version_id: ZRTwkw
- url: https://semgrep.dev/playground/r/ZRTwkw/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response
+ version_id: RGTDRQO
+ url: https://semgrep.dev/playground/r/RGTDRQO/python.pyramid.security.direct-use-of-response.pyramid-direct-use-of-response
 origin: community
 languages:
 - python
@@ -35069,8 +35509,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: QrUZ7l
- version_id: nWT75e
- url: https://semgrep.dev/playground/r/nWT75e/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection
+ version_id: A8T9Xr9
+ url: https://semgrep.dev/playground/r/A8T9Xr9/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection
 origin: community
 mode: taint
 pattern-sources:
@@ -35169,8 +35609,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUBWo
- version_id: QkTJ3z
- url: https://semgrep.dev/playground/r/QkTJ3z/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection
+ version_id: BjTXpDb
+ url: https://semgrep.dev/playground/r/BjTXpDb/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection
 origin: community
 - id: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli
 languages:
@@ -35209,8 +35649,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oUw9g
- version_id: 3ZTdKB
- url: https://semgrep.dev/playground/r/3ZTdKB/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli
+ version_id: DkT6Y9w
+ url: https://semgrep.dev/playground/r/DkT6Y9w/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli
 origin: community
 pattern-sinks:
 - patterns:
@@ -35266,8 +35706,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxUrQ3
- version_id: 44ToN2
- url: https://semgrep.dev/playground/r/44ToN2/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli
+ version_id: WrTW3lG
+ url: https://semgrep.dev/playground/r/WrTW3lG/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli
 origin: community
 pattern-sinks:
 - patterns:
@@ -35326,8 +35766,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: qNUQee
- version_id: PkTYwo
- url: https://semgrep.dev/playground/r/PkTYwo/ruby.aws-lambda.security.pg-sqli.pg-sqli
+ version_id: 0bTLe7q
+ url: https://semgrep.dev/playground/r/0bTLe7q/ruby.aws-lambda.security.pg-sqli.pg-sqli
 origin: community
 pattern-sinks:
 - patterns:
@@ -35387,8 +35827,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUy2N
- version_id: JdTqw6
- url: https://semgrep.dev/playground/r/JdTqw6/ruby.aws-lambda.security.sequel-sqli.sequel-sqli
+ version_id: K3TvGzQ
+ url: https://semgrep.dev/playground/r/K3TvGzQ/ruby.aws-lambda.security.sequel-sqli.sequel-sqli
 origin: community
 pattern-sinks:
 - patterns:
@@ -35446,8 +35886,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: zdUlNJ
- version_id: 5PT6ly
- url: https://semgrep.dev/playground/r/5PT6ly/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization
+ version_id: qkT2B1K
+ url: https://semgrep.dev/playground/r/qkT2B1K/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization
 origin: community
 pattern-sinks:
 - patterns:
@@ -35510,8 +35950,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: PeUxOE
- version_id: GxT2Oo
- url: https://semgrep.dev/playground/r/GxT2Oo/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string
+ version_id: l4T46re
+ url: https://semgrep.dev/playground/r/l4T46re/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string
 origin: community
 mode: taint
 pattern-sources:
@@ -35598,8 +36038,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUdQg
- version_id: qkTNgJ
- url: https://semgrep.dev/playground/r/qkTNgJ/ruby.lang.security.bad-deserialization.bad-deserialization
+ version_id: jQTgy6W
+ url: https://semgrep.dev/playground/r/jQTgy6W/ruby.lang.security.bad-deserialization.bad-deserialization
 origin: community
 languages:
 - ruby
@@ -35662,8 +36102,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUZOw
- version_id: 6xTe7A
- url: https://semgrep.dev/playground/r/6xTe7A/ruby.lang.security.dangerous-exec.dangerous-exec
+ version_id: yeTRZBK
+ url: https://semgrep.dev/playground/r/yeTRZBK/ruby.lang.security.dangerous-exec.dangerous-exec
 origin: community
 severity: WARNING
 languages:
@@ -35691,8 +36131,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqUzXA
- version_id: X0TPe0
- url: https://semgrep.dev/playground/r/X0TPe0/ruby.lang.security.divide-by-zero.divide-by-zero
+ version_id: w8T9DzL
+ url: https://semgrep.dev/playground/r/w8T9DzL/ruby.lang.security.divide-by-zero.divide-by-zero
 origin: community
 languages:
 - ruby
@@ -35736,8 +36176,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 2ZU4lx
- version_id: 9lTzN2
- url: https://semgrep.dev/playground/r/9lTzN2/ruby.lang.security.force-ssl-false.force-ssl-false
+ version_id: e1T03L6
+ url: https://semgrep.dev/playground/r/e1T03L6/ruby.lang.security.force-ssl-false.force-ssl-false
 origin: community
 languages:
 - ruby
@@ -35780,8 +36220,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: bwULyN
- version_id: WrTWdNY
- url: https://semgrep.dev/playground/r/WrTWdNY/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase
+ version_id: d6TrvQR
+ url: https://semgrep.dev/playground/r/d6TrvQR/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase
 origin: community
 patterns:
 - pattern-either:
@@ -35886,8 +36326,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUe4N
- version_id: 0bTLwr1
- url: https://semgrep.dev/playground/r/0bTLwr1/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size
+ version_id: ZRTQp7j
+ url: https://semgrep.dev/playground/r/ZRTQp7j/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size
 origin: community
 patterns:
 - pattern-either:
@@ -35950,8 +36390,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: oqU4p2
- version_id: O9TyLb
- url: https://semgrep.dev/playground/r/O9TyLb/ruby.lang.security.md5-used-as-password.md5-used-as-password
+ version_id: 8KTQyjj
+ url: https://semgrep.dev/playground/r/8KTQyjj/ruby.lang.security.md5-used-as-password.md5-used-as-password
 origin: community
 mode: taint
 pattern-sources:
@@ -35994,8 +36434,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: OrUGNk
- version_id: 7ZTOqz
- url: https://semgrep.dev/playground/r/7ZTOqz/ruby.lang.security.no-eval.ruby-eval
+ version_id: 5PTdeO9
+ url: https://semgrep.dev/playground/r/5PTdeO9/ruby.lang.security.no-eval.ruby-eval
 origin: community
 languages:
 - ruby
@@ -36062,8 +36502,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: v8U5Yn
- version_id: 8KTbO4
- url: https://semgrep.dev/playground/r/8KTbO4/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify
+ version_id: RGTDRgR
+ url: https://semgrep.dev/playground/r/RGTDRgR/ruby.lang.security.ssl-mode-no-verify.ssl-mode-no-verify
 origin: community
 - id: ruby.lang.security.weak-hashes-md5.weak-hashes-md5
 message: Should not use md5 to generate hashes. md5 is proven to be vulnerable through
@@ -36093,8 +36533,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: nJUYxZ
- version_id: 0bTL5Kb
- url: https://semgrep.dev/playground/r/0bTL5Kb/ruby.lang.security.weak-hashes-md5.weak-hashes-md5
+ version_id: DkT6Ypw
+ url: https://semgrep.dev/playground/r/DkT6Ypw/ruby.lang.security.weak-hashes-md5.weak-hashes-md5
 origin: community
 languages:
 - ruby
@@ -36137,8 +36577,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: EwU4jq
- version_id: K3TvbKL
- url: https://semgrep.dev/playground/r/K3TvbKL/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1
+ version_id: WrTW3oG
+ url: https://semgrep.dev/playground/r/WrTW3oG/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1
 origin: community
 languages:
 - ruby
@@ -36183,8 +36623,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUdW6
- version_id: JdTqA6
- url: https://semgrep.dev/playground/r/JdTqA6/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation
+ version_id: l4T469e
+ url: https://semgrep.dev/playground/r/l4T469e/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation
 origin: community
 message: This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to.
@@ -36227,8 +36667,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbU1dr
- version_id: 5PT60y
- url: https://semgrep.dev/playground/r/5PT60y/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access
+ version_id: YDTpnRx
+ url: https://semgrep.dev/playground/r/YDTpnRx/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access
 origin: community
 message: Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
@@ -36307,8 +36747,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: WAUyzp
- version_id: GxT25o
- url: https://semgrep.dev/playground/r/GxT25o/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call
+ version_id: 6xTvQj4
+ url: https://semgrep.dev/playground/r/6xTvQj4/ruby.rails.security.audit.avoid-tainted-ftp-call.avoid-tainted-ftp-call
 origin: community
 message: Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
@@ -36355,8 +36795,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 0oU2x3
- version_id: RGTbYA
- url: https://semgrep.dev/playground/r/RGTbYA/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request
+ version_id: o5Tg9eQ
+ url: https://semgrep.dev/playground/r/o5Tg9eQ/ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request
 origin: community
 message: Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
@@ -36444,8 +36884,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: KxU72k
- version_id: A8TR15
- url: https://semgrep.dev/playground/r/A8TR15/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call
+ version_id: zyTKDkv
+ url: https://semgrep.dev/playground/r/zyTKDkv/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call
 origin: community
 message: Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.
@@ -36573,8 +37013,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: NbUAz7
- version_id: WrTb2D
- url: https://semgrep.dev/playground/r/WrTb2D/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli
+ version_id: vdTY8n2
+ url: https://semgrep.dev/playground/r/vdTY8n2/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli
 origin: community
 severity: WARNING
 - id: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to
@@ -36607,8 +37047,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBU8Qj
- version_id: l4T5wG
- url: https://semgrep.dev/playground/r/l4T5wG/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to
+ version_id: ExTjA4j
+ url: https://semgrep.dev/playground/r/ExTjA4j/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to
 origin: community
 message: This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed
@@ -36663,8 +37103,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUDqJ
- version_id: 6xTeOg
- url: https://semgrep.dev/playground/r/6xTeOg/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect
+ version_id: LjTqA42
+ url: https://semgrep.dev/playground/r/LjTqA42/ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect
 origin: community
 message: When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values,
@@ -36736,8 +37176,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: 6JU1bL
- version_id: o5Tnj1
- url: https://semgrep.dev/playground/r/o5Tnj1/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path
+ version_id: 8KTQyEj
+ url: https://semgrep.dev/playground/r/8KTQyEj/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path
 origin: community
 message: Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this,
@@ -36804,8 +37244,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: wdUkBP
- version_id: xyT4DW
- url: https://semgrep.dev/playground/r/xyT4DW/ruby.rails.security.brakeman.check-before-filter.check-before-filter
+ version_id: 0bTLeEq
+ url: https://semgrep.dev/playground/r/0bTLeEq/ruby.rails.security.brakeman.check-before-filter.check-before-filter
 origin: community
 - id: ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include
 mode: search
@@ -36855,8 +37295,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: JDUokO
- version_id: e1Tx2z
- url: https://semgrep.dev/playground/r/e1Tx2z/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include
+ version_id: qkT2BoK
+ url: https://semgrep.dev/playground/r/qkT2BoK/ruby.rails.security.brakeman.check-dynamic-render-local-file-include.check-dynamic-render-local-file-include
 origin: community
 - id: ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion
 mode: search
@@ -36903,8 +37343,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: x8UdDE
- version_id: vdT2A4
- url: https://semgrep.dev/playground/r/vdT2A4/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion
+ version_id: l4T46de
+ url: https://semgrep.dev/playground/r/l4T46de/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion
 origin: community
 - id: ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling
 patterns:
@@ -36959,8 +37399,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: lBUX1r
- version_id: ExTn3N
- url: https://semgrep.dev/playground/r/ExTn3N/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling
+ version_id: GxTv805
+ url: https://semgrep.dev/playground/r/GxTv805/ruby.rails.security.brakeman.check-rails-session-secret-handling.check-rails-session-secret-handling
 origin: community
 - id: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to
 mode: taint
@@ -37049,8 +37489,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxUOJ6
- version_id: 7ZTOjn
- url: https://semgrep.dev/playground/r/7ZTOjn/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to
+ version_id: RGTDRPZ
+ url: https://semgrep.dev/playground/r/RGTDRPZ/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to
 origin: community
 - id: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos
 mode: taint
@@ -37126,8 +37566,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: YGUY4R
- version_id: LjT0ok
- url: https://semgrep.dev/playground/r/LjT0ok/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos
+ version_id: A8T9XWO
+ url: https://semgrep.dev/playground/r/A8T9XWO/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos
 origin: community
 - id: ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include
 mode: taint
@@ -37198,8 +37638,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: ReU2pZ
- version_id: zyTKkZp
- url: https://semgrep.dev/playground/r/zyTKkZp/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include
+ version_id: BjTXpBl
+ url: https://semgrep.dev/playground/r/BjTXpBl/ruby.rails.security.brakeman.check-render-local-file-include.check-render-local-file-include
 origin: community
 - id: ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing
 mode: search
@@ -37275,8 +37715,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: DbUNX4
- version_id: gETqor
- url: https://semgrep.dev/playground/r/gETqor/ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing
+ version_id: DkT6YWJ
+ url: https://semgrep.dev/playground/r/DkT6YWJ/ruby.rails.security.brakeman.check-reverse-tabnabbing.check-reverse-tabnabbing
 origin: community
 - id: ruby.rails.security.brakeman.check-secrets.check-secrets
 patterns:
@@ -37319,8 +37759,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: AbUNqO
- version_id: o5TgzjX
- url: https://semgrep.dev/playground/r/o5TgzjX/ruby.rails.security.brakeman.check-secrets.check-secrets
+ version_id: WrTW3ZB
+ url: https://semgrep.dev/playground/r/WrTW3ZB/ruby.rails.security.brakeman.check-secrets.check-secrets
 origin: community
 - id: ruby.rails.security.brakeman.check-send-file.check-send-file
 mode: taint
@@ -37379,8 +37819,8 @@ rules:
 semgrep.dev:
 rule:
 rule_id: BYUKbl
- version_id: 3ZTdzb
- url: https://semgrep.dev/playground/r/3ZTdzb/ruby.rails.security.brakeman.check-send-file.check-send-file
+ version_id: 0bTLeEn
+ url: https://semgrep.dev/playground/r/0bTLeEn/ruby.rails.security.brakeman.check-send-file.check-send-file
 origin: community
 - id: ruby.rails.security.brakeman.check-sql.check-sql
 mode: taint
@@ -37488,8 +37928,8 @@ rules: semgrep.dev: rule: rule_id: OrUv2z - version_id: 44TowG - url: https://semgrep.dev/playground/r/44TowG/ruby.rails.security.brakeman.check-sql.check-sql + version_id: K3TvG41 + url: https://semgrep.dev/playground/r/K3TvG41/ruby.rails.security.brakeman.check-sql.check-sql origin: community - id: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods mode: taint @@ -37551,8 +37991,8 @@ rules: semgrep.dev: rule: rule_id: eqUZ2Q - version_id: PkTYXn - url: https://semgrep.dev/playground/r/PkTYXn/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods + version_id: qkT2Bo8 + url: https://semgrep.dev/playground/r/qkT2Bo8/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods origin: community - id: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection mode: taint @@ -37619,8 +38059,8 @@ rules: semgrep.dev: rule: rule_id: wdUkYA - version_id: JdTqY2 - url: https://semgrep.dev/playground/r/JdTqY2/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection + version_id: l4T46dO + url: https://semgrep.dev/playground/r/l4T46dO/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection origin: community - id: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find mode: taint @@ -37685,8 +38125,8 @@ rules: semgrep.dev: rule: rule_id: x8Ud6d - version_id: 5PT62x - url: https://semgrep.dev/playground/r/5PT62x/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find + version_id: YDTpnrb + url: https://semgrep.dev/playground/r/YDTpnrb/ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find origin: community - id: ruby.rails.security.brakeman.check-validation-regex.check-validation-regex mode: search 
@@ -37736,8 +38176,8 @@ rules: semgrep.dev: rule: rule_id: OrUv1X - version_id: GxT2Kb - url: https://semgrep.dev/playground/r/GxT2Kb/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex + version_id: 6xTvQq9 + url: https://semgrep.dev/playground/r/6xTvQq9/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex origin: community - id: ruby.rails.security.injection.raw-html-format.raw-html-format languages: @@ -37777,8 +38217,8 @@ rules: semgrep.dev: rule: rule_id: kxUwZX - version_id: A8TRZ1 - url: https://semgrep.dev/playground/r/A8TRZ1/ruby.rails.security.injection.raw-html-format.raw-html-format + version_id: zyTKDy4 + url: https://semgrep.dev/playground/r/zyTKDy4/ruby.rails.security.injection.raw-html-format.raw-html-format origin: community mode: taint pattern-sanitizers: @@ -37846,8 +38286,8 @@ rules: semgrep.dev: rule: rule_id: bwU8gl - version_id: BjTEnn - url: https://semgrep.dev/playground/r/BjTEnn/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string + version_id: pZT1LGK + url: https://semgrep.dev/playground/r/pZT1LGK/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string origin: community mode: taint pattern-sources: @@ -37930,8 +38370,8 @@ rules: semgrep.dev: rule: rule_id: zdUY0W - version_id: DkTQZP - url: https://semgrep.dev/playground/r/DkTQZP/ruby.rails.security.injection.tainted-url-host.tainted-url-host + version_id: 2KTz34D + url: https://semgrep.dev/playground/r/2KTz34D/ruby.rails.security.injection.tainted-url-host.tainted-url-host origin: community mode: taint pattern-sanitizers: @@ -37985,8 +38425,8 @@ rules: semgrep.dev: rule: rule_id: qNUKDg - version_id: l4T5AG - url: https://semgrep.dev/playground/r/l4T5AG/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid + version_id: yeTRZyR + url: https://semgrep.dev/playground/r/yeTRZyR/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid origin: community languages: - rust 
@@ -38020,8 +38460,8 @@ rules: semgrep.dev: rule: rule_id: YGU8LK - version_id: 6xTewg - url: https://semgrep.dev/playground/r/6xTewg/rust.lang.security.rustls-dangerous.rustls-dangerous + version_id: bZTb9NK + url: https://semgrep.dev/playground/r/bZTb9NK/rust.lang.security.rustls-dangerous.rustls-dangerous origin: community languages: - rust @@ -38048,8 +38488,8 @@ rules: semgrep.dev: rule: rule_id: 6JU0Bl - version_id: o5Tnp1 - url: https://semgrep.dev/playground/r/o5Tnp1/rust.lang.security.ssl-verify-none.ssl-verify-none + version_id: NdT3oYk + url: https://semgrep.dev/playground/r/NdT3oYk/rust.lang.security.ssl-verify-none.ssl-verify-none origin: community languages: - rust @@ -38144,8 +38584,8 @@ rules: semgrep.dev: rule: rule_id: WAUdK0 - version_id: 2KT1oq - url: https://semgrep.dev/playground/r/2KT1oq/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode + version_id: xyTKp2x + url: https://semgrep.dev/playground/r/xyTKp2x/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode origin: community - id: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled patterns: @@ -38239,8 +38679,8 @@ rules: semgrep.dev: rule: rule_id: 0oUwzP - version_id: 9lTz9K - url: https://semgrep.dev/playground/r/9lTz9K/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled + version_id: ZRTQpgN + url: https://semgrep.dev/playground/r/ZRTQpgN/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled origin: community - id: scala.lang.security.audit.tainted-sql-string.tainted-sql-string languages: @@ -38279,8 +38719,8 @@ rules: semgrep.dev: rule: rule_id: WAUY8B - version_id: 2KTz7E1 - url: https://semgrep.dev/playground/r/2KTz7E1/scala.lang.security.audit.tainted-sql-string.tainted-sql-string + version_id: PkTJdBK + url: https://semgrep.dev/playground/r/PkTJdBK/scala.lang.security.audit.tainted-sql-string.tainted-sql-string origin: community pattern-sources: - patterns: 
@@ -38424,8 +38864,8 @@ rules: semgrep.dev: rule: rule_id: lBUyRR - version_id: ZRTw9e - url: https://semgrep.dev/playground/r/ZRTw9e/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass + version_id: 5PTde8l + url: https://semgrep.dev/playground/r/5PTde8l/scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass origin: community - id: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings patterns: @@ -38469,8 +38909,8 @@ rules: semgrep.dev: rule: rule_id: GdUDJO - version_id: nWT7bp - url: https://semgrep.dev/playground/r/nWT7bp/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings + version_id: GxTv8Z5 + url: https://semgrep.dev/playground/r/GxTv8Z5/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings origin: community - id: scala.play.security.tainted-html-response.tainted-html-response mode: taint @@ -38502,8 +38942,8 @@ rules: semgrep.dev: rule: rule_id: 0oUwn2 - version_id: ExTnLN - url: https://semgrep.dev/playground/r/ExTnLN/scala.play.security.tainted-html-response.tainted-html-response + version_id: RGTDRoZ + url: https://semgrep.dev/playground/r/RGTDRoZ/scala.play.security.tainted-html-response.tainted-html-response origin: community message: Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which @@ -38599,8 +39039,8 @@ rules: semgrep.dev: rule: rule_id: GdUDWO - version_id: 7ZTOln - url: https://semgrep.dev/playground/r/7ZTOln/scala.play.security.tainted-slick-sqli.tainted-slick-sqli + version_id: A8T9XGO + url: https://semgrep.dev/playground/r/A8T9XGO/scala.play.security.tainted-slick-sqli.tainted-slick-sqli origin: community message: Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input 
@@ -38683,8 +39123,8 @@ rules: semgrep.dev: rule: rule_id: 0oUpon - version_id: LjT0Wk - url: https://semgrep.dev/playground/r/LjT0Wk/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request + version_id: BjTXp7l + url: https://semgrep.dev/playground/r/BjTXp7l/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request origin: community pattern-sources: - patterns: @@ -38767,8 +39207,8 @@ rules: semgrep.dev: rule: rule_id: kxUl7x - version_id: w8T9JpA - url: https://semgrep.dev/playground/r/w8T9JpA/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens + version_id: O9TNd6l + url: https://semgrep.dev/playground/r/O9TNd6l/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens origin: community patterns: - pattern-either: @@ -38915,8 +39355,8 @@ rules: semgrep.dev: rule: rule_id: wdUx3D - version_id: xyTKn8d - url: https://semgrep.dev/playground/r/xyTKn8d/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate + version_id: e1T03zD + url: https://semgrep.dev/playground/r/e1T03zD/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate origin: community patterns: - pattern: | @@ -39054,8 +39494,8 @@ rules: semgrep.dev: rule: rule_id: eqUkx4 - version_id: vdTYnX8 - url: https://semgrep.dev/playground/r/vdTYnX8/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy + version_id: ZRTQpON + url: https://semgrep.dev/playground/r/ZRTQpON/solidity.security.compound-borrowfresh-reentrancy.compound-borrowfresh-reentrancy origin: community patterns: - pattern-inside: | 
@@ -39094,8 +39534,8 @@ rules: semgrep.dev: rule: rule_id: v8Uz2o - version_id: d6Trj3y - url: https://semgrep.dev/playground/r/d6Trj3y/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted + version_id: nWTxoZo + url: https://semgrep.dev/playground/r/nWTxoZo/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted origin: community patterns: - pattern-inside: | @@ -39140,8 +39580,8 @@ rules: semgrep.dev: rule: rule_id: d8UGDL - version_id: ZRTQ522 - url: https://semgrep.dev/playground/r/ZRTQ522/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy + version_id: ExTjAKE + url: https://semgrep.dev/playground/r/ExTjAKE/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy origin: community patterns: - pattern: "$POOL.get_virtual_price()\n" @@ -39218,8 +39658,8 @@ rules: semgrep.dev: rule: rule_id: nJU47w - version_id: ExTj2ov - url: https://semgrep.dev/playground/r/ExTj2ov/solidity.security.encode-packed-collision.encode-packed-collision + version_id: LjTqA5R + url: https://semgrep.dev/playground/r/LjTqA5R/solidity.security.encode-packed-collision.encode-packed-collision origin: community patterns: - pattern-either: @@ -39307,8 +39747,8 @@ rules: semgrep.dev: rule: rule_id: L1Ub0L - version_id: 8KTQjNL - url: https://semgrep.dev/playground/r/8KTQjNL/solidity.security.erc677-reentrancy.erc677-reentrancy + version_id: QkTWwdg + url: https://semgrep.dev/playground/r/QkTWwdg/solidity.security.erc677-reentrancy.erc677-reentrancy origin: community patterns: - pattern-inside: | 
@@ -39342,8 +39782,8 @@ rules: semgrep.dev: rule: rule_id: 8GUkbo - version_id: gET31PL - url: https://semgrep.dev/playground/r/gET31PL/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom + version_id: 3ZTkrjx + url: https://semgrep.dev/playground/r/3ZTkrjx/solidity.security.erc721-arbitrary-transferfrom.erc721-arbitrary-transferfrom origin: community patterns: - pattern-inside: | @@ -39392,8 +39832,8 @@ rules: semgrep.dev: rule: rule_id: gxU2qG - version_id: QkTWzXL - url: https://semgrep.dev/playground/r/QkTWzXL/solidity.security.erc721-reentrancy.erc721-reentrancy + version_id: 44TR61x + url: https://semgrep.dev/playground/r/44TR61x/solidity.security.erc721-reentrancy.erc721-reentrancy origin: community patterns: - pattern: _checkOnERC721Received(...) @@ -39423,8 +39863,8 @@ rules: semgrep.dev: rule: rule_id: QrUrJj - version_id: 3ZTkPR5 - url: https://semgrep.dev/playground/r/3ZTkPR5/solidity.security.erc777-reentrancy.erc777-reentrancy + version_id: PkTJdoK + url: https://semgrep.dev/playground/r/PkTJdoK/solidity.security.erc777-reentrancy.erc777-reentrancy origin: community patterns: - pattern: "$X.tokensReceived(...);" @@ -39454,8 +39894,8 @@ rules: semgrep.dev: rule: rule_id: 4bUPoB - version_id: PkTJZzq - url: https://semgrep.dev/playground/r/PkTJZzq/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash + version_id: 5PTdeLl + url: https://semgrep.dev/playground/r/5PTdeLl/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash origin: community patterns: - pattern-either: 
@@ -39495,8 +39935,8 @@ rules: semgrep.dev: rule: rule_id: PeUrYv - version_id: JdTNykY - url: https://semgrep.dev/playground/r/JdTNykY/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation + version_id: GxTv8r5 + url: https://semgrep.dev/playground/r/GxTv8r5/solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation origin: community patterns: - pattern: "$KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT);" @@ -39525,8 +39965,8 @@ rules: semgrep.dev: rule: rule_id: GdUE2p - version_id: RGTDgp7 - url: https://semgrep.dev/playground/r/RGTDgp7/solidity.security.no-slippage-check.no-slippage-check + version_id: BjTXpdl + url: https://semgrep.dev/playground/r/BjTXpdl/solidity.security.no-slippage-check.no-slippage-check origin: community patterns: - pattern-either: @@ -39613,8 +40053,8 @@ rules: semgrep.dev: rule: rule_id: BYU0EL - version_id: DkT6pkA - url: https://semgrep.dev/playground/r/DkT6pkA/solidity.security.proxy-storage-collision.proxy-storage-collision + version_id: 0bTLe2n + url: https://semgrep.dev/playground/r/0bTLe2n/solidity.security.proxy-storage-collision.proxy-storage-collision origin: community patterns: - pattern-either: @@ -39698,8 +40138,8 @@ rules: semgrep.dev: rule: rule_id: DbU0Qb - version_id: WrTWo84 - url: https://semgrep.dev/playground/r/WrTWo84/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug + version_id: K3TvG71 + url: https://semgrep.dev/playground/r/K3TvG71/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug origin: community patterns: - pattern-inside: | 
@@ -39734,8 +40174,8 @@ rules: semgrep.dev: rule: rule_id: WAUpbw - version_id: 0bTL5ob - url: https://semgrep.dev/playground/r/0bTL5ob/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control + version_id: qkT2BX8 + url: https://semgrep.dev/playground/r/qkT2BX8/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control origin: community patterns: - pattern: function setMultipleAllowances(...) {...} @@ -39766,8 +40206,8 @@ rules: semgrep.dev: rule: rule_id: 0oUbvd - version_id: K3TvboL - url: https://semgrep.dev/playground/r/K3TvboL/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control + version_id: l4T468O + url: https://semgrep.dev/playground/r/l4T468O/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control origin: community patterns: - pattern-either: @@ -39828,8 +40268,8 @@ rules: semgrep.dev: rule: rule_id: KxUqld - version_id: qkT2jO7 - url: https://semgrep.dev/playground/r/qkT2jO7/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection + version_id: YDTpnDb + url: https://semgrep.dev/playground/r/YDTpnDb/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection origin: community patterns: - pattern: "$T.decodeCtx(ctx);" @@ -39862,8 +40302,8 @@ rules: semgrep.dev: rule: rule_id: qNUnN0 - version_id: l4T49Z0 - url: https://semgrep.dev/playground/r/l4T49Z0/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug + version_id: JdTNvLx + url: https://semgrep.dev/playground/r/JdTNvLx/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug origin: community patterns: - pattern-inside: | 
@@ -39911,8 +40351,8 @@ rules: semgrep.dev: rule: rule_id: KxUqoZ - version_id: JdTN6GE - url: https://semgrep.dev/playground/r/JdTN6GE/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults + version_id: A8T9XQ6 + url: https://semgrep.dev/playground/r/A8T9XQ6/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults origin: community languages: - swift @@ -40133,8 +40573,8 @@ rules: semgrep.dev: rule: rule_id: kxU6A8 - version_id: BjTEgn - url: https://semgrep.dev/playground/r/BjTEgn/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version + version_id: d6Trv4N + url: https://semgrep.dev/playground/r/d6Trv4N/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version origin: community languages: - hcl @@ -40180,8 +40620,8 @@ rules: semgrep.dev: rule: rule_id: x8UGBG - version_id: WrTbXD - url: https://semgrep.dev/playground/r/WrTbXD/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention + version_id: nWTxoG1 + url: https://semgrep.dev/playground/r/nWTxoG1/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention origin: community - id: terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted patterns: @@ -40225,8 +40665,8 @@ rules: semgrep.dev: rule: rule_id: v8U4kG - version_id: l4T5KG - url: https://semgrep.dev/playground/r/l4T5KG/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted + version_id: 8KTQyAR + url: https://semgrep.dev/playground/r/8KTQyAR/terraform.aws.security.aws-codebuild-project-unencrypted.aws-codebuild-project-unencrypted origin: community - id: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging patterns: 
@@ -40270,8 +40710,8 @@ rules: semgrep.dev: rule: rule_id: d8U4RA - version_id: JdTqBr - url: https://semgrep.dev/playground/r/JdTqBr/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging + version_id: QkTWwnx + url: https://semgrep.dev/playground/r/QkTWwnx/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging origin: community - id: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted patterns: @@ -40320,8 +40760,8 @@ rules: semgrep.dev: rule: rule_id: nJUGe2 - version_id: BjTEgw - url: https://semgrep.dev/playground/r/BjTEgw/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted + version_id: 5PTdepz + url: https://semgrep.dev/playground/r/5PTdepz/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted origin: community - id: terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk patterns: @@ -40364,8 +40804,8 @@ rules: semgrep.dev: rule: rule_id: EwUqko - version_id: DkTQPO - url: https://semgrep.dev/playground/r/DkTQPO/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk + version_id: GxTv8zA + url: https://semgrep.dev/playground/r/GxTv8zA/terraform.aws.security.aws-ebs-snapshot-encrypted-with-cmk.aws-ebs-snapshot-encrypted-with-cmk origin: community languages: - hcl @@ -40407,8 +40847,8 @@ rules: semgrep.dev: rule: rule_id: 7KUW7K - version_id: WrTbXb - url: https://semgrep.dev/playground/r/WrTbXb/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted + version_id: RGTDRq5 + url: https://semgrep.dev/playground/r/RGTDRq5/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted origin: community - id: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip patterns: 
@@ -40457,8 +40897,8 @@ rules: semgrep.dev: rule: rule_id: 8GUA2n - version_id: qkTNEY - url: https://semgrep.dev/playground/r/qkTNEY/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip + version_id: DkT6Yx8 + url: https://semgrep.dev/playground/r/DkT6Yx8/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip origin: community languages: - hcl @@ -40541,8 +40981,8 @@ rules: semgrep.dev: rule: rule_id: qNUzov - version_id: X0TP1g - url: https://semgrep.dev/playground/r/X0TP1g/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal + version_id: o5Tg9Br + url: https://semgrep.dev/playground/r/o5Tg9Br/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal origin: community languages: - hcl @@ -40589,8 +41029,8 @@ rules: semgrep.dev: rule: rule_id: YGUle7 - version_id: 9lTzvy - url: https://semgrep.dev/playground/r/9lTzvy/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version + version_id: 2KTz377 + url: https://semgrep.dev/playground/r/2KTz377/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version origin: community - id: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled patterns: @@ -40657,8 +41097,8 @@ rules: semgrep.dev: rule: rule_id: 3qU6J7 - version_id: yeTXE2 - url: https://semgrep.dev/playground/r/yeTXE2/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled + version_id: X0TQ25A + url: https://semgrep.dev/playground/r/X0TQ25A/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled origin: community languages: - hcl 
@@ -40717,8 +41157,8 @@ rules: semgrep.dev: rule: rule_id: AbUeYK - version_id: O9Ty9R - url: https://semgrep.dev/playground/r/O9Ty9R/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal + version_id: NdT3oBG + url: https://semgrep.dev/playground/r/NdT3oBG/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal origin: community languages: - hcl @@ -40778,8 +41218,8 @@ rules: semgrep.dev: rule: rule_id: BYUzY5 - version_id: e1TxlA - url: https://semgrep.dev/playground/r/e1TxlA/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin + version_id: kbTdL25 + url: https://semgrep.dev/playground/r/kbTdL25/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin origin: community languages: - hcl @@ -40840,8 +41280,8 @@ rules: semgrep.dev: rule: rule_id: DbUx8l - version_id: vdT2ED - url: https://semgrep.dev/playground/r/vdT2ED/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy + version_id: w8T9DAy + url: https://semgrep.dev/playground/r/w8T9DAy/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy origin: community languages: - hcl @@ -40906,8 +41346,8 @@ rules: semgrep.dev: rule: rule_id: v8UOle - version_id: ZRTw8k - url: https://semgrep.dev/playground/r/ZRTw8k/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version + version_id: O9TNdJ4 + url: https://semgrep.dev/playground/r/O9TNdJ4/terraform.aws.security.aws-insecure-api-gateway-tls-version.aws-insecure-api-gateway-tls-version origin: community - id: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration patterns: 
@@ -40960,8 +41400,8 @@ rules: semgrep.dev: rule: rule_id: 0oUrOj - version_id: nWT7ED - url: https://semgrep.dev/playground/r/nWT7ED/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration + version_id: e1T03Dw + url: https://semgrep.dev/playground/r/e1T03Dw/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration origin: community languages: - hcl @@ -41024,8 +41464,8 @@ rules: semgrep.dev: rule: rule_id: lBUWPD - version_id: 8KTb66 - url: https://semgrep.dev/playground/r/8KTb66/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal + version_id: nWTxoy1 + url: https://semgrep.dev/playground/r/nWTxoy1/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal origin: community languages: - hcl @@ -41092,8 +41532,8 @@ rules: semgrep.dev: rule: rule_id: PeU0L3 - version_id: gETqzj - url: https://semgrep.dev/playground/r/gETqzj/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation + version_id: ExTjArL + url: https://semgrep.dev/playground/r/ExTjArL/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation origin: community - id: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials patterns: @@ -41148,8 +41588,8 @@ rules: semgrep.dev: rule: rule_id: JDU6gj - version_id: zyTKyvK - url: https://semgrep.dev/playground/r/zyTKyvK/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials + version_id: 7ZTgnxG + url: https://semgrep.dev/playground/r/7ZTgnxG/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials origin: community languages: - hcl 
@@ -41206,8 +41646,8 @@ rules: semgrep.dev: rule: rule_id: OrU9Ox - version_id: 44ToBr - url: https://semgrep.dev/playground/r/44ToBr/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn + version_id: 8KTQyGR + url: https://semgrep.dev/playground/r/8KTQyGR/terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn origin: community - id: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials patterns: @@ -41252,8 +41692,8 @@ rules: semgrep.dev: rule: rule_id: d8U4n0 - version_id: pZT1Gvk - url: https://semgrep.dev/playground/r/pZT1Gvk/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + version_id: PkTJdxG + url: https://semgrep.dev/playground/r/PkTJdxG/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials origin: community - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention patterns: @@ -41299,8 +41739,8 @@ rules: semgrep.dev: rule: rule_id: GdUzwQ - version_id: RGTb8l - url: https://semgrep.dev/playground/r/RGTb8l/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention + version_id: 5PTdeyz + url: https://semgrep.dev/playground/r/5PTdeyz/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention origin: community - id: terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal patterns: @@ -41387,8 +41827,8 @@ rules: semgrep.dev: rule: rule_id: PeUl9d - version_id: l4T5b4 - url: https://semgrep.dev/playground/r/l4T5b4/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal + version_id: K3TvGwv + url: https://semgrep.dev/playground/r/K3TvGwv/terraform.aws.security.aws-sqs-queue-policy-wildcard-principal.aws-sqs-queue-policy-wildcard-principal origin: community languages: - hcl 
@@ -41398,9 +41838,8 @@ rules: - pattern-either: - patterns: - pattern: ssl_policy = $ANYTHING - - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" - - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08" - - pattern-not-inside: ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08" + - pattern-not-regex: ELBSecurityPolicy-TLS13-1-[23]-[0-9-]+ + - pattern-not-regex: ELBSecurityPolicy-FS-1-2-[(Res)0-9-]+ - patterns: - pattern: protocol = "HTTP" - pattern-not-inside: | @@ -41433,8 +41872,8 @@ rules: ' message: Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, - set your `ssl_policy` to `"ELBSecurityPolicy-FS-1-2-Res-2019-08"`, or include - a default action to redirect to HTTPS. + set your `ssl_policy` to `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a + default action to redirect to HTTPS. metadata: category: security technology: @@ -41460,8 +41899,8 @@ rules: semgrep.dev: rule: rule_id: 2ZUP9K - version_id: jQTKWr - url: https://semgrep.dev/playground/r/jQTKWr/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version + version_id: A8T9XN3 + url: https://semgrep.dev/playground/r/A8T9XN3/terraform.aws.security.insecure-load-balancer-tls-version.insecure-load-balancer-tls-version origin: community languages: - hcl @@ -41511,8 +41950,8 @@ rules: semgrep.dev: rule: rule_id: 5rUL1P - version_id: 9lTz2y - url: https://semgrep.dev/playground/r/9lTz2y/terraform.aws.security.wildcard-assume-role.wildcard-assume-role + version_id: WrTW3YQ + url: https://semgrep.dev/playground/r/WrTW3YQ/terraform.aws.security.wildcard-assume-role.wildcard-assume-role origin: community languages: - hcl 
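Review bot: The new exclusion `pattern-not-regex: ELBSecurityPolicy-TLS13-1-[23]-[0-9-]+` only accepts a date directly after the minimum-version segment, so any TLS13-1-2 policy whose name carries a suffix before the date (for example a `Res` variant, the same suffix the neighbouring FS regex tries to accommodate) would still be reported as an insecure TLS version even though its `1-2` segment already pins the floor at TLS 1.2 — the rule's message now recommends a TLS13 policy, so the allow-list should cover that family consistently. The FS exclusion `ELBSecurityPolicy-FS-1-2-[(Res)0-9-]+` also looks like a mistyped group: inside a character class `(Res)` denotes the single characters `(`, `R`, `e`, `s` and `)`, so it happens to match `Res-2019-08` but equally accepts any sequence of those characters. I would tighten both to `- pattern-not-regex: ELBSecurityPolicy-TLS13-1-[23]-[A-Za-z0-9-]+` and `- pattern-not-regex: ELBSecurityPolicy-FS-1-2-(Res-)?[0-9-]+`, letting the `1-[23]` / `1-2` segment rather than the trailing date decide the minimum version; whether every suffixed policy AWS publishes really keeps TLS 1.2 as the floor is worth confirming against the current policy list before relying on it. Since the rule is marked `origin: community`, the fix belongs in the upstream rule rather than only in this copy.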
@@ -41575,8 +42014,8 @@ rules: semgrep.dev: rule: rule_id: 0oU23p - version_id: xyT4Ow - url: https://semgrep.dev/playground/r/xyT4Ow/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled + version_id: bZTb9Xr + url: https://semgrep.dev/playground/r/bZTb9Xr/terraform.azure.security.appservice.appservice-authentication-enabled.appservice-authentication-enabled origin: community languages: - hcl @@ -41636,8 +42075,8 @@ rules: semgrep.dev: rule: rule_id: KxU7LJ - version_id: O9TyzR - url: https://semgrep.dev/playground/r/O9TyzR/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 + version_id: NdT3oqP + url: https://semgrep.dev/playground/r/NdT3oqP/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2 origin: community languages: - hcl @@ -41690,8 +42129,8 @@ rules: semgrep.dev: rule: rule_id: qNUXwx - version_id: e1Tx5A - url: https://semgrep.dev/playground/r/e1Tx5A/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only + version_id: kbTdLYJ + url: https://semgrep.dev/playground/r/kbTdLYJ/terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only origin: community languages: - hcl @@ -41743,8 +42182,8 @@ rules: semgrep.dev: rule: rule_id: lBU8D6 - version_id: vdT2gD - url: https://semgrep.dev/playground/r/vdT2gD/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert + version_id: w8T9DKO + url: https://semgrep.dev/playground/r/w8T9DKO/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert origin: community languages: - hcl 
@@ -41784,8 +42223,8 @@ rules: semgrep.dev: rule: rule_id: YGUDbZ - version_id: d6TD1E - url: https://semgrep.dev/playground/r/d6TD1E/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy + version_id: xyTKpq7 + url: https://semgrep.dev/playground/r/xyTKpq7/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy origin: community languages: - hcl @@ -41833,8 +42272,8 @@ rules: semgrep.dev: rule: rule_id: bwU1Eg - version_id: ExTnOP - url: https://semgrep.dev/playground/r/ExTnOP/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled + version_id: vdTY8G6 + url: https://semgrep.dev/playground/r/vdTY8G6/terraform.azure.security.appservice.azure-appservice-detailed-errormessages-enabled.azure-appservice-detailed-errormessages-enabled origin: community languages: - hcl @@ -41879,8 +42318,8 @@ rules: semgrep.dev: rule: rule_id: x8UZRP - version_id: gETqjj - url: https://semgrep.dev/playground/r/gETqjj/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only + version_id: ExTjAg9 + url: https://semgrep.dev/playground/r/ExTjAg9/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only origin: community languages: - hcl @@ -41923,8 +42362,8 @@ rules: semgrep.dev: rule: rule_id: 0oUlgp - version_id: DkTQlG - url: https://semgrep.dev/playground/r/DkTQlG/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date + version_id: GxTv86W + url: https://semgrep.dev/playground/r/GxTv86W/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date origin: community languages: - hcl 
@@ -41969,8 +42408,8 @@ rules: semgrep.dev: rule: rule_id: 6JUJG8 - version_id: qkTN6B - url: https://semgrep.dev/playground/r/qkTN6B/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version + version_id: WrTW3Q2 + url: https://semgrep.dev/playground/r/WrTW3Q2/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version origin: community languages: - hcl @@ -42013,8 +42452,8 @@ rules: semgrep.dev: rule: rule_id: oqUloL - version_id: l4T5kJ - url: https://semgrep.dev/playground/r/l4T5kJ/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled + version_id: 0bTLelY + url: https://semgrep.dev/playground/r/0bTLelY/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled origin: community languages: - hcl @@ -42059,8 +42498,8 @@ rules: semgrep.dev: rule: rule_id: zdU8NN - version_id: YDToWE - url: https://semgrep.dev/playground/r/YDToWE/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version + version_id: K3TvGjD + url: https://semgrep.dev/playground/r/K3TvGjD/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version origin: community languages: - hcl @@ -42102,8 +42541,8 @@ rules: semgrep.dev: rule: rule_id: gxUgXq - version_id: d6TDXg - url: https://semgrep.dev/playground/r/d6TDXg/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires + version_id: vdTY885 + url: https://semgrep.dev/playground/r/vdTY885/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires origin: community languages: - hcl 
@@ -42145,8 +42584,8 @@ rules: semgrep.dev: rule: rule_id: QrUdNy - version_id: ZRTw0A - url: https://semgrep.dev/playground/r/ZRTw0A/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires + version_id: d6Trvvl + url: https://semgrep.dev/playground/r/d6Trvvl/terraform.azure.security.keyvault.keyvault-ensure-secret-expires.keyvault-ensure-secret-expires origin: community languages: - hcl @@ -42195,8 +42634,8 @@ rules: semgrep.dev: rule: rule_id: 3qUjw9 - version_id: nWT7XR - url: https://semgrep.dev/playground/r/nWT7XR/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled + version_id: ZRTQppO + url: https://semgrep.dev/playground/r/ZRTQppO/terraform.azure.security.keyvault.keyvault-purge-enabled.keyvault-purge-enabled origin: community languages: - hcl @@ -42243,8 +42682,8 @@ rules: semgrep.dev: rule: rule_id: pKUpDA - version_id: 8KTbRb - url: https://semgrep.dev/playground/r/8KTbRb/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https + version_id: LjTqAAX + url: https://semgrep.dev/playground/r/LjTqAAX/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https origin: community languages: - hcl @@ -42298,8 +42737,8 @@ rules: semgrep.dev: rule: rule_id: AbUQdL - version_id: QkTJPK - url: https://semgrep.dev/playground/r/QkTJPK/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy + version_id: gET3OOO + url: https://semgrep.dev/playground/r/gET3OOO/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy origin: community languages: - hcl 
@@ -42341,8 +42780,8 @@ rules: semgrep.dev: rule: rule_id: gxUrdg - version_id: DkTQEG - url: https://semgrep.dev/playground/r/DkTQEG/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging + version_id: O9TNdpn + url: https://semgrep.dev/playground/r/O9TNdpn/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging origin: community - id: terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 patterns: @@ -42404,8 +42843,8 @@ rules: semgrep.dev: rule: rule_id: 7KUZZb - version_id: d6TDYg - url: https://semgrep.dev/playground/r/d6TDYg/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 + version_id: l4T46Jb + url: https://semgrep.dev/playground/r/l4T46Jb/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1 origin: community languages: - hcl @@ -42454,8 +42893,8 @@ rules: semgrep.dev: rule: rule_id: v8Uod5 - version_id: o5Tn6q - url: https://semgrep.dev/playground/r/o5Tn6q/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl + version_id: 8KTQyNO + url: https://semgrep.dev/playground/r/8KTQyNO/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl origin: community languages: - hcl @@ -42522,8 +42961,8 @@ rules: semgrep.dev: rule: rule_id: d8U7Ll - version_id: zyT5Ez - url: https://semgrep.dev/playground/r/zyT5Ez/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database + version_id: gET3OPo + url: https://semgrep.dev/playground/r/gET3OPo/terraform.gcp.security.gcp-sql-public-database.gcp-sql-public-database origin: community languages: - hcl 
@@ -42566,8 +43005,8 @@ rules: semgrep.dev: rule: rule_id: WAUZW5 - version_id: NdT171 - url: https://semgrep.dev/playground/r/NdT171/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume + version_id: BjTXpbZ + url: https://semgrep.dev/playground/r/BjTXpbZ/terraform.lang.security.ebs-unencrypted-volume.unencrypted-ebs-volume origin: community - id: terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional languages: @@ -42600,8 +43039,8 @@ rules: semgrep.dev: rule: rule_id: GdU0eA - version_id: kbT71A - url: https://semgrep.dev/playground/r/kbT71A/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional + version_id: DkT6Ykj + url: https://semgrep.dev/playground/r/DkT6Ykj/terraform.lang.security.ec2-imdsv1-optional.ec2-imdsv1-optional origin: community pattern-either: - patterns: @@ -42694,8 +43133,8 @@ rules: semgrep.dev: rule: rule_id: OrUl6W - version_id: gETqQe - url: https://semgrep.dev/playground/r/gETqQe/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code + version_id: jQTgy1R + url: https://semgrep.dev/playground/r/jQTgy1R/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code origin: community - id: terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket pattern: acl = "public-read-write" @@ -42729,8 +43168,8 @@ rules: semgrep.dev: rule: rule_id: 6JUqvn - version_id: PkTYPz - url: https://semgrep.dev/playground/r/PkTYPz/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket + version_id: rxTy4nj + url: https://semgrep.dev/playground/r/rxTy4nj/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket origin: community - id: typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust message: Detected the use of `$TRUST`. This can introduce a Cross-Site-Scripting 
@@ -42766,8 +43205,8 @@ rules: semgrep.dev: rule: rule_id: oqUzgA - version_id: 5PT6gr - url: https://semgrep.dev/playground/r/5PT6gr/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust + version_id: NdT3o6d + url: https://semgrep.dev/playground/r/NdT3o6d/typescript.angular.security.audit.angular-domsanitizer.angular-bypasssecuritytrust origin: community languages: - typescript @@ -42902,8 +43341,8 @@ rules: semgrep.dev: rule: rule_id: bwU8qz - version_id: GxT2dB - url: https://semgrep.dev/playground/r/GxT2dB/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption + version_id: kbTdLWL + url: https://semgrep.dev/playground/r/kbTdLWL/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption origin: community languages: - typescript @@ -42971,8 +43410,8 @@ rules: semgrep.dev: rule: rule_id: NbUN8B - version_id: RGTb4r - url: https://semgrep.dev/playground/r/RGTb4r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl + version_id: w8T9DWR + url: https://semgrep.dev/playground/r/w8T9DWR/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl origin: community languages: - ts @@ -43022,8 +43461,8 @@ rules: semgrep.dev: rule: rule_id: kxUwqO - version_id: A8TRon - url: https://semgrep.dev/playground/r/A8TRon/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue + version_id: xyTKpR8 + url: https://semgrep.dev/playground/r/xyTKpR8/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue origin: community languages: - ts 
@@ -43083,8 +43522,8 @@ rules: semgrep.dev: rule: rule_id: wdUjZK - version_id: BjTE3Q - url: https://semgrep.dev/playground/r/BjTE3Q/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod + version_id: O9TNdQQ + url: https://semgrep.dev/playground/r/O9TNdQQ/typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod origin: community languages: - ts @@ -43135,8 +43574,8 @@ rules: semgrep.dev: rule: rule_id: x8UxXZ - version_id: DkTQrL - url: https://semgrep.dev/playground/r/DkTQrL/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public + version_id: e1T034b + url: https://semgrep.dev/playground/r/e1T034b/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public origin: community languages: - ts @@ -43188,8 +43627,8 @@ rules: semgrep.dev: rule: rule_id: x8UWvK - version_id: jQTglPx - url: https://semgrep.dev/playground/r/jQTglPx/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml + version_id: A8T9XEl + url: https://semgrep.dev/playground/r/A8T9XEl/typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml origin: community languages: - typescript @@ -43344,8 +43783,8 @@ rules: semgrep.dev: rule: rule_id: QrU68w - version_id: bZTGjY - url: https://semgrep.dev/playground/r/bZTGjY/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method + version_id: RGTDRnQ + url: https://semgrep.dev/playground/r/RGTDRnQ/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method origin: community languages: - typescript 
@@ -43497,8 +43936,8 @@ rules: semgrep.dev: rule: rule_id: 3qUBl4 - version_id: 1QTOzG9 - url: https://semgrep.dev/playground/r/1QTOzG9/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property + version_id: A8T9X0z + url: https://semgrep.dev/playground/r/A8T9X0z/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property origin: community languages: - typescript @@ -43663,8 +44102,8 @@ rules: semgrep.dev: rule: rule_id: NbUA3O - version_id: w8T37Q - url: https://semgrep.dev/playground/r/w8T37Q/typescript.react.security.react-insecure-request.react-insecure-request + version_id: DkT6YXK + url: https://semgrep.dev/playground/r/DkT6YXK/typescript.react.security.react-insecure-request.react-insecure-request origin: community languages: - typescript @@ -43732,15 +44171,15 @@ rules: - argo license: Commons Clause License Condition v1.0[LGPL-2.1-only] vulnerability_class: - - Command Injection - Code Injection + - Command Injection source: https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection shortlink: https://sg.run/yqeZ semgrep.dev: rule: rule_id: 10U0zW - version_id: ExTkN4 - url: https://semgrep.dev/playground/r/ExTkN4/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection + version_id: 0bTLegr + url: https://semgrep.dev/playground/r/0bTLegr/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection origin: community severity: ERROR patterns: @@ -43842,8 +44281,8 @@ rules: semgrep.dev: rule: rule_id: DbUW17 - version_id: d6TDGj - url: https://semgrep.dev/playground/r/d6TDGj/yaml.docker-compose.security.privileged-service.privileged-service + version_id: l4T46ox + url: https://semgrep.dev/playground/r/l4T46ox/yaml.docker-compose.security.privileged-service.privileged-service origin: community languages: - yaml 
@@ -43885,8 +44324,8 @@ rules: semgrep.dev: rule: rule_id: EwUQ9x - version_id: 7ZTO9W - url: https://semgrep.dev/playground/r/7ZTO9W/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands + version_id: zyTKDNL + url: https://semgrep.dev/playground/r/zyTKDNL/yaml.github-actions.security.allowed-unsecure-commands.allowed-unsecure-commands origin: community patterns: - pattern-either: @@ -43929,8 +44368,8 @@ rules: semgrep.dev: rule: rule_id: OrUQvK - version_id: 8KTbkv - url: https://semgrep.dev/playground/r/8KTbkv/yaml.github-actions.security.github-script-injection.github-script-injection + version_id: 2KTz355 + url: https://semgrep.dev/playground/r/2KTz355/yaml.github-actions.security.github-script-injection.github-script-injection origin: community patterns: - pattern-inside: 'steps: [...]' @@ -44008,8 +44447,8 @@ rules: semgrep.dev: rule: rule_id: v8UjQj - version_id: QkTJr0 - url: https://semgrep.dev/playground/r/QkTJr0/yaml.github-actions.security.run-shell-injection.run-shell-injection + version_id: jQTgyDN + url: https://semgrep.dev/playground/r/jQTgyDN/yaml.github-actions.security.run-shell-injection.run-shell-injection origin: community patterns: - pattern-inside: 'steps: [...]' @@ -44079,8 +44518,8 @@ rules: semgrep.dev: rule: rule_id: 4bU8E4 - version_id: 3ZTdAr - url: https://semgrep.dev/playground/r/3ZTdAr/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout + version_id: 9lTd5qE + url: https://semgrep.dev/playground/r/9lTd5qE/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout origin: community patterns: - pattern-inside: | 
@@ -44169,8 +44608,8 @@ rules: semgrep.dev: rule: rule_id: WAU5J6 - version_id: 44ToPE - url: https://semgrep.dev/playground/r/44ToPE/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext + version_id: NdT3oG0 + url: https://semgrep.dev/playground/r/NdT3oG0/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext origin: community languages: - yaml @@ -44238,8 +44677,8 @@ rules: semgrep.dev: rule: rule_id: 0oUkqQ - version_id: PkTYrz - url: https://semgrep.dev/playground/r/PkTYrz/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true + version_id: kbTdL3y + url: https://semgrep.dev/playground/r/kbTdL3y/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true origin: community languages: - yaml @@ -44310,8 +44749,8 @@ rules: semgrep.dev: rule: rule_id: 6JUqEO - version_id: JdTqrn - url: https://semgrep.dev/playground/r/JdTqrn/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation + version_id: w8T9DNP + url: https://semgrep.dev/playground/r/w8T9DNP/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation origin: community languages: - yaml @@ -44352,8 +44791,8 @@ rules: semgrep.dev: rule: rule_id: d8Uz6v - version_id: GxT2EB - url: https://semgrep.dev/playground/r/GxT2EB/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath + version_id: O9TNdEz + url: https://semgrep.dev/playground/r/O9TNdEz/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath origin: community languages: - yaml 
@@ -44407,8 +44846,8 @@ rules: semgrep.dev: rule: rule_id: oqUz2p - version_id: DkTQ0L - url: https://semgrep.dev/playground/r/DkTQ0L/yaml.kubernetes.security.privileged-container.privileged-container + version_id: ZRTQpxY + url: https://semgrep.dev/playground/r/ZRTQpxY/yaml.kubernetes.security.privileged-container.privileged-container origin: community languages: - yaml @@ -44451,8 +44890,8 @@ rules: semgrep.dev: rule: rule_id: zdUynw - version_id: YDTo0B - url: https://semgrep.dev/playground/r/YDTo0B/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled + version_id: gET3OEw + url: https://semgrep.dev/playground/r/gET3OEw/yaml.kubernetes.security.seccomp-confinement-disabled.seccomp-confinement-disabled origin: community languages: - yaml @@ -44506,8 +44945,8 @@ rules: semgrep.dev: rule: rule_id: YGUYEb - version_id: JdTqrb - url: https://semgrep.dev/playground/r/JdTqrb/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file + version_id: QkTWwA4 + url: https://semgrep.dev/playground/r/QkTWwA4/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file origin: community languages: - yaml @@ -44544,8 +44983,8 @@ rules: semgrep.dev: rule: rule_id: zdUyWx - version_id: 5PT6DW - url: https://semgrep.dev/playground/r/5PT6DW/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster + version_id: 3ZTkrWd + url: https://semgrep.dev/playground/r/3ZTkrWd/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster origin: community languages: - yaml @@ -44582,8 +45021,8 @@ rules: semgrep.dev: rule: rule_id: pKUGXr - version_id: GxT2E1 - url: https://semgrep.dev/playground/r/GxT2E1/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service + version_id: 44TR653 + url: https://semgrep.dev/playground/r/44TR653/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service origin: community languages: - yaml 
diff --git a/assets/semgrep_rules/generated/oss/audit.yaml b/assets/semgrep_rules/generated/oss/audit.yaml index a1284f8b..b677b0b0 100644 --- a/assets/semgrep_rules/generated/oss/audit.yaml +++ b/assets/semgrep_rules/generated/oss/audit.yaml @@ -74,13 +74,17 @@ rules: - pattern: | free($PTR); ... - free($PTR); + $FREE($PTR); - pattern-not: | free($PTR); ... $PTR = $EXPR; ... free($PTR); + - metavariable-pattern: + metavariable: "$FREE" + pattern: free + - focus-metavariable: "$FREE" - id: raptor-format-string-bugs metadata: author: Marco Ivaldi 
@@ -281,6 +285,64 @@ rules: - pattern: "(unsigned long $UNSIGNED) >= 0" - pattern: "(unsigned long int $UNSIGNED) >= 0" - pattern: "(size_t $UNSIGNED) >= 0" +- id: raptor-incorrect-use-of-free + metadata: + author: Marco Ivaldi + references: + - https://cwe.mitre.org/data/definitions/590 + - https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_spirit.c + confidence: MEDIUM + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/incorrect-use-of-free.yaml + message: The software calls free() on a pointer to memory that has a short lifetime + and was not allocated using associated heap allocation functions such as malloc(), + calloc(), or realloc(). + severity: ERROR + languages: + - c + - cpp + pattern-either: + - patterns: + - pattern: free($PTR) + - pattern-either: + - pattern-inside: | + $TYPE $PTR[$LEN]; + ... + - pattern-inside: | + $TYPE $PTR[$LEN] = $EXPR; + ... + - pattern-inside: | + $TYPE $ARR[$LEN]; + ... + $PTR = $ARR; + ... + - pattern-inside: | + $TYPE $ARR[$LEN] = $EXPR; + ... + $PTR = $ARR; + ... + - patterns: + - pattern: free(&$VAR) + - pattern-either: + - pattern-inside: | + $TYPE $VAR; + ... + - pattern-inside: "$TYPE $VAR = $EXPR;\n... \n" + - pattern-inside: | + $TYPE $VAR[$LEN]; + ... + - pattern-inside: | + $TYPE $VAR[$LEN] = $EXPR; + ... + - pattern-inside: | + $TYPE * $VAR; + ... + - pattern-inside: | + $TYPE * $VAR = $EXPR; + ... - id: raptor-incorrect-use-of-memset metadata: author: Marco Ivaldi 
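Review bot: The `free($PTR)` branch of raptor-incorrect-use-of-free has no exclusion for a reassignment between `$PTR = $ARR;` and the free, so `p = stackbuf; ... p = malloc(n); ... free(p);` is reported although the pointer refers to heap memory by the time it is freed; the `free(&$VAR)` branch is not affected. The double-free hunk just above uses a `$PTR = $EXPR` exclusion for exactly this case, so the two `$PTR = $ARR` alternatives should be wrapped in a `patterns:` with `- pattern-not-inside: | $PTR = $ARR; ... $PTR = $NEW; ... free($PTR);` (a fresh name, since `$EXPR` is already bound by the declaration alternatives). If I read semgrep's range semantics right this would also hide a free that sits between the alias and the reassignment, which seems the lesser evil for a MEDIUM-confidence audit rule, but it is worth a test case either way.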
@@ -341,6 +403,28 @@ rules: - pattern-inside: | $TYPE * $PTR = $EXPR; ... +- id: raptor-incorrect-use-of-sprintf-snprintf + metadata: + author: Marco Ivaldi + references: + - https://linux.die.net/man/3/sprintf + confidence: MEDIUM + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/incorrect-use-of-sprintf-snprintf.yaml + message: C standards specify that the results are undefined if a call to sprintf(), + snprintf(), vsprintf(), or vsnprintf() would cause copying to take place between + objects that overlap (e.g., if the target string array and one of the supplied + input arguments refer to the same buffer). + severity: WARNING + languages: + - c + - cpp + pattern-either: + - pattern: sprintf($DST, ..., $DST, ...) + - pattern: snprintf($DST, $N, ..., $DST, ...) - id: raptor-incorrect-use-of-strncat metadata: author: Marco Ivaldi @@ -372,6 +456,7 @@ rules: $TYPE $DST[$LEN] = $EXPR; ... - pattern: strncat($DST, $SRC, sizeof($DST)) + - pattern: strncat($DST, $SRC, strlen($DST)) - pattern: strncat($DST, $SRC, sizeof($DST) - strlen($DST)) - id: raptor-incorrect-use-of-strncpy-stpncpy-strlcpy metadata: 
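Review bot: The two patterns of raptor-incorrect-use-of-sprintf-snprintf only fire when the destination token itself is passed again, so the common append idiom `sprintf(buf, "%s-%d", buf + len, n)` or `&buf[len]` (same overlap, same undefined behaviour) is not reported; add `- pattern: sprintf($DST, ..., $DST + $OFF, ...)` and `- pattern: sprintf($DST, ..., &$DST[$IDX], ...)` plus the `snprintf($DST, $N, ...)` counterparts. A deep `<... $DST ...>` match would be wider but also flags `strlen($DST)` or `sizeof($DST)` arguments, which are evaluated before the call and are fine. The message names vsprintf()/vsnprintf() as well, but their arguments sit in a va_list that no pattern here can inspect, so it should say that only the sprintf()/snprintf() forms are detected.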
@@ -476,10 +561,11 @@ rules: subcategory: - audit source: https://github.com/0xdea/semgrep-rules/blob/main/c/insecure-api-atoi-atol-atof.yaml - message: The atoi(), atol(), atof(), and similar functions have undefined behavior - if the value of the result cannot be represented. They return 0 (or 0.0) if the - string does not represent an integer (or decimal), which is indistinguishable - from a correctly formatted, zero-denoting input string. + message: The atoi(), atol(), atof(), and similar functions don't handle errors. + They don't check for integer overflow and can return a negative value. They have + undefined behavior if the value of the result cannot be represented. They return + 0 (or 0.0) if the string does not represent an integer (or decimal), which is + indistinguishable from a correctly formatted, zero-denoting input string. severity: INFO languages: - c @@ -591,6 +677,28 @@ rules: - metavariable-regex: metavariable: "$FMT" regex: (".*%l?s.*"|".*%S.*"|[a-zA-Z_][a-zA-Z0-9_]*) +- id: raptor-insecure-api-signal + metadata: + author: Marco Ivaldi + references: + - https://cwe.mitre.org/data/definitions/364 + - https://cwe.mitre.org/data/definitions/479 + - https://cwe.mitre.org/data/definitions/828 + confidence: HIGH + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/insecure-api-signal.yaml + message: The signal() API should be regarded as deprecated. When possible, sigaction() + should be used instead, because it allows to precisely specify the desired behavior + in case two signals arrive shortly after each other thus preventing many race + conditions. + severity: WARNING + languages: + - c + - cpp + pattern: signal(...) - id: raptor-insecure-api-sprintf-vsprintf metadata: author: Marco Ivaldi 
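Review bot: raptor-insecure-api-signal matches every `signal(...)` call at WARNING with HIGH confidence, including `signal(SIGPIPE, SIG_IGN)` and `signal(sig, SIG_DFL)`, which install no handler and have none of the reset/race behaviour the message describes. Turning the rule body into `patterns:` with the existing `- pattern: signal(...)` plus `- pattern-not: signal($SIG, SIG_IGN)` and `- pattern-not: signal($SIG, SIG_DFL)` keeps the finding for real handler installations only. The message could also note that `sigaction()` with `SA_RESTART`/`sa_mask` is what removes the race, so readers do not just rename the call.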
@@ -975,7 +1083,7 @@ rules: - https://cwe.mitre.org/data/definitions/209 - https://cwe.mitre.org/data/definitions/497 - https://github.com/struct/mms - confidence: MEDIUM + confidence: LOW license: MIT category: security subcategory: @@ -1206,6 +1314,30 @@ rules: - pattern-not: 'switch ($VAR) { default: ... } ' +- id: raptor-missing-return + metadata: + author: Marco Ivaldi + references: + - https://cwe.mitre.org/data/definitions/393 + - https://cwe.mitre.org/data/definitions/394 + confidence: LOW + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/missing-return.yaml + message: A non-void function does not have a return statement. Hence, its return + value can be considered undefined. + severity: INFO + languages: + - c + - cpp + patterns: + - pattern: "$TYPE $FUN($ARG, ...) { ... }" + - pattern-not: "$TYPE $FUN(...);" + - pattern-not: "$TYPE $FUN(...) { ... return $RET; }" + - pattern-not: int main(...) { ... } + - pattern-not: void $FUN(...) { ... } - id: raptor-off-by-one metadata: author: Marco Ivaldi @@ -1214,7 +1346,7 @@ rules: - https://cwe.mitre.org/data/definitions/787 - https://g.co/kgs/PCHQjJ - https://github.com/struct/mms - confidence: LOW + confidence: MEDIUM license: MIT category: security subcategory: 
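Review bot: raptor-missing-return's only positive exemption is `$TYPE $FUN(...) { ... return $RET; }`, i.e. a trailing `return`, so a function that ends in `if (c) return a; else return b;`, a `switch` whose every case returns, or a `while (1)` loop is reported even though no path falls off the end. The message asserts a definite defect ("does not have a return statement"); either add exemptions such as `- pattern-not: "$TYPE $FUN(...) { ... if (...) { ... return $A; } else { ... return $B; } }"` or word it as "no trailing return statement was found; check that every path returns a value". `$TYPE $FUN($ARG, ...)` also appears to require at least one parameter, so `int f(void)` / `int f()` may never be examined — worth confirming whether that is intended, and saying so in the message if it is.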
@@ -1222,30 +1354,32 @@ rules: source: https://github.com/0xdea/semgrep-rules/blob/main/c/off-by-one.yaml message: The software calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. - severity: INFO + severity: WARNING languages: - c - cpp pattern-either: - pattern: "$BUF[sizeof($BUF)] = $EXPR" - patterns: - - pattern: "$BUF[$SIZE] = $EXPR" + - pattern: "$BUF[$LEN] = $EXPR" - pattern-inside: | - $TYPE $BUF[$SIZE]; + $TYPE $BUF[$LEN]; ... - $BUF[$SIZE] = $EXPR; + $BUF[$LEN] = $EXPR; - patterns: - - pattern: "*($BUF + $SIZE) = $EXPR\n" + - pattern: "*($BUF + $LEN) = $EXPR\n" - pattern-inside: | - $TYPE $BUF[$SIZE]; - ... - *($BUF + $SIZE) = $EXPR; - - pattern: for (<... $I = $NUM ...>; <... $I <= $SIZE ...>; <... $I++ ...>) ... - - pattern: for (<... $I = $NUM ...>; <... $I <= $SIZE ...>; <... ++$I ...>) ... - - pattern: for ($TYPE $I = $NUM; <... $I <= $SIZE ...>; <... $I++ ...>) ... - - pattern: for ($TYPE $I = $NUM; <... $I <= $SIZE ...>; <... ++$I ...>) ... - - pattern: while (<... $I <= $SIZE ...>) ... - - pattern: do ... while (<... $I <= $SIZE ...>); + $TYPE $BUF[$LEN]; + ... + *($BUF + $LEN) = $EXPR; + - patterns: + - pattern: "$BUF[$X][$Y] = $EXPR" + - pattern-either: + - pattern-inside: | + $TYPE $BUF[$A][$Y]; + ... + $BUF[$X][$Y] = $EXPR; + - pattern-inside: "$TYPE $BUF[$X][$B];\n...\n$BUF[$X][$Y] = $EXPR; \n" - pattern: strlen($SRC) > sizeof($DST) - pattern: strlen($SRC) <= sizeof($DST) - pattern: sizeof($DST) < strlen($SRC) 
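Review bot: The `for`/`while`/`do` patterns with `$I <= $SIZE` were dropped from raptor-off-by-one in the same change that raises it to WARNING, so the textbook `for (i = 0; i <= sizeof(buf); i++) buf[i] = ...` no longer produces any finding from this rule; nothing in the hunk says whether that was for noise. If it was, a narrower form keeps the signal without the generic comparison matches: `- pattern: for ($INIT; <... $I <= sizeof($BUF) ...>; $STEP) { ... $BUF[$I] = $EXPR; ... }` (and the same with `$I <= $LEN`) under the existing `pattern-inside: | $TYPE $BUF[$LEN]; ...`, which only fires when the loop variable indexes an array declared with that bound. The 2D patterns added here are also write-only; a read such as `x = buf[LEN]` is the same out-of-bounds access (CWE-125) and could be matched with `$X = $BUF[$LEN]` under the same `pattern-inside`. The rule's remaining comparison patterns continue past the end of the hunk.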
@@ -1311,6 +1445,45 @@ rules: $TYPE * $PTR2; $TYPE * $PTR3 = $PTR1; ... +- id: raptor-putenv-stack-var + metadata: + author: Marco Ivaldi + references: + - https://cwe.mitre.org/data/definitions/686 + - https://cwe.mitre.org/data/definitions/562 + - https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf + confidence: LOW + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/putenv-stack-var.yaml + message: The software calls putenv() with a variable that has a short lifetime, + such as a pointer to an automatic variable allocated on the stack. The correct + behavior is to call putenv() with a static/global string. + severity: INFO + languages: + - c + - cpp + patterns: + - pattern: putenv($PTR); + - pattern-either: + - pattern-inside: | + $TYPE $PTR[$LEN]; + ... + - pattern-inside: | + $TYPE $PTR[$LEN] = $EXPR; + ... + - pattern-inside: | + $TYPE $ARR[$LEN]; + ... + $PTR = $ARR; + ... + - pattern-inside: | + $TYPE $ARR[$LEN] = $EXPR; + ... + $PTR = $ARR; + ... - id: raptor-ret-stack-address metadata: author: Marco Ivaldi @@ -1337,18 +1510,18 @@ rules: - pattern: return $PTR; - pattern-either: - pattern-inside: | - $TYPE $PTR[$SIZE]; + $TYPE $PTR[$LEN]; ... - pattern-inside: | - $TYPE $PTR[$SIZE] = $EXPR; + $TYPE $PTR[$LEN] = $EXPR; ... - pattern-inside: | - $TYPE $ARR[$SIZE]; + $TYPE $ARR[$LEN]; ... $PTR = $ARR; ... - pattern-inside: | - $TYPE $ARR[$SIZE] = $EXPR; + $TYPE $ARR[$LEN] = $EXPR; ... $PTR = $ARR; ... @@ -1361,6 +1534,18 @@ rules: - pattern-inside: | $TYPE $VAR = $EXPR; ... + - pattern-inside: | + $TYPE $VAR[$LEN]; + ... + - pattern-inside: | + $TYPE $VAR[$LEN] = $EXPR; + ... + - pattern-inside: | + $TYPE * $VAR; + ... + - pattern-inside: | + $TYPE * $VAR = $EXPR; + ... - id: raptor-signed-unsigned-conversion metadata: author: Marco Ivaldi 
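Review bot: The message of raptor-putenv-stack-var says the correct behaviour is to pass a static/global string, which is narrower than the actual contract: putenv(3) stores the caller's pointer, so any storage that outlives the environment entry (a never-freed heap string) is fine too, and `setenv(3)` copies its arguments and is usually the simplest fix. Suggested wording: "putenv() stores the pointer itself, so the string must outlive the environment entry; use a static/global or never-freed heap string, or setenv(), which copies." As in the free() rule above, the `$PTR = $ARR;` aliases have no exclusion for a later `$PTR = strdup(...)`, so a re-pointed variable is still reported. The `return &$VAR` extension in the next hunk belongs to a rule whose header is outside the visible lines.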
@@ -1444,7 +1629,7 @@ rules: - pattern: read($FD, $BUF, (int $LEN)) - pattern: recv($SD, $BUF, (int $LEN), $FL) - pattern: recvfrom($SD, $BUF, (int $LEN), $FL, ...) - - pattern: fread($PTR, (int $SIZE), $NITEMS, $FS) + - pattern: fread($PTR, (int $LEN), $NITEMS, $FS) - pattern: "(int $SIGNED) = <... (unsigned int $UNSIGNED) ...>" - pattern: | int $FUN(...) @@ -1494,14 +1679,10 @@ rules: - cpp patterns: - pattern-either: - - pattern: "$ASSERT(<... $A < $B ...>)" - - pattern: "$ASSERT(<... $A < $B ...>, ...)" - - pattern: "$ASSERT(<... $A <= $B ...>)" - - pattern: "$ASSERT(<... $A <= $B ...>, ...)" - - pattern: "$ASSERT(<... $A > $B ...>)" - - pattern: "$ASSERT(<... $A > $B ...>, ...)" - - pattern: "$ASSERT(<... $A >= $B ...>)" - - pattern: "$ASSERT(<... $A >= $B ...>, ...)" + - pattern: "$ASSERT(..., <... $A < $B ...>, ...)" + - pattern: "$ASSERT(..., <... $A <= $B ...>, ...)" + - pattern: "$ASSERT(..., <... $A > $B ...>, ...)" + - pattern: "$ASSERT(..., <... $A >= $B ...>, ...)" - metavariable-regex: metavariable: "$ASSERT" regex: "(?i)^\\w*assert\\w*\\s*$" @@ -1530,7 +1711,10 @@ rules: - cpp pattern-either: - pattern: for ($EXPR1 == $EXPR2; $EXPR3; $EXPR4) ... - - pattern: "$EXPR1 == $EXPR2;" + - patterns: + - pattern: "$EXPR1 == $EXPR2;" + - pattern-not-inside: return $EXPR; + - pattern-not-inside: assert(...); - patterns: - pattern: if (<... $EXPR1 = $EXPR2 ...>) ... - pattern-not-inside: if (<... ($EXPR1 = $EXPR2) == $EXPR ...>) ... 
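Review bot: The new `- pattern-not-inside: assert(...)` on the `$EXPR1 == $EXPR2;` branch exempts only the literal `assert`, while the assertion rule a few lines up deliberately matches any macro via `(?i)^\w*assert\w*\s*$`; `ASSERT(x == y);`, `g_assert(x == y);` or `CU_ASSERT(x == y);` will therefore still be reported as a no-op comparison. Replace it with `- pattern-not-inside: $ASSERT(...)` constrained by the same `metavariable-regex` (nested under a `patterns:` if this semgrep version accepts operators inside `pattern-not-inside`), or at least list the assertion macros the codebase uses. The two exclusions are added without a test line in the hunk, so a case like `ASSERT(a == b);` would be a good regression fixture.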
@@ -1564,18 +1748,19 @@ rules: - pattern: "($EXPR <= $EXPR)" - pattern: "($EXPR > $EXPR)" - pattern: "($EXPR >= $EXPR)" - - pattern-either: - - pattern: "(char * $PTR) = '\\0'" - - pattern: "(char * $PTR) == '\\0'" - - pattern: "(char * $PTR) != '\\0'" + - pattern: "(char * $PTR) = '\\0'" + - pattern: "(char * $PTR) == '\\0'" + - pattern: "(char * $PTR) != '\\0'" + - pattern: if (<... strcpy(...) ...>) ... + - pattern: if (<... strncpy(...) ...>) ... - pattern: if ($COND); - pattern: for ($EXPR1; $EXPR2; $EXPR3); - patterns: - pattern-either: - - pattern: "$TYPE $ARR[$SIZE];" - - pattern: "$TYPE $ARR[$SIZE] = $EXPR;" + - pattern: "$TYPE $ARR[$LEN];" + - pattern: "$TYPE $ARR[$LEN] = $EXPR;" - metavariable-regex: - metavariable: "$SIZE" + metavariable: "$LEN" regex: "^0.*" - id: raptor-unchecked-ret-malloc-calloc-realloc metadata: 
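Review bot: The zero-length-array check at the end of this hunk keeps `regex: "^0.*"` on `$LEN`, which also matches hex and octal sizes, so `char buf[0x100];` or `[0400]` is reported as a suspicious zero-sized array; `regex: "^0+[uUlL]*$"` matches only a genuine zero. The new `if (<... strcpy(...) ...>)` / `strncpy` conditions are always true because both return the destination, but the same holds for `strcat`, `strncat`, `memcpy`, `memmove`, `memset` and `stpcpy`, which could share one `if (<... $FUN(...) ...>) ...` pattern with a `metavariable-pattern` on `$FUN`. The rule's id and header are above the visible hunk.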
@@ -1668,6 +1853,49 @@ rules: - pattern-not-inside: "<... $ALLOC == NULL ...>" - pattern-not-inside: "<... $ALLOC != NULL ...>" - pattern-not-inside: "<... !$ALLOC ...>" +- id: raptor-unchecked-ret-scanf-etc + metadata: + author: Marco Ivaldi + references: + - https://cwe.mitre.org/data/definitions/252 + - https://codeql.github.com/codeql-query-help/cpp/cpp-missing-check-scanf/ + confidence: MEDIUM + license: MIT + category: security + subcategory: + - audit + source: https://github.com/0xdea/semgrep-rules/blob/main/c/unchecked-ret-scanf-etc.yaml + message: The software does not check the return value from a method or function, + which can prevent it from detecting unexpected states and conditions. + severity: WARNING + languages: + - c + - cpp + patterns: + - pattern: "$FUN(...)" + - metavariable-pattern: + metavariable: "$FUN" + pattern-either: + - pattern: scanf + - pattern: vscanf + - pattern: fscanf + - pattern: vfscanf + - pattern: sscanf + - pattern: vsscanf + - pattern: wscanf + - pattern: vwscanf + - pattern: fwscanf + - pattern: vfwscanf + - pattern: swscanf + - pattern: vswscanf + - pattern-not-inside: "$RET = $FUN(...)" + - pattern-not-inside: "<... $FUN(...) == $VAL ...>" + - pattern-not-inside: "<... $FUN(...) != $VAL ...>" + - pattern-not-inside: "<... $FUN(...) < $VAL ...>" + - pattern-not-inside: "<... $FUN(...) <= $VAL ...>" + - pattern-not-inside: "<... $FUN(...) > $VAL ...>" + - pattern-not-inside: "<... $FUN(...) >= $VAL ...>" + - pattern-not-inside: return $FUN(...); - id: raptor-unchecked-ret-setuid-seteuid metadata: author: Marco Ivaldi 
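Review bot: raptor-unchecked-ret-scanf-etc's exclusions cover assignment and bare comparisons, but not the other ways a result is consumed, so `if (!sscanf(...))`, `if (sscanf(...))`, `check(sscanf(...))` and the explicit `(void)scanf(...)` discard are all reported as unchecked. Add `- pattern-not-inside: "<... !$FUN(...) ...>"`, `- pattern-not-inside: if (<... $FUN(...) ...>) ...` and `- pattern-not-inside: "$G(..., <... $FUN(...) ...>, ...)"`; a `(void)` cast is a deliberate discard and can either stay reported or get its own `pattern-not-inside: "(void)$FUN(...)"`. Whether `$RET = $FUN(...)` also covers the declaration form `int n = sscanf(...)` depends on semgrep's C assignment normalisation and deserves a fixture.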
@@ -1896,66 +2124,26 @@ rules: languages: - c - cpp - pattern-either: - - patterns: - - pattern: | - free($PTR); - ... - $FUN(..., $PTR, ...); - - pattern-not: | - free($PTR); - ... - $PTR = $EXPR; - ... - $FUN(..., $PTR, ...); - - metavariable-pattern: - metavariable: "$FUN" - patterns: - - pattern-not: free - - patterns: - - pattern: | - free($PTR); - ... - $FUN(..., $PTR->$MEM, ...); - - pattern-not: | - free($PTR); - ... - $PTR = $EXPR; - ... - $FUN(..., $PTR->$MEM, ...); - - patterns: - - pattern: | - free($PTR); - ... - $PTR->$FUN(...); - - pattern-not: | - free($PTR); - ... - $PTR = $EXPR; - ... - $PTR->$FUN(...); - - patterns: - - pattern: | - free($PTR); - ... - return $PTR; - - pattern-not: | - free($PTR); - ... - $PTR = $EXPR; - ... - return $PTR; - - patterns: - - pattern: | - free($PTR); - ... - return $PTR[$POS]; - - pattern-not: | - free($PTR); - ... - $PTR = $EXPR; - ... - return $PTR; + patterns: + - pattern-either: + - pattern: "$PTR->$MEM" + - pattern: "(*$PTR).$MEM" + - pattern: "$PTR[$POS]" + - pattern: return $PTR; + - pattern: return *$PTR; + - patterns: + - pattern-either: + - pattern: "$FUN(..., <... $PTR ...>, ...)" + - pattern: "$FUN(..., <... $PTR->$MEM ...>, ...)" + - pattern: "$FUN(..., <... (*$PTR).$MEM ...>, ...)" + - pattern: "$FUN(..., <... $PTR[$POS] ...>, ...)" + - pattern: "$PTR->$FUN(...)" + - metavariable-pattern: + metavariable: "$FUN" + patterns: + - pattern-not: free + - pattern-inside: free($PTR); ... + - pattern-not-inside: "free($PTR);\n...\n$PTR = $EXPR; \n...\n" - id: raptor-write-into-stack-buffer metadata: author: Marco Ivaldi @@ -1978,7 +2166,7 @@ rules: - patterns: - pattern: "$FUN($BUF, ...)" - pattern-inside: | - $TYPE $BUF[$SIZE]; + $TYPE $BUF[$LEN]; ... $FUN($BUF, ...); - pattern-not: $FUN($BUF, "...", ...) @@ -2011,7 +2199,7 @@ rules: - patterns: - pattern: "$FUN($BUF, $FMT, ...)" - pattern-inside: | - $TYPE $BUF[$SIZE]; + $TYPE $BUF[$LEN]; ... $FUN($BUF, $FMT, ...); - metavariable-regex: 
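Review bot: The rewritten use-after-free check excludes a use whenever the pointer is reassigned anywhere after the free, not only before the use: `- pattern-not-inside: "free($PTR);\n...\n$PTR = $EXPR; \n...\n"` spans from the free to the end of the enclosing block, so in `free(p); p->x = 1; p = malloc(n);` the `p->x` write falls inside the excluded range and is no longer reported, whereas the removed `pattern`/`pattern-not` pairs only suppressed uses that came after the reassignment. If semgrep's range semantics are as I read them, the suppression has to stay anchored to the use — one range-matched `pattern` with a matching `pattern-not` per use shape — which can still keep the new `<... $PTR ...>` argument forms; a `focus-metavariable` on the use keeps the reported span compact. The rule header and `languages` above this hunk are outside the visible lines.

```yaml
  patterns:
    - pattern-either:
        - patterns:
            - pattern: |
                free($PTR);
                ...
                $FUN(..., <... $PTR ...>, ...);
            - pattern-not: |
                free($PTR);
                ...
                $PTR = $NEW;
                ...
                $FUN(..., <... $PTR ...>, ...);
            - metavariable-pattern:
                metavariable: "$FUN"
                patterns:
                  - pattern-not: free
        # … repeat the pattern/pattern-not pair for $PTR->$MEM, (*$PTR).$MEM, $PTR[$POS], return $PTR; …
```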
@@ -2023,9 +2211,9 @@ rules:
 - pattern: sprintf
 - pattern: vsprintf
 - patterns:
- - pattern: "$FUN($BUF, $LEN, $FMT, ...)"
+ - pattern: "$FUN($BUF, $N, $FMT, ...)"
 - pattern-inside: |
- $TYPE $BUF[$SIZE];
+ $TYPE $BUF[$LEN];
 ...
 $FUN($BUF, $LEN, $FMT, ...);
 - metavariable-regex:
@@ -2039,7 +2227,7 @@ rules:
 - patterns:
 - pattern: "$FUN($BUF, ...)"
 - pattern-inside: |
- $TYPE $BUF[$SIZE];
+ $TYPE $BUF[$LEN];
 ...
 $FUN($BUF, ...);
 - metavariable-pattern:
@@ -2053,7 +2241,7 @@ rules:
 - patterns:
 - pattern: "$FUN($ARG1, $BUF, ...)"
 - pattern-inside: |
- $TYPE $BUF[$SIZE];
+ $TYPE $BUF[$LEN];
 ...
 $FUN($ARG1, $BUF, ...);
 - pattern-not: $FUN("...", $BUF, ...)
@@ -2064,7 +2252,7 @@ rules:
 - patterns:
 - pattern: "$FUN($ARG1, $BUF, ...)"
 - pattern-inside: |
- $TYPE $BUF[$SIZE];
+ $TYPE $BUF[$LEN];
 ...
 $FUN($ARG1, $BUF, ...);
 - metavariable-pattern:
@@ -2101,22 +2289,32 @@ rules:
 semgrep.dev:
 rule:
 rule_id: kxU6Xb
- version_id: gET3W1b
- url: https://semgrep.dev/playground/r/gET3W1b/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable
+ version_id: DkT6Gbr
+ url: https://semgrep.dev/playground/r/DkT6Gbr/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable
 origin: community
 patterns:
- - pattern-either:
- - pattern: |
- $X, err = ...
- if err != nil {
- <... $X ...>
- }
- - pattern: |
- $X, err := ...
- if err != nil {
- ...
- <... $X.$Y ...>
- }
+ - pattern: |
+ ..., $X, ..., $ERR = ...
+ if $ERR != nil {
+ ...
+ <... $X.$Y ...>
+ }
+ - pattern-not: |
+ ..., $X, ..., $ERR = ...
+ if $ERR != nil {
+ ...
+ $X, ... = ...
+ ...
+ <... $X.$Y ...>
+ }
+ - pattern-not: |
+ ..., $X, ..., $ERR = ...
+ if $ERR != nil {
+ ...
+ $X = ...
+ ...
+ <... $X.$Y ...>
+ }
 - id: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map
 message: Iteration over a possibly empty map `$C`. This is likely a bug or redundant code
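Review bot: In the `@@ -2023` hunk the call pattern is renamed to `$FUN($BUF, $N, $FMT, ...)` but the `pattern-inside` still reads `$FUN($BUF, $LEN, $FMT, ...);`, and since `$LEN` is now bound to the array size in `$TYPE $BUF[$LEN];`, the `pattern-inside` only matches when the length argument is literally the declared size — the mismatched case (`char buf[64]; snprintf(buf, 128, ...)`) no longer matches at all. If the rename was meant to reserve `$LEN` for the declared size and `$N` for the argument, the `pattern-inside` line should be `$FUN($BUF, $N, $FMT, ...);`; if tying the two is intended, the `pattern` line should keep `$LEN` and a comment should say so. The enclosing rule and whatever follows `- metavariable-regex:` lie outside the hunk, so this is inferred from the visible lines.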
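Review bot: In the `@@ -2101` hunk the two `pattern-not` exclusions are narrower than the main pattern: the main pattern binds `$X` at any position of the tuple (`..., $X, ..., $ERR = ...`) but the exclusions only recognise a reassignment where `$X` is first (`$X, ... = ...`) or alone (`$X = ...`), so `n, $X = g()` inside the error branch is not excluded and the later use is still reported. Writing the first exclusion as `..., $X, ... = ...`, mirroring the main pattern, covers both forms. The rewrite also drops the former `$X, err := ...` branch; whether the `=` pattern still matches Go's short variable declaration depends on Semgrep's Go matcher, so a `:=` case in the rule's test file would confirm it is not a regression.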
diff --git a/assets/semgrep_rules/generated/oss/others.yaml b/assets/semgrep_rules/generated/oss/others.yaml
index 125b8a96..319cb6b5 100644
--- a/assets/semgrep_rules/generated/oss/others.yaml
+++ b/assets/semgrep_rules/generated/oss/others.yaml
@@ -1,103 +1,5 @@ --- rules: -- id: gitlab.bandit.B105 - languages: - - python - message: 'Possible hardcoded password - - ' - metadata: - cwe: CWE-259 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Use of Hard-coded Password - primary_identifier: bandit.B105 - secondary_identifiers: - - name: Bandit Test ID B105 - type: bandit_test_id - value: B105 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B105 - shortlink: https://sg.run/kL4A - semgrep.dev: - rule: - rule_id: 6JUqKb - version_id: ExTj4xk - url: https://semgrep.dev/playground/r/ExTj4xk/gitlab.bandit.B105 - origin: community - patterns: - - pattern-either: - - pattern: $MASK == "..." - - pattern: $MASK = "..." - - pattern: "$X[$MASK] = ..." - - metavariable-regex: - metavariable: "$MASK" - regex: "[^\\[]*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|pass|passwd|pwd|secret|token|secrete)[^\\]]*" - severity: WARNING -- id: gitlab.bandit.B106 - languages: - - python - message: 'Possible hardcoded password - - ' - metadata: - cwe: CWE-259 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Use of Hard-coded Password - primary_identifier: bandit.B106 - secondary_identifiers: - - name: Bandit Test ID B106 - type: bandit_test_id - value: B106 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B106 - shortlink: https://sg.run/wxqd - semgrep.dev: - rule: - rule_id: oqUzxg - version_id: nWTxYL7 - url: https://semgrep.dev/playground/r/nWTxYL7/gitlab.bandit.B106 - origin: community - patterns: - - pattern: $FUNC(..., $PW="...", ...) - - metavariable-regex: - metavariable: "$PW" - regex: ".*([Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|pass|passwd|pwd|secret|token|secrete).*" - severity: WARNING -- id: gitlab.bandit.B107 - languages: - - python - message: | - Hardcoded password is used as a default argument to `$FUNC`. This could be dangerous if a real - password is not supplied. 
- metadata: - cwe: CWE-259 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Use of Hard-coded Password - primary_identifier: bandit.B107 - secondary_identifiers: - - name: Bandit Test ID B107 - type: bandit_test_id - value: B107 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B107 - shortlink: https://sg.run/xYly - semgrep.dev: - rule: - rule_id: zdUyRj - version_id: ZRTQqAL - url: https://semgrep.dev/playground/r/ZRTQqAL/gitlab.bandit.B107 - origin: community - patterns: - - pattern: | - def $FUNC(..., password="...", ...): - ... - severity: WARNING - id: gitlab.bandit.B108-1 pattern: open("=~/^\/tmp.*/", ...) message: 'Detected hardcoded temp directory. Consider using ''tempfile.TemporaryFile'' 
@@ -118,315 +20,6 @@ rules: severity: WARNING languages: - python -- id: gitlab.bandit.B108-2 - languages: - - python - message: 'Probable insecure usage of temp file/directory. - - ' - metadata: - cwe: CWE-377 - shortDescription: Insecure Temporary File - primary_identifier: bandit.B108-2 - secondary_identifiers: - - name: Bandit Test ID B108 - type: bandit_test_id - value: B108 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B108-2 - shortlink: https://sg.run/O1Yk - semgrep.dev: - rule: - rule_id: pKUGl6 - version_id: LjTq43N - url: https://semgrep.dev/playground/r/LjTq43N/gitlab.bandit.B108-2 - origin: community - patterns: - - pattern: open($DIR, ...) - - metavariable-regex: - metavariable: "$DIR" - regex: '[''"](/tmp|/var/tmp|/dev/shm).*[''"]' - severity: WARNING -- id: gitlab.bandit.B110 - languages: - - python - message: 'Try, Except, Pass - - ' - metadata: - cwe: CWE-703 - shortDescription: Improper Check or Handling of Exceptional Conditions - primary_identifier: bandit.B110 - secondary_identifiers: - - name: Bandit Test ID B110 - type: bandit_test_id - value: B110 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B110 - shortlink: https://sg.run/e4nL - semgrep.dev: - rule: - rule_id: 2ZU40b - version_id: O9TNGxx - url: https://semgrep.dev/playground/r/O9TNGxx/gitlab.bandit.B110 - origin: community - pattern-either: - - pattern: | - try: ... - except $EXCEPTION: pass - - pattern: | - try: ... - except $EXCEPTION as $X: pass - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: pass - - pattern: | - try: ... - except $EXCEPTION: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: pass - - pattern: | - try: ... - except $EXCEPTION as $X: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION: pass - - pattern: | - try: ... - except $EXCEPTION: pass - except ... 
: ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: pass - - pattern: | - try: ... - except $EXCEPTION as $X: pass - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION: pass - - pattern: | - try: ... - except $EXCEPTION: pass - except ... : ... - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: pass - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION: pass - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: pass - - pattern: | - try: ... - except $EXCEPTION as $X: pass - except ... : ... - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: pass - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: pass - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... 
- except $EXCEPTION as $X: pass - severity: INFO -- id: gitlab.bandit.B112 - languages: - - python - message: 'Try, Except, Continue - - ' - metadata: - cwe: CWE-703 - shortDescription: Improper Check or Handling of Exceptional Conditions - primary_identifier: bandit.B112 - secondary_identifiers: - - name: Bandit Test ID B112 - type: bandit_test_id - value: B112 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B112 - shortlink: https://sg.run/v0K0 - semgrep.dev: - rule: - rule_id: X5UZ3Z - version_id: xyTKWzr - url: https://semgrep.dev/playground/r/xyTKWzr/gitlab.bandit.B112 - origin: community - pattern-either: - - pattern: | - try: ... - except $EXCEPTION: continue - - pattern: | - try: ... - except $EXCEPTION as $X: continue - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: continue - - pattern: | - try: ... - except $EXCEPTION: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: continue - - pattern: | - try: ... - except $EXCEPTION as $X: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION: continue - - pattern: | - try: ... - except $EXCEPTION: continue - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: continue - - pattern: | - try: ... - except $EXCEPTION as $X: continue - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION: continue - - pattern: | - try: ... - except $EXCEPTION: continue - except ... : ... - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION: continue - except ... : ... 
- except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION: continue - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: continue - - pattern: | - try: ... - except $EXCEPTION as $X: continue - except ... : ... - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except $EXCEPTION as $X: continue - except ... : ... - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: continue - except ... : ... - - pattern: | - try: ... - except ... : ... - except ... : ... - except ... : ... - except $EXCEPTION as $X: continue - severity: INFO - id: gitlab.bandit.B202 languages: - python 
@@ -822,40 +415,6 @@ rules: severity: WARNING languages: - python -- id: gitlab.bandit.B309 - languages: - - python - message: | - The HTTPSConnection API has changed frequently with minor releases of Python.Ensure you are - using the API for your version of Python securely. For example, Python 3 versions prior to - 3.4.3 - will not verify SSL certificates by default. - metadata: - cwe: CWE-295 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Improper Certificate Validation - primary_identifier: bandit.B309 - secondary_identifiers: - - name: Bandit Test ID B309 - type: bandit_test_id - value: B309 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B309 - shortlink: https://sg.run/GWA6 - semgrep.dev: - rule: - rule_id: ZqUqEy - version_id: d6Trzxk - url: https://semgrep.dev/playground/r/d6Trzxk/gitlab.bandit.B309 - origin: community - patterns: - - pattern-either: - - pattern: httplib.HTTPSConnection(...) - - pattern: http.client.HTTPSConnection(...) - - pattern: six.moves.http_client.HTTPSConnection(...) - severity: WARNING - id: gitlab.bandit.B310-1 languages: - python 
@@ -924,78 +483,6 @@ rules: - pattern: "$OPENER.open(...)" - pattern: "$OPENER.retrieve(...)" severity: WARNING -- id: gitlab.bandit.B310-2 - languages: - - python - message: | - Detected a dynamic value being used with urllib. urllib supports `file://` schemes, so a - dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit - uses of urllib calls to ensure user data cannot control the URLs, or consider using the - `requests` library instead. - metadata: - cwe: CWE-939 - owasp: A5:2017-Broken Access Control - shortDescription: Improper Authorization in Handler for Custom URL Scheme - primary_identifier: bandit.B310-2 - secondary_identifiers: - - name: Bandit Test ID B310 - type: bandit_test_id - value: B310 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B310-2 - shortlink: https://sg.run/Al4B - semgrep.dev: - rule: - rule_id: EwU4kb - version_id: gET3WD6 - url: https://semgrep.dev/playground/r/gET3WD6/gitlab.bandit.B310-2 - origin: community - pattern-either: - - pattern: urllib.urlopen(...) - - pattern: urllib2.urlopen(...) - - pattern: urllib2.Request(...) - - pattern: urllib.Request(...) - - pattern: urllib.URLopener(...) - - pattern: urllib.FancyURLopener(...) - - pattern: urllib.request.FancyURLopener(...) - - pattern: urllib.request.urlopen(...) - - pattern: urllib.request.URLopener(...) - - pattern: urllib.request.urlretrieve(...) - - pattern: six.moves.urllib.request.urlopen(...) - - pattern: six.moves.urllib.request.urlretrieve(...) - - pattern: six.moves.urllib.request.URLopener(...) - - pattern: six.moves.urllib.request.FancyURLopener(...) - severity: WARNING -- id: gitlab.bandit.B312 - languages: - - python - message: 'Telnet does not encrypt communications. Use SSH instead. 
- - ' - metadata: - cwe: CWE-319 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Cleartext Transmission of Sensitive Information - primary_identifier: bandit.B312 - secondary_identifiers: - - name: Bandit Test ID B312 - type: bandit_test_id - value: B312 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B312 - shortlink: https://sg.run/Gwwp - semgrep.dev: - rule: - rule_id: eqUpp1 - version_id: 7ZTge3N - url: https://semgrep.dev/playground/r/7ZTge3N/gitlab.bandit.B312 - origin: community - pattern: telnetlib.$ANYTHING(...) - severity: WARNING - id: gitlab.bandit.B313.B314.B315.B316.B318.B319.B320.B405.B406.B407.B408.B409.B410 pattern-either: - pattern: import xml 
@@ -1039,99 +526,6 @@ rules: severity: ERROR languages: - python -- id: gitlab.bandit.B325 - languages: - - python - message: 'The Python `os` `tempnam|tmpnam` functions are vulnerable to symlink attacks - - ' - metadata: - cwe: CWE-377 - shortDescription: Insecure Temporary File - primary_identifier: bandit.B325 - secondary_identifiers: - - name: Bandit Test ID B325 - type: bandit_test_id - value: B325 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B325 - shortlink: https://sg.run/DwwY - semgrep.dev: - rule: - rule_id: nJUrrQ - version_id: 8KTQEZQ - url: https://semgrep.dev/playground/r/8KTQEZQ/gitlab.bandit.B325 - origin: community - pattern-either: - - pattern: os.tempnam(...) - - pattern: os.tmpnam(...) - severity: WARNING -- id: gitlab.bandit.B402 - languages: - - python - message: | - functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP orsome other encrypted - protocol - metadata: - cwe: CWE-319 - owasp: A3:2017-Sensitive Data Exposure - shortDescription: Cleartext Transmission of Sensitive Information - primary_identifier: bandit.B402 - secondary_identifiers: - - name: Bandit Test ID B402 - type: bandit_test_id - value: B402 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B402 - shortlink: https://sg.run/KW0n - semgrep.dev: - rule: - rule_id: QrU6yY - version_id: vdTY56P - url: https://semgrep.dev/playground/r/vdTY56P/gitlab.bandit.B402 - origin: community - patterns: - - pattern-either: - - pattern: import ftplib - - pattern: from ftplib import FTP - - pattern: ftplib.FTP(...) - severity: ERROR -- id: gitlab.bandit.B403 - languages: - - python - message: 'Consider possible security implications associated with pickle module. 
- - ' - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B403 - secondary_identifiers: - - name: Bandit Test ID B403 - type: bandit_test_id - value: B403 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B403 - shortlink: https://sg.run/qrAO - semgrep.dev: - rule: - rule_id: 3qUBJZ - version_id: JdTNPjL - url: https://semgrep.dev/playground/r/JdTNPjL/gitlab.bandit.B403 - origin: community - patterns: - - pattern-either: - - pattern: import pickle - - pattern: import cPickle - - pattern: import dill - severity: INFO - id: gitlab.bandit.B404 languages: - python 
@@ -1162,250 +556,6 @@ rules: patterns: - pattern: import subprocess severity: WARNING -- id: gitlab.bandit.B405 - languages: - - python - message: 'Consider possible security implications associated with etree module. - - ' - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B405 - secondary_identifiers: - - name: Bandit Test ID B405 - type: bandit_test_id - value: B405 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B405 - shortlink: https://sg.run/G6Yp - semgrep.dev: - rule: - rule_id: 5rUYqA - version_id: QkTW6O7 - url: https://semgrep.dev/playground/r/QkTW6O7/gitlab.bandit.B405 - origin: community - patterns: - - pattern-either: - - pattern: import xml.etree.cElementTree - - pattern: import xml.etree.ElementTree - severity: INFO -- id: gitlab.bandit.B406 - languages: - - python - message: | - Using various methods to parse untrusted XML data is known to be vulnerable to - XML attacks. Replace vulnerable imports with the equivalent defusedxml package, - or make sure defusedxml.defuse_stdlib() is called. - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B406 - secondary_identifiers: - - name: Bandit Test ID B406 - type: bandit_test_id - value: B406 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B406 - shortlink: https://sg.run/RALO - semgrep.dev: - rule: - rule_id: GdUWq8 - version_id: GxTv0RD - url: https://semgrep.dev/playground/r/GxTv0RD/gitlab.bandit.B406 - origin: community - patterns: - - pattern-either: - - pattern: import xml.sax - severity: INFO -- id: gitlab.bandit.B407 - languages: - - python - message: | - Using various methods to parse untrusted XML data is known to be vulnerable to - XML attacks. 
Replace vulnerable imports with the equivalent defusedxml package, - or make sure defusedxml.defuse_stdlib() is called. - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B407 - secondary_identifiers: - - name: Bandit Test ID B407 - type: bandit_test_id - value: B407 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B407 - shortlink: https://sg.run/AWDp - semgrep.dev: - rule: - rule_id: ReUwp0 - version_id: 3ZTkB1P - url: https://semgrep.dev/playground/r/3ZTkB1P/gitlab.bandit.B407 - origin: community - patterns: - - pattern-either: - - pattern: import xml.dom.expatbuilder - severity: INFO -- id: gitlab.bandit.B408 - languages: - - python - message: | - Using various methods to parse untrusted XML data is known to be vulnerable - to XML attacks. Replace vulnerable imports with the equivalent defusedxml - package, or make sure defusedxml.defuse_stdlib() is called. - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B408 - secondary_identifiers: - - name: Bandit Test ID B408 - type: bandit_test_id - value: B408 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B408 - shortlink: https://sg.run/WKv4 - semgrep.dev: - rule: - rule_id: DbUekX - version_id: PkTJkyB - url: https://semgrep.dev/playground/r/PkTJkyB/gitlab.bandit.B408 - origin: community - patterns: - - pattern-either: - - pattern: import xml.dom.minidom - severity: INFO -- id: gitlab.bandit.B409 - languages: - - python - message: | - Using various methods to parse untrusted XML data is known to be vulnerable to - XML attacks. Replace vulnerable imports with the equivalent defusedxml package, - or make sure defusedxml.defuse_stdlib() is called. 
- metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B409 - secondary_identifiers: - - name: Bandit Test ID B409 - type: bandit_test_id - value: B409 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B409 - shortlink: https://sg.run/B0WW - semgrep.dev: - rule: - rule_id: AbUnqq - version_id: 5PTd4zp - url: https://semgrep.dev/playground/r/5PTd4zp/gitlab.bandit.B409 - origin: community - patterns: - - pattern-either: - - pattern: import xml.dom.pulldom - severity: INFO -- id: gitlab.bandit.B410 - languages: - - python - message: | - Using various methods to parse untrusted XML data is known to be vulnerable to - XML attacks. Replace vulnerable imports with the equivalent defusedxml package. - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B410 - secondary_identifiers: - - name: Bandit Test ID B410 - type: bandit_test_id - value: B410 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B410 - shortlink: https://sg.run/DqKY - semgrep.dev: - rule: - rule_id: BYUGby - version_id: 44TRzdz - url: https://semgrep.dev/playground/r/44TRzdz/gitlab.bandit.B410 - origin: community - patterns: - - pattern-either: - - pattern: import lxml - severity: INFO -- id: gitlab.bandit.B411 - languages: - - python - message: 'Consider possible security implications associated with xmlrpclib module. 
- - ' - metadata: - cwe: CWE-502 - owasp: A8:2017-Insecure Deserialization - shortDescription: Deserialization of Untrusted Data - primary_identifier: bandit.B411 - secondary_identifiers: - - name: Bandit Test ID B411 - type: bandit_test_id - value: B411 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B411 - shortlink: https://sg.run/Ygyd - semgrep.dev: - rule: - rule_id: PeUkL4 - version_id: RGTDPl2 - url: https://semgrep.dev/playground/r/RGTDPl2/gitlab.bandit.B411 - origin: community - pattern-either: - - pattern: import xmlrpclib - severity: ERROR -- id: gitlab.bandit.B412 - languages: - - python - message: 'Consider possible security implications associated with httpoxy module. - - ' - metadata: - cwe: CWE-284 - owasp: A5:2017-Broken Access Control - shortDescription: Improper Access Control - primary_identifier: bandit.B412 - secondary_identifiers: - - name: Bandit Test ID B412 - type: bandit_test_id - value: B412 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B412 - shortlink: https://sg.run/6rOK - semgrep.dev: - rule: - rule_id: JDUPgX - version_id: NdT3Ay7 - url: https://semgrep.dev/playground/r/NdT3Ay7/gitlab.bandit.B412 - origin: community - pattern-either: - - pattern: wsgiref.handlers.CGIHandler(...) - - pattern: twisted.web.twcgi.CGIDirectory(...) - severity: ERROR - id: gitlab.bandit.B502 languages: - python 
@@ -1924,42 +1074,6 @@ rules: - pattern-inside: subprocess.$W(..., shell=True, ...) - pattern-regex: "(tar|chmod|chown|rsync)(.*?)\\*" severity: WARNING -- id: gitlab.bandit.B703 - languages: - - python - message: | - `mark_safe()` is used to mark a string as `safe` for HTML output. - This disables escaping and could therefore subject the content to - XSS attacks. Use `django.utils.html.format_html()` to build HTML - for rendering instead. - metadata: - cwe: CWE-79 - owasp: A7:2017-Cross-Site Scripting (XSS) - shortDescription: Improper Neutralization of Input During Web Page Generation - ('Cross-site Scripting') - primary_identifier: bandit.B703 - secondary_identifiers: - - name: Bandit Test ID B703 - type: bandit_test_id - value: B703 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B703 - shortlink: https://sg.run/dgk0 - semgrep.dev: - rule: - rule_id: j2UqOR - version_id: w8T98ox - url: https://semgrep.dev/playground/r/w8T98ox/gitlab.bandit.B703 - origin: community - patterns: - - pattern-not-inside: django.utils.html.format_html(...) - - pattern-either: - - patterns: - - pattern: django.utils.safestring.mark_safe(...) - - pattern-not: django.utils.safestring.mark_safe("...") - severity: WARNING - id: gitlab.eslint.detect-object-injection patterns: - pattern: "$O[$ARG]" 
@@ -2417,33 +1531,6 @@ rules: origin: community pattern: GetTempFileName(...) severity: WARNING -- id: gitlab.flawfinder.InitializeCriticalSection-1 - languages: - - c - message: 'Use InitializeCriticalSectionAndSpinCount instead. - - ' - metadata: - shortDescription: Exceptions can be thrown in low-memory situations - cwe: CWE-754 - primary_identifier: flawfinder.InitializeCriticalSection-1 - secondary_identifiers: - - name: Flawfinder - InitializeCriticalSection - type: flawfinder_func_name - value: InitializeCriticalSection - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.InitializeCriticalSection-1 - shortlink: https://sg.run/967k - semgrep.dev: - rule: - rule_id: L1Urv6 - version_id: K3Tv4Xg - url: https://semgrep.dev/playground/r/K3Tv4Xg/gitlab.flawfinder.InitializeCriticalSection-1 - origin: community - pattern: InitializeCriticalSection(...) - severity: WARNING - id: gitlab.flawfinder.LoadLibrary-1 languages: - c 
@@ -2867,83 +1954,6 @@ rules: - pattern: _wtoi(...) - pattern: _wtoi64(...) severity: INFO -- id: gitlab.flawfinder.char-1.TCHAR-1.wchar_t-1 - languages: - - c - message: | - Perform bounds checking, use functions that limit length, or ensure that the size is larger - than the maximum possible length. - metadata: - cwe: CWE-120 - owasp: A1:2017-Injection - shortDescription: Statically-sized arrays can be improperly restricted, leading - to potential overflows or other issues (CWE-119!/CWE-120) - primary_identifier: flawfinder.char-1.TCHAR-1.wchar_t-1 - secondary_identifiers: - - name: Flawfinder - char - type: flawfinder_func_name - value: char - - name: Flawfinder - TCHAR - type: flawfinder_func_name - value: TCHAR - - name: Flawfinder - wchar_t - type: flawfinder_func_name - value: wchar_t - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.char-1.TCHAR-1.wchar_t-1 - shortlink: https://sg.run/w1kx - semgrep.dev: - rule: - rule_id: PeUBNk - version_id: DkT6WjY - url: https://semgrep.dev/playground/r/DkT6WjY/gitlab.flawfinder.char-1.TCHAR-1.wchar_t-1 - origin: community - pattern-either: - - patterns: - - pattern-regex: "(wchar_t) *[a-zA-Z0-9_]+\\[.*\\]" - - pattern-not-regex: (wchar_t) *[a-zA-Z0-9_]+\[\](\s|)\= *([a-zA-Z]|)(\s|)("|{)(.*) - - patterns: - - pattern-regex: "(char) *[a-zA-Z0-9_]+\\[.*\\]" - - pattern-not-regex: (char) *[a-zA-Z0-9_]+\[\](\s|)\= *([a-zA-Z]|)(\s|)("|{)(.*) - - patterns: - - pattern-regex: "(TCHAR) *[a-zA-Z0-9_]+\\[.*\\]" - - pattern-not-regex: (TCHAR) *[a-zA-Z0-9_]+\[\](\s|)\= *([a-zA-Z]|)(\s|)("|{)(.*) - - patterns: - - pattern-regex: static *(const)? *(wchar_t|char|TCHAR) *[a-zA-Z0-9_]+ *\[.*\]\*(={.*})? - - patterns: - - pattern-regex: "(.*|)(\\s|)\\=(\\s|)\\((char.*) (malloc)\\(.*\\[[0-9]+\\].*\\)" - severity: INFO -- id: gitlab.flawfinder.chgrp-1 - languages: - - c - message: 'Use fchgrp( ) instead. 
- - ' - metadata: - cwe: CWE-362 - owasp: A5:2017-Broken Access Control - shortDescription: This accepts filename arguments; if an attacker can move those - files, a race condition results. (CWE-362) - primary_identifier: flawfinder.chgrp-1 - secondary_identifiers: - - name: Flawfinder - chgrp - type: flawfinder_func_name - value: chgrp - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.chgrp-1 - shortlink: https://sg.run/nknG - semgrep.dev: - rule: - rule_id: DbUKrn - version_id: l4T4d01 - url: https://semgrep.dev/playground/r/l4T4d01/gitlab.flawfinder.chgrp-1 - origin: community - pattern: chgrp(...) - severity: ERROR - id: gitlab.flawfinder.chmod-1 languages: - c @@ -3019,35 +2029,6 @@ rules: origin: community pattern: chown(...) severity: ERROR -- id: gitlab.flawfinder.chroot-1 - languages: - - c - message: | - Make sure the program immediately chdir("/"), closes file descriptors, and drops root - privileges, and that all necessary files (and no more!) are in the new root. - metadata: - cwe: CWE-22 - owasp: A5:2017-Broken Access Control - shortDescription: chroot can be very helpful, but is hard to use correctly (CWE-250, - CWE-22) - primary_identifier: flawfinder.chroot-1 - secondary_identifiers: - - name: Flawfinder - chroot - type: flawfinder_func_name - value: chroot - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.chroot-1 - shortlink: https://sg.run/N8Dx - semgrep.dev: - rule: - rule_id: 3qUE0p - version_id: qkT2oyL - url: https://semgrep.dev/playground/r/qkT2oyL/gitlab.flawfinder.chroot-1 - origin: community - pattern: chroot(...) - severity: WARNING - id: gitlab.flawfinder.crypt-1.crypt_r-1 languages: - c 
@@ -3592,53 +2573,6 @@ rules: origin: community pattern: g_get_tmp_dir(...) severity: WARNING -- id: gitlab.flawfinder.getchar-1.fgetc-1.getc-1.read-1._gettc-1 - languages: - - c - message: 'CWE-20: Check buffer boundaries if used in a loop including recursive - loops - - ' - metadata: - cwe: CWE-20 - owasp: A1:2017-Injection - shortDescription: Check buffer boundaries if used in a loop including recursive - loops (CWE-120, CWE-20) - primary_identifier: flawfinder.getchar-1.fgetc-1.getc-1.read-1._gettc-1 - secondary_identifiers: - - name: Flawfinder - getchar - type: flawfinder_func_name - value: getchar - - name: Flawfinder - fgetc - type: flawfinder_func_name - value: fgetc - - name: Flawfinder - getc - type: flawfinder_func_name - value: getc - - name: Flawfinder - read - type: flawfinder_func_name - value: read - - name: Flawfinder - _gettc - type: flawfinder_func_name - value: _gettc - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.getchar-1.fgetc-1.getc-1.read-1._gettc-1 - shortlink: https://sg.run/d0WP - semgrep.dev: - rule: - rule_id: AbUGwN - version_id: WrTWZwq - url: https://semgrep.dev/playground/r/WrTWZwq/gitlab.flawfinder.getchar-1.fgetc-1.getc-1.read-1._gettc-1 - origin: community - pattern-either: - - pattern: getchar(...) - - pattern: fgetc(...) - - pattern: getc(...) - - pattern: read(...) - - pattern: _gettc(...) - severity: INFO - id: gitlab.flawfinder.getenv-1.curl_getenv-1 languages: - c 
@@ -3710,41 +2644,6 @@ rules: origin: community pattern: getlogin(...) severity: ERROR -- id: gitlab.flawfinder.getopt-1.getopt_long-1 - languages: - - c - message: 'Check implementation on installation, or limit the size of all string - inputs. - - ' - metadata: - cwe: CWE-120 - owasp: A1:2017-Injection - shortDescription: Some older implementations do not protect against internal buffer - overflows (CWE-120, CWE-20) - primary_identifier: flawfinder.getopt-1.getopt_long-1 - secondary_identifiers: - - name: Flawfinder - getopt - type: flawfinder_func_name - value: getopt - - name: Flawfinder - getopt_long - type: flawfinder_func_name - value: getopt_long - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.flawfinder.getopt-1.getopt_long-1 - shortlink: https://sg.run/nk2G - semgrep.dev: - rule: - rule_id: DbUKAn - version_id: 0bTLEXo - url: https://semgrep.dev/playground/r/0bTLEXo/gitlab.flawfinder.getopt-1.getopt_long-1 - origin: community - pattern-either: - - pattern: getopt(...) - - pattern: getopt_long(...) - severity: WARNING - id: gitlab.flawfinder.getpass-1 languages: - c diff --git a/assets/semgrep_rules/generated/oss/security_noaudit_novuln.yaml b/assets/semgrep_rules/generated/oss/security_noaudit_novuln.yaml index a4cdb3f7..1e2f6fe3 100644 --- a/assets/semgrep_rules/generated/oss/security_noaudit_novuln.yaml +++ b/assets/semgrep_rules/generated/oss/security_noaudit_novuln.yaml 
@@ -2596,68 +2596,6 @@ rules: - pattern: lxml.etree.getDefaultParser(...) - pattern: lxml.etree.check_docinfo(...) severity: WARNING -- id: gitlab.bandit.B321 - languages: - - python - message: | - The application was found using an FTP library. As FTP does not provide encryption, it is - strongly recommended that any file transfers be done over a more secure transport such as - SSH. - - The [paramiko](https://www.paramiko.org/) library can be used with an SCP module to allow - secure file transfers. - - Example using `paramiko` SSH client and the `scp` module: - ``` - import paramiko - import scp - - # Create an SSH client - with paramiko.SSHClient() as ssh: - # Load the system host keys so we can confirm the - # host we are connecting to is legitimate - ssh.load_system_host_keys('/home/appuser/.ssh/known_hosts') - - # Connect to the remote host using our SSH private key - ssh.connect(hostname='example.org', - port=22, - username='appuser', - key_filename='/home/appuser/.ssh/private_key') - - # Create an SCP client with the ssh transport and copy files - with scp.SCPClient(ssh.get_transport()) as secure_copy: - secure_copy.get('remote/test.file', 'local/test.file') - secure_copy.put('local/some.file', 'remote/some.file') - ``` - - For more information on the paramiko module see: - - https://www.paramiko.org/ - - For more information on the scp module see: - - https://github.com/jbardin/scp.py - metadata: - cwe: CWE-319 - owasp: A3:2017-Sensitive Data Exposure - category: security - shortDescription: Cleartext transmission of sensitive information - primary_identifier: bandit.B321 - secondary_identifiers: - - name: Bandit Test ID B321 - type: bandit_test_id - value: B321 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B321 - shortlink: https://sg.run/Awwp - semgrep.dev: - rule: - rule_id: d8Ully - version_id: e1T0vjO - url: https://semgrep.dev/playground/r/e1T0vjO/gitlab.bandit.B321 - origin: community - pattern: 
ftplib.$ANYTHING(...) - severity: WARNING - id: gitlab.bandit.B323 languages: - python @@ -2882,36 +2820,6 @@ rules: - pattern: import Crypto.Signature - pattern: import Crypto.Util severity: ERROR -- id: gitlab.bandit.B415 - languages: - - python - pattern-either: - - pattern: import pyghmi - message: | - An IPMI-related module is being imported. IPMI is considered insecure. Use an encrypted - protocol. - metadata: - shortDescription: Cryptographic issues - cwe: CWE-310 - category: security - cisa: https://www.cisa.gov/uscert/ncas/alerts/TA13-207A - primary_identifier: bandit.B415 - secondary_identifiers: - - name: Bandit Test ID B415 - type: bandit_test_id - value: B415 - license: MIT - vulnerability_class: - - Other - source: https://semgrep.dev/r/gitlab.bandit.B415 - shortlink: https://sg.run/5NO3 - semgrep.dev: - rule: - rule_id: v8Ubxq - version_id: kbTdRGn - url: https://semgrep.dev/playground/r/kbTdRGn/gitlab.bandit.B415 - origin: community - severity: ERROR - id: gitlab.bandit.B501 languages: - python 
@@ -16578,70 +16486,68 @@ rules: origin: community severity: WARNING - id: gitlab.security_code_scan.SCS0028-1 - patterns: - - pattern-not: $OBJ.Deserialize("...") - - pattern-not: $OBJ.UnsafeDeserialize("...") - - pattern-not: $OBJ.UnsafeDeserializeMethodResponse("...") - - pattern-not: $OBJ.ReadObject("...") - - pattern-not: $OBJ.DeserializeFromString("...") - - pattern-not: $OBJ.DeserializeFromReader("...") - - pattern-not: $OBJ.DeserializeFromStream("...") - - pattern-not: $OBJ.DeserializeRequest("...") - - pattern-not: $OBJ.ToObject("...") - - pattern-not: $OBJ.DeserializeResponse("...") - - pattern-not: new System.Runtime.Serialization.DataContractSerializer("...") - - pattern-not: new System.Runtime.Serialization.Json.DataContractJsonSerializer("...") - - pattern-not: new System.Xml.Serialization.XmlSerializer("...") - - pattern-not: new System.Resources.ResourceReader("...") - - pattern-not: (System.Messaging.XmlMessageFormatter $E).Read("...") - - pattern-not: (System.Messaging.BinaryMessageFormatter $E).Read("...") - - pattern-either: - - pattern: "$OBJ.Deserialize(...)" - - pattern: "$OBJ.UnsafeDeserialize(...)" - - pattern: "$OBJ.UnsafeDeserializeMethodResponse(...)" - - pattern: "$OBJ.ReadObject(...)" - - pattern: "$OBJ.DeserializeFromString(...)" - - pattern: "$OBJ.DeserializeFromReader(...)" - - pattern: "$OBJ.DeserializeFromStream(...)" - - pattern: "$OBJ.DeserializeRequest(...)" - - pattern: "$OBJ.ToObject(...)" - - pattern: "$OBJ.DeserializeResponse(...)" - - pattern: new System.Runtime.Serialization.DataContractSerializer(...) - - pattern: new System.Runtime.Serialization.Json.DataContractJsonSerializer(...) - - pattern: new System.Xml.Serialization.XmlSerializer(...) - - pattern: new System.Resources.ResourceReader(...) - - pattern: "(System.Messaging.XmlMessageFormatter $E).Read(...)" - - pattern: "(System.Messaging.BinaryMessageFormatter $E).Read(...)" + mode: taint + pattern-sources: + - pattern: Request.Cookies[...] 
+ - pattern: Request.Cookies.Get(...) + - pattern: Request.Form[...] + - pattern: Request.Form.Get(...) + - pattern: Request.Headers[...] + - pattern: Request.Headers.Get(...) + - pattern: Request.QueryString[...] + - pattern: Request.QueryString.Get(...) + - pattern: Request.Body + - pattern: "$CTX.Request.Cookies[...]" + - pattern: "$CTX.Request.Cookies.Get(...)" + - pattern: "$CTX.Request.Form[...]" + - pattern: "$CTX.Request.Form.Get(...)" + - pattern: "$CTX.Request.Headers[...]" + - pattern: "$CTX.Request.Headers.Get(...)" + - pattern: "$CTX.Request.QueryString[...]" + - pattern: "$CTX.Request.QueryString.Get(...)" + - pattern: "$CTX.Request.Body" + - pattern: System.IO.File.ReadAllText(...) + - pattern: System.IO.File.ReadAllTextAsync(...) + - pattern: System.IO.File.ReadAllLines(...) + - pattern: System.IO.File.ReadAllLinesAsync(...) + - pattern: System.IO.File.ReadAllBytes(...) + - pattern: System.IO.File.ReadAllBytesAsync(...) + - pattern: System.IO.File.ReadLines(...) + - pattern: System.IO.File.ReadLinesAsync(...) + - pattern: System.Environment.GetEnvironmentVariable(...) + pattern-sinks: + - pattern: "(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).Deserialize(...)" + - pattern: "(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).UnsafeDeserialize(...)" + - pattern: "(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).UnsafeDeserializeMethod(...)" + - pattern: "(System.Runtime.Serialization.Formatters.Soap.SoapFormatter $OBJ).Deserialize(...)" + - pattern: "(System.Runtime.Serialization.NetDataContractSerializer $OBJ).Deserialize(...)" + - pattern: "(System.Web.UI.LosFormatter $OBJ).Deserialize(...)" languages: - csharp message: | - Deserialization attacks exploit the process of reading serialized data and turning it back - into an object. 
By constructing malicious objects and serializing them, an adversary may - attempt to: + Deserialization attacks exploit the process of reading serialized data and turning it back into an + object. By constructing malicious objects and serializing them, an adversary may attempt to: - - Inject code that is executed upon object construction, which occurs during the - deserialization process. - - Exploit mass assignment by including fields that are not normally a part of the serialized - data but are read in during deserialization. + - Inject code that is executed upon object construction, which occurs during the deserialization process. + - Exploit mass assignment by including fields that are not normally a part of the serialized data but are + read in during deserialization. Microsoft recommends no longer using the following serialization formats: + - BinaryFormatter - SoapFormatter - NetDataContractSerializer - LosFormatter - ObjectStateFormatter - Consider safer alternatives such as serializing data in the JSON format. Ensure any format - chosen allows - the application to specify exactly which object types are allowed to be deserialized. - Additionally, when - deserializing, never deserialize to base object types like `Object` and only cast to the exact - object + Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows + the application to specify exactly which object types are allowed to be deserialized. Additionally, when + deserializing, never deserialize to base object types like `Object` and only cast to the exact object type that is expected. - To protect against mass assignment, only allow deserialization of the specific fields that are - required. If this is not easily done, consider creating an intermediary type that - can be serialized with only the necessary fields exposed. + To protect against mass assignment, only allow deserialization of the specific fields that are required. 
+ If this is not easily done, consider creating an intermediary type that can be serialized with only the + necessary fields exposed. For more information see Microsoft's deserialization security guide: https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide @@ -16649,8 +16555,7 @@ rules: For more details on deserialization attacks in general, see OWASP's guide: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html - It should be noted that [tools exist](https://github.com/pwntester/ysoserial.net) to - automatically create + It should be noted that [tools exist](https://github.com/pwntester/ysoserial.net) to automatically create exploit code for these vulnerabilities. metadata: shortDescription: Deserialization of potentially untrusted data @@ -16669,8 +16574,8 @@ rules: semgrep.dev: rule: rule_id: gxUrkX - version_id: o5Tgy7Q - url: https://semgrep.dev/playground/r/o5Tgy7Q/gitlab.security_code_scan.SCS0028-1 + version_id: DkT6ND4 + url: https://semgrep.dev/playground/r/DkT6ND4/gitlab.security_code_scan.SCS0028-1 origin: community severity: WARNING - id: gitlab.security_code_scan.SCS0029-1 diff --git a/assets/semgrep_rules/generated/oss/vulns.yaml b/assets/semgrep_rules/generated/oss/vulns.yaml index 67eaa4b3..6f3fd093 100644 --- a/assets/semgrep_rules/generated/oss/vulns.yaml +++ b/assets/semgrep_rules/generated/oss/vulns.yaml @@ -38,8 +38,8 @@ rules: semgrep.dev: rule: rule_id: j2Uv7B - version_id: bZTbzQz - url: https://semgrep.dev/playground/r/bZTbzQz/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer + version_id: jQTgYdy + url: https://semgrep.dev/playground/r/jQTgYdy/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer origin: community languages: - java 
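Review bot: The BinaryFormatter sink list names `UnsafeDeserializeMethod(...)`, while the removed pattern (and, as far as I know, the BinaryFormatter API) spells it `UnsafeDeserializeMethodResponse`; unless a method of the shorter name exists, that sink can never fire and the line should read `- pattern: "(System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $OBJ).UnsafeDeserializeMethodResponse(...)"`, with `DeserializeMethodResponse(...)` likely worth adding beside it. The message in the same hunk still lists `ObjectStateFormatter` among the formats Microsoft recommends against, but no `System.Web.UI.ObjectStateFormatter` sink is defined, so that case is now silently unreported. Moving to `mode: taint` also means a formatter fed from a source outside the listed ones (sockets, message queues, database blobs) no longer produces a finding, which is a deliberate precision trade-off that the rule text should state, since these formatters are unsafe regardless of where the stream comes from. The rule's message continues in the following hunk.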
@@ -504,8 +504,8 @@ rules: semgrep.dev: rule: rule_id: ReUoP7 - version_id: JdTNPPN - url: https://semgrep.dev/playground/r/JdTNPPN/trailofbits.go.racy-append-to-slice.racy-append-to-slice + version_id: WrTWdKp + url: https://semgrep.dev/playground/r/WrTWdKp/trailofbits.go.racy-append-to-slice.racy-append-to-slice origin: community patterns: - pattern: "$SLICE = append($SLICE, $ITEM)\n" @@ -538,6 +538,11 @@ rules: $MUTEX.Lock() ... $MUTEX.Unlock() + - pattern-not-inside: | + $MUTEX.Lock() + ... + defer $MUTEX.Unlock() + ... - id: trailofbits.go.racy-write-to-map.racy-write-to-map message: Writing `$MAP` from multiple goroutines is not concurrency safe languages: @@ -565,8 +570,8 @@ rules: semgrep.dev: rule: rule_id: AbUGWD - version_id: 5PTd44k - url: https://semgrep.dev/playground/r/5PTd44k/trailofbits.go.racy-write-to-map.racy-write-to-map + version_id: 0bTLwz3 + url: https://semgrep.dev/playground/r/0bTLwz3/trailofbits.go.racy-write-to-map.racy-write-to-map origin: community patterns: - pattern: "$MAP[$KEY] = $VALUE\n" @@ -586,6 +591,11 @@ rules: $MUTEX.Lock() ... $MUTEX.Unlock() + - pattern-not-inside: | + $MUTEX.Lock() + ... + defer $MUTEX.Unlock() + ... - id: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil message: The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect
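Review bot: The added `pattern-not-inside` for `defer $MUTEX.Unlock()` suppresses the finding whenever any `Lock()`/`defer Unlock()` pair on the same `$MUTEX` encloses the append, but nothing ties that mutex to `$SLICE`, so an append guarded by an unrelated lock is excluded too; the pre-existing `Lock() ... Unlock()` exclusion has the same property and the commit does not narrow it. The trailing `...` after the `defer` line is what keeps appends later in the function inside the excluded range, which is the behaviour a deferred unlock implies, so that part reads as intended. The unlock forms `defer func() { $MUTEX.Unlock() }()` are still reported, which may be worth a follow-up exclusion if they are common in the scanned code. The identical addition in the racy-write-to-map hunk further down shares all of the above.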