Merge pull request #3006 from returntocorp/merge-develop-to-release

Merge Develop into Release
semgrep · Jul 20, 2023 · d9cd4fe · d9cd4fe
2 parents d02fbbd + 56569db
commit d9cd4fe
Show file tree

Hide file tree

Showing 18 changed files with 99 additions and 92 deletions.
diff --git a/c/lang/security/insecure-use-printf-fn.c b/c/lang/security/insecure-use-printf-fn.c
@@ -12,7 +12,7 @@ void bad_vsprintf(int argc, char **argv) {
     vsprintf(buffer, argv[1], args);
 
     //ok: insecure-use-printf-fn
-    vsprintf("%s\n",argv[0])
+    vsprintf("%s\n",argv[0]);
 
     //ok: insecure-use-printf-fn
     vsnprintf(buffer, format, args);
@@ -34,7 +34,7 @@ void bad_sprintf(int argc, char **argv) {
     sprintf(buffer, argv[2], a, b, c);
 
     //ok: insecure-use-printf-fn
-    sprintf("%s\n",argv[0])
+    sprintf("%s\n",argv[0]);
 
     //ok: insecure-use-printf-fn
     snprintf(buffer, format, a,b,c);
@@ -53,7 +53,7 @@ void bad_printf() {
     printf("hello");
 
     //ok: insecure-use-printf-fn
-    printf("%s\n",argv[0])
+    printf("%s\n",argv[0]);
 }
 
 int main() {

diff --git a/contrib/react/react_html_parser.js b/contrib/react/react_html_parser.js
@@ -2,7 +2,7 @@
 import ReactHtmlParser from 'react-html-parser';
 
 
-renderContent() {
+function renderContent() {
     let content = this.props.content;
     if (!content || (typeof content === 'string' && !content.length)) {
         if (this.props.children) {

diff --git a/csharp/dotnet/security/audit/xpath-injection.yaml b/csharp/dotnet/security/audit/xpath-injection.yaml
@@ -25,7 +25,7 @@ rules:
   pattern-sources:
   - pattern-either:
     - pattern: $T $M($INPUT,...) {...}
-    - pattern: "$T $M(...) {\n  ...\n  string $INPUT\n}\n"
+    - pattern: "$T $M(...) {\n  ...\n  string $INPUT;\n}\n"
   pattern-sinks:
   - pattern-either:
     - pattern: XPathExpression $EXPR = $NAV.Compile("..." + $INPUT + "...");

diff --git a/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs b/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs
@@ -15,7 +15,7 @@ public void SetTFL(string json)
             var dict = new Hashtable();
             dict["typeFilterLevel"] = "Full";
             // ruleid: insecure-typefilterlevel-full
-            BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null)
+            BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null);
         }
     }
 }
diff --git a/csharp/lang/security/sqli/csharp-sqli.cs b/csharp/lang/security/sqli/csharp-sqli.cs
@@ -79,7 +79,7 @@ public void sqli6(string sqli)
             using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
                connection.Open();
                // ruleid: csharp-sqli
-               SqlCommand command = new SqlCommand(sqli)
+               SqlCommand command = new SqlCommand(sqli);
             }
         }
 

diff --git a/dockerfile/audit/dockerfile-source-not-pinned.dockerfile b/dockerfile/audit/dockerfile-source-not-pinned.dockerfile
@@ -17,4 +17,4 @@ FROM python:3.10.1-alpine3.15@v1
 FROM python:3.10.1-alpine3.15@sha256
 
 # ok: dockerfile-source-not-pinned
-FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
+FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
diff --git a/dockerfile/correctness/missing-assume-yes-switch.dockerfile b/dockerfile/correctness/missing-assume-yes-switch.dockerfile
@@ -63,4 +63,4 @@ RUN apt-get update \
     zip \
     jq \
     && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/*
diff --git a/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile b/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile
@@ -2,5 +2,6 @@
 
