From 0504c61bfde1e9219f6e5f908e85d2e6c1d6859c Mon Sep 17 00:00:00 2001
From: Aman Agrawal
Date: Mon, 18 May 2020 21:31:59 +0530
Subject: [PATCH] semgrep: Use pattern-where-python operator to filter patterns.

See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md#pattern-where-python for usage.

This helps us minimize duplication of similar patterns.
---
 tools/lint | 11 ++++++++++-
 tools/semgrep.yml | 28 +++++++---------------------
 2 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/tools/lint b/tools/lint
index 6995e19c62..e222cb6c08 100755
--- a/tools/lint
+++ b/tools/lint
@@ -89,7 +89,16 @@ def run() -> None:
 description="Checks commit messages for common formatting errors."
 "(config: .gitlint)")
 
- semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error"]
+ semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error",
+ # This option is dangerous in the context of running
+ # semgrep-as-a-service on untrusted user code, since it
+ # causes Python code in the rules configuration to be
+ # executed. From our standpoint, it is required for
+ # `pattern-where-python` rules, and there's no real
+ # security impact, since if you can put arbitrary code
+ # into zulip.git, you can run arbitrary code in a Zulip
+ # development environment anyway.
+ "--dangerously-allow-arbitrary-code-execution-from-rules"]
 linter_config.external_linter('semgrep-py', [*semgrep_command, "--lang=python"], ['py'],
 fix_arg='--autofix',
 description="Syntactic Grep (semgrep) Code Search Tool "
diff --git a/tools/semgrep.yml b/tools/semgrep.yml
index 517b8fc410..d241636bd1 100644
--- a/tools/semgrep.yml
+++ b/tools/semgrep.yml
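Review bot: With `--dangerously-allow-arbitrary-code-execution-from-rules` appended to semgrep_command, every `pattern-where-python` string in tools/semgrep.yml is executed by whoever runs tools/lint, so edits to that YAML file now need the same review scrutiny as edits to tools/lint itself; the new comment argues the flag is harmless but does not state that consequence. A one-line addition such as `# As a result, pattern-where-python strings in tools/semgrep.yml are executable Python and must be reviewed as such.` would make the expectation visible to the next maintainer. The "if you can put arbitrary code into zulip.git" equivalence holds for the committed tree, but the real boundary is wherever the linter runs on not-yet-reviewed branches (e.g. CI on proposed changes, if that is how it is used) — worth naming in the comment rather than leaving implicit. The enclosing run() function starts before and ends after this hunk.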
@@ -52,27 +52,13 @@ rules:
 - id: logging-format
 languages: [python]
- pattern-either:
- - pattern: logging.debug(... % ...)
- - pattern: logging.debug(... .format(...))
- - pattern: logger.debug(... % ...)
- - pattern: logger.debug(... .format(...))
- - pattern: logging.info(... % ...)
- - pattern: logging.info(... .format(...))
- - pattern: logger.info(... % ...)
- - pattern: logger.info(... .format(...))
- - pattern: logging.warning(... % ...)
- - pattern: logging.warning(... .format(...))
- - pattern: logger.warning(... % ...)
- - pattern: logger.warning(... .format(...))
- - pattern: logging.error(... % ...)
- - pattern: logging.error(... .format(...))
- - pattern: logger.error(... % ...)
- - pattern: logger.error(... .format(...))
- - pattern: logging.critical(... % ...)
- - pattern: logging.critical(... .format(...))
- - pattern: logger.critical(... % ...)
- - pattern: logger.critical(... .format(...))
+ patterns:
+ - pattern-either:
+ - pattern: logging.$Y(... % ...)
+ - pattern: logging.$Y(... .format(...))
+ - pattern: logger.$Y(... % ...)
+ - pattern: logger.$Y(... .format(...))
+ - pattern-where-python: "vars['$Y'] in ['debug', 'info', 'warning', 'error', 'critical']"
 severity: ERROR
 message: "Pass format arguments to logging (https://docs.python.org/3/howto/logging.html#optimization)"
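Review bot: The `pattern-where-python` entry at the end of the new `patterns` list is the only reason the linter must now enable arbitrary code execution from rules, yet the snippet is just a fixed membership test on `$Y`; semgrep's declarative `metavariable-regex` operator expresses the same constraint (`- metavariable-regex: {metavariable: $Y, regex: "^(debug|info|warning|error|critical)$"}`) without executing any Python, which would keep the rule file pure data and let the dangerous flag be dropped from tools/lint — assuming the semgrep version pinned by the project supports that operator. If `pattern-where-python` is kept, the quoted expression is part of the lint's executable surface and should be reviewed as code rather than as configuration. Separately, the new method list still omits `exception` (and `log`), which take format strings the same way as the five listed methods; adding `'exception'` is a one-token change if that coverage is wanted. The surrounding `rules:` list continues outside this hunk.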