semgrep / semgrep-rules

Semgrep rules registry

Home Page: https://semgrep.dev/registry

License: Other

Python 19.96% Java 15.76% Makefile 0.01% JavaScript 8.21% Go 7.16% C 0.59% Ruby 3.62% HTML 1.35% Pug 0.21% OCaml 0.20% Vue 0.01% HCL 27.12% TypeScript 2.08% PHP 7.28% Dockerfile 0.91% Mustache 0.45% EJS 0.31% Kotlin 0.64% C# 3.81% Shell 0.31%
static-analysis grep-like program-analysis security security-scanner semgrep semgrep-rules semgrep-registry

semgrep-rules's Introduction

semgrep-rules


branch: develop; using Semgrep Docker image: returntocorp/semgrep:develop; test status: semgrep-rules-test-develop

Welcome! This repository is the standard library for Semgrep rules. There are many more rules available in the Semgrep Registry written by Semgrep, Inc. and other contributors. The Semgrep Registry includes rules from this repository and additional rules that are accessible within Semgrep Cloud Platform. If there is a specific rule you are looking for, see the Semgrep registry search. To contribute, find details about contributing in the Contributing to Semgrep rules documentation.

Using Semgrep rules repository

Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep App. To start using Semgrep rules, see Semgrep tutorial, Getting started with Semgrep CLI, and Getting started with Semgrep App.

Contributing

We welcome Semgrep rule contributions directly to this repository! When you submit your contribution to the semgrep-rules repository we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other Semgrep Registry users pursuant to the LGPL 2.1 under the Commons Clause. See full license details.

Note: To contribute, review the Contributing to Semgrep rules documentation.

You can also contact us at [email protected] to make Semgrep rule contributions. We will import your rules for everyone to use!

Additional information

Help

Join Slack for the fastest answers to your questions! Or contact the team at [email protected].

GitHub action to run tests

If you fork this repository or create your own, you can add a special semgrep-rules-test GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our semgrep-rules-test.

Rulesets

Rulesets are groups of rules organized by purpose, language, or framework sourced from the Semgrep Registry. If you want to modify existing rulesets or create your own, please contact us at [email protected].

semgrep-rules's People

Contributors

0xdc0de, artem-fedorov, aryx, ben-elttam, brandonspark, ceefour, colleend, dependabot[bot], dlukeomalley, drewdennison, emjin, enncoded, gabriellesc, hex0punk, iagoabal, ievans, inkz, kurt-r2c, lewisardern, lfama, minusworld, mjambon, mschwager, nbrahms, p4p3r, philipturnbull, semgrep-dev-pr-bot[bot], sjord, underyx, wingyplus


semgrep-rules's Issues

Improve Flask 0.0.0.0 check to fire only when it's a dev server

Slack conversation for context:

ulzii  2 hours ago
Per https://flask.palletsprojects.com/en/1.1.x/quickstart/#a-minimal-application

ulzii  2 hours ago
You should not set it to 0.0.0.0

ulzii  2 hours ago
And in production, you say “flask run --host=0.0.0.0” which will pass the host as ENV variable to flask

ulzii  2 hours ago
That way you are not hardcoding bad config while still maintaining the flexibility for production configuration

grayson  2 hours ago
The relevant bit from that documentation is:

grayson  2 hours ago
Externally Visible Server: If you run the server you will notice that the server is only accessible from your own computer, not from any other in the network. This is the default because in debugging mode a user of the application can execute arbitrary Python code on your computer.
If you have the debugger disabled or trust the users on your network, you can make the server publicly available simply by adding --host=0.0.0.0 to the command line:
$ flask run --host=0.0.0.0
This tells your operating system to listen on all public IPs.

grayson  2 hours ago
davidism is of the opinion that one should use flask run instead of python3 app.py and using flask run --host=0.0.0.0 to launch a prod server

grayson  2 hours ago
IMO, it's kind of a nit-pick

grayson  2 hours ago
It kind of depends on one's level of paranoia

grayson  2 hours ago
Perhaps an extension to the check could be only surfacing 0.0.0.0 if debug mode is on?

daghan  2 hours ago
I agree. This may be a better style but certainly not a security issue.

grayson  2 hours ago
Cool, I'll make a ticket

ulzii  1 hour ago
I do not think it is just a style issue: https://stackoverflow.com/questions/7023052/configure-flask-dev-server-to-be-visible-across-the-network. I think it is the proper way to deploy a Flask app. I would agree it's not a security issue because exploitability of it is determined by firewall etc.
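A Semgrep rule sketching the narrower check proposed in the conversation above (report a hardcoded 0.0.0.0 bind only when the dev server also has the debugger enabled), added here as an illustration; it is not a rule from this repository or the Registry, and the rule id, message and metadata are assumed:

```yaml
rules:
  - id: flask-debug-server-on-all-interfaces   # assumed id, not a registry rule
    languages: [python]
    severity: WARNING
    message: >-
      Flask development server bound to 0.0.0.0 with the debugger enabled.
      The Werkzeug debugger lets anyone who can reach the port execute
      Python on the host. Drop debug=True, or leave the host out of the code
      and pass it at runtime with `flask run --host=0.0.0.0`.
    metadata:
      category: security
      references:
        - https://flask.palletsprojects.com/en/1.1.x/quickstart/#a-minimal-application
    patterns:
      # Only consider run() on a Flask application object; Semgrep resolves
      # `from flask import Flask` so `app = Flask(__name__)` matches too.
      - pattern-inside: |
          $APP = flask.Flask(...)
          ...
      # The finding is the run() call with the hardcoded wildcard bind.
      - pattern: $APP.run(..., host="0.0.0.0", ...)
      # Require debug to be enabled as well; a bare host="0.0.0.0" no longer fires.
      - pattern-either:
          # debug passed in the same call (keyword order does not matter here,
          # because both patterns must match the same run() call)
          - pattern: $APP.run(..., debug=True, ...)
          # debug enabled earlier via the attribute or the config mapping
          - pattern-inside: |
              $APP.debug = True
              ...
          - pattern-inside: |
              $APP.config["DEBUG"] = True
              ...
```

In this repository's test convention the rule would sit beside a `.py` file whose lines are annotated with `# ruleid:` and `# ok:` comments and be checked with `semgrep --test`.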
