merge conflicts

.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# Formatted Semgrep YAML files using prettier
+c12bb5b7bf893466c24bdad5b234dcd3ad3b42df

.github/workflows/semgrep-rules-format.yml

@@ -0,0 +1,21 @@
+name: semgrep-rules-format
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+jobs:
+  semgrep-rules-format:
+    name: run semgrep rules format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: "npm"
+          # Use this file as the cache-dependency-path because the dependencies
+          # are manually specified below, and not in a package-lock.json
+          cache-dependency-path: .github/workflows/semgrep-rules-format.yml
+      - run: npm install --global prettier
+      - run: prettier --check './**/*.{yaml,yml}'

.github/workflows/semgrep-rules-test.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
 jobs:
-  build:
+  semgrep-rules-test:
     name: run semgrep rules tests
     runs-on: ubuntu-latest
     steps:
@@ -18,7 +18,25 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           python3 -m pip install semgrep
+          python3 -m pip install jsonschema pyyaml
       - name: validations
-        run: semgrep --validate --config .
+        run: |
+          config_args=$(
+            for dir in $(
+              find . -type d -maxdepth 1 -mindepth 1 -not -path '*/.*'
+            );
+            do
+              echo -n " --config $dir";
+            done
+          )
+          echo "Semgrep config arguments: $config_args"
+          semgrep scan --validate $config_args
       - name: tests
         run: semgrep --test --test-ignore-todo
+      - name: metadata-tests
+        run: |
+          wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/c5ad4bb0f4c7ee5b8cd47276b582e8bb57bd0a4d/.github/scripts/validate-metadata.py
+          wget https://raw.githubusercontent.com/returntocorp/semgrep-rules/develop/metadata-schema.yaml.schm
+          python ./validate-metadata.py -s ./metadata-schema.yaml.schm -f .
+      - name: rules-tests
+        run: semgrep scan --config="r/yaml.semgrep" --severity ERROR .

.github/workflows/update-semgrep-registry.yml

@@ -4,13 +4,11 @@ on:
     branches:
       - main
 jobs:
-  build:
+  update-semgrep-registry:
     name: Update semgrep.dev
     runs-on: ubuntu-latest
     steps:
-      - name: update dev.semgrep.dev
-        run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry
       - name: update staging.semgrep.dev
-        run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry
+        run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry?rule_type=sast
       - name: update semgrep.dev
-        run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry
+        run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry?rule_type=sast

CODEOWNERS

@@ -1,3 +1,3 @@
-* @GrosQuildu
-/go/ @GrosQuildu @Vasco-jofra
-/python/ @suhacker1 @GrosQuildu @Vasco-jofra
+* @GrosQuildu @mschwager
+/go/ @GrosQuildu @mschwager @Vasco-jofra
+/python/ @suhacker1 @GrosQuildu @mschwager @Vasco-jofra

CONTRIBUTING.md

@@ -26,7 +26,19 @@ Then [install semgrep CLI](https://semgrep.dev/docs/getting-started/), and you a
 
 ### Linting
 
-Currenty we don't use any linting tools. In the future we plan to use `yamlfmt`.
+First, [install `prettier`](https://prettier.io/docs/en/install), or [use `brew`](https://formulae.brew.sh/formula/prettier) to do so.
+
+Use the following command to check rule files for formatting errors:
+
+```bash
+prettier --check '**/*.{yaml,yml}'
+```
+
+Any issues can be automatically fixed with the following command:
+
+```bash
+prettier --write '**/*.{yaml,yml}'
+```
 
 ### Testing
 
@@ -70,6 +82,7 @@ Before publishing a new rule, or updating an existing one, make sure to review t
     - [ ] Use `>-` for multiline messages
     - [ ] Use backticks in messages e.g., `$VAR`, `$FUNC`, `some.method()`
     - The `languages` field in `[go, java]` format are preferable (not `- go \n -java`)
+    - [ ] Run prettier (see [Linting](#linting))
 
 - [ ] Check amount of false-positives on some large public repositories
 

README.md

@@ -49,7 +49,6 @@ $ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt'
 
 | ID | Playground | Impact | Confidence | Description |
 | -- | :--------: | :----: | :--------: | ----------- |
-| [anonymous-race-condition](go/anonymous-race-condition.yaml) | [🛝🔗](https://semgrep.dev/playground/r/trailofbits.go.anonymous-race-condition.anonymous-race-condition) | 🟧 | 🌗 | Race conditions within anonymous goroutines |
 | [hanging-goroutine](go/hanging-goroutine.yaml) | [🛝🔗](https://semgrep.dev/playground/r/trailofbits.go.hanging-goroutine.hanging-goroutine) | 🟩 | 🌗 | Goroutine leaks |
 | [invalid-usage-of-modified-variable](go/invalid-usage-of-modified-variable.yaml) | [🛝🔗](https://semgrep.dev/playground/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable) | 🟧 | 🌘 | Possible unintentional assignment when an error occurs |
 | [iterate-over-empty-map](go/iterate-over-empty-map.yaml) | [🛝🔗](https://semgrep.dev/playground/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map) | 🟩 | 🌗 | Probably redundant iteration over an empty map |

generic/container-privileged.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: container-privileged
+docker run --privileged hello-world
+
+# ruleid: container-privileged
+podman run --privileged hello-world
+
+# ok: container-privileged
+docker run hello-world
+
+# ok: container-privileged
+podman run hello-world

generic/container-privileged.yaml

@@ -0,0 +1,36 @@
+rules:
+  - id: container-privileged
+    message: Found container command (docker, podman) with extended privileges
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://docs.docker.com/engine/reference/commandline/run/
+    pattern-either:
+      - pattern: docker ... --privileged
+      - pattern: docker ... --cap-add=ALL
+      - pattern: docker ... --cap-add=SYS_ADMIN
+      - pattern: docker ... --cap-add=SYS_MODULE
+      - pattern: docker ... --net=host
+      - pattern: docker ... --userns=host
+      - pattern: docker ... --pid=host
+      - pattern: docker ... --ipc=host
+      - pattern: docker ... --security-opt seccomp=unconfined
+      - pattern: docker ... --security-opt apparmor=unconfined
+      - pattern: podman ... --privileged
+      - pattern: podman ... --cap-add=ALL
+      - pattern: podman ... --cap-add=SYS_ADMIN
+      - pattern: podman ... --cap-add=SYS_MODULE
+      - pattern: podman ... --net=host
+      - pattern: podman ... --userns=host
+      - pattern: podman ... --pid=host
+      - pattern: podman ... --ipc=host
+      - pattern: podman ... --security-opt seccomp=unconfined
+      - pattern: podman ... --security-opt apparmor=unconfined

generic/container-user-root.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: container-user-root
+docker run -u root hello-world
+
+# ruleid: container-user-root
+podman run --user root hello-world
+
+# ok: container-user-root
+docker run hello-world
+
+# ok: container-user-root
+podman run hello-world

generic/container-user-root.yaml

@@ -0,0 +1,24 @@
+rules:
+  - id: container-user-root
+    message: Found container command running as root
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-250: Execution with Unnecessary Privileges"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://docs.docker.com/engine/reference/commandline/run/
+    pattern-either:
+      - pattern: docker ... -u root
+      - pattern: docker ... -u 0
+      - pattern: docker ... --user root
+      - pattern: docker ... --user 0
+      - pattern: podman ... -u root
+      - pattern: podman ... --u 0
+      - pattern: podman ... --user root
+      - pattern: podman ... --user 0

generic/curl-insecure.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# ruleid: curl-insecure
+curl -k https://google.com > /dev/null
+
+# ruleid: curl-insecure
+curl --insecure https://google.com > /dev/null
+
+# ok: curl-insecure
+curl --ksomeotherflag https://google.com > /dev/null
+
+# ok: curl-insecure
+curl https://google.com > /dev/null

