commit 289af9cae9bd370a1f704c7a3ba16a1bf2b73cea from: Sergey Bronnikov via: Sergey Bronnikov date: Thu Aug 08 14:32:30 2024 UTC rules: update metadata sections commit - 246324df16d78ed9ef39467ac96ab796d34cafd1 commit + 289af9cae9bd370a1f704c7a3ba16a1bf2b73cea blob - daf42933e5b1f6dbbb42c53966d9150889c4fbc7 blob + efd83c0db33397b96d8eedf815eed2e90a224879 --- rules/lua/basic/cmp_by_reference.yaml +++ rules/lua/basic/cmp_by_reference.yaml @@ -1,5 +1,14 @@ rules: - id: cmp_reference + metadata: + author: Sergey Bronnikov + references: + - https://www.lua.org/manual/5.3/manual.html#pdf-rawequal + message: + It is not possible to compare tables, threads and functions when + "__eq", "__lt" and "le" methods are undefined. + languages: [lua] + severity: WARNING pattern-either: - pattern: $OBJ1 < ... - pattern: $OBJ1 > ... @@ -16,8 +25,3 @@ rules: - pattern-either: - pattern: $OBJ1 = coroutine.create(...) - pattern: $OBJ1 = function(...) ... end - message: - It is not possible to compare tables, threads and functions when - "__eq", "__lt" and "le" methods are undefined. - languages: [lua] - severity: WARNING blob - 4b3fdf8993a7d31ee7a515185db00c709591543b blob + beac85b8cfead60b22e60e1baaf03dbec4c57460 --- rules/lua/basic/fd_leak.yaml +++ rules/lua/basic/fd_leak.yaml @@ -1,5 +1,13 @@ rules: - id: fd_leak + metadata: + author: Sergey Bronnikov + references: + - https://cwe.mitre.org/data/definitions/403.html + message: + The file object "$FD" opened without corresponding close. + languages: [lua] + severity: ERROR patterns: - pattern-either: - pattern-inside: | @@ -13,7 +21,3 @@ rules: ... - pattern-not: $FD:close() - pattern-not: io.close($FD) - message: - The file object "$FD" opened without corresponding close. - languages: [lua] - severity: ERROR blob - 23e3a5304abfbc5b8bb6ea69e713641676c0fbcd blob + 4cf861661b8ced75f9e02536d699114fd5b77827 --- rules/lua/basic/func_inside_func.yaml +++ rules/lua/basic/func_inside_func.yaml 
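Review bot: The rule message added under `metadata:` in the first `cmp_by_reference` hunk names the third metamethod as `"le"`, but the Lua metamethod is `__le`, so the text should read `... when "__eq", "__lt" and "__le" metamethods are undefined.` The wording is also broader than the patterns: `==` between two tables never raises (without `__eq` it compares identity), whereas the `$OBJ1 < ...` / `$OBJ1 > ...` patterns in this hunk are the order operators, which do raise "attempt to compare two table values" — so unless the rest of the `pattern-either` (outside this hunk) has an `==` case, I would phrase it as `Ordering comparisons (<, <=, >, >=) of tables, threads or functions raise a runtime error unless the operand defines "__lt"/"__le".` The reference link points at `rawequal`, which documents `==`; §3.4.4 "Relational Operators" of the same manual matches the order-operator patterns better.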
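Review bot: The reference added for `fd_leak` is CWE-403, "Exposure of File Descriptor to Unintended Control Sphere", which covers a descriptor inherited by a child process, not the unreleased handle this rule reports (an `$FD` with no `$FD:close()` / `io.close($FD)`, per the `pattern-not` lines in the second hunk). The matching weakness is CWE-775, "Missing Release of File Descriptor or Handle after Effective Lifetime": `- https://cwe.mitre.org/data/definitions/775.html`. Anyone triaging by CWE would otherwise route these findings to the wrong class. The message could also name the fix, in the style of its siblings: `The file object "$FD" is opened but never closed; call $FD:close() (or io.close($FD)) on every exit path.`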
@@ -1,5 +1,11 @@ rules: - id: func_inside_func + metadata: + author: Sergey Bronnikov + message: | + Function shouldn't be declared inside functions. + languages: [lua] + severity: INFO pattern-either: - pattern-inside: | $FN1 = function(...) @@ -32,7 +38,3 @@ rules: end ... end - message: | - Function shouldn't be declared inside functions. - languages: [lua] - severity: INFO blob - 9292ee2e047e5377ee9a7d298b7ba16e99d1a0e8 blob + c32149c001d98018a08f87a74b1d9816c0eb766a --- rules/lua/basic/init_rng_without_seed.lua +++ rules/lua/basic/init_rng_without_seed.lua @@ -1,8 +1,8 @@ -- ruleid: init_rng_without_seed -math.random() +math.randomseed() -- ok: init_rng_without_seed -math.random(os.time()) +math.randomseed(os.time()) -- ok: init_rng_without_seed -math.random(384) +math.randomseed(384) blob - 6c50db91c69ce4e811ff303ae58a4c7a9c5e082c blob + eff056c95d9bd1111cd587363bf972e635d53bc6 --- rules/lua/basic/init_rng_without_seed.yaml +++ rules/lua/basic/init_rng_without_seed.yaml @@ -1,5 +1,10 @@ rules: - id: init_rng_without_seed + metadata: + author: Sergey Bronnikov + message: math.random() is used without random seed. + languages: [lua] + severity: INFO patterns: - pattern: | ... @@ -9,6 +14,3 @@ rules: ... math.random() ... - message: math.random() is used without random seed. - languages: [lua] - severity: INFO blob - 7a381b69e7741656bd59e809f0af3a35bc4e5c22 blob + f1d9d60666abefa5ba2de2235c4baa193c7d9379 --- rules/lua/basic/loadstring.yaml +++ rules/lua/basic/loadstring.yaml @@ -1,12 +1,7 @@ rules: - id: loadstring - pattern-either: - - patterns: - - pattern-not: loadstring("...") - - pattern: loadstring(...) - - patterns: - - pattern-not: load("...") - - pattern: load(...) + metadata: + author: Sergey Bronnikov message: >- Detected the use of loadstring(). loadstring() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the 
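Review bot: The `ruleid:` case in `init_rng_without_seed.lua` now reads `math.randomseed()` while the rule's message, moved into `metadata:` in the same commit, still says `math.random() is used without random seed`, so the test and the message no longer describe the same construct; either the message should become `math.randomseed() is called without a seed, or math.random() is used before seeding` or the test should keep `math.random()`. The no-argument form is version-dependent: Lua 5.4 seeds from a weakly random value, while PUC Lua 5.1–5.3 raise "bad argument #1 to 'randomseed'", and I cannot tell from here which LuaJIT behavior the corpus assumes, so the message should say which interpreter it targets. The two `ok:` lines deserve a caveat in the message rather than in the test: `math.randomseed(os.time())` and `math.randomseed(384)` are predictable seeds and `math.random` is not a CSPRNG, so seeding does not make it usable for tokens or keys (CWE-338 would be the reference if that point is added).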
@@ -14,3 +9,10 @@ rules: content is not definable by external sources. languages: [lua] severity: WARNING + pattern-either: + - patterns: + - pattern-not: loadstring("...") + - pattern: loadstring(...) + - patterns: + - pattern-not: load("...") + - pattern: load(...) blob - 3ac7d7dad6a6f07cb05d2391a8fda9c8846b7b90 blob + db6fc07c6702e58dcbc28177bdee670d88284ed5 --- rules/lua/basic/magic_number.yaml +++ rules/lua/basic/magic_number.yaml @@ -1,5 +1,10 @@ rules: - id: magic_number + metadata: + author: Sergey Bronnikov + message: magic_number + languages: [lua] + severity: INFO patterns: - pattern-either: - pattern: ... < ... @@ -12,6 +17,3 @@ rules: - pattern: ... and ... - pattern: $FN(..., ..., ...) - pattern-regex: \d - message: magic_number - languages: [lua] - severity: INFO blob - ab25d531ef3838013669c87b6af7b8341e2564d4 blob + e0e2d1d5a4b54f8d619704e1577358c0e0a27a8d --- rules/lua/basic/pcall_err_handling.yaml +++ rules/lua/basic/pcall_err_handling.yaml @@ -1,9 +1,11 @@ rules: - id: pcall_err_handling + metadata: + author: Sergey Bronnikov + message: pcall_err_handling + languages: [lua] + severity: INFO patterns: - pattern: $RES, $ERR = pcall(...) - pattern-not: if $RES then ... end - pattern-not: if $ERR then ... end - message: pcall_err_handling - languages: [lua] - severity: INFO blob - a48bb14651abd24569bdfa98295b7fb64332e9c6 blob + d4d87eced1e6b4ed4035b896c756554b9ecd14e4 --- rules/lua/basic/pcall_with_method.yaml +++ rules/lua/basic/pcall_with_method.yaml @@ -1,6 +1,8 @@ rules: - id: pcall_with_method - pattern: pcall($OBJ.$F) + metadata: + author: Sergey Bronnikov message: Use pcall(self.func, self). languages: [lua] severity: WARNING + pattern: pcall($OBJ.$F) blob - 6d639d8e3bd26e9fc496c06c374bbbedb95d10d2 blob + ebfa43edaa1c9d2cfa05e36ae03ef0dc73d43a40 --- rules/lua/basic/print.yaml +++ rules/lua/basic/print.yaml 
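Review bot: The patterns re-added in this `loadstring` hunk match `load(...)` as well as `loadstring(...)`, but the message (just above the hunk) only names `loadstring()`, and the new `metadata:` block carries no weakness reference while the crypto rules in this commit have `cwe:`/`owasp:`. I'd add `cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"` and start the message with `Detected load()/loadstring() on a non-literal chunk.` Because `load` also takes a reader function and an explicit environment, the remediation text could point at the latter: a chunk from untrusted input should at least be loaded as text only with a restricted environment (`load(s, name, "t", sandbox)`), which blocks bytecode and direct access to globals — hedged, since whether that is sufficient depends on what the sandbox exposes.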
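Review bot: `pattern-regex: \d` in the context lines of the `magic_number` hunk matches any digit anywhere in the matched range, so `x < sha256(...)` or `utf8.len(s) > n` is reported as a magic number because of the digit inside the identifier, and combined with `$FN(..., ..., ...)` every three-argument call whose text contains a digit fires. Restricting the regex to a standalone numeric literal keeps the intent: `- pattern-regex: (?<![\w.])\d+(\.\d+)?(?![\w.])`; or bind the operand as `$N` and use `metavariable-regex` so only that token is tested. The message `magic_number` just repeats the id; `Numeric literal used inline; name it as a local constant.` tells the reader what to do.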
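Review bot: The `pattern-not: if $RES then ... end` exclusion in the `pcall_err_handling` hunk only removes the positive form, so the idiomatic check `if not $RES then error($ERR) end` and `assert($RES, $ERR)` are still reported; at `severity: INFO` that mostly teaches people to ignore the rule. Add `- pattern-not: if not $RES then ... end` and `- pattern-not: assert($RES, ...)` beside the existing exclusions, and consider `pattern-not-inside` so the check may appear anywhere later in the same scope. The message `pcall_err_handling` repeats the id; `Result of pcall() is stored in $RES/$ERR but never checked.` states the finding.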
@@ -1,5 +1,11 @@ rules: - id: print + metadata: + author: Sergey Bronnikov + message: | + "print()" is not capable for printing Lua tables, functions and threads. + languages: [lua] + severity: INFO pattern-either: - patterns: - pattern: print(...) @@ -21,7 +27,3 @@ rules: - pattern-not: | $CO = coroutine.create(...) print(..., $CO, ...) - message: | - "print()" is not capable for printing Lua tables, functions and threads. - languages: [lua] - severity: INFO blob - 06055f4743b500d0a13814582bd9f5ed101fbd45 blob + 987146e79eaf6bda65b62118532a298e27e7b00a --- rules/lua/basic/require_inside_func.yaml +++ rules/lua/basic/require_inside_func.yaml @@ -1,5 +1,11 @@ rules: - id: require_inside_func + metadata: + author: Sergey Bronnikov + message: | + Function "require()" shouldn't be used inside functions. + languages: [lua] + severity: INFO pattern-either: - pattern: | function(...) @@ -13,7 +19,3 @@ rules: require($M) ... end - message: | - Function "require()" shouldn't be used inside functions. - languages: [lua] - severity: INFO blob - f19f2b1e1658affc577fa8cd6179b7be91c97058 blob + 868af1207f0be56433e6981403ed9b8ed83c31f8 --- rules/lua/basic/setting_looping_variables.yaml +++ rules/lua/basic/setting_looping_variables.yaml @@ -1,5 +1,17 @@ rules: - id: setting_looping_variables + metadata: + author: Sergey Bronnikov + references: + - http://www.lua.org/manual/5.4/manual.html#3.3.5 + message: | + In a loop the looping variables key and value are locals. So reassigning + them, it just changes the value referenced by the local variable. After + the first run of the loop, locals run out of scope and are discarded. + To change the value in the table reference to the table itself like + `t[key] = "hello"`. + languages: [lua] + severity: WARNING patterns: - pattern-inside: | for $K, $V in ... do 
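Review bot: The message added for `print` — `"print()" is not capable for printing Lua tables, functions and threads.` — is ungrammatical and slightly off: `print` accepts those values, it just emits `tostring`'s address form (`table: 0x...`) unless a `__tostring` metamethod exists, which is what the rule wants to flag. `print() shows only the address of tables, functions and threads (e.g. "table: 0x..."); serialize the value before printing it.` says that precisely.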
@@ -21,14 +33,3 @@ rules: $K = ... ... end - message: | - In a loop the looping variables key and value are locals. So reassigning - them, it just changes the value referenced by the local variable. After - the first run of the loop, locals run out of scope and are discarded. - To change the value in the table reference to the table itself like - `t[key] = "hello"`. - metadata: - references: - - http://www.lua.org/manual/5.4/manual.html#3.3.5 - languages: [lua] - severity: WARNING blob - b83480fdf33935a93fb3fc670df5ff08c1780c70 blob + 981001de838c8a9cf29e3d5da8685700772d9026 --- rules/lua/basic/trace_enabled.yaml +++ rules/lua/basic/trace_enabled.yaml @@ -1,7 +1,9 @@ rules: - id: trace_enabled - patterns: - - pattern: debug.sethook(...) + metadata: + author: Sergey Bronnikov message: Using `debug.sethook()` will slowdown your code. languages: [lua] severity: INFO + patterns: + - pattern: debug.sethook(...) blob - bd1afc4adc226449278d449899d5ba3b08d52321 blob + 082ac0cf6182195a47ae54789059211d4d5fc99a --- rules/lua/basic/unsafe_function.yaml +++ rules/lua/basic/unsafe_function.yaml @@ -1,5 +1,11 @@ rules: - id: unsafe_function + metadata: + author: Sergey Bronnikov + message: Using unsafe function. + # https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html + languages: [lua] + severity: WARNING pattern-either: - pattern: os.execute(...) - pattern: io.popen(...) @@ -8,6 +14,3 @@ rules: - pattern: loadfile(...) - pattern: dofile(...) - pattern: os.remove(...) - message: Using unsafe function. - languages: [lua] - severity: WARNING blob - 74fa172c2fcde6c919e6c558a0ca7241e67d226c blob + c608983072cebc3b2dd8b61bef3d4fa2ea1fe93a --- rules/lua/basic/use_fd_after_close.yaml +++ rules/lua/basic/use_fd_after_close.yaml 
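Review bot: In the `unsafe_function` hunk the fuzz-introspector URL is left as a YAML comment inside the new `metadata:` block instead of the `references:` list that the other rules in this commit use, so metadata consumers will not see it; make it `references: - https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html`. `Using unsafe function.` is the same message for `os.execute`, `io.popen`, `loadfile`, `dofile` and `os.remove`, which are different weaknesses (command injection, code loading, file deletion), so a reader cannot tell what to fix. Binding the callee (`- pattern: $F(...)` with `metavariable-regex: metavariable: $F regex: ^(os\.execute|io\.popen)$`, or one rule per class) lets the message name it, e.g. `Call to $F runs a shell command; arguments derived from untrusted input are command injection (CWE-78) — allow-list or escape them.` with the matching `cwe:` entry.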
@@ -1,5 +1,22 @@ +# Фалсит ужасно. +# home.sergeyb.sources.semgrep-rules.rules.lua.tarantool.fio.use_fd_after_close +# use_fd_after_close + +# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')}; +# ⋮┆---------------------------------------- +# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')}; +# ⋮┆---------------------------------------- +# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')}; +# ⋮┆---------------------------------------- +# 10┆ endpoints = {string.format("http://%s:2379", os.getenv('ETCD_HOST') or 'etcd')}; + rules: - id: use_fd_after_close + metadata: + author: Sergey Bronnikov + message: use_fd_after_close + languages: [lua] + severity: ERROR patterns: - pattern-either: - pattern: | @@ -38,6 +55,3 @@ rules: - pattern: io.write($FD) - pattern: io.input($FD) - pattern: io.output($FD) - message: use_fd_after_close - languages: [lua] - severity: ERROR blob - 2a8977403d062bce79f2de71df483339e6b510f0 blob + 56f222899132bdb2c2257c8860b610ff62427f56 --- rules/lua/basic/writing_to_file_in_read_mode.yaml +++ rules/lua/basic/writing_to_file_in_read_mode.yaml @@ -1,5 +1,12 @@ rules: - id: writing_to_file_in_read_mode + metadata: + author: Sergey Bronnikov + message: | + The file object "$FD" was opened in read mode, but is being + written to. This will cause a runtime error. + severity: ERROR + languages: [lua] patterns: - pattern: | $FD = io.open($NAME, $MODE) @@ -8,8 +15,3 @@ rules: - metavariable-pattern: metavariable: $MODE pattern-regex: "r" - message: | - The file object "$FD" was opened in read mode, but is being - written to. This will cause a runtime error. - severity: ERROR - languages: [lua] blob - 57fb3cb66ec9bc1031f66c04abb4c7c71b23b59e blob + a054e736f169019ed4c78fe77fb052c1231c50c0 --- rules/lua/luajit/jit/partial.yaml +++ rules/lua/luajit/jit/partial.yaml 
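Review bot: The comment block added at the top of `use_fd_after_close.yaml` is a pasted scanner report — in Russian ("false positives terribly"), naming a different rule path (`...tarantool.fio.use_fd_after_close`) and an `ETCD_HOST` endpoint snippet — which is a debugging note rather than rule documentation, and it now ships in the rule file. The repro belongs in the rule's test file as an `-- ok: use_fd_after_close` case so the false positive stays pinned, and the comment should shrink to an English one-liner such as `# Known false positive: the $FD binding also matches non-handle assignments (see test file).` The rule keeps `severity: ERROR` while its author records it as noisy; until the `$FD` source is constrained (to an `io.open(...)`-style call, which this hunk does not show, so hedged) I'd downgrade it to WARNING.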
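Review bot: `pattern-regex: "r"` on `$MODE` in the second `writing_to_file_in_read_mode` hunk is unanchored, so it matches any mode string containing an `r` — including `"r+"` and `"r+b"`, where writing is legal — and at `severity: ERROR` every read-modify-write open becomes a false positive. Anchor it to the read-only modes: `pattern-regex: '^"rb?"$'` (the bound text includes the quotes; if Semgrep strips them for Lua string literals, `^rb?$`). The message's `This will cause a runtime error.` is also imprecise — in the standard io library `f:write` on a read-only handle does not raise but returns `nil, "Bad file descriptor"`, so unchecked callers silently lose data; `the write fails (returns nil plus an error) and the data is lost` is closer.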
@@ -20,7 +20,7 @@ rules: All aspects of Lua are implemented in LuaJIT's interpreter, but not all of them are implemented in LuaJIT's JIT compiler. - Function bay be JIT-compiled, depending on the circumstances. Otherwise + Function may be JIT-compiled, depending on the circumstances. Otherwise will fall back to the interpreter or stitch. languages: [lua] metadata: blob - 190a20d4461bab14175f5bbf28c4f44304769d41 blob + baa39d6482cbdff823831c31ca11bfcbb42d1dcd --- rules/lua/tarantool/box/box_cfg_raw_access.yaml +++ rules/lua/tarantool/box/box_cfg_raw_access.yaml @@ -1,9 +1,11 @@ rules: - id: box_cfg_raw_access - pattern: box.cfg.$OPT = $VALUE - message: box_cfg_raw_access - languages: [lua] metadata: + author: Sergey Bronnikov references: + - https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_cfg/ - https://github.com/tarantool/tarantool/issues/2867 + message: box_cfg_raw_access + languages: [lua] severity: WARNING + pattern: box.cfg.$OPT = $VALUE blob - bead57b0cd17f2e1add833a9ca5f004e7a0b0cdc blob + 3d4909e4e105f29c56d0a63a73366b059c6dab58 --- rules/lua/tarantool/box/grant_guest_full_access.yaml +++ rules/lua/tarantool/box/grant_guest_full_access.yaml @@ -1,10 +1,11 @@ rules: - id: grant_guest_full_access - patterns: - - pattern: box.schema.user.grant('guest', $PRIVELEGE, 'universe') - message: Пользователю guest не предоставляют полный доступ на universe. - languages: [lua] metadata: + author: Sergey Bronnikov references: - https://www.tarantool.io/ru/doc/latest/book/admin/access_control/ + message: Пользователю guest предоставляют полный доступ на universe. + languages: [lua] severity: WARNING + patterns: + - pattern: box.schema.user.grant('guest', $PRIVELEGE, 'universe') blob - 2f963d9d1901495cceb573114935688235e6f7b5 blob + 76767e3161f59f4f08918d8bedc2bcfcc91b1940 --- rules/lua/tarantool/box/missed_if_not_exist.yaml +++ rules/lua/tarantool/box/missed_if_not_exist.yaml 
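Review bot: The corrected `grant_guest_full_access` message is still in Russian while every other rule touched by this commit is in English, and for a finding that means unauthenticated access `severity: WARNING` undersells it: as I understand Tarantool's access model (the linked admin docs), `guest` is the user a client gets without credentials, so `box.schema.user.grant('guest', ..., 'universe')` hands that privilege to anyone who can reach the port. I'd set `severity: ERROR`, add `cwe: "CWE-306: Missing Authentication for Critical Function"` under `metadata:`, and use `Granting "$PRIVELEGE" on universe to the guest user exposes it to unauthenticated clients.` The pattern only sees the three-argument single-quoted literal form, so `box.schema.user.grant("guest", ...)` and the role form `box.schema.user.grant('guest', 'super')` may be missed; I cannot tell from the hunk whether Semgrep's Lua matcher equates quote styles, so both deserve test cases. `$PRIVELEGE` is misspelled — harmless, but it shows in the message if interpolated.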
@@ -1,5 +1,10 @@ rules: - id: missed_if_not_exist + metadata: + author: Sergey Bronnikov + message: if_not_exist + languages: [lua] + severity: WARNING pattern-either: - patterns: - pattern-inside: box.schema.space.create(...) @@ -10,9 +15,6 @@ rules: #- pattern: | # $SPACE = box.schema.space.create(...) # $SPACE:create_index($NAME, { if_not_exists = true }) - message: if_not_exist - languages: [lua] - severity: WARNING # TODO: box.schema.user.grant() # https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_schema/user_grant/ blob - e8745990154b6fe3d226611c5401cdb94fe68562 blob + 46425fdf117f7f17c9618abfec8193a2c31505ca --- rules/lua/tarantool/box/set_trigger_once.yaml +++ rules/lua/tarantool/box/set_trigger_once.yaml @@ -1,11 +1,12 @@ rules: - id: set_trigger_once - patterns: - - pattern: box.$SPACE:before_replace(...) - - pattern-not: box.$SPACE:before_replace($NEW, $OLD) - message: set_trigger_once - languages: [lua] metadata: + author: Sergey Bronnikov references: - https://www.tarantool.io/en/doc/latest/concepts/triggers/ + message: set_trigger_once + languages: [lua] severity: WARNING + patterns: + - pattern: box.$SPACE:before_replace(...) + - pattern-not: box.$SPACE:before_replace($NEW, $OLD) blob - 524eaf3e6d04698fe528cb708b01debc92804ef6 blob + 323f953bc43fab6c1789ff68d80aa9576812c8d2 --- rules/lua/tarantool/crypto/insecure-hash-algorithm.yaml +++ rules/lua/tarantool/crypto/insecure-hash-algorithm.yaml @@ -1,17 +1,5 @@ rules: - id: insecure-hash-algorithm - pattern-either: - - pattern: | - $M = require("crypto") - ... - $M.cipher.des.$MODE.encrypt(...) - fix-regex: - regex: des - replacement: aes - message: | - Detected DES cipher algorithm which is insecure. The algorithm is - considered weak and has been deprecated. Use AES instead. - languages: [lua] metadata: references: - https://www.tarantool.io/en/doc/latest/reference/reference_lua/crypto/ 
@@ -20,4 +8,16 @@ rules: - A02:2021 - Cryptographic Failures cwe: - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" + message: | + Detected DES cipher algorithm which is insecure. The algorithm is + considered weak and has been deprecated. Use AES instead. + languages: [lua] severity: WARNING + pattern-either: + - pattern: | + $M = require("crypto") + ... + $M.cipher.des.$MODE.encrypt(...) + fix-regex: + regex: des + replacement: aes blob - cf7016955949963a7fce9016cb29e016c6996978 blob + a9ba6b31c3b0cce4686597fc798a3b871e959ebc --- rules/lua/tarantool/digest/insecure-hash-algorithm.yaml +++ rules/lua/tarantool/digest/insecure-hash-algorithm.yaml @@ -1,18 +1,7 @@ rules: - id: insecure-hash-algorithm-md4 - pattern: | - $M = require("digest") - ... - $M.md4(...) - fix-regex: - regex: md5 - replacement: sha256 - message: | - Detected use of an insecure MD4 hash function. - This function have known vulnerabilities and is considered deprecated. - Consider using "SHA256" or a similar function instead. - languages: [lua] metadata: + author: Sergey Bronnikov references: - https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/ cwe: 
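Review bot: The `fix-regex` re-added in the `crypto/insecure-hash-algorithm` hunk rewrites `des` to `aes`, but as far as I recall Tarantool's `crypto.cipher` table exposes `aes128`, `aes192` and `aes256` alongside `des`, not a bare `aes`, so the autofix would produce `$M.cipher.aes.$MODE.encrypt(...)` that fails at runtime; `replacement: aes256` is the safe target — please verify against the linked crypto reference. The regex is also unanchored and, as I read Semgrep's `fix-regex`, applies to every occurrence in the whole matched range, which here spans from `require("crypto")` to the `encrypt` call, so a local named `description` or a string containing `des` in between is rewritten too; `regex: \.des\.` with `replacement: .aes256.` limits it to the cipher selector. The id `insecure-hash-algorithm` and the file name describe a hash rule but this one matches a block cipher; `insecure-cipher-algorithm` would be accurate and would stop the file name colliding with `digest/insecure-hash-algorithm.yaml`.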
@@ -20,44 +9,46 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + message: | + Detected use of an insecure MD4 hash function. + This function have known vulnerabilities and is considered deprecated. + Consider using "SHA256" or a similar function instead. + languages: [lua] severity: WARNING - - - id: insecure-hash-algorithm-md5 pattern: | $M = require("digest") ... - $M.md5(...) + $M.md4(...) fix-regex: regex: md5 replacement: sha256 - message: | - Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use SHA256 or SHA3 instead. - languages: [lua] + + - id: insecure-hash-algorithm-md5 metadata: + author: Sergey Bronnikov references: - https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/ - https://tools.ietf.org/html/rfc6151 - https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" owasp: "A3: Sensitive Data Exposure" + message: | + Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use SHA256 or SHA3 instead. + languages: [lua] severity: WARNING - - - id: insecure-hash-algorithm-sha1 pattern: | $M = require("digest") ... - $M.sha1(...) + $M.md5(...) fix-regex: - regex: sha1 + regex: md5 replacement: sha256 - message: | - Detected SHA1 hash algorithm which is considered insecure. SHA1 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use SHA256 or SHA3 instead. - languages: [lua] + + - id: insecure-hash-algorithm-sha1 metadata: + author: Sergey Bronnikov references: - https://www.tarantool.io/en/doc/latest/reference/reference_lua/digest/ - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html 
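Review bot: On the new side of this hunk the `insecure-hash-algorithm-md4` rule pairs `$M.md4(...)` with `fix-regex: regex: md5`, so its autofix can never apply — the matched text contains `md4`, not `md5` — and if any `md5` substring happened to sit in the range it would be rewritten instead; the line should read `regex: md4`. The same unanchored-substring concern applies to the md5 and sha1 rules, because `fix-regex` runs over the whole match from `require("digest")` to the call; `regex: \.md4\(` with `replacement: .sha256(` (likewise for md5/sha1) confines the rewrite to the call site. Small grammar fix in the md4 message: `This function have known vulnerabilities` → `This function has known weaknesses`.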
@@ -67,4 +58,16 @@ rules: owasp: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures + message: | + Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use SHA256 or SHA3 instead. + languages: [lua] severity: WARNING + pattern: | + $M = require("digest") + ... + $M.sha1(...) + fix-regex: + regex: sha1 + replacement: sha256