 FROM busybox
 ENTRYPOINT /bin/true
+RUN echo hello
 # ruleid: multiple-entrypoint-instructions
 ENTRYPOINT /bin/false
diff --git a/dockerfile/correctness/multiple-entrypoint-instructions.yaml b/dockerfile/correctness/multiple-entrypoint-instructions.yaml
@@ -6,15 +6,18 @@ rules:
       - pattern: |
           ENTRYPOINT ...
           ...
-          $ENTRYPOINT ...
+          $ENTRYPOINT_INSTR
+      # Restrict the match to just the second ENTRYPOINT instruction.
+      # This avoids producing unstable findings due to capturing
+      # many lines of irrelevant code with the ellipsis.
       - metavariable-pattern:
-          metavariable: $ENTRYPOINT
-          patterns:
-            - pattern: |
-                ENTRYPOINT ...
-      - focus-metavariable: $ENTRYPOINT
+          metavariable: $ENTRYPOINT_INSTR
+          pattern: |
+            ENTRYPOINT ...
+      - focus-metavariable: $ENTRYPOINT_INSTR
     message: >-
-      Multiple ENTRYPOINT instructions were found. Only the last one will take effect.
+      Multiple ENTRYPOINT instructions were found. Only the last one
+      will take effect.
     metadata:
       source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4004
       references:

diff --git a/java/lang/security/audit/formatted-sql-string.java b/java/lang/security/audit/formatted-sql-string.java
@@ -82,7 +82,7 @@ public class SQLExample3 {
     public void getAllFields(String tableName) throws SQLException {
         Connection c = db.getConnection();
         // ruleid:formatted-sql-string
-        ResultSet rs = c.createStatement().execute(String.format("SELECT * FROM %s", tableName);
+        ResultSet rs = c.createStatement().execute(String.format("SELECT * FROM %s", tableName));
     }
 
     public void findAccountsById(String id) throws SQLException {
@@ -104,7 +104,7 @@ public List<AccountDTO> findAccountsById(String id) {
     }
 
     public void findAccountsByIdOk() throws SQLException {
-        String id = "const"
+        String id = "const";
         String sql = String.format("SELECT * FROM accounts WHERE id = '%s'", id);
         Connection c = db.getConnection();
         // ok:formatted-sql-string

diff --git a/java/spring/security/audit/spring-sqli.java b/java/spring/security/audit/spring-sqli.java
@@ -77,7 +77,7 @@ public void queryBatchUpdate(JdbcTemplate jdbcTemplate, String sql, String taint
         jdbcTemplate.batchUpdate(sql, new ArrayList<Object[]>());
 
         // ok:spring-sqli
-        jdbcTemplate.batchUpdate("SELECT foo FROM bar WHERE baz = 'biz'", new ArrayList<Object[]>(Arrays.asList(new Object[] {taintedString}));
+        jdbcTemplate.batchUpdate("SELECT foo FROM bar WHERE baz = 'biz'", new ArrayList<Object[]>(Arrays.asList(new Object[] {taintedString})));
         // ruleid:spring-sqli
         jdbcTemplate.batchUpdate(sql, new ArrayList<Object[]>(), new int[]{Types.INTEGER, Types.VARCHAR, Types.VARCHAR});
     }

diff --git a/java/spring/security/injection/tainted-sql-string.java b/java/spring/security/injection/tainted-sql-string.java
@@ -218,4 +218,5 @@ public ResultSet ok8(@RequestBody String name, SiteModel sitemodel) {
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.execute(sql);
         return rs;
+  }
 }
diff --git a/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb b/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb
@@ -1,63 +1,64 @@
 module Test
 
