update semgrep rules (#9560)

* update * format
2025-04-06 12:30:29 +08:00 · 2024-10-05 16:47:50 -07:00 · 2024-10-05 16:47:50 -07:00 · 99c9e26614
commit 99c9e26614
parent 4ed5339c2b
2 changed files with 42 additions and 15 deletions
--- a/.github/configs/semgrep_rules.yaml
+++ b/.github/configs/semgrep_rules.yaml
@ -1,18 +1,45 @@
 rules:
-  - id: detect-os-system-calls
-    pattern: os.system(...)
-    message: "Unsafe use of os.system(). Consider using subprocess.run() instead."
-    languages: [python]
+  - id: third-party-action-not-pinned-to-commit-sha
+    pattern-either:
+      - pattern: uses: $ACTION@$REF
+        metavariable-regex:
+          $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
+          $REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$
+      - pattern: uses: $ACTION
+        metavariable-regex:
+          $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
+    message: >
+      Third-party GitHub Action is not pinned to a specific commit SHA.
+      This can be a security risk as the action may be modified unexpectedly.
+      Consider using a full length commit SHA instead of a tag or branch name.
    severity: WARNING
+    languages: [yaml]
+    paths:
+      include:
+        - '**/workflows/*.yml'
+        - '**/workflows/*.yaml'
+    metadata:
+      category: security
+      technology:
+        - github-actions
+      references:
+        - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

-  - id: detect-sql-injection
-    pattern: 'execute("SELECT * FROM " + $TABLE)'
-    message: "Potential SQL injection detected. Use parameterized queries."
+  - id: insecure-file-permissions
+    pattern: os.chmod(..., $PERMS)
+    message: >
+      Detected a call to os.chmod() with potentially insecure permissions.
+      Ensure that file permissions are set correctly to prevent unauthorized access.
+    severity: WARNING
    languages: [python]
-    severity: ERROR
+    metadata:
+      category: security
+      technology:
+        - python
+      references:
+        - https://docs.python.org/3/library/os.html#os.chmod
+        - https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
+    fix-regex:
+      regex: os\.chmod\((.*?),\s*(.*?)\)
+      replacement: os.chmod($1, 0o600) 

-  - id: detect-eval-usage
-    pattern: eval(...)
-    message: "Use of eval() detected. This can be dangerous if used with untrusted input."
-    languages: [python]
-    severity: ERROR
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -47,8 +47,8 @@ jobs:
      - name: restart docker
        uses: docker://docker
        with:
-          args: docker restart semgrepcontainer          
-      - run: ls -la /mnt     
+          args: docker restart semgrepcontainer
+      - run: ls -la /mnt
      - run: semgrep ci --config=/mnt/semgrep_rules.yaml
  update-status:
    permissions: