commit - 246324df16d78ed9ef39467ac96ab796d34cafd1
commit + 289af9cae9bd370a1f704c7a3ba16a1bf2b73cea
blob - daf42933e5b1f6dbbb42c53966d9150889c4fbc7
blob + efd83c0db33397b96d8eedf815eed2e90a224879
--- rules/lua/basic/cmp_by_reference.yaml
+++ rules/lua/basic/cmp_by_reference.yaml
rules:
- id: cmp_reference
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ references:
+ - https://www.lua.org/manual/5.3/manual.html#pdf-rawequal
+ message:
+ It is not possible to compare tables, threads and functions when
+ "__eq", "__lt" and "le" methods are undefined.
+ languages: [lua]
+ severity: WARNING
pattern-either:
- pattern: $OBJ1 < ...
- pattern: $OBJ1 > ...
- pattern-either:
- pattern: $OBJ1 = coroutine.create(...)
- pattern: $OBJ1 = function(...) ... end
- message:
- It is not possible to compare tables, threads and functions when
- "__eq", "__lt" and "le" methods are undefined.
- languages: [lua]
- severity: WARNING
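Review bot: The message added under the new `metadata:` names the third metamethod as `"le"`, but Lua's is `__le`, and `__eq` is consulted only by `==`, never by the `<`/`>` operators this rule matches, so the text misstates which metamethods matter. Suggested wording: `Relational comparison of tables, threads or functions raises an error unless "__lt" (and, for <= / >=, "__le") is defined.` The single reference is the `rawequal` entry, which is about equality; the relational-operators section of the manual (§3.4.4) is the one that backs this rule. The context between the two changes may hide part of the pattern list, so I have not reviewed the match logic itself.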
blob - 4b3fdf8993a7d31ee7a515185db00c709591543b
blob + beac85b8cfead60b22e60e1baaf03dbec4c57460
--- rules/lua/basic/fd_leak.yaml
+++ rules/lua/basic/fd_leak.yaml
rules:
- id: fd_leak
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ references:
+ - https://cwe.mitre.org/data/definitions/403.html
+ message:
+ The file object "$FD" opened without corresponding close.
+ languages: [lua]
+ severity: ERROR
patterns:
- pattern-either:
- pattern-inside: |
...
- pattern-not: $FD:close()
- pattern-not: io.close($FD)
- message:
- The file object "$FD" opened without corresponding close.
- languages: [lua]
- severity: ERROR
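Review bot: The reference added under `metadata:` points at CWE-403, which describes exposing an open descriptor to a child process (inheritance across a trust boundary), not a handle that is never closed; the weakness this rule reports is CWE-775, Missing Release of File Descriptor or Handle after Effective Lifetime. Swap the link for `- https://cwe.mitre.org/data/definitions/775.html`. The message also reads awkwardly; `File object "$FD" is opened but never closed; call $FD:close() or io.close($FD) on every path.` says what to do. The positive pattern that binds `$FD` is not in the visible context, so I could not confirm that `$FD` is bound before the two `pattern-not` clauses use it.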
blob - 23e3a5304abfbc5b8bb6ea69e713641676c0fbcd
blob + 4cf861661b8ced75f9e02536d699114fd5b77827
--- rules/lua/basic/func_inside_func.yaml
+++ rules/lua/basic/func_inside_func.yaml
rules:
- id: func_inside_func
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: |
+ Function shouldn't be declared inside functions.
+ languages: [lua]
+ severity: INFO
pattern-either:
- pattern-inside: |
$FN1 = function(...)
end
...
end
- message: |
- Function shouldn't be declared inside functions.
- languages: [lua]
- severity: INFO
blob - 9292ee2e047e5377ee9a7d298b7ba16e99d1a0e8
blob + c32149c001d98018a08f87a74b1d9816c0eb766a
--- rules/lua/basic/init_rng_without_seed.lua
+++ rules/lua/basic/init_rng_without_seed.lua
-- ruleid: init_rng_without_seed
-math.random()
+math.randomseed()
-- ok: init_rng_without_seed
-math.random(os.time())
+math.randomseed(os.time())
-- ok: init_rng_without_seed
-math.random(384)
+math.randomseed(384)
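Review bot: The two `ok:` cases now bless `math.randomseed(os.time())` and `math.randomseed(384)`, but a constant seed reproduces the identical sequence on every run and `os.time()` has one-second granularity, so both are trivially predictable; if the rule is about predictable randomness these should be findings, and if it is only about "seed never set" the rule message should say that `math.random` is not a cryptographic source whatever the seed. The `ruleid:` case `math.randomseed()` also behaves differently per runtime: on Lua 5.4 a no-argument call seeds from time and addresses, while on 5.3 and LuaJIT it raises a bad-argument error, so the fixture should state which runtime the rule targets. A comment above the first `ok:` such as `-- os.time()/constant seeds are predictable; acceptable only for non-security randomness.` would keep the next reader from treating these as secure.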
blob - 6c50db91c69ce4e811ff303ae58a4c7a9c5e082c
blob + eff056c95d9bd1111cd587363bf972e635d53bc6
--- rules/lua/basic/init_rng_without_seed.yaml
+++ rules/lua/basic/init_rng_without_seed.yaml
rules:
- id: init_rng_without_seed
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: math.random() is used without random seed.
+ languages: [lua]
+ severity: INFO
patterns:
- pattern: |
...
...
math.random()
...
- message: math.random() is used without random seed.
- languages: [lua]
- severity: INFO
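Review bot: The relocated message still says `math.random() is used without random seed.` and the visible pattern lines match a bare `math.random()`, while the test fixture changed in the same commit marks `math.randomseed()` as the finding and `math.randomseed(os.time())` as ok, so one of the two is out of date. If the rule is meant to catch an unseeded generator, the message should say `math.random() called without a prior math.randomseed(); the sequence is identical on every run.` and the pattern should key on `math.random(...)` with no preceding `math.randomseed(...)`; if it is meant to catch an argument-less `math.randomseed()`, the message should name that instead. Part of the `pattern:` block falls in context that may be elided here, so I am flagging the inconsistency rather than the pattern. Either way the message deserves a note that `math.random` is unsuitable for keys, tokens or nonces regardless of seed.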
blob - 7a381b69e7741656bd59e809f0af3a35bc4e5c22
blob + f1d9d60666abefa5ba2de2235c4baa193c7d9379
--- rules/lua/basic/loadstring.yaml
+++ rules/lua/basic/loadstring.yaml
rules:
- id: loadstring
- pattern-either:
- - patterns:
- - pattern-not: loadstring("...")
- - pattern: loadstring(...)
- - patterns:
- - pattern-not: load("...")
- - pattern: load(...)
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
message: >-
Detected the use of loadstring(). loadstring() can be dangerous if used
to evaluate dynamic content. If this content can be input from outside the
content is not definable by external sources.
languages: [lua]
severity: WARNING
+ pattern-either:
+ - patterns:
+ - pattern-not: loadstring("...")
+ - pattern: loadstring(...)
+ - patterns:
+ - pattern-not: load("...")
+ - pattern: load(...)
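Review bot: The `pattern-either` re-added at the end matches both `loadstring(...)` and `load(...)`, but the message only mentions `loadstring()`, so a finding on `load(data)` gives no explanation. Start the message with `Detected load()/loadstring() on a non-literal chunk. Evaluating dynamic content executes it as Lua code...`. The other rules in this change carry `cwe:` entries, so add `cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"` under the new `metadata:` block for consistency.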
blob - 3ac7d7dad6a6f07cb05d2391a8fda9c8846b7b90
blob + db6fc07c6702e58dcbc28177bdee670d88284ed5
--- rules/lua/basic/magic_number.yaml
+++ rules/lua/basic/magic_number.yaml
rules:
- id: magic_number
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: magic_number
+ languages: [lua]
+ severity: INFO
patterns:
- pattern-either:
- pattern: ... < ...
- pattern: ... and ...
- pattern: $FN(..., ..., ...)
- pattern-regex: \d
- message: magic_number
- languages: [lua]
- severity: INFO
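Review bot: The new `message: magic_number` is a placeholder that repeats the rule id, so findings carry no explanation; replace it with `Numeric literal used directly in an expression; give it a named local constant.`. The `pattern-regex: \d` filter accepts any digit in the matched span, so `t[1]`, `x > 0` and `n - 1` will all report, which is the noise magic-number linters normally exclude; `\b(?!0\b|1\b)\d+\b` keeps only literals other than 0 and 1. Part of the pattern list sits in context that may be elided in this view.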
blob - ab25d531ef3838013669c87b6af7b8341e2564d4
blob + e0e2d1d5a4b54f8d619704e1577358c0e0a27a8d
--- rules/lua/basic/pcall_err_handling.yaml
+++ rules/lua/basic/pcall_err_handling.yaml
rules:
- id: pcall_err_handling
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: pcall_err_handling
+ languages: [lua]
+ severity: INFO
patterns:
- pattern: $RES, $ERR = pcall(...)
- pattern-not: if $RES then ... end
- pattern-not: if $ERR then ... end
- message: pcall_err_handling
- languages: [lua]
- severity: INFO
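Review bot: The most common check, `if not ok then error(err) end`, is not excluded: `pattern-not: if $RES then ... end` only matches the bound identifier as the whole condition, so `not ok` (and `assert(ok, err)`) still report as unhandled. Add `- pattern-not: if not $RES then ... end` and `- pattern-not: assert($RES, ...)` next to the existing clauses. The added `message: pcall_err_handling` is a placeholder; `Result of pcall() is never checked; test $RES and handle $ERR.` tells the reader what to fix. Naming the second return `$ERR` is also slightly misleading, since on success it holds the protected call's first return value.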
blob - a48bb14651abd24569bdfa98295b7fb64332e9c6
blob + d4d87eced1e6b4ed4035b896c756554b9ecd14e4
--- rules/lua/basic/pcall_with_method.yaml
+++ rules/lua/basic/pcall_with_method.yaml
rules:
- id: pcall_with_method
- pattern: pcall($OBJ.$F)
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
message: Use pcall(self.func, self).
languages: [lua]
severity: WARNING
+ pattern: pcall($OBJ.$F)
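Review bot: The restored `pattern: pcall($OBJ.$F)` matches only a call with no extra arguments, so `pcall(obj.method, 1)`, which drops `self` just the same, is never reported. Use `pattern: pcall($OBJ.$F, ...)` inside a `patterns:` block together with `pattern-not: pcall($OBJ.$F, $OBJ, ...)` so the correct form is the only one excluded. The message could then echo the bound names: `pcall($OBJ.$F) loses the receiver; call pcall($OBJ.$F, $OBJ, ...) instead.`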
blob - 6d639d8e3bd26e9fc496c06c374bbbedb95d10d2
blob + ebfa43edaa1c9d2cfa05e36ae03ef0dc73d43a40
--- rules/lua/basic/print.yaml
+++ rules/lua/basic/print.yaml
rules:
- id: print
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: |
+ "print()" is not capable for printing Lua tables, functions and threads.
+ languages: [lua]
+ severity: INFO
pattern-either:
- patterns:
- pattern: print(...)
- pattern-not: |
$CO = coroutine.create(...)
print(..., $CO, ...)
- message: |
- "print()" is not capable for printing Lua tables, functions and threads.
- languages: [lua]
- severity: INFO
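Review bot: The relocated message claims `print()` cannot print tables, functions and threads, but print() passes each argument through tostring(), so those values do print, as an address such as `table: 0x...`; the point the rule wants to make is that the output is useless. Suggested text: `print() renders tables, functions and threads only as an address (e.g. "table: 0x..."); serialize the value first.` As far as the visible context shows, the positive pattern is a bare `print(...)` with only the coroutine case excluded, so string and number prints report too; pattern lines may be elided here, but the fixture should cover `print("x")` as an ok case.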
blob - 06055f4743b500d0a13814582bd9f5ed101fbd45
blob + 987146e79eaf6bda65b62118532a298e27e7b00a
--- rules/lua/basic/require_inside_func.yaml
+++ rules/lua/basic/require_inside_func.yaml
rules:
- id: require_inside_func
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: |
+ Function "require()" shouldn't be used inside functions.
+ languages: [lua]
+ severity: INFO
pattern-either:
- pattern: |
function(...)
require($M)
...
end
- message: |
- Function "require()" shouldn't be used inside functions.
- languages: [lua]
- severity: INFO
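Review bot: The visible pattern only matches an anonymous `function(...)` whose first statement is `require($M)`, so `local function f()` / `function M.f()` definitions, and a require preceded by any other statement, are not reported. A `patterns:` block with `pattern-inside: function(...) ... end` (plus the named forms) and `pattern: require($M)` covers them. The message should also give the reason, since `require` caches in `package.loaded` and the concern is visibility and repeated lookup rather than repeated loading: `require($M) inside a function body; move it to module scope so the dependency is visible and resolved once.` Lines of the pattern may be elided in this view.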
blob - f19f2b1e1658affc577fa8cd6179b7be91c97058
blob + 868af1207f0be56433e6981403ed9b8ed83c31f8
--- rules/lua/basic/setting_looping_variables.yaml
+++ rules/lua/basic/setting_looping_variables.yaml
rules:
- id: setting_looping_variables
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ references:
+ - http://www.lua.org/manual/5.4/manual.html#3.3.5
+ message: |
+ In a loop the looping variables key and value are locals. So reassigning
+ them, it just changes the value referenced by the local variable. After
+ the first run of the loop, locals run out of scope and are discarded.
+ To change the value in the table reference to the table itself like
+ `t[key] = "hello"`.
+ languages: [lua]
+ severity: WARNING
patterns:
- pattern-inside: |
for $K, $V in ... do
$K = ...
...
end
- message: |
- In a loop the looping variables key and value are locals. So reassigning
- them, it just changes the value referenced by the local variable. After
- the first run of the loop, locals run out of scope and are discarded.
- To change the value in the table reference to the table itself like
- `t[key] = "hello"`.
- metadata:
- references:
- - http://www.lua.org/manual/5.4/manual.html#3.3.5
- languages: [lua]
- severity: WARNING
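Review bot: The visible pattern reports only a reassignment of the key (`$K = ...`), while the message is about changing the value, which is the far more common mistake (`for k, v in pairs(t) do v = v + 1 end`); unless an elided line already covers it, add `$V = ...` as a second `pattern-inside` alternative. The relocated message could also be tightened: `Loop variables $K and $V are locals; assigning to them does not modify the table. Write t[$K] = ... instead.` Elided context may hide more of the pattern, so treat this as a check rather than a confirmed defect.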
blob - b83480fdf33935a93fb3fc670df5ff08c1780c70
blob + 981001de838c8a9cf29e3d5da8685700772d9026
--- rules/lua/basic/trace_enabled.yaml
+++ rules/lua/basic/trace_enabled.yaml
rules:
- id: trace_enabled
- patterns:
- - pattern: debug.sethook(...)
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
message: Using `debug.sethook()` will slowdown your code.
languages: [lua]
severity: INFO
+ patterns:
+ - pattern: debug.sethook(...)
blob - bd1afc4adc226449278d449899d5ba3b08d52321
blob + 082ac0cf6182195a47ae54789059211d4d5fc99a
--- rules/lua/basic/unsafe_function.yaml
+++ rules/lua/basic/unsafe_function.yaml
rules:
- id: unsafe_function
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: Using unsafe function.
+ # https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html
+ languages: [lua]
+ severity: WARNING
pattern-either:
- pattern: os.execute(...)
- pattern: io.popen(...)
- pattern: loadfile(...)
- pattern: dofile(...)
- pattern: os.remove(...)
- message: Using unsafe function.
- languages: [lua]
- severity: WARNING
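Review bot: The fuzz-introspector link is left as a `#` comment inside the new `metadata:` block instead of a `references:` entry like every other rule in this change, so tooling that surfaces references will not show it; move it to `references:` and state the actual risk in the message, e.g. `Sink function that runs a command, loads code or deletes a file from a possibly attacker-controlled argument; validate the input or avoid the call.`. `os.execute`/`io.popen` map to CWE-78 and `loadfile`/`dofile` to CWE-94, so a `cwe:` list would make the finding actionable. Part of the pattern list may be elided in this view.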
blob - 74fa172c2fcde6c919e6c558a0ca7241e67d226c
blob + c608983072cebc3b2dd8b61bef3d4fa2ea1fe93a
--- rules/lua/basic/use_fd_after_close.yaml
+++ rules/lua/basic/use_fd_after_close.yaml
+# Фалсит ужасно.
+# home.sergeyb.sources.semgrep-rules.rules.lua.tarantool.fio.use_fd_after_close
+# use_fd_after_close
+
+# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')};
+# ⋮┆----------------------------------------
+# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')};
+# ⋮┆----------------------------------------
+# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')};
+# ⋮┆----------------------------------------
+# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')};
+
rules:
- id: use_fd_after_close
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: use_fd_after_close
+ languages: [lua]
+ severity: ERROR
patterns:
- pattern-either:
- pattern: |
- pattern: io.write($FD)
- pattern: io.input($FD)
- pattern: io.output($FD)
- message: use_fd_after_close
- languages: [lua]
- severity: ERROR
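Review bot: The file now opens with a pasted Semgrep run (including the author's home-directory path) and the Russian comment `Фалсит ужасно.` ("false-positives terribly"), while the rule keeps `severity: ERROR` and a placeholder `message: use_fd_after_close`; a rule its own author documents as badly noisy should not ship at ERROR. In the visible alternatives (`io.write($FD)`, `io.input($FD)`, `io.output($FD)`) nothing ties `$FD` to a preceding close, which would explain the noise; either add that binding or drop to `severity: INFO` and replace the raw output with an English `# TODO: known false positives, see <issue>`. The message should read `File object "$FD" is used after $FD:close()/io.close($FD).`. Elided context may hold the missing binding pattern.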
blob - 2a8977403d062bce79f2de71df483339e6b510f0
blob + 56f222899132bdb2c2257c8860b610ff62427f56
--- rules/lua/basic/writing_to_file_in_read_mode.yaml
+++ rules/lua/basic/writing_to_file_in_read_mode.yaml
rules:
- id: writing_to_file_in_read_mode
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: |
+ The file object "$FD" was opened in read mode, but is being
+ written to. This will cause a runtime error.
+ severity: ERROR
+ languages: [lua]
patterns:
- pattern: |
$FD = io.open($NAME, $MODE)
- metavariable-pattern:
metavariable: $MODE
pattern-regex: "r"
- message: |
- The file object "$FD" was opened in read mode, but is being
- written to. This will cause a runtime error.
- severity: ERROR
- languages: [lua]
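Review bot: The mode check `pattern-regex: "r"` is unanchored, so it also accepts `"r+"` (and `"r+b"`), which open the file for update; a write on such a handle is valid, yet the rule reports it as a runtime error. Anchor the regex to the read-only modes: `pattern-regex: "^[\"']rb?[\"']$"`. The `$FD:write(...)` clause the message refers to is not in the visible context, so I have only checked the mode test. The relocated message could also name the mode: `File object "$FD" was opened with mode $MODE (read-only) but is written to; the write will fail at runtime.`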
blob - 57fb3cb66ec9bc1031f66c04abb4c7c71b23b59e
blob + a054e736f169019ed4c78fe77fb052c1231c50c0
--- rules/lua/luajit/jit/partial.yaml
+++ rules/lua/luajit/jit/partial.yaml
All aspects of Lua are implemented in LuaJIT's interpreter, but not all of
them are implemented in LuaJIT's JIT compiler.
- Function bay be JIT-compiled, depending on the circumstances. Otherwise
+ Function may be JIT-compiled, depending on the circumstances. Otherwise
will fall back to the interpreter or stitch.
languages: [lua]
metadata:
blob - 190a20d4461bab14175f5bbf28c4f44304769d41
blob + baa39d6482cbdff823831c31ca11bfcbb42d1dcd
--- rules/lua/tarantool/box/box_cfg_raw_access.yaml
+++ rules/lua/tarantool/box/box_cfg_raw_access.yaml
rules:
- id: box_cfg_raw_access
- pattern: box.cfg.$OPT = $VALUE
- message: box_cfg_raw_access
- languages: [lua]
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
+ - https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_cfg/
- https://github.com/tarantool/tarantool/issues/2867
+ message: box_cfg_raw_access
+ languages: [lua]
severity: WARNING
+ pattern: box.cfg.$OPT = $VALUE
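Review bot: `message: box_cfg_raw_access` repeats the rule id, so the finding does not tell the developer what is wrong or what to do. Going by the linked box.cfg reference and issue #2867, the point is presumably that assigning to a field of `box.cfg` does not reconfigure the instance, so the message should say `Direct assignment box.cfg.$OPT = ... does not apply configuration; call box.cfg{$OPT = ...} instead.` — please confirm against the issue. Since the rewrite is mechanical, a `fix: box.cfg{$OPT = $VALUE}` would also be reasonable here.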
blob - bead57b0cd17f2e1add833a9ca5f004e7a0b0cdc
blob + 3d4909e4e105f29c56d0a63a73366b059c6dab58
--- rules/lua/tarantool/box/grant_guest_full_access.yaml
+++ rules/lua/tarantool/box/grant_guest_full_access.yaml
rules:
- id: grant_guest_full_access
- patterns:
- - pattern: box.schema.user.grant('guest', $PRIVELEGE, 'universe')
- message: Пользователю guest не предоставляют полный доступ на universe.
- languages: [lua]
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
- https://www.tarantool.io/ru/doc/latest/book/admin/access_control/
+ message: Пользователю guest предоставляют полный доступ на universe.
+ languages: [lua]
severity: WARNING
+ patterns:
+ - pattern: box.schema.user.grant('guest', $PRIVELEGE, 'universe')
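Review bot: This is the one rule in the set that flags an actual access-control hole (`guest` is Tarantool's unauthenticated user, so any privilege on `universe` is anonymous access to everything), yet it stays at `severity: WARNING` with a Russian statement as its message; raise it to `severity: ERROR` and give an English, actionable text: `Granting $PRIVELEGE on 'universe' to 'guest' gives unauthenticated clients that access; grant to a named user or role instead.`. The metavariable is misspelled (`$PRIVELEGE` → `$PRIVILEGE`), harmless to matching but it propagates into messages and copy-paste. The pattern also misses the equivalent `box.schema.user.grant('guest', 'super')` (built-in super role) and a double-quoted `"guest"` unless the Lua matcher normalizes quote style; both deserve a fixture case.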
blob - 2f963d9d1901495cceb573114935688235e6f7b5
blob + 76767e3161f59f4f08918d8bedc2bcfcc91b1940
--- rules/lua/tarantool/box/missed_if_not_exist.yaml
+++ rules/lua/tarantool/box/missed_if_not_exist.yaml
rules:
- id: missed_if_not_exist
+ metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
+ message: if_not_exist
+ languages: [lua]
+ severity: WARNING
pattern-either:
- patterns:
- pattern-inside: box.schema.space.create(...)
#- pattern: |
# $SPACE = box.schema.space.create(...)
# $SPACE:create_index($NAME, { if_not_exists = true })
- message: if_not_exist
- languages: [lua]
- severity: WARNING
# TODO: box.schema.user.grant()
# https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_schema/user_grant/
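Review bot: `message: if_not_exist` is a placeholder, and the commented-out pattern plus the TODO show the rule is unfinished, so it will fire (or not) without telling the user why. As the visible block stands, `pattern-inside: box.schema.space.create(...)` has no positive `pattern` beneath it; if that is not an elision artifact, the rule needs `pattern: box.schema.space.create($NAME)` with `pattern-not: box.schema.space.create($NAME, {..., if_not_exists = true, ...})`, noting that per the Tarantool docs `if_not_exists` is an option of the space create itself, not only of `create_index`. A message such as `box.schema.space.create() without if_not_exists = true fails on the second run (re-bootstrap, migration); pass {if_not_exists = true}.` closes the loop.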
blob - e8745990154b6fe3d226611c5401cdb94fe68562
blob + 46425fdf117f7f17c9618abfec8193a2c31505ca
--- rules/lua/tarantool/box/set_trigger_once.yaml
+++ rules/lua/tarantool/box/set_trigger_once.yaml
rules:
- id: set_trigger_once
- patterns:
- - pattern: box.$SPACE:before_replace(...)
- - pattern-not: box.$SPACE:before_replace($NEW, $OLD)
- message: set_trigger_once
- languages: [lua]
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
- https://www.tarantool.io/en/doc/latest/concepts/triggers/
+ message: set_trigger_once
+ languages: [lua]
severity: WARNING
+ patterns:
+ - pattern: box.$SPACE:before_replace(...)
+ - pattern-not: box.$SPACE:before_replace($NEW, $OLD)
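Review bot: The message `set_trigger_once` repeats the id; from the pattern pair (a `before_replace(fn)` call without the second old-trigger argument) the intent is to catch triggers re-registered on every reload, so say so: `before_replace() without the old-trigger argument registers an additional trigger on each call; pass the previous function to replace it.`. It is also unclear whether `box.$SPACE:before_replace(...)` matches the usual `box.space.<name>:before_replace(...)`, since `box.space.name` is two field accesses and `$SPACE` binds one; add a fixture with that form and a `box.space[$NAME]` variant. The metavariables `$NEW, $OLD` would read better as `$FN, $OLD_FN`, matching the documented parameter roles.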
blob - 524eaf3e6d04698fe528cb708b01debc92804ef6
blob + 323f953bc43fab6c1789ff68d80aa9576812c8d2
--- rules/lua/tarantool/crypto/insecure-hash-algorithm.yaml
+++ rules/lua/tarantool/crypto/insecure-hash-algorithm.yaml
rules:
- id: insecure-hash-algorithm
- pattern-either:
- - pattern: |
- $M = require("crypto")
- ...
- $M.cipher.des.$MODE.encrypt(...)
- fix-regex:
- regex: des
- replacement: aes
- message: |
- Detected DES cipher algorithm which is insecure. The algorithm is
- considered weak and has been deprecated. Use AES instead.
- languages: [lua]
metadata:
references:
- https://www.tarantool.io/en/doc/latest/reference/reference_lua/crypto/
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+ message: |
+ Detected DES cipher algorithm which is insecure. The algorithm is
+ considered weak and has been deprecated. Use AES instead.
+ languages: [lua]
severity: WARNING
+ pattern-either:
+ - pattern: |
+ $M = require("crypto")
+ ...
+ $M.cipher.des.$MODE.encrypt(...)
+ fix-regex:
+ regex: des
+ replacement: aes
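Review bot: The re-added `fix-regex` rewrites `des` to `aes`, but the Tarantool crypto reference this rule links exposes `aes128`/`aes192`/`aes256` (alongside `des`) as the cipher names rather than a bare `aes` — verify against the linked page — so the autofix would turn a working call into a nil-index error; use `replacement: aes256` (and say the key must become 32 bytes) or drop the autofix. The pattern also matches only `$M.cipher.des.$MODE.encrypt(...)`; a `decrypt(...)` call is just as much a DES use. The rule id and file name say `insecure-hash-algorithm` while it detects a cipher, and `A02:2021 - Cryptographic Failures` sits under `references:` instead of `owasp:` as in the digest rules; the `cwe:` entry is right.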
blob - cf7016955949963a7fce9016cb29e016c6996978
blob + a9ba6b31c3b0cce4686597fc798a3b871e959ebc
--- rules/lua/tarantool/digest/insecure-hash-algorithm.yaml
+++ rules/lua/tarantool/digest/insecure-hash-algorithm.yaml
rules:
- id: insecure-hash-algorithm-md4
- pattern: |
- $M = require("digest")
- ...
- $M.md4(...)
- fix-regex:
- regex: md5
- replacement: sha256
- message: |
- Detected use of an insecure MD4 hash function.
- This function have known vulnerabilities and is considered deprecated.
- Consider using "SHA256" or a similar function instead.
- languages: [lua]
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
- https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/
cwe:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
+ message: |
+ Detected use of an insecure MD4 hash function.
+ This function have known vulnerabilities and is considered deprecated.
+ Consider using "SHA256" or a similar function instead.
+ languages: [lua]
severity: WARNING
-
- - id: insecure-hash-algorithm-md5
pattern: |
$M = require("digest")
...
- $M.md5(...)
+ $M.md4(...)
fix-regex:
regex: md5
replacement: sha256
- message: |
- Detected MD5 hash algorithm which is considered insecure. MD5 is not
- collision resistant and is therefore not suitable as a cryptographic
- signature. Use SHA256 or SHA3 instead.
- languages: [lua]
+
+ - id: insecure-hash-algorithm-md5
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
- https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/
- https://tools.ietf.org/html/rfc6151
- https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp: "A3: Sensitive Data Exposure"
+ message: |
+ Detected MD5 hash algorithm which is considered insecure. MD5 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Use SHA256 or SHA3 instead.
+ languages: [lua]
severity: WARNING
-
- - id: insecure-hash-algorithm-sha1
pattern: |
$M = require("digest")
...
- $M.sha1(...)
+ $M.md5(...)
fix-regex:
- regex: sha1
+ regex: md5
replacement: sha256
- message: |
- Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
- collision resistant and is therefore not suitable as a cryptographic
- signature. Use SHA256 or SHA3 instead.
- languages: [lua]
+
+ - id: insecure-hash-algorithm-sha1
metadata:
+ author: Sergey Bronnikov <estetus@gmail.com>
references:
- https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/
- https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
+ message: |
+ Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Use SHA256 or SHA3 instead.
+ languages: [lua]
severity: WARNING
+ pattern: |
+ $M = require("digest")
+ ...
+ $M.sha1(...)
+ fix-regex:
+ regex: sha1
+ replacement: sha256
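Review bot: The MD4 rule's autofix is left with `regex: md5` (the context lines under the moved `pattern`), so for a `$M.md4(...)` finding the replacement never applies; it should be `regex: md4`. The metadata is also inconsistent across the three rules: the MD4 block has an empty `cwe:` (a YAML null), the MD5 block uses a scalar `owasp: "A3: ..."` where the others use a list with the 2021 id, and the SHA-1 block has no `cwe:` at all — give all three `cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"`. The `sha256` autofix is fine for integrity hashes but not for password storage, which each message could state so the fix is not read as a complete remedy.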