diff --git a/rules/c/security/file-access-before-action-c.yml b/rules/c/security/file-access-before-action-c.yml index 1d76a130..7a5a733e 100644 --- a/rules/c/security/file-access-before-action-c.yml +++ b/rules/c/security/file-access-before-action-c.yml @@ -11,7 +11,7 @@ note: >- ast-grep-essentials: true utils: - PATTERN_1(identifier): + PATTERN_1_identifier: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -97,7 +97,7 @@ utils: - kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - PATTERN_3(field_expression): + PATTERN_3_field_expression: kind: field_expression has: nthChild: 1 @@ -183,5 +183,5 @@ utils: rule: any: - - matches: PATTERN_1(identifier) - - matches: PATTERN_3(field_expression) + - matches: PATTERN_1_identifier + - matches: PATTERN_3_field_expression diff --git a/rules/c/security/file-stat-before-action-c.yml b/rules/c/security/file-stat-before-action-c.yml index 1b522409..373d4370 100644 --- a/rules/c/security/file-stat-before-action-c.yml +++ b/rules/c/security/file-stat-before-action-c.yml @@ -11,7 +11,7 @@ note: >- ast-grep-essentials: true utils: - PATTERN_1(identifier)nth1: + PATTERN_1_identifier_nth1: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -88,7 +88,7 @@ utils: follows: regex: ^==$ - PATTERN_1(identifier)nth2: + PATTERN_1_identifier_nth2: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -172,7 +172,7 @@ utils: - kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - PATTERN_3(field_expression)(identifier)nth1: + PATTERN_3_field_expression_identifier_nth1: kind: field_expression has: nthChild: 1 @@ -251,7 +251,7 @@ utils: follows: regex: ^==$ - PATTERN_3(field_expression)(identifier)nth2: + PATTERN_3_field_expression_identifier_nth2: kind: field_expression has: nthChild: 1 @@ -332,7 +332,7 @@ utils: rule: any: - - matches: PATTERN_1(identifier)nth1 - - matches: PATTERN_1(identifier)nth2 - - matches: PATTERN_3(field_expression)(identifier)nth1 - - matches: PATTERN_3(field_expression)(identifier)nth2 + - matches: PATTERN_1_identifier_nth1 + - matches: PATTERN_1_identifier_nth2 + - matches: PATTERN_3_field_expression_identifier_nth1 + - matches: PATTERN_3_field_expression_identifier_nth2 diff --git a/rules/c/security/insecure-hash-c.yml b/rules/c/security/insecure-hash-c.yml index e80bf532..b2dfca41 100644 --- a/rules/c/security/insecure-hash-c.yml +++ b/rules/c/security/insecure-hash-c.yml @@ -25,7 +25,7 @@ utils: stopBy: neighbor kind: argument_list - MATCH_PATTERN_TWO_(EVP_MD_fetch): + MATCH_PATTERN_TWO_EVP_MD_fetch: kind: expression_statement has: stopBy: neighbor @@ -50,7 +50,7 @@ utils: kind: string_content regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch): + MATCH_PATTERN_TWO_with_instance_EVP_MD_fetch: kind: expression_statement all: - has: @@ -142,7 +142,7 @@ utils: not: kind: comment - MATCH_PATTERN_TWO_(EVP_get_digestbyname): + MATCH_PATTERN_TWO_EVP_get_digestbyname: kind: expression_statement has: stopBy: neighbor @@ -174,7 +174,7 @@ utils: not: kind: comment - MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname): + MATCH_PATTERN_TWO_with_instance_EVP_get_digestbyname: kind: expression_statement all: - has: @@ -250,7 +250,7 @@ utils: kind: string_content regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - MATCH_PATTERN_THREE_(gcry_md_hash_buffers): + MATCH_PATTERN_THREE_gcry_md_hash_buffers: kind: expression_statement has: stopBy: neighbor @@ -277,12 +277,12 @@ rule: - kind: expression_statement any: - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO_(EVP_MD_fetch) - - matches: MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch) + - matches: MATCH_PATTERN_TWO_EVP_MD_fetch + - matches: MATCH_PATTERN_TWO_with_instance_EVP_MD_fetch - matches: MATCH_PATTERN_THREE - - matches: MATCH_PATTERN_TWO_(EVP_get_digestbyname) - - matches: MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname) - - matches: MATCH_PATTERN_THREE_(gcry_md_hash_buffers) + - matches: MATCH_PATTERN_TWO_EVP_get_digestbyname + - matches: MATCH_PATTERN_TWO_with_instance_EVP_get_digestbyname + - matches: MATCH_PATTERN_THREE_gcry_md_hash_buffers not: all: - has: diff --git a/rules/c/security/world-writable-file-c.yml b/rules/c/security/world-writable-file-c.yml index a514fd7d..668505fc 100644 --- a/rules/c/security/world-writable-file-c.yml +++ b/rules/c/security/world-writable-file-c.yml @@ -29,7 +29,7 @@ utils: kind: argument_list field: arguments - AND_2_EQUALS_2_&_S_IXXXX: + AND_2_EQUALS_2_S_IXXXX: any: - kind: number_literal regex: ^-?([2367]|[0-9]*(0[2367]|1[014589]|2[2367]|3[014589]|4[2367]|5[014589]|6[2367]|7[014589]|8[2367]|9[014589]))$ @@ -44,7 +44,7 @@ rule: any: # chmod/fchmod/creat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -63,7 +63,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -75,7 +75,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -87,7 +87,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 2 ofRule: @@ -117,7 +117,7 @@ rule: # fchmodat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -136,7 +136,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -148,7 +148,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -160,7 +160,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 3 ofRule: @@ -183,7 +183,7 @@ rule: # open - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -202,7 +202,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -214,7 +214,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -226,7 +226,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 3 ofRule: @@ -256,7 +256,7 @@ rule: # openat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -275,7 +275,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -287,7 +287,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -299,7 +299,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 4 ofRule: diff --git a/rules/cpp/security/file-access-before-action-cpp.yml b/rules/cpp/security/file-access-before-action-cpp.yml index 20ccfc62..4162bd26 100644 --- a/rules/cpp/security/file-access-before-action-cpp.yml +++ b/rules/cpp/security/file-access-before-action-cpp.yml @@ -11,7 +11,7 @@ note: >- ast-grep-essentials: true utils: - PATTERN_1(identifier): + PATTERN_1_identifier: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -92,7 +92,7 @@ utils: follows: regex: ^==$ - PATTERN_2(qualified_identifier): + PATTERN_2_qualified_identifier: kind: qualified_identifier any: - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ @@ -184,7 +184,7 @@ utils: - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - PATTERN_3(field_expression): + PATTERN_3_field_expression: kind: field_expression has: nthChild: 1 @@ -270,6 +270,6 @@ utils: rule: any: - - matches: PATTERN_1(identifier) - - matches: PATTERN_2(qualified_identifier) - - matches: PATTERN_3(field_expression) + - matches: PATTERN_1_identifier + - matches: PATTERN_2_qualified_identifier + - matches: PATTERN_3_field_expression diff --git a/rules/cpp/security/file-stat-before-action-cpp.yml b/rules/cpp/security/file-stat-before-action-cpp.yml index 74bd9bc3..1bdd25e9 100644 --- a/rules/cpp/security/file-stat-before-action-cpp.yml +++ b/rules/cpp/security/file-stat-before-action-cpp.yml @@ -11,7 +11,7 @@ note: >- ast-grep-essentials: true utils: - PATTERN_1(identifier)nth1: + PATTERN_1_identifier_nth1: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -86,7 +86,7 @@ utils: follows: regex: ^==$ - PATTERN_2(qualified_identifier)nth1: + PATTERN_2_qualified_identifier_nth1: kind: qualified_identifier any: - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ @@ -165,7 +165,7 @@ utils: follows: regex: ^==$ - PATTERN_1(identifier)nth2: + PATTERN_1_identifier_nth2: kind: identifier regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ all: @@ -242,7 +242,7 @@ utils: follows: regex: ^==$ - PATTERN_2(qualified_identifier)nth2: + PATTERN_2_qualified_identifier_nth2: kind: qualified_identifier any: - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ @@ -330,7 +330,7 @@ utils: - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - PATTERN_3(field_expression)(identifier)nth1: + PATTERN_3_field_expression_identifier_nth1: kind: field_expression has: nthChild: 1 @@ -410,7 +410,7 @@ utils: follows: regex: ^==$ - PATTERN_3(field_expression)(identifier)nth2: + PATTERN_3_field_expression_identifier_nth2: kind: field_expression has: nthChild: 1 @@ -492,9 +492,9 @@ utils: rule: any: - - matches: PATTERN_1(identifier)nth1 - - matches: PATTERN_2(qualified_identifier)nth1 - - matches: PATTERN_1(identifier)nth2 - - matches: PATTERN_2(qualified_identifier)nth2 - - matches: PATTERN_3(field_expression)(identifier)nth1 - - matches: PATTERN_3(field_expression)(identifier)nth2 + - matches: PATTERN_1_identifier_nth1 + - matches: PATTERN_2_qualified_identifier_nth1 + - matches: PATTERN_1_identifier_nth2 + - matches: PATTERN_2_qualified_identifier_nth2 + - matches: PATTERN_3_field_expression_identifier_nth1 + - matches: PATTERN_3_field_expression_identifier_nth2 diff --git a/rules/cpp/security/string-view-temporary-string-cpp.yml b/rules/cpp/security/string-view-temporary-string-cpp.yml index 874d9df0..06682dd7 100644 --- a/rules/cpp/security/string-view-temporary-string-cpp.yml +++ b/rules/cpp/security/string-view-temporary-string-cpp.yml @@ -14,7 +14,7 @@ note: >- ast-grep-essentials: true utils: - $VAR = std::to_string(...): + VAR_std_to_string: # $VAR = std::to_string(...); kind: expression_statement has: @@ -37,7 +37,7 @@ utils: stopBy: neighbor kind: argument_list - $VAR = $EXPR.substr(...): + VAR_EXPR_substr: # $VAR = std::to_string(...); kind: expression_statement has: @@ -60,7 +60,7 @@ utils: stopBy: neighbor kind: argument_list - $VAR = $EXPR + ...: + VAR_EXPR: # $VAR = $EXPR + ... kind: expression_statement has: @@ -80,7 +80,7 @@ utils: regex: ^(wstring|string)$ nthChild: 1 - $VAR = "..." + $EXPR: + VAR_EXPR_2: # $VAR = "..." + $EXPR kind: expression_statement has: @@ -104,7 +104,7 @@ utils: kind: identifier regex: ^(string|wstring)$ - $VAR_instance = "..." + $EXPR: + VAR_instance_EXPR: # $VAR_instance = "..." + $EXPR kind: expression_statement all: @@ -208,7 +208,7 @@ utils: kind: identifier pattern: $VAR_INSTANCE - $VAR_instance = $EXPR_instance + ...: + VAR_instance_EXPR_instance: kind: expression_statement all: - has: @@ -292,7 +292,7 @@ utils: kind: identifier pattern: $VAR_INSTANCE - $VAR_instance = $EXPR_instance.substr(...): + VAR_instance_EXPR_instance_substr: # $VAR = std::to_string(...); kind: expression_statement all: @@ -397,7 +397,7 @@ utils: kind: identifier pattern: $VAR_INSTANCE - $VAR_instance = std::to_string(...): + VAR_instance_std_to_string: # $VAR = std::to_string(...); kind: expression_statement all: @@ -435,7 +435,7 @@ utils: kind: identifier pattern: $VAR_INSTANCE - $VAR(std::to_string(...)): + VAR_std_to_string_2: kind: call_expression all: - has: @@ -456,7 +456,7 @@ utils: stopBy: neighbor kind: argument_list - $VAR(std::to_string(...))_as_declaration: + VAR_std_to_string_as_declaration: kind: declaration all: - has: @@ -474,7 +474,7 @@ utils: stopBy: neighbor kind: argument_list - $VAR($EXPR + ...): + VAR_EXPR_3: kind: call_expression all: - has: @@ -489,7 +489,7 @@ utils: regex: ^(wstring|string)$ nthChild: 1 - $VAR($EXPR_instance + ...): + VAR_EXPR_instance: kind: call_expression all: - has: @@ -558,7 +558,7 @@ utils: stopBy: end pattern: $EXPR_INSTANCE - $VAR("..." + $EXPR_instance ): + VAR_EXPR_instance_2: kind: call_expression all: - has: @@ -635,7 +635,7 @@ utils: stopBy: end pattern: $EXPR_INSTANCE - $VAR("..." + $EXPR): + VAR_EXPR_4: kind: call_expression all: - has: @@ -661,7 +661,7 @@ utils: nthChild: 2 regex: ^(wstring|string)$ - $VAR($EXPR.substr(...)): + VAR_EXPR_substr_2: kind: call_expression all: - has: @@ -682,7 +682,7 @@ utils: stopBy: neighbor kind: argument_list - $VAR($EXPR_instance.substr(...)): + VAR_EXPR_instance_substr: kind: call_expression all: - has: @@ -770,7 +770,7 @@ utils: stopBy: end pattern: $EXPR_INSTANCE - $VAR_instance $VAR = "..." + $EXPR: + VAR_instance_VAR_EXPR: # $VAR_instance $VAR = "..." + $EXPR kind: declaration all: @@ -831,7 +831,7 @@ utils: kind: identifier pattern: $EXPR_INSTANCE - $VAR $VAR_instance = "..." + $EXPR: + VAR_VAR_instance_EXPR: # $VAR_instance = "..." + $EXPR kind: declaration all: @@ -909,29 +909,29 @@ rule: any: - kind: expression_statement any: - - matches: $VAR = std::to_string(...) - - matches: $VAR = $EXPR.substr(...) - - matches: $VAR = $EXPR + ... - - matches: $VAR = "..." + $EXPR - - matches: $VAR_instance = "..." + $EXPR - - matches: $VAR_instance = $EXPR_instance + ... - - matches: $VAR_instance = $EXPR_instance.substr(...) - - matches: $VAR_instance = $EXPR_instance.substr(...) - - matches: $VAR_instance = std::to_string(...) + - matches: VAR_std_to_string + - matches: VAR_EXPR_substr + - matches: VAR_EXPR + - matches: VAR_EXPR_2 + - matches: VAR_instance_EXPR + - matches: VAR_instance_EXPR_instance + - matches: VAR_instance_EXPR_instance_substr + - matches: VAR_instance_EXPR_instance_substr + - matches: VAR_instance_std_to_string - kind: call_expression any: - - matches: $VAR(std::to_string(...)) - - matches: $VAR($EXPR + ...) - - matches: $VAR($EXPR_instance + ...) - - matches: $VAR("..." + $EXPR_instance ) - - matches: $VAR("..." + $EXPR) - - matches: $VAR($EXPR.substr(...)) - - matches: $VAR($EXPR_instance.substr(...)) + - matches: VAR_std_to_string_2 + - matches: VAR_EXPR_3 + - matches: VAR_EXPR_instance + - matches: VAR_EXPR_instance_2 + - matches: VAR_EXPR_4 + - matches: VAR_EXPR_substr_2 + - matches: VAR_EXPR_instance_substr - kind: declaration any: - - matches: $VAR(std::to_string(...))_as_declaration - - matches: $VAR_instance $VAR = "..." + $EXPR - - matches: $VAR $VAR_instance = "..." + $EXPR + - matches: VAR_std_to_string_as_declaration + - matches: VAR_instance_VAR_EXPR + - matches: VAR_VAR_instance_EXPR all: - not: has: diff --git a/rules/cpp/security/world-writable-file-cpp.yml b/rules/cpp/security/world-writable-file-cpp.yml index d6bc7177..7e13dc76 100644 --- a/rules/cpp/security/world-writable-file-cpp.yml +++ b/rules/cpp/security/world-writable-file-cpp.yml @@ -29,7 +29,7 @@ utils: kind: argument_list field: arguments - AND_2_EQUALS_2_&_S_IXXXX: + AND_2_EQUALS_2_S_IXXXX: any: - kind: number_literal regex: ^-?([2367]|[0-9]*(0[2367]|1[014589]|2[2367]|3[014589]|4[2367]|5[014589]|6[2367]|7[014589]|8[2367]|9[014589]))$ @@ -45,7 +45,7 @@ rule: any: # chmod/fchmod/creat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -64,7 +64,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -76,7 +76,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -88,7 +88,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 2 ofRule: @@ -118,7 +118,7 @@ rule: # fchmodat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -137,7 +137,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -149,7 +149,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -161,7 +161,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 3 ofRule: @@ -184,7 +184,7 @@ rule: # open - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -203,7 +203,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -215,7 +215,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -227,7 +227,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 3 ofRule: @@ -257,7 +257,7 @@ rule: # openat - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX + - matches: AND_2_EQUALS_2_S_IXXXX - kind: identifier pattern: $MODE inside: @@ -276,7 +276,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - kind: expression_statement any: - has: @@ -288,7 +288,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX - has: kind: comma_expression has: @@ -300,7 +300,7 @@ rule: pattern: $MODE - has: nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX + matches: AND_2_EQUALS_2_S_IXXXX nthChild: position: 4 ofRule: diff --git a/rules/csharp/security/jwt-decode-without-verify-csharp.yml b/rules/csharp/security/jwt-decode-without-verify-csharp.yml index cc971d93..140b31ec 100644 --- a/rules/csharp/security/jwt-decode-without-verify-csharp.yml +++ b/rules/csharp/security/jwt-decode-without-verify-csharp.yml @@ -14,7 +14,7 @@ note: >- ast-grep-essentials: true utils: - (IJwtDecoder $D).Decode($X,verify-false,.): + IJwtDecoder_D_Decode_X_verify-false: kind: invocation_expression all: - has: @@ -70,7 +70,7 @@ utils: kind: identifier pattern: $INST - (IJwtDecoder $D).Decode(false): + IJwtDecoder_D_Decode_false: kind: invocation_expression all: - has: @@ -121,7 +121,7 @@ utils: kind: identifier pattern: $INST - $D.Decode($X,verify-false,.): + D_Decode_X_verify-false: kind: invocation_expression all: - has: @@ -192,7 +192,7 @@ utils: kind: identifier regex: ^JwtDecoder$ - ($D).Decode(false): + D_Decode_false: kind: invocation_expression all: - has: @@ -258,7 +258,7 @@ utils: kind: identifier regex: ^JwtDecoder$ - JwtBuilder..Decode(...): + JwtBuilder_Decode: kind: invocation_expression all: - not: @@ -312,7 +312,7 @@ utils: - pattern: using JWT.Builder; - pattern: using Microsoft.IdentityModel.Tokens; - $B. ... .Decode(...): + B_Decode: kind: invocation_expression all: - has: @@ -454,7 +454,7 @@ utils: - precedes: kind: argument_list - new ValidationParameters() {..., ValidateSignature = false, ...}: + new_ValidationParameters_ValidateSignature_false: kind: object_creation_expression all: - inside: @@ -476,7 +476,7 @@ utils: kind: assignment_expression pattern: ValidateSignature = false - $V.ValidateSignature = false: + V_ValidateSignature_false: kind: assignment_expression all: - has: @@ -536,7 +536,7 @@ utils: kind: identifier regex: ^ValidationParameters$ - new JwtAuthenticationOptions() {..., VerifySignature = false, ...}: + new_JwtAuthenticationOptions_VerifySignature_false: kind: object_creation_expression all: - inside: @@ -558,7 +558,7 @@ utils: kind: assignment_expression pattern: VerifySignature = false - $V.VerifySignature = false: + V_VerifySignature_false: kind: assignment_expression all: - has: @@ -629,7 +629,7 @@ utils: kind: identifier regex: ^AddJwt$ - new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...}: + new_TokenValidationParameters_ValidateIssuerSigningKey_false: kind: object_creation_expression all: - inside: @@ -651,7 +651,7 @@ utils: kind: assignment_expression pattern: ValidateIssuerSigningKey = false - $V.ValidateIssuerSigningKey = false: + V_ValidateIssuerSigningKey_false: kind: assignment_expression all: - has: @@ -713,15 +713,15 @@ utils: rule: any: - - matches: (IJwtDecoder $D).Decode($X,verify-false,.) - - matches: (IJwtDecoder $D).Decode(false) - - matches: $D.Decode($X,verify-false,.) - - matches: ($D).Decode(false) - - matches: JwtBuilder..Decode(...) - - matches: $B. ... .Decode(...) - - matches: new ValidationParameters() {..., ValidateSignature = false, ...} - - matches: $V.ValidateSignature = false - - matches: new JwtAuthenticationOptions() {..., VerifySignature = false, ...} - - matches: $V.VerifySignature = false - - matches: new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...} - - matches: $V.ValidateIssuerSigningKey = false + - matches: IJwtDecoder_D_Decode_X_verify-false + - matches: IJwtDecoder_D_Decode_false + - matches: D_Decode_X_verify-false + - matches: D_Decode_false + - matches: JwtBuilder_Decode + - matches: B_Decode + - matches: new_ValidationParameters_ValidateSignature_false + - matches: V_ValidateSignature_false + - matches: new_JwtAuthenticationOptions_VerifySignature_false + - matches: V_VerifySignature_false + - matches: new_TokenValidationParameters_ValidateIssuerSigningKey_false + - matches: V_ValidateIssuerSigningKey_false diff --git a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml index 6b52764a..7c54c50e 100644 --- a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml +++ b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml @@ -11,7 +11,7 @@ note: >- ast-grep-essentials: true utils: - (IJwtEncoder $D).Encode($X, "..."): + IJwtEncoder_D_Encode_X: kind: invocation_expression all: - has: @@ -79,7 +79,7 @@ utils: - pattern: using JWT; - pattern: using JWT.Builder; - (IJwtDecoder $D).Decoder($X, "..."): + IJwtDecoder_D_Decoder_X: kind: invocation_expression all: - has: @@ -147,7 +147,7 @@ utils: - pattern: using JWT; - pattern: using JWT.Builder; - (IJwtEncoder $D).Encode($X, "...")_With_Instance: + IJwtEncoder_D_Encode_X_With_Instance: kind: invocation_expression all: - has: @@ -245,7 +245,7 @@ utils: has: kind: string_literal_content - (IJwtDecoder $D).Decoder($X, "...")_With_Instance: + IJwtDecoder_D_Decoder_X_With_Instance: kind: invocation_expression all: - has: @@ -343,7 +343,7 @@ utils: has: kind: string_literal_content - $B. ... .WithSecret("..."): + B_WithSecret: kind: invocation_expression all: - has: @@ -428,7 +428,7 @@ utils: nthChild: 2 pattern: JwtBuilder.Create() - (JwtBuilder $B). ... .WithSecret("..."): + JwtBuilder_B_WithSecret: kind: invocation_expression all: - has: @@ -466,7 +466,7 @@ utils: - pattern: using JWT; - pattern: using JWT.Builder; - $B. ... .WithSecret("...")_With_Instance: + B_WithSecret_With_Instance: kind: invocation_expression all: - has: @@ -558,7 +558,7 @@ utils: has: kind: string_literal_content - (JwtBuilder $B). ... .WithSecret("...")_With_Instance: + JwtBuilder_B_WithSecret_With_Instance: kind: invocation_expression all: - has: @@ -613,7 +613,7 @@ utils: has: kind: string_literal_content - (JwtBuilder $B). ... .WithSecret("...")_With_Instance2: + JwtBuilder_B_WithSecret_With_Instance2: kind: invocation_expression all: - has: @@ -671,12 +671,12 @@ utils: rule: any: - - matches: (JwtBuilder $B). ... .WithSecret("...")_With_Instance2 - - matches: (IJwtEncoder $D).Encode($X, "...") - - matches: (IJwtDecoder $D).Decoder($X, "...") - - matches: (IJwtEncoder $D).Encode($X, "...")_With_Instance - - matches: (IJwtDecoder $D).Decoder($X, "...")_With_Instance - - matches: $B. ... .WithSecret("...") - - matches: (JwtBuilder $B). ... .WithSecret("...") - - matches: $B. ... .WithSecret("...")_With_Instance - - matches: (JwtBuilder $B). ... .WithSecret("...")_With_Instance + - matches: JwtBuilder_B_WithSecret_With_Instance2 + - matches: IJwtEncoder_D_Encode_X + - matches: IJwtDecoder_D_Decoder_X + - matches: IJwtEncoder_D_Encode_X_With_Instance + - matches: IJwtDecoder_D_Decoder_X_With_Instance + - matches: B_WithSecret + - matches: JwtBuilder_B_WithSecret + - matches: B_WithSecret_With_Instance + - matches: JwtBuilder_B_WithSecret_With_Instance diff --git a/rules/csharp/security/networkcredential-hardcoded-secret-python.yml b/rules/csharp/security/networkcredential-hardcoded-secret-python.yml index 796bd13f..e49a3644 100644 --- a/rules/csharp/security/networkcredential-hardcoded-secret-python.yml +++ b/rules/csharp/security/networkcredential-hardcoded-secret-python.yml @@ -296,7 +296,7 @@ utils: kind: identifier - has: kind: argument_list - (NetworkCredential $VALUE).Password = "$PASSWORD": + NetworkCredential_VALUE_Password_PASSWORD: kind: assignment_expression all: - has: @@ -400,6 +400,6 @@ rule: - matches: match_instance_without_braces - matches: braces_instance - matches: match_password_with_instance - - matches: (NetworkCredential $VALUE).Password = "$PASSWORD" + - matches: NetworkCredential_VALUE_Password_PASSWORD - matches: match_network_credential1 - matches: match_network_credential2 diff --git a/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml index 5c57f8dd..acbdbd6e 100644 --- a/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml +++ b/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml @@ -296,7 +296,7 @@ utils: kind: identifier - has: kind: argument_list - (NpgsqlConnectionStringBuilder $VALUE).Password = "$PASSWORD": + NpgsqlConnectionStringBuilder_VALUE_Password_PASSWORD: kind: assignment_expression all: - has: @@ -347,4 +347,4 @@ rule: - matches: match_instance_without_braces - matches: braces_instance - matches: match_password_with_instance - - matches: (NpgsqlConnectionStringBuilder $VALUE).Password = "$PASSWORD" + - matches: NpgsqlConnectionStringBuilder_VALUE_Password_PASSWORD diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml index 1cf2d7f4..a84124d2 100644 --- a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml +++ b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml @@ -296,7 +296,7 @@ utils: kind: identifier - has: kind: argument_list - (OracleConnectionStringBuilder $VALUE).Password = "$PASSWORD": + OracleConnectionStringBuilder_VALUE_Password_PASSWORD: kind: assignment_expression all: - has: @@ -347,4 +347,4 @@ rule: - matches: match_instance_without_braces - matches: braces_instance - matches: match_password_with_instance - - matches: (OracleConnectionStringBuilder $VALUE).Password = "$PASSWORD" + - matches: OracleConnectionStringBuilder_VALUE_Password_PASSWORD diff --git a/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml index ffc2a11e..f94d8562 100644 --- a/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml +++ b/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml @@ -296,7 +296,7 @@ utils: kind: identifier - has: kind: argument_list - (SqlConnectionStringBuilder $VALUE).Password = "$PASSWORD": + SqlConnectionStringBuilder_VALUE_Password_PASSWORD: kind: assignment_expression all: - has: @@ -347,4 +347,4 @@ rule: - matches: match_instance_without_braces - matches: braces_instance - matches: match_password_with_instance - - matches: (SqlConnectionStringBuilder $VALUE).Password = "$PASSWORD" + - matches: SqlConnectionStringBuilder_VALUE_Password_PASSWORD diff --git a/rules/csharp/security/stacktrace-disclosure-csharp.yml b/rules/csharp/security/stacktrace-disclosure-csharp.yml index 252e1479..24ce3240 100644 --- a/rules/csharp/security/stacktrace-disclosure-csharp.yml +++ b/rules/csharp/security/stacktrace-disclosure-csharp.yml @@ -25,7 +25,7 @@ utils: nthChild: 2 kind: argument_list - $APP.UseDeveloperExceptionPage(...): + APP_UseDeveloperExceptionPage: kind: expression_statement pattern: $APP.UseDeveloperExceptionPage($$$); not: @@ -41,7 +41,7 @@ utils: matches: kind_invocation_expression rule: kind: expression_statement - matches: $APP.UseDeveloperExceptionPage(...) + matches: APP_UseDeveloperExceptionPage all: - not: has: diff --git a/rules/go/security/openai-empty-secret-go.yml b/rules/go/security/openai-empty-secret-go.yml index 8a7f6157..bb967947 100644 --- a/rules/go/security/openai-empty-secret-go.yml +++ b/rules/go/security/openai-empty-secret-go.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - MATCH_openai.NewClient: + MATCH_openai_NewClient: kind: call_expression all: - has: @@ -63,7 +63,7 @@ utils: stopBy: end kind: import_spec regex: "github.com/sashabaranov/go-openai" - MATCH_openai.NewClient_instance: + MATCH_openai_NewClient_instance: kind: call_expression all: - has: @@ -189,8 +189,8 @@ utils: rule: kind: call_expression any: - - matches: MATCH_openai.NewClient - - matches: MATCH_openai.NewClient_instance + - matches: MATCH_openai_NewClient + - matches: MATCH_openai_NewClient_instance not: all: - has: diff --git a/rules/go/security/openai-hardcoded-secret-go.yml b/rules/go/security/openai-hardcoded-secret-go.yml index 6180459f..e8238b0c 100644 --- a/rules/go/security/openai-hardcoded-secret-go.yml +++ b/rules/go/security/openai-hardcoded-secret-go.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - MATCH_openai.NewClient: + MATCH_openai_NewClient: kind: call_expression all: - has: @@ -65,7 +65,7 @@ utils: stopBy: end kind: import_spec regex: "github.com/sashabaranov/go-openai" - MATCH_openai.NewClient_instance: + MATCH_openai_NewClient_instance: kind: call_expression all: - has: @@ -197,8 +197,8 @@ utils: rule: kind: call_expression any: - - matches: MATCH_openai.NewClient - - matches: MATCH_openai.NewClient_instance + - matches: MATCH_openai_NewClient + - matches: MATCH_openai_NewClient_instance not: all: - has: diff --git a/rules/java/security/datanucleus-hardcoded-connection-password-java.yml b/rules/java/security/datanucleus-hardcoded-connection-password-java.yml index 3233e169..7016a300 100644 --- a/rules/java/security/datanucleus-hardcoded-connection-password-java.yml +++ b/rules/java/security/datanucleus-hardcoded-connection-password-java.yml @@ -17,7 +17,7 @@ ast-grep-essentials: true utils: - (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): + org_datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -59,7 +59,7 @@ utils: kind: identifier pattern: $INST - (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + org_datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -117,7 +117,7 @@ utils: has: kind: string_fragment - (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): + jdo_JDOPersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -166,7 +166,7 @@ utils: - pattern: import org.datanucleus.api.*; - pattern: import org.datanucleus.api; - (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -231,7 +231,7 @@ utils: - pattern: import org.datanucleus.api.*; - pattern: import org.datanucleus.api; - (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): + JDOPersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -282,7 +282,7 @@ utils: - pattern: import org.datanucleus.api.jdo.*; - pattern: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -349,7 +349,7 @@ utils: - pattern: import org.datanucleus; - pattern: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): + api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -398,7 +398,7 @@ utils: - pattern: import org.datanucleus.*; - pattern: import org.datanucleus; - (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -463,7 +463,7 @@ utils: - pattern: import org.datanucleus.*; - pattern: import org.datanucleus; - (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): + datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -512,7 +512,7 @@ utils: - pattern: import org.*; - pattern: import org; - (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -580,14 +580,14 @@ utils: rule: any: - - matches: (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance + - matches: org_datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS + - matches: org_datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: jdo_JDOPersistenceManagerFactory_JDO_SETPASS + - matches: jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: JDOPersistenceManagerFactory_JDO_SETPASS + - matches: JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS + - matches: api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS + - matches: datanucleus_api_jdo_JDOPersistenceManagerFactory_JDO_SETPASS_with_Instance diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml index 6d6922d2..9fef8ebe 100644 --- a/rules/java/security/drivermanager-hardcoded-secret-java.yml +++ b/rules/java/security/drivermanager-hardcoded-secret-java.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - MATCH_PATTERN_DriverManager.getConnection: + MATCH_PATTERN_DriverManager_getConnection: kind: method_invocation all: - has: @@ -142,7 +142,7 @@ utils: rule: any: - kind: method_invocation - matches: MATCH_PATTERN_DriverManager.getConnection + matches: MATCH_PATTERN_DriverManager_getConnection - kind: object_creation_expression matches: MATCH_PATTERN_DriverManagerDataSource diff --git a/rules/java/security/hardcoded-connection-password-java.yml b/rules/java/security/hardcoded-connection-password-java.yml index e47ec3e8..fad9d67c 100644 --- a/rules/java/security/hardcoded-connection-password-java.yml +++ b/rules/java/security/hardcoded-connection-password-java.yml @@ -17,7 +17,7 @@ ast-grep-essentials: true utils: - (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("..."): + javax_jdo_PersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -59,7 +59,7 @@ utils: kind: identifier pattern: $INST - (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + javax_jdo_PersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -117,7 +117,7 @@ utils: has: kind: string_fragment - (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("..."): + jdo_PersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -165,7 +165,7 @@ utils: any: - pattern: import javax.*; - (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + jdo_PersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -229,7 +229,7 @@ utils: any: - pattern: import javax.*; - (PersistenceManagerFactory $JDO). ... .$SETPASS("..."): + PersistenceManagerFactory_JDO_SETPASS: kind: identifier regex: ^setConnectionPassword$ all: @@ -278,7 +278,7 @@ utils: - pattern: import javax.jdo.*; - pattern: import javax.jdo.PersistenceManagerFactory; - (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: + PersistenceManagerFactory_JDO_SETPASS_with_Instance: kind: identifier regex: ^setConnectionPassword$ all: @@ -344,9 +344,9 @@ utils: - pattern: import javax.jdo.PersistenceManagerFactory; rule: any: - - matches: (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance \ No newline at end of file + - matches: javax_jdo_PersistenceManagerFactory_JDO_SETPASS + - matches: javax_jdo_PersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: jdo_PersistenceManagerFactory_JDO_SETPASS + - matches: jdo_PersistenceManagerFactory_JDO_SETPASS_with_Instance + - matches: PersistenceManagerFactory_JDO_SETPASS + - matches: PersistenceManagerFactory_JDO_SETPASS_with_Instance \ No newline at end of file diff --git a/rules/java/security/hardcoded-secret-in-credentials-java.yml b/rules/java/security/hardcoded-secret-in-credentials-java.yml index 8c2701a4..2bb61169 100644 --- a/rules/java/security/hardcoded-secret-in-credentials-java.yml +++ b/rules/java/security/hardcoded-secret-in-credentials-java.yml @@ -14,7 +14,7 @@ note: >- ast-grep-essentials: true utils: - Credentials.basic($USERNAME, "..."): + Credentials_basic_USERNAME: kind: method_invocation all: - has: @@ -53,7 +53,7 @@ utils: - pattern: import okhttp3.Credentials.*; - pattern: import okhttp3.*; - Credentials.basic($USERNAME, "...")_with_Instance: + Credentials_basic_USERNAME_with_Instance: kind: method_invocation all: - has: @@ -107,7 +107,7 @@ utils: has: kind: string_fragment - basic($USERNAME, "..."): + basic_USERNAME: kind: method_invocation all: - has: @@ -141,7 +141,7 @@ utils: any: - pattern: import okhttp3.Credentials.*; - basic($USERNAME, "...")_with_Instance: + basic_USERNAME_with_Instance: kind: method_invocation all: - has: @@ -174,7 +174,7 @@ utils: any: - pattern: import okhttp3.Credentials.*; - okhttp3.Credentials.basic($USERNAME, "..."): + okhttp3_Credentials_basic_USERNAME: kind: method_invocation all: - has: @@ -220,7 +220,7 @@ utils: - pattern: import okhttp3.Credentials.*; - pattern: import okhttp3.Credentials; - okhttp3.Credentials.basic($USERNAME, "...")_with_Instance: + okhttp3_Credentials_basic_USERNAME_with_Instance: kind: method_invocation all: - has: @@ -283,10 +283,10 @@ utils: rule: any: - - matches: Credentials.basic($USERNAME, "...") - - matches: Credentials.basic($USERNAME, "...")_with_Instance - - matches: basic($USERNAME, "...") - - matches: basic($USERNAME, "...")_with_Instance - - matches: okhttp3.Credentials.basic($USERNAME, "...") - - matches: okhttp3.Credentials.basic($USERNAME, "...")_with_Instance + - matches: Credentials_basic_USERNAME + - matches: Credentials_basic_USERNAME_with_Instance + - matches: basic_USERNAME + - matches: basic_USERNAME_with_Instance + - matches: okhttp3_Credentials_basic_USERNAME + - matches: okhttp3_Credentials_basic_USERNAME_with_Instance diff --git a/rules/java/security/java-jwt-hardcoded-secret-java.yml b/rules/java/security/java-jwt-hardcoded-secret-java.yml index d1df5d02..ed9e0990 100644 --- a/rules/java/security/java-jwt-hardcoded-secret-java.yml +++ b/rules/java/security/java-jwt-hardcoded-secret-java.yml @@ -14,7 +14,7 @@ note: >- ast-grep-essentials: true utils: - (Algorithm $ALG) = $ALGO.$HMAC("$Y"): + Algorithm_ALG_ALGO_HMAC_Y: kind: string_literal all: - has: @@ -58,7 +58,7 @@ utils: not: kind: line_comment - (Algorithm $ALG) = $ALGO.$HMAC($SECRET): + Algorithm_ALG_ALGO_HMAC_SECRET: kind: string_literal all: - has: @@ -116,9 +116,9 @@ utils: rule: any: - kind: string_literal - matches: (Algorithm $ALG) = $ALGO.$HMAC("$Y") + matches: Algorithm_ALG_ALGO_HMAC_Y - kind: string_literal - matches: (Algorithm $ALG) = $ALGO.$HMAC($SECRET) + matches: Algorithm_ALG_ALGO_HMAC_SECRET not: all: - has: diff --git a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml b/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml index 53cddb78..1095eed2 100644 --- a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml +++ b/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - redis.clients.jedis.DefaultJedisClientConfig.builder().password("..."): + redis_clients_jedis_DefaultJedisClientConfig_builder_password: kind: method_invocation all: - has: @@ -44,7 +44,7 @@ utils: not: kind: line_comment - (redis.clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."): + redis_clients_jedis_DefaultJedisClientConfig_Builder_JEDIS_password: kind: method_invocation all: - has: @@ -88,7 +88,7 @@ utils: kind: identifier pattern: $INST - redis.clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + redis_clients_jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: method_invocation all: - has: @@ -110,7 +110,7 @@ utils: has: kind: string_fragment - new redis.clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + new_redis_clients_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: object_creation_expression all: - has: @@ -126,7 +126,7 @@ utils: has: kind: string_fragment - (redis.clients.jedis.JedisClientConfig $JEDIS).updatePassword("..."): + redis_clients_jedis_JedisClientConfig_JEDIS_updatePassword: kind: method_invocation all: - has: @@ -170,7 +170,7 @@ utils: kind: identifier pattern: $INST - (redis.clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."): + redis_clients_jedis_DefaultJedisClientConfig_JEDIS_updatePassword: kind: method_invocation all: - has: @@ -214,7 +214,7 @@ utils: kind: identifier pattern: $INST - DefaultJedisClientConfig.builder().password("..."): + DefaultJedisClientConfig_builder_password: kind: method_invocation all: - has: @@ -252,7 +252,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.DefaultJedisClientConfig; - (DefaultJedisClientConfig.Builder $JEDIS).password("..."): + DefaultJedisClientConfig_Builder_JEDIS_password: kind: method_invocation all: - has: @@ -305,7 +305,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.DefaultJedisClientConfig; - DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: method_invocation all: - has: @@ -336,7 +336,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.DefaultJedisClientConfig; - new DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + new_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: object_creation_expression all: - has: @@ -361,7 +361,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.DefaultJedisClientConfig; - (JedisClientConfig|DefaultJedisClientConfig $JEDIS).updatePassword("..."): + JedisClientConfig_DefaultJedisClientConfig_JEDIS_updatePassword: kind: method_invocation all: - has: @@ -414,7 +414,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.DefaultJedisClientConfig; - jedis.DefaultJedisClientConfig.builder().password("..."): + jedis_DefaultJedisClientConfig_builder_password: kind: method_invocation all: - has: @@ -451,7 +451,7 @@ utils: - pattern: import redis.clients.*; - pattern: import redis.clients; - jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."): + jedis_DefaultJedisClientConfig_Builder_JEDIS_password: kind: method_invocation all: - has: @@ -503,7 +503,7 @@ utils: - pattern: import redis.clients.*; - pattern: import redis.clients; - jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: method_invocation all: - has: @@ -533,7 +533,7 @@ utils: - pattern: import redis.clients.*; - pattern: import redis.clients; - new jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + new_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: object_creation_expression all: - has: @@ -557,7 +557,7 @@ utils: - pattern: import redis.clients.*; - pattern: import redis.clients; - (jedis.JedisClientConfig|jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."): + jedis_JedisClientConfig_jedis_DefaultJedisClientConfig_JEDIS_updatePassword: kind: method_invocation all: - has: @@ -610,7 +610,7 @@ utils: - pattern: import redis.clients; - pattern: import redis.clients.jedis.*; - clients.jedis.DefaultJedisClientConfig.builder().password("..."): + clients_jedis_DefaultJedisClientConfig_builder_password: kind: method_invocation all: - has: @@ -647,7 +647,7 @@ utils: - pattern: import redis.*; - pattern: import redis; - clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."): + clients_jedis_DefaultJedisClientConfig_Builder_JEDIS_password: kind: method_invocation all: - has: @@ -699,7 +699,7 @@ utils: - pattern: import redis.*; - pattern: import redis; - clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + clients_jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: method_invocation all: - has: @@ -729,7 +729,7 @@ utils: - pattern: import redis.*; - pattern: import redis; - new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."): + new_clients_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER: kind: object_creation_expression all: - has: @@ -753,7 +753,7 @@ utils: - pattern: import redis.