From 99c9e26614ebf03875ae874171aca7a2c66c9cbf Mon Sep 17 00:00:00 2001
From: Abubakar Abid
Date: Sat, 5 Oct 2024 16:47:50 -0700
Subject: [PATCH] update semgrep rules (#9560)

* update

* format
---
 .github/configs/semgrep_rules.yaml | 53 ++++++++++++++++++++++--------
 .github/workflows/semgrep.yml | 4 +--
 2 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/.github/configs/semgrep_rules.yaml b/.github/configs/semgrep_rules.yaml
index 4eab4c6351..2c0e014466 100644
--- a/.github/configs/semgrep_rules.yaml
+++ b/.github/configs/semgrep_rules.yaml
@@ -1,18 +1,45 @@
 rules:
- - id: detect-os-system-calls
- pattern: os.system(...)
- message: "Unsafe use of os.system(). Consider using subprocess.run() instead."
- languages: [python]
+ - id: third-party-action-not-pinned-to-commit-sha
+ pattern-either:
+ - pattern: uses: $ACTION@$REF
+ metavariable-regex:
+ $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
+ $REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$
+ - pattern: uses: $ACTION
+ metavariable-regex:
+ $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
+ message: >
+ Third-party GitHub Action is not pinned to a specific commit SHA.
+ This can be a security risk as the action may be modified unexpectedly.
+ Consider using a full length commit SHA instead of a tag or branch name.
 severity: WARNING
+ languages: [yaml]
+ paths:
+ include:
+ - '**/workflows/*.yml'
+ - '**/workflows/*.yaml'
+ metadata:
+ category: security
+ technology:
+ - github-actions
+ references:
+ - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
- - id: detect-sql-injection
- pattern: 'execute("SELECT * FROM " + $TABLE)'
- message: "Potential SQL injection detected. Use parameterized queries."
+ - id: insecure-file-permissions
+ pattern: os.chmod(..., $PERMS)
+ message: >
+ Detected a call to os.chmod() with potentially insecure permissions.
+ Ensure that file permissions are set correctly to prevent unauthorized access.
+ severity: WARNING
 languages: [python]
- severity: ERROR
+ metadata:
+ category: security
+ technology:
+ - python
+ references:
+ - https://docs.python.org/3/library/os.html#os.chmod
+ - https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
+ fix-regex:
+ regex: os\.chmod\((.*?),\s*(.*?)\)
+ replacement: os.chmod($1, 0o600)
- - id: detect-eval-usage
- pattern: eval(...)
- message: "Use of eval() detected. This can be dangerous if used with untrusted input."
- languages: [python]
- severity: ERROR
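Review bot: The `$REF` regex `^(v?\d+(\.\d+){0,2}|[^@]+)$` in the first rule also matches a 40-hex commit SHA, so a correctly pinned `uses: owner/repo@<sha>` is reported exactly like a tag — the `[^@]+` alternative accepts every ref and the rule cannot tell apart the state its own message recommends. Excluding full SHAs with a negative lookahead, `$REF: ^(?![0-9a-fA-F]{40}$)[^@]+$`, keeps the finding limited to tags and branch names (the `$ACTION` regex already relies on lookaheads, so the syntax is available). The same `$ACTION` regex also matches container references such as the `uses: docker://docker` step in `.github/workflows/semgrep.yml` later in this patch, which cannot be SHA-pinned this way; a `(?!docker://)` lookahead would skip them. In the second rule, `os.chmod(..., $PERMS)` matches every chmod call regardless of mode and `fix-regex` rewrites any of them to `0o600`, which strips executable bits from legitimate modes and mis-captures nested-paren arguments (the lazy `(.*?)` groups turn `os.chmod(os.path.join(a, b), 0o755)` into `os.chmod(os.path.join(a, 0o600), 0o755)`); consider constraining `$PERMS` with a `metavariable-regex` that only matches world-accessible modes and dropping the autofix.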
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index cdacb31e75..6115544a4e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -47,8 +47,8 @@ jobs:
 - name: restart docker
 uses: docker://docker
 with:
- args: docker restart semgrepcontainer
- - run: ls -la /mnt
+ args: docker restart semgrepcontainer
+ - run: ls -la /mnt
 - run: semgrep ci --config=/mnt/semgrep_rules.yaml
 update-status:
 permissions: