Skip to content

trailofbits/semgrep-rules

Repository files navigation

Trail of Bits public Semgrep rules

This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability reseach, and internal projects. They will evolve over time as we identify new techniques.

Visit Testing Handbook for Semgrep guidance.

Using Semgrep

The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:

$ semgrep --config "p/trailofbits"

Alternatively, you can clone this repository, navigate to the root folder of your project, and run individual rules using the command below :

$ semgrep --config /path/to/semgrep-rules/semgreprule.yml

To run all rules from the cloned repository:

$ semgrep --config /path/to/semgrep-rules/ .

Useful flags

Semgrep will run against all supported code files except for those in your .gitignore file. If you want to run the rules against all files and directories, including those in your .gitignore, add the --no-git-ignore flag.

$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore

You can also tell Semgrep to ignore files and directories that match any pattern. For instance, if you want to tell Semgrep to ignore all Go test files you can run the following:

$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'

Use -o to output results to a file:

$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt'

Rules

go

ID Playground Impact Confidence Description
eth-rpc-tracetransaction πŸ›πŸ”— πŸŸ₯ πŸŒ• Detects attempts to extract trace information from an EVM transaction or block
eth-txreceipt-status πŸ›πŸ”— πŸŸ₯ πŸŒ• Detects when a transaction receipt's status is read
hanging-goroutine πŸ›πŸ”— 🟩 πŸŒ— Goroutine leaks
invalid-usage-of-modified-variable πŸ›πŸ”— 🟧 🌘 Possible unintentional assignment when an error occurs
iterate-over-empty-map πŸ›πŸ”— 🟩 πŸŒ— Probably redundant iteration over an empty map
missing-runlock-on-rwmutex πŸ›πŸ”— 🟧 πŸŒ— Missing RUnlock on an RWMutex lock before returning from a function
missing-unlock-before-return πŸ›πŸ”— 🟧 πŸŒ— Missing mutex unlock before returning from a function
nil-check-after-call πŸ›πŸ”— 🟧 πŸŒ— Possible nil dereferences
racy-append-to-slice πŸ›πŸ”— 🟧 πŸŒ— Concurrent calls to append from multiple goroutines
racy-write-to-map πŸ›πŸ”— 🟧 πŸŒ— Concurrent writes to the same map in multiple goroutines
servercodec-readrequestbody-unhandled-nil πŸ›πŸ”— 🟩 🌘 Possible incorrect ServerCodec interface implementation
string-to-int-signedness-cast πŸ›πŸ”— 🟧 🌘 Integer underflows
sync-mutex-value-copied πŸ›πŸ”— 🟩 🌘 Copying of sync.Mutex via value receivers
unsafe-dll-loading πŸ›πŸ”— πŸŸ₯ 🌘 Use of function vulnerable to DLL hijacking attacks
waitgroup-add-called-inside-goroutine πŸ›πŸ”— 🟧 πŸŒ— Calls to sync.WaitGroup.Add inside of anonymous goroutines
waitgroup-wait-inside-loop πŸ›πŸ”— 🟧 πŸŒ— Calls to sync.WaitGroup.Wait inside a loop

python

ID Playground Impact Confidence Description
automatic-memory-pinning πŸ›πŸ”— 🟩 🌘 PyTorch memory not automatically pinned
lxml-in-pandas πŸ›πŸ”— 🟧 🌘 Potential XXE attacks from loading lxml in pandas
msgpack-numpy πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from functions reliant on pickling
numpy-distutils πŸ›πŸ”— 🟩 🌘 Use of deprecated numpy.distutils
numpy-f2py-compile πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from NumPy f2py compilation
numpy-in-pytorch-datasets πŸ›πŸ”— 🟩 🌘 Calls to the NumPy RNG inside of a Torch dataset
numpy-in-pytorch-modules πŸ›πŸ”— 🌫️ πŸŒ— Uses of NumPy functions inside PyTorch modules
numpy-load-library πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from NumPy library loading
onnx-session-options πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from ONNX library loading
pandas-eval πŸ›πŸ”— πŸŸ₯ πŸŒ• Potential arbitrary code execution from pandas functions that evaluate user-provided expressions
pickles-in-keras-deprecation πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from Keras' load_model function
pickles-in-keras πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from Keras' load_model function
pickles-in-numpy πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from NumPy functions reliant on pickling
pickles-in-pandas πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from Pandas functions reliant on pickling
pickles-in-pytorch-distributed πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from PyTorch.Distributed functions reliant on pickling
pickles-in-pytorch πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from PyTorch functions reliant on pickling
pickles-in-tensorflow πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from tensorflow's load function
pytorch-classes-load-library πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from PyTorch library loading
pytorch-package πŸ›πŸ”— πŸŸ₯ πŸŒ• Potential arbitrary code execution from torch.package
pytorch-tensor πŸ›πŸ”— 🌫️ 🌘 Possible parsing issues and inefficiency from improper tensor creation
scikit-joblib-load πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from SciKit.Joblib functions reliant on pickling
tarfile-extractall-traversal πŸ›πŸ”— 🟧 πŸŒ— Potential path traversal in call to extractall for a tarfile
tensorflow-load-library πŸ›πŸ”— πŸŸ₯ πŸŒ— Potential arbitrary code execution from TensorFlow library loading
waiting-with-pytorch-distributed πŸ›πŸ”— 🟩 πŸŒ— Possible PyTorch undefined behavior when not waiting for requests

rs

ID Playground Impact Confidence Description
panic-in-function-returning-result πŸ›πŸ”— 🟩 🌘 Calling unwrap or expect in a function returning a Result

javascript

ID Playground Impact Confidence Description
schema-directives πŸ›πŸ”— πŸŸ₯ πŸŒ— Use of outdated ApolloServer option 'schemaDirectives'
use-of-graphql-upload πŸ›πŸ”— 🟧 πŸŒ• Use of the graphql-upload library
v3-potentially-bad-cors πŸ›πŸ”— 🟧 πŸŒ• Potentially bad CORS policy
v3-express-bad-cors πŸ›πŸ”— πŸŸ₯ πŸŒ— Bad CORS policy
v3-express-no-cors πŸ›πŸ”— 🟩 🌘 Lack of CORS policy
v3-bad-cors πŸ›πŸ”— πŸŸ₯ πŸŒ— Bad CORS policy
v3-no-cors πŸ›πŸ”— 🟩 🌘 Lack of CORS policy
v3-csrf-prevention πŸ›πŸ”— 🟧 🌘 Lack of CSRF prevention
v4-csrf-prevention πŸ›πŸ”— 🟧 🌘 CSRF protection disabled

Contributing

Pull Requests and issues are welcomed!

See CONTRIBUTING.md for more information.

Licensing

The rules defined in this repository are licensed under AGPLv3.

The sidecar examples may be derived from other works, and retain their original licenses where required.