Semgrep: subpattern where-python:`arbitrary python code`

Created on 6 Feb 2020  路  7Comments  路  Source: returntocorp/semgrep

We'd like to make rule files even more pluggable and dynamic. To that end, it would be valuable to have python / javascript scriptability that can execute arbitrary code to decide whether or not a rule should fire. For instance:

pattern-with-guard:
    pattern: foo($X)
    where-python: "0 <= vars['$X'] <= 100"

Specifically, many of the checks @mschwager wrote in dlint would be good candidates for this pattern. Eg https://github.com/dlint-py/dlint/blob/master/dlint/linters/bad_urllib3_kwarg_use.py could become:

pattern-with-guard:
    pattern: urllib3.PoolManager(cert_reqs=$X)
    where-python: "vars['$X'] in ['CERT_NONE', 'NONE']"
enhancement good first issue

Most helpful comment

This is why you use a scripting language for, to script! to leverage eval()! (there is no other use for those languages IMHO :) )

All 7 comments

Ohoho, oh yes!
I can then scratch one of the items in https://returntocorp.quip.com/flmmAhOAzbj9/Pads-long-term-goals

and now we are sensitive to command/eval injection!

(is there a sandbox mode in python like in Perl?)

This is why you use a scripting language for, to script! to leverage eval()! (there is no other use for those languages IMHO :) )

I'd like to throw a suggestion in the ring here... can we point to a separate python file? It would be nice to, e.g., lint that file.

I don't understand what you want nathan. Can you give an example of what you want?

@aryx I think @nbrahms means, a way to say:

pattern-where-python-file-returns-true: pass_me_metavars.py

And then have that python file be invoked with the metavars as CLI arguments and return code being true/false for the filter.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ievans picture ievans  路  5Comments

zythosec picture zythosec  路  5Comments

msorens picture msorens  路  4Comments

nbrahms picture nbrahms  路  5Comments

Mandawi picture Mandawi  路  4Comments