From ebc1bd098515e98c80d1935971d5f1805ce85aa8 Mon Sep 17 00:00:00 2001
From: Artem Chaikin
Date: Thu, 1 Aug 2024 13:12:12 +0100
Subject: [PATCH] add pip -f pattern
---
 .../semgrep_rules/services/find-links-without-no-index.txt | 6 +++++-
 .../semgrep_rules/services/find-links-without-no-index.yaml | 6 ++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/assets/semgrep_rules/services/find-links-without-no-index.txt b/assets/semgrep_rules/services/find-links-without-no-index.txt
index b559e0de..bd00ecaf 100644
--- a/assets/semgrep_rules/services/find-links-without-no-index.txt
+++ b/assets/semgrep_rules/services/find-links-without-no-index.txt
@@ -9,4 +9,8 @@ sphinx-reredirects==0.1.2
 // ruleid: find-links-without-no-index
 --find-links https://mlc.ai/wheels mlc-ai-nightly
---find-links --no-index https://mlc.ai/wheels
\ No newline at end of file
+--find-links --no-index https://mlc.ai/wheels
+--no-index --find-links https://mlc.ai/wheels
+// ruleid: find-links-without-no-index
+pip install --quiet --pre -U -f https://mlc.ai/wheels mlc-ai-nightly
+pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly
diff --git a/assets/semgrep_rules/services/find-links-without-no-index.yaml b/assets/semgrep_rules/services/find-links-without-no-index.yaml
index 6abf6cfe..842fcec0 100644
--- a/assets/semgrep_rules/services/find-links-without-no-index.yaml
+++ b/assets/semgrep_rules/services/find-links-without-no-index.yaml
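Review bot: The negative example on the last added line, `pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly`, is not a valid index-free install: pip's option parser is optparse-based and, as far as I know, takes the token after `-f` as that option's value, so `--no-index` would become the find-links location and the URL a requirement spec. The rule treats the line as clean only because `--no-index` appears somewhere on it, so the fixture currently documents a command that would not do what the rule message asks for. A line a reader can also run, `pip install --quiet --pre -U --no-index -f https://mlc.ai/wheels mlc-ai-nightly`, would be the better negative case. Marking the non-matching lines with `// ok: find-links-without-no-index` would also make the fixture's expectations explicit rather than implied by the absence of a `ruleid` comment.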
@@ -6,8 +6,10 @@ rules:
 - https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior
 - https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/
 confidence: LOW
- pattern-regex: '^(?!.*--no-index).*--find-links'
- message: "When --find-links is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
+ pattern-either:
+ - pattern-regex: ^(?!.*--no-index).*--find-links
+ - pattern-regex: ^(?!.*--no-index).*pip\s.*\s-f
+ message: "When --find-links or -f is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
 severity: INFO
 languages:
 - generic
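Review bot: The new `-f` alternative requires the literal `pip` to be followed immediately by whitespace, so invocations through `pip3 install -f https://…` or a versioned `pip3.11` binary are not matched by the second regex, even though the first regex catches `--find-links` regardless of how pip is invoked; `- pattern-regex: ^(?!.*--no-index).*pip[0-9.]*\s.*\s-f` closes that gap. A bare `-f URL` line in a requirements file, which pip accepts as a synonym for `--find-links URL`, is also missed because the line carries no `pip` token, so if the rule is meant to cover requirements files a third alternative anchored at line start, `- pattern-regex: ^(?!.*--no-index)\s*-f\s`, would cover it without picking up unrelated `-f` flags in the middle of shell lines. Both patterns and the `--no-index` lookahead operate on a single line, so a command continued with backslashes that places `--no-index` on a later line will still be reported; that is tolerable at confidence LOW but is worth a short comment above `pattern-either:` so the limitation is not rediscovered.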