-    require 'openssl'
-
-    class Test
-        $pass = 'super secret'
-
-        def initialize(key = nil, iv = nil)
-			@pass1 = 'my secure pass phrase goes here'
-			@keypem = 'foo.pem'
-			#ruleid: hardcoded-secret-rsa-passphrase
-			OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
-			bad
-			bad1
-			bad2
-			bad3
-			ok
-        end
-
-
-		def bad
-			key_pem = File.read @keypem
-			#ruleid: hardcoded-secret-rsa-passphrase
-			key = OpenSSL::PKey::RSA.new key_pem, $pass
-		end
-
-		def bad1
-			key_pem = File.read @keypem
-            #ruleid: hardcoded-secret-rsa-passphrase
-			key = OpenSSL::PKey::RSA.new key_pem, @pass1
-			$bad0 = 'secret'
-		end
-
-        def bad2
-			key_pem = File.read @keypem
-            #ruleid: hardcoded-secret-rsa-passphrase
-			key = OpenSSL::PKey::RSA.new key_pem, 'secret'
-			#ruleid: hardcoded-secret-rsa-passphrase
-			key = OpenSSL::PKey::RSA.new key_pem, $bad0
-		end
-
-		def bad3 
-			ca_key = OpenSSL::PKey::RSA.new 2048
-			pass_phrase = 'my secure pass phrase goes here'
-			cipher = OpenSSL::Cipher.new 'AES-256-CBC'
-			#ruleid: hardcoded-secret-rsa-passphrase
-			ca_key.export(cipher, pass_phrase)
-			open 'tmp/ca_key.pem', 'w', 0644 do |io|
-			  #ruleid: hardcoded-secret-rsa-passphrase
-			  io.write ca_key.export(cipher, pass_phrase)
-			  #ruleid: hardcoded-secret-rsa-passphrase
-			  io.write ca_key.export(cipher, $pass)
-			  #ruleid: hardcoded-secret-rsa-passphrase
-			  io.write ca_key.export(cipher, @pass1)
-			end
-		end 
-
-        def ok
-			key_pem = File.read @keypem
-            #ok: hardcoded-secret-rsa-passphrase
-			key = OpenSSL::PKey::RSA.new key_pem, ENV['SECRET']
-		end
-end
+  require 'openssl'
+
+  class Test
+    $pass = 'super secret'
+
+    def initialize(key = nil, iv = nil)
+      @pass1 = 'my secure pass phrase goes here'
+      @keypem = 'foo.pem'
+      #ruleid: hardcoded-secret-rsa-passphrase
+      OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
+      bad
+      bad1
+      bad2
+      bad3
+      ok
+    end
+
+
+    def bad
+      key_pem = File.read @keypem
+      #ruleid: hardcoded-secret-rsa-passphrase
+      key = OpenSSL::PKey::RSA.new key_pem, $pass
+    end
+
+    def bad1
+      key_pem = File.read @keypem
+      #ruleid: hardcoded-secret-rsa-passphrase
+      key = OpenSSL::PKey::RSA.new key_pem, @pass1
+      $bad0 = 'secret'
+    end
+
+    def bad2
+      key_pem = File.read @keypem
+      #ruleid: hardcoded-secret-rsa-passphrase
+      key = OpenSSL::PKey::RSA.new key_pem, 'secret'
+      #ruleid: hardcoded-secret-rsa-passphrase
+      key = OpenSSL::PKey::RSA.new key_pem, $bad0
+    end
+
+    def bad3
+      ca_key = OpenSSL::PKey::RSA.new 2048
+      pass_phrase = 'my secure pass phrase goes here'
+      cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+      #ruleid: hardcoded-secret-rsa-passphrase
+      ca_key.export(cipher, pass_phrase)
+      open 'tmp/ca_key.pem', 'w', 0644 do |io|
+        #ruleid: hardcoded-secret-rsa-passphrase
+        io.write ca_key.export(cipher, pass_phrase)
+        #ruleid: hardcoded-secret-rsa-passphrase
+        io.write ca_key.export(cipher, $pass)
+        #ruleid: hardcoded-secret-rsa-passphrase
+        io.write ca_key.export(cipher, @pass1)
+      end
+    end
+
+    def ok
+      key_pem = File.read @keypem
+      #ok: hardcoded-secret-rsa-passphrase
+      key = OpenSSL::PKey::RSA.new key_pem, ENV['SECRET']
+    end
+  end
+end
diff --git a/rust/lang/security/args-os.rs b/rust/lang/security/args-os.rs
@@ -1,4 +1,4 @@
 use std::env;
 
 // ruleid: args-os
-let args = env::args_os()
+let args = env::args_os();
diff --git a/rust/lang/security/args.rs b/rust/lang/security/args.rs
@@ -1,4 +1,4 @@
 use std::env;
 
 // ruleid: args
-let args = env::args()
+let args = env::args();
diff --git a/rust/lang/security/current-exe.rs b/rust/lang/security/current-exe.rs
@@ -1,4 +1,4 @@
 use std::env;
 
 // ruleid: current-exe
-let exe = env::current_exe()
+let exe = env::current_exe();
diff --git a/rust/lang/security/temp-dir.rs b/rust/lang/security/temp-dir.rs
@@ -1,4 +1,4 @@
 use std::env;
 
 // ruleid: temp-dir
-let dir = env::temp_dir()
+let dir = env::temp_dir();
diff --git a/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml b/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
@@ -4,18 +4,19 @@ rules:
   - pattern: resource
   - pattern-inside: |
       resource "google_dataproc_cluster" "..." {
-      ...
+        ...
       }
   - pattern-not-inside: |
       resource "google_dataproc_cluster" "..." {
-      ...
-      cluster_config {
-        gce_cluster_config {
-          ...
-          internal_ip_only = true
-          ...
+        ...
+        cluster_config {
+          gce_cluster_config {
+            ...
+            internal_ip_only = true
+            ...
+          }
+        ...
         }
-      ...
       }
   message: >-
     Ensure Dataproc Clusters do not have public IPs