From a326e6f005b08bc7823d5483a3392a1cafca913e Mon Sep 17 00:00:00 2001
From: Nat Mote
Date: Tue, 20 Aug 2024 17:00:54 -0700
Subject: [PATCH] python: Future-proof use-ftp-tls for stdlib libdefs

---
 .../insecure-transport/ftplib/use-ftp-tls.yaml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml b/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
index ec88a53ba7..11beea5840 100644
--- a/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
+++ b/python/lang/security/audit/insecure-transport/ftplib/use-ftp-tls.yaml
@@ -1,6 +1,18 @@
 rules:
 - id: use-ftp-tls
-  pattern: ftplib.FTP(...)
+  patterns:
+  - pattern: ftplib.FTP(...)
+  # With stdlib libdefs, Semgrep knows that `ftplib.FTP_TLS` is a subclass of
+  # `ftplib.FTP`, and therefore the pattern `ftplib.FTP` matches when we
+  # encounter `ftplib.FTP_TLS` too.
+  #
+  # Therefore, we explicitly exclude `FTP_TLS`.
+  #
+  # Currently libdefs are only available with the interfile engine, and since
+  # this rule does not have `interfile: true` we only run the interfile engine
+  # over it in tests. However, it's preferable to future-proof this rule
+  # rather than exclude it from our interfile test suite.
+  - pattern-not: ftplib.FTP_TLS(...)
   fix-regex:
     regex: FTP(.*)\)
     replacement: FTP_TLS\1, context=ssl.create_default_context())
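Review bot: The new `- pattern-not: ftplib.FTP_TLS(...)` exempts every FTP_TLS instantiation, including one that passes no `context=` argument, while the rule's own `fix-regex` deliberately rewrites matches to `FTP_TLS(..., context=ssl.create_default_context())`; if the authors regard a bare `FTP_TLS()` as weaker than the fixed form, that case now silently stops being reported once libdefs are active. It would help future readers to state that this is intentional, e.g. add `# FTP_TLS without an explicit ssl context is deliberately out of scope for this rule` next to the exclusion, or to track the argument-less form in a follow-up rule. Unrelated to the lines this commit changes but visible in the hunk's context: `regex: FTP(.*)\)` captures the opening parenthesis when the call has no arguments, so `ftplib.FTP()` would be rewritten to `FTP_TLS(, context=ssl.create_default_context())`, which is not valid Python; worth a look while the rule is being touched.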