semgrep: Use pattern-where-python operator to filter patterns.

See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md#pattern-where-python for usage. This helps us minimize duplication of similar patterns.
2025-10-24 16:43:57 +00:00 · 2020-05-18 21:31:59 +05:30
parent 9442835386
commit 0504c61bfd
2 changed files with 17 additions and 22 deletions
--- a/tools/lint
+++ b/tools/lint
@@ -89,7 +89,16 @@ def run() -> None:
                                  description="Checks commit messages for common formatting errors."
                                  "(config: .gitlint)")

-    semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error"]
+    semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error",
+                       # This option is dangerous in the context of running
+                       # semgrep-as-a-service on untrusted user code, since it
+                       # causes Python code in the rules configuration to be
+                       # executed.  From our standpoint, it is required for
+                       # `pattern-where-python` rules, and there's no real
+                       # security impact, since if you can put arbitrary code
+                       # into zulip.git, you can run arbitrary code in a Zulip
+                       # development environment anyway.
+                       "--dangerously-allow-arbitrary-code-execution-from-rules"]
    linter_config.external_linter('semgrep-py', [*semgrep_command, "--lang=python"], ['py'],
                                  fix_arg='--autofix',
                                  description="Syntactic Grep (semgrep) Code Search Tool "
--- a/tools/semgrep.yml
+++ b/tools/semgrep.yml
@@ -52,27 +52,13 @@ rules:

  - id: logging-format
    languages: [python]
-    pattern-either:
-      - pattern: logging.debug(... % ...)
-      - pattern: logging.debug(... .format(...))
-      - pattern: logger.debug(... % ...)
-      - pattern: logger.debug(... .format(...))
-      - pattern: logging.info(... % ...)
-      - pattern: logging.info(... .format(...))
-      - pattern: logger.info(... % ...)
-      - pattern: logger.info(... .format(...))
-      - pattern: logging.warning(... % ...)
-      - pattern: logging.warning(... .format(...))
-      - pattern: logger.warning(... % ...)
-      - pattern: logger.warning(... .format(...))
-      - pattern: logging.error(... % ...)
-      - pattern: logging.error(... .format(...))
-      - pattern: logger.error(... % ...)
-      - pattern: logger.error(... .format(...))
-      - pattern: logging.critical(... % ...)
-      - pattern: logging.critical(... .format(...))
-      - pattern: logger.critical(... % ...)
-      - pattern: logger.critical(... .format(...))
+    patterns:
+      - pattern-either:
+          - pattern: logging.$Y(... % ...)
+          - pattern: logging.$Y(... .format(...))
+          - pattern: logger.$Y(... % ...)
+          - pattern: logger.$Y(... .format(...))
+      - pattern-where-python: "vars['$Y'] in ['debug', 'info', 'warning', 'error', 'critical']"
    severity: ERROR
    message: "Pass format arguments to logging (https://docs.python.org/3/howto/logging.html#optimization)"