*; - pattern: import redis; - (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."): + clients_jedis_JedisClientConfig_clients_jedis_DefaultJedisClientConfig_JEDIS_updatePassword: kind: method_invocation all: - has: @@ -807,24 +807,24 @@ utils: rule: any: - - matches: redis.clients.jedis.DefaultJedisClientConfig.builder().password("...") - - matches: (redis.clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...") - - matches: redis.clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: new redis.clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: (redis.clients.jedis.JedisClientConfig $JEDIS).updatePassword("...") - - matches: (redis.clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...") - - matches: DefaultJedisClientConfig.builder().password("...") - - matches: (DefaultJedisClientConfig.Builder $JEDIS).password("...") - - matches: DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: new DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: (JedisClientConfig|DefaultJedisClientConfig $JEDIS).updatePassword("...") - - matches: jedis.DefaultJedisClientConfig.builder().password("...") - - matches: jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...") - - matches: jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: new jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: (jedis.JedisClientConfig|jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...") - - matches: clients.jedis.DefaultJedisClientConfig.builder().password("...") - - matches: clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...") - - matches: clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...") - - matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...") \ No newline at end of file + - matches: redis_clients_jedis_DefaultJedisClientConfig_builder_password + - matches: redis_clients_jedis_DefaultJedisClientConfig_Builder_JEDIS_password + - matches: redis_clients_jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: new_redis_clients_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: redis_clients_jedis_JedisClientConfig_JEDIS_updatePassword + - matches: redis_clients_jedis_DefaultJedisClientConfig_JEDIS_updatePassword + - matches: DefaultJedisClientConfig_builder_password + - matches: DefaultJedisClientConfig_Builder_JEDIS_password + - matches: DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: new_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: JedisClientConfig_DefaultJedisClientConfig_JEDIS_updatePassword + - matches: jedis_DefaultJedisClientConfig_builder_password + - matches: jedis_DefaultJedisClientConfig_Builder_JEDIS_password + - matches: jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: new_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: jedis_JedisClientConfig_jedis_DefaultJedisClientConfig_JEDIS_updatePassword + - matches: clients_jedis_DefaultJedisClientConfig_builder_password + - matches: clients_jedis_DefaultJedisClientConfig_Builder_JEDIS_password + - matches: clients_jedis_DefaultJedisClientConfig_create_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: new_clients_jedis_DefaultJedisClientConfig_CONNECTIONTIMEOUTMILLIS_SOTIMEOUTMILLIS_BLOCKINGSOCKETTIMEOUTMILLIS_USER + - matches: clients_jedis_JedisClientConfig_clients_jedis_DefaultJedisClientConfig_JEDIS_updatePassword \ No newline at end of file diff --git a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml index 553c16d0..c3013022 100644 --- a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml +++ b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml @@ -81,7 +81,7 @@ utils: - pattern: import redis.clients.jedis.JedisFactory; - pattern: import redis.clients.jedis.JedisFactory.*; - MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY: + MATCH_PATTERN_CLIENT_JEDIS_JEDISFACTORY: kind: expression_statement all: - has: @@ -153,7 +153,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.*; - MATCH_PATTERN_JEDIS.JEDISFACTORY: + MATCH_PATTERN_JEDIS_JEDISFACTORY: kind: expression_statement all: - has: @@ -223,7 +223,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.*; - MATCH_PATTERN_JEDIS.CONNECTIONFACTORY: + MATCH_PATTERN_JEDIS_CONNECTIONFACTORY: kind: expression_statement all: - has: @@ -293,7 +293,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.*; - MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY: + MATCH_PATTERN_REDIS_CLIENT_JEDIS_JEDISFACTORY: kind: expression_statement all: - has: @@ -438,7 +438,7 @@ utils: - pattern: import redis.clients.jedis.ConnectionFactory; - pattern: import redis.clients.jedis.ConnectionFactory.*; - MATCH_PATTERN_JEDIS.JEDISFACTORY(instance): + MATCH_PATTERN_JEDIS_JEDISFACTORY_instance: kind: expression_statement all: - has: @@ -522,7 +522,7 @@ utils: has: kind: string_fragment - MATCH_PATTERN_JEDISFACTORY(instance): + MATCH_PATTERN_JEDISFACTORY_instance: kind: expression_statement all: - has: @@ -603,7 +603,7 @@ utils: has: kind: string_fragment - MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY(instance): + MATCH_PATTERN_CLIENT_JEDIS_JEDISFACTORY_instance: kind: expression_statement all: - has: @@ -688,7 +688,7 @@ utils: - pattern: import redis.clients.jedis; - pattern: import redis.clients.jedis.*; - MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY(instance): + MATCH_PATTERN_REDIS_CLIENT_JEDIS_JEDISFACTORY_instance: kind: expression_statement all: - has: @@ -758,7 +758,7 @@ utils: has: kind: string_fragment - MATCH_PATTERN_JEDIS.CONNECTIONFACTORY(instance): + MATCH_PATTERN_JEDIS_CONNECTIONFACTORY_instance: kind: expression_statement all: - has: @@ -842,7 +842,7 @@ utils: has: kind: string_fragment - MATCH_PATTERN_CONNECTIONFACTORY(instance): + MATCH_PATTERN_CONNECTIONFACTORY_instance: kind: expression_statement all: - has: @@ -926,18 +926,18 @@ utils: rule: kind: expression_statement any: - - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY + - matches: MATCH_PATTERN_JEDIS_JEDISFACTORY - matches: MATCH_PATTERN_JEDISFACTORY - - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY + - matches: MATCH_PATTERN_CLIENT_JEDIS_JEDISFACTORY + - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS_JEDISFACTORY - matches: MATCH_PATTERN_CONNECTIONFACTORY - - matches: MATCH_PATTERN_JEDIS.CONNECTIONFACTORY - - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_JEDISFACTORY(instance) - - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_JEDIS.CONNECTIONFACTORY(instance) - - matches: MATCH_PATTERN_CONNECTIONFACTORY(instance) + - matches: MATCH_PATTERN_JEDIS_CONNECTIONFACTORY + - matches: MATCH_PATTERN_JEDIS_JEDISFACTORY_instance + - matches: MATCH_PATTERN_JEDISFACTORY_instance + - matches: MATCH_PATTERN_CLIENT_JEDIS_JEDISFACTORY_instance + - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS_JEDISFACTORY_instance + - matches: MATCH_PATTERN_JEDIS_CONNECTIONFACTORY_instance + - matches: MATCH_PATTERN_CONNECTIONFACTORY_instance not: all: - has: diff --git a/rules/java/security/missing-httponly-java.yml b/rules/java/security/missing-httponly-java.yml index 90f65f94..a629949e 100644 --- a/rules/java/security/missing-httponly-java.yml +++ b/rules/java/security/missing-httponly-java.yml @@ -51,7 +51,7 @@ utils: precedes: kind: argument_list - cookie.of_pattern_for_c_equals_Cookie.of: + cookie_of_pattern_for_c_equals_Cookie_of: nthChild: 1 kind: identifier any: diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml index 1ad4bd8e..7d183e3c 100644 --- a/rules/java/security/missing-secure-java.yml +++ b/rules/java/security/missing-secure-java.yml @@ -50,7 +50,7 @@ utils: precedes: kind: argument_list - cookie.of_pattern_for_c_equals_Cookie.of: + cookie_of_pattern_for_c_equals_Cookie_of: nthChild: 1 kind: identifier any: diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml index 4aab8efd..eaac6db9 100644 --- a/rules/java/security/use-of-rc2-java.yml +++ b/rules/java/security/use-of-rc2-java.yml @@ -11,7 +11,7 @@ note: >- - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html ast-grep-essentials: true utils: - $CIPHER.getInstance("RC2"): + CIPHER_getInstance_RC2: kind: method_invocation all: - has: @@ -36,7 +36,7 @@ utils: stopBy: end kind: array_access - $CIPHER.getInstance("RC2")_with_instance: + CIPHER_getInstance_RC2_with_instance: kind: method_invocation all: - has: @@ -83,5 +83,5 @@ utils: rule: kind: method_invocation any: - - matches: $CIPHER.getInstance("RC2") - - matches: $CIPHER.getInstance("RC2")_with_instance + - matches: CIPHER_getInstance_RC2 + - matches: CIPHER_getInstance_RC2_with_instance diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml index b2268c1c..75a8e2a2 100644 --- a/rules/java/security/use-of-sha1-java.yml +++ b/rules/java/security/use-of-sha1-java.yml @@ -13,7 +13,7 @@ note: >- ast-grep-essentials: true utils: - java.security.MessageDigest.getInstance("SHA-1"): + java_security_MessageDigest_getInstance_SHA-1: kind: method_invocation all: - has: @@ -37,7 +37,7 @@ utils: - regex: ^SHA-1 - regex: ^SHA1 - MessageDigest.getInstance("SHA-1"): + MessageDigest_getInstance_SHA-1: kind: method_invocation all: - has: @@ -69,7 +69,7 @@ utils: kind: import_declaration pattern: import java.security.MessageDigest - MessageDigest.getInstance("SHA-1")_with_Instance: + MessageDigest_getInstance_SHA-1_with_Instance: kind: method_invocation all: - has: @@ -115,7 +115,7 @@ utils: - regex: ^SHA-1 - regex: ^SHA1 - java.security.MessageDigest.getInstance("SHA-1")_with_Instance: + java_security_MessageDigest_getInstance_SHA-1_with_Instance: kind: method_invocation all: - has: @@ -156,11 +156,11 @@ utils: rule: kind: method_invocation any: - - matches: java.security.MessageDigest.getInstance("SHA-1") + - matches: java_security_MessageDigest_getInstance_SHA-1 - pattern: $DU.getSha1Digest().digest($$$) - - matches: MessageDigest.getInstance("SHA-1") - - matches: MessageDigest.getInstance("SHA-1")_with_Instance - - matches: java.security.MessageDigest.getInstance("SHA-1")_with_Instance + - matches: MessageDigest_getInstance_SHA-1 + - matches: MessageDigest_getInstance_SHA-1_with_Instance + - matches: java_security_MessageDigest_getInstance_SHA-1_with_Instance all: - not: inside: diff --git a/rules/php/security/openssl-cbc-static-iv-php.yml b/rules/php/security/openssl-cbc-static-iv-php.yml index 2e1df39c..9b628960 100644 --- a/rules/php/security/openssl-cbc-static-iv-php.yml +++ b/rules/php/security/openssl-cbc-static-iv-php.yml @@ -425,7 +425,7 @@ utils: stopBy: end kind: encapsed_string - Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_(instance of cbc): + Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_instance_of_cbc: kind: function_call_expression all: - not: @@ -639,7 +639,7 @@ rule: any: - matches: Match_pattern_with_prefix_openssl_decrypt - matches: Match_pattern_directly_with_prefix_openssl_encrypt_return_statement - - matches: Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_(instance of cbc) + - matches: Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_instance_of_cbc all: - not: has: diff --git a/rules/python/security/avoid_app_run_with_bad_host-python.yml b/rules/python/security/avoid_app_run_with_bad_host-python.yml index c0876275..154911ef 100644 --- a/rules/python/security/avoid_app_run_with_bad_host-python.yml +++ b/rules/python/security/avoid_app_run_with_bad_host-python.yml @@ -10,7 +10,7 @@ note: >- https://owasp.org/Top10/A01_2021-Broken_Access_Control ast-grep-essentials: true utils: - MATCH_PATTERN_app.run: + MATCH_PATTERN_app_run: kind: call all: - has: @@ -33,7 +33,7 @@ utils: kind: string regex: ^"0.0.0.0"$ - MATCH_PATTERN_app.run_HOST: + MATCH_PATTERN_app_run_HOST: kind: call all: - has: @@ -70,5 +70,5 @@ utils: rule: kind: call any: - - matches: MATCH_PATTERN_app.run - - matches: MATCH_PATTERN_app.run_HOST + - matches: MATCH_PATTERN_app_run + - matches: MATCH_PATTERN_app_run_HOST diff --git a/rules/python/security/debug-enabled-python.yml b/rules/python/security/debug-enabled-python.yml index 4e184544..de234f73 100644 --- a/rules/python/security/debug-enabled-python.yml +++ b/rules/python/security/debug-enabled-python.yml @@ -12,7 +12,7 @@ note: >- - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ ast-grep-essentials: true utils: - MATCH_PATTERN_debug=True: + MATCH_PATTERN_debug_True: kind: call all: - has: @@ -90,4 +90,4 @@ utils: rule: kind: call any: - - matches: MATCH_PATTERN_debug=True + - matches: MATCH_PATTERN_debug_True diff --git a/rules/python/security/hashids-with-django-secret-python.yml b/rules/python/security/hashids-with-django-secret-python.yml index 94104dfe..fef8bfc3 100644 --- a/rules/python/security/hashids-with-django-secret-python.yml +++ b/rules/python/security/hashids-with-django-secret-python.yml @@ -14,7 +14,7 @@ note: >- http://carnage.github.io/2015/08/cryptanalysis-of-hashids ast-grep-essentials: true utils: - Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): + Hashids_salt_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH: kind: call all: - has: @@ -65,7 +65,7 @@ utils: kind: import_from_statement pattern: from hashids import Hashids - Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet): + Hashids_settings_SECRET_KEY_min_length_length_alphabet_alphabet: kind: call all: - has: @@ -110,7 +110,7 @@ utils: kind: import_from_statement pattern: from hashids import Hashids - hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): + hashids_Hashids_salt_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH: kind: call all: - has: @@ -148,7 +148,7 @@ utils: kind: import_from_statement pattern: from django.conf import settings - hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet): + hashids_Hashids_settings_SECRET_KEY_min_length_length_alphabet_alphabet: kind: call all: - has: @@ -182,7 +182,7 @@ utils: kind: import_from_statement pattern: from django.conf import settings - hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): + hashids_Hashids_salt_django_conf_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH: kind: call all: - has: @@ -202,7 +202,7 @@ utils: kind: attribute regex: ^django.conf.settings.SECRET_KEY$ - hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet): + hashids_Hashids_django_conf_settings_SECRET_KEY_min_length_length_alphabet_alphabet: kind: call all: - has: @@ -216,7 +216,7 @@ utils: kind: attribute regex: ^django.conf.settings.SECRET_KEY$ - Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet): + Hashids_django_conf_settings_SECRET_KEY_min_length_length_alphabet_alphabet: kind: call all: - has: @@ -241,7 +241,7 @@ utils: kind: import_from_statement pattern: from hashids import Hashids - Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): + Hashids_salt_django_conf_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH: kind: call all: - has: @@ -275,11 +275,11 @@ utils: rule: any: - - matches: Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) \ No newline at end of file + - matches: Hashids_salt_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH + - matches: Hashids_settings_SECRET_KEY_min_length_length_alphabet_alphabet + - matches: hashids_Hashids_salt_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH + - matches: hashids_Hashids_settings_SECRET_KEY_min_length_length_alphabet_alphabet + - matches: hashids_Hashids_salt_django_conf_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH + - matches: hashids_Hashids_django_conf_settings_SECRET_KEY_min_length_length_alphabet_alphabet + - matches: Hashids_django_conf_settings_SECRET_KEY_min_length_length_alphabet_alphabet + - matches: Hashids_salt_django_conf_settings_SECRET_KEY_min_length_settings_ID_HASH_MIN_LENGTH \ No newline at end of file diff --git a/rules/python/security/hashids-with-flask-secret-python.yml b/rules/python/security/hashids-with-flask-secret-python.yml index 6a39154e..059c2581 100644 --- a/rules/python/security/hashids-with-flask-secret-python.yml +++ b/rules/python/security/hashids-with-flask-secret-python.yml @@ -13,7 +13,7 @@ note: >- - http://carnage.github.io/2015/08/cryptanalysis-of-hashids ast-grep-essentials: true utils: - hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...): + hashids_Hashids_salt_flask_current_app_config_SECRET_KEY: # hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) kind: call all: @@ -36,7 +36,7 @@ utils: stopBy: neighbor kind: subscript pattern: flask.current_app.config['SECRET_KEY'] - hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...): + hashids_Hashids_flask_current_app_config_SECRET_KEY: # hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) kind: call all: @@ -51,7 +51,7 @@ utils: stopBy: neighbor kind: subscript pattern: flask.current_app.config['SECRET_KEY'] - hashids.Hashids($APP.config['SECRET_KEY'], ...): + hashids_Hashids_APP_config_SECRET_KEY: # hashids.Hashids($APP.config['SECRET_KEY'], ...) kind: call all: @@ -76,7 +76,7 @@ utils: stopBy: neighbor kind: assignment pattern: $APP = flask.Flask($$$) - hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...): + hashids_Hashids_salt_APP_config_SECRET_KEY: # hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) kind: call all: @@ -109,7 +109,7 @@ utils: stopBy: neighbor kind: assignment pattern: $APP = flask.Flask($$$) - Hashids(salt=app.config['SECRET_KEY']): + Hashids_salt_app_config_SECRET_KEY: # from hashids import Hashids # from flask import current_app as app # hash_id = Hashids(salt=app.config['SECRET_KEY']) @@ -154,7 +154,7 @@ utils: stopBy: end kind: assignment pattern: $APP = Flask($$$) - Hashids(salt=current_app.config['SECRET_KEY']): + Hashids_salt_current_app_config_SECRET_KEY: # from hashids import Hashids # from flask import current_app # hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY']) @@ -194,9 +194,9 @@ utils: rule: kind: call any: - - matches: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) - - matches: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) - - matches: hashids.Hashids($APP.config['SECRET_KEY'], ...) - - matches: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) - - matches: Hashids(salt=app.config['SECRET_KEY']) - - matches: Hashids(salt=current_app.config['SECRET_KEY']) + - matches: hashids_Hashids_salt_flask_current_app_config_SECRET_KEY + - matches: hashids_Hashids_flask_current_app_config_SECRET_KEY + - matches: hashids_Hashids_APP_config_SECRET_KEY + - matches: hashids_Hashids_salt_APP_config_SECRET_KEY + - matches: Hashids_salt_app_config_SECRET_KEY + - matches: Hashids_salt_current_app_config_SECRET_KEY diff --git a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml index c5b3e805..a23e01a4 100644 --- a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml +++ b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml @@ -15,7 +15,7 @@ note: >- - https://www.pycryptodome.org/src/cipher/cipher ast-grep-essentials: true utils: - MATCH_PATTERN_arc4.new: + MATCH_PATTERN_arc4_new: kind: call all: - has: @@ -74,6 +74,6 @@ utils: rule: kind: call any: - - matches: MATCH_PATTERN_arc4.new + - matches: MATCH_PATTERN_arc4_new - pattern: Cryptodome.Cipher.ARC4.new($$$) - pattern: Crypto.Cipher.ARC4.new($$$) diff --git a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml index 998ba36a..394566d3 100644 --- a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml +++ b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - elasticsearch.Elasticsearch(..., bearer_auth="...",...): + elasticsearch_Elasticsearch_bearer_auth: # elasticsearch.Elasticsearch(..., bearer_auth="...",...) kind: call all: @@ -59,7 +59,7 @@ utils: kind: string_content rule: kind: call - matches: elasticsearch.Elasticsearch(..., bearer_auth="...",...) + matches: elasticsearch_Elasticsearch_bearer_auth not: all: - has: diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml index ed07a710..c4b0d900 100644 --- a/rules/python/security/python-ldap3-empty-password-python.yml +++ b/rules/python/security/python-ldap3-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - ldap3.Connection(..., password="",...)_INSTANCE: + ldap3_Connection_password_INSTANCE: kind: call all: - has: @@ -58,7 +58,7 @@ utils: has: kind: string_content - ldap3.Connection(..., password="",...): + ldap3_Connection_password: kind: call all: - has: @@ -87,8 +87,8 @@ utils: rule: kind: call any: - - matches: ldap3.Connection(..., password="",...)_INSTANCE - - matches: ldap3.Connection(..., password="",...) + - matches: ldap3_Connection_password_INSTANCE + - matches: ldap3_Connection_password not: all: - has: diff --git a/rules/python/security/python-peewee-mysql-empty-password-python.yml b/rules/python/security/python-peewee-mysql-empty-password-python.yml index e5d4bee5..8a8b18a2 100644 --- a/rules/python/security/python-peewee-mysql-empty-password-python.yml +++ b/rules/python/security/python-peewee-mysql-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - $DB(..., password="...",...): + DB_password: # $DB(..., password="...",...) kind: call all: @@ -44,7 +44,7 @@ utils: kind: string_content rule: kind: call - matches: $DB(..., password="...",...) + matches: DB_password not: all: - has: diff --git a/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml b/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml index 40c8c338..c0fed837 100644 --- a/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml +++ b/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - $DB(..., password="...",...): + DB_password: # $DB(..., password="...",...) kind: call all: @@ -42,7 +42,7 @@ utils: kind: string_content rule: kind: call - matches: $DB(..., password="...",...) + matches: DB_password not: all: - has: diff --git a/rules/python/security/python-peewee-pg-empty-password-python.yml b/rules/python/security/python-peewee-pg-empty-password-python.yml index c71ae1c6..39e80e99 100644 --- a/rules/python/security/python-peewee-pg-empty-password-python.yml +++ b/rules/python/security/python-peewee-pg-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - $DB(..., password="...",...): + DB_password: # $DB(..., password="...",...) kind: call all: @@ -44,7 +44,7 @@ utils: kind: string_content rule: kind: call - matches: $DB(..., password="...",...) + matches: DB_password all: - not: has: diff --git a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml index 7d0d77e1..d96eda92 100644 --- a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml +++ b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - $DB(..., password="...",...): + DB_password: # $DB(..., password="...",...) kind: call all: @@ -42,7 +42,7 @@ utils: kind: string_content rule: kind: call - matches: $DB(..., password="...",...) + matches: DB_password all: - not: has: diff --git a/rules/python/security/python-pg8000-empty-password-python.yml b/rules/python/security/python-pg8000-empty-password-python.yml index e567c16b..3474c5c7 100644 --- a/rules/python/security/python-pg8000-empty-password-python.yml +++ b/rules/python/security/python-pg8000-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - pg8000.dbapi.connect(..., password="...",...): + pg8000_dbapi_connect_password: # pg8000.dbapi.connect(..., password="...",...) kind: call pattern: $CALL @@ -46,5 +46,5 @@ utils: kind: string_content rule: kind: call - matches: pg8000.dbapi.connect(..., password="...",...) + matches: pg8000_dbapi_connect_password diff --git a/rules/python/security/python-pg8000-hardcoded-secret-python.yml b/rules/python/security/python-pg8000-hardcoded-secret-python.yml index db66b30d..284274fd 100644 --- a/rules/python/security/python-pg8000-hardcoded-secret-python.yml +++ b/rules/python/security/python-pg8000-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - pg8000.dbapi.connect(..., password="...",...): + pg8000_dbapi_connect_password: # pg8000.dbapi.connect(..., password="...",...) kind: call pattern: $CALL @@ -61,7 +61,7 @@ utils: kind: string_content rule: kind: call - matches: pg8000.dbapi.connect(..., password="...",...) + matches: pg8000_dbapi_connect_password all: - not: has: diff --git a/rules/python/security/python-psycopg2-empty-password-python.yml b/rules/python/security/python-psycopg2-empty-password-python.yml index 8921395e..18f82a60 100644 --- a/rules/python/security/python-psycopg2-empty-password-python.yml +++ b/rules/python/security/python-psycopg2-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - psycopg2.connect(..., password="",...): + psycopg2_connect_password: kind: call all: - has: @@ -59,7 +59,7 @@ utils: kind: string_content rule: kind: call - matches: psycopg2.connect(..., password="",...) + matches: psycopg2_connect_password not: all: - has: diff --git a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml b/rules/python/security/python-psycopg2-hardcoded-secret-python.yml index df80aeea..e30b6db9 100644 --- a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml +++ b/rules/python/security/python-psycopg2-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - psycopg2.connect(..., password="",...): + psycopg2_connect_password: kind: call all: - has: @@ -58,7 +58,7 @@ utils: kind: string_content rule: kind: call - matches: psycopg2.connect(..., password="",...) + matches: psycopg2_connect_password not: all: - has: diff --git a/rules/python/security/python-pymongo-empty-password-python.yml b/rules/python/security/python-pymongo-empty-password-python.yml index db0fd45c..eee7ceac 100644 --- a/rules/python/security/python-pymongo-empty-password-python.yml +++ b/rules/python/security/python-pymongo-empty-password-python.yml @@ -17,7 +17,7 @@ note: >- ast-grep-essentials: true utils: - pymongo.MongoClient(..., password="",...): + pymongo_MongoClient_password: kind: call all: - has: @@ -76,7 +76,7 @@ utils: rule: kind: call any: - - matches: pymongo.MongoClient(..., password="",...) + - matches: pymongo_MongoClient_password # - matches: $pymongo.MongoClient(..., password="",...) not: all: diff --git a/rules/python/security/python-pymongo-hardcoded-secret-python.yml b/rules/python/security/python-pymongo-hardcoded-secret-python.yml index 4690aa06..8e673e20 100644 --- a/rules/python/security/python-pymongo-hardcoded-secret-python.yml +++ b/rules/python/security/python-pymongo-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - pymongo.MongoClient(..., password="",...): + pymongo_MongoClient_password: kind: call all: - has: @@ -73,7 +73,7 @@ utils: rule: kind: call any: - - matches: pymongo.MongoClient(..., password="",...) + - matches: pymongo_MongoClient_password # - matches: $pymongo.MongoClient(..., password="",...) not: all: diff --git a/rules/python/security/python-pymssql-empty-password-python.yml b/rules/python/security/python-pymssql-empty-password-python.yml index 87495adf..cf8f7292 100644 --- a/rules/python/security/python-pymssql-empty-password-python.yml +++ b/rules/python/security/python-pymssql-empty-password-python.yml @@ -17,7 +17,7 @@ note: >- ast-grep-essentials: true utils: - mssql.connect(..., password="",...): + mssql_connect_password: kind: call all: - has: @@ -76,7 +76,7 @@ utils: rule: kind: call any: - - matches: mssql.connect(..., password="",...) + - matches: mssql_connect_password # - matches: $mssql.connect(..., password="",...) not: all: diff --git a/rules/python/security/python-pymssql-hardcoded-secret-python.yml b/rules/python/security/python-pymssql-hardcoded-secret-python.yml index 3871aa20..d318ac3b 100644 --- a/rules/python/security/python-pymssql-hardcoded-secret-python.yml +++ b/rules/python/security/python-pymssql-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - mssql.connect(..., password="",...): + mssql_connect_password: kind: call all: - has: @@ -73,7 +73,7 @@ utils: rule: kind: call any: - - matches: mssql.connect(..., password="",...) + - matches: mssql_connect_password # - matches: $mssql.connect(..., password="",...) not: all: diff --git a/rules/python/security/python-pymysql-empty-password-python.yml b/rules/python/security/python-pymysql-empty-password-python.yml index 4277e251..739f66ec 100644 --- a/rules/python/security/python-pymysql-empty-password-python.yml +++ b/rules/python/security/python-pymysql-empty-password-python.yml @@ -17,7 +17,7 @@ note: >- ast-grep-essentials: true utils: - pymysql.connect(..., password="",...): + pymysql_connect_password: kind: call all: - has: @@ -44,7 +44,7 @@ utils: kind: string_content rule: kind: call - matches: pymysql.connect(..., password="",...) + matches: pymysql_connect_password not: all: - has: diff --git a/rules/python/security/python-pymysql-hardcoded-secret-python.yml b/rules/python/security/python-pymysql-hardcoded-secret-python.yml index 190dd608..581ef5f2 100644 --- a/rules/python/security/python-pymysql-hardcoded-secret-python.yml +++ b/rules/python/security/python-pymysql-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - pymysql.connect(..., password="",...): + pymysql_connect_password: kind: call all: - has: @@ -42,7 +42,7 @@ utils: kind: string_content rule: kind: call - matches: pymysql.connect(..., password="",...) + matches: pymysql_connect_password not: all: - has: diff --git a/rules/python/security/python-redis-empty-password-python.yml b/rules/python/security/python-redis-empty-password-python.yml index a3984583..bb76e3f1 100644 --- a/rules/python/security/python-redis-empty-password-python.yml +++ b/rules/python/security/python-redis-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - redis.Redis(..., password="...",...): + redis_Redis_password: kind: call all: - has: @@ -59,7 +59,7 @@ utils: kind: string_content rule: kind: call - matches: redis.Redis(..., password="...",...) + matches: redis_Redis_password all: - not: has: diff --git a/rules/python/security/python-redis-hardcoded-secret-python.yml b/rules/python/security/python-redis-hardcoded-secret-python.yml index 98a1f92e..20cb2a66 100644 --- a/rules/python/security/python-redis-hardcoded-secret-python.yml +++ b/rules/python/security/python-redis-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - redis.Redis(..., password="...",...): + redis_Redis_password: kind: call all: - has: @@ -58,7 +58,7 @@ utils: kind: string_content rule: kind: call - matches: redis.Redis(..., password="...",...) + matches: redis_Redis_password all: - not: has: diff --git a/rules/python/security/python-requests-empty-password-python.yml b/rules/python/security/python-requests-empty-password-python.yml index 9562f4e2..1d2bba74 100644 --- a/rules/python/security/python-requests-empty-password-python.yml +++ b/rules/python/security/python-requests-empty-password-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - requests.auth.HTTPBasicAuth($USER,"",...): + requests_auth_HTTPBasicAuth_USER: kind: call all: - has: @@ -44,7 +44,7 @@ utils: # regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$ rule: kind: call - matches: requests.auth.HTTPBasicAuth($USER,"",...) + matches: requests_auth_HTTPBasicAuth_USER not: all: - has: diff --git a/rules/python/security/python-requests-hardcoded-secret-python.yml b/rules/python/security/python-requests-hardcoded-secret-python.yml index 937ce2e4..9f99f7ee 100644 --- a/rules/python/security/python-requests-hardcoded-secret-python.yml +++ b/rules/python/security/python-requests-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - requests.auth.HTTPBasicAuth($USER,"",...): + requests_auth_HTTPBasicAuth_USER: kind: call all: - has: @@ -36,7 +36,7 @@ utils: stopBy: end kind: string_content - HTTPBasicAuth($USER,"",...): + HTTPBasicAuth_USER: kind: call all: - has: @@ -70,7 +70,7 @@ utils: any: - pattern: from requests.auth import HTTPBasicAuth - HTTPProxyAuth($USER,"",...): + HTTPProxyAuth_USER: kind: call all: - has: @@ -104,7 +104,7 @@ utils: any: - pattern: from requests.auth import HTTPProxyAuth - HTTPDigestAuth($USER,"",...): + HTTPDigestAuth_USER: kind: call all: - has: @@ -141,10 +141,10 @@ utils: rule: kind: call any: - - matches: HTTPProxyAuth($USER,"",...) - - matches: HTTPDigestAuth($USER,"",...) - - matches: HTTPBasicAuth($USER,"",...) - - matches: requests.auth.HTTPBasicAuth($USER,"",...) + - matches: HTTPProxyAuth_USER + - matches: HTTPDigestAuth_USER + - matches: HTTPBasicAuth_USER + - matches: requests_auth_HTTPBasicAuth_USER not: all: - has: diff --git a/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml b/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml index 88f5728d..c883289d 100644 --- a/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml +++ b/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - requests_oauthlib.OAuth1($KEY, "...", ...): + requests_oauthlib_OAuth1_KEY: kind: call all: - has: @@ -40,7 +40,7 @@ utils: not: kind: comment - requests_oauthlib.OAuth1($KEY, "...", ...)_with_Instance: + requests_oauthlib_OAuth1_KEY_with_Instance: kind: call all: - has: @@ -78,7 +78,7 @@ utils: has: kind: string_content - OAuth1($KEY, "...", ...): + OAuth1_KEY: kind: call all: - has: @@ -108,7 +108,7 @@ utils: kind: import_from_statement pattern: from requests_oauthlib import OAuth1 - OAuth1($KEY, "...", ...)_with_Instance: + OAuth1_KEY_with_Instance: kind: call all: - has: @@ -152,7 +152,7 @@ utils: kind: import_from_statement pattern: from requests_oauthlib import OAuth1 - $OAUTH.fetch_token(..., client_secret="...", ...): + OAUTH_fetch_token_client_secret: kind: call all: - has: @@ -204,7 +204,7 @@ utils: kind: import_from_statement pattern: from requests_oauthlib import OAuth2Session - $OAUTH.fetch_token(..., client_secret="...", ...)_with_Instance: + OAUTH_fetch_token_client_secret_with_Instance: kind: call all: - has: @@ -273,12 +273,12 @@ utils: rule: kind: call any: - - matches: requests_oauthlib.OAuth1($KEY, "...", ...) - - matches: requests_oauthlib.OAuth1($KEY, "...", ...)_with_Instance - - matches: OAuth1($KEY, "...", ...) - - matches: OAuth1($KEY, "...", ...)_with_Instance - - matches: $OAUTH.fetch_token(..., client_secret="...", ...) - - matches: $OAUTH.fetch_token(..., client_secret="...", ...)_with_Instance + - matches: requests_oauthlib_OAuth1_KEY + - matches: requests_oauthlib_OAuth1_KEY_with_Instance + - matches: OAuth1_KEY + - matches: OAuth1_KEY_with_Instance + - matches: OAUTH_fetch_token_client_secret + - matches: OAUTH_fetch_token_client_secret_with_Instance all: - not: inside: diff --git a/rules/python/security/python-tormysql-empty-password-python.yml b/rules/python/security/python-tormysql-empty-password-python.yml index 7b8d8196..6ecc0a77 100644 --- a/rules/python/security/python-tormysql-empty-password-python.yml +++ b/rules/python/security/python-tormysql-empty-password-python.yml @@ -107,7 +107,7 @@ utils: has: kind: string_content - ConnectionPool(password=""): + ConnectionPool_password: kind: call all: - has: @@ -140,7 +140,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool - ConnectionPool(password="")_INSTANCE: + ConnectionPool_password_INSTANCE: kind: call all: - has: @@ -205,7 +205,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool - $VAR(password=""): + VAR_password: kind: call all: - has: @@ -238,7 +238,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool as $VAR - $VAR(password="")_INSTANCE: + VAR_password_INSTANCE: kind: call all: - has: @@ -307,7 +307,7 @@ rule: any: - matches: python-tormysql-hardcoded-secret - matches: python-tormysql-hardcoded-secret_INSTANCE - - matches: ConnectionPool(password="") - - matches: ConnectionPool(password="")_INSTANCE - - matches: $VAR(password="") - - matches: $VAR(password="")_INSTANCE + - matches: ConnectionPool_password + - matches: ConnectionPool_password_INSTANCE + - matches: VAR_password + - matches: VAR_password_INSTANCE diff --git a/rules/python/security/python-tormysql-hardcoded-secret-python.yml b/rules/python/security/python-tormysql-hardcoded-secret-python.yml index 7b6a5a9a..2c68e6e5 100644 --- a/rules/python/security/python-tormysql-hardcoded-secret-python.yml +++ b/rules/python/security/python-tormysql-hardcoded-secret-python.yml @@ -103,7 +103,7 @@ utils: has: kind: string_content - ConnectionPool(password=""): + ConnectionPool_password: kind: call all: - has: @@ -135,7 +135,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool - ConnectionPool(password="")_INSTANCE: + ConnectionPool_password_INSTANCE: kind: call all: - has: @@ -198,7 +198,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool - $VAR(password=""): + VAR_password: kind: call all: - has: @@ -230,7 +230,7 @@ utils: kind: import_from_statement pattern: from tormysql import ConnectionPool as $VAR - $VAR(password="")_INSTANCE: + VAR_password_INSTANCE: kind: call all: - has: @@ -297,7 +297,7 @@ rule: any: - matches: python-tormysql-hardcoded-secret - matches: python-tormysql-hardcoded-secret_INSTANCE - - matches: ConnectionPool(password="") - - matches: ConnectionPool(password="")_INSTANCE - - matches: $VAR(password="") - - matches: $VAR(password="")_INSTANCE + - matches: ConnectionPool_password + - matches: ConnectionPool_password_INSTANCE + - matches: VAR_password + - matches: VAR_password_INSTANCE diff --git a/rules/python/security/python-urllib3-hardcoded-secret-python.yml b/rules/python/security/python-urllib3-hardcoded-secret-python.yml index f8e4bfb2..1559dd34 100644 --- a/rules/python/security/python-urllib3-hardcoded-secret-python.yml +++ b/rules/python/security/python-urllib3-hardcoded-secret-python.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - urllib3.util.make_headers(...,basic_auth="...",...): + urllib3_util_make_headers_basic_auth: # urllib3.util.make_headers(...,basic_auth="...",...) kind: call all: @@ -47,7 +47,7 @@ utils: rule: kind: call - matches: urllib3.util.make_headers(...,basic_auth="...",...) + matches: urllib3_util_make_headers_basic_auth not: all: - has: diff --git a/rules/python/security/python-webrepl-empty-password-python.yml b/rules/python/security/python-webrepl-empty-password-python.yml index 1869d3ee..aaa345e1 100644 --- a/rules/python/security/python-webrepl-empty-password-python.yml +++ b/rules/python/security/python-webrepl-empty-password-python.yml @@ -17,7 +17,7 @@ note: >- ast-grep-essentials: true utils: - webrepl.start(..., password="",...): + webrepl_start_password: kind: call all: - has: @@ -44,7 +44,7 @@ utils: kind: string_content rule: kind: call - matches: webrepl.start(..., password="",...) + matches: webrepl_start_password not: all: - has: diff --git a/rules/python/security/python-webrepl-hardcoded-secret-python.yml b/rules/python/security/python-webrepl-hardcoded-secret-python.yml index aa04e5a5..b0383115 100644 --- a/rules/python/security/python-webrepl-hardcoded-secret-python.yml +++ b/rules/python/security/python-webrepl-hardcoded-secret-python.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - webrepl.start(..., password="",...): + webrepl_start_password: kind: call all: - has: @@ -42,7 +42,7 @@ utils: kind: string_content rule: kind: call - matches: webrepl.start(..., password="",...) + matches: webrepl_start_password not: all: - has: diff --git a/rules/ruby/security/force-ssl-false-ruby.yml b/rules/ruby/security/force-ssl-false-ruby.yml index cb5966b4..8548a116 100644 --- a/rules/ruby/security/force-ssl-false-ruby.yml +++ b/rules/ruby/security/force-ssl-false-ruby.yml @@ -13,7 +13,7 @@ note: >- ast-grep-essentials: true utils: - config.force_ssl = $FAL: + config_force_ssl_FAL: kind: assignment all: - has: @@ -25,4 +25,4 @@ utils: rule: kind: assignment any: - - matches: config.force_ssl = $FAL + - matches: config_force_ssl_FAL diff --git a/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml b/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml index 5bf26bf5..fbd7be31 100644 --- a/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml +++ b/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - OpenSSL::PKey::RSA.new(..., '...'): + OpenSSL_PKey_RSA_new: kind: call all: - has: @@ -41,7 +41,7 @@ utils: stopBy: neighbor kind: string_content - OpenSSL::PKey::RSA.new(...).to_pem(..., '...'): + OpenSSL_PKey_RSA_new_to_pem: kind: call all: - has: @@ -71,7 +71,7 @@ utils: stopBy: end nthChild: 3 - OpenSSL::PKey::RSA.new(..., '...')_with_instance: + OpenSSL_PKey_RSA_new_with_instance: kind: call all: - has: @@ -102,7 +102,7 @@ utils: kind: assignment pattern: $SECRET = '$SECRET_VALUE' - OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance: + OpenSSL_PKey_RSA_new_to_pem_with_instance: kind: call all: - has: @@ -133,7 +133,7 @@ utils: kind: assignment pattern: $SECRET = '$SECRET_VALUE' - $OPENSSL.export(...,'...'): + OPENSSL_export: kind: call all: - has: @@ -166,7 +166,7 @@ utils: kind: assignment pattern: $OPENSSL = OpenSSL::PKey::RSA.new - $OPENSSL.to_pem(...,$ASSIGN): + OPENSSL_to_pem_ASSIGN: kind: call all: - has: @@ -223,10 +223,10 @@ utils: rule: kind: call any: - - matches: OpenSSL::PKey::RSA.new(..., '...') - - matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...') - - matches: OpenSSL::PKey::RSA.new(..., '...')_with_instance - - matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance - - matches: $OPENSSL.export(...,'...') - - matches: $OPENSSL.to_pem(...,$ASSIGN) + - matches: OpenSSL_PKey_RSA_new + - matches: OpenSSL_PKey_RSA_new_to_pem + - matches: OpenSSL_PKey_RSA_new_with_instance + - matches: OpenSSL_PKey_RSA_new_to_pem_with_instance + - matches: OPENSSL_export + - matches: OPENSSL_to_pem_ASSIGN - matches: match_call diff --git a/rules/ruby/security/insufficient-rsa-key-size-ruby.yml b/rules/ruby/security/insufficient-rsa-key-size-ruby.yml index bc49a266..ae2194f2 100644 --- a/rules/ruby/security/insufficient-rsa-key-size-ruby.yml +++ b/rules/ruby/security/insufficient-rsa-key-size-ruby.yml @@ -12,7 +12,7 @@ note: >- ast-grep-essentials: true utils: - OpenSSL::PKey::RSA.generate($SIZE,...): + OpenSSL_PKey_RSA_generate_SIZE: # OpenSSL::PKey::RSA.generate($SIZE,...) kind: call all: @@ -41,7 +41,7 @@ utils: not: kind: comment - OpenSSL::PKey::RSA.new($ASSIGN, ...): + OpenSSL_PKey_RSA_new_ASSIGN: # $ASSIGN = $SIZE # OpenSSL::PKey::RSA.new($ASSIGN, ...) kind: call @@ -82,8 +82,8 @@ utils: rule: kind: call any: - - matches: OpenSSL::PKey::RSA.generate($SIZE,...) - - matches: OpenSSL::PKey::RSA.new($ASSIGN, ...) + - matches: OpenSSL_PKey_RSA_generate_SIZE + - matches: OpenSSL_PKey_RSA_new_ASSIGN constraints: KEY: any: diff --git a/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml index 42398ced..8af06878 100644 --- a/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - Aws::Credentials.new($X, "...", ...): + Aws_Credentials_new_X: # Aws::Credentials.new($X, "...", ...) kind: call all: @@ -61,7 +61,7 @@ utils: stopBy: end kind: call pattern: require 'aws-sdk-core' - Aws::Credentials.new($X, "...", ...)_instance: + Aws_Credentials_new_X_instance: # Aws::Credentials.new($X, $VAR, ...) kind: call all: @@ -136,8 +136,8 @@ utils: rule: kind: call any: - - matches: Aws::Credentials.new($X, "...", ...) - - matches: Aws::Credentials.new($X, "...", ...)_instance + - matches: Aws_Credentials_new_X + - matches: Aws_Credentials_new_X_instance all: - not: has: diff --git a/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml b/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml index d1218655..2e3ed3e2 100644 --- a/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml +++ b/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - Cassandra.cluster(): + Cassandra_cluster: # Cassandra.cluster(..., password: "", ...) kind: call all: @@ -63,7 +63,7 @@ utils: kind: call pattern: require 'cassandra' - Cassandra.cluster()_Instance: + Cassandra_cluster_Instance: # Cassandra.cluster(..., password: "", ...) kind: call all: @@ -138,8 +138,8 @@ utils: rule: kind: call any: - - matches: Cassandra.cluster() - - matches: Cassandra.cluster()_Instance + - matches: Cassandra_cluster + - matches: Cassandra_cluster_Instance not: all: - has: diff --git a/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml index f7a69977..745b7def 100644 --- a/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - Cassandra.cluster(): + Cassandra_cluster: # Cassandra.cluster(..., password: "", ...) kind: call all: @@ -62,7 +62,7 @@ utils: kind: call pattern: require 'cassandra' - Cassandra.cluster()_Instance: + Cassandra_cluster_Instance: # Cassandra.cluster(..., password: "", ...) kind: call all: @@ -134,8 +134,8 @@ utils: rule: kind: call any: - - matches: Cassandra.cluster() - - matches: Cassandra.cluster()_Instance + - matches: Cassandra_cluster + - matches: Cassandra_cluster_Instance not: all: - has: diff --git a/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml index 1e02035d..0c9fc19d 100644 --- a/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - Excon.new(..., :password => "...", ...): + Excon_new_password: # Excon.new(..., :password => "...", ...) kind: call all: @@ -57,7 +57,7 @@ utils: kind: call pattern: require 'excon' - Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...): + Excon_new_password_Excon_Utils_escape_uri: # Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) kind: call all: @@ -116,7 +116,7 @@ utils: kind: call pattern: require 'excon' - Excon.new(..., :password => "...", ...)_instance: + Excon_new_password_instance: # Excon.new(..., :password => "...", ...) kind: call all: @@ -171,7 +171,7 @@ utils: kind: string - Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance: + Excon_new_password_Excon_Utils_escape_uri_instance: # Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) kind: call all: @@ -226,11 +226,11 @@ utils: rule: kind: call any: - - matches: Excon.new(..., :password => "...", ...) - - matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) + - matches: Excon_new_password + - matches: Excon_new_password_Excon_Utils_escape_uri - - matches: Excon.new(..., :password => "...", ...)_instance - - matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance + - matches: Excon_new_password_instance + - matches: Excon_new_password_Excon_Utils_escape_uri_instance all: - not: has: diff --git a/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml index 93c4ce24..17759db4 100644 --- a/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - $X.request :authorization, :basic, $USER, "...": + X_request_authorization_basic_USER: kind: call all: - has: @@ -79,7 +79,7 @@ utils: kind: call pattern: require "faraday" - $Instance($X.request :authorization, :basic, $USER, "..."): + Instance_X_request_authorization_basic_USER: kind: call all: - has: @@ -142,7 +142,7 @@ utils: kind: assignment pattern: $STRING = $PASSWORD - $X.request :basic_auth, $USER, "...": + X_request_basic_auth_USER: kind: call all: - has: @@ -198,7 +198,7 @@ utils: kind: call pattern: require "faraday" - Instance( $X.request :basic_auth, $USER, "..."): + Instance_X_request_basic_auth_USER: kind: call all: - has: @@ -254,7 +254,7 @@ utils: kind: assignment pattern: $STRING = $PASSWORD - $X.request :token_auth, "...", ...: + X_request_token_auth: kind: call all: - has: @@ -302,7 +302,7 @@ utils: kind: call pattern: require "faraday" - Instance($X.request :token_auth, "...", ...): + Instance_X_request_token_auth: kind: call all: - has: @@ -351,7 +351,7 @@ utils: kind: assignment pattern: $STRING = $PASSWORD - $X.request :authorization, $BEARER, "...": + X_request_authorization_BEARER: kind: call all: - has: @@ -414,7 +414,7 @@ utils: kind: call pattern: require "faraday" - Instance($X.request :authorization, $BEARER, "..."): + Instance_X_request_authorization_BEARER: kind: call all: - has: @@ -479,14 +479,14 @@ utils: rule: kind: call any: - - matches: $X.request :authorization, :basic, $USER, "..." - - matches: $Instance($X.request :authorization, :basic, $USER, "...") - - matches: $X.request :basic_auth, $USER, "..." - - matches: Instance( $X.request :basic_auth, $USER, "...") - - matches: $X.request :token_auth, "...", ... - - matches: Instance($X.request :token_auth, "...", ...) - - matches: $X.request :authorization, $BEARER, "..." - - matches: Instance($X.request :authorization, $BEARER, "...") + - matches: X_request_authorization_basic_USER + - matches: Instance_X_request_authorization_basic_USER + - matches: X_request_basic_auth_USER + - matches: Instance_X_request_basic_auth_USER + - matches: X_request_token_auth + - matches: Instance_X_request_token_auth + - matches: X_request_authorization_BEARER + - matches: Instance_X_request_authorization_BEARER all: - not: has: diff --git a/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml b/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml index 4a9d231e..e9a4a90f 100644 --- a/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml +++ b/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml @@ -17,7 +17,7 @@ note: >- ast-grep-essentials: true utils: - match_Mysql2:Client: + match_Mysql2_Client: kind: call all: - has: @@ -64,7 +64,7 @@ utils: has: kind: string_content regex: "^mysql2$" - match_Mysql2:Client_with_identifier: + match_Mysql2_Client_with_identifier: kind: call all: - has: @@ -121,7 +121,7 @@ utils: has: kind: string_content regex: "^mysql2$" - match_Mysql2:Client_with_identifier2: + match_Mysql2_Client_with_identifier2: kind: call all: - has: @@ -227,8 +227,8 @@ utils: regex: "^mysql2$" rule: any: - - matches: match_Mysql2:Client - - matches: match_Mysql2:Client_with_identifier - - matches: match_Mysql2:Client_with_identifier2 + - matches: match_Mysql2_Client + - matches: match_Mysql2_Client_with_identifier + - matches: match_Mysql2_Client_with_identifier2 - matches: match_Mysql2_new diff --git a/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml index 73e4ff8e..ac67a865 100644 --- a/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - match_Mysql2:Client: + match_Mysql2_Client: kind: call all: - has: @@ -62,7 +62,7 @@ utils: has: kind: string_content regex: "^mysql2$" - match_Mysql2:Client_with_identifier: + match_Mysql2_Client_with_identifier: kind: call all: - has: @@ -189,7 +189,7 @@ utils: has: kind: string_content regex: "^mysql2$" - match_Mysql2:Client_with_identifier2: + match_Mysql2_Client_with_identifier2: kind: call all: - has: @@ -250,8 +250,8 @@ utils: rule: any: - - matches: match_Mysql2:Client + - matches: match_Mysql2_Client - matches: match_Mysql3 - - matches: match_Mysql2:Client_with_identifier - - matches: match_Mysql2:Client_with_identifier2 + - matches: match_Mysql2_Client_with_identifier + - matches: match_Mysql2_Client_with_identifier2 diff --git a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml index 722ba8cb..736de72e 100644 --- a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - Octokit::Client.new(password:""): + Octokit_Client_new_password: # Octokit::Client.new(..., password: "", ...) kind: call all: @@ -58,7 +58,7 @@ utils: stopBy: end kind: call pattern: require 'octokit' - Octokit::Client.new(password:"")_Instance: + Octokit_Client_new_password_Instance: kind: call all: - has: @@ -115,8 +115,8 @@ utils: rule: kind: call any: - - matches: Octokit::Client.new(password:"") - - matches: Octokit::Client.new(password:"")_Instance + - matches: Octokit_Client_new_password + - matches: Octokit_Client_new_password_Instance all: - not: has: diff --git a/rules/ruby/security/ruby-pg-empty-password-ruby.yml b/rules/ruby/security/ruby-pg-empty-password-ruby.yml index a2d63613..0982ae26 100644 --- a/rules/ruby/security/ruby-pg-empty-password-ruby.yml +++ b/rules/ruby/security/ruby-pg-empty-password-ruby.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - PG.connect(password:""): + PG_connect_password: # PG.connect(..., password: "", ...) kind: call all: @@ -53,7 +53,7 @@ utils: has: stopBy: neighbor kind: string_content - PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): + PG_connect_HOST_PORT_OPS_TTY_DB_USER: # PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...) kind: call all: @@ -79,7 +79,7 @@ utils: has: stopBy: neighbor kind: string_content - PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): + PG_Connection_new_HOST_PORT_OPS_TTY_DB_USER: # PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...) kind: call all: @@ -105,7 +105,7 @@ utils: has: stopBy: neighbor kind: string_content - PG::Connection.new(password:""): + PG_Connection_new_password: # PG::Connection.new(..., password: '', ...) kind: call all: @@ -145,10 +145,10 @@ utils: rule: kind: call any: - - matches: PG.connect(password:"") - - matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new(password:"") + - matches: PG_connect_password + - matches: PG_connect_HOST_PORT_OPS_TTY_DB_USER + - matches: PG_Connection_new_HOST_PORT_OPS_TTY_DB_USER + - matches: PG_Connection_new_password not: all: - has: diff --git a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml index c730d538..c65d6092 100644 --- a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - PG.connect(password:""): + PG_connect_password: # PG::Connection.new(..., password: '', ...) kind: call all: @@ -62,7 +62,7 @@ utils: stopBy: end kind: call pattern: require "pg" - PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): + PG_connect_HOST_PORT_OPS_TTY_DB_USER: # PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...) kind: call all: @@ -98,7 +98,7 @@ utils: stopBy: end kind: call pattern: require "pg" - PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): + PG_Connection_new_HOST_PORT_OPS_TTY_DB_USER: # PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...) kind: call all: @@ -134,7 +134,7 @@ utils: stopBy: end kind: call pattern: require "pg" - PG::Connection.new(password:""): + PG_Connection_new_password: # PG::Connection.new(..., password: '', ...) kind: call all: @@ -184,10 +184,10 @@ utils: rule: kind: call any: - - matches: PG.connect(password:"") - - matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new(password:"") + - matches: PG_connect_password + - matches: PG_connect_HOST_PORT_OPS_TTY_DB_USER + - matches: PG_Connection_new_HOST_PORT_OPS_TTY_DB_USER + - matches: PG_Connection_new_password not: all: - has: diff --git a/rules/ruby/security/ruby-redis-empty-password-ruby.yml b/rules/ruby/security/ruby-redis-empty-password-ruby.yml index 4f8ef8ca..d29c8464 100644 --- a/rules/ruby/security/ruby-redis-empty-password-ruby.yml +++ b/rules/ruby/security/ruby-redis-empty-password-ruby.