generic/curl-insecure.yaml

@@ -0,0 +1,22 @@
+rules:
+  - id: curl-insecure
+    message: Found `curl` command disabling SSL verification
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://curl.se/docs/manpage.html
+    pattern-either:
+      # A space character was left at the end of some patterns to help ensure
+      # that the intended flag was used, and minimize the chance that another,
+      # longer flag that _starts with_ the intended flag results in a false
+      # positive
+      - pattern: "curl ... -k "
+      - pattern: "curl ... --insecure"

generic/curl-unencrypted-url.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# ruleid: curl-unencrypted-url
+curl http://google.com > /dev/null
+
+# ruleid: curl-unencrypted-url
+curl ftp://google.com > /dev/null
+
+# ok: curl-unencrypted-url
+curl https://google.com > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://localhost > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://127.0.0.1 > /dev/null

generic/curl-unencrypted-url.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: curl-unencrypted-url
+    message: Found `curl` command with unencrypted URL (e.g. HTTP, FTP, etc.)
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://curl.se/docs/manpage.html
+    patterns:
+      - pattern-either:
+          - pattern: curl ... http://
+          - pattern: curl ... ftp://
+      - pattern-not-inside: curl ... http://127.0.0.1
+      - pattern-not-inside: curl ... http://localhost

generic/gpg-insecure-flags.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: gpg-insecure-flags
+gpg --skip-verify --output doc --decrypt doc.gpg
+
+# ok: gpg-insecure-flags
+gpg --output doc --decrypt doc.gpg

generic/gpg-insecure-flags.yaml

@@ -0,0 +1,27 @@
+rules:
+  - id: gpg-insecure-flags
+    message: Found `gpg` command using insecure flags
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://www.gnupg.org/gph/de/manual/r1023.html
+    pattern-either:
+      - pattern: gpg ... --allow-non-selfsigned-uid
+      - pattern: gpg ... --allow-freeform-uid
+      - pattern: gpg ... --allow-old-cipher-algos
+      - pattern: gpg ... --allow-weak-digest-algos
+      - pattern: gpg ... --allow-weak-key-signatures
+      - pattern: gpg ... --ignore-time-conflict
+      - pattern: gpg ... --ignore-valid-from
+      - pattern: gpg ... --ignore-crc-error
+      - pattern: gpg ... --ignore-mdc-error
+      - pattern: gpg ... --skip-verify
+      - pattern: gpg ... --no-require-cross-certification

generic/installer-allow-untrusted.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: installer-allow-untrusted
+sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted
+
+# ok: installer-allow-untrusted
+sudo installer -pkg /path/to/package.pkg -target /

generic/installer-allow-untrusted.yaml

@@ -0,0 +1,16 @@
+rules:
+  - id: installer-allow-untrusted
+    message: Found `installer` command allowing untrusted installations
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-494: Download of Code Without Integrity Check"
+      confidence: HIGH
+      likelihood: HIGH
+      impact: HIGH
+      references:
+        - https://ss64.com/mac/installer.html
+    pattern: installer ... -allowUntrusted

generic/openssl-insecure-flags.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# ruleid: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass pass:mysecretpass
+
+# ok: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem --noencsomeotherflag
+
+# ok: openssl-insecure-flags
+openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass env:PASSVAR

generic/openssl-insecure-flags.yaml

@@ -0,0 +1,26 @@
+rules:
+  - id: openssl-insecure-flags
+    message: Found `openssl` command using insecure flags
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      cwe: "CWE-295: Improper Certificate Validation"
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://www.openssl.org/docs/manmaster/man1/
+    pattern-either:
+      # A space character was left at the end of some patterns to help ensure
+      # that the intended flag was used, and minimize the chance that another,
+      # longer flag that _starts with_ the intended flag results in a false
+      # positive
+      - pattern: "openssl ... -pass pass:"
+      - pattern: "openssl ... -passin pass:"
+      - pattern: "openssl ... -passout pass:"
+      - pattern: "openssl ... -nodes "
+      - pattern: "openssl ... -noenc "
+      - pattern: "openssl ... -sha1 "

generic/ssh-disable-host-key-checking.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# ruleid: ssh-disable-host-key-checking
+ssh -o StrictHostKeyChecking=no user@hostname
+
+# ok: ssh-disable-host-key-checking
+ssh user@hostname