semgrep: Use pattern-where-python operator to filter patterns.

See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md#pattern-where-python for usage. This helps us minimize duplication of similar patterns.
2025-10-24 08:33:43 +00:00 · 2020-05-18 21:31:59 +05:30
parent 9442835386
commit 0504c61bfd
2 changed files with 17 additions and 22 deletions
--- a/tools/lint
+++ b/tools/lint
@@ -89,7 +89,16 @@ def run() -> None:
                                  description="Checks commit messages for common formatting errors."
                                  "(config: .gitlint)")

-    semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error"]
+    semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error",
+                       # This option is dangerous in the context of running
+                       # semgrep-as-a-service on untrusted user code, since it
+                       # causes Python code in the rules configuration to be
+                       # executed.  From our standpoint, it is required for
+                       # `pattern-where-python` rules, and there's no real
+                       # security impact, since if you can put arbitrary code
+                       # into zulip.git, you can run arbitrary code in a Zulip
+                       # development environment anyway.
+                       "--dangerously-allow-arbitrary-code-execution-from-rules"]
    linter_config.external_linter('semgrep-py', [*semgrep_command, "--lang=python"], ['py'],
                                  fix_arg='--autofix',
                                  description="Syntactic Grep (semgrep) Code Search Tool "