semgrep: Strengthen HTML and SQL injection checks.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg
2025-06-29 00:54:41 -04:00
committed by Tim Abbott
parent d64ab7abf7
commit a113a42e11


@@ -135,6 +135,9 @@ rules:
pattern-either:
- pattern: markupsafe.Markup(... .format(...))
- pattern: markupsafe.Markup(f"...")
- pattern: markupsafe.Markup(f"..." "...")
- pattern: markupsafe.Markup("..." f"...")
- pattern: markupsafe.Markup("..." f"..." "...")
- pattern: markupsafe.Markup(... + ...)
severity: ERROR
message: "Do not write an HTML injection vulnerability please"
@@ -142,17 +145,29 @@ rules:
- id: sql-format
languages: [python]
pattern-either:
- pattern: ... .execute("...".format(...))
- pattern: ... .execute(f"...")
- pattern: ... .execute(... + ...)
- pattern: ... .execute("...".format(...), ...)
- pattern: ... .execute(f"...", ...)
- pattern: ... .execute(f"..." "...", ...)
- pattern: ... .execute("..." f"...", ...)
- pattern: ... .execute("..." f"..." "...", ...)
- pattern: ... .execute(... + ..., ...)
- pattern: psycopg2.sql.SQL(... .format(...))
- pattern: psycopg2.sql.SQL(f"...")
- pattern: psycopg2.sql.SQL(f"..." "...")
- pattern: psycopg2.sql.SQL("..." f"...")
- pattern: psycopg2.sql.SQL("..." f"..." "...")
- pattern: psycopg2.sql.SQL(... + ...)
- pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
- pattern: django.db.migrations.RunSQL(..., f"...", ...)
- pattern: django.db.migrations.RunSQL(..., f"..." "...", ...)
- pattern: django.db.migrations.RunSQL(..., "..." f"...", ...)
- pattern: django.db.migrations.RunSQL(..., "..." f"..." "...", ...)
- pattern: django.db.migrations.RunSQL(..., ... + ..., ...)
- pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., f"...", ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., f"..." "...", ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., "..." f"...", ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., "..." f"..." "...", ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., ... + ..., ...], ...)
severity: ERROR
message: "Do not write a SQL injection vulnerability please"
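Review bot: Printf-style string formatting is still not caught by any of the sql-format patterns: `cursor.execute("... %s" % value)` or `psycopg2.sql.SQL("..." % value)` builds the statement from interpolated data exactly like the `f"..."` and `... + ...` cases the rule now flags, but matches none of the listed alternatives. Adding `- pattern: ... .execute("..." % ..., ...)` alongside the `execute` entries, with the parallel `psycopg2.sql.SQL("..." % ...)` and `django.db.migrations.RunSQL(..., "..." % ..., ...)` forms, would close that gap without touching the parameterised `execute("... %s", params)` form, which is a separate argument and would not match. The same applies to the html-format rule in the first hunk, where `markupsafe.Markup("..." % ...)` is likewise unlisted. This page shows no surviving `+`/`-` markers, so which of these lines are new is inferred from the commit title; the second hunk's end may also lie outside the visible lines.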