# See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md
# Top-level list of semgrep rules; each entry below carries an id, the
# pattern(s) to match, a message, the target languages and a severity.
rules:
####################### PYTHON RULES #######################
# Flags calls to django.shortcuts.render_to_response(...) in Python sources;
# the message points at render() from django.shortcuts as the replacement.
- id: deprecated-render-usage
  languages:
    - python
  severity: ERROR
  message: 'Use render() (from django.shortcuts) instead of render_to_response()'
  pattern: django.shortcuts.render_to_response(...)
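# Flags an if/else whose two branches are the same statement: the $S
# metavariable has to bind to identical code in both bodies, so the
# condition $X has no effect on what runs.
- id: useless-if-body
  patterns:
    # Literal block scalar: the pattern is Python, so the indentation of the
    # branch bodies inside it is significant.
    - pattern: |
        if $X:
            $S
        else:
            $S
  message: "Useless if statement; both blocks have the same body"
  languages: [python]
  severity: ERROR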
# Flags direct Stream.objects.filter(...) queries, but only in files under
# zerver/views/ (see `paths`); the same call elsewhere is not reported.
# NOTE(review): presumably the access_stream_by_*() helpers named in the
# message apply the requesting user's access checks, which a raw queryset
# filter would skip - confirm against their definitions.
- id: dont-use-stream-objects-filter
  languages:
    - python
  severity: ERROR
  message: 'Please use access_stream_by_*() to fetch Stream objects'
  pattern: Stream.objects.filter(...)
  paths:
    - directory: 'zerver/views/'
# Flags imports from the zerver, analytics and confirmation packages inside
# any migrations directory. Five specific imports are carved out with
# pattern-not, and six existing migration files are exempted with path-not.
- id: dont-import-models-in-migrations
  languages:
    - python
  severity: ERROR
  message: "Don't import models or other code in migrations; see docs/subsystems/schema-migrations.md"
  patterns:
    # Imports that stay allowed in migrations.
    - pattern-not: from zerver.lib.redis_utils import get_redis_client
    - pattern-not: from zerver.lib.utils import generate_random_token
    - pattern-not: from zerver.models import filter_pattern_validator
    - pattern-not: from zerver.models import filter_format_validator
    - pattern-not: from zerver.models import generate_email_token_for_stream
    # Any other import matching one of these is reported.
    - pattern-either:
        - pattern: from zerver import $X
        - pattern: from analytics import $X
        - pattern: from confirmation import $X
  paths:
    # Quoted because the value starts with `*`, which YAML would otherwise
    # read as an alias.
    - directory: '**/migrations'
    # Migration files excluded from this rule.
    - path-not: "zerver/migrations/0032_verify_all_medium_avatar_images.py"
    - path-not: "zerver/migrations/0104_fix_unreads.py"
    - path-not: "zerver/migrations/0206_stream_rendered_description.py"
    - path-not: "zerver/migrations/0209_user_profile_no_empty_password.py"
    - path-not: "zerver/migrations/0260_missed_message_addresses_from_redis_to_db.py"
    - path-not: "pgroonga/migrations/0002_html_escape_subject.py"
# Flags logging calls whose message was already built with `%` or
# `.format()` instead of passing the arguments to the logging call itself.
# Covered: debug/info/warning/error/critical, called on the names `logging`
# and `logger`.
# NOTE(review): other call names (for example logging.exception) and loggers
# bound to differently named variables are not listed here.
- id: logging-format
  languages:
    - python
  severity: ERROR
  message: 'Pass format arguments to logging (https://docs.python.org/3/howto/logging.html#optimization)'
  pattern-either:
    # debug
    - pattern: logging.debug(... % ...)
    - pattern: logging.debug(... .format(...))
    - pattern: logger.debug(... % ...)
    - pattern: logger.debug(... .format(...))
    # info
    - pattern: logging.info(... % ...)
    - pattern: logging.info(... .format(...))
    - pattern: logger.info(... % ...)
    - pattern: logger.info(... .format(...))
    # warning
    - pattern: logging.warning(... % ...)
    - pattern: logging.warning(... .format(...))
    - pattern: logger.warning(... % ...)
    - pattern: logger.warning(... .format(...))
    # error
    - pattern: logging.error(... % ...)
    - pattern: logging.error(... .format(...))
    - pattern: logger.error(... % ...)
    - pattern: logger.error(... .format(...))
    # critical
    - pattern: logging.critical(... % ...)
    - pattern: logging.critical(... .format(...))
    - pattern: logger.critical(... % ...)
    - pattern: logger.critical(... .format(...))
# Flags SQL text that is assembled with `%` or `.format()` before it reaches
# an .execute(...) call or psycopg2.sql.SQL(...). Interpolating values into
# the query string bypasses the driver's parameter handling; the usual fix is
# to pass values as separate parameters to execute() and to compose
# identifiers with psycopg2.sql (SQL(...).format(Identifier(...))).
# NOTE(review): f-strings and `+` concatenation are not listed here, so a
# clean run of this rule is not proof that no query is string-built.
- id: sql-format
  languages:
    - python
  severity: ERROR
  message: 'Do not write a SQL injection vulnerability please'
  pattern-either:
    # Quoted because these patterns begin with `...`.
    - pattern: '... .execute(... % ...)'
    # The receiver is a string literal ("..."), unlike the patterns around it.
    # NOTE(review): presumably so that psycopg2's own SQL(...).format(...)
    # composition passed to execute() is not reported - confirm. A
    # non-literal receiver (a query variable) does not appear to be covered.
    - pattern: '... .execute("...".format(...))'
    # str formatting applied to the argument of SQL(); this is written as
    # SQL(<expr>.format(...)), which is not the SQL("...").format(...) form.
    - pattern: psycopg2.sql.SQL(... % ...)
    - pattern: psycopg2.sql.SQL(... .format(...))