2020-12-03 16:54:36 +01:00
|
|
|
# See https://semgrep.dev/docs/writing-rules/rule-syntax/ for documentation on YAML rule syntax
|
2020-03-19 00:32:26 +01:00
|
|
|
|
|
|
|
rules:
|
2020-07-01 21:19:49 +02:00
|
|
|
####################### PYTHON RULES #######################
|
2020-03-19 00:32:26 +01:00
|
|
|
- id: deprecated-render-usage
|
|
|
|
pattern: django.shortcuts.render_to_response(...)
|
2020-04-27 13:46:53 +02:00
|
|
|
message: "Use render() (from django.shortcuts) instead of render_to_response()"
|
2020-03-19 00:32:26 +01:00
|
|
|
languages: [python]
|
|
|
|
severity: ERROR
|
2020-04-27 13:46:53 +02:00
|
|
|
|
2020-04-29 13:50:36 +02:00
|
|
|
- id: dont-use-stream-objects-filter
|
|
|
|
pattern: Stream.objects.filter(...)
|
|
|
|
message: "Please use access_stream_by_*() to fetch Stream objects"
|
|
|
|
languages: [python]
|
|
|
|
severity: ERROR
|
|
|
|
paths:
|
2020-06-05 10:10:37 +02:00
|
|
|
include:
|
|
|
|
- zerver/views/
|
2020-05-01 08:56:20 +02:00
|
|
|
|
|
|
|
- id: dont-import-models-in-migrations
|
|
|
|
patterns:
|
|
|
|
- pattern-not: from zerver.lib.redis_utils import get_redis_client
|
|
|
|
- pattern-not: from zerver.models import filter_pattern_validator
|
|
|
|
- pattern-not: from zerver.models import filter_format_validator
|
|
|
|
- pattern-not: from zerver.models import generate_email_token_for_stream
|
|
|
|
- pattern-either:
|
|
|
|
- pattern: from zerver import $X
|
|
|
|
- pattern: from analytics import $X
|
|
|
|
- pattern: from confirmation import $X
|
2021-06-17 15:02:52 +02:00
|
|
|
message: "Don't import models or other code in migrations; see https://zulip.readthedocs.io/en/latest/subsystems/schema-migrations.html"
|
2020-05-01 08:56:20 +02:00
|
|
|
languages: [python]
|
|
|
|
severity: ERROR
|
|
|
|
paths:
|
2020-06-05 10:10:37 +02:00
|
|
|
include:
|
|
|
|
- "**/migrations"
|
|
|
|
exclude:
|
|
|
|
- zerver/migrations/0032_verify_all_medium_avatar_images.py
|
|
|
|
- zerver/migrations/0104_fix_unreads.py
|
|
|
|
- zerver/migrations/0206_stream_rendered_description.py
|
|
|
|
- zerver/migrations/0209_user_profile_no_empty_password.py
|
|
|
|
- zerver/migrations/0260_missed_message_addresses_from_redis_to_db.py
|
2022-04-01 02:25:27 +02:00
|
|
|
- zerver/migrations/0387_reupload_realmemoji_again.py
|
2020-06-05 10:10:37 +02:00
|
|
|
- pgroonga/migrations/0002_html_escape_subject.py
|
2020-05-02 08:44:14 +02:00
|
|
|
|
2023-03-21 07:10:20 +01:00
|
|
|
- id: html-format
|
|
|
|
languages: [python]
|
|
|
|
pattern-either:
|
|
|
|
- pattern: markupsafe.Markup(... .format(...))
|
|
|
|
- pattern: markupsafe.Markup(f"...")
|
|
|
|
- pattern: markupsafe.Markup(... + ...)
|
|
|
|
severity: ERROR
|
|
|
|
message: "Do not write an HTML injection vulnerability please"
|
|
|
|
|
2020-05-04 01:56:44 +02:00
|
|
|
- id: sql-format
|
|
|
|
languages: [python]
|
|
|
|
pattern-either:
|
|
|
|
- pattern: ... .execute("...".format(...))
|
2020-06-15 23:39:16 +02:00
|
|
|
- pattern: ... .execute(f"...")
|
2023-03-21 07:10:20 +01:00
|
|
|
- pattern: ... .execute(... + ...)
|
2020-05-04 01:56:44 +02:00
|
|
|
- pattern: psycopg2.sql.SQL(... .format(...))
|
2020-06-15 23:39:16 +02:00
|
|
|
- pattern: psycopg2.sql.SQL(f"...")
|
2023-03-21 07:10:20 +01:00
|
|
|
- pattern: psycopg2.sql.SQL(... + ...)
|
2020-06-14 03:48:07 +02:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
|
2020-06-15 23:39:16 +02:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., f"...", ...)
|
2023-03-21 07:10:20 +01:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., ... + ..., ...)
