semgrep: Strengthen HTML and SQL injection checks.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg
2025-06-29 00:54:41 -04:00
committed by Tim Abbott
parent d64ab7abf7
commit a113a42e11


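--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -135,6 +135,9 @@ rules:
 pattern-either:
 - pattern: markupsafe.Markup(... .format(...))
 - pattern: markupsafe.Markup(f"...")
+- pattern: markupsafe.Markup(f"..." "...")
+- pattern: markupsafe.Markup("..." f"...")
+- pattern: markupsafe.Markup("..." f"..." "...")
 - pattern: markupsafe.Markup(... + ...)
 severity: ERROR
 message: "Do not write an HTML injection vulnerability please"
@@ -142,17 +145,29 @@ rules:
 - id: sql-format
 languages: [python]
 pattern-either:
-- pattern: ... .execute("...".format(...))
-- pattern: ... .execute(f"...")
-- pattern: ... .execute(... + ...)
+- pattern: ... .execute("...".format(...), ...)
+- pattern: ... .execute(f"...", ...)
+- pattern: ... .execute(f"..." "...", ...)
+- pattern: ... .execute("..." f"...", ...)
+- pattern: ... .execute("..." f"..." "...", ...)
+- pattern: ... .execute(... + ..., ...)
 - pattern: psycopg2.sql.SQL(... .format(...))
 - pattern: psycopg2.sql.SQL(f"...")
+- pattern: psycopg2.sql.SQL(f"..." "...")
+- pattern: psycopg2.sql.SQL("..." f"...")
+- pattern: psycopg2.sql.SQL("..." f"..." "...")
 - pattern: psycopg2.sql.SQL(... + ...)
 - pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
 - pattern: django.db.migrations.RunSQL(..., f"...", ...)
+- pattern: django.db.migrations.RunSQL(..., f"..." "...", ...)
+- pattern: django.db.migrations.RunSQL(..., "..." f"...", ...)
+- pattern: django.db.migrations.RunSQL(..., "..." f"..." "...", ...)
 - pattern: django.db.migrations.RunSQL(..., ... + ..., ...)
 - pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)
 - pattern: django.db.migrations.RunSQL(..., [..., f"...", ...], ...)
+- pattern: django.db.migrations.RunSQL(..., [..., f"..." "...", ...], ...)
+- pattern: django.db.migrations.RunSQL(..., [..., "..." f"...", ...], ...)
+- pattern: django.db.migrations.RunSQL(..., [..., "..." f"..." "...", ...], ...)
 - pattern: django.db.migrations.RunSQL(..., [..., ... + ..., ...], ...)
 severity: ERROR
 message: "Do not write a SQL injection vulnerability please"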
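Review bot: None of the sql-format patterns in this hunk match printf-style `%` formatting, so a query built as `"... %s" % value` and handed to `.execute`, `psycopg2.sql.SQL` or `RunSQL` is not reported, even though it interpolates into SQL exactly like the `.format`, f-string and `+` forms that are flagged. The new implicit-concatenation patterns also stop at three adjacent pieces, so a statement assembled from four or more literals with an f-string among them may slip past, depending on how semgrep normalizes implicit string concatenation. Consider adding `- pattern: ... .execute("..." % ..., ...)` next to the `... + ...` line and the corresponding lines for the psycopg2.sql.SQL, RunSQL and RunSQL-list sinks. The markupsafe.Markup rule in the first hunk has the same `%` gap; its pattern-either list begins before that hunk, so I cannot tell whether an earlier entry already covers it.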