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - Redis.new(..., password:"", ...): + Redis_new_password: # Redis.new(..., password: "", ...) kind: call all: @@ -66,7 +66,7 @@ utils: pattern: require "redis" rule: kind: call - matches: Redis.new(..., password:"", ...) + matches: Redis_new_password all: - not: has: diff --git a/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml index 2bfccf0e..eada9eb4 100644 --- a/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml +++ b/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - Redis.new(..., password:"", ...): + Redis_new_password: # Redis.new(..., password: "", ...) kind: call all: @@ -64,7 +64,7 @@ utils: pattern: require "redis" rule: kind: call - matches: Redis.new(..., password:"", ...) + matches: Redis_new_password all: - not: has: diff --git a/rules/rust/security/empty-password-rust.yml b/rules/rust/security/empty-password-rust.yml index a00a3943..1f1d27aa 100644 --- a/rules/rust/security/empty-password-rust.yml +++ b/rules/rust/security/empty-password-rust.yml @@ -15,7 +15,7 @@ note: >- ast-grep-essentials: true utils: - MySqlConnectOptions::new(...). ... .password(""): + MySqlConnectOptions_new_password: kind: call_expression all: - has: @@ -67,7 +67,7 @@ utils: kind: identifier regex: ^MySqlConnectOptions$ - PgConnectOptions::new(...). ... .password(""): + PgConnectOptions_new_password: kind: call_expression all: - has: @@ -119,7 +119,7 @@ utils: kind: identifier regex: ^PgConnectOptions$ - sqlx::mysql::MySqlConnectOptions::new(...). ... .password(""): + sqlx_mysql_MySqlConnectOptions_new_password: kind: call_expression all: - has: @@ -144,7 +144,7 @@ utils: has: kind: string_content - sqlx::postgres::PgConnectOptions::new(...). ... .password(""): + sqlx_postgres_PgConnectOptions_new_password: kind: call_expression all: - has: @@ -169,7 +169,7 @@ utils: has: kind: string_content - $PgConnectOptions::new(...). ... .password(""): + PgConnectOptions_new_password_2: kind: call_expression all: - has: @@ -237,7 +237,7 @@ utils: - has: kind: arguments - $MySqlConnectOptions::new(...). ... .password(""): + MySqlConnectOptions_new_password_2: kind: call_expression all: - has: @@ -305,7 +305,7 @@ utils: - has: kind: arguments - $MySqlConnectOptions::new(...). ... .password("")_with_Instance: + MySqlConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -398,7 +398,7 @@ utils: has: kind: string_content - $PgConnectOption::new(...). ... .password("")_with_Instance: + PgConnectOption_new_password_with_Instance: kind: call_expression all: - has: @@ -491,7 +491,7 @@ utils: has: kind: string_content - sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance: + sqlx_postgres_PgConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -541,7 +541,7 @@ utils: has: kind: string_content - sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance: + sqlx_mysql_MySqlConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -591,7 +591,7 @@ utils: has: kind: string_content - PgConnectOptions::new(...). ... .password("")_with_Instance: + PgConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -668,7 +668,7 @@ utils: has: kind: string_content - MySqlConnectOptions::new(...). ... .password("")_with_Instance: + MySqlConnectOptions_new_password_with_Instance_2: kind: call_expression all: - has: @@ -745,7 +745,7 @@ utils: has: kind: string_content - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...): + let_OPTS_sqlx_mysql_MySqlConnectOptions_new: kind: call_expression all: - has: @@ -806,7 +806,7 @@ utils: - has: kind: arguments - let $OPTS = sqlx::postgres::PgConnectOptions::new(...): + let_OPTS_sqlx_postgres_PgConnectOptions_new: kind: call_expression all: - has: @@ -867,7 +867,7 @@ utils: precedes: kind: arguments - let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance: + let_OPTS_sqlx_postgres_PgConnectOptions_new_with_Instance: kind: call_expression all: - has: @@ -953,7 +953,7 @@ utils: has: kind: string_content - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance: + let_OPTS_sqlx_mysql_MySqlConnectOptions_new_with_Instance: kind: call_expression all: - has: @@ -1041,19 +1041,19 @@ utils: rule: any: - - matches: MySqlConnectOptions::new(...). ... .password("") - - matches: PgConnectOptions::new(...). ... .password("") - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("") - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("") - - matches: $PgConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: $PgConnectOption::new(...). ... .password("")_with_Instance - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file + - matches: MySqlConnectOptions_new_password + - matches: PgConnectOptions_new_password + - matches: sqlx_mysql_MySqlConnectOptions_new_password + - matches: sqlx_postgres_PgConnectOptions_new_password + - matches: PgConnectOptions_new_password_2 + - matches: MySqlConnectOptions_new_password_2 + - matches: MySqlConnectOptions_new_password_with_Instance + - matches: PgConnectOption_new_password_with_Instance + - matches: sqlx_postgres_PgConnectOptions_new_password_with_Instance + - matches: sqlx_mysql_MySqlConnectOptions_new_password_with_Instance + - matches: PgConnectOptions_new_password_with_Instance + - matches: MySqlConnectOptions_new_password_with_Instance_2 + - matches: let_OPTS_sqlx_mysql_MySqlConnectOptions_new + - matches: let_OPTS_sqlx_postgres_PgConnectOptions_new + - matches: let_OPTS_sqlx_postgres_PgConnectOptions_new_with_Instance + - matches: let_OPTS_sqlx_mysql_MySqlConnectOptions_new_with_Instance \ No newline at end of file diff --git a/rules/rust/security/hardcoded-password-rust.yml b/rules/rust/security/hardcoded-password-rust.yml index 21161486..5cba2b5a 100644 --- a/rules/rust/security/hardcoded-password-rust.yml +++ b/rules/rust/security/hardcoded-password-rust.yml @@ -16,7 +16,7 @@ note: >- ast-grep-essentials: true utils: - MySqlConnectOptions::new(...). ... .password(""): + MySqlConnectOptions_new_password: kind: call_expression all: - has: @@ -67,7 +67,7 @@ utils: kind: identifier regex: ^MySqlConnectOptions$ - PgConnectOptions::new(...). ... .password(""): + PgConnectOptions_new_password: kind: call_expression all: - has: @@ -118,7 +118,7 @@ utils: kind: identifier regex: ^PgConnectOptions$ - sqlx::mysql::MySqlConnectOptions::new(...). ... .password(""): + sqlx_mysql_MySqlConnectOptions_new_password: kind: call_expression all: - has: @@ -142,7 +142,7 @@ utils: has: kind: string_content - sqlx::postgres::PgConnectOptions::new(...). ... .password(""): + sqlx_postgres_PgConnectOptions_new_password: kind: call_expression all: - has: @@ -166,7 +166,7 @@ utils: has: kind: string_content - $PgConnectOptions::new(...). ... .password(""): + PgConnectOptions_new_password_2: kind: call_expression all: - has: @@ -233,7 +233,7 @@ utils: - has: kind: arguments - $MySqlConnectOptions::new(...). ... .password(""): + MySqlConnectOptions_new_password_2: kind: call_expression all: - has: @@ -300,7 +300,7 @@ utils: - has: kind: arguments - $MySqlConnectOptions::new(...). ... .password("")_with_Instance: + MySqlConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -391,7 +391,7 @@ utils: has: kind: string_content - $PgConnectOption::new(...). ... .password("")_with_Instance: + PgConnectOption_new_password_with_Instance: kind: call_expression all: - has: @@ -482,7 +482,7 @@ utils: has: kind: string_content - sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance: + sqlx_postgres_PgConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -530,7 +530,7 @@ utils: has: kind: string_content - sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance: + sqlx_mysql_MySqlConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -578,7 +578,7 @@ utils: has: kind: string_content - PgConnectOptions::new(...). ... .password("")_with_Instance: + PgConnectOptions_new_password_with_Instance: kind: call_expression all: - has: @@ -653,7 +653,7 @@ utils: has: kind: string_content - MySqlConnectOptions::new(...). ... .password("")_with_Instance: + MySqlConnectOptions_new_password_with_Instance_2: kind: call_expression all: - has: @@ -728,7 +728,7 @@ utils: has: kind: string_content - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...): + let_OPTS_sqlx_mysql_MySqlConnectOptions_new: kind: call_expression all: - has: @@ -788,7 +788,7 @@ utils: - has: kind: arguments - let $OPTS = sqlx::postgres::PgConnectOptions::new(...): + let_OPTS_sqlx_postgres_PgConnectOptions_new: kind: call_expression all: - has: @@ -848,7 +848,7 @@ utils: precedes: kind: arguments - let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance: + let_OPTS_sqlx_postgres_PgConnectOptions_new_with_Instance: kind: call_expression all: - has: @@ -932,7 +932,7 @@ utils: has: kind: string_content - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance: + let_OPTS_sqlx_mysql_MySqlConnectOptions_new_with_Instance: kind: call_expression all: - has: @@ -1018,19 +1018,19 @@ utils: rule: any: - - matches: MySqlConnectOptions::new(...). ... .password("") - - matches: PgConnectOptions::new(...). ... .password("") - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("") - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("") - - matches: $PgConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: $PgConnectOption::new(...). ... .password("")_with_Instance - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file + - matches: MySqlConnectOptions_new_password + - matches: PgConnectOptions_new_password + - matches: sqlx_mysql_MySqlConnectOptions_new_password + - matches: sqlx_postgres_PgConnectOptions_new_password + - matches: PgConnectOptions_new_password_2 + - matches: MySqlConnectOptions_new_password_2 + - matches: MySqlConnectOptions_new_password_with_Instance + - matches: PgConnectOption_new_password_with_Instance + - matches: sqlx_postgres_PgConnectOptions_new_password_with_Instance + - matches: sqlx_mysql_MySqlConnectOptions_new_password_with_Instance + - matches: PgConnectOptions_new_password_with_Instance + - matches: MySqlConnectOptions_new_password_with_Instance_2 + - matches: let_OPTS_sqlx_mysql_MySqlConnectOptions_new + - matches: let_OPTS_sqlx_postgres_PgConnectOptions_new + - matches: let_OPTS_sqlx_postgres_PgConnectOptions_new_with_Instance + - matches: let_OPTS_sqlx_mysql_MySqlConnectOptions_new_with_Instance \ No newline at end of file diff --git a/rules/rust/security/postgres-empty-password-rust.yml b/rules/rust/security/postgres-empty-password-rust.yml index ad36d0db..8b7b596b 100644 --- a/rules/rust/security/postgres-empty-password-rust.yml +++ b/rules/rust/security/postgres-empty-password-rust.yml @@ -198,7 +198,7 @@ utils: stopBy: end kind: string_content - MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE: + MATCH_PATTERN_WITH_INSTANCE_PASSWORD_WITH_ITS_INSTANCE: kind: call_expression all: - has: @@ -288,4 +288,4 @@ rule: - matches: MATCH_PATTERN_WITH_INSTANCE - matches: MATCH_PASSWORD_DIRECTLY - matches: MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE - - matches: MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE + - matches: MATCH_PATTERN_WITH_INSTANCE_PASSWORD_WITH_ITS_INSTANCE diff --git a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml b/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml index 4f703ca4..8ced64ca 100644 --- a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml +++ b/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml @@ -15,7 +15,7 @@ note: >- - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures ast-grep-essentials: true utils: - MATCH_PATTERN_ONE.basic_auth: + MATCH_PATTERN_ONE_basic_auth: kind: call_expression all: - has: @@ -81,7 +81,7 @@ utils: # kind: block - MATCH_PATTERN_TWO.bearer_auth: + MATCH_PATTERN_TWO_bearer_auth: kind: call_expression all: - has: @@ -143,7 +143,7 @@ utils: stopBy: neighbor kind: identifier - MATCH_PATTERN_ONE.basic_auth_Instance: + MATCH_PATTERN_ONE_basic_auth_Instance: kind: call_expression all: - has: @@ -223,7 +223,7 @@ utils: stopBy: end kind: block - MATCH_PATTERN_TWO.bearer_auth_Instance: + MATCH_PATTERN_TWO_bearer_auth_Instance: kind: call_expression all: - has: @@ -288,10 +288,10 @@ utils: rule: kind: call_expression any: - - matches: MATCH_PATTERN_ONE.basic_auth - - matches: MATCH_PATTERN_TWO.bearer_auth - - matches: MATCH_PATTERN_ONE.basic_auth_Instance - - matches: MATCH_PATTERN_TWO.bearer_auth_Instance + - matches: MATCH_PATTERN_ONE_basic_auth + - matches: MATCH_PATTERN_TWO_bearer_auth + - matches: MATCH_PATTERN_ONE_basic_auth_Instance + - matches: MATCH_PATTERN_TWO_bearer_auth_Instance not: all: - has: diff --git a/rules/typescript/security/node-rsa-weak-key-typescript.yml b/rules/typescript/security/node-rsa-weak-key-typescript.yml index 53054884..7c478897 100644 --- a/rules/typescript/security/node-rsa-weak-key-typescript.yml +++ b/rules/typescript/security/node-rsa-weak-key-typescript.yml @@ -10,7 +10,7 @@ note: >- - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms ast-grep-essentials: true utils: - PATTERN_require("crypto"): + PATTERN_require_crypto: pattern: $NUMBER all: - inside: @@ -272,7 +272,7 @@ utils: stopBy: end kind: array - PATTERN_require("crypto")_pattern_2: + PATTERN_require_crypto_pattern_2: pattern: $NUMBER all: - inside: @@ -552,7 +552,7 @@ utils: stopBy: end kind: array - PATTERN_require("node-rsa"): + PATTERN_require_node-rsa: pattern: $NUMBER all: - inside: @@ -877,7 +877,7 @@ utils: stopBy: end kind: array - PATTERN_require("node-forge"): + PATTERN_require_node-forge: pattern: $NUMBER all: - inside: @@ -1159,7 +1159,7 @@ utils: all: - kind: array - PATTERN_require("node-forge")_pattern_2: + PATTERN_require_node-forge_pattern_2: pattern: $NUMBER all: - inside: @@ -1466,25 +1466,25 @@ rule: any: - kind: number any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 + - matches: PATTERN_require_crypto + - matches: PATTERN_require_crypto_pattern_2 + - matches: PATTERN_require_node-rsa + - matches: PATTERN_require_node-forge + - matches: PATTERN_require_node-forge_pattern_2 - kind: unary_expression any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 + - matches: PATTERN_require_crypto + - matches: PATTERN_require_crypto_pattern_2 + - matches: PATTERN_require_node-rsa + - matches: PATTERN_require_node-forge + - matches: PATTERN_require_node-forge_pattern_2 - kind: binary_expression any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 + - matches: PATTERN_require_crypto + - matches: PATTERN_require_crypto_pattern_2 + - matches: PATTERN_require_node-rsa + - matches: PATTERN_require_node-forge + - matches: PATTERN_require_node-forge_pattern_2 constraints: NUMBER: regex: ^([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|[+-]?(\.[0-9]+)|([+-]?\.[0-9]+\/[1-9][0-9]*))$