|
2020-06-14 04:05:38 +02:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)
|
2020-06-15 23:39:16 +02:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., [..., f"...", ...], ...)
|
2023-03-21 07:10:20 +01:00
|
|
|
- pattern: django.db.migrations.RunSQL(..., [..., ... + ..., ...], ...)
|
2020-05-04 01:56:44 +02:00
|
|
|
severity: ERROR
|
|
|
|
message: "Do not write a SQL injection vulnerability please"
|
2020-06-13 05:24:42 +02:00
|
|
|
|
2020-06-15 23:22:24 +02:00
|
|
|
- id: translated-format
|
|
|
|
languages: [python]
|
|
|
|
pattern-either:
|
2021-04-16 00:57:30 +02:00
|
|
|
- pattern: django.utils.translation.gettext(... .format(...))
|
|
|
|
- pattern: django.utils.translation.gettext(f"...")
|
|
|
|
- pattern: django.utils.translation.gettext_lazy(... .format(...))
|
|
|
|
- pattern: django.utils.translation.gettext_lazy(f"...")
|
2020-06-15 23:22:24 +02:00
|
|
|
severity: ERROR
|
|
|
|
message: "Format strings after translation, not before"
|
|
|
|
|
2020-10-17 02:53:53 +02:00
|
|
|
- id: translated-format-lazy
|
|
|
|
languages: [python]
|
2021-04-16 00:57:30 +02:00
|
|
|
pattern: django.utils.translation.gettext_lazy(...).format(...)
|
2020-10-17 02:53:53 +02:00
|
|
|
severity: ERROR
|
|
|
|
message: "Immediately formatting a lazily translated string destroys its laziness"
|
|
|
|
|
2020-06-13 05:24:42 +02:00
|
|
|
- id: mutable-default-type
|
|
|
|
languages: [python]
|
|
|
|
pattern-either:
|
|
|
|
- pattern: |
|
|
|
|
def $F(..., $A: typing.List[...] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:
|
|
|
|
...
|
|
|
|
- pattern: |
|
|
|
|
def $F(..., $A: typing.Optional[typing.List[...]] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:
|
|
|
|
...
|
|
|
|
- pattern: |
|
|
|
|
def $F(..., $A: typing.Dict[...] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:
|
|
|
|
...
|
|
|
|
- pattern: |
|
|
|
|
def $F(..., $A: typing.Optional[typing.Dict[...]] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:
|
|
|
|
...
|
|
|
|
severity: ERROR
|
|
|
|
message: "Guard mutable default with read-only type (Sequence, Mapping, AbstractSet)"
|
2020-06-14 07:01:21 +02:00
|
|
|
|
|
|
|
- id: percent-formatting
|
|
|
|
languages: [python]
|
|
|
|
pattern-either:
|
|
|
|
- pattern: '"..." % ...'
|
2021-04-16 00:57:30 +02:00
|
|
|
- pattern: django.utils.translation.gettext(...) % ...
|
|
|
|
- pattern: django.utils.translation.gettext_lazy(...) % ...
|
2020-06-14 07:01:21 +02:00
|
|
|
severity: ERROR
|
|
|
|
message: "Prefer f-strings or .format for string formatting"
|
2020-06-26 02:35:16 +02:00
|
|
|
|
2021-02-14 00:03:40 +01:00
|
|
|
- id: change-user-is-active
|
|
|
|
languages: [python]
|
|
|
|
patterns:
|
|
|
|
- pattern-either:
|
|
|
|
- pattern: |
|
|
|
|
$X.is_active = ...
|
|
|
|
- pattern: |
|
|
|
|
setattr($X, 'is_active', ...)
|
|
|
|
- pattern-not-inside: |
|
|
|
|
def change_user_is_active(...):
|
|
|
|
...
|
|
|
|
message: "Use change_user_is_active to mutate user_profile.is_active"
|
|
|
|
severity: ERROR
|
2021-10-06 17:13:57 +02:00
|
|
|
paths:
|
|
|
|
exclude:
|
|
|
|
- zerver/migrations/0373_fix_deleteduser_dummies.py
|
2021-12-02 20:31:42 +01:00
|
|
|
|
|
|
|
- id: confirmation-object-get
|
|
|
|
languages: [python]
|
|
|
|
patterns:
|
|
|
|
- pattern-either:
|
|
|
|
- pattern: Confirmation.objects.get(...)
|
|
|
|
- pattern: Confirmation.objects.filter(..., confirmation_key=..., ...)
|
|
|
|
- pattern-not-inside: |
|
|
|
|
def get_object_from_key(...):
|
|
|
|
...
|
|
|
|
paths:
|
|
|
|
exclude:
|
|
|
|
- zerver/tests/
|
|
|
|
message: "Do not fetch a Confirmation object directly, use get_object_from_key instead"
|
|
|
|
severity: